给我一瓢长江水啊长江水
那酒一样的长江水
那醉酒的滋味是乡愁的滋味
给我一瓢长江水啊长江水

© 乡土情深
Powered by LOFTER

Gcon Tech Solutions v1.0 XSS (Cross-site Scripting

来自:whitehat

Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities - whitehat - 白帽子安全漏洞

 


Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

 

Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter XSS Security Vulnerabilities

Product: Gcon Tech Solutions

Vendor: Gcon Tech Solutions

Vulnerable Versions: v1.0

Tested Version: v1.0

Advisory Publication: May 23, 2015

Latest Update: May 23, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

Gcon Tech Solutions

 

Product & Vulnerable Versions:

Gcon Tech Solutions

v1.0

 

Vendor URL & Download:

Gcon Tech Solutions can be obtained from here,

http://www.gconts.com/Development.htm

 

Google Dork:

“Developed and maintained by Gcon Tech Solutions"

 

Product Introduction Overview:

“Over the years we have developed business domain knowledge various business areas. We provide Development Services either on time and material or turn-key fixed prices basis, depending on the nature of the project. Application Development Services offered by Gcon Tech Solutions help streamline business processes, systems and information. Gcon Tech Solutions has a well-defined and mature application development process, which comprises the complete System Development Life Cycle (SDLC) from defining the technology strategy formulation to deploying, production operations and support. We fulfill our client’s requirement firstly from our existing database of highly skilled professionals or by recruiting the finest candidates locally. We analyze your business requirements and taking into account any constraints and preferred development tools, prepare a fixed price quote. This offers our customers a guaranteed price who have a single point contact for easy administration. We adopt Rapid Application Development technique where possible for a speedy delivery of the Solutions. Salient Features of Gcon Tech Solutions Application Development Services: (a) Flexible and Customizable. (b) Industry driven best practices. (c) Knowledgebase and reusable components repository. (d) Ensure process integration with customers at project initiation"

 

 

 

(2) Vulnerability Details:

Gcon Tech Solutions web application has a computer cyber security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Gcon Tech Solutions has patched some of them. The Mail Archive automatically detects when it receives mail from a new list. Thus, you are encouraged, although certainly not required, to send a test message to the newly archived list. If you are adding several lists to the archive, send a separate and distinct test message to each one. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.

 

(2.1) The first programming code flaw occurs at “&id" parameter in “content.php?" page.

 

 

 

 

 

References:

http://www.tetraph.com/security/xss-vulnerability/gcon-tech-solutions-v1-0-xss/

http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-xss-cross-site.html

http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-xss/

http://diebiyi.com/articles/security/gcon-tech-solutions-v1-0-xss/

https://webtechwire.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-xss/

http://computerobsess.blogspot.com/2015/05/gcon-tech-solutions-v10-xss.html

http://whitehatpost.blog.163.com/blog/static/24223205420154245138791/

https://itswift.wordpress.com/2015/05/24/gcon-tech-solutions-v1-0-xss/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02028.html

http://cxsecurity.com/issue/WLB-2015050068

http://seclists.org/fulldisclosure/2015/May/34

https://www.bugscan.net/#!/x/21839

http://www.openwall.com/lists/oss-security/2015/05/22/6

http://lists.openwall.net/full-disclosure/2015/04/05/8

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1957

评论
热度 ( 7 )