Author: Osanda Malith Jayathissa

Acknowledged by Librato

I found 19 XSS vulnerabilities in this website. After a responsible disclosure I got my name in their Acknowledgements section.

hof

 

 

https://metrics.librato.com/vulnerability

Bandizip Multiple Vulnerabilities

All these issues are patched in Bandizip 3.10 after a responsible disclosure done to the vendor.

Overview of Bandizip

Bandizip is a Lightweight, Fast and 100% free All-In-One Zip Archiver. ItĀ has a very fast Zip algorithm for compression & extraction with Fast Drag and Drop, High Speed Archiving, and Multi-core compression. It handles the most popular compression formats, including Zip, 7z, Rar, and so on.

Arbitrary DLL Injection Code Execution

Bandizip 3.09 and below version are affected with a DLL hijacking issue in which the application loadsĀ dwmapi.dll in an insecure manner.Ā Ā This can be exploited to load arbitrary libraries by tricking a user into e.g. opening a file located on a remote WebDAV or SMB share. 1 You can clearly seeĀ dwmapi.dll is being searched by the application in the current directory as a result of loading it in an insecure manner.

Proof of Concept (more…)

MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.

alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

[code language=”sql”]
SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE ‘moved|%’
AND ( LOWER(t.subject) LIKE ‘%&lt;foo&gt; &lt;h1&gt; &lt;script&gt; alert (bar) () ; //%’ LOWER(t.subject)
LIKE ‘%&gt; &lt; prompt \x41 \%42 constructor onload%’)

[/code]

fuzz1
(more…)

My Joomla XSS 0days

Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.

<foo> </bar> '" > <> ; () //

What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.

ā€˜; ()//"

fuzz

Persistent XSS in com_contact

To reproduce this issue follow these steps.

  • Click components -> Contacts-> Contacts. This is the URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_contact (more…)

Acknowledged by Twitter

Finally my name got published on twitter! I reported 2 issues. A logical issue in tweet cards with Fraph and a old vulnerable server hosted by twitter. For reporting them my name got published šŸ™‚

Screenshot_2

https://about.twitter.com/company/security

 

Rewarded by Campaign Monitor

pic
http://www.mediafire.com/view/yyx0dt71p26cygg/Osanda_-_thank_you_letter.pdf

I found a valid CSRF issue and got rewarded in this manner.

reward

Thank you very much guys! šŸ™‚

Acknowledged by Compilr

Found 2 major reflected XSS vulnerabilities in the login page and the signup page. The risk was very high because attackers can use a remote keylogger to capture keystrokes. This can be easily achieved by JavaScript. Ā For reporting them my name got published in the Thanks section.

Screenshot_2

https://compilr.com/forum/security-thanks

Acknowledged by Appcelerator

I found out a open redirection vulnerability and after a responsible disclosure my name got published.

Screenshot_4

https://www.appcelerator.com/privacy/responsible-disclosure-of-security-vulnerabilities/

 

Ophcrack Path Subversion Arbitrary DLL Injection Code Execution

What is DLL Hijacking?

This is how Microsoft describes it

When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described inĀ Dynamic-Link Library Search Order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called aĀ DLL preloading attackĀ or aĀ binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.

Basically when an application tries to load a DLL without specifying a fully qualified path name Windows tries to load the DLL in a order of directories. If the application attempts to load a DLL by it’s name it should go in this order of directories (x86).

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

Overview of Ophcrack 3.6 (more…)