Vulnerability Research


Vulnerabilities and Scalp-O-Meter moving

As you may or may not be aware, the vast majority of earned bug bounty rewards has been used to develop Uzbey.  For this reason, I am choosing to move the current advisories and all new ones to Uzbey.  If you wish to view the content from the website (I am sure that after a few days of them being posted the content also gets hosted elsewhere), registration would be required.  Yep, it's a cheap shot to increase traffic and awareness to Uzbey, but it also seemed a perfect fit as Uzbey is a direct result of the content contained within these publications and all future ones.

On Wednesday morning, 30th July, I will be releasing a number of new vulnerabilities that I have either not yet released or simply forgotten to release.  These are in Yahoo, Ebay (Magento, Prostores), WePay and RelateIQ, and possibly two zero days in Kenexa (IBM Smarter Workforce) that result in remote code execution.


6 new vulnerability reports released totaling over $33,000 in bug bounty payments. 


cseye_ut@yahoo.com released an issue to Bugtraq, so to complement his advisory, and seeing as there does not seem to be a need to hang on to it anymore, here are some more notes (written in 2010) on taking the attack further to Plesk Domain Admin and accessing ports behind the firewall.

This hack requires numerous steps to bypass a number of security measures taken by PayPal to protect manager.paypal.com.  PayPal were very quick in resolving the issue.

Reported on the 11th February, an XML External Entity vulnerability was discovered.

Due to the nature of the data returned (including full credit card information in plain text), only a summary of the issue is being reported.  Details are minimal and there are no screenshots.  Sorry.

Reported on the 13th February (Google closed down this vulnerability within an hour), an XML External Entity vulnerability was discovered within Google's Public Explorer.

This issue was reported on Sunday at 7:14am, 2/16/2014.  At 10:09am, I received an email back from Andrew stating they had confirmed the issue and were working on a fix.  At 4:22pm, I received another email from Andrew stating the issue had now been resolved and the vulnerability was no longer present.  Pretty impressive, especially considering it was a Sunday.  If you are a customer of Shopify, you should be happy about this commitment to security.

This attack allows for a cross-store (so essentially unauthenticated, as we have not authenticated to our target store) privilege escalation attack, creating an administrative user on any gostorego online store.  As indicated by their own website, there are over 200,000 active stores.  This vulnerability was reported to the eBay Enterprise Bug Bounty team on Sunday 9th February 2014.  They and the Magento engineering team put out a fix for this issue extremely quickly, so pats on the back all around are deserved.  I tested the issue and tried a few workarounds, but the fix holds good.

This paper shows how to hijack existing privileged accounts and gain full administrative access to the CMS as an unauthenticated user, bypassing the previous fix.  At a quick glance, Version 9 does not appear to be vulnerable.  PayPal fixed the issue extremely quickly (within an hour) with their own workaround.  Excellent work by their security and dev team.

This attack will show how to read other users' emails without leaving any visible trace.

This attack will elevate a regular SmarterMail user to Domain Administrator.

Apparently this vulnerability never existed.  Download the FileStoreServlet.jar file.  This was obtained through the attack.

An XSS issue within financing.paypal.com.

This paper shows how to hijack existing privileged accounts and gain full administrative access to the CMS as an unauthenticated user.  A following paper will be released shortly that bypasses the security fix.

Sitecore CMS suffers from an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the CMS and the server it is installed upon through the upload of a remote shell.

Mura CMS suffers from an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the CMS and the server it is installed upon through the upload of a remote shell.  UPDATE - A patch has now been released, available here.

SmarterMail suffers from an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the mail server and the server it is installed upon through the upload of a remote shell running as NT Authority / System.

Sitecore's "special way" of displaying XML Controls directly allows for a Cross Site Scripting attack. More can be achieved with these XML Controls and will be documented in another vulnerability report.


This file will be updated later, but in the meantime, should you happen to come across Sitecore during a web application security assessment, you may find it useful.