[iBliss Security Advisory] Cross-Site Scripting (XSS) vulnerability in Design-approval-system wordpress plugin
[Design-Approval-System Wordpress plugin XSS]

[vendor product description]
A system to streamline the process of getting designs, photos, documents, videos or music approved by clients quickly.

[Bug Description]
The walkthrough web page does not validate the step parameter, leading to a Cross-site scripting flaw. No authenticated user is required to exploit this security flaw.

[History]
Advisory sent to vendor on 09/03/2013
Vendor reply 09/03/2013
Vendor patch published 09/07/2013

[Impact]
HIGH

[Affected Version]
3.6

[Vendor Reply]
03/09/2013
07/09/2013 - Vulnerability fixed. 3.7 version released.

[CVE Reference]
CVE-2013-5711

[PoC]
Payload: http://[host]/wordpress/wp-content/plugins/design-approval-system/admin/walkthrough/walkthrough.php?step=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

[References]
[1] Design Approval System http://wordpress.org/plugins/design-approval-system
[2] Design Approval System 3.7 release notes http://wordpress.org/plugins/design-approval-system/other_notes/
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos
alexos (at) ibliss.com (dot) br

[Greetz]
Ewerson Guimarães - Crash

--
Alexandro Silva
alexandro.si...@ibliss.com.br
iBLISS Segurança Inteligência
+55 71 8847-5385
+55 11 3255-3926
www.ibliss.com.br
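The advisory above reduces to two missing controls: the step parameter is never validated, and it is echoed into the page unencoded. The following is an added Python example (not code from the advisory or from the plugin) that shows the decoded payload from the PoC URL, the echo pattern that reflects it, and a hardened handler that allow-lists the step before encoding it. The step list, default step and URL are constructed for the illustration.

```python
# Added example (not code from the advisory or from the plugin): the two
# controls whose absence the advisory describes, applied to a "step"
# query parameter. Everything here is constructed for illustration.
import html
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed: a walkthrough has a small, fixed set of steps, so the
# parameter can be validated against an allow-list instead of being trusted.
VALID_STEPS = ("1", "2", "3", "4")
DEFAULT_STEP = "1"

# Constructed request URL carrying the advisory's payload (URL-encoded).
PAYLOAD_URL = (
    "http://example.test/walkthrough.php"
    "?step=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E"
)


def step_from_url(url: str) -> Optional[str]:
    """Return the decoded 'step' query value, or None when it is absent."""
    values = parse_qs(urlsplit(url).query).get("step")
    return values[0] if values else None


def render_unsafe(step: str) -> str:
    """The pattern the advisory describes: the parameter is echoed verbatim."""
    return "<h2>Step " + step + "</h2>"


def validate_step(step: Optional[str]) -> str:
    """Allow-list check: anything that is not a known step falls back to the default."""
    return step if step in VALID_STEPS else DEFAULT_STEP


def render_safe(step: Optional[str]) -> str:
    """Hardened form: validate first, then HTML-encode for the text context."""
    chosen = validate_step(step)
    return "<h2>Step " + html.escape(chosen, quote=True) + "</h2>"


def is_reflected_unencoded(rendered: str, value: str) -> bool:
    """Detection helper: True if the raw value appears unencoded in the output."""
    return value in rendered


if __name__ == "__main__":
    raw = step_from_url(PAYLOAD_URL)
    print("decoded step :", raw)
    print("unsafe       :", render_unsafe(raw))
    print("safe         :", render_safe(raw))
```

The allow-list does the real work here: once the parameter can only take one of a handful of known values, the encoding step is a second layer rather than the only defence, and it is independent of which HTML context the value lands in.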
APPLE-SA-2013-09-12-1 OS X Mountain Lion v10.8.5 and Security Update 2013-004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-09-12-1 OS X Mountain Lion v10.8.5 and Security Update 2013-004

OS X Mountain Lion v10.8.5 and Security Update 2013-004 is now available and addresses the following:

Apache
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.24.
CVE-ID
CVE-2012-0883
CVE-2012-2687
CVE-2012-3499
CVE-2012-4558

Bind
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in BIND
Description: Multiple vulnerabilities existed in BIND, the most serious of which may lead to a denial of service. These issues were addressed by updating BIND to version 9.8.5-P1. CVE-2012-5688 did not affect Mac OS X v10.7 systems.
CVE-ID
CVE-2012-3817
CVE-2012-4244
CVE-2012-5166
CVE-2012-5688
CVE-2013-2266

Certificate Trust Policy
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Root certificates have been updated
Description: Several certificates were added to or removed from the list of system roots. The complete list of recognized system roots may be viewed via the Keychain Access application.

ClamAV
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5
Impact: Multiple vulnerabilities in ClamAV
Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.97.8.
CVE-ID
CVE-2013-2020
CVE-2013-2021

CoreGraphics
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JBIG2 encoded data in PDF files. This issue was addressed through additional bounds checking.
CVE-ID
CVE-2013-1025 : Felix Groebert of the Google Security Team

ImageIO
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000 encoded data in PDF files. This issue was addressed through additional bounds checking.
CVE-ID
CVE-2013-1026 : Felix Groebert of the Google Security Team

Installer
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Packages could be opened after certificate revocation
Description: When Installer encountered a revoked certificate, it would present a dialog with an option to continue. The issue was addressed by removing the dialog and refusing any revoked package.
CVE-ID
CVE-2013-1027

IPSec
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: An attacker may intercept data protected with IPSec Hybrid Auth
Description: The DNS name of an IPSec Hybrid Auth server was not being matched against the certificate, allowing an attacker with a certificate for any server to impersonate any other. This issue was addressed by properly checking the certificate.
CVE-ID
CVE-2013-1028 : Alexander Traud of www.traud.de

Kernel
Available for: OS X Mountain Lion v10.8 to v10.8.4
Impact: A local network user may cause a denial of service
Description: An incorrect check in the IGMP packet parsing code in the kernel allowed a user who could send IGMP packets to the system to cause a kernel panic. The issue was addressed by removing the check.
CVE-ID
CVE-2013-1029 : Christopher Bohn of PROTECTSTAR INC.

Mobile Device Management
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Passwords may be disclosed to other local users
Description: A password was passed on the command-line to mdmclient, which made it visible to other users on the same system. The issue was addressed by communicating the password through a pipe.
CVE-ID
CVE-2013-1030 : Per Olofsson at the University of Gothenburg

OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL, the most serious of which may lead to disclosure of user data. These issues were addressed by updating OpenSSL to version 0.9.8y.
CVE-ID
CVE-2012-2686
CVE-2013-0166
CVE-2013-0169

PHP
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5,
WordPress Fixes Multiple Vulnerabilities With 3.6.1 Release
Multiple vulnerabilities were reported in WordPress. WordPress has released version 3.6.1 to fix three security issues. Check this URL: http://www.itsecuritycenter.com/wordpress-fixes-multiple-vulnerabilities-3-6-1-release.html
OpenSSL,OpenSSH ecdsa authentication code inconsistent return values.. no vulnerability?
Hello lists,

Attached is the blog post for the mentioned issues, which in their shape are not a vulnerability, still interesting to see.

http://kingcope.wordpress.com/2013/09/13/opensslopenssh-ecdsa-authentication-code-inconsistent-return-values-no-vulnerability/

Cheers,
Kingcope
[SECURITY] [DSA 2753-1] mediawiki security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2753-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
September 13, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
Vulnerability  : information leak
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4302

It was discovered that in Mediawiki, a wiki engine, several API modules allowed anti-CSRF tokens to be accessed via JSONP. These tokens protect against cross site request forgeries and are confidential.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.15.5-2squeeze6.

For the stable distribution (wheezy), this problem has been fixed in version 1.19.5-1+deb7u1.

For the testing distribution (jessie) and unstable distribution (sid), this problem has been fixed in version 1.19.8+dfsg-1.

We recommend that you upgrade your mediawiki packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSMsSzAAoJEFb2GnlAHawEswAH/0ucxY3KlJ8bMNqCLllZxDxC
EPNgflHIPVZlI//b8k5N52c3G0ql/rF5N1ewpmHNXCRwaxwXZF7UgJJ1ph2sjhj/
fAK00C97tlO/84Ya/qxzsjonDRXqpkJ3Y3VMWyI7J6kUavS4qf+8xvCVQYYoH1/h
5cFiKyTWYOLFZ1CcuoG/6m7LE3L/oaI8NXswAz8fKB+dISeK9kD62KSqzb1t5UYg
4GjzeakInryWsYF2TebGmDlyK/Vy5xttIKkCKSi/0qQIXJr5cOckIew2FrroRJSD
N3CHj/3ahGkKi1n0stzuux/8e9QJcGK94kO3ekJdreQRHD9CxenootAeFMs/tus=
=ZDhD
-----END PGP SIGNATURE-----
[ MDVSA-2013:233 ] python-OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:233
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-OpenSSL
Date    : September 13, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in python-OpenSSL:

The string formatting of subjectAltName X509Extension instances in pyOpenSSL before 0.13.1 incorrectly truncated fields of the name when encountering a null byte, possibly allowing man-in-the-middle attacks through certificate spoofing (CVE-2013-4314).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4314
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
9c1a53018f31b26cee286d9c05e06e6c  mbs1/x86_64/python-OpenSSL-0.12-2.1.mbs1.x86_64.rpm
f6b4dc37dde9cc96018b1f98a9f4df93  mbs1/SRPMS/python-OpenSSL-0.12-2.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSMvxCmqjQ0CJFipgRAkO1AJ9m9KXGkjeOKy2v5SbP36FMjqEaWgCeKGi7
EjXxhUXcY5HAs9/mnAHVYts=
=1Zaf
-----END PGP SIGNATURE-----
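Two items in this digest are the same underlying mistake seen from different angles: the Apple IPSec Hybrid Auth entry (CVE-2013-1028), where the server's DNS name was not matched against its certificate at all, and the pyOpenSSL entry just above (CVE-2013-4314), where a subjectAltName containing a NUL byte was truncated at the NUL before it was compared. The following is an added Python example, not code from pyOpenSSL, Apple, or Mandriva, that shows the truncated view a C-string consumer gets, the naive comparison that it fools, and a strict hostname matcher that refuses malformed entries and handles a single leading wildcard label. The SAN entry, host names and matching rules are constructed for the illustration.

```python
# Added example (not pyOpenSSL's, Apple's or Mandriva's code): how a NUL byte
# inside a subjectAltName entry lets a name check pass for the wrong host, and
# a hostname-matching routine that refuses such entries. Inputs are constructed.
from typing import Iterable


def truncated_at_nul(raw: bytes) -> str:
    """What a C-string consumer (strlen-based) sees: everything after the first NUL is lost."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def naive_matches(san_dns_names: Iterable[bytes], host: str) -> bool:
    """The failure mode: compare the truncated view, so a NUL-embedded name spoofs the host."""
    return any(truncated_at_nul(raw) == host for raw in san_dns_names)


def _well_formed(raw: bytes) -> bool:
    """Reject NUL bytes and anything outside printable, non-space ASCII before interpreting."""
    return len(raw) > 0 and all(0x21 <= b <= 0x7E for b in raw)


def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a single leading wildcard label covering exactly one host label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.com"
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            return prefix != "" and "." not in prefix
    return False


def strict_matches(san_dns_names: Iterable[bytes], host: str) -> bool:
    """Hardened check: the full byte string must be well formed and match the host."""
    host = host.lower().rstrip(".")
    for raw in san_dns_names:
        if not _well_formed(raw):
            continue                               # a real verifier should reject the certificate
        pattern = raw.decode("ascii").lower().rstrip(".")
        if _label_match(pattern, host):
            return True
    return False


# Constructed SAN entry of the shape the advisory describes: it reads as
# "www.example.com" when cut at the NUL, but is actually a different name.
SPOOFED_SAN = b"www.example.com\x00.example.net"

if __name__ == "__main__":
    print("truncated view :", truncated_at_nul(SPOOFED_SAN))
    print("naive match    :", naive_matches([SPOOFED_SAN], "www.example.com"))
    print("strict match   :", strict_matches([SPOOFED_SAN], "www.example.com"))
```

The point of `_well_formed` is that the decision is made on the full byte string the certificate actually carries, never on a view that a lower-level string API has already shortened; a name that cannot be represented as a plain printable hostname is not a hostname and should fail closed.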
[SECURITY] [DSA 2756-1] wireshark security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2756-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
September 13, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-5718 CVE-2013-5720 CVE-2013-5722

Multiple vulnerabilities were discovered in the dissectors for LDAP, RTPS and NBAP and in the Netmon file parser, which could result in denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.2.11-6+squeeze12.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy6.

For the unstable distribution (sid), these problems have been fixed in version 1.10.2-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIzRzwACgkQXm3vHE4uylr+pQCcDwnUHuC4WV+oNaA7PY0kHTuS
NrwAmQFjC2u+xh1eYz4Rkkltecfg9XNJ
=Tgkb
-----END PGP SIGNATURE-----
Zimbra Collaboration Suite (ZCS) Session Replay Vulnerability
Product: Zimbra Collaboration Suite
Vendor: VMWare
Vulnerable Version: 6.0.16 and probably prior
Tested Version: 6.0.16
Vendor Notification: 09/03/2013
Public Disclosure: 09/13/2013
Vulnerability Type: Authentication Bypass by Capture-replay (CWE-294)
CVE: CVE-2013-5119
Discovered and Provided By: Brian Warehime (Aplura LLC)

--
Advisory Details:

A vulnerability exists in Zimbra Collaboration Suite (ZCS) which can be exploited to bypass authentication by replaying a captured session token. A remote attacker can sniff network traffic and obtain an authorized user's session token and modify the token on the attacker's machine to replay the token and successfully log in.

If an attacker can capture the ZM_AUTH_TOKEN after a user has successfully logged in, the attacker can then create a new ZM_AUTH_TOKEN with the same information and log in, even after the other user logs out.

--
Solution:

Upgrade to the latest version of ZCS.
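The property the advisory describes, a token that keeps working after the user logs out and that can be re-created from its visible fields, is what server-side session state and a keyed MAC are there to prevent. The following is an added Python example, not Zimbra code and not a description of how ZM_AUTH_TOKEN is built, of a session store in which a token is only honoured while its session is live, expires on its own, and cannot be minted without the server secret. The token layout, secret, user name and clock are constructed for the illustration.

```python
# Added example (not Zimbra code): a session-token design without the
# property the advisory describes. A token is accepted only while its session
# is live on the server, so a captured copy stops working at logout, and it
# carries an HMAC so the "same information" cannot be re-minted without the
# server secret. Token layout, secret, user and clock are constructed.
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    def __init__(self, secret: bytes, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        # Server-side state: session id -> (user, expiry). Logout deletes the entry.
        self._live: Dict[str, Tuple[str, int]] = {}

    def _mac(self, user: str, expires: int, sid: str) -> str:
        msg = f"{user}|{expires}|{sid}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        """Create a session and return the bearer token for it."""
        sid = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
        expires = int(self._clock()) + self._ttl
        self._live[sid] = (user, expires)
        return f"{user}|{expires}|{sid}|{self._mac(user, expires, sid)}"

    def verify(self, token: str) -> Optional[str]:
        """Return the user for a valid, live, unexpired token; None otherwise."""
        parts = token.split("|")
        if len(parts) != 4:
            return None
        user, expires_s, sid, mac = parts
        try:
            expires = int(expires_s)
        except ValueError:
            return None
        # 1. Integrity: the fields must be exactly the ones the server signed.
        if not hmac.compare_digest(mac, self._mac(user, expires, sid)):
            return None
        # 2. Liveness: the session must still exist server-side (logout removes it).
        if self._live.get(sid) != (user, expires):
            return None
        # 3. Freshness: an expired session is dead even if it was never logged out.
        if self._clock() >= expires:
            del self._live[sid]
            return None
        return user

    def logout(self, token: str) -> None:
        """Invalidate the session so every copy of the token, captured or not, is useless."""
        parts = token.split("|")
        if len(parts) == 4:
            self._live.pop(parts[2], None)


def demo() -> dict:
    """Walk the advisory's scenario against this design and return each outcome."""
    now = [1_000_000.0]                        # constructed, controllable clock
    store = SessionStore(secret=b"constructed-demo-secret", ttl_seconds=600,
                         clock=lambda: now[0])
    token = store.issue("alice")
    captured = token                           # what a passive observer would hold
    before_logout = store.verify(captured)
    store.logout(token)
    after_logout = store.verify(captured)
    # "A new token with the same information": same fields, but no valid MAC.
    user, expires, sid, _ = token.split("|")
    reminted = f"{user}|{expires}|{sid}|" + "0" * 64
    forged = store.verify(reminted)
    fresh = store.issue("alice")
    now[0] += 601                              # jump past the TTL
    expired = store.verify(fresh)
    return {"before_logout": before_logout, "after_logout": after_logout,
            "forged": forged, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

This bounds the damage of a captured token to the window between capture and logout or expiry; it does not make capture harmless, which is why the token must also travel only over TLS and with the `Secure` and `HttpOnly` cookie attributes.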
[ MDVSA-2013:232 ] libmodplug
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:232
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libmodplug
Date    : September 13, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in libmodplug:

An integer overflow within the abc_set_parts() function (src/load_abc.cpp) can be exploited to corrupt heap memory via a specially crafted ABC file (CVE-2013-4233).

An error within the abc_MIDI_drum() and abc_MIDI_gchord() functions (src/load_abc.cpp) can be exploited to cause a buffer overflow via a specially crafted ABC file (CVE-2013-4234).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
ae24c113e7c571f585af044ba307f698  mbs1/x86_64/lib64modplug1-0.8.8.4-2.1.mbs1.x86_64.rpm
e1f3732a939563bf270dcc0560a40c2d  mbs1/x86_64/lib64modplug-devel-0.8.8.4-2.1.mbs1.x86_64.rpm
af8ea54fb4ec2bc03442a8779b58a695  mbs1/SRPMS/libmodplug-0.8.8.4-2.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSMvt8mqjQ0CJFipgRAs38AKC+d3s07+vhqfnGUcHETJV7X3qf/wCffMDX
Vx8MjMLCCZybgeww5slh5nU=
=GC5+
-----END PGP SIGNATURE-----
[ MDVSA-2013:234 ] python-django
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:234
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-django
Date    : September 13, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in python-django:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework.

It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
fcfdd74c10f1d320c689640553607289  mes5/i586/python-django-1.3.7-0.2mdvmes5.2.noarch.rpm
1db8ecba27f22c0a7e44d1f1aae827bf  mes5/SRPMS/python-django-1.3.7-0.2mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
3707f6171b360dd898ef2fb6e4947eec  mes5/x86_64/python-django-1.3.7-0.2mdvmes5.2.noarch.rpm
1db8ecba27f22c0a7e44d1f1aae827bf  mes5/SRPMS/python-django-1.3.7-0.2mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
9b560a6a59e88e6530480fd00c5d28bc  mbs1/x86_64/python-django-1.3.7-1.2.mbs1.noarch.rpm
0a83da2368e8d27c1a4e4131341cb935  mbs1/SRPMS/python-django-1.3.7-1.2.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSMvz2mqjQ0CJFipgRApgGAJ0ZhWYJGyR4c/oFZ5eZLEZuIWFrXgCfbL80
6conr1NuuMmTKC1uxEHEWF8=
=6yFh
-----END PGP SIGNATURE-----
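The Django issue above is a string-prefix test being used where a path-containment test was needed: a path that starts with an allowed root as text can still leave that root once its `..` segments are resolved. The following is an added Python example, not Django's code and not its fix, that puts the prefix form next to a containment form that normalises the path before comparing it, and runs both over a few constructed probes, including a sibling directory that shares the root as a prefix, which the prefix test also accepts. The roots and paths are constructed, and the check is purely lexical so it runs without the files existing.

```python
# Added example (not Django's code or its fix): the prefix check the advisory
# describes beside a containment check that resolves ".." first. Roots and
# paths are constructed; the check is lexical so no files need to exist.
import os
from typing import Iterable

# Constructed stand-in for the ALLOWED_INCLUDE_ROOTS setting.
ALLOWED_INCLUDE_ROOTS = ("/var/www/includes",)


def prefix_allowed(path: str, roots: Iterable[str] = ALLOWED_INCLUDE_ROOTS) -> bool:
    """The weak form: a string-prefix test, which '..' segments walk straight out of."""
    return any(path.startswith(root) for root in roots)


def contained_allowed(path: str, roots: Iterable[str] = ALLOWED_INCLUDE_ROOTS) -> bool:
    """Hardened form: normalise both sides, then require the path to sit under a root.

    os.path.normpath collapses '.' and '..' lexically. For paths that exist on
    disk, os.path.realpath would also resolve symlinks, which this lexical
    check cannot see; use it when the files are present.
    """
    resolved = os.path.normpath(os.path.abspath(path))
    for root in roots:
        root_n = os.path.normpath(os.path.abspath(root))
        try:
            if os.path.commonpath([root_n, resolved]) == root_n:
                return True
        except ValueError:              # different drives on Windows: not contained
            continue
    return False


# Constructed probes: a legitimate include, a traversal that passes the prefix
# test, and a sibling directory that shares the root as a string prefix.
PROBES = {
    "legit": "/var/www/includes/header.html",
    "traversal": "/var/www/includes/../../../etc/passwd",
    "sibling": "/var/www/includes_private/secret.html",
}


def compare_checks() -> dict:
    """Run both checks over the probes; returns {name: (prefix_result, contained_result)}."""
    return {name: (prefix_allowed(p), contained_allowed(p)) for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare_checks().items():
        print(f"{name:10s} prefix={weak!s:5} contained={strong}")
```

The `sibling` probe is worth keeping in any test suite for this kind of check: it fails the containment test because `os.path.commonpath` works on path components, not characters, so `/var/www/includes_private` is not under `/var/www/includes` even though it begins with the same text.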