malerisch.net

Kemp virtual load master is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here:  http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download By default, Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed in the post below can either be exploited attacking an authenticated user via CSRF or XSS based attacks. The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later). Change logs of the fixed issues can be found at the following page: " PD-2183 Functions have been added to sanitize input in the WUI in order to   reso

Details Vendor Site: Avant browser ( www.avantbrowser.com ) Date: December, 5 2012 – CVE (TBA) Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions Status: Unpatched Researcher: Roberto Suggi Liverani -  @malerisch PDF version:  Avant_multiple_vulnerabilities_advisory.pdf Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*) A malicious user can inject and store arbitrary JavaScript/HTML code via multiple RSS feed elements. Vulnerable elements are the following: <title>  element: JavaScript injection using HTML encoded payload <link>  element: JavaScript injection using javascript: pseudouri ( this is rendered in about:blank zone.) <description>  element: JavaScript injection using HTML encoded payload The following table shows an example of malicious RSS feed: <?xml version='1.0' encoding="ISO-8859-1"?> <rss version='2.0'> <channel> <des

Following disclosure of Oracle bugs , here is another bug found in Oracle GlassFish Server 3.1.1. The interesting part of this advisory is the exploit. When looking at the features of the Oracle GlassFish Server, I have noticed that with a XSS it would be possible to steal the session token and bypass HTTPOnly protection. I have found this condition to be true if a user is authenticated to the REST interface, which does not have the same security controls of the main web administrative interface. Quite an interesting point to keep in consideration when testing applications that come with a standard interface and a REST interface as well. Details Vendor Site: Oracle (www.oracle.com) Date: April, 19th 2012 – CVE 2012-0551 Affected Software: Oracle GlassFish Server 3.1.1 (build 12) Researcher: Roberto Suggi Liverani PDF version: http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf Description Security-Assessment.com has discover