Ivano Binetti

Personal Blog

Latest articles

Apache Tomcat 5.5.25 Deploy/Undeploy/Start/Stop Applications

My friend Gianmarco Pirozzi and I discovered new vulnerabilities affecting Apache Tomcat which allow an attacker to perform the following malicious activities: undeploy an existing application, deploy a new application, stop an application, start an application. For more details you can read our Original Advisory: Apache Tomcat 5.5.25 Start/Stop/Deploy/Undeploy Application...

D-Link DSL-2740B Multiple CSRF Vulnerabilities | CVE-2013-5730

I’ve discovered multiple new CSRF vulnerabilities affecting the D-Link DSL-2740B ADSL router allowing an attacker to carry out malicious activities, such as: Disable/Enable Wireless MAC Address Filter. Disable/Enable all the Firewall protections (both “SPI” and “DOS and Portscan Protection”). Enable/Disable Remote Management (in my exploit I enabled remote management...

Update on Google Translate CSRF Vulnerability | Google is fixing the issue

Hey there, some days ago – 15th of August (2013) – I received the following email from Google Security Team about my latest Google Translate vulnerability: Hello, This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything. Thanks for all your help! Regards, Google Security Team I cannot hide that,...

Translate.google.com | CSRF Vulnerability

I have discovered a new CSRF vulnerability on the translate.google.com web site which could allow an attacker to insert items (words/phrases/URLs and related translations) into the user’s Phrasebook. Furthermore, an attacker could also insert potentially malicious URLs – into the above mentioned Phrasebook – towards which the victim could be redirected...

D-Link DSL-2740B (ADSL Router) Authentication Bypass | CVE-2013-2271

I’ve discovered a new vulnerability affecting the D-Link DSL-2740B ADSL Wifi Router, which allows an attacker to completely bypass the authentication of this device and gain administrative access. For more details, please read my Advisory: D-Link DSL-2740B (ADSL Router) Authentication Bypass. MITRE CVE Numbering Authority assigned me CVE-2013-2271 for this...

Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

Axous 1.1.1 (and below) is prone to CSRF and persistent XSS vulnerabilities due to improper input sanitization of multiple parameters. More details follow: CSRF Vulnerabilities. Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a special...

WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change post titles, add administrators/users, delete administrators/users, approve and unapprove comments, delete comments, change the background image, insert a custom header image, change the site title, change the administrator’s email, change the WordPress Address, change...

PlumeCMS

PlumeCMS 1.2.4 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of multiple parameters. The “u_email” and “u_realname” parameters are not correctly sanitized before being passed to the server side script “manager/users.php” via HTTP POST method. An attacker – who is able to change his profile settings – could...

CMS Made Simple

CMS Made Simple 1.10.3 (and lower) is prone to an XSS vulnerability due to improper input sanitization of the “email” parameter, passed to the server side script “admin/edituser.php” via HTTP POST method. To view my Original Advisory: CMS Made Simple <= 1.10.3 XSS Original Advisory. MITRE CVE Numbering Authority assigned me CVE-2012-1992 for this vulnerability. This...

SocialCMS

SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “TR_title” parameter, passed to “my_admin/admin1_list_pages.php” via HTTP POST method. Exploiting this vulnerability, an authenticated user – who is able to publish an article – could insert arbitrary code in the web management interface “Title”...
