AntiSnatch0r » XSS http://antisnatchor.com Keeping You Informed on the latest and coolest AntiSnatchOr security researches... Thu, 18 Feb 2010 09:40:11 +0000 http://wordpress.org/?v=2.8.5 en hourly 1 RiotFamily tag 8: still more exploitable points… http://antisnatchor.com/2009/03/20/riotfamily-tag-8-still-more-exploitable-points/ http://antisnatchor.com/2009/03/20/riotfamily-tag-8-still-more-exploitable-points/#comments Fri, 20 Mar 2009 18:58:12 +0000 admin http://antisnatchor.com/?p=59 After a few hours of research I’ve found other two XSS (reflected) insertion points.

More difficult to find, more satisfaction to have succeeded :)

Take a look here please: http://jira.riotfamily.org/browse/RIOT-121.

euronymous

]]> http://antisnatchor.com/2009/03/20/riotfamily-tag-8-still-more-exploitable-points/feed/ 0 Konakart 2.2.6.0 Responsible Disclosure http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/ http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/#comments Mon, 22 Dec 2008 16:21:45 +0000 antisnatchor http://antisnatchor.com/?p=39 Full Disclosure or Responsible Disclosure? That’s the problem!

Well, usually I prefer the second one, especially if I’m working with applications I’ve used, known or tried at least one time: that’s the case of Konakart. We actually don’t use it, but I still recommend it to every people that works with OScommerce (same DB structure) and don’t want to be bored developing in JEE.

Konakart is a really stable product, and now is also more secure on his default configuration: Paolo Sidoli and I worked together to fix frontend related XSS vulnerabilities and a few other bugs. His replies and patches were fast and concrete, and in less than one week we’ve managed a full pen test and a full security patch.

I confess that it’s really amazing to exploit web applications, bypass filters, find bugs and so on, but maybe the most exciting (and under-valuated) phase is the mitigation of those bugs. That’s clearly true if and only if the team to wich you’re reporting the vulns is open to collaborate with you: if don’t, RFpolicy can help us.

Konakart users, please apply the patch

]]> http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/feed/ 0 Eclipse BIRT reflected XSS http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/ http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/#comments Thu, 18 Dec 2008 12:09:48 +0000 antisnatchor http://antisnatchor.com/?p=31 As I was doing an analysis on a few JEE applications that were using BIRT as default report/graph generation engine, I’ve found an XSS hole (reflected). They will fix it in version 2.5.0 (milestone), even if now the latest stable production version is 2.3.1: quite funny.

Here below my post on bugs.eclipse.org :

A Reflected XSS is present in the _report parameter: here below
th modified request (that is the BIRT 2.2.1 version included in
Konakart 2.2.6)

GET
/birt-viewer/run?__report='"><iframe%20src=javascript:alert(666)>
&r=-703171660 HTTP/1.1
Host: localhost:8780
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/

Konakart is actually using
org.eclipse.birt.core_2.2.1.r22x_v20070924, that is actually
old I guess.

I don't have the time to try the exploit on newer versions,
I leave this to you, even if I suppose that newer version will
be vulnerable too.

Thanks

Michele Orru'
]]> http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/feed/ 0