Tuesday 17 March 2015

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness





CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness



Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]







 

Recommendation Details:


(1) Vendor & Product Description:


Vendor:
Springshare


Product & Vulnerable Versions:
LibCal
2.0

Vendor URL & download:
http://springshare.com/libcal/


Product Introduction Overview:
“LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations."
    

    "Manage Calendar & Event Registrations
    Create custom Registration Forms
    Manage Consultation Appointments"

    Create an Online Room Booking System
    Display Library & Departmental Hours
    Share Calendar/Event Info via Widgets"



(2) Vulnerability Details:
Springshare LibCal web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several Springshare LibCal products vulnerabilities have been found by some other bug hunter researchers before. Springshare LibCal has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to Springshare LibCal vulnerabilities.


(2.1) The first code programming flaw 
occur at “/api_events.php?” page, with “&m” and “&cid” parameters.





(3) Solutions:
2014-10-01: Report vulnerability to Vendor
2014-10-15: Vendor replied with thanks and vendor changed the source code







 


References:

Wednesday 11 March 2015

醉清風 – 弦子 – 唯美空靈的音樂

Tulips

 

醉清風 – 弦子 – 唯美空靈的音樂

喜歡醉清風空靈的意境,明月,清風,孤人,琴聲,把酒當歌,令人陶醉, 特制作壹視頻,以為回憶。萬事萬物,誰是誰非,誰又能說清道明


歌曲 & 歌詞

醉清風 歌手:張弦子

月色正朦朧

與清風把酒相送

太多的詩頌

醉生夢死也空

和妳醉後纏綿

妳曾記得

亂了分寸的心動

怎麼只有這首歌

會讓妳輕聲合

醉清風

夢境的虛有

琴聲壹曲相送

還有沒有情濃

風花雪月顏容

和妳醉後纏綿

妳曾記得

亂了分寸的心動

蝴蝶去向無影蹤

舉杯消愁意正濃

無人寵

是我想得太多

猶如飛蛾撲火那麼沖動

最後

還有壹盞燭火

燃盡我

曲終人散

誰無過錯

我看破

月色正朦朧 與清風把酒相送

太多的詩頌 醉生夢死夜空

和妳醉後纏綿

妳曾記得

夢境的虛有琴聲壹曲相送

還有沒有情濃風花雪月顏容

和妳醉後纏綿

妳曾記得

夢境的虛有

琴聲壹曲相送

還有沒有情濃

風花雪月顏容

和妳醉後纏綿

妳曾記得

亂了分寸的心動

蝴蝶去向無影蹤

舉杯消愁意正濃

無人寵

是我想得太多

猶如飛蛾撲火那麼沖動

最後

還有壹盞燭火

燃盡我

曲終人散

誰無過錯

我看破