Archive for the ‘Advisories’ Category

National Rail Live Enquiries Departure Board Gadget - Script Injection Vulnerability

Thursday, April 24th, 2008

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The National Rail Live Departure Board Sidebar gadget lets users view real-time train departure boards for the main railway stations in the UK. The user chooses a “Start Station” and a “Destination Station”, and the gadget requests the up-to-date live departure information for that journey from a web server, which returns the departure board data for the gadget to display.

An attacker able to intercept and modify the web server’s response to the gadget (an on-path attacker, for example on the same network) could insert script into that response, which the gadget would then run on the user’s system. Gadget script is not confined in the way script on an ordinary web page is: a gadget can instantiate ActiveX objects and launch processes, so the injected script runs with the privileges of the currently logged-in user and can execute arbitrary commands on the target system.

security advisory: Elastic Path Unrestricted Filesystem Access

Monday, March 10th, 2008

Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. It consists of a storefront, where customers browse and select products, and an administrative back end used to manage the store.

Users of the administrative interface can be granted different levels of access. Research revealed that users holding upload/download privileges could abuse those functions to access arbitrary files on the server’s filesystem, not just the files the functions were meant to serve; exploitation therefore requires an administrative account that has been granted those privileges (read the security advisory - mirror #1, mirror #2).

update: a link to the patch is available on the Elastic Path developer site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.
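As an added example, not Elastic Path’s code (the advisory does not show the affected code, and the directory name below is an assumption), this is the check a download handler needs so that a user-supplied file name cannot reach files outside the directory it is meant to serve, together with the matching rule for the upload side. POSIX paths are assumed.

```python
import os

# Hypothetical layout: the only directory the admin download function should ever serve from.
ASSET_ROOT = "/srv/elasticpath/assets"


def resolve_download(requested, base_dir=ASSET_ROOT):
    """Map a user-supplied file name onto base_dir, refusing anything that resolves outside it.

    realpath() collapses '..' and follows symlinks, so the check sees the path the OS would
    actually open. commonpath() avoids the prefix bug where '/srv/elasticpath/assets_old'
    passes a startswith('/srv/elasticpath/assets') test.
    """
    if not requested:
        raise PermissionError("empty file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base or target == base:
        raise PermissionError(f"refusing {requested!r}: resolves outside {base}")
    return target


def is_allowed(requested, base_dir=ASSET_ROOT):
    """True if resolve_download() would serve the name, False if it refuses it."""
    try:
        resolve_download(requested, base_dir)
    except PermissionError:
        return False
    return True


def upload_name(filename):
    """Upload side: accept a bare file name only, never a path.

    Anything with a directory component, in either separator style, is refused rather than
    silently stripped, so a client cannot steer the upload into another directory.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name != filename:
        raise ValueError(f"refusing upload name {filename!r}")
    return name


if __name__ == "__main__":
    for candidate in ("catalog/prices.csv", "../../../etc/passwd", "/etc/passwd",
                      "../assets_old/secret.txt"):
        print(f"{candidate!r:32} allowed={is_allowed(candidate)}")
```

The important design choice is to canonicalise first and compare afterwards: checking the raw string for `..` misses encoded and symlinked variants, and a plain string-prefix comparison accepts sibling directories that merely share a prefix with the base.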

ITN News Gadget - Script Injection Vulnerability

Thursday, February 7th, 2008

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The ITN News Sidebar gadget lets users view the latest world, money, sports, showbiz and weather news, and read stories or watch video news in the gadget’s flyout panel. The gadget requests this content from a web server, which responds with the latest news stories. As with the National Rail gadget, an attacker able to intercept and modify the web server’s response to the gadget could insert script into that response, which the gadget would then run on the user’s system with the privileges of the currently logged-in user.
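The following is an added example, not code from either gadget advisory or from the gadgets’ authors, showing why a gadget that splices response text straight into its own HTML is at the mercy of whoever can rewrite that response. The response format, field names and the `payload()` script are constructed stand-ins; the real feed formats are not shown here. It is written in Python for demonstration (the gadgets themselves are JavaScript) and the lesson carries over directly: parse the response as data, refuse fields that carry unexpected markup, and HTML-encode every value before it reaches the DOM.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample of a departure-board response; the real feed format is not shown in the advisories.
GENUINE_RESPONSE = """<board>
  <service><time>09:15</time><platform>3</platform><status>On time</status></service>
  <service><time>09:30</time><platform>5</platform><status>Delayed</status></service>
</board>"""

# Stand-in for whatever script an on-path attacker splices into the response.
INJECTED = "<script>payload()</script>"


def tamper_in_transit(body):
    """An attacker who can rewrite the response between server and gadget edits any field."""
    return body.replace("<status>Delayed</status>", "<status>Delayed" + INJECTED + "</status>")


def render_unsafe(body):
    """Gadget-style rendering: pick fields out of responseText and concatenate them into markup.

    Whatever the attacker put inside <status> lands in the flyout as live HTML.
    """
    rows = re.findall(r"<time>(.*?)</time>.*?<status>(.*?)</status>", body, re.S)
    return "".join(f"<li>{time} {status}</li>" for time, status in rows)


def field_text(element):
    """Text of a leaf field; a field that carries child markup is refused, not cleaned."""
    if element is None or len(element) or element.text is None:
        raise ValueError("missing field or unexpected markup in response")
    return html.escape(element.text, quote=True)


def render_safe(body):
    """Parse the response as data and HTML-encode every value before it touches the DOM."""
    root = ET.fromstring(body)
    return "".join(
        f"<li>{field_text(s.find('time'))} {field_text(s.find('status'))}</li>"
        for s in root.iter("service")
    )


def render_or_reject(body):
    """Rendered markup for a well-formed response, None when the response is refused."""
    try:
        return render_safe(body)
    except (ET.ParseError, ValueError):
        return None


if __name__ == "__main__":
    tampered = tamper_in_transit(GENUINE_RESPONSE)
    print("unsafe renderer :", render_unsafe(tampered))
    print("safe renderer   :", render_or_reject(tampered))
```

Encoding stops the script from executing, but an on-path attacker can still feed the gadget false departure times or news; only an authenticated, encrypted transport (HTTPS with certificate validation) addresses that part of the problem. Both measures are needed, and the second matters more for a gadget than for a web page because, as noted above, gadget script runs with the user’s full privileges rather than inside a browser sandbox.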

Meridio Embedded Cross Site Scripting

Tuesday, January 15th, 2008

Meridio Document and Records Management is an enterprise content management system (Enterprise Document and Records Management - eDRM).

Meridio has been identified as vulnerable to a stored (“embedded”) cross-site scripting vulnerability in the ‘Title’ field when uploading a document (name=”subGeneralProps:dmpvDocTitle:PROP_W_title”) and when creating a container (name=”subGeneralProps:dmpvContainerTitle:PROP_W_title”), and also via the content of the uploaded document itself.

Consequently, a malicious user can permanently store JavaScript in the application. The stored code is served to other users of the Meridio application and executes in the browser of any user who views the page that embeds it, within that user’s session.

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation is the creativity of the attacker.

It should be noted that for this vulnerability to be exploited an attacker would need to be a user of the application or to have compromised a user account.

Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.

The full security advisory can be found here: [1] [2]

security advisory: Plogger Photo Gallery SQL Injection

Wednesday, December 19th, 2007

Plogger is an open source PHP photo gallery with over two years of development and more than 50,000 downloads. The Plogger web site (http://www.plogger.org), describes the application as a fully featured photo sharing package with an attractive and easy to use administrative interface.

It was found that insufficient validation was applied to the input parameters of the script that generates Plogger’s RSS feeds. As a result, attacker-supplied SQL could be injected into the database queries that script runs (read the security advisory - mirror #1, mirror #2).

update: this vulnerability has been assigned the following CVE number: CVE-2007-6587.
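Added example, not Plogger’s code: the advisory does not reproduce the vulnerable query, so the tables, the `collection_id` parameter and the feed query below are constructed stand-ins for an RSS script that lists the pictures in a public collection. Run against an in-memory SQLite database, it shows what string-built SQL lets a feed request do, and the validated, parameterised form that closes it.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for Plogger's tables; the schema and rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE collections (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        CREATE TABLE pictures (id INTEGER PRIMARY KEY, collection_id INTEGER, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
        INSERT INTO collections VALUES (1, 'Holiday', 1), (2, 'Private', 0);
        INSERT INTO pictures VALUES (1, 1, 'beach'), (2, 1, 'sunset'), (3, 2, 'passport scan');
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-hash');
    """)
    return db


# The feed is only meant to expose pictures from collections flagged public.
FEED_SQL = ("SELECT p.title FROM pictures p JOIN collections c ON c.id = p.collection_id "
            "WHERE c.public = 1 AND c.id = ")


def feed_titles_vulnerable(db, collection_id):
    """Builds the feed query by string concatenation, the pattern the advisory describes.

    'AND' binds tighter than 'OR', so an id of '2 OR 1=1' turns the WHERE clause into
    (public = 1 AND id = 2) OR 1=1 and the private collection leaks; a UNION payload
    pulls rows from any other table.
    """
    return sorted(row[0] for row in db.execute(FEED_SQL + collection_id))


def feed_titles_safe(db, collection_id):
    """Validates the id as an integer and binds it as a parameter, so it can never be SQL."""
    cid = int(collection_id)  # ValueError for anything that is not a plain integer
    return sorted(row[0] for row in db.execute(FEED_SQL + "?", (cid,)))


def safe_feed_rejects(db, collection_id):
    """True when the hardened feed refuses the supplied id outright."""
    try:
        feed_titles_safe(db, collection_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ("1", "2 OR 1=1", "0 UNION SELECT password_hash FROM users"):
        print(f"{payload!r:45} vulnerable -> {feed_titles_vulnerable(make_db(), payload)}"
              f"  safe rejects -> {safe_feed_rejects(make_db(), payload)}")
```

Two layers are doing the work in the safe version: the integer cast rejects anything that is not a collection id, and the bound parameter means that even a value which passed validation is sent to the engine as data, never parsed as part of the statement.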

Elastic Path Embedded Cross Site Scripting

Thursday, April 26th, 2007

Elastic Path is a Java e-commerce software platform for building online stores and shopping carts, used by businesses to run their e-commerce operations. Features such as search, merchandising, payment, tax, customer management and order management are administered through the Elastic Path manager.

Elastic Path 5.0 has been identified as vulnerable to a stored (“embedded”) cross-site scripting attack that could allow an attacker to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.

The stored XSS was identified in the ‘First Name’ and ‘Last Name’ fields as displayed on the customer details page. An attacker can enter JavaScript into these fields on any e-commerce site that uses Elastic Path, and the script executes in the Elastic Path manager, in the administrator’s session, when an administrator views that particular customer’s details.
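As an added example (not Elastic Path’s or Meridio’s code), the fragment below shows the mechanism this advisory shares with the Meridio one above: a name or title that was stored verbatim is later concatenated into an administrator’s page. The customer record, the `payload()` script and the page fragment are constructed. Note that the first-name value appears both as element text and inside an attribute, so the encoding has to cover quotes as well as angle brackets.

```python
import html

# Constructed customer record, as an attacker could register it on a storefront.
# 'First Name' / 'Last Name' are the fields the advisory names; payload() is a stand-in script.
ATTACKER = {"first_name": 'Eve"><script>payload()</script>', "last_name": "Mallory"}
# A legitimate name that happens to contain a quote: encoding must not break it.
BENIGN = {"first_name": "Seán", "last_name": "O'Brien"}


def customer_details_unsafe(c):
    """Admin 'view customer' fragment that concatenates the stored fields straight into markup."""
    return (f'<h2>{c["first_name"]} {c["last_name"]}</h2>'
            f'<input name="first_name" value="{c["first_name"]}">')


def customer_details_safe(c):
    """Same fragment, but every stored value is HTML-encoded at output time.

    quote=True also encodes '"' and "'", which matters for the attribute context:
    without it the stored value could still close the value="..." attribute and
    start a new tag, even though '<' and '>' in the text context were handled.
    """
    first = html.escape(c["first_name"], quote=True)
    last = html.escape(c["last_name"], quote=True)
    return (f"<h2>{first} {last}</h2>"
            f'<input name="first_name" value="{first}">')


def contains_live_script(fragment):
    """Demo-only check: does a <script> start tag survive into the fragment as markup?"""
    return "<script" in fragment


if __name__ == "__main__":
    print("unsafe:", customer_details_unsafe(ATTACKER))
    print("safe  :", customer_details_safe(ATTACKER))
    print("benign:", customer_details_safe(BENIGN))
```

Storing the raw value is the right thing to do (names legitimately contain quotes and apostrophes); the defence belongs at every output point, in the encoder that matches the context. HTML text and attribute contexts are covered here, while values placed inside a JavaScript string or a URL need their own encoders.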

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation is the creativity of the attacker.

Elastic Path have addressed this vulnerability and implemented a fix in version 5.1.1.

The full security advisory can be found here: [1] [2]