http://www.eazel.es Time Line:

• Nov 29, 2006: Discovered security issue by Jose Ramon Palanco
• Nov 30, 2006: Reported to Mono Project
• Dec 1, 2006: Patch in subversion rev 68776
• Dec 5, 2006: Mono is testing the patch and building packages for the fix
• Dec 19, 2006: Published advisory CVE-2006-6104

Using a source code disclosure attack, an attacker can retrieve the source code of server-side file. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.

An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example

http://www.server.com/app/Default.aspx%20

Update: is also possible retrieve Web.Config file. This file contains sensible informatin like credentials. ]]> http://www.eazel.es/2006/12/19/mono-xsp-asp-net-server-sourcecode-disclosure-vulnerability/feed/ 0 http://www.eazel.es/2006/10/26/gforge-cross-site-scripting-vulnerability/ http://www.eazel.es/2006/10/26/gforge-cross-site-scripting-vulnerability/#comments Thu, 26 Oct 2006 20:23:01 +0000 admin http://www.eazel.es/?p=102 Version: Tested on GForge 4.5.11 Discovered by: José Ramón Palanco: jose.palanco(at)eazel(dot)es

http://www.eazel.es Description: GForge is vulnerable to a security vulnerability that allow Cross-Site Scripting attacks. Due to improper filtering, a remote attacker can cause a cross site scripting.

To exploit any attacker may send via GET method the “words” variable to:
>”<script>alert(‘www.eazel.es’)</script>
to http://site/search/advanced_search.php?group_id=X&search=1
where X is any active project in the gforge installation.
Timeline:
discovered: 26/10/2006
published: 5/01/2007

keywords: advisory006-gforge-cross-site-scripting-vulnerability.html ]]> http://www.eazel.es/2006/10/26/gforge-cross-site-scripting-vulnerability/feed/ 0 http://www.eazel.es/2006/10/20/d-link-dsl-g624t-several-vulnerabilities/ http://www.eazel.es/2006/10/20/d-link-dsl-g624t-several-vulnerabilities/#comments Fri, 20 Oct 2006 20:21:27 +0000 admin http://www.eazel.es/?p=100 Version: Tested on D-Link DSL-G624T
Version: Firmware Version : V3.00B01T01.YA-C.20060616 Discovered by: José Ramón Palanco: jose.palanco(at)eazel(dot).es

http://www.eazel.es Description: D-Link DSL-G624T ADSL Router is vulnerable to several securities.

Directory transversal

http://router/cgi-bin/webcm?getpage=/./././././././etc/passwd

http://router/cgi-bin/webcm?getpage=/./././././././etc/config.xml

Cross Site Scripting

Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fstate
Value:: >”><ScRiPt%20%0a%0d>alert(20102006)%3B</ScRiPt>

Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fconnection
Value:: >”><ScRiPt%20%0a%0d>alert(20102006)%3B</ScRiPt>

Url:: http://router/cgi-bin/webcm
Method:: POST
Variable:: upnp%3Asettings%2Fconnection
Value:: “+onmouseover=”alert(20102006)

Directory listing

Is possible to list the /cgi-bin directory

keywords: advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ]]> http://www.eazel.es/2006/10/20/d-link-dsl-g624t-several-vulnerabilities/feed/ 1 http://www.eazel.es/2006/08/05/xpath-injection/ http://www.eazel.es/2006/08/05/xpath-injection/#comments Sat, 05 Aug 2006 20:58:23 +0000 admin http://www.eazel.es/?p=126 Autor:

http://www.eazel.es Description: Zyxel Prestige 660H-61 ADSL Router is vulnerable to a security vulnerability that allow Cross-Site Scripting attacks.
Due to improper filtering, a remote attacker can cause a cross site scripting in this script:

http://router/Forms/rpSysAdmin?a=%3Cscript%3Ealert(‘www.eazel.es’)%3C/script%3E

keywords: advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting.php ]]> http://www.eazel.es/2006/07/26/zyxel-prestige-660h-61-cross-site-scripting/feed/ 0 http://www.eazel.es/2006/07/25/siemens-speedstream-2624-denial-of-service-vulnerability/ http://www.eazel.es/2006/07/25/siemens-speedstream-2624-denial-of-service-vulnerability/#comments Tue, 25 Jul 2006 20:06:08 +0000 admin http://www.eazel.es/?p=94 CVE Reference:  CVE-2006-3907   (Links to External Site)
Updated:  Jun 13 2008
Original Entry Date:  Jul 26 2006
Impact:  Denial of service via network
Version(s): Model 2624; possibly others
Description:  A vulnerability was reported in SpeedStream. A remote user can cause denial of service conditions.

A remote user can send a specially crafted packet to the administrative web server to cause the target router to freeze. A reboot is necessary to return to normal operations.

The vendor was notified on May 4, 2006.

Jaime Blasco discovered this vulnerability.

The original advisory is available at:

http://www.digitalarmaments.com/2006310665340982.html

Impact:  A remote user can cause the target device to freeze.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.siemens.com/ (Links to External Site)
Cause:  Exception handling error
Reported By:  info@digitalarmaments.com
Message History:   None.

Digital Armaments advisory is 05.4.2006

http://www.digitalarmaments.com/2006310665340982.html

I. Background

The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small business solutions. T
ogether with an existing DSL
 or cable modem connection, this affordable, easy to use connection sharing solution brings the freed
om of high-speed, wireless broadband
 connectivity to home and SOHO networks. Its comprehensive functionality provides vital firewall prot
ection, IP sharing capabilities,
 and fundamental routing features that support popular protocols like NetMeeting and VPN.

For further information or detail about the software you can refer to the vendor's homepage:

http://subscriber.communications.siemens.com/

II. Problem Description

It is possible with a specially crafted packet sent to the Web Server that permit Administration of t
he Router to freeze it.

III. Detection

This problem has been detected on latest version of Siemens Speedstrem Router. It has been tested on
the Speedstream 2624.

IV. Impact analysis

Successful exploitation allow an attacker to freeze the router. Reboot is necessary.

V. Solution

First notification 05.04.2006.

Second notification 05.24.2006.

No answer from the vendor.

VI. Credit

Jaime Blasco - jaime.blasco@eazel.es is credited with this discovery.

Get paid and get stocks by vulnerability submission

http://www.digitalarmaments.com/contribute.html

VII. Legal Notices

Copyright © 2006 Digital Armaments LLC.

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint t
he whole is allowed, partial
 reprint is not permitted. For any other request please email customerservice@digitalarmaments.com fo
r permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing base
d on currently available information.
 Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties
 with regard to this information.
 Neither the author nor the publisher accepts any liability for any direct, indirect, or consequentia
l loss or damage arising from
 use of, or reliance on, this information. 

Digital Armaments advisory is 05.4.2006

http://www.digitalarmaments.com/2006310665340982.html

I. Background

The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small business solutions. T
ogether with an existing DSL
 or cable modem connection, this affordable, easy to use connection sharing solution brings the freed
om of high-speed, wireless broadband
 connectivity to home and SOHO networks. Its comprehensive functionality provides vital firewall prot
ection, IP sharing capabilities,
 and fundamental routing features that support popular protocols like NetMeeting and VPN.

For further information or detail about the software you can refer to the vendor's homepage:

http://subscriber.communications.siemens.com/

II. Problem Description

It is possible with a specially crafted packet sent to the Web Server that permit Administration of t
he Router to freeze it.

III. Detection

This problem has been detected on latest version of Siemens Speedstrem Router. It has been tested on
the Speedstream 2624.

IV. Impact analysis

Successful exploitation allow an attacker to freeze the router. Reboot is necessary.

V. Solution

First notification 05.04.2006.

Second notification 05.24.2006.

No answer from the vendor.

VI. Credit

Jaime Blasco - jaime.blasco@eazel.es is credited with this discovery.

Get paid and get stocks by vulnerability submission

http://www.digitalarmaments.com/contribute.html

VII. Legal Notices

Copyright © 2006 Digital Armaments LLC.

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint t
he whole is allowed, partial
 reprint is not permitted. For any other request please email customerservice@digitalarmaments.com fo
r permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing base
d on currently available information.
 Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties
 with regard to this information.
 Neither the author nor the publisher accepts any liability for any direct, indirect, or consequentia
l loss or damage arising from
 use of, or reliance on, this information. 

Multiple FlexWATCH Network Cameras are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the built-in Web server. A remote attacker could exploit this vulnerability using unspecified scripts and parameters to execute arbitrary script in a victim’s Web browser within the security context of the affected device, allowing the attacker to steal the victim’s cookie-based authentication credentials.

*CVSS:

Consequences:

Gain Access

Remedy:

Refer to the FlexWATCH Web site for patch information. See References.

References:

• BugTraq Mailing List, Mon Jul 10 2006 – 04:38:31 CDT : Digital Armaments Security Advisory 10.07.2006: Flexwath Authorization Bypassing and XSS Vulnerability.
• FlexWATCH Web site: FlexWATCH – Network Camera Server.
• BID-18936: FlexWATCH Network Camera Cross-Site Scripting Vulnerability
• CVE-2006-3603: Cross-site scripting (XSS) vulnerability in index.php in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL.
• SA20994: FlexWATCH Network Camera FW-3400 Two Vulnerabilities

I. Background

FlexWATCH is a stand-alone network camera server with built-in CMOS camera and web server which deliver crisp real time
live videos at a rate up to 30fps over the network. It is normally used as security camera.
For further information or detail about the software you can refer to the vendor's homepage:

http://www.flexwatch.com/

II. Problem Description

Flexwatch Network Cameras are vulnerable to two security flaws, allowing a cross site scripting and bypassing the
protected areas. Here detailed:

- Cross-site scripting:

An attacker can cause a Cross-site-scripting:
http://camera/%3Cscript%3Ealert('www.eazel.es')%3C/script%3E

- Authorization Bypassing:

An attacker can bypass the protection of protected pages using /..%2f and access to administrative area:
Network Camera V3.0: http://camera/..%2fadmin/aindex.asp
Networks Camera Prior versions: http://camera/app/..%2fadmin/aindex.htm

III. Detection

This problem has been detected on latest and older version of Flexwatch Network Cameras.
Network Camera Versions tested on:
- ver 3.0 for FW-3400-A(PAL)
- ver 2.0 (PAL)
- ver 2.3 (NTSC)

IV. Impact analysis

Successful exploitation allow an attacker to bypass authorization and access the image/video of the security camera.
Cross site attacks are also possible.

V. Solution

First notification 04.16.2006.
Second notification 04.22.2006.
No answer from the vendor.

VI. Credit

Jaime Blasco - jaime.blasco () eazel es is credited with this discovery.

Get paid and get stocks by vulnerability submission
http://www.digitalarmaments.com/contribute.html

VII. Legal Notices

Copyright © 2006 Digital Armaments LLC.

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint the whole is
allowed, partial reprint is not permitted. For any other request please email customerservice () digitalarmaments com
for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently
available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.

A remote user can access protected files without having to login to the system by using the UPnP support interface.

The vendor was notified on May 2, 2006, without response.

Jaime Blasco discovered this vulnerability.

The original advisory is available at:

http://www.digitalarmaments.com/2006290674551938.html

Impact:  A remote user can access ostensibly protected files on the target device.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.siemens.com/ (Links to External Site)
Cause:  Access control error
Reported By:  info@digitalarmaments.com
Message History:   None.

Digital Armaments advisory is 05.02.2006

http://www.digitalarmaments.com/2006290674551938.html

I. Background

The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small business solutions. T
ogether with an existing DSL
 or cable modem connection, this affordable, easy to use connection sharing solution brings the freed
om of high-speed, wireless broadband
 connectivity to home and SOHO networks. Its comprehensive functionality provides vital firewall prot
ection, IP sharing capabilities,
 and fundamental routing features that support popular protocols like NetMeeting and VPN.

For further information or detail about the software you can refer to the vendor's homepage:

http://subscriber.communications.siemens.com/

II. Problem Description

Speedstream routers have UPnP/1.0 support. An attacker can access protected files and bypass the pass
word protection without login
 using the UPnP part of the tree.

III. Detection

This problem has been detected on latest version of Siemens Speedstrem Router. It has been tested on
the Speedstream 2624.

IV. Impact analysis

Successful exploitation allow an attacker to bypass the password protection. It also allow an attacke
r to access protected files without
 login.

V. Solution

First notification 05.02.2006.

Second notification 05.20.2006.

No answer from the vendor.

VI. Credit

Jaime Blasco - jaime.blasco@eazel.es is credited with this discovery.

Get paid and get stocks by vulnerability submission

http://www.digitalarmaments.com/contribute.html

VII. Legal Notices

Copyright © 2006 Digital Armaments LLC.

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint t
he whole is allowed, partial
 reprint is not permitted. For any other request please email customerservice@digitalarmaments.com fo
r permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing base
d on currently available information.
 Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties
 with regard to this information.
 Neither the author nor the publisher accepts any liability for any direct, indirect, or consequentia
l loss or damage arising from
 use of, or reliance on, this information.