Re: New vulnerabilities in eSitesBuilder

["MustLive" <mustlive () websecurity com ua>]

Hello security curmudgeon!

> How many times are you going to disclose this?

Be attentive - I wrote about different holes.

In June (http://seclists.org/bugtraq/2010/Jun/189) I wrote about XSS in
public forget.php (for users):

http://site/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

In August (http://seclists.org/fulldisclosure/2010/Aug/306) I wrote about
multiple holes in eSitesBuilder and in particularly wrote about holes in
public forget.php. I wrote about Insufficient Anti-automation and mentioned
for company :-) about earlier-mentioned XSS (so both holes in this script
would be in one place). Also it was possible to mention about Abuse of
Functionality hole in this script (to write about three holes in it in one
advisory), but only later I decided to write about this hole - in hidden
forget.php script - which I did in the next advisory (and people easily
could understand that both forget.php scripts has AoF hole which allows to
enumerate logins).

In December (http://seclists.org/fulldisclosure/2010/Dec/465) I wrote about
XSS in hidden (there are no public links to it) forget.php (for admins):

http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

Plus added information about Insufficient Anti-automation and Abuse of
Functionality holes in this script. So these are two different forget.php
scripts. Which both have three similar holes (it's quite expected, that
developers used the same code for forget password functionality for users
and for admins).

> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:

My dear, in that timeline I showed that first time I found these holes long
time ago - at two e-commerce sites (99% of all holes I'm finding at web
sites in Internet). And I informed admins of those sites (which lamerly
ignored to fix the holes) and they could inform developer of this commercial
CMS (but most of holes wasn't fixed at demo site of CMS developer, which
showed that developer also don't care about security for a long time,
regardless if he was informed by owners of these sites or not, because they
ignored even after my informing).

This information in timeline must show long time ignorance of security by
owners of e-commerce sites (online shops) and developers of e-commerce
engines. And there must not be any questions (because everything must be
clear). But if there is some incomprehensibility, then I'll make it clear.

Those sites didn't show what engine they were using (it's common for
commercial engines and sites on such engines, online shops in particular).
Only in summer 2010 I've found (when decided to do it) at one of these
online shops, and then checked at another, the hidden admin panel with 
mentioned name of engine. As I wrote in Timeline:

> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).

And after I found that it's eSitesBuilder, I wrote series of advisories
about holes in this engine (as those holes which I found in 2007-2008, as
those ones found in 2010).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "security curmudgeon" <jericho () attrition org>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Sunday, April 17, 2011 3:56 AM
Subject: Re: [Full-disclosure] New vulnerabilities in eSitesBuilder


> : SecurityVulns ID: 11310.
>
> : XSS (WASC-08):
> :
> :
> http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
>
> How many times are you going to disclose this?
>
> http://seclists.org/bugtraq/2010/Jun/189
>
> http://seclists.org/fulldisclosure/2010/Aug/306
>
> http://seclists.org/fulldisclosure/2010/Dec/465
>
> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:
>
> 21.11.2007 - found some of these vulnerabilities.
> 11.08.2008 - announced at my site.
> 11.08.2008 - informed admins of web site.
> 11.08.2008 - found others of these vulnerabilities.
> 11.02.2009 - disclosed at my site about first vulnerabilities.
> 05.05.2009 - disclosed at my site about other vulnerabilities.
> 06.05.2009 - informed admins of web site about other vulnerabilities.
> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).
> 19.06.2010 - informed developers (in case if owners of vulnerable site
> didn't informed them in previous years).
>
> Seriously, how long can you milk a single XSS here?
>
> : 2010.10.08 - announced at my site.
> : 2010.10.08 - informed developers.
> : 2010.12.16 - disclosed at my site.
> :
> : I mentioned about these vulnerabilities at my site
> : (http://websecurity.com.ua/4588/).
>
> http://websecurity.com.ua/4300/
>
> Several times, yes you did.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/