Advisories

WEP/WPA key generator for Huawei gateways

by Paulino Calderon on Sat, Jan 22 2011 00:43:00

We are proud to release our WEP/WPA default key generator for Huawei HG520x and HG530 gateways. These devices derive their default wireless keys from the device's MAC address with a weak, predictable algorithm, so the key can be computed from the BSSID the gateway broadcasts. Humberto Ochoa, one of our vulnerability researchers at Websec, did a great job reverse-engineering the algorithm:

Mac2wepkey - WEP/WPA default key generator for Huawei HG520x and HG530 Gateways

Ironically, Prodigy Telmex, the biggest ISP in Mexico, just replaced my old 2wire router with one of these vulnerable modems, a newer and "better" device (According to their technician of course hehe). 

XSS vulnerabilities in Croogo CMS 1.3

by Paulino Calderon on Tue, Jun 15 2010 03:52:00

Summary

Croogo CMS is prone to HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Details

Vulnerable Software: Croogo CMS 1.3
Full Disclosure Date: 2010-06-14
Last Update: 2010-05-10
Criticality: Low
Impact: HTML injection
        Session hijack
        Denial of service
        Script execution in the victim's browser

Solution Status: Vendor informed and patch submitted to public repository

BACKGROUND
======================= 

Croogo is a content management system that is rapidly gaining popularity in the CakePHP community.

DESCRIPTION
======================= 

Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

EXPLOIT / POC
======================= 

Attackers can exploit this issue with a web browser by submitting malicious markup through the field 'name' of the user registration form (http://site/users/add) or the field 'data[Comment][body]' of the "add a comment" form used to comment on a post (http://site/comments/add/).

In the comment case the field 'data[Comment][body]' is sanitized correctly on storage, but Tipsy, the JavaScript library that builds the tooltips in the admin panel, reads the stored string back and decodes the encoded value a second time before inserting it as HTML, so the attacker's markup ends up rendered in the administrator's browser.
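The re-decoding path described above, modelled end to end in plain Node.js as an added illustration (this is not Croogo's or Tipsy's code: the htmlEncode routine stands in for the server-side sanitization, browserAttributeValue stands in for the HTML parser's decoding of character references in attribute values, and the payload, the title-attribute markup and the two tooltip modes are constructed for the example). It shows why a value that was correctly entity-encoded from the 'name' or 'data[Comment][body]' field is still dangerous once a tooltip library reads it back out of an attribute and inserts it as markup:

```javascript
// Added illustration of the Croogo 1.3 / Tipsy re-decoding problem.
// Not Croogo's or Tipsy's code: a DOM-free model of the pipeline in Node.js.

// Stand-in for the server-side sanitization applied before storage
// (modelled on PHP htmlspecialchars with ENT_QUOTES; an assumption).
function htmlEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// The admin panel emits the stored value inside a title attribute so the
// tooltip library can pick it up (markup shape assumed for the example).
function renderTitleAttribute(stored) {
  return `<a href="#" class="tooltip" title="${stored}">view comment</a>`;
}

// Stand-in for the browser: the HTML parser decodes character references in
// attribute values exactly once, so el.getAttribute('title') returns the
// decoded string, undoing the server's encoding before any script sees it.
function browserAttributeValue(attrValue) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return attrValue.replace(
    /&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi,
    (m, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      const key = name.toLowerCase();
      return key in named ? named[key] : m;
    }
  );
}

// Tooltip body as a Tipsy-style library builds it: in html mode the title
// goes in as markup (jQuery .html()), otherwise as text (.text()).
function tooltipInner(title, htmlMode) {
  return htmlMode ? title : htmlEncode(title);
}

// Constructed payload, as an attacker would submit it in data[Comment][body]
// or in the registration form's name field.
const PAYLOAD = "<img src=x onerror=alert(document.cookie)>";

// Follow one submission from storage to the tooltip DOM in the admin panel.
function simulate(htmlMode, input = PAYLOAD) {
  const stored = htmlEncode(input);                  // sanitized on save
  const markup = renderTitleAttribute(stored);       // page as served
  const attr = markup.match(/title="([^"]*)"/)[1];   // raw attribute text
  const seenByJs = browserAttributeValue(attr);      // getAttribute('title')
  return tooltipInner(seenByJs, htmlMode);           // what the tooltip renders
}

// The encoding itself is sound in the attribute context: the served page
// never contains the raw tag. The bug is entirely in what happens afterwards.
function servedMarkupIsInert(input = PAYLOAD) {
  return !renderTitleAttribute(htmlEncode(input)).includes("<img");
}

console.log("html mode :", simulate(true));   // raw <img ...>, onerror would fire
console.log("text mode :", simulate(false));  // &lt;img ...&gt;, inert text
```

Running the block prints both tooltip bodies: in html mode the tooltip content is the original payload, so the administrator's browser would execute the onerror handler, while in text mode it is inert. Encoding on the server was not wrong; the attribute context is decoded by the browser by design, so any client-side code that turns an attribute value back into markup reintroduces the injection. The safe choice for a tooltip is to insert the title as text (in Tipsy terms, leaving its html option off) unless the value is known to be trusted markup.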

WORKAROUND
======================= 

Upgrade to Croogo 1.3.1 or apply the patch from Croogo's public repository.

DISCLOSURE TIMELINE
======================= 

2010/05/08 - Vulnerability discovered
2010/05/08 - Vendor contacted
2010/05/12 - Patch submitted to Croogo's public source code repositories
2010/06/14 - Full disclosure

REFERENCES
======================= 

Croogo CMS - Croogo CMS Official website
Croogo on GitHub - Croogo GitHub
Websec's advisory permalink - http://websec.ca/advisories/view/ws10-08-croogo_cms_1.3_xss_vulnerabilities