Tuesday 15 January 2013

[EN] Mantis Bug Tracker 1.2.12 Persistent XSS

Hello Mantis Community,

A few minutes ago I found a nice old persistent XSS in the latest version of Mantis Bug Tracker (1.2.12).

Persistent XSS for admin

This vulnerability exists for the admin user, but the same could exist in other parts of this webapp.

Update: 18.01.2013
A few minutes ago I spoke again with the Developer Team.
After this little chat I have a surprise for you: a new Mantis BT is coming! :)

Update: 21.01.2013
As you can see now (in the comments), MantisBT is available for download, and soon you can get
a brand new version. For now, a patch for this vulnerability is available here.

Once again I would like to thank the MantisBT Team for a fast reply, great knowledge and excellent work! :)

Cheers! o/
 





Monday 14 January 2013

[EN] SMF 2.0.3 Persistent XSS

For the admin user this time ;)

Persistent XSS in the latest SMF 2.0.3

 
Details here: http://whk.drawcoders.net/

At this point I would like to thank the whole SMF Team for cooperating.
A fast and responsible Team! :)

Wednesday 9 January 2013

[EN] e107 CMS 1.0.2 SQL Injection

Yes, it's true, but calm down. This vulnerability can be triggered only by an admin. ;)

If an attacker is able to get the admin's password, then the vulnerability status can 'increase' from
low to high.

Anyway, more details soon.

If you need it faster - mail me.

Tuesday 8 January 2013

[EN] osTicket 1.74 RC - multiple vulnerabilities

Details soon...

Monday 7 January 2013

[EN] Wolf CMS 0.7.5-SP1 XSS

In the latest Wolf CMS I found an XSS vulnerability in the 'Forgot password' mechanism.

Go to your admin panel:
http://192.168.64.106/wolfcms/?/admin/login and click on 'Forgot password'.

Now put your XSS code in the forgot_email parameter:

./wolf/app/controllers/LoginController.php:154:           
return $this->_sendPasswordTo($_POST['forgot']['email']);


and

./wolf/app/views/login/forgot.php:61:                   
<input class="long" id="forgot-email" type="text" name="forgot[email]" value="<?php echo $email; ?>" />



The view echoes $email into the value attribute without any encoding, and that's how we can do an XSS attack here.
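The fix for the view line quoted above, as an added example (this is not Wolf CMS code and not from the original post). The function names are hypothetical stand-ins for the `value="..."` line in forgot.php and for an input check in the controller, and the sample inputs are constructed.

```php
<?php
// Added example, not Wolf CMS code. The helper names below are hypothetical.

// Vulnerable form, as in forgot.php line 61: the submitted value is echoed raw.
function render_forgot_field_raw(string $email): string
{
    return '<input class="long" id="forgot-email" type="text" '
         . 'name="forgot[email]" value="' . $email . '" />';
}

// Hardened form: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles, so the value cannot close the attribute.
function render_forgot_field(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input class="long" id="forgot-email" type="text" '
         . 'name="forgot[email]" value="' . $safe . '" />';
}

// Controller-side check (assumption: the field should only ever hold an
// email address). Returns null for anything else, including array input.
function clean_forgot_email($posted): ?string
{
    if (!is_string($posted)) {
        return null;
    }
    $email = filter_var(trim($posted), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed sample inputs: one normal address, one value containing a
// double quote that would end the value="..." attribute if echoed raw.
$samples = ['admin@example.com', 'x" data-probe="1'];

foreach ($samples as $s) {
    echo "input   : ", $s, "\n";
    echo "raw     : ", render_forgot_field_raw($s), "\n";
    echo "encoded : ", render_forgot_field($s), "\n";
    echo "accepted: ", var_export(clean_forgot_email($s), true), "\n\n";
}
```

Output encoding in the view is the actual fix; the input check only narrows what reaches the view and does not replace it.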

[EN] Wolf CMS 0.7.5-SP1 RCE

In the latest Wolf CMS, if a user is able to create a page, there is a remote code execution possibility.

Let me know if you need details.

Cheers o/

[EN] osCommerce 2.3.3 Exploited

I found a few bugs in the latest version of the popular osCommerce.

For now, only the persistent XSS bug and the information disclosure will be presented here.

It's good practice to remember that, in the case of information disclosure bugs, we don't need any 'error displaying'. So it is a good idea to set it to "Off" in your php.ini file.


Update:
osCommerce 2.3.3 after XSS attack



This screenshot shows the XSS for a logged-in user.