
Re: [Full-disclosure] Apple WGT Dictionnaire 1.3 - Script Code Inject Vulnerability



On 01.12.2012 18:33, Vulnerability Lab wrote:
> Thanks for the response! We are working on a better automatic scoring
> bound to the risk system vector calculation of our db. It's all bound and
> normally a moderator checks the content, but after a DDoS last week we
> missed checking the issue again. We are only human and mistakes can
> happen ... thanks.
>
> Update ...
>
> Title:
> ======
> Apple WGT Dictionnaire 1.3 - Script Code Inject Vulnerability
>
>
> Date:
> =====
> 2012-11-27
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=774
>
>
> VL-ID:
> =====
> 774
>
>
> Common Vulnerability Scoring System:
> ====================================
> 1.3
>
>
> Introduction:
> =============
> http://www.apple.com/downloads/dashboard/reference/dictionnaire.html
>
>
> Abstract:
> =========
> The Vulnerability Laboratory Research Team discovered a script code inject
> vulnerability in Apple's (Mac OS X) Widget Dictionnaire v1.3 software.
>
>
> Report-Timeline:
> ================
> 2012-11-27:   Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Exploitation-Technique:
> =======================
> Local
>
>
> Severity:
> =========
> Low
>
>
> Details:
> ========
> A persistent script code inject vulnerability is detected in the
> Dictionnaire, Dictionary of the French language based on TLFi (in French),
> Software.
> The vulnerability allows a local attacker to execute malicious code to
> compromise the connected client system in the LAN. The command execution
> vulnerability is located in the search field of the Dictionnaire module. The
> malicious injected script code will be directly executed out of
> the result field. Successful exploitation of the vulnerability results in
> system compromise via script code injections, persistent software
> context manipulation, external malware loads or malicious external redirects.
>
> Vulnerable Software Module(s):
>                                       [+] Search Box
>
> Vulnerable Software Parameter(s):
>                                       [+] Search Field
>
>
> Proof of Concept:
> =================
> The software validation vulnerability can be exploited by local attackers 
> with required user interaction and privileged local system account.
> For demonstration or reproduce ...
>
> PoC: Script Code Inject
> "<h1>VL Tester</h1>
> “<iframe src=http://vuln-lab.com>>
> "<iframe src=vuln-lab.com onload=alert("VLab") <>
> "<script>alert(document.cookie)</script><div style="1
>
>
> Solution:
> =========
> The vulnerability can be patched by parsing the search string input field and 
> result output (listing) web context.
>
>
> Risk:
> =====
> The security risk of the remote command execution vulnerability is estimated 
> as low.
>
>
> Credits:
> ========
> Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
> [storm@xxxxxxxxxxxxxxxxxxxxx] [iel-sayed.blogspot.com]
>
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability-Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a
> particular purpose. Vulnerability-Lab or its suppliers are not liable in any
> case of damage, including direct, indirect, incidental, consequential loss of
> business profits or special damages, even if Vulnerability-Lab or its
> suppliers have been advised of the possibility of such damages. Some states
> do not allow the exclusion or limitation of liability for consequential or
> incidental damages so the foregoing limitation may not apply. We do not
> approve or encourage anybody to break any vendor licenses, policies, deface
> websites, hack into databases or trade with fraud/stolen material.
>
> Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
> Contact:    admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx
> Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
> Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
>
> Any modified copy or reproduction, including partially usages, of this file
> requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted. All
> other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, sourcecode, videos and other information on this website is
> trademark of vulnerability-lab team & the specific authors or managers. To
> record, list (feed), modify, use or edit our material contact
> (admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx) to get a
> permission.
>
> Copyright © 2012 | Vulnerability Laboratory
>


-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
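
The fix named in the advisory's Solution section (treating the search string as data before it reaches the result output), sketched here as an added example that is not part of the original message or of the widget's code. The function names and the result markup are assumptions, since the widget source is not shown; the sample inputs are two of the search strings quoted in the advisory.

```javascript
// Added illustration only: the widget's real source is not on the page, so the
// function names and the result markup below are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable pattern: the search term is concatenated into markup
// that is then assigned to the result field as HTML.
function renderResultUnsafe(term) {
  return '<div class="result">No entry for "' + term + '"</div>';
}

// Hardened form: the term is encoded for the HTML context before insertion.
// In a DOM, assigning the term to textContent achieves the same effect.
function renderResultSafe(term) {
  return '<div class="result">No entry for "' + escapeHtml(term) + '"</div>';
}

// Regression check: list every element the fragment opens apart from the
// wrapper <div>. Anything listed came from the search term.
function injectedTags(html) {
  const opened = html.match(/<[a-zA-Z][^\s>\/]*/g) || [];
  return opened.slice(1).map((tag) => tag.slice(1).toLowerCase());
}

// Two of the search strings quoted in the advisory, used as test input.
const samples = [
  '"<h1>VL Tester</h1>',
  '"<script>alert(document.cookie)</script><div style="1',
];

for (const term of samples) {
  console.log('unsafe:', injectedTags(renderResultUnsafe(term)),
              'safe:', injectedTags(renderResultSafe(term)));
}
```

An empty list from `injectedTags` for the hardened renderer is the property to keep under regression test whenever the result view changes.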