67 matches found
Ubiquiti Networks UniFi Video Default - 'crossdomain.xml' Security Bypass
source: https://www.securityfocus.com/bid/68866/info UniFi Video is prone to a security-bypass vulnerability. An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. UniFi Video 2.1.3 is vulnerabl...
Flash "Rosetta" JSONP GET/POST Response Disclosure Exploit
A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded swf payload that steals the contents of a same-domain URL. Flash 'Flash "Rosetta" JSONP GET/POST Response Disclosure', 'Description' = %q A website that serves a JSON...
Flash crossdomain.xml 跨站请求伪造
Flash是由macromedia公司推出的交互式矢量图和 Web 动画的标准,由Adobe公司收购。 Flash crossdomain.xml 跨站请求伪造漏洞是指黑客利用Flash跨域配置文件(crossdomain.xml)的配置缺陷进行的跨域攻击。如果网站根目录下有crossdomain.xml文件且这个xml文件的allow-access-from标签为通配符,那么任意域就可以跨域获取本域的隐私数据。 0 Flash 修改crossdomain.xml文件且这个xml文件的allow-access-from标签不为通配符...
Discuz!配置不当可导致CSRF发帖
简要描述: Discuz!配置不当可导致CSRF发帖 详细说明: 这个漏洞中评论说的 WooYun: Discuz!全版本鸡肋CSRF漏洞一枚 ,由于crossdomain.xml配置不当,可能会导致一些问题。评论时只是有个基本的印象,没有实测,既然xsser说有对这个的防御,那来看看是怎么防的. crossdomain.xml的默认设置: 对dz的代码结构不熟,按黑盒来测。 首先是读取那个formhash,看来有了crossdomain.xml的帮助,很容易的读到了当前用户的formhash。 function gethash function getformhashtxt txt =...
Geonick Social Network Clickjacking / Credential Disclosure
Geonick Social Network suffers from a lack of clickjacking protection, it has an insecure crossdomain.xml file, and sends user credentials in the clear. GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text...
ria_enumerator
This plugin searches for various Rich Internet Application files. It currently searches for: Google gears manifests These files are used to determine which files are locally cached by google gears. They do not get cleared when the browser cache is cleared and may contain sensitive information. Fl...
Sun Java JRE Multiple Vulnerabilities (254569 / 254611 / 254608 ..) (Unix)
The version of Sun Java Runtime Environment JRE installed on the remote host is earlier than 6 Update 13 / 5.0 Update 18 / 1.4.220 / 1.3.125. Such versions are potentially affected by the following security issues : - A denial of service vulnerability affects the JRE LDAP implementation. 254569. ...
JW Player 5.9 Cross Site Scripting / Content Spoofing
Exploit for multiple platform in category web applications Hello list! I want to warn you about security vulnerabilities in JW Player. These are Content Spoofing and Cross-Site Scripting vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are JW Play...
Design/Logic Flaw
The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving 1 Admin/Defaults/frmDefaultSiteSettings.aspx, 2...
CVE-2011-2159
The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving 1 Admin/Defaults/frmDefaultSiteSettings.aspx, 2...
Ucenter Projekt 2.0 - Insecure crossdomain (Cross-Site Scripting)
Ucenter Projekt 2.0 - Insecure crossdomain Cross-Site Scripting ======================================================================================== | Title : Ucenter Projekt 2.0 Insecure crossdomain XSS Vulnerability | Author : indoushka | email : [email protected] | Home :...
OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)
The Java Plug-in in Java SE Development Kit JDK and Java Runtime Environment JRE 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948...
OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)
The Java Plug-in in Java SE Development Kit JDK and Java Runtime Environment JRE 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948...
view-source: protocol
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to 1 bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; 2 read, create, or modify...
OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)
The Java Plug-in in Java SE Development Kit JDK and Java Runtime Environment JRE 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948...
Mozilla Foundation Security Advisory 2009-17
Mozilla Foundation Security Advisory 2009-17 Title: Same-origin violations when Adobe Flash loaded via view-source: scheme Impact: High Announced: April 21, 2009 Reporter: Gregory Fleischer Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 3.0.9 Description Security researcher Gregory...
CVE-2009-1307
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to 1 bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; 2 read, create, or modify...
Design/Logic Flaw
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to 1 bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; 2 read, create, or modify...
CVE-2009-1307
CVE-2009-1307 is evidenced in connected documents as a vulnerability in the view-source: URI handling in Mozilla Firefox before 3.0.9 (also affecting Thunderbird and SeaMonkey) that breaks the Same Origin Policy. It enables remote attackers to bypass cross-domain restrictions and connect to arbit...
CVE-2009-1307
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to 1 bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; 2 read, create, or modify...