Full Disclosure mailing list archives

By Date By Thread MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities From: Jing Wang <justqdjing () gmail com>

Date: Fri, 8 May 2015 21:19:46 +0800

*MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities* Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple XSS Security Vulnerabilities Product: Web-Design Vendor: MT.VERNON MEDIA Vulnerable Versions: v1.12 Tested Version: v1.12 Advisory Publication: May 07, 2015 Latest Update: May 07, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] (@justqdjing) *Recommendation Details:* *(1) Vendor & Product Description:* *Vendor:* MT.VERNON MEDIA *Product & Vulnerable Versions:* Web-Design v1.12 *Vendor URL & Download:* MT.VERNON MEDIA can be obtained from here, http://www.mtvernonmedia.com/services/WebDesign.html *Google Dork:* "developed by: Mt. Vernon Media" *Product Introduction Overview:* "In today's economy every business is more focused on ROI (Return On Investment) than ever before. We'll help you ensure a solid ROI for your website, not only making it effective and easy to use for your clients, but helping you to drive traffic to your site and ensuring effective content and design to turn traffic into solid leads, sales, or repeat customers. We offer custom design and development services tailored to your needs and specifications drawn up jointly with you to ensure that the appropriate technology is leveraged for optimum results, creating a dynamic and effective design, based on market effectiveness and user-friendly design standards. Our developers are experts in web application development using various programming languages including Perl, SQL, C, C+, and many other back-end programming languages, as well as database integration. For a view of some of your past projects, take a look at our list of clients. We handle custom development of your Internet project from conception through publication: Internet & Intranet sites Design concepts, layouts, and specifications Intuitive Graphical User Interface (GUI) design Dynamic navigation design Creation and manipulation of graphical design elements GIF Animation Flash development HTML hand-coding and debugging JavaScript for interactivity and error-checking ASP (Active Server Pages) Customized Perl CGI scripts (mailing lists, form submission, etc) Customized application development in varied programming languages Site publication and promotion On-going updating and maintenance Banner ads" *(2) Vulnerability Details:* MT.VERNON MEDIA Web-Design web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several other MT.VERNON MEDIA products 0-day vulnerabilities have been found by some other bug hunter researchers before. MT.VERNON MEDIA has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, solutions details related to XSS vulnerabilities. *(2.1) *The first programming code flaw occurs at "section.php?" page with "&id" parameter. *(2.2)* The second programming code flaw occurs at "illustrated_verse.php?" page with "&id" parameter. *(2.3)* The third programming code flaw occurs at "image.php?" page with "&id" parameter. *(2.4) *The forth programming code flaw occurs at "gallery.php?" page with "&np" parameter. *References:* http://www.tetraph.com/security/xss-vulnerability/mt-vernon-media-web-design-v1-12-multiple-xss/ http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple.html http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-multiple-xss/ https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-multiple-xss/ http://whitehatpost.blog.163.com/blog/static/24223205420154885036469 https://progressive-comp.com/?a=139222176300014&r=1&w=1​ https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44832 https://www.bugscan.net/#!/x/21289 http://bluereader.org/article/30765596 -- Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities Jing Wang (May 08)