[SRP-2018-01] Reverse engineering tools for ST DVB chipsets (public release)
Hello All,

We have decided to release to the public domain our SRP-2018-01 security research project related to the security of STMicroelectronics chipsets.

The research material (70+ pages long technical paper accompanied by two reverse engineering tools) can be downloaded from the SRP section of our portal (Past SRP materials):

http://www.security-explorations.com/en/srp.html

The release of SRP-2018-01 is a direct consequence of the following:

1) no response to our inquiries regarding the impact of ST issues from a SAT TV ecosystem [1] (STMicroelectronics, NC+, Canal+, Vivendi),

2) no will to provide assistance to obtain information pertaining to the impact and addressing [2] of the issues from STMicroelectronics; we asked CERT-FR (French governmental CSIRT), IT-CERT (CERT Nazionale Italia) and US-CERT (US government CERT) for help, but all of them stopped responding to our messages [1],

3) a statement received from a major vendor in a SAT TV CAS / security field indicating that its "goal is to remove the marketplace from our materials",

4) us completely breaking security of ADB [3] set-top-boxes in use by NC+ SAT TV platform (Canal Digital makes use of similar boxes) and gaining access to vulnerable ST chipsets again [4] (we verified that 6 years following the disclosure Canal+ owned NC+ still relies on / offers to customers STBs vulnerable to ST flaws, which likely violates security requirements of agreements signed with content providers).

In that context, we see no reason to continue keeping SRP-2018-01 material under wraps.

Thank you.
Best Regards,
Adam Gowdiak
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"

References:
[1] SE-2011-01 Vendors status
    http://www.security-explorations.com/en/SE-2011-01-status.html
[2] The origin and impact of security vulnerabilities in ST chipsets
    http://www.security-explorations.com/materials/se-2011-01-st-impact.pdf
[3] ADB
    https://www.adbglobal.com/
[4] SRP-2018-02 Exploitation Framework for STMicroelectronics DVB chipsets
    http://www.security-explorations.com/materials/SRP-2018-02.pdf
[SECURITY] [DSA 4225-1] openjdk-7 security update
Debian Security Advisory DSA-4225-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 10, 2018                         https://www.debian.org/security/faq

Package        : openjdk-7
CVE ID         : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
                 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
                 CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.

For the oldstable distribution (jessie), these problems have been fixed in version 7u181-2.6.14-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

For the detailed security status of openjdk-7 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-7

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4222-1] gnupg2 security update
Debian Security Advisory DSA-4222-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Exploit Title: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Date: 08-06-2018
# Software Link: https://symfony.com/
# Exploit Author: HaMM0nz (Chakrit S.), a member of KPMG Cyber Security team in Thailand
# CVE: CVE-2018-12040
# Category: webapps

1. Description

Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community all working together in harmony. (Copied from homepage.)

2. Proof of Concept

1. Navigate to http://www.example.com/_profiler/ ; by default no credentials are required to access this component.
2. Request any non-existent path on the website, for example a random path such as http://www.example.com/qwertyuio
3. In the Symfony profiler, navigate to the row with HTTP response code "404" and click the "Token" link on that page.
4. Go to the Exception pane and follow any link on the page, e.g. "vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/RouterListener.php".
5. Inject alert("XSS") into the "file" parameter; the PoC URL is http://www.example.com/_profiler/open?file=alert("XSS")

3. Timeline

3.1 Discovery and report - 5 June 2018.
3.2 CVE ID was assigned - 8 June 2018.
3.3 Public - 8 June 2018.

4. Solution

Upgrade Symfony to version 4.1 or higher.
[SECURITY] [DSA 4220-1] firefox-esr security update
Debian Security Advisory DSA-4220-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq

Package        : firefox-esr
CVE ID         : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 52.8.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4224-1] gnupg security update
Debian Security Advisory DSA-4224-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[slackware-security] gnupg2 (SSA:2018-159-01)
New gnupg2 packages are available for Slackware 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnupg2-2.0.31-i586-1_slack14.2.txz: Upgraded.
  Sanitize the diagnostic output of the original file name in verbose mode.
  By using a made up file name in the message it was possible to fake status
  messages. Using this technique it was for example possible to fake the
  verification status of a signed mail.
  For more information, see:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg2-2.0.31-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg2-2.0.31-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg2-2.0.31-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg2-2.0.31-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gnupg2-2.0.31-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gnupg2-2.0.31-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/gnupg2-2.0.31-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/gnupg2-2.0.31-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg2-2.2.8-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg2-2.2.8-x86_64-1.txz

MD5 signatures:
+-------------+

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg gnupg2-2.0.31-i586-1_slack14.2.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
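The status-message faking that the GnuPG advisories in this digest describe, modelled as an added example (not GnuPG's own code): a verbose diagnostic that embeds the original file name is written to the same stream as the machine-readable "[GNUPG:] ..." status lines, and the key id, user id and file names are constructed. It shows why sanitising the logged name (the shape of the fix) closes the hole, and why a client should also reject contradictory verdicts rather than trust the first status keyword it sees.

```python
"""Status-line injection through an untrusted file name (the CVE-2018-12020
pattern described in this digest). Added example, not GnuPG's own code: it
models a verifier whose verbose diagnostic, which embeds the original file
name, is written to the same stream as its "[GNUPG:] ..." status lines."""

STATUS_PREFIX = "[GNUPG:] "
# Constructed key id and user id for the sample verdict (nothing real).
KEY = "0123456789ABCDEF Constructed Test Key <test@example.invalid>"


def sanitize_name(name: str) -> str:
    """Escape every byte outside printable ASCII, and the backslash itself,
    as \\xNN, so an attacker-chosen name can never span more than one line.
    This is the shape of the fix: sanitise the file name before logging it."""
    out = []
    for b in name.encode("utf-8"):
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def verifier_output(original_name: str, sanitize: bool) -> str:
    """What a client sees when verbose output and status output share one
    fd. The genuine verdict is always BADSIG here; only the name varies."""
    name = sanitize_name(original_name) if sanitize else original_name
    return (f"gpg: original file name='{name}'\n"
            f"{STATUS_PREFIX}BADSIG {KEY}\n")


def status_keywords(stream: str) -> list:
    """Keyword of every line that starts with the status prefix."""
    return [line[len(STATUS_PREFIX):].split(" ", 1)[0]
            for line in stream.splitlines()
            if line.startswith(STATUS_PREFIX)]


def first_keyword(stream: str) -> str:
    """Naive client: trust the first status keyword it sees, which is the
    behaviour a faked status message targets."""
    kws = status_keywords(stream)
    return kws[0] if kws else "NONE"


def verdict(stream: str) -> str:
    """Defensive client: 'good' only when GOODSIG is present and no
    contradicting status line appears anywhere in the stream."""
    kws = status_keywords(stream)
    if "GOODSIG" in kws and not ({"BADSIG", "ERRSIG", "NODATA"} & set(kws)):
        return "good"
    return "bad"


# Constructed hostile name: closes the quoted name, starts a line that looks
# like a genuine status line, then opens another diagnostic-looking line.
HOSTILE_NAME = ("report.txt'\n" + STATUS_PREFIX + "GOODSIG " + KEY +
                "\ngpg: note='")

if __name__ == "__main__":
    for sanitize in (False, True):
        out = verifier_output(HOSTILE_NAME, sanitize)
        print(f"sanitize={sanitize}: keywords={status_keywords(out)} "
              f"first={first_keyword(out)} verdict={verdict(out)}")
```

In a real deployment the complementary mitigation is to read status lines from a dedicated `--status-fd` that carries nothing else, so diagnostics can never be confused with status output in the first place.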
[SECURITY] [DSA 4223-1] gnupg1 security update
Debian Security Advisory DSA-4223-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4221-1] libvncserver security update
Debian Security Advisory DSA-4221-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq

Package        : libvncserver
CVE ID         : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.

For the oldstable distribution (jessie), this problem has been fixed in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in version 0.9.11+dfsg-1+deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Gridbox extension for Joomla! <= 2.4.0 Reflected Cross Site Scripting (XSS)
I. VULNERABILITY
Gridbox extension for Joomla! <= 2.4.0 Reflected Cross Site Scripting (XSS)

II. CVE REFERENCE
CVE-2018-11690

III. VENDOR
https://extensions.joomla.org/extension/gridbox/

IV. REFERENCES
https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11690
https://vel.joomla.org/resolved/2155-gridbox-com-gridbox-multiple-vulnerabilities

V. TIMELINE
02/04/2018 Vulnerability discovered
09/04/2018 Vendor contacted
23/04/2018 Vulnerability fixed

VI. CREDIT
Yavuz Atlas of Biznet Bilisim
http://www.biznet.com.tr/biznet-guvenlik-duyurulari

VII. DESCRIPTION
Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

VIII. PROOF OF CONCEPT
For the category parameter:
http://localhost:81/bg/Joomla_3.8.5-Stable-Full_Package/index.php?option=com_gridbox&view=pages&app=aaa&category=alert(1)

For the app parameter:
http://localhost:81/bg/Joomla_3.8.5-Stable-Full_Package/index.php?option=com_gridbox&view=pages&app=alert(1)&category=aaa