
[Full-disclosure] Portcullis Computer Security Ltd - Advisories



Hello

Please find attached the above advisories from Portcullis Computer
Security Ltd.

Kind Regards

Tracey Parry
Advisories
Portcullis Computer Security Ltd


Portcullis Security Advisory 06-038


Vulnerable System:

Movable Type


Vulnerability Title:

Username enumeration is possible via the password reset mechanism.


Vulnerability Discovery And Development:

Portcullis Security Testing Services.


Credit For Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Movable Type; this vulnerability was discovered in 
version 3.16.


Details:

Requesting the URL 
http://webserver/path/to/mt.cgi?__mode=recover&name=<username> returns pages 
containing different error messages depending on whether an account with that 
username exists in the authentication database or not.  If an account with that 
username exists, the error message is "'Birthplace' does not match stored 
'birthplace' for this author"; however, if no account with that username 
exists, the error message "No such author with name '<username>'" is 
returned instead.


Impact:

An attacker could use this to enumerate the account usernames which exist in 
the authentication database.
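An added example (not part of the advisory): the two-message behaviour described above beside a recovery handler that answers identically for an unknown user, a wrong answer and a successful request, plus the check a reviewer would run to tell the two apart. Python rather than Movable Type's Perl; the author table, mail queue and message texts are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the authentication database: username -> stored
# birthplace answer.  Values are made up for this example.
AUTHORS = {"admin": "London", "editor": "Leeds"}
OUTBOX = []  # constructed stand-in for the outgoing mail queue
GENERIC_MESSAGE = ("If an account matching those details exists, password recovery "
                   "instructions have been sent to the e-mail address on file.")

def recover_vulnerable(name: str, birthplace: str) -> str:
    """The behaviour the advisory describes: two distinct failure messages, so the
    response itself reveals whether `name` is a valid author."""
    if name not in AUTHORS:
        return f"No such author with name '{name}'"
    if AUTHORS[name] != birthplace:
        return "'Birthplace' does not match stored 'birthplace' for this author"
    OUTBOX.append(name)
    return "Password recovery instructions have been sent."

def recover_hardened(name: str, birthplace: str) -> str:
    """One response for unknown user, wrong answer and success alike; the only
    channel that confirms anything is the e-mail, which goes to the address on file."""
    stored = AUTHORS.get(name)
    # Compare in every case so the unknown-user path does the same work, and use
    # compare_digest so comparison time does not depend on where the strings differ.
    expected = stored if stored is not None else secrets.token_hex(16)
    matched = hmac.compare_digest(expected.encode(), birthplace.encode())
    if stored is not None and matched:
        OUTBOX.append(name)
    return GENERIC_MESSAGE

def leaks_existence(handler) -> bool:
    """Review check: same wrong answer for a known and an unknown account; any
    difference in the response is a username enumeration oracle."""
    return handler("admin", "not-the-answer") != handler("no-such-author", "not-the-answer")
```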


Exploit:

Exploit code is not required.


Copyright: 

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.

Disclaimer: 

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

Portcullis Security Advisory 06-033

Vulnerable System:

Movable Type

Vulnerability Title:

The username and password hash for the administration interface are stored 
within a cookie.

Vulnerability Discovery And Development:

Portcullis Security Testing Services.

Credit For Discovery:

Tim Brown - Portcullis Computer Security Ltd.

Affected systems:

All known versions of Movable Type; the vulnerability was discovered in 
version 3.16.

Details:

Following a successful login to the administration interface, the cookie 
mt_user is set.  This cookie contains the string <account username>::<account 
password hash>::<remember flag> and is accessible to any page requested from 
within the same directory as the mt.cgi CGI script.  This string expires at 
the end of the user's session where the remember flag is set to 0 during the 
initial login, or in 10 years' time where the remember flag is set to 1 during 
the initial login.

Impact:

Should an attacker succeed in obtaining this cookie (either via Cross-site 
Scripting (XSS) as described above, interception during transmission, or from the 
user's browser), they will be able to log in successfully, either by setting a 
similar cookie in their browser or by modifying their requests through a 
Man-In-The-Middle proxy, until such time as the password for this account is changed.
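An added example (not from the advisory) contrasting the mt_user layout above with an opaque server-side session: the cookie carries no credential material, it can be revoked on logout, it has a bounded lifetime, and a password change kills every session issued before it. Python rather than Perl; the user table, the lifetimes and the cookie name mt_session are assumptions.

```python
import secrets

# Constructed user table: username -> password hash (an arbitrary value here) and
# a "password generation" counter bumped on every password change.
USERS = {"admin": {"pwhash": "0123456789abcdef0123456789abcdef", "pwgen": 1}}
SESSIONS = {}  # server-side session store: opaque token -> session record

def vulnerable_cookie(user: str, remember: bool) -> str:
    """The mt_user layout the advisory describes: credential material in the cookie."""
    return f"{user}::{USERS[user]['pwhash']}::{1 if remember else 0}"

def vulnerable_check(cookie: str) -> bool:
    """Any copy of the cookie is accepted until the stored hash changes."""
    user, pwhash, _flag = cookie.split("::")
    return user in USERS and USERS[user]["pwhash"] == pwhash

def hardened_login(user: str, remember: bool, now: int) -> str:
    """Issue an opaque random token; the session state stays server-side."""
    token = secrets.token_urlsafe(32)
    ttl = 30 * 86400 if remember else 8 * 3600   # assumption: 30 days / 8 hours, not 10 years
    SESSIONS[token] = {"user": user, "pwgen": USERS[user]["pwgen"], "exp": now + ttl}
    return token

def hardened_check(token: str, now: int):
    """Return the username for a live session, or None."""
    s = SESSIONS.get(token)
    if s is None or now >= s["exp"] or s["pwgen"] != USERS[s["user"]]["pwgen"]:
        SESSIONS.pop(token, None)   # unknown, expired, or issued before a password change
        return None
    return s["user"]

def hardened_logout(token: str) -> None:
    SESSIONS.pop(token, None)       # revocable: a stolen copy dies with the session

def change_password(user: str, new_hash: str) -> None:
    USERS[user]["pwhash"] = new_hash
    USERS[user]["pwgen"] += 1       # every session issued under the old password is now dead

def set_cookie_header(token: str, remember: bool, path: str = "/path/to/") -> str:
    """Set-Cookie attributes: HttpOnly keeps the token from injected script, Secure
    keeps it off cleartext connections; Path mirrors the advisory's mt.cgi directory."""
    header = f"mt_session={token}; Path={path}; HttpOnly; Secure; SameSite=Strict"
    return header + (f"; Max-Age={30 * 86400}" if remember else "")
```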
  
Exploit:
 
Exploit code is not required.
 
Copyright: 
 
Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.
 
Disclaimer: 
 
The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

Portcullis Security Advisory 06-034
 
Vulnerable System:

Movable Type


Vulnerability Title:

The blog directory path can be set to any arbitrary directory path during the 
creation of new blogs.


Vulnerability discovery and development:

Portcullis Security Testing Services.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Movable Type; this vulnerability was discovered in 
version 3.16.


Details:

Assuming the account that the user is logged in with has sufficient permissions 
to create new blogs, then a blog can be created with any arbitrary directory 
path.


Impact:

An attacker could use this in combination with the upload mechanism issue below 
to upload SSH private keys into the web server system user's home directory, 
overwrite existing CGI scripts, deface other web sites on the web server or 
carry out any other attack which requires the modification of files on the web 
server.  This is especially dangerous if the web server system user has 
administrative permissions which allow it to access any directory and write to 
any file.
  

Exploit:
 
Exploit code is not required.
 

Copyright: 
 
Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.
 
Disclaimer: 
 
The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

Portcullis Security Advisory 06-035
 

Vulnerable System:

Movable Type


Vulnerability Title:

The create entry mechanism is vulnerable to JavaScript injection.


Vulnerability Discovery And Development:

Portcullis Security Testing Services


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Movable Type; this vulnerability was discovered in 
version 3.16.


Details:

During the creation of new blog entries, it is possible for an attacker to 
inject JavaScript into the title, category, body, extended body and excerpt 
form elements, which will then be executed when a user visits a number of 
sections of the administration interface, including the list entries and 
preview entry mechanisms, as well as the blog index and the published entry.


Impact:

An attacker could use this to execute malicious code on visitors' computers.

  
Exploit:
 
Exploit code is not required.

 
Copyright: 
 
Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.
 
Disclaimer: 
 
The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

Portcullis Security Advisory 06-036


Vulnerable System:

Movable Type


Vulnerability Title:

A potential phishing attack via the comments mechanism.


Vulnerability Discovery And Development:

Portcullis Security Testing Services


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Movable Type; the vulnerability was discovered in 
version 3.16.


Details:

By entering a URL with a comment posted to a blog entry, it is possible to 
create URLs within the web server's domain which forward anyone who requests 
them to a URL on another web server.  Comments that include a URL are added to 
the blog entry with the URL encoded as 
http://webserver/path/to/mt-comments.cgi?__mode=red;id=<id>, which uses 
JavaScript to forward any user who requests it to the URL referenced by the id.


Impact:

By forwarding this URL, which may be seen as trusted, an attacker may be able to 
lure its recipients to a malicious site of their own creation.
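An added example (not from the advisory) of the validation the redirect-by-id mechanism above lacks: the comment URL is checked against a host allowlist when it is stored and again when the redirect is resolved, so a URL that fails the check is never forwarded to, and the check handles the usual validator edge cases (scheme-relative URLs, non-http schemes, userinfo before the host). Python rather than Perl; the allowlist and the id table are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: the blog operator maintains an allowlist of hosts that comment
# links may be forwarded to; the hosts below are constructed for this example.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "example.org"}
COMMENT_URLS = {}  # stand-in for the id -> URL table behind __mode=red;id=<id>

def is_safe_redirect(url: str) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False                  # 'javascript:', 'data:', and scheme-relative '//host'
    # .hostname ignores userinfo, so 'http://www.example.com@other.example/' is
    # judged by 'other.example', not by the text before the '@'.
    return (parts.hostname or "").lower() in ALLOWED_REDIRECT_HOSTS

def store_comment_url(comment_id: int, url: str) -> bool:
    """Validate at submission time; a URL that fails is not stored at all."""
    if not is_safe_redirect(url):
        return False
    COMMENT_URLS[comment_id] = url
    return True

def resolve_redirect(comment_id: int):
    """Re-check at redirect time so an allowlist change applies to stored URLs;
    None tells the caller to render a plain page instead of forwarding."""
    url = COMMENT_URLS.get(comment_id)
    return url if url is not None and is_safe_redirect(url) else None
```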


Exploit:

Exploit code is not required.


Copyright: 

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.


Disclaimer: 

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

Portcullis Security Advisory 06-037

 
Vulnerable System:

Movable Type


Vulnerability Title:

The upload mechanism potentially allows the upload of arbitrary code for 
execution as the web server user.


Vulnerability Discovery And Development:

Portcullis Security Testing Services.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd. 


Affected systems:

All known versions of Movable Type; this vulnerability was discovered in 
version 3.16.


Details:

Since the Movable Type application stores all uploads to a blog within the blog 
directory path, it may be possible to execute arbitrary code by uploading it 
and requesting the resulting URL.


Impact:

An attacker could use this to upload scripts written in languages such as PHP 
which the web server may, by default, execute directly from any point within 
the web root, or in combination with the blog directory path issue above to 
overwrite existing CGI scripts such as those included within the Movable Type 
application.
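An added example (not from the advisory) covering both the blog directory path issue (06-034) and the upload issue here (06-037): the requested blog directory is confined to a configured base directory, and uploaded filenames are reduced to a single allowlisted extension, so the combination the Impact sections describe has no way to write outside the blog directory or to drop a script the web server would execute. Python rather than Perl; the base directory and the allowed extension set are assumptions.

```python
import os

# Assumption: uploads are limited to a small set of non-executable types.  Serving
# them from a location where the web server does not execute scripts is the
# complementary server-side control.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".txt"}

def confine_blog_path(base: str, requested: str):
    """Return the blog directory a user asked for only if it stays inside `base`;
    None for absolute paths and '..' escapes.  Works on the path text alone; a
    deployment should also resolve symlinks (os.path.realpath) before comparing."""
    base = os.path.normpath(base)
    if os.path.isabs(requested):
        return None                        # '/home/www-data/.ssh' and the like
    candidate = os.path.normpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None                        # escaped the base via '..'
    return candidate

def accept_upload(blog_dir: str, filename: str):
    """Decide where an upload may be written: drop any directory part the client
    supplied, require exactly one allowlisted extension, refuse dotfiles."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or name.count(".") != 1:
        return None                        # '.htaccess', 'shell.php.png', no extension
    if os.path.splitext(name)[1].lower() not in ALLOWED_UPLOAD_EXT:
        return None                        # 'shell.php', 'mt.cgi'
    return os.path.join(blog_dir, name)
```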


Exploit:
 
Exploit code is not required.

 
Copyright: 
 
Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.
Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.

 
Disclaimer: 
 
The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/