Cross-Site Scripting (XSS) in Feng Office
Advisory ID: HTB23174
Product: Feng Office
Vendor: Secure Data SRL
Vulnerable Version(s): 2.3.2-rc and probably prior
Tested Version: 2.3.2-rc
Advisory Publication: September 18, 2013 [without technical details]
Vendor Notification: September 18, 2013
Public Disclosure: October 9, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-5744
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Feng Office which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.

1) Cross-Site Scripting (XSS) in Feng Office: CVE-2013-5744

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the ref_[any] HTTP GET parameter passed to the /index.php script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript alert() function to display the user's cookies:

http://[host]/index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

---

Solution:

The vendor did not reply to 3 notifications by email, 1 notification by Twitter, 1 notification by contact form on the website, 1 forum thread and 1 support ticket. Currently we are not aware of any official solution for this vulnerability.

An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here:
https://www.htbridge.com/advisory/HTB23174-patch.zip

---

References:

[1] High-Tech Bridge Advisory HTB23174 - https://www.htbridge.com/advisory/HTB23174 - Cross-Site Scripting (XSS) in Feng Office.
[2] Feng Office - http://www.fengoffice.com - Feng Office is a Web-based Software that integrates Project Management, Client Relationship Management, Billing, Financing, among other features that help you efficiently run your Professional Services Business.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

---

Disclaimer: The information provided in this Advisory is provided as is and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
[ISecAuditors Security Advisories] Multiple Vulnerabilities in Uebimiau = 2.7.11
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-008
- Original release date: March 15th, 2013
- Last revised: March 20th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2621, CVE-2013-2622, CVE-2013-2623
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Uebimiau <= 2.7.11

II. BACKGROUND
-------------------------
UebiMiau is a webmail reader application supporting both the IMAP and POP3 protocols. It can be installed without depending on any extra PHP modules or a separate database. It is open source software published under the GNU General Public License (GPL). UebiMiau has not been developed since March 2006 and does not work with PHP 5.3 due to its use of deprecated functions. A new project named Telaen, a forked reboot of UebiMiau based on the jimjag patches, is an actively developed drop-in replacement.

III. DESCRIPTION
-------------------------
Uebimiau 2.7.11 and lower versions contain a flaw that allows a remote redirection attack. This flaw exists because the application does not properly sanitise the input to the file redir.php. This allows an attacker to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choice.

Additionally, a reflected XSS vulnerability has been detected in Uebimiau 2.7.11 and lower versions that allows arbitrary HTML/JavaScript code to be executed in the context of the victim user's browser. The code injection is done through the parameter f_email in the page index.php and the parameter selected_theme in the page error.php.

IV. PROOF OF CONCEPT
-------------------------
REDIRECT:
http://vulnerablesite.com/uebimiau/redir.php?http://www.malicious-site.com

XSS 1:
http://vulnerablesite.com/uebimiau/error.php?f_pass=blacky&brsess[auth]=1&selected_theme=;<script>alert(XSS)</script>

XSS 2:
http://vulnerablesite.com/uebimiau/index.php?tid=default&lid=en_UK&f_email=;<script>alert(XSS)</script>

V. BUSINESS IMPACT
-------------------------
REDIRECT: An attacker can redirect any user to any malicious website. Below I have mentioned the vulnerable URL.
XSS: An attacker can execute arbitrary HTML or JavaScript code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
All versions of Uebimiau.

VII. SOLUTION
-------------------------
REDIRECT AND XSS: All data received by the application that can be modified by the user must be validated before any kind of transaction is made with it.

VIII. REFERENCES
-------------------------
http://www.uebimiau.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 15, 2013 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 15, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 20, 2013: Sent to devel manager.
March 21, 2013: Answer. After 4 years since the previous version, the developer will publish a new patched version in 3 days!
September 26, 2013: Asked devel manager for feedback.
October 09, 2013: After some months without feedback, we do a full disclosure.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion.

For further information regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors
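The redir.php flaw above takes its target from the raw query string and follows it unchecked. As an added example (not Uebimiau's code), this is the validation a replacement redirector should apply; the allowed host list and the fallback path are assumptions for a hypothetical deployment on vulnerablesite.com.

```python
from urllib.parse import unquote, urlsplit

# Constructed for this example: the hosts this deployment may redirect to.
ALLOWED_HOSTS = {"vulnerablesite.com", "www.vulnerablesite.com"}
FALLBACK = "/index.php"


def safe_redirect_target(query_string, fallback=FALLBACK):
    """Return a redirect target that stays on the site, or the fallback.

    The input is the raw query string, e.g. 'http://www.malicious-site.com'
    from redir.php?http://www.malicious-site.com in the advisory above.
    """
    target = unquote(query_string).strip()
    if not target or any(ord(c) < 0x20 for c in target):
        return fallback                # empty, or control chars (Location header splitting)
    # Site-relative path: exactly one leading '/'. '//host' and '/\host' are
    # scheme-relative to browsers, so they are not accepted as relative here.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target
    try:
        parts = urlsplit(target)
    except ValueError:
        return fallback                # malformed URL (e.g. bad IPv6 literal)
    if parts.scheme not in ("http", "https"):
        return fallback                # scheme-less, javascript:, data:, ...
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback                # off-site target, including user@host forms
    return target
```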
[ISecAuditors Security Advisories] Multiple Reflected XSS vulnerabilities in BoltWire = v3.5
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-010
- Original release date: March 20th, 2013
- Last revised: March 25th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2651
=============================================

I. VULNERABILITY
-------------------------
Multiple Reflected XSS vulnerabilities in BoltWire <= v3.5

II. BACKGROUND
-------------------------
BoltWire is an easy to use web development engine with surprising flexibility and power. It has the various strengths of a wiki, CMS, database, search engine, and more, all rolled together into a software system of ground-breaking design.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in BoltWire <= 3.5 that allows arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameters p and content in the page index.php.

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the double encoding of the p parameter: a value that is filtered when sent plain or URL-encoded once passes the filter when URL-encoded twice.

Malicious Request (p parameter):

Not vulnerable:
http://vulnerablesite.com/boltwire/index.php?p=<script>alert(XSS)</script>

Not vulnerable:
http://vulnerablesite.com/boltwire/index.php?p=%3cscript%3ealert%28%22XSS %22%29%3c%2fscript%3e

Vulnerable:
http://vulnerablesite.com/boltwire/index.php?p=%253cscript%253ealert%2528%2522XSS %2522%2529%253c%252fscript%253e

Malicious Request (content parameter):

POST /bolt/field/index.php?p=action.create HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=bf1bcm8370oqt84lh8nvrdklb7; BOLTsession=bf1bcm8370oqt84lh8nvrdklb7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

target=example&content=</textarea><script>alert(XSS)</script>&submit=PREVIEW

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
All versions of BoltWire <= v3.5

VII. SOLUTION
-------------------------
All data received by the application that can be modified by the user must be validated before any kind of transaction is made with it.

VIII. REFERENCES
-------------------------
http://www.boltwire.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Manuel García Cárdenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 20, 2013 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 20, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 25, 2013: Sent to devel team.
October 09, 2013: After some months without feedback, we do a full disclosure.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion.

For further information regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors
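The Feng Office, Uebimiau and BoltWire findings above are the same defect seen from two angles: a parameter echoed into HTML without output encoding, and (in BoltWire) an input blocklist that runs before a second URL decode. This added example (not code from any of those projects) models both in Python: the query parser mimics the server's single decode into $_GET, render_ref_fields stands in for a page that echoes every ref_* parameter, and render_p stands in for a filter-then-decode page; the hidden-input and h1 contexts are assumed for illustration, and the inputs are the advisories' own proof-of-concept URLs.

```python
import html
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed inputs: the proof-of-concept URLs quoted in the advisories above.
FENG_URL = ("http://host/index.php?c=access&a=login"
            "&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")
BOLT_ONCE = "http://host/boltwire/index.php?p=%3cscript%3ealert%28%22XSS%22%29%3c%2fscript%3e"
BOLT_TWICE = ("http://host/boltwire/index.php?p="
              "%253cscript%253ealert%2528%2522XSS%2522%2529%253c%252fscript%253e")


def parse_query(url):
    """Decode the query string exactly once, as the server does to fill $_GET.
    Splits on '&' only, so a ';' inside a value survives (parse_qs on older
    Pythons would treat it as a separator)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_ref_fields(params, escape):
    """Feng Office pattern: every ref_* parameter is echoed into a hidden input.
    With escape=False a value can close the attribute and append its own tag."""
    out = []
    for name, value in params.items():
        if not name.startswith("ref_"):
            continue
        if escape:
            name, value = html.escape(name), html.escape(value)
        out.append(f'<input type="hidden" name="{name}" value="{value}">')
    return "<form>" + "".join(out) + "</form>"


def render_p(params, double_decode, escape):
    """BoltWire pattern: a '<' / '>' blocklist runs on the once-decoded p, but the
    page then decodes p again, so %253c passes the check and becomes '<'.
    Either not decoding twice or escaping at output time closes the hole."""
    p = params.get("p", "")
    if "<" in p or ">" in p:          # the filter, applied before the last decode
        return "<h1>blocked</h1>"
    if double_decode:
        p = unquote(p)                # the second decode that defeats the filter
    if escape:
        p = html.escape(p)            # context-correct output encoding for HTML text
    return f"<h1>{p}</h1>"


def script_injected(page):
    """Check used for the outcomes: did a raw <script> tag reach the rendered HTML?"""
    return "<script>" in page
```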
[SECURITY] [DSA 2770-1] torque security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2770-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
October 09, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : torque
Vulnerability  : authentication bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4319
Debian Bug     : 722306

John Fitzpatrick of MWR InfoSecurity discovered an authentication bypass vulnerability in torque, a PBS-derived batch processing queueing system.

The torque authentication model revolves around the use of privileged ports. If a request is not made from a privileged port then it is assumed not to be trusted or authenticated. It was found that pbs_mom does not perform a check to ensure that connections are established from a privileged port.

A user who can run jobs or log in to a node running pbs_server or pbs_mom can exploit this vulnerability to remotely execute code as root on the cluster by submitting a command directly to a pbs_mom daemon to queue and run a job.

For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze2.

For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your torque packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module Software
Advisory ID: cisco-sa-20131009-fwsm
Revision 1.0
For Public Release 2013 October 9 16:00 UTC (GMT)

Summary
=======

Cisco Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities:

    Cisco FWSM Command Authorization Vulnerability
    SQL*Net Inspection Engine Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system. Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm

Note: The Cisco Adaptive Security Appliance (ASA) may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco ASA. That advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
[SECURITY] [DSA 2771-1] nas security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2771-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
October 09, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nas
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4256 CVE-2013-4257 CVE-2013-4258

Hamid Zamani discovered multiple security problems (buffer overflows, format string vulnerabilities and missing input sanitising), which could lead to the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.9.2-4squeeze1.

For the stable distribution (wheezy), these problems have been fixed in version 1.9.3-5wheezy1.

For the testing distribution (jessie), these problems have been fixed in version 1.9.3-6.

For the unstable distribution (sid), these problems have been fixed in version 1.9.3-6.

We recommend that you upgrade your nas packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org