Category Archives: Full Disclosure

Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by Mark Steward on Dec 03

I’ve spotted this before and ignored it because it’s all HTML-escaped. You
can actually put as much as you like before the equals, presumably
including script tags. You can also include enough after the equals to
write something like “<iframe src=//xy.co>”.

Where are you seeing it unescaped? Is it some third-party handler? Try on a
clean install with just an empty .aspx and a web.config with an empty
configuration…

Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by waysea on Dec 03

If you can get a <script> tag in (usually the very first tag to be
blacklisted), you could
1. register a two character domain with a two character TLD (all the
single character domains with two letter TLDs had been taken the last
time I checked)
2. have the root page be an index.js file (instead of index.html)
3. use something like:

A) <script src=//ab.cd>
or
B) <script/src=//ef.gh>

Without knowing more about your specific…

CSRF and XSS vulnerabilities in D-Link DAP-1360

Posted by MustLive on Dec 03

Hello list!

There are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

This is in addition to the previous Abuse of Functionality, Brute Force, Information
Leakage, Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities
in DAP-1360, which I wrote about earlier.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link…

CVE-2014-3809: Reflected XSS in Alcatel Lucent 1830 PSS-32/16/4

Posted by Stephan.Rickauer on Dec 03

#############################################################
#
# SWISSCOM CSIRT ADVISORY – http://www.swisscom.com/security
#
#############################################################
#
# CVE ID: CVE-2014-3809
# Product: 1830 Photonic Service Switch PSS-32/16/4
# Vendor: Alcatel-Lucent
# Subject: Reflected Cross-site Scripting – XSS
# Effect: Remotely exploitable
# Author: Stephan Rickauer (stephan.rickauer _at_ swisscom.com)
#…

XSS in WIX pages

Posted by Devsec Security Departament on Dec 03

57 million web pages are affected by a security problem in wix.com

Proof of concept of a web page made in wix.com:
http://www.itsec.cl/

When viewing the source code, one can observe the following:

Find the SEO content of this site’s homepage via
http://www.itsec.cl/?_escaped_fragment_=
(That is where search engines like Google go to read your homepage’s
content.)

tried to access an existing section and added a third invalid…

[The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

Posted by Pedro Ribeiro on Dec 03

Hi,

This is part 9 of the ManageOwnage series. For previous parts see [1].

Today we have yet another 0 day – an arbitrary file download
vulnerability that can be exploited unauthenticated in NetFlow Analyzer
and authenticated in IT360.
I’m releasing this as a 0 day because ManageEngine have been making a
fool out of me for 105 days. I have asked them “are you releasing a
fix soon?” at least a couple of times every month to which they…

Re: CVE-2014-8610 Android < 5.0 SMS resend vulnerability

Posted by Joshua Wright on Dec 03

I put together a Drozer module to leverage this flaw:

https://github.com/joswr1ght/drozer-modules/blob/master/whfs/smsdraftsend.py

Note that this flaw can be used for SMS premium message (short code) delivery, but does not bypass the Android 4.2 and
later verification dialog box prior to delivery. Normal SMS message delivery works fine without the SEND_SMS privilege.

-Josh

less out of bounds read access – TFPA 002/2014

Posted by Hanno Böck on Dec 03

less out of bounds read access – TFPA 002/2014
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

An out of bounds read access in the UTF-8 decoding can be triggered
with a malformed file in the tool less. The access happens in the
function is_utf8_well_formed (charset.c, line 534) due to a truncated
multibyte character in the sample file. It affects the latest upstream
less version 470. The bug does not crash…

hack4 is coming – hackercon in berlin – date: end of the year 2014

Posted by dash on Dec 03

h4ppy hello!

Intr0:

we have decided to not drive to hamburg this year, instead bringing up our own
conference in g00d 0ld berlin.

hack4 aims on tech talks and tech stuff – no politix.

even though we are looking for talks it is completely fine to just bring your
box put it on the table and connect it to the inet. spending whole time
exploring and discussing with (new) friends about networks, languages,
applications and how to break…

Yii framework CmsInput extension improper XSS sanitation

Posted by A. W. on Dec 03

[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2

Yii framework’s CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, introducing XSS vulnerabilities in
web applications developed by third-party framework users [3]. The issue
has now been resolved in cooperation with the author [2].
CmsInput…