Local File Inclusion - LFI
Impact
Impact differs with how the flaw is exploited and with the read permissions of the web server user. Depending on these factors an attacker might carry out one or more of the following attacks:
- Gather usernames from the /etc/passwd file
- Harvest useful information from log files such as /apache/logs/error.log or /apache/logs/access.log
- Directly run commands by using functions like "echo" to create script files
Required Skills for Successful Exploitation
Significant attacking skills are required because there is no tool or automated way to exploit this type of vulnerability. The attack consists of three phases: detecting the vulnerability, then finding malicious code on the targeted system (or, if possible, creating it, e.g. by uploading an image), and finally including that code via the identified vulnerability to run it. Generally the attacker needs to find the physical path of the server access logs, upload an image to the server, or abuse /proc/self/ functionality on Linux systems where possible.
CloudScan Local File Inclusion 1-2-3 Step Process to Executing LFI Exploit Proof of Concept:
Local File Inclusion Exploit Instructions: 3 Step Manual Process
Step 1 - Harvest /etc/passwd
Step 2 - Display a System Log File
Step 3 - Create a Local File; Include in URL
LFI Exploit Completed
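The indicators the section above lists (the passwd file, the web server's own logs, /proc/self/) are exactly what a defender should be hunting for in access logs. The following scanner is an added example written for this page, not code from XSS.CX or CloudScan; it assumes Apache combined log format, a `page` query parameter as the include target, and constructed sample entries.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Indicators taken from the page's LFI impact list; matched on the fully decoded value.
SENSITIVE_PATHS = ("/etc/passwd", "/proc/self/", "/logs/error.log", "/logs/access.log")
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Combined log format: client, ident, user, [timestamp], "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_indicators(request):
    """Return LFI indicators found in the query string of one request line."""
    hits = []
    parts = request.split()
    if len(parts) < 2:
        return hits
    for name, raw in parse_qsl(urlparse(parts[1]).query, keep_blank_values=True):
        value = decode_param(raw)  # parse_qsl already removed one encoding layer
        if "\x00" in value:
            hits.append(f"{name}: embedded null byte")
        if TRAVERSAL.search(value):
            hits.append(f"{name}: directory traversal")
        hits += [f"{name}: {p}" for p in SENSITIVE_PATHS if p in value.lower()]
    return hits

def scan_access_log(lines):
    """Return (client_ip, request, indicators) for each entry that looks like an LFI probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := lfi_indicators(m.group(2))):
            findings.append((m.group(1), m.group(2), hits))
    return findings

# Constructed sample entries (not from any real server); the last three are probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2012:14:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Mar/2012:14:00:01 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1801',
    '10.0.0.9 - - [25/Mar/2012:14:00:02 +0000] "GET /index.php?page=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 77',
    '10.0.0.9 - - [25/Mar/2012:14:00:03 +0000] "GET /index.php?page=/apache/logs/error.log%00 HTTP/1.1" 200 9001',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the three probes from 10.0.0.9 and ignores the benign request; the repeated decoding is what keeps the double-encoded /proc/self/ attempt from slipping past.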
XSS.CX research into applications used in wide-scale deployment is ongoing. Research is focused on applications used for Internet Service Provider (ISP) operations. Target platform examples:
Plesk Parallels, Hosting Controller, Merak Mail, SmarterMail, SmarterTools and the related products bundled with these applications, and payment platforms such as PayPal and Authorize.net, focusing on Personal Information (PI) laws and PCI compliance.
---------------------------------------------
All works and exhibits are released under Creative Commons with Attribution. You may use our Proof of Concepts (PoC), Code or Frameworks for private use, education or commercial profit.
---------------------------------------------
XSS.CX | Software Assurance Metrics and Penetration Test Evaluation:
These are the coverage areas Hoyt LLC provides for clients and research in manual penetration testing, in addition to vulnerability scanner coverage. XSS.CX is focused on these areas, with emphasis on technical weaknesses such as:
CWE-209 - Information Exposure Through an Error Message
CWE-285 - Improper Access Control (Authorization)
CWE-306 - Missing Authentication for Critical Function
CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-770 - Allocation of Resources Without Limits or Throttling
CWE-807 - Reliance on Untrusted Inputs in a Security Decision
PCI Compliance
The OWASP Top Ten 2010 RC1, released in late 2009, is a valuable document for developers. Its focus is on web applications, and it characterizes problems in terms of risk, instead of weaknesses. It also uses different metrics for selection.
In general, the CWE/SANS 2010 Top 25 covers more weaknesses, including those that rarely appear in web applications, such as buffer overflows.
The following list identifies each Top Ten category along with its associated CWE entries.
| OWASP Top Ten 2010 RC1 | 2010 Top 25 |
| A1 - Injection | CWE-89 (SQL injection), CWE-78 (OS Command injection) |
| A2 - Cross Site Scripting (XSS) | CWE-79 (Cross-site scripting) |
| A3 - Broken Authentication and Session Management | CWE-306, CWE-307, CWE-798 |
| A4 - Insecure Direct Object References | CWE-285 |
| A5 - Cross Site Request Forgery (CSRF) | CWE-352 |
| A6 - Security Misconfiguration | No direct mappings; CWE-209 is frequently the result of misconfiguration. |
| A7 - Failure to Restrict URL Access | CWE-285 |
| A8 - Unvalidated Redirects and Forwards | CWE-601 |
| A9 - Insecure Cryptographic Storage | CWE-327, CWE-311 |
| A10 - Insufficient Transport Layer Protection | CWE-311 |