PEAR HTTP_Upload v1.0.0b3 Arbitrary File Upload

2017-01-25 Thread hyp3rlinx
[+]
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt
[+] ISR: ApparitionSEC
[+]



Vendor:

pear.php.net



Product:

HTTP_Upload v1.0.0b3

Download:
https://pear.php.net/manual/en/package.http.http-upload.php

Easy and secure management of files submitted via HTML forms.

pear install HTTP_Upload

This class provides an advanced file uploader system for file uploads made
from HTML forms. Features:
* Can handle from one file to multiple files.
* Safe file copying from tmp dir.
* Easy detecting mechanism of valid upload, missing upload or error.
* Gives extensive information about the uploaded file.
* Rename uploaded files in different ways: as it is, safe or unique
* Validate allowed file extensions
* Multiple languages error messages support (es, en, de, fr, it, nl, pt_BR)


Vulnerability Type:
==
Arbitrary File Upload



CVE Reference:
==
N/A



Vulnerability Details:
=

The package ships with an "upload_example.php" file for testing it. When a
"restricted" PHP file is uploaded, the user gets a message such as
"Unauthorized file transmission".

Line: 488 of "Upload.php"
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');

Going through the "Upload.php" code line by line, one also finds an option
to make the extension check case sensitive, e.g. line 503:
"$_extensionsCaseSensitive" = true

Line: 874

 * @param bool $case_sensitive whether extension check is case sensitive.
 *   When it is case insensitive, the extension
 *   is lowercased before compared to the array
 *   of valid extensions.


This setting is meant to stop mixed-case or uppercase extensions (e.g. ".PHP")
from bypassing the check for disallowed PHP file types before the upload.

However, some developers are unaware that Apache can still process a file
with an extension such as PHP.1 or PHP.; as PHP when the last extension is
not in the list of MIME types known to the web server.

Therefore, an attacker can bypass the security check simply by appending ".1"
to the end of the file name, which can result in arbitrary command execution
on the affected server.

e.g.

"ext_bypass.php.1" contents:




Successfully tested on: Bitnami wampstack-5.6.29-0.
Server version: Apache/2.4.23 (Win64)

Successfully tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)



Disclosure Timeline:
==
Vendor Notification: December 31, 2016
A similar bug was reported in 2012 and left open
Issue Fixed: January 17, 2017
Public Disclosure: January 25, 2017




Severity Level:

High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is hereby
granted for the redistribution of this advisory, provided that it is not
altered except by reformatting it, and that due credit is given. Permission is
explicitly given for insertion in vulnerability databases and similar, provided
that due credit is given to the author. The author is not responsible for any
misuse of the information contained herein and accepts no responsibility for
any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information or exploits by the
author or elsewhere.

hyp3rlinx
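
A hardened version of the extension check described in the advisory, written
as an added example (it is not HTTP_Upload's code and the function names are
this example's own): every dot-separated component of the file name is
compared case-insensitively with the deny-list, so "ext_bypass.php.1" is
rejected even though its final extension is not in the list. An allow-list
variant that refuses multi-extension names altogether is shown beside it.

```php
<?php
// Added example, not part of PEAR HTTP_Upload or of the advisory above.
// Every component after the base name is checked, so a name like
// "ext_bypass.php.1" or "x.PHP.1" is rejected although its final
// extension ("1") is not in the list. Function names are this example's own.

// Deny-list as quoted from Upload.php line 488 in the advisory.
const BLOCKED_EXTENSIONS = ['php', 'phtm', 'phtml', 'php3', 'inc'];

// True when no component after the base name is a blocked extension.
// Same intent as HTTP_Upload's $_extensionsCheck, applied to all
// components instead of only the last one.
function isExtensionAllowed(string $filename, array $blocked = BLOCKED_EXTENSIONS): bool
{
    $parts = explode('.', basename($filename));
    array_shift($parts);                      // drop the base name itself
    foreach ($parts as $part) {
        if (in_array(strtolower($part), $blocked, true)) {
            return false;
        }
    }
    return true;
}

// Stricter alternative: an allow-list that accepts only a single expected
// extension, so any multi-extension name is rejected outright.
function isAllowListed(string $filename, array $allowed = ['jpg', 'png', 'pdf']): bool
{
    $parts = explode('.', basename($filename));
    return count($parts) === 2 && in_array(strtolower($parts[1]), $allowed, true);
}

// Constructed sample names, including the bypass form from the advisory.
$samples = ['report.pdf', 'script.php', 'ext_bypass.php.1', 'ext_bypass.PHP.', 'a.b.jpg'];
foreach ($samples as $name) {
    printf("%-18s deny-list: %-6s allow-list: %s\n", $name,
        isExtensionAllowed($name) ? 'ok' : 'REJECT',
        isAllowListed($name) ? 'ok' : 'REJECT');
}
```

Independently of the application-level check, the web server should hand only
names ending in .php to the PHP handler; in Apache that means a
`<FilesMatch "\.php$">` block rather than an AddHandler or AddType directive,
which applies to every name that contains the extension anywhere.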


[SECURITY] [DSA 3771-1] firefox-esr security update

2017-01-25 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-3771-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
January 25, 2017  https://www.debian.org/security/faq
------------------------------------------------------------------------

Package: firefox-esr
CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 
 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390 
 CVE-2017-5396

Multiple security issues have been found in the Mozilla Firefox web
browser: Memory safety errors, use-after-frees and other implementation
errors may lead to the execution of arbitrary code, information
disclosure or privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 45.7.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 45.7.0esr-1 of firefox-esr and version 51.0-1 of firefox.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

2017-01-25 Thread Summer of Pwnage


Google Forms WordPress Plugin unauthenticated PHP Object injection
vulnerability

Yorick Koster, June 2016


Abstract

A PHP Object injection vulnerability was found in the Google Forms
WordPress Plugin, which can be used by an unauthenticated user to
instantiate arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.


OVE ID

OVE-20160803-0001


Tested versions

This issue was successfully tested on the Google Forms WordPress Plugin
version 0.84 - 0.87.


Fix

This issue is resolved in Google Forms version 0.91.


Details

https://sumofpwn.nl/advisory/2016/google_forms_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Cisco Security Advisory: Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability

2017-01-25 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco TelePresence Multipoint Control Unit Remote Code 
Execution Vulnerability

Advisory ID: cisco-sa-20170125-telepresence

Revision 1.0

For Public Release 2017 January 25 16:00  UTC (GMT)


Summary
===

A vulnerability in a proprietary device driver in the kernel of Cisco 
TelePresence Multipoint Control Unit (MCU) Software could allow an 
unauthenticated, remote attacker to execute arbitrary code or cause a denial of 
service (DoS) condition.

The vulnerability is due to improper size validation when reassembling 
fragmented IPv4 or IPv6 packets. An attacker could exploit this vulnerability 
by sending crafted IPv4 or IPv6 fragments to a port receiving content in 
Passthrough content mode. An exploit could allow the attacker to overflow a 
buffer. If successful, the attacker could execute arbitrary code or cause a DoS 
condition on the affected system.

Cisco has released software updates that address this vulnerability. 
Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence


Cisco Security Advisory: Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability

2017-01-25 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Expressway Series and TelePresence VCS Denial of 
Service Vulnerability

Advisory ID: cisco-sa-20170125-expressway

Revision 1.0

For Public Release 2017 January 25 16:00  UTC (GMT)


Summary
===

A vulnerability in the received packet parser of Cisco Expressway Series and 
Cisco TelePresence Video Communication Server (VCS) software could allow an 
unauthenticated, remote attacker to cause a reload of the affected system, 
resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient size validation of user-supplied data. 
An attacker could exploit this vulnerability by sending crafted H.224 data in 
Real-Time Transport Protocol (RTP) packets in an H.323 call. An exploit could 
allow the attacker to overflow a buffer in a cache that belongs to the received 
packet parser, which will result in a crash of the application, resulting in a 
DoS condition.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-expressway


Cisco Security Advisory: Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability

2017-01-25 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Adaptive Security Appliance CX Context-Aware 
Security Denial of Service Vulnerability

Advisory ID: cisco-sa-20170125-cas

Revision 1.0

For Public Release 2017 January 25 16:00  UTC (GMT)


Summary
===

A vulnerability in the data plane IP fragment handler of the Adaptive Security 
Appliance (ASA) CX Context-Aware Security module could allow an 
unauthenticated, remote attacker to cause the CX module to be unable to process 
further traffic, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper handling of IP fragments. An attacker 
could exploit this vulnerability by sending fragmented IP traffic across the CX 
module. An exploit could allow the attacker to exhaust free packet buffers in 
shared memory (SHM), causing the CX module to be unable to process further 
traffic, resulting in a DoS condition.

Cisco has not released and will not release software updates that address this 
vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas



ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability

2017-01-25 Thread EMC Product Security Response Center


ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability 

EMC Identifier: ESA-2016-166 

CVE Identifier: CVE-2016-9871

Severity Rating: CVSS v3 Base Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products:
•   EMC Isilon OneFS 7.2.1.0 - 7.2.1.3
•   EMC Isilon OneFS 7.2.0.x
•   EMC Isilon OneFS 7.1.1.0 - 7.1.1.10
•   EMC Isilon OneFS 7.1.0.x

Summary:
EMC Isilon OneFS is affected by a privilege escalation vulnerability that could 
potentially be exploited by attackers to compromise the affected system.

Details:
A malicious user who has both ISI_PRIV_LOGIN_PAPI and ISI_PRIV_SYS_SUPPORT
privileges could potentially exploit this vulnerability to gain root-level
privileges.

Resolution: 
The following versions of EMC Isilon OneFS resolve this vulnerability:
•   EMC Isilon OneFS 7.2.1.4
•   EMC Isilon OneFS 7.1.1.11
EMC recommends that all customers upgrade to a version containing the 
resolution at the earliest opportunity. 
Link to remedies:

Registered EMC Online Support customers can download OneFS installation files 
from the Downloads for Isilon OneFS page of the EMC Online Support site at 
https://support.emc.com/downloads/15209_Isilon-OneFS. 
If you have any questions, please contact EMC Support.


Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.





OpenCart 2.3.0.2 CSRF - User Account Takeover

2017-01-25 Thread Open Security
===[ Introduction ]===

OpenCart is a free open source ecommerce platform for online merchants.
OpenCart provides a professional and reliable foundation from which to
build a successful online store.


===[ Description ]===

There is a security vulnerability in OpenCart 2.3.0.2 which allows a
hacker to break into a customer account.
The bug exists in the "My Account Information" page. The form is not protected
with a token, so a hacker can change a user's information silently.
A demonstration video for this vulnerability can be found here:
http://opensecurity.ca/media/opencart-csrf.mp4


===[ Timeline ]===

[17/01/2017] - Email was sent to the vendor's support desk (request #100298)
[19/01/2017] - Vendor asked to send the vulnerability to the Github repository
[19/01/2017] - Vulnerability was reported to the Github repository
[20/01/2017] - Vendor's staff replied that he knew about this vulnerability for years
[25/01/2017] - Public disclosure


===[ Credits ]===

Vulnerability has been discovered by Omid @ Open Security.


===[ References ]===

Open Security:
http://opensecurity.ca/

Original Advisory:
http://opensecurity.ca/2017/01/opencart-csrf-user-account-takeover

POC Video:
http://opensecurity.ca/media/opencart-csrf.mp4
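
The missing-token defect described in this advisory, shown as an added example
that is not OpenCart's code: a model of the account-information handler in its
unprotected form beside a version that requires a per-session token, driven by
a constructed cross-site submission. The session is a plain array and the
function names are this example's own.

```php
<?php
// Added example, not OpenCart's own code. Models the account-information
// handler without a token (as described above) and with a per-session
// CSRF token; the session is a plain array so it runs from the command line.

// Issue a fresh random token and store it in the session; the form
// rendered to the user embeds it in a hidden field.
function generateToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Vulnerable: any POST carrying the expected field names is accepted.
function editAccountUnprotected(array &$account, array $post): bool
{
    $account['email'] = $post['email'];
    return true;
}

// Hardened: the request must carry the token that was issued with the form.
function editAccountProtected(array &$account, array $post, array $session): bool
{
    if (!isset($post['token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['token'])) {
        return false;                         // forged or stale request
    }
    $account['email'] = $post['email'];
    return true;
}

// Constructed scenario: the victim is logged in and a third-party page
// auto-submits a hidden form. The browser attaches the session cookie,
// but the forged page cannot read the victim's token.
$session = [];
$account = ['email' => 'victim@example.com'];
$forged  = ['email' => 'attacker@example.com'];  // no token field
generateToken($session);

editAccountUnprotected($account, $forged);
echo "unprotected: ", $account['email'], "\n";   // attacker@example.com

$account = ['email' => 'victim@example.com'];
$ok = editAccountProtected($account, $forged, $session);
echo "protected:   ", $ok ? 'changed' : 'rejected', " (", $account['email'], ")\n";

// A legitimate submission includes the token rendered into the form.
$legit = ['email' => 'new@example.com', 'token' => $session['csrf_token']];
editAccountProtected($account, $legit, $session);
echo "legitimate:  ", $account['email'], "\n";    // new@example.com
```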