Recent
WordPress Plugin Disqus Comment System XSS
# Exploit Title: WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/disqus-comment-system/
# Date: 11.12.11
# Author: Ryan Dewhurst (@ethicalhack3r)
# Software Link: http://downloads.wordpress.org/plugin/disqus-comment-system.2.68.zip
# Version: 2.68
# Tested on: Cross-Platform
** Vulnerability Description **
The WordPress Disqus Comment System plugin version 2.68 was found to be affected by Reflected Cross-Site Scripting (XSS). At the time of writing the plugin (not this specific version) had been downloaded 504,746 times. [0]
Concrete5 <= 5.4.2.1 SQL Injection and XSS Vulnerabilities
# Exploit Title: Concrete5 <= 5.4.2.1 SQL Injection and XSS Vulnerabilities
# Date: 2011-10-04
# Author: Ryan Dewhurst (ryandewhurst at gmail) (@ethicalhack3r)(www.ethicalhack3r.co.uk)
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.4.2.1/
# Version: 5.4.2.1 (tested)
1. Vulnerability Description
Multiple SQL Injection, Cross-Site Scripting (XSS) and Information Disclosure vulnerabilities were identified within Concrete5 version 5.4.2.1.
Please note: only a select few of the vulnerabilities discovered are outlined in this disclosure; many others were found. Due to time constraints only a small sample of them is described below. The vendor was contacted and replied promptly. Further assistance was requested but could not be provided because of my time constraints.
2. Software Description
CMS made for Marketing but built for Geeks, concrete5 [0] is a content management system that is free and open source.
WordPress >= 2.9 Failure to Restrict URL Access
1. *Advisory Information*
Title: WordPress >= 2.9 Failure to Restrict URL Access
Date published: 13/02/2010
2. *Vulnerability Information*
Class: Failure to Restrict URL Access
Remotely Exploitable: Yes
Locally Exploitable: Yes
[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4
Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, released a couple of advisories on vulnerabilities in Achievo <= 1.3.4 which we found a few months ago during our vulnerability research into common web applications.
The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent XSS vulnerabilities within their scheduler module and an SQL injection vulnerability within their dispatch.php file.
Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.
[BONSAI] SQL Injection in CS-Cart <= 2.0.5
Here is one of the vulnerabilities which I found during my research for Bonsai Security a few weeks ago. The research consisted of vulnerability assessing commercial and open source ecommerce web applications over a 2 week period.
During the time of my research I learnt a great deal from Andres Riancho (w3af/bonsai-sec owner) and from the vulnerability assessments themselves. So what did I learn? I learnt that patience is definitely a virtue, JavaScript is a pain in the ass, ecommerce web application developers need to invest more time on security, and a lot more as regards perfecting my assessment techniques.
Here is the vulnerability report:
http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt
Here is a great post by Andres on the difficulty of the actual exploitation:
http://www.bonsai-sec.com/blog/index.php/not-the-average-sql-injection/
A massive thanks to Andres for giving me the opportunity to work for him. I learnt more in the (just over) two week period working for him than I could have learnt in a whole 12 months.