eTransfer Lite v1.0 iOS - Persistent Filename Vulnerability
Title:
eTransfer Lite v1.0 iOS - Persistent Filename Vulnerability

Date:
2013-08-31

References:
http://www.vulnerability-lab.com/get_content.php?id=1064

VL-ID:
1064

Common Vulnerability Scoring System:
3.8

Introduction:
eTransfer is a tool for you to transfer photos between a PC and an iPad. eTransfer does not need iTunes. It supports photo transfer:
- iPad to iPad
- iPad to PC
- PC to iPad
eTransfer does not need extra software. All you need is the device with eTransfer installed and a web browser on any OS.

(Copy of the Homepage: https://itunes.apple.com/de/app/etransfer-lite-for-ipad/id492163598 )

Abstract:
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the eTransfer Lite v1.0 application (Apple iOS - iPad iPhone).

Report-Timeline:
2013-08-31: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Apple AppStore
Product: eTransfer Lite 1.0

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A persistent input validation web vulnerability is detected in the eTransfer Lite v1.0 application (Apple iOS - iPad iPhone). The bug allows a remote attacker to inject their own malicious persistent script code (application side).

The vulnerability is located in the `Receive Photos from others` and `Send Photos to others` modules of the web server (http://localhost:8080) when processing POST-method requests with manipulated `file-names`. The file name is written into the path value without a secure filter, encoding or parsing. The injected script code is executed in the main file listing where the attacker injected the code earlier, and of course also in the index listing of the mobile web application. There is a security protection that filters random files, because only images are allowed. To include their own script code the attacker needs to manipulate the POST request after the first separate input parse.

Exploitation of the persistent web vulnerability requires low user interaction and a local low-privilege mobile application account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or persistent module context manipulation.

Vulnerable Application(s):
[+] eTransfer Lite v1.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Listing

Vulnerable Parameter(s):
[+] file name

Affected Module(s):
[+] Index File Dir Path Listing
[+] Path/Folder Listing

Proof of Concept:
The persistent input validation web vulnerability can be exploited by remote attackers and local privileged application user accounts with low or medium user interaction. For demonstration or reproduce ...

PoC:

<bq>The following files are hosted live from the iPad's Docs folder.</bq>
<p><b>Images:<br><br></b>
<a href="http://192.168.2.104:8080/%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Es2.png">[PERSISTENT INJECTED SCRIPT CODE!]s2.png</a> (51.8 Kb, 2013-08-25 02:09:25 +)<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a> ( 238.0 Kb, 2013-08-25 02:08:13 +)<br />
</p><br><br><br><hr><br><br><br>
<center><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>Upload file to iPad <input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label>
</form></center><br><br><br>
Powered By <a href="http://www.kaisatec.com">Kaisatec.com</a>
</body></html></iframe></a></p></body></html>

Reference(s):
http://localhost:8080/

Solution:
To fix the vulnerability the filename needs to be parsed, escaped or separately encoded in the POST-method request. Also parse the affected output of the filename in the index file dir listing and in the sub-category path/folder listing.

Risk:
The security risk of the persistent input validation web vulnerability is estimated as medium(+).

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
Talkie Bluetooth Video iFiles 2.0 iOS - Multiple Vulnerabilities
Title:
Talkie Bluetooth Video iFiles 2.0 iOS - Multiple Vulnerabilities

Date:
2013-08-30

References:
http://www.vulnerability-lab.com/get_content.php?id=1062

VL-ID:
1063

Common Vulnerability Scoring System:
8.8

Introduction:
Talkie Bluetooth Video iFiles allows you to connect two iPhones, iPod Touches, or iPads over Bluetooth and talk to each other. Turn your iPhone or iPad into a walkie-talkie and talk to each other. Instant voice chat. No registration. No costs. Try it now.
- Video Transfer
- File Transfer
- Photo Transfer
- Video Music Player
- Video playback of .mp3, .mp4, and .mov formats
A device with a microphone is required. Bluetooth or wifi connection required. Range depends on local wireless coverage. No connection via Internet or telephone network.

(Copy of the Homepage: https://itunes.apple.com/de/app/talkie-bluetooth-video-ifiles/id593553087 )

Abstract:
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Talkie Bluetooth Video iFiles v2 application (Apple iOS - iPad iPhone).

Report-Timeline:
2013-08-30: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Apple AppStore
Product: Talkie Bluetooth Video iFiles 2.0

Exploitation-Technique:
Remote

Severity:
Critical

Details:
1.1
A local file/path include web vulnerability is detected in the Talkie Bluetooth Video iFiles v2 application (Apple iOS - iPad iPhone). The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload.html file when processing POST-method upload requests with manipulated filenames. The attacker can inject local paths or files into the request context and compromise the mobile device or web service. The validation has a bad side effect which increases the risk of combining the attack with persistent injected script code.

Exploitation of the local file include web vulnerability requires no user interaction or privileged application user account with password. Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application.

Vulnerable Application(s):
[+] Talkie Bluetooth Video iFiles v2.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (FileMgr) - (http://localhost:1818/upload.html)

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:1818/)

1.2
An arbitrary file upload web vulnerability is detected in the Talkie Bluetooth Video iFiles v2 application (Apple iOS - iPad iPhone). The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing uploads of files with multiple trailing extensions. Attackers are able to upload php or js web shells by renaming the file with multiple extensions. The attacker uploads, for example, a web shell with the following name and extension: image.jpg.js.php.jpg. The attacker then needs to open the file in the web application and delete the .jpg file extension to access the picture with elevated access rights.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web shells.

Vulnerable Application(s):
[+] Talkie Bluetooth Video iFiles v2.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (FileMgr) - (http://localhost:1818/upload.html)

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing (http://localhost:1818/[FILE PATH]/FILE_NAME)

1.3
A persistent input validation web vulnerability is detected in the Talkie Bluetooth Video iFiles v2 application (Apple iOS - iPad iPhone). The bug allows remote attackers to inject their own malicious persistent script code (application side) via the POST method.

The vulnerability is located in the `Upload File` module of the web-server interface (http://localhost:1818) when processing POST-method requests with a manipulated `filename`. The file name is written into the path value without a secure filter, encoding or parsing mechanism. The injected script code will be executed in the main index file
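Both the eTransfer advisory above and issues 1.2/1.3 of this Talkie advisory come down to the same defect: a client-supplied filename is stored and echoed into an HTML directory listing as-is, and the upload filter looks only for an image extension somewhere in the name. The following C example is added here to show the defensive counterpart; it is not code from either app, from Kaisatec or from Vulnerability Lab. It assumes the embedded web server keeps uploads as single-segment filenames with exactly one allow-listed extension (so `image.jpg.js.php.jpg` is refused outright rather than relying on the last extension), and that every name is HTML-escaped before being placed in the listing. The allow-list and the 64-byte length cap are the example's own choices.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of `ext` against a small image allow-list
 * (constructed list for the example, not taken from either app). */
static bool ext_allowed(const char *ext)
{
    static const char *const allowed[] = {"jpg", "jpeg", "png", "gif"};
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        const char *a = allowed[i], *e = ext;
        while (*a && *e && *a == tolower((unsigned char)*e)) { a++; e++; }
        if (*a == '\0' && *e == '\0') return true;
    }
    return false;
}

/* True only for names of the form STEM.EXT where STEM is [A-Za-z0-9_-]+,
 * there is exactly one dot, no path separators, and EXT is allow-listed.
 * Multiple extensions ("a.jpg.php.jpg") therefore fail on the dot count. */
bool filename_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return false;
    if (strchr(name, '/') || strchr(name, '\\')) return false;
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name || strchr(dot + 1, '.') != NULL) return false;
    for (const char *p = name; p < dot; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-') return false;
    return ext_allowed(dot + 1);
}

/* Escapes the five HTML-significant characters so `in` can be placed in
 * element text or a quoted attribute. Returns bytes written (without the
 * NUL) or -1 if `out` is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = {*in, '\0'};
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= outsz) return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Renders one listing entry. Validation happens first; escaping is kept
 * as defence in depth so the output is safe even if the allow-list is
 * relaxed later. The safe character set also needs no URL-encoding. */
bool render_entry(const char *name, char *out, size_t outsz)
{
    char esc[512];
    if (!filename_is_safe(name)) return false;
    if (html_escape(name, esc, sizeof esc) < 0) return false;
    int n = snprintf(out, outsz, "<a href=\"%s\">%s</a>", esc, esc);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed sample names: one legitimate, two that must be refused. */
    const char *samples[] = {"s2.png", "<b>s2.png", "image.jpg.js.php.jpg"};
    char line[256];
    for (size_t i = 0; i < 3; i++) {
        if (render_entry(samples[i], line, sizeof line))
            printf("accepted: %s\n", line);
        else
            printf("rejected: %s\n", samples[i]);
    }
    return 0;
}
```

Store the file under the validated name (or, better, under a server-generated name with the original kept only as display text) and let the listing call `render_entry` for every entry; a name that fails validation should never reach the filesystem at all.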
Synology DSM multiple vulnerabilities
**
Title: Synology DSM multiple vulnerabilities
Version affected: 4.3-3776
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: andrea.fabr...@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**

Synology DiskStation Manager (DSM) is a Linux-based operating system used for the DiskStation and RackStation products.

1] Remote file download

Any authenticated user, even with the lowest privilege, can download any system file, including /etc/shadow, the samba password files and files owned by the other DSM users, without any restriction.

The vulnerability is located in /webman/wallpaper.cgi. The CGI takes as parameter the full path of the image to download, encoded in ASCII hex format. The problem is that any file type can be downloaded (not only images) and the path validation is very poor. In fact the CGI checks only if the path starts with an allowed directory (like /usr/syno/synoman/webman), and this kind of protection can be easily bypassed using the ../ attack.

For example, to access /etc/shadow:
2f7573722f73796e6f2f73796e6f6d616e2f7765626d616e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f736861646f77
(/usr/syno/synoman/webman/../../../../etc/shadow)

--
GET /webman/wallpaper.cgi?path=AABBCCDDEEFF11223344 HTTP/1.1
Host: 127.0.0.1:5000
Cookie: stay_login=0; id=XXX
--

2] Command injection

A command injection vulnerability, present in the /webman/modules/ControlPanel/modules/externaldevices.cgi CGI, allows any administrative user to execute arbitrary commands on the system with root privileges.

--
POST /webman/modules/ControlPanel/modules/externaldevices.cgi HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: ls
Cookie: stay_login=0; id=XXX
Content-Length: 128

action=applydevice_name=aaprinterid=1.1.1.1-aa';$HTTP_USER_AGENT/tmp/output+%23printer_mode=netPrintereject_netprinter=true
--

Putting the command to execute in the User-Agent string, after the request the output will be ready in the /tmp/output file.

3] Partial remote content download

For localization DSM uses some CGIs that take the lang parameter (e.g. enu for English) and return a JSON object containing the localized strings in a dictionary format. The strings are taken from a local file with the following path:

[current_dir]/texts/[lang_parameter_value]/strings

The /strings appended at the end of the path prevents a path injection, because any value injected using the lang parameter will be invalidated (in other words, it's possible to read only files named strings). But the interesting thing is that the full path of the strings file is built using a snprintf call like this:

snprintf(s, 0x80u, "texts/%s/strings", lang)

This means that by putting in a lang value big enough, it's possible to overflow the 128 bytes allowed by the snprintf and take out the /strings from the built path. For example, the lang value ./ ///../../../../../etc/synoinfo.conf allows getting the /etc/synoinfo.conf file content.

The second problem is that the input file taken by the CGI must be formatted in a key/value way:

key1=string1

In other words, to get some content from a generic file it's necessary that the file contains at least an = on each line (this is the reason why I called the vulnerability Partial remote content download). At first glance it may seem very limiting, but, seeing that it's possible to read directly from the disk block device (e.g. /dev/vg1000/lv), the amount of data dumped is very huge. In my tests I was able to dump around 25/30% of the drive (tested with mixed content, like documents, images, generic files). It's possible to dump data from any drive connected. Interesting data can also be dumped from the /proc vfs.

This vulnerability impacts two different CGIs and is exploitable without authentication by any remote user:

/scripts/uistrings.cgi
/webfm/webUI/uistrings.cgi

--
GET /scripts/uistrings.cgi?lang=X HTTP/1.1
Host: 127.0.0.1:5000
--

In the system there are two other uistrings.cgi, but they are not affected.

4] XSS

A classic Cross-site scripting affects the following CGI:

/webman/info.cgi?host=target=add=
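Issue 3 above hinges on a C idiom rather than on DSM specifically: `snprintf` truncates silently, so a fixed suffix appended in the format string is only a guarantee if the caller checks the return value. The example below is added here (it is not Synology's code and the only thing taken from the advisory is the `snprintf(s, 0x80u, "texts/%s/strings", lang)` shape) to make the failure visible and to show the two checks that close it: reject anything that is not a short alphanumeric language code, and treat a return value at or above the buffer size as an error. The `long_lang()` input is a constructed 150-byte value with no path meaning.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 0x80u   /* 128 bytes, the buffer size named in the advisory */

/* Pattern as described in the advisory: the snprintf result is ignored.
 * With a long enough `lang`, the "/strings" suffix never makes it into
 * the buffer and only the caller-controlled prefix survives. */
void build_path_unchecked(char *s, const char *lang)
{
    snprintf(s, PATH_MAX_LEN, "texts/%s/strings", lang);
}

/* Hardened version. `s` must be at least PATH_MAX_LEN bytes. On any
 * failure `s` is left empty and false is returned, so a caller cannot
 * accidentally open a half-built path. */
bool build_path_checked(char *s, const char *lang)
{
    s[0] = '\0';
    size_t n = strlen(lang);
    if (n == 0 || n > 8) return false;               /* language codes are short */
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)lang[i])) return false;   /* no '/', '.', etc. */
    int written = snprintf(s, PATH_MAX_LEN, "texts/%s/strings", lang);
    if (written < 0 || (size_t)written >= PATH_MAX_LEN) {
        s[0] = '\0';                                  /* output would have been truncated */
        return false;
    }
    return true;
}

/* Demonstration helper: did the fixed suffix survive? */
bool ends_with_strings(const char *s)
{
    const char *suffix = "/strings";
    size_t n = strlen(s), m = strlen(suffix);
    return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Constructed sample input: 150 'a' characters, enough to push the
 * suffix past the 128-byte limit. */
const char *long_lang(void)
{
    static char buf[151];
    memset(buf, 'a', 150);
    buf[150] = '\0';
    return buf;
}

int main(void)
{
    char path[PATH_MAX_LEN];

    build_path_unchecked(path, "enu");
    printf("unchecked, short lang : %s\n", path);          /* texts/enu/strings */
    build_path_unchecked(path, long_lang());
    printf("unchecked, long lang  : suffix kept = %s (len %zu)\n",
           ends_with_strings(path) ? "yes" : "no", strlen(path));

    printf("checked, short lang   : %s\n",
           build_path_checked(path, "enu") ? path : "(rejected)");
    printf("checked, long lang    : %s\n",
           build_path_checked(path, long_lang()) ? path : "(rejected)");
    return 0;
}
```

The length and character checks alone would already stop the advisory's input, but the return-value check is the one that generalizes: it holds for every format string whose trailing literal is a security property, whatever the caller later does with the parameter.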
[security bulletin] HPSBUX02926 SSRT101281 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03922396

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03922396
Version: 1

HPSBUX02926 SSRT101281 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-09-10
Last Updated: 2013-09-10

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2013-4854 (SSRT101281)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running BIND 9.7.3 prior to C.9.7.3.3.0

BACKGROUND

CVSS 2.0 Base Metrics
  Reference       Base Vector                     Base Score
  CVE-2013-4854   (AV:N/AC:L/Au:N/C:N/I:N/A:C)    7.8
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided an updated version of the BIND service to resolve this vulnerability. This update is available from the following location:

ftp://bind9733:secur...@ftp.usa.hp.com
https://ftp.usa.hp.com/hprc
Login : bind9733
Password: Secure12 (NOTE: CASE-sensitive)

BIND 9.7.3 for HP-UX Release    Depot Name
B.11.31 (PA and IA)             HPUX-NameServer_C.9.7.3.3.0_HP-UX_B.11.31_IA_PA.depot

MANUAL ACTIONS: Yes - Update
Download and install the software update

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For BIND 9.7.3
HP-UX B.11.31
NameService.BIND-AUX
NameService.BIND-RUN
action: install revision C.9.7.3.3.0 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 10 September 2013 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlIva/YACgkQ4B86/C0qfVmaYwCfbJud7qhY0Qa5/QZED0yMYfwo
yGoAniW1Fbn4smEcD5D0vfulA/hkRwM+
=Um/8
-----END PGP SIGNATURE-----
[SECURITY] [DSA 2754-1] exactimage security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2754-1                   secur...@debian.org
http://www.debian.org/security/                           Raphael Geissert
September 10, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exactimage
Vulnerability  : denial of service
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-1441

It was discovered that exactimage, a fast image processing library, does not correctly handle error conditions of the embedded copy of dcraw. This could result in a crash or other behaviour in an application using the library due to an uninitialized variable being passed to longjmp.

This is a different issue than CVE-2013-1438/DSA-2748-1.

For the oldstable distribution (squeeze), this problem has been fixed in version 0.8.1-3+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in version 0.8.5-5+deb7u3.

For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 0.8.9-2.

We recommend that you upgrade your exactimage packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlIvnOUACgkQYy49rUbZzlqXUACgh0rpuhTnKiiYhI7DOsKU0IeD
rF4AnA2bCBKuZcY4TGhCCELQ8uf9N2qZ
=a/07
-----END PGP SIGNATURE-----
Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Web Vulnerability
Title:
Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling Web Vulnerability

Date:
2013-09-11

References:
http://www.vulnerability-lab.com/get_content.php?id=812

Security Bulletin: MS13-067
http://technet.microsoft.com/de-de/security/bulletin/MS13-067

Microsoft Security Response Center (MSRC) ID: 14096

VL-ID:
812

Common Vulnerability Scoring System:
5.7

Introduction:
Microsoft SharePoint is a Web application platform developed by Microsoft. First launched in 2001, SharePoint has historically been associated with intranet content management and document management, but recent versions have significantly broader capabilities. Microsoft has two versions of SharePoint available at no cost, but it sells premium editions with additional functionality, and provides a cloud service edition as part of their Office 365 platform (previously BPOS). The product is also sold through a cloud model by many third-party vendors.

SharePoint comprises a multipurpose set of Web technologies backed by a common technical infrastructure. By default, SharePoint has a Microsoft Office-like interface, and it is closely integrated with the Office suite. The web tools are designed to be usable by non-technical users. SharePoint can be used to provide intranet portals, document file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence. It also has system integration, process integration, and workflow automation capabilities.

Enterprise application software (e.g. ERP or CRM packages) often provide some SharePoint integration capability, and SharePoint also incorporates a complete development stack based on web technologies and standards-based APIs. As an application platform, SharePoint provides central management, governance, and security controls for implementation of these requirements. The SharePoint platform integrates directly into IIS - enabling bulk management, scaling, and provisioning of servers, as is often required by large organizations or cloud hosting providers.

In 2008, the Gartner Group put SharePoint in the `leaders` quadrant in three of its Magic Quadrants (for search, portals, and enterprise content management). SharePoint is used by 78% of Fortune 500 companies[citation needed]. Between 2006 to 2011, Microsoft sold over 36.5 million user licenses[citation needed].

(Copy of the Homepage: http://en.wikipedia.org/wiki/Microsoft_SharePoint )

Abstract:
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Microsoft SharePoint Online (cloud-based) application.

Report-Timeline:
2013-02-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06: Vendor Notification (Microsoft Security Response Center - MSRC)
2013-02-07: Vendor Response/Feedback (Microsoft Security Response Center - MSRC)
2013-09-11: Vendor Fix/Patch (Microsoft Security Bulletin)
2013-09-11: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Microsoft Corp.
Product: SharePoint Online (Cloud-Based)

Exploitation-Technique:
Remote

Severity:
High

Details:
A persistent input validation vulnerability is detected in the official Microsoft SharePoint 2013 Online (cloud-based) web application. The vulnerability allows remote attackers to inject their own malicious script code into a vulnerable module on the application side (persistent).

The vulnerability is located in the `SharePoint Online Cloud 2013 Service` section when requesting the `Berechtigungen für den Metadatenspeicher festlegen` (set permissions for the metadata store) module with manipulated ms-descriptionText ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary parameters. The persistent injected script code execution occurs in the main `invalid BDC Übereinstimmung` (invalid BDC match) web application exception handling.

The vulnerability can be exploited with a low (restricted) privileged application user account and low or medium required user interaction. Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, stable external redirects, stable external malware loads and persistent vulnerable module context manipulation.

Vulnerable Service(s):
[+] Microsoft - SharePoint Online (cloud-based)

Vulnerable Module(s):
[+] Berechtigungen für den Metadatenspeicher festlegen - BDC Metadatenspeicher zuweisen

Vulnerable Parameter(s):
[+] ms-descriptionText ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary
[+] TA_ManageBDCPermissions_data

Affected Module(s):
[+] BDC
Insecure CHIASMUS encryption in GSTOOL
== Insecure CHIASMUS encryption in GSTOOL ==

GSTOOL versions 3.0 to 4.7 (inclusive) contain an insecure encryption feature using the non-public CHIASMUS block cipher. Due to the use of an insecure PRNG for key generation, files encrypted using the encryption feature of this tool can be decrypted without knowledge of the key within seconds to minutes.

The affected versions of GSTOOL were developed by Steria Mummert Consulting for the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and released by the BSI.

We reported the issue to the BSI in November 2011. The BSI issued an advisory warning users to stop using the encryption feature in the same month. A patch disabling the vulnerable encryption feature was released in June 2013. We later learned that the issue was independently discovered by Felix Schuster in 2009.

For full details including further issues found, please see the German advisory, available at http://janschejbal.wordpress.com/2013/09/11/advisory-unsichere-verschluesselung-bei-gstool/.

Since this is an implementation issue, the CHIASMUS block cipher itself and other products (e.g. Chiasmus for Windows) using the CHIASMUS block cipher are NOT affected.

Kind regards,
Jan Schejbal
Cross-Site Scripting (XSS) in WikkaWiki
Advisory ID: HTB23170
Product: WikkaWiki
Vendor: Wikka Development Team
Vulnerable Version(s): 1.3.4 and probably prior
Tested Version: 1.3.4
Vendor Notification: August 21, 2013
Vendor Patch: August 31, 2013
Public Disclosure: September 11, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-5586
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in WikkaWiki, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.

1) Cross-Site Scripting (XSS) in WikkaWiki: CVE-2013-5586

The vulnerability exists due to insufficient sanitisation of user-supplied data in the "wakka" HTTP GET parameter passed to the "/sql/" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript alert() function to display the user's cookies:

http://[host]/sql/?wakka=sqlwakka=%22onmouseover=%22javascript:alert%28document.cookie%29;%22%3Elink%3C/a%3E

---

Solution:

Update to Wikka 1.3.4-p1

More Information:
http://docs.wikkawiki.org/WhatsNew
https://wush.net/trac/wikka/ticket/1152

---

References:

[1] High-Tech Bridge Advisory HTB23170 - https://www.htbridge.com/advisory/HTB23170 - Cross-Site Scripting (XSS) in WikkaWiki.
[2] WikkaWiki - http://www.wikkawiki.org - WikkaWiki is a flexible, standards-compliant and lightweight wiki engine written in PHP, which uses MySQL to store pages.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

---

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
ProFTPd mod_sftp/mod_sftp_pam invalid pool allocation in kbdint authentication
Hi there!

See my blog post about the mentioned vulnerability.

http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/

Cheers,
Kingcope
[SECURITY] [DSA 2755-1] python-django security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2755-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
September 11, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4315

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework.

It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze7.

For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJSMHpjAAoJEHidbwV/2GP+skUQAJkFYm+/zsBdAXEvwEHIExpc
a8gSK9kgMC6122RewmfNy9RYB3gI2CZ/C50ImMVu5Ksw9XXasP1tomj2Y2xICCHk
Jwx8hCiSPNfNgL7rt0F05Tp3BlkLMi666sSUQD3Etz7xUasN0UiZskdMe1FUukLT
Fa0+qfWq7soEHIsoeWj0nhkRYy11BKETOFddlSE6CE/tsRBqVb/ZQbrlAg4+W8kx
FtCVanN3tHNAcj4V+Q2KujxWDsY6mqSm0TY/5tavkc1pOIilz8sTZqdfMbmaZuhv
ap0w7yW94prHEQvhYGlMdFn2BSDC8YadqGDr3p+K98jRNkVe7OST47gD3tGnRq8F
CgRZCV0cNnpS8Al4JtAJ0Z6xaphrXd4/fYyQrRqcvSZ2U686Yz6f7XiMnJWzBSVH
Y59+2gi+yg4p3SwinF3uSCXOXFoijvu2xP/FNySf/tnhWtz/o3zeCXwRu02Rk1gu
Fd9tqPVvCgV69JCVk6pCC+q7Q1iqEmvyCloI/Z7mpnk43SiKezkbsFg/tgvD7ORD
DYMbXX+LxYIbr635OvemE/cumBgcCyKH7qIMFhccjL0sXwH0cyeTEVen+YbpfnG2
wLx6TVUr2R7H93M6V/iByEThx0QyTpE7QgKNjI6mbJ4FtnBdIUgl6d0jsW+q2uoL
ZuKaa8ELJZMOm1wlhQZh
=W3/5
-----END PGP SIGNATURE-----
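The Django 'ALLOWED_INCLUDE_ROOTS' issue in this advisory and issue 1 of the Synology DSM post earlier on this page (wallpaper.cgi checking only that the path starts with /usr/syno/synoman/webman) are the same check failing the same way: a string-prefix test on a path that still contains `..` segments. The C example below is added here to show the check done on the normalized path instead; it is neither Django's fix nor Synology's code. It assumes absolute POSIX paths and does a purely lexical normalization (so it does not account for symlinks; see the note after the block), and the `naive_prefix_check` function is included only to contrast the bypass with the corrected check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The flawed check described in both advisories: a plain string prefix
 * comparison, which "/root/../../etc/shadow" satisfies. */
bool naive_prefix_check(const char *root, const char *path)
{
    return strncmp(path, root, strlen(root)) == 0;
}

/* Lexically normalizes an absolute POSIX path into `out`: collapses
 * repeated '/', drops "." segments, resolves ".." against the segments
 * already accepted, and never climbs above "/". Returns false for a
 * relative input or when `out` is too small. */
bool normalize_path(const char *in, char *out, size_t outsz)
{
    if (in[0] != '/' || outsz < 2) return false;
    size_t n = 0;                       /* bytes of "/seg/seg" written so far */
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;          /* skip one or more separators */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 0 && out[--n] != '/') { }   /* drop the last segment, if any */
            continue;
        }
        if (n + 1 + seglen + 1 > outsz) return false;   /* '/', segment, NUL */
        out[n++] = '/';
        memcpy(out + n, seg, seglen);
        n += seglen;
    }
    if (n == 0) out[n++] = '/';         /* everything cancelled out: the root itself */
    out[n] = '\0';
    return true;
}

/* Corrected check: normalize both sides, then require `path` to be the
 * root itself or a descendant of it on a segment boundary (so a root of
 * "/webman" does not accept "/webmanx/..."). */
bool path_within_root(const char *root, const char *path)
{
    char nroot[512], npath[512];
    if (!normalize_path(root, nroot, sizeof nroot)) return false;
    if (!normalize_path(path, npath, sizeof npath)) return false;
    size_t rl = strlen(nroot);
    if (strncmp(npath, nroot, rl) != 0) return false;
    if (strcmp(nroot, "/") == 0) return true;
    return npath[rl] == '\0' || npath[rl] == '/';
}

int main(void)
{
    /* Constructed inputs modelled on the DSM advisory's example. */
    const char *root = "/usr/syno/synoman/webman";
    const char *samples[] = {
        "/usr/syno/synoman/webman/images/bg.jpg",
        "/usr/syno/synoman/webman/../../../../etc/shadow",
        "/usr/syno/synoman/webmanx/bg.jpg",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-50s naive=%s normalized=%s\n", samples[i],
               naive_prefix_check(root, samples[i]) ? "allow" : "deny",
               path_within_root(root, samples[i]) ? "allow" : "deny");
    return 0;
}
```

Lexical normalization is enough to defeat `..` sequences in the request string, but a symlink inside the allowed tree can still point outside it; when the files are opened on a real filesystem, run the same containment check on the result of `realpath()` (or open with `O_NOFOLLOW` per component) rather than on the request string alone.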
OWASP Zed Attack Proxy 2.2.0
Hi folks,

ZAP 2.2.0 is now available from http://code.google.com/p/zaproxy/downloads/list

This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team. It also supports Mozilla Plug-n-Hack, localization in 20 languages, various minor enhancements and lots of bug fixes.

For more details see the release notes: http://code.google.com/p/zaproxy/wiki/HelpReleases2_2_0

If you use ZAP then please fill in the ZAP User Questionnaire linked off the ZAP homepage: https://www.owasp.org/index.php/ZAP
This will help us prioritize features for future releases.

Many thanks to everyone who contributed to this release.

Cheers,

Simon
--
OWASP ZAP Project leader
[ MDVSA-2013:230 ] gdm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:230
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gdm
Date    : September 11, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in gdm:

GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/ (CVE-2013-4169).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4169
rhn.redhat.com/errata/RHSA-2013-1213.html
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
c9c0e22c4dbf7734df019ec39e494acb  mes5/i586/debugmode-8.81-10.8mdvmes5.2.i586.rpm
61af3c6bf858f4b2aad9bfc9f67c2f69  mes5/i586/gdm-2.20.11-0.2mdvmes5.2.i586.rpm
5ab82b08cef49c41ebc045196875b4a6  mes5/i586/gdm-Xnest-2.20.11-0.2mdvmes5.2.i586.rpm
61ab1d9c46c4dbdc968775a5d825cbf1  mes5/i586/initscripts-8.81-10.8mdvmes5.2.i586.rpm
8e097ab7ff0c6320770b86fb8cba73a4  mes5/SRPMS/gdm-2.20.11-0.2mdvmes5.2.src.rpm
3ab56a25b076a224c01a72e12652cc01  mes5/SRPMS/initscripts-8.81-10.8mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
09773125c4a75eb46d191f23bdede06e  mes5/x86_64/debugmode-8.81-10.8mdvmes5.2.x86_64.rpm
f34f8b5caf1aabcfd636929be8546fd0  mes5/x86_64/gdm-2.20.11-0.2mdvmes5.2.x86_64.rpm
5b0ac4e9219acb4432102bd52aab2cc1  mes5/x86_64/gdm-Xnest-2.20.11-0.2mdvmes5.2.x86_64.rpm
be5edadaada0e51a3f28eb40e9c54356  mes5/x86_64/initscripts-8.81-10.8mdvmes5.2.x86_64.rpm
8e097ab7ff0c6320770b86fb8cba73a4  mes5/SRPMS/gdm-2.20.11-0.2mdvmes5.2.src.rpm
3ab56a25b076a224c01a72e12652cc01  mes5/SRPMS/initscripts-8.81-10.8mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSMFczmqjQ0CJFipgRArCAAKCqw0oRwRMD/IVV5U5zDFmrcLKO4wCdGPs3
qweAcNHAuPAv8JmsXSFRSKc=
=tMr1
-----END PGP SIGNATURE-----
[security bulletin] HPSBUX02928 SSRT101274 rev.1 - HP-UX running perl, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03924247

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03924247
Version: 1

HPSBUX02928 SSRT101274 rev.1 - HP-UX running perl, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-09-11
Last Updated: 2013-09-11

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX perl. This vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2013-1667 (SSRT101274)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP-UX perl version E.5.8.8.L or earlier

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-1667    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software updates to resolve the vulnerability. The updates are available for download from the following location:

ftp://perl588m:secur...@ftp.usa.hp.com
https://ftp.usa.hp.com/hprc

Login   : perl588m
Password: Secure12 (NOTE: CASE-sensitive)

HP-UX 11i Release     HP-UX perl v5.8.8 Depot name
B.11.11 (32/64 bit)   perl_E.5.8.8.M_HP-UX_B.11.11_32_64.depot
B.11.23 (32/64 bit)   perl_E.5.8.8.M_HP-UX_B.11.23_IA_PA.depot
B.11.31 (32/64 bit)   perl_E.5.8.8.M_HP-UX_B.11.31_IA_PA.depot

MANUAL ACTIONS: Yes - Update
Install HP-UX perl E.5.8.8.M or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11, B.11.23, B.11.31
===================
Perl5-32.PERL-RUN
Perl5-64.PERL-RUN
action: install revision E.5.8.8.M or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 11 September 2013 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlIwEWoACgkQ4B86/C0qfVkrOACghhGgC7BeLrR5ks9/GJ6d3kFd
ptwAn2k8QjdsKQ7mCE/CoFmV83F5Uslm
=k7Jo
-----END PGP