Moodle 2.7 Persistent XSS

Overview

I hope you all have heard about the Moodle project. The full form is Moodle Modular Object-Oriented Dynamic Learning Environment. This project is a free open-source project which focuses in teaching and learning online courses effectively. Most of the universities, colleges, educational institutes use this application in interacting with students. You can read and research more information on Wikipedia.

Vulnerability and Exploit

This is a persistent XSS I found in Moodle 2.7. Well, this vulnerability was present from the version 2.4.9 till 2.7 so far hidden from the eye 😉 luckily I spotted this while I was fuzzing random stuff against the application.

Edit your user profile and under “Optional” you can see “Skype ID”. Let’s inject some HTML into the Skype ID field and check the output

“>>><h1>Hello World</h1>

It seems like our input is echoed back thrice. In one line the input is being URL encoded since it should be the URL of the user and in another it is being converted to HTML entities, while in the other field it seems like our input is being filtered out. I love to break filters. Here is my quick and small analysis in detail.

Output 1:

<a href=”skype:%22%3E%3E%3EHello+World?call”>

Output 2:

&quot;&gt;&gt;&gt;Hello World

(more…)

Advertisements

Concrete 5.6.2.1 Multiple XSS

While I was playing around with Concrete 5.6.2.1 CMS, I wanted to know how this application shows us a hyperlink to the “Back” button. I found something interesting in the “download_file.php” file.


\concrete\single_pages\download_file.php

line 27

<form action="<?php echo  View::url('/download_file', 'submit_password', $fID) ?>" method="post">
		<?php  if(isset($force)) { ?>
			<input type="hidden" value="<?php echo  $force ?>" name="force" />
		<?php  } ?>
		<input type="hidden" value="<?php echo  $returnURL ?>" name="returnURL" />
		<input type="hidden" value="<?php echo  $rcID ?>" name="rcID"/>
		<label for="password"><?php echo t('Password')?>: <input type="password" name="password" /></label>
		<br /><br />
		<button type="submit"><?php echo t('Download')?></button>
	</form>

Let’s have a look at the “$returnURL” variable. (more…)

ZTE WXV10 W300 Multiple Vulnerabilities

Default Password Being Used (CVE-2014-4018)

In ZTE routers the username is a constant which is “admin” and the password by default is “admin”

ROM-0 Backup File Disclosure (CVE-2014-4019)

There is a rom-0 backup file contains sensitive information such as the passwords. There is a disclosure in which anyone can download that file without any authentication by a simple GET request.

http://192.168.1.1/rom-0 (more…)

ZTE and TP-Link RomPager DoS

Introduction

I think by now you know the security issues disclosed related to TP-Link routers. I’ve noticed that some ZTE and TP-Link routers have the same ADSL firmware which is “FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0”. I was curious to test the web application and I found out that the embedded server which is “RomPager” cannot handle fairly large POST requests.
Tested Routers:

Xilisoft Video Converter Ultimate DLL Hijacking

Overview of Xilisoft Video Converter Ultimate

Xilisoft Video Converter Ultimate is a professional video converter which has a wide range of video and audio formats. I personally love this software since it uses GPU acceleration in converting videos.

It is on the high side of premium video converters for home use. It automatic profiles enhanced for just any device or format, graphics card detection and acceleration.
-CNET

(more…)

Pwning Script Kiddies – Acunetix Buffer Overflow

Introduction

Recently a security researcher named “Danor Cohen – An7i” had found a buffer overflow vulnerability and he has written a nice exploit for Acunetix Web Vulnerability Scanner 8.0. As this exploit was an ascii based one I was interested in re-writing the exploit because my previous exploit was also an ascii based one. However with the emerging of bug bounties and responsible disclosure policies I’ve seen many people firing up web application security scanners against live hosts in which automated vulnerability assessments are not permitted at all. Well, by triggering this buffer overflow vulnerability we can have some fun owning the noobs 😉

Crash

When we submit a new website to be scanned by Acunetix it searches for html tags like <img src=”” >, <a href=””> to get the additional hosts from that website. So if we place an html tag in the page like (more…)