Thursday, 19 December 2013

Yandex Metrica multiple XSS vulnerabilities

Ok, some time ago I found a few XSS vulnerabilities in one of Yandex's services, called Metrika. Most are fixed now, so I can provide the Proof of Concepts publicly. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed, so it will be disclosed later; it's nothing special really)

2) Stored XSS - external links

Demonstration video is quite long because I was creating PoC while recording. ;-)

http://www.youtube.com/watch?v=ZhNn0uYXpL8

3) Stored XSS - WebVisor

Visiting a website that has the Metrica counter installed, using a URL of this form:

http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab

causes Metrica WebVisor to render the recorded URL without escaping, which is just another stored XSS.
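To show what the WebVisor case above boils down to from the defender's side, here is an added example (my own illustration, not Yandex code; the report markup and the `RECORDED_URL` sample are constructed, with the payload text taken from the URL shown above). A visited URL is untrusted attacker-controlled input once it lands in a stored report, so it must be HTML-escaped at the point where it is written into the page, and it helps to flag such records for review:

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: a page URL of the kind the analytics counter records,
# carrying the same markup as the URL quoted in the post.
RECORDED_URL = 'http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab'


def render_unescaped(url: str) -> str:
    """The flawed pattern: the recorded URL is pasted straight into report HTML,
    so any tag inside it is interpreted by the viewer's browser."""
    return f'<td class="url">{url}</td>'


def render_escaped(url: str) -> str:
    """Hardened pattern: escape <, >, &, quotes before interpolating into
    element content, so the URL is displayed as text rather than parsed."""
    return f'<td class="url">{html.escape(url, quote=True)}</td>'


def safe_href(url: str) -> str:
    """When the recorded URL is also rendered as a clickable link (hypothetical
    report feature), restrict it to http(s) and escape it for the attribute
    context; anything else degrades to an inert placeholder."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def looks_like_markup(url: str) -> bool:
    """Detection helper for log review: true when the (percent-decoded) URL
    contains angle brackets, which a legitimate page URL almost never does."""
    decoded = unquote(url)
    return "<" in decoded or ">" in decoded


if __name__ == "__main__":
    print("flawed  :", render_unescaped(RECORDED_URL))
    print("hardened:", render_escaped(RECORDED_URL))
    print("link    :", safe_href(RECORDED_URL))
    print("flagged :", looks_like_markup(RECORDED_URL))
```

Escaping at output time is the fix that matters here; the `looks_like_markup` check is only a cheap way to surface suspicious records (including percent-encoded ones) in the collected data, not a substitute for escaping.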

4) Stored XSS - file downloads

http://www.youtube.com/watch?v=4xgcjisyzK8

5) Stored XSS - Clickpath analysis

http://www.youtube.com/watch?v=SqTSoCd86Sk

6) Reflected XSS - Form Data analysis

http://www.youtube.com/watch?v=LALvffnT-vQ

7) *BONUS* out of scope (so unrewarded) reflected XSS in yandex.st.

http://yandex.st/mail/neo2/7.35.2005/static/swf/web-socket.swf?onLoad=this.alert('XSS')

Effect + source code:


And that's all for today. :)

Saturday, 14 December 2013

[EN] LiveZilla multiple vulnerabilities

I was looking a bit into the LiveZilla source code and found a few vulnerabilities. Most of them were fixed in 5.1.2.1, released a few days ago. Details:


CVE-2013-7034 - LiveZilla 5.1.2.0 PHP Object Injection
CVE-2013-7033 - LiveZilla 5.1.2.0 Insecure password storage
CVE-2013-7032 - LiveZilla 5.1.2.0 Multiple Stored XSS in webbased operator client
CVE-2013-7003 - LiveZilla 5.1.1.0 Stored XSS in operator clients
CVE-2013-7002 - LiveZilla 5.1.0.0 Reflected XSS in translations