MailOrderWorks v5.907 - Multiple Web Vulnerabilities

2013-04-01 Thread Vulnerability Lab
Title:
==
MailOrderWorks v5.907 - Multiple Web Vulnerabilities


Date:
=
2013-01-02


References:
===
http://www.vulnerability-lab.com/get_content.php?id=798


VL-ID:
=
796


Common Vulnerability Scoring System:

4.5


Introduction:
=
Mail order management and stock control is easy with MailOrderWorks. 
MailOrderWorks (aka MOW) is an easy to use mail order 
software and stock control system that supports multiple users, but is also 
ideal for single person companies too. Our software 
allows you and your staff to access the same information, at the same time, 
from anywhere - even if you're not in the same office 
or building. It's affordable, easy to use, allows integration and is easily 
expandable for more users. It's free to try too.

(Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php )


Abstract:
=
The Vulnerability-Laboratory Research Team discovered multiple web 
vulnerabilities in MailOrderWorks v5.907, a mail order management application.



Report-Timeline:

2012-12-26: Public Disclosure


Status:

Published


Affected Products:
==
2Dmedia
Product: MailOrderWorks 5.907


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent web vulnerabilities are detected in the MailOrderWorks 
v5.907 mail order management application.
The vulnerability allows an attacker to inject own malicious script code in the 
vulnerable modules on the application side (persistent).

The vulnerabilities mainly exist in the create document/print module. The 
module doesn't validate the file context when processing a create request. 
For example, if we are creating a products summary, the (vulnerable) print 
module doesn't check the product titles, and creates the document 
with the injected malicious code inside.

1.1
The first vulnerability is located in the `dispatch order` module. The attacker 
can create an order by injecting the malicious code in the 
vulnerable customer parameters, which are firstname, lastname, custom A1 and 
custom A2. For the malicious code to get executed, the target user 
should go to the `dispatch order` module's `Open Batch screen` and then click 
`start`. The output file executes the malicious script code while 
creating the malicious order via add.

1.2
The second vulnerability is located in the `reports and exports` module. The 
attacker can create an order injecting the vulnerable parameters 
in it. The malicious code will be executed when the user chooses the orders and 
creates a report about them. The vulnerability can also be 
triggered by creating a report about the products. The attacker can create a 
product by injecting malicious code in the vulnerable 
parameters, which are SKU, Title and Group. When the user creates a report about 
the products, the malicious code will be executed out of 
context from the report file.

1.3
The persistent input validation vulnerability is located in the `Create/View 
issue` in the show/add orders modules. The attacker can 
inject malicious code in different vulnerable parameters, which are 
Reason/fault, Resolution, Issue Notes and Order notes. Whenever the user 
clicks on `print issue document` a file will be generated, and it includes the 
malicious code, which gets executed.

1.4
The final persistent cross-site scripting vulnerability is very critical because 
it gets injected in every file that is being generated from 
MailOrderWorks (MOW). The vulnerability is located in the settings of the 
application, where the attacker can inject malicious code inside 
the company profiles in the vulnerable fields, which are Company Name and 
Address. Whenever a user generates any page, the malicious code will 
be executed because the fields `company name` and `company address` are 
included in every page that is generated by MOW.

The vulnerability can be exploited with a privileged application user account and 
low or medium required user interaction.
Successful exploitation of the vulnerability results in 
persistent/non-persistent session hijacking, persistent/non-persistent 
phishing, external redirect, external malware loads and 
persistent/non-persistent vulnerable module context manipulation.


Vulnerable Service(s):
[+] MailOrderWorks (5.907)

Vulnerable Section(s):
[+] New Order
[+] Add new Product
[+] View Orders
[+] Settings

Vulnerable Module(s):
[+] Customer
[+] Add new Product
[+] View Orders = Done = Create/View Issue 
[+] Company Settings

Vulnerable Parameter(s):
[+] [Name] - [Mobile/Work] - [Custom A1] - 
[Custom A2] - [Custom 
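The defect described above is that stored customer, product and company fields are copied verbatim into the documents MOW generates, so markup saved once in a field runs every time anyone prints a report. The following is an added example, not MailOrderWorks code: it renders a constructed products summary the unsafe way and the encoded way, and includes a check for records that already hold markup. Field names follow the advisory; the record layout, the document template and all sample values are assumptions.

```python
"""Output-encode stored fields at document-generation time, and audit what is already stored."""
import html
import re

# Constructed company profile and product records (not real data). The Title and
# Address values carry markup to show what a stored injection looks like at print time.
COMPANY = {"Company Name": "Example Mail Order Ltd",
           "Address": "1 High St <script>alert(1)</script>"}
PRODUCTS = [
    {"SKU": "SKU-001", "Title": "Widget <b>&</b> Gadget", "Group": "Tools"},
    {"SKU": "SKU-002", "Title": "Plain Title", "Group": "Garden"},
]

# Assumed document template: company header (present in every generated page) plus a product table.
DOC = "<html><body><h1>%s</h1><p>%s</p><table>%s</table></body></html>"
ROW = "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"

# Any HTML tag, opening or closing, inside a stored value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_vulnerable(company, products):
    """Behaviour the advisory describes: field values are interpolated with no encoding."""
    rows = "".join(ROW % (p["SKU"], p["Title"], p["Group"]) for p in products)
    return DOC % (company["Company Name"], company["Address"], rows)


def render_hardened(company, products):
    """Same document, but every field is HTML-escaped at the point it enters the body.

    Escaping happens on output, not on input: the data is already in the database,
    and validating new input alone would not neutralise rows stored earlier.
    """
    def e(value):
        return html.escape(str(value), quote=True)
    rows = "".join(ROW % (e(p["SKU"]), e(p["Title"]), e(p["Group"])) for p in products)
    return DOC % (e(company["Company Name"]), e(company["Address"]), rows)


def audit_stored_fields(records, fields):
    """Return (record index, field name) for every stored value that contains an HTML tag.

    Use this on existing customer, product and company rows after deploying output
    encoding: the fix stops execution, but it does not clean what an attacker saved.
    """
    hits = []
    for i, rec in enumerate(records):
        for f in fields:
            if TAG_RE.search(str(rec.get(f, ""))):
                hits.append((i, f))
    return hits


if __name__ == "__main__":
    print(render_hardened(COMPANY, PRODUCTS))
    print(audit_stored_fields(PRODUCTS, ["SKU", "Title", "Group"]))
```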

[security bulletin] HPSBUX02859 SSRT101144 rev.1 - HP-UX Running XNTP, Remote Denial of Service (DoS) and Execute Arbitrary Code

2013-04-01 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03714526
Version: 1

HPSBUX02859 SSRT101144 rev.1 - HP-UX Running XNTP, Remote Denial of Service
(DoS) and Execute Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-03-27
Last Updated: 2013-03-27

- -
- -

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running
XNTP. The vulnerability could be exploited remotely to create a Denial of
Service (DoS) or Execute Arbitrary Code.

References: CVE-2009-3563, CVE-2009-0158

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running XNTP version 3.5.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference          Base Vector                    Base Score
CVE-2009-3563        (AV:N/AC:L/Au:N/C:N/I:P/A:P)   6.4
CVE-2009-0159        (AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following upgrade to resolve these vulnerabilities.
The upgrade is available by downloading from software.hp.com - HPUX 11i
Software - Internet ready and networking - HP-UX Network Time Protocol
version 4 or directly from
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-NTP
Review the Installation link at the bottom of the page.

MANUAL ACTIONS: Yes - Update

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31
==
NTP.INETSVCS2-BOOT
NTP.NTP-AUX
NTP.NTP-RUN
action: install revision C.4.2.6.0.0 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 27 March 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)


[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5

2013-04-01 Thread come2waraxe
[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===

Author: Janek Vind waraxe
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html


Description of vulnerable software:
~~~

Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT focused information workers that supports
them in working effortlessly with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Version 2.1.5 is vulnerable; other versions were not tested.


###
1. Update Spoofing Vulnerability
###

The current version of Royal TS contains a security vulnerability in its update
mechanism, which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, Royal TS issues a GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: d11e6057ebc3cd1:0
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>1</Minor>
  <Build>5</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
  <ReleaseNotes>
&lt;html lang=&quot;en&quot;
xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;&lt; ...
  </ReleaseNotes>
</RoyalVersionInfo>



The Royal TS user can click the Start Download button, and Royal TS
will open the web browser with a download dialog.

Such an update mechanism contains a security flaw:

The update check is done over an unencrypted HTTP channel. A malicious third party
is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server response.
In this way it is possible to instruct the user to download a malicious update.


Testing: tests were done using Windows 7 and an Apache webserver. Steps:

1. modify the windows/system32/drivers/etc/hosts file in order to emulate
DNS spoofing:  127.0.0.1 www.royalts.com

2. create the xml file /dl/RoyalTS/VersionInfo.xml in the webserver directory
with the following content:

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>3</Minor>
  <Build>4</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://localhost/calc.exe</DownloadURL>
  <ReleaseNotes>
New version 2.3.4 available!
  </ReleaseNotes>
</RoyalVersionInfo>


3. Place a calc.exe file in the webserver main directory.

4. Open Royal TS; it will check for updates automatically, resulting in the dialog:

New version 2.3.4 available!


5. Press the Start Download button. The default web browser window will open,
offering a file download:

You have chosen to open calc.exe



Contact:
~~~

come2war...@yahoo.com
Janek Vind waraxe

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
-- [ EOF ] 
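The weakness in the advisory is that the client acts on whatever VersionInfo.xml it receives over plain HTTP, including a DownloadURL that points anywhere. The following is an added example, not code from Royal TS or the advisory's author: it parses the RoyalVersionInfo format quoted above, compares the advertised version with the installed one, and refuses to treat a download as safe unless the URL is HTTPS, on the expected vendor host and points at an installer package. The host name and the URL policy are assumptions for illustration; the third manifest is constructed to show the accepting case.

```python
"""Check a RoyalVersionInfo manifest before offering its download to the user."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Policy assumptions: installers must be fetched over TLS from the vendor host as .msi.
ALLOWED_SCHEME = "https"
ALLOWED_HOST = "www.royalts.com"
INSTALLED = (2, 1, 5, 61116)   # Major, Minor, Build, MinorRevision of the running client

# The legitimate manifest quoted in the advisory (release notes trimmed).
LEGIT_XML = """<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major><Minor>1</Minor><Build>5</Build><MinorRevision>61116</MinorRevision>
  <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
  <ReleaseNotes>...</ReleaseNotes>
</RoyalVersionInfo>"""

# The spoofed manifest from the advisory's test.
SPOOFED_XML = """<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo>
  <Major>2</Major><Minor>3</Minor><Build>4</Build><MinorRevision>61116</MinorRevision>
  <DownloadURL>http://localhost/calc.exe</DownloadURL>
  <ReleaseNotes>New version 2.3.4 available!</ReleaseNotes>
</RoyalVersionInfo>"""

# Constructed manifest (not from the page) that satisfies the policy above.
PINNED_XML = """<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo>
  <Major>2</Major><Minor>1</Minor><Build>6</Build><MinorRevision>0</MinorRevision>
  <DownloadURL>https://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.06.0.msi</DownloadURL>
  <ReleaseNotes>constructed</ReleaseNotes>
</RoyalVersionInfo>"""


def parse_manifest(xml_text):
    """Return ((Major, Minor, Build, MinorRevision), DownloadURL) or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "RoyalVersionInfo":
        raise ValueError("unexpected root element %r" % root.tag)

    def field(name):
        el = root.find(name)
        if el is None or el.text is None:
            raise ValueError("missing <%s>" % name)
        return el.text.strip()

    version = tuple(int(field(n)) for n in ("Major", "Minor", "Build", "MinorRevision"))
    return version, field("DownloadURL")


def url_problems(url):
    """List every way the download URL violates the policy; empty means acceptable."""
    p = urlparse(url)
    problems = []
    if p.scheme != ALLOWED_SCHEME:
        problems.append("scheme %r is not %s: content can be altered in transit" % (p.scheme, ALLOWED_SCHEME))
    if p.hostname != ALLOWED_HOST:
        problems.append("host %r is not %s" % (p.hostname, ALLOWED_HOST))
    if not p.path.lower().endswith(".msi"):
        problems.append("path %r is not an installer package" % p.path)
    return problems


def check_update(xml_text, installed=INSTALLED):
    """Decide whether a manifest advertises a newer version and whether its download is safe to offer."""
    version, url = parse_manifest(xml_text)
    problems = url_problems(url)
    newer = version > installed
    return {"version": version, "newer": newer, "download_url": url,
            "problems": problems, "safe_to_download": newer and not problems}
```

Even the genuine manifest fails the scheme check here, which is the point: a client that enforces this policy would have refused the advisory's spoofed download and would also push the vendor toward HTTPS for the real one.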


[SECURITY] [DSA 2656-1] bind9 security update

2013-04-01 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2656-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
March 30, 2013 http://www.debian.org/security/faq
- -

Package: bind9
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2266
Debian Bug : 704174

Matthew Horsfall of Dyn, Inc. discovered that BIND, a DNS server, is
prone to a denial of service vulnerability. A remote attacker could use
this flaw to send a specially-crafted DNS query to named that, when
processed, would cause named to use an excessive amount of memory, or
possibly crash.

For the stable distribution (squeeze), this problem has been fixed in
version 1:9.7.3.dfsg-1~squeeze10.

For the testing distribution (wheezy), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu1.

For the unstable distribution (sid), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu1.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)

-END PGP SIGNATURE-



US-CERT Alert TA13-088A: DNS Amplification Attacks

2013-04-01 Thread US-CERT Alerts

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

National Cyber Awareness System
TA13-088A: DNS Amplification Attacks


Original release date: March 29, 2013

Systems Affected

 * Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publically accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic.

Description

A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publically accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic. The basic attack technique consists of
an attacker sending a DNS name lookup request to an open recursive DNS
server with the source address spoofed to be the victim's address. When
the DNS server sends the DNS record response, it is sent instead to the
victim. Because the size of the response is typically considerably
larger than the request, the attacker is able to amplify the volume of
traffic directed at the victim. By leveraging a botnet to perform
additional spoofed DNS queries, an attacker can produce an overwhelming
amount of traffic with little effort. Additionally, because the
responses are legitimate data coming from valid servers, it is
especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can
implement several possible mitigation strategies. The primary element in
the attack that is the focus of an effective long-term solution is the
detection and elimination of open recursive DNS resolvers. These systems
are typically legitimate DNS servers that have been improperly
configured to respond to recursive queries on behalf of any system,
rather than restricting recursive responses only to requests from local
or authorized clients. By identifying these systems, an organization or
network operator can reduce the number of potential resources that the
attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to
participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will
search a network for vulnerable open DNS resolvers. These tools will
scan entire network ranges and list the address of any identified open
resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that
are known to serve as globally accessible open resolvers. The query
interface allows network administrators to enter IP ranges in CIDR
format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a
list of Internet accessible DNS servers and allows administrators to
search for open recursive resolvers [2]. In addition, the Measurement
Factory offers a free tool to directly test an individual DNS resolver
to determine if it allows open recursion. This will allow an
administrator to determine if configuration changes are necessary and
verify that configuration changes have been effective [3]. Finally, the
site offers statistics showing the number of open resolvers detected on
the various Autonomous System (AS) networks, sorted by the highest
number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is
DNSInspect. This site is similar to The Measurement Factory's ability to
test a specific resolver for vulnerability, but offers the ability to
test an entire DNS Zone for several other potential configuration and
security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a
local DNS server requesting the resolution of a name or the reverse
resolution of an IP address. The DNS server performs the necessary
queries on behalf of the client and returns a response packet with the
requested information or an error [6, page 21]. The specification does
not allow for unsolicited responses. In a DNS amplification attack, the
key indicator is a query response without a matching request.

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be
produced by one of these attacks, there is often little that the victim
can do to counter a large-scale DNS amplification-based distributed
denial-of-service attack. While the only effective means of eliminating
this type of attack is to eliminate open recursive resolvers, this
requires a large-scale effort by numerous parties. According to the Open
DNS Resolver Project, of the 27 million known DNS resolvers on the
Internet, approximately 25 million pose a significant threat of being
used in an attack [1]. However, several possible techniques are
available to reduce the overall effectiveness of such attacks to the
Internet community 
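The Indicators section above names the key sign of an amplification attack: a DNS response arriving at a host that never sent the matching query. The following is an added example, not part of the US-CERT alert, that applies that rule to constructed one-line packet summaries as they might be exported from a border capture (the line format "time src_ip dst_ip Q|R txid qname bytes" is an assumption), reports the unsolicited responses and their per-victim volume, and computes the amplification factor of the matched query/response pairs.

```python
"""Detect unsolicited DNS responses and measure amplification from a packet summary log."""
from collections import defaultdict

# Constructed sample traffic seen from the 192.0.2.0/24 network's border (not real data).
# A 'Q' line is a query a local host sent; an 'R' line is a response that arrived.
SAMPLE = """\
10:00:01 192.0.2.10 198.51.100.53 Q 4123 www.example.com. 64
10:00:01 198.51.100.53 192.0.2.10 R 4123 www.example.com. 180
10:00:02 198.51.100.53 192.0.2.77 R 9001 isc.org. 3200
10:00:02 203.0.113.9 192.0.2.77 R 9002 isc.org. 3200
10:00:03 203.0.113.9 192.0.2.77 R 9003 isc.org. 3200
10:00:03 192.0.2.11 198.51.100.53 Q 5550 example.net. 60
10:00:04 198.51.100.53 192.0.2.11 R 5550 example.net. 420
"""


def parse_line(line):
    """Split one summary line into its fields (format is an assumption of this example)."""
    ts, src, dst, kind, txid, qname, size = line.split()
    return {"ts": ts, "src": src, "dst": dst, "kind": kind,
            "txid": int(txid), "qname": qname, "bytes": int(size)}


def analyse(text):
    """Return (unsolicited, ratios).

    unsolicited: responses for which no query with the same transaction id and name
                 was sent by the response's destination to the response's source.
    ratios: amplification factor (response bytes / query bytes) per name for matched pairs.
    """
    outstanding = {}   # (client, server, txid, qname) -> query size in bytes
    unsolicited = []
    ratios = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        p = parse_line(raw)
        if p["kind"] == "Q":
            outstanding[(p["src"], p["dst"], p["txid"], p["qname"])] = p["bytes"]
            continue
        key = (p["dst"], p["src"], p["txid"], p["qname"])
        qsize = outstanding.pop(key, None)
        if qsize is None:
            unsolicited.append(p)          # the indicator named in the alert
        else:
            ratios[p["qname"]] = p["bytes"] / qsize
    return unsolicited, ratios


def victims(unsolicited):
    """Bytes of unsolicited response traffic per destination; the largest is the likely spoofed victim."""
    totals = defaultdict(int)
    for p in unsolicited:
        totals[p["dst"]] += p["bytes"]
    return dict(totals)


if __name__ == "__main__":
    unsol, amp = analyse(SAMPLE)
    print("unsolicited responses:", len(unsol), "victims:", victims(unsol))
    print("amplification factors:", amp)
```

On real captures the match key should also include the UDP port pair, since transaction ids alone repeat quickly under load.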

[security bulletin] HPSBUX02860 SSRT101146 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized Modification and Other Vulnerabil

2013-04-01 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03716627

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03716627
Version: 1

HPSBUX02860 SSRT101146 rev.1 - HP-UX Apache Running Tomcat Servlet Engine,
Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized
Modification and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-03-28
Last Updated: 2013-03-28

- 

Potential Security Impact: Remote Denial of Service (DoS), access restriction
bypass, unauthorized modification and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache
running Tomcat Servlet Engine. These vulnerabilities could be exploited
remotely to create a Denial of Service (DoS) or to perform an access
restriction bypass, unauthorized modification, and other vulnerabilities.

References: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781,
CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2009-3548, CVE-2010-1157,
CVE-2010-2227, CVE-2010-3718, CVE-2010-4476, CVE-2011-0013, CVE-2011-1184,
CVE-2011-2204, CVE-2011-2526, CVE-2011-2729, CVE-2011-3190, CVE-2011-4858,
CVE-2012-0022, CVE-2012-5885.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache running Tomcat Servlet Engine
5.5.35.01 or earlier

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference          Base Vector                    Base Score
CVE-2008-5515        (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2009-0033        (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2009-0580        (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2009-0781        (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2009-0783        (AV:L/AC:L/Au:N/C:P/I:P/A:P)   4.6
CVE-2009-2693        (AV:N/AC:M/Au:N/C:N/I:P/A:P)   5.8
CVE-2009-2902        (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2009-3548        (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2010-1157        (AV:N/AC:H/Au:N/C:P/I:N/A:N)   2.6
CVE-2010-2227        (AV:N/AC:L/Au:N/C:P/I:N/A:P)   6.4
CVE-2010-3718        (AV:L/AC:H/Au:N/C:N/I:P/A:N)   1.2
CVE-2010-4476        (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2011-0013        (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2011-1184        (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2011-2204        (AV:L/AC:M/Au:N/C:P/I:N/A:N)   1.9
CVE-2011-2526        (AV:L/AC:M/Au:N/C:P/I:P/A:P)   4.4
CVE-2011-2729        (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2011-3190        (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2011-4858        (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2012-0022        (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2012-5885        (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software updates to resolve the vulnerability.
The updates are available for download from
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST553601

Servlet Version: HP-UX Apache Tomcat Servlet Engine v5.5.36.01

Depot Names:
  HP-UX_11.23_HPUXWS22T-B5536-1123.depot
  HP-UX_11.31_HPUXWS22T-B5536-1131.depot

MANUAL ACTIONS: Yes - Update
Install HP-UX Apache Tomcat Servlet Engine 5.5.36.01 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX Web Server Suite
HP-UX B.11.23
HP-UX B.11.31
==
hpuxws22TOMCAT.TOMCAT
action: install revision B.5.5.36.01 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 28 March 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin