PEAR HTTP_Upload v1.0.0b3 Arbitrary File Upload
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt
[+] ISR: ApparitionSEC

Vendor:
=======
pear.php.net

Product:
========
HTTP_Upload v1.0.0b3

Download: https://pear.php.net/manual/en/package.http.http-upload.php

Easy and secure management of files submitted via HTML forms.

pear install HTTP_Upload

This class provides an advanced file uploader system for file uploads made from HTML forms.

Features:
* Can handle from one file to multiple files.
* Safe file copying from tmp dir.
* Easy detecting mechanism of valid upload, missing upload or error.
* Gives extensive information about the uploaded file.
* Rename uploaded files in different ways: as it is, safe or unique
* Validate allowed file extensions
* Multiple languages error messages support (es, en, de, fr, it, nl, pt_BR)

Vulnerability Type:
===================
Arbitrary File Upload

CVE Reference:
==============
N/A

Vulnerability Details:
======================
The package comes with an "upload_example.php" file to test the package. When uploading a "restricted" PHP file, the user gets a message like "Unauthorized file transmission".

Line 488 of "Upload.php":

var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');

If the user goes through the "Upload.php" code line by line, they will find an option to make the check case sensitive, e.g.

Line 503:
$_extensionsCaseSensitive = true

Line 874:
* @param bool $case_sensitive whether extension check is case sensitive.
* When it is case insensitive, the extension
* is lowercased before compared to the array
* of valid extensions.

This setting is meant to prevent a bypass of the disallowed PHP file types through a mixed-case or uppercase extension before uploading. However, some developers are unaware that Apache can process a file with an extension like PHP.1, PHP.; etc. if the last extension is not in the list of MIME types known to the web server.

Therefore, attackers can easily bypass the security check by appending ".1" to the end of the file name, which can result in arbitrary command execution on the affected server.

e.g. "ext_bypass.php.1" contents:

Successfully tested on: Bitnami wampstack-5.6.29-0
Server version: Apache/2.4.23 (Win64)

Successfully tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)

Disclosure Timeline:
====================
Vendor Notification: December 31, 2016
Similar bug reported and open since 2012
Issue Fixed: January 17, 2017
January 25, 2017 : Public Disclosure

Severity Level:
===============
High

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

hyp3rlinx
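As an added example (not code from the advisory or from the HTTP_Upload package), the following Python models the two checks the advisory contrasts: the shipped last-extension comparison, with and without case sensitivity, and a hardened variant that rejects a blocked extension anywhere in the name. The apache_handler_for function is a deliberately simplified model of the multi-extension behaviour the advisory describes, not Apache's actual mod_mime logic, and the sample file names are constructed.

```python
# Block list as quoted from line 488 of Upload.php in the advisory.
BLOCKED_EXTENSIONS = {'php', 'phtm', 'phtml', 'php3', 'inc'}

# Simplified model of the server behaviour the advisory describes (an
# assumption for this example, not Apache's mod_mime source): only suffixes
# the server knows are considered, and an unknown trailing suffix such as
# "1" is ignored rather than cancelling the handler set by "php" before it.
HANDLER_EXTENSIONS = {'php': 'application/x-httpd-php'}


def last_extension_blocked(filename, case_sensitive=True):
    """Model of the shipped check: only the text after the final dot is compared."""
    ext = filename.rsplit('.', 1)[1] if '.' in filename else ''
    if not case_sensitive:
        ext = ext.lower()
    return ext in BLOCKED_EXTENSIONS


def any_extension_blocked(filename):
    """Hardened check: every dot-separated suffix is compared, lower-cased,
    so "ext_bypass.php.1" and "shell.PHP." are both rejected."""
    suffixes = filename.lower().split('.')[1:]
    return any(s in BLOCKED_EXTENSIONS for s in suffixes)


def apache_handler_for(filename):
    """Return the handler the modelled server would apply to the name, or None."""
    handler = None
    for suffix in filename.lower().split('.')[1:]:
        if suffix in HANDLER_EXTENSIONS:
            handler = HANDLER_EXTENSIONS[suffix]
    return handler


def evaluate(filename):
    """Summarise how one upload name fares under each check and on the server."""
    return {
        'shipped_case_sensitive': last_extension_blocked(filename, True),
        'shipped_case_insensitive': last_extension_blocked(filename, False),
        'hardened': any_extension_blocked(filename),
        'server_executes_php': apache_handler_for(filename) == 'application/x-httpd-php',
    }


if __name__ == '__main__':
    # Constructed sample names; "ext_bypass.php.1" is the name used in the advisory.
    for name in ('ext_bypass.php.1', 'upload.PHP', 'ext_bypass.php.', 'photo.jpg'):
        print(name, evaluate(name))
```

The names the shipped check passes but the modelled server still executes are exactly the gap the advisory describes; the hardened check closes it on the application side, and the server-side fix is to bind the PHP handler only to names that end in .php.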
[SECURITY] [DSA 3771-1] firefox-esr security update
Debian Security Advisory DSA-3771-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 25, 2017                      https://www.debian.org/security/faq

Package        : firefox-esr
CVE ID         : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378
                 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390
                 CVE-2017-5396

Multiple security issues have been found in the Mozilla Firefox web browser: memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or privilege escalation.

For the stable distribution (jessie), these problems have been fixed in version 45.7.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 45.7.0esr-1 of firefox-esr and version 51.0-1 of firefox.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability
Yorick Koster, June 2016

Abstract
A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP objects. Using this vulnerability it is possible to execute arbitrary PHP code.

OVE ID
OVE-20160803-0001

Tested versions
This issue was successfully tested on the Google Forms WordPress Plugin versions 0.84 - 0.87.

Fix
This issue is resolved in Google Forms version 0.91.

Details
https://sumofpwn.nl/advisory/2016/google_forms_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
Cisco Security Advisory: Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability
Advisory ID: cisco-sa-20170125-telepresence
Revision 1.0
For Public Release 2017 January 25 16:00 UTC (GMT)

Summary
=======
A vulnerability in a proprietary device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU) Software could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets. An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments to a port receiving content in Passthrough content mode. An exploit could allow the attacker to overflow a buffer. If successful, the attacker could execute arbitrary code or cause a DoS condition on the affected system.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-telepresence
Cisco Security Advisory: Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability
Advisory ID: cisco-sa-20170125-expressway
Revision 1.0
For Public Release 2017 January 25 16:00 UTC (GMT)

Summary
=======
A vulnerability in the received packet parser of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software could allow an unauthenticated, remote attacker to cause a reload of the affected system, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient size validation of user-supplied data. An attacker could exploit this vulnerability by sending crafted H.224 data in Real-Time Transport Protocol (RTP) packets in an H.323 call. An exploit could allow the attacker to overflow a buffer in a cache that belongs to the received packet parser, which will crash the application, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-expressway
Cisco Security Advisory: Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability
Advisory ID: cisco-sa-20170125-cas
Revision 1.0
For Public Release 2017 January 25 16:00 UTC (GMT)

Summary
=======
A vulnerability in the data plane IP fragment handler of the Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper handling of IP fragments. An attacker could exploit this vulnerability by sending fragmented IP traffic across the CX module. An exploit could allow the attacker to exhaust free packet buffers in shared memory (SHM), causing the CX module to be unable to process further traffic, resulting in a DoS condition.

Cisco has not released and will not release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-cas
ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability
EMC Identifier: ESA-2016-166
CVE Identifier: CVE-2016-9871
Severity Rating: CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected products:
EMC Isilon OneFS 7.2.1.0 - 7.2.1.3
EMC Isilon OneFS 7.2.0.x
EMC Isilon OneFS 7.1.1.0 - 7.1.1.10
EMC Isilon OneFS 7.1.0.x

Summary:
EMC Isilon OneFS is affected by a privilege escalation vulnerability that could potentially be exploited by attackers to compromise the affected system.

Details:
A malicious user who has both the ISI_PRIV_LOGIN_PAPI and ISI_PRIV_SYS_SUPPORT privileges could potentially exploit this vulnerability to gain root-level privileges.

Resolution:
The following versions of EMC Isilon OneFS resolve this vulnerability:
EMC Isilon OneFS 7.2.1.4
EMC Isilon OneFS 7.1.1.11

EMC recommends that all customers upgrade to a version containing the resolution at the earliest opportunity.

Link to remedies:
Registered EMC Online Support customers can download OneFS installation files from the Downloads for Isilon OneFS page of the EMC Online Support site at https://support.emc.com/downloads/15209_Isilon-OneFS. If you have any questions, please contact EMC Support.

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring important security information to the attention of users of the affected EMC products. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
OpenCart 2.3.0.2 CSRF - User Account Takeover
===[ Introduction ]===

OpenCart is a free open source ecommerce platform for online merchants. OpenCart provides a professional and reliable foundation from which to build a successful online store.

===[ Description ]===

There is a security vulnerability in OpenCart 2.3.0.2 which allows a hacker to break into a customer account. The bug exists in the "My Account Information" page. The form is not protected with a token id, so a hacker can change the user's information silently.

A demonstrative video for this vulnerability can be found here: http://opensecurity.ca/media/opencart-csrf.mp4

===[ Timeline ]===

[17/01/2017] - Email was sent to the vendor's support desk (request #100298)
[19/01/2017] - Vendor asked to send the vulnerability to the Github repository
[19/01/2017] - Vulnerability was reported to the Github repository
[20/01/2017] - Vendor's staff replied that he had known about this vulnerability for years
[25/01/2017] - Public disclosure

===[ Credits ]===

Vulnerability has been discovered by Omid @ Open Security.

===[ References ]===

Open Security : http://opensecurity.ca/
Original Advisory : http://opensecurity.ca/2017/01/opencart-csrf-user-account-takeover
POC Video : http://opensecurity.ca/media/opencart-csrf.mp4