Re: ownCloud Unencrypted Private Key Exposure

2014-08-06 Thread Anthony Dubuissez
Hello,

If by access to the file system you mean with all administrative privileges, yes, 
but only if there are user sessions in the PHP session storage to decrypt the 
files for that user.

You can have multiple websites on the FS; if they do not share the tmp session 
storage for PHP, there is no vulnerability, as it would require access to the 
session for the ownCloud user.

Regards,
Anthony Dubuissez


On 4 Aug 2014, at 16:00, Frank Stanek fr...@frank-stanek.de wrote:

 Hi,
 
 thank you for this announcement. I have a (very naive) question about this. 
 As a consequence of this vulnerability an attacker with access to the 
 ownCloud server's file system can compromise the encrypted data stored on the 
 server. There does not seem to be a workaround for that and there will be no 
 fix. Thus, data on an ownCloud server is always accessible to an attacker 
 with access to the file system, regardless of whether ownCloud's encryption 
 feature is enabled or not. Is that correct so far?
 
 It seems to me that one of the encryption feature's main purposes is to 
 prevent an attacker with access to the server's file system from immediate 
 access to the user data. If my understanding above is true, then this purpose 
 is void since the encryption is useless in that scenario. If this is somehow 
 not part of the vendor's threat model, isn't it at least an important 
 restriction? Or did I completely misunderstand something?
 
 Regards
 Frank
 
 
 On 04.08.2014 08:38, Senderek Web Security wrote:
 
 
 Senderek Web Security - Security Advisory
 
 ownCloud Unencrypted Private Key Exposure
 =========================================
 
 https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
 
 Revision: 1.00
 Last Updated: 3 Aug 2014
 
 
 Summary:
 
 In consequence of an insufficient threat model, ownCloud is storing all users'
 private RSA keys in clear text in PHP session files. These unencrypted private
 keys can be accessed by every web application that has the privilege of the
 web server user. The affected files exposing cryptographic keys will be stored
 in the PHP session directory for a number of hours until they are removed.
 
 This issue was reported to ownCloud via encrypted email on Tue, 11 Mar 2014.
 I received a reply to this report from the vendor on Wed, 12 Mar 2014.
 
 On Tue, 22 July 2014 the vendor confirmed that they will not address this
 problem, because the protection of user encrypted files from remote attackers
 that have read access to the file system with web server privilege is not - and
 will not be - part of their threat model. Consequently, the vendor does not
 consider this to be a vulnerability or security issue.
 
 Severity: High
 
 
 Affected Software Versions:
 
 All versions of ownCloud since the introduction of the encryption module in
 version 5.0.7, including version 7.0.0.
 
 
 Impact:
 
 An attacker who is able to read the PHP session files by exploiting another
 web application that is running on the ownCloud server will be able to gather
 the unencrypted private key of every ownCloud user. All encrypted files that
 are stored in a user's home directory can be decrypted with this RSA private
 key, stored in the PHP session files in plain text. If the user's encrypted
 files are synced to other devices or shared with other servers - for hosting or
 backup - an attacker will be able to decrypt all user data that is being
 intercepted, even if the attacker no longer has access to the server's file
 system.
 
 
 Fixes:
 
 In addition to the ownCloud encryption module, users are advised to encrypt
 their sensitive files separately with a standard server-side encryption
 mechanism like GnuPG, using a passphrase that is not stored on the server
 except while being used in memory.
 
 One software solution that extends ownCloud with GnuPG-based server-side
 encryption can be downloaded here:
 
 https://senderek.ie/downloads/release/cloud/wee-owncloud.tar
 
 A detailed installation tutorial is available at:
 
 https://senderek.ie/wee/cloud/wee-owncloud.php
 
 This general web application extension addresses a more comprehensive threat
 model that includes the possibility of read-access to web server accessible
 files on the server. However, it does not protect against malicious actions of
 server admins, as this cannot be prevented by web applications.
 
 
 Security Advice Policy:
 
 Complete information about reporting security vulnerabilities can be found
 here:
 
 https://senderek.ie/responsible.disclosure.policy.php
 
 All information in this security advisory is copyrighted
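
The check that follows from the advisory above, as an added example that is not part of the Senderek advisory, of Anthony's reply, or of ownCloud's own code: anything running as the web server user can read PHP's session.save_path, so the script lists which sess_* files there contain PEM private keys. The session files it creates are constructed for the demo; the session variable name "privateKey" is an assumption for illustration, not a name taken from ownCloud.

```python
"""Find clear-text private keys in a PHP session directory.

Added example; not part of the Senderek advisory and not ownCloud code. The
session files written by build_sample_session_dir() are constructed for the
demo, and the session key name "privateKey" is an assumption, not a name
taken from ownCloud.
"""
import os
import re
import stat
import tempfile

# PEM armour survives whatever serialisation wraps it, so a regex over the raw
# bytes finds keys without parsing PHP's session format.
PEM_BEGIN = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?)PRIVATE KEY-----")


def find_leaked_keys(session_dir):
    """Return one (filename, [key labels], readable_by_others) tuple per
    sess_* file that contains at least one PEM private key."""
    hits = []
    for name in sorted(os.listdir(session_dir)):
        if not name.startswith("sess_"):
            continue  # PHP's file handler names its files sess_<session id>
        path = os.path.join(session_dir, name)
        with open(path, "rb") as fh:
            labels = [m.group(1).decode().strip() or "PKCS#8"
                      for m in PEM_BEGIN.finditer(fh.read())]
        if labels:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # PHP writes 0600; group/other read bits would widen the exposure
            # beyond the web server user the advisory already assumes.
            readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            hits.append((name, labels, readable_by_others))
    return hits


# Constructed placeholder, not a real key: only the armour lines matter here.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIBOgIBAAJBAKconstructedplaceholderbodyAAAA\n"
            b"-----END RSA PRIVATE KEY-----\n")


def php_serialize_session(var, key, value):
    """Serialise one session variable the way PHP's default 'php' handler
    does: name|<serialised array>, with byte-exact string lengths."""
    return (b'%s|a:1:{s:%d:"%s";s:%d:"%s";}'
            % (var, len(key), key, len(value), value))


def build_sample_session_dir():
    """Write three constructed files into a fresh temp dir and return it."""
    d = tempfile.mkdtemp(prefix="phpsess_")
    files = {
        # assumed layout: an "encryption" session variable holding the key
        "sess_owncloud0001": php_serialize_session(b"encryption", b"privateKey", FAKE_KEY),
        "sess_othersite001": php_serialize_session(b"cart", b"item", b"book"),
        "README.txt": FAKE_KEY,  # not a session file; must be ignored
    }
    for name, body in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
    return d


def demo():
    """Scan the constructed directory; returns [("sess_owncloud0001", ["RSA"], False)]."""
    return find_leaked_keys(build_sample_session_dir())


if __name__ == "__main__":
    for name, labels, broad in demo():
        print("%s: %s%s" % (name, ",".join(labels),
                            " (readable by others!)" if broad else ""))
```

Point find_leaked_keys() at the directory `php -i` reports for session.save_path. The result is only meaningful per save path: as Anthony's reply notes, a second site on the same host can read these files only if its PHP pool shares that directory, so giving each php-fpm pool its own `php_value[session.save_path]` is the isolation this check verifies.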
 

RE: ownCloud Unencrypted Private Key Exposure - version (6.0.4) reported not vulnerable

2014-08-06 Thread Choulat, Trace
This came into our security group when we inquired with ownCloud:

It has been officially confirmed by ownCloud security team that the version 
(6.0.4) running on our servers is not vulnerable to this issue.

Hi --:
 
I heard back from the Security team within ownCloud and this is not an issue in 
6.0.4.




CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java

2014-08-06 Thread Georg Lukas
CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java
===

Smack http://www.igniterealtime.org/projects/smack/ is an Open Source
XMPP (Jabber) client library for instant messaging and presence written
in Java. Smack prior to version 4.0.2 is vulnerable to TLS
Man-in-the-Middle attacks, as it fails to check if the server
certificate matches the hostname of the connection.

Affected versions
-

-   Smack 4.0.0 and 4.0.1 are vulnerable.
-   Smack 2.x and 3.x are vulnerable if a custom `SSLContext` is
supplied via `connectionConfiguration.setCustomSSLContext()`.

Details
---

Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname
verification.

Mitigation
--

Users of the Smack library are advised to upgrade to Smack 4.0.2, and
then use `connectionConfiguration.setHostnameVerifier()` with a
reasonable `HostnameVerifier` implementation. A proper hostname verifier
**MUST** be configured to close the vulnerability.

For Smack 3.x users, a backported commit has been created:

https://github.com/ge0rg/smack/commit/8d483b25bda7ae86a3f3e83217c2add6d710798a

Here, a `HostnameVerifier` implementation needs to be
supplied via `connectionConfiguration.setHostnameVerifier()` as well.

When using the official JRE, the internal class
`sun.security.util.HostnameChecker` can be wrapped as described
here:

http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/

If Apache's HttpClient library is available, its `StrictHostnameVerifier` can
be used.

On Android, MemorizingTrustManager provides both certificate checking and
hostname verification with interactive fallback, allowing the user to decide
about the trustworthiness of a server:

https://github.com/ge0rg/MemorizingTrustManager/
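The decision a proper `HostnameVerifier` has to make, as an added example that is not Smack code and not the JRE's `HostnameChecker`: chain validation only proves the certificate was issued to *some* name, and the verifier must then compare that name with the one the client meant to reach. The logic is written in Python so it runs stand-alone; certificates are modelled as the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificates are constructed for the demo. The rules are the RFC 6125 ones Java's checker also applies: dNSName SAN entries win over the subject CN, matching is case-insensitive, and a wildcard is accepted only as the entire leftmost label, covering exactly one label.

```python
"""Hostname matching of the kind a TLS client must do after chain validation.

Added example, not Smack code and not the JRE's HostnameChecker. Certificates
are modelled as the dict returned by ssl.SSLSocket.getpeercert(); the sample
certificates below are constructed for the demo.
"""


def match_dns_pattern(pattern, hostname):
    """RFC 6125-style comparison of one dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a wildcard that is the whole leftmost label is accepted, it must be
    # followed by at least two more labels ("*.com" is refused), and no other
    # wildcard may appear anywhere in the pattern.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False  # a wildcard covers exactly one label, never "a.b.im.example.org"
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def verify_hostname(cert, hostname):
    """Return True if cert was issued for hostname.

    dNSName SAN entries are authoritative; the subject CN is consulted only
    when the certificate carries no dNSName at all (legacy behaviour).
    """
    dns_names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        return any(match_dns_pattern(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return match_dns_pattern(value, hostname)
    return False


# Constructed sample certificates (only the fields a verifier looks at).
LEGIT_CERT = {"subject": ((("commonName", "xmpp.example.org"),),),
              "subjectAltName": (("DNS", "xmpp.example.org"),
                                 ("DNS", "*.im.example.org"))}
ATTACKER_CERT = {"subject": ((("commonName", "attacker.example"),),),
                 "subjectAltName": (("DNS", "attacker.example"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "old.example.org"),),)}
SAN_OVERRIDES_CN_CERT = {"subject": ((("commonName", "xmpp.example.org"),),),
                         "subjectAltName": (("DNS", "attacker.example"),)}


def smack_scenario():
    """The bug from the advisory: a chain-valid certificate for the attacker's
    own domain is presented on a connection meant for xmpp.example.org. Chain
    validation passes for both; only the hostname check tells them apart."""
    return {"legit": verify_hostname(LEGIT_CERT, "xmpp.example.org"),
            "mitm": verify_hostname(ATTACKER_CERT, "xmpp.example.org")}


if __name__ == "__main__":
    print(smack_scenario())  # {'legit': True, 'mitm': False}
```

For XMPP the name to pass as `hostname` is the service domain (the domainpart of the JID, what the connection configuration calls the service name), not the host a DNS SRV lookup resolved to; verifying against the SRV target lets whoever controls DNS choose the name the certificate has to match.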

Affected Applications
-

Smack is a library used by different applications. Therefore, the
authors of the following Smack-based applications have been contacted to
coordinate updated releases:

-   ChatSecure (fixed in 13.2.0-beta1)
-   GTalkSMS (contacted on 2014-07-28)
-   MAXS (fixed in 0.0.1.18)
-   yaxim and Bruno (fixed in 0.8.8)
-   *undisclosed Android application* (contacted on 2014-07-21)

The following Smack-based applications were not affected:

-   TransVerse (special interest client)
-   Xabber (using a custom `TrustManager` performing hostname verification)

Timeline
--------

-   2014-07-20 Discovery of Smack vulnerability, notification of Smack
maintainer
-   2014-07-21 Notification of vulnerable apps' authors
-   2014-07-27 Release of Smack 4.0.2
-   2014-08-01 Release of MAXS 0.0.1.18
-   2014-08-04 Release of yaxim 0.8.8
-   2014-08-05 Release of ChatSecure 13.2.0 beta 1
-   2014-08-05 Publication of this advisory

Links
-

Online version of advisory:
http://op-co.de/CVE-2014-5075.html

PDF version:
http://op-co.de/CVE-2014-5075.pdf

-- 
Dr. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Tel. : (+49)221 93724 0
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de





[SECURITY] [DSA 2997-1] reportbug security update

2014-08-06 Thread Salvatore Bonaccorso

------------------------------------------------------------------------
Debian Security Advisory DSA-2997-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 05, 2014                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: reportbug
CVE ID : CVE-2014-0479

Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.

For the stable distribution (wheezy), this problem has been fixed in
version 6.4.4+deb7u1.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.5.0+nmu1.

We recommend that you upgrade your reportbug packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
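The bug class behind DSA-2997-1, as an added example that is not reportbug's own code: a version string an attacker in the middle could have supplied is run through two code paths, one that concatenates it into a shell command line (the vulnerable pattern) and one that validates it against the Debian version character set and passes it as a single argv element. The command is a harmless echo so the demo runs anywhere; the injected `echo INJECTED` stands in for an arbitrary payload, and the hostile version string is constructed for the demo.

```python
"""Shell metacharacters in a version string: the bug class behind DSA-2997-1.

Added example, not reportbug's own code. The command is a harmless echo; the
injected "echo INJECTED" stands in for an arbitrary payload.
"""
import re
import subprocess

# Approximation of the Debian version syntax (Policy 5.6.12): optional epoch,
# a leading digit, then letters, digits and the characters . + - ~ :
# Anything else, in particular ; | & $ ` ( ) and whitespace, is refused.
DEB_VERSION_RE = re.compile(r"^(\d+:)?[0-9][A-Za-z0-9.+~:-]*$")


def run_vulnerable(version):
    """String concatenation into a shell command line: the shell parses the
    attacker-controlled part, so ';' ends the command and starts a new one."""
    cmd = "echo reported-version=" + version
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.splitlines()


def run_hardened(version):
    """Validate first, then pass the value as one argv element so no shell
    ever sees it. Raises ValueError on anything outside the version grammar."""
    if not DEB_VERSION_RE.match(version):
        raise ValueError("rejected version string: %r" % version)
    out = subprocess.run(["echo", "reported-version=" + version],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


MITM_VERSION = "6.4.4; echo INJECTED"  # constructed hostile input


def demo():
    """Return what each path does with a benign and a hostile version."""
    result = {"benign_vulnerable": run_vulnerable("6.4.4+deb7u1"),
              "hostile_vulnerable": run_vulnerable(MITM_VERSION),
              "benign_hardened": run_hardened("6.4.4+deb7u1")}
    try:
        run_hardened(MITM_VERSION)
        result["hostile_hardened"] = "accepted"
    except ValueError:
        result["hostile_hardened"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The argv form alone already stops the injection; the validation is kept because a version string also ends up in file names, URLs and reports, where a different interpreter may be waiting.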



Re: ownCloud Unencrypted Private Key Exposure

2014-08-06 Thread Jack Brennan

Hi,

A valid concern.

HTTPS should be used to secure traffic from a client to the server,
solving any problems related to eavesdropping.

Encrypting the content of the account data should solve two problems.

1. Secure data from curious system administrators.

2. Secure data in case of an account breach, lost password or phishing
(etc.)

3. Secure data that is copied off the server and taken offsite.

The current solution doesn't solve any of those problems. Firstly, the
user's password is the encryption key. Secondly, in the case of number
3, an attacker that can get your raw data will either have your
account password or server-side access.

- From the OwnCloud Manual:
http://doc.owncloud.org/server/6.0/user_manual/files/encryption.html

Server-Side encryption is especially useful if you use external
storages. This way you can make sure that the storage provider is not
able to read your data.

I'm not quite sure what they are suggesting, because if we read a
little further:

Encryption and decryption always happens server-side. This enables
the user to continue to use all the other apps to view and edit their
data. But this also means that the server administrator could
intercept your data.

With that in mind it would be nice to get some clarification as to
what threat the encryption solution is designed to mitigate.

Jack.


[security bulletin] HPSBMU03085 rev.1 - HP Application Lifecycle Management / Quality Center, Elevation of Privilege

2014-08-06 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04394553

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04394553
Version: 1

HPSBMU03085 rev.1 - HP Application Lifecycle Management / Quality Center,
Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-05
Last Updated: 2014-08-05

Potential Security Impact: Elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Application
Lifecycle Management, which is also known as HP Quality Center. The
vulnerability could be exploited to allow elevation of privilege.

References: CVE-2014-2631 (ZDI-CAN-2138, SSRT101442)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Application Lifecycle Management v.11.5x, v.12.0x
HP Quality Center v.11.5x, v.12.0x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference        Base Vector                     Base Score
  CVE-2014-2631    (AV:L/AC:L/Au:S/C:C/I:C/A:C)    6.8
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Dave Weinstein of HP Zero Day Initiative
for reporting CVE-2014-2631 to security-al...@hp.com.

RESOLUTION

HP has provided the following guidelines for HP Application Lifecycle
Management / Quality Center to resolve the vulnerability.

The guideline can be viewed from HP Software Support Online here:

HP Application Lifecycle Management / Quality Center Platform
 Configuration Guideline

Linux
 http://support.openview.hp.com/selfsolve/document/KM01061318

Windows
 http://support.openview.hp.com/selfsolve/document/KM01008170

HISTORY
Version:1 (rev.1) - 5 August 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



PhotoSync Wifi Bluetooth v1.0 - File Include Vulnerability

2014-08-06 Thread Vulnerability Lab
Document Title:
===
PhotoSync Wifi & Bluetooth v1.0 - File Include Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1289


Release Date:
=
2014-08-04


Vulnerability Laboratory ID (VL-ID):

1289


Common Vulnerability Scoring System:

6.8


Product & Service Introduction:
===============================
PhotosSync - Wifi Bluetooth lets you transfer photos from one iPhone, iPod 
Touch or iPad to another iPhone, iPod Touch, iPad, Mac or PC.

- Wifi transfer, supported by PhotosSync or most web browsers (Safari, Firefox, 
Chrome, Opera, IE)
- Bluetooth transfer, very useful when no wifi or network is available
- Upload photos from Mac/PC to iPhone, iPad, iPod Touch (wifi needed)
- QRCode: scan a QRCode to download a photo, very convenient

( Copy of the Homepage: 
https://itunes.apple.com/ke/app/photossync-wifi-bluetooth/id570672848 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a local file include web 
vulnerability in the official PhotoSync Wifi & Bluetooth 1.0 iOS mobile 
application.


Vulnerability Disclosure Timeline:
==
2014-08-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Haixia Liu
Product: PhotoSync Wifi & Bluetooth - iOS Mobile Web Application 1.0


Exploitation Technique:
===
Local


Severity Level:
===
High


Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official 
PhotoSync Wifi & Bluetooth 1.0 iOS mobile application. It lets an attacker make 
the application include local files or paths, or system-specific path commands, 
that the attacker is not authorised to request, compromising the mobile web 
application.

The vulnerability is located in the `filename` value of the `upload` module. 
Attackers who can reach the application's wifi interface are able to upload 
files with malicious `filename` values in the `upload` POST request. The 
injected local file/path request is then executed in the index `file list` 
context, next to the vulnerable `filename` item value. The injection point is 
the upload form of the `wifi interface` (http://localhost:8000/).

The filename validation issue can also be combined with persistently injected 
script code to carry out further local attacks. The attack vector is on the 
application side of the wifi service and the request method used to inject is 
POST.

The security risk of the local file include web vulnerability is estimated as 
high, with a CVSS (common vulnerability scoring system) count of 6.8. 
Exploitation requires neither a privileged web-application user account nor 
user interaction. Successful exploitation results in compromise of the mobile 
application or of connected device components.


Request Method(s):
[+] [POST]

Vulnerable Service(s):
[+] PhotoSync Wifi & Bluetooth 1.0

Vulnerable Module(s):
[+] upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] PhotoSync Images Dir Listing 
(http://localhost:8000/)


Proof of Concept (PoC):
===
The local file include web vulnerability can be exploited by local attackers 
without a privileged application user account and without user interaction. 
For a security demonstration, or to reproduce the issue, follow the 
information and steps provided below.

PoC:
http://localhost:8000/images/./[LOCAL FILE INCLUDE VULNERABILITY!]
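
The containment check whose absence the PoC above exercises, as an added example that is not PhotoSync code: safe_join() resolves a client-supplied name (an upload `filename` or the path component after /images/) under a base directory and refuses anything that would end up outside it after percent-decoding, `.`/`..` normalisation and symlink resolution, which is the case a plain string comparison on the raw request misses. The directory tree, the requests and the placeholder image bytes are constructed for the demo.

```python
"""Path containment for client-supplied file names.

Added example, not PhotoSync code. The directory tree built by
build_sample_tree() and the REQUESTS list are constructed for the demo.
"""
import os
import tempfile
import urllib.parse


class UnsafePath(ValueError):
    """Raised for any request that would leave the base directory."""


def safe_join(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or raise UnsafePath."""
    raw = urllib.parse.unquote(requested)  # %2e%2e -> .. before any check
    if "\x00" in raw:                      # NUL would truncate the name in C APIs
        raise UnsafePath(requested)
    raw = raw.replace("\\", "/")           # treat backslashes as separators too
    base = os.path.realpath(base_dir)
    # os.path.join discards base when raw is absolute; realpath then follows
    # every '..' and symlink, so the containment test sees the true target.
    candidate = os.path.realpath(os.path.join(base, raw))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(requested)
    return candidate


def upload_name(filename):
    """Sanitise an uploaded file's name: keep only the final path component
    and refuse empty, dot or NUL-bearing names."""
    name = os.path.basename(urllib.parse.unquote(filename).replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafePath(filename)
    return name


def build_sample_tree():
    """images/photo.jpg to serve, secret.txt one level up, and a symlink inside
    images/ pointing back out (the case a plain string check misses)."""
    root = tempfile.mkdtemp(prefix="photosync_")
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8constructed")  # placeholder bytes, not a real JPEG
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for the wifi interface\n")
    os.symlink(root, os.path.join(images, "outside"))
    return images


# Constructed requests: the first two are legitimate, the rest must be refused.
REQUESTS = ["photo.jpg", "./photo.jpg", "../secret.txt", "%2e%2e/secret.txt",
            "..%2fsecret.txt", "outside/secret.txt", "/etc/passwd",
            "photo.jpg%00.txt"]


def demo():
    """Map each constructed request to 'ok' or 'rejected'."""
    images = build_sample_tree()
    result = {}
    for req in REQUESTS:
        try:
            safe_join(images, req)
            result[req] = "ok"
        except UnsafePath:
            result[req] = "rejected"
    return result


if __name__ == "__main__":
    for req, verdict in demo().items():
        print("%-20s %s" % (req, verdict))
```

Decoding before checking matters: a filter that rejects `..` in the raw request but decodes later accepts `%2e%2e`, and the symlink case shows why the comparison has to be made on the resolved path rather than on the string.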


PoC: Index File Dir Listing (http://localhost:8000/)

<script type="text/javascript">
// Listing script served by the wifi interface's index page; the original
// capture is cut off in the middle of deselectImages().
function selectDivImage(div) {
  if (div.children[1].style.visibility == "hidden")
  {
    div.children[1].style.visibility = "visible";
  }
  else
  {
    div.children[1].style.visibility = "hidden";
  }
}
function saveImages() {
  var divs = document.getElementsByTagName('div');
  for (var i = 0; i < divs.length; i++)
  {
    var div = divs[i];
    if (div.children[1].style.visibility == "visible")
    {
      var str = div.children[0].src;
      if (str.indexOf("Video") != -1)
      {
        str = str.replace(".jpg", ".mov");
      }
      window.open(str.replace("_thumbnail", ""));
    }
  }
}
function selectImages() {
  var divs = document.getElementsByTagName('div');
  for (var i = 0; i < divs.length; i++)
  {
    divs[i].children[1].style.visibility = "visible";
  }
}
function deselectImages() {
  var divs = document.getElementsByTagName('div');
  for (var i = 0; i < 

[ MDVSA-2014:149 ] php

2014-08-06 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2014:149
 http://www.mandriva.com/en/support/security/
 ___

 Package : php
 Date: August 6, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in php:
 
 Use-after-free vulnerability in ext/spl/spl_array.c in the SPL
 component in PHP through 5.5.14 allows context-dependent attackers to
 cause a denial of service or possibly have unspecified other impact via
 crafted ArrayIterator usage within applications in certain web-hosting
 environments (CVE-2014-4698).
 
 Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
 component in PHP through 5.5.14 allows context-dependent attackers to
 cause a denial of service or possibly have unspecified other impact
 via crafted iterator usage within applications in certain web-hosting
 environments (CVE-2014-4670).
 
 file before 5.19 does not properly restrict the amount of data read
 during a regex search, which allows remote attackers to cause a
 denial of service (CPU consumption) via a crafted file that triggers
 backtracking during processing of an awk rule. NOTE: this vulnerability
 exists because of an incomplete fix for CVE-2013-7345 (CVE-2014-3538).
 
 The updated php packages have been upgraded to the 5.5.15 version
 and patched to resolve these security flaws.
 
 Additionally, the jsonc extension has been upgraded to the 1.3.6
 version and the PECL packages that depend on it have been rebuilt
 for php-5.5.15.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
 http://php.net/ChangeLog-5.php#5.5.15
 http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.6
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 a8f1a14a82942bc714d6a099be8e5185  mbs1/x86_64/apache-mod_php-5.5.15-1.2.mbs1.x86_64.rpm
 b985fbddf2bc3242ca7a2b9fa59d435a  mbs1/x86_64/lib64php5_common5-5.5.15-1.2.mbs1.x86_64.rpm
 4096874876026f741813d42aabc7fc77  mbs1/x86_64/php-apc-3.1.15-1.9.mbs1.x86_64.rpm
 8fa4bca573ff32baa586e21900c990bd  mbs1/x86_64/php-apc-admin-3.1.15-1.9.mbs1.x86_64.rpm
 1e1e9b04d4e864b89c6ee72401d19f07  mbs1/x86_64/php-bcmath-5.5.15-1.2.mbs1.x86_64.rpm
 33bf033aaa30e10913a577c7bf056edb  mbs1/x86_64/php-bz2-5.5.15-1.2.mbs1.x86_64.rpm
 30d344da1d8d979376b9ffed01ac756d  mbs1/x86_64/php-calendar-5.5.15-1.2.mbs1.x86_64.rpm
 119e13214a525f356965aab9a5e87819  mbs1/x86_64/php-cgi-5.5.15-1.2.mbs1.x86_64.rpm
 d77ce1bb2c2a73774c5ea8a8a94322bd  mbs1/x86_64/php-cli-5.5.15-1.2.mbs1.x86_64.rpm
 b6fa475c440644e4844644fd2d0f4bd4  mbs1/x86_64/php-ctype-5.5.15-1.2.mbs1.x86_64.rpm
 0941ee03a5e9a7378b4b01432ca99007  mbs1/x86_64/php-curl-5.5.15-1.2.mbs1.x86_64.rpm
 c0e67e0418764df9c0124aecc6d27c71  mbs1/x86_64/php-dba-5.5.15-1.2.mbs1.x86_64.rpm
 b4df22a9a0ec0e276e09dd30b63934ee  mbs1/x86_64/php-devel-5.5.15-1.2.mbs1.x86_64.rpm
 574920252543de382a55387b2446f9f4  mbs1/x86_64/php-doc-5.5.15-1.2.mbs1.noarch.rpm
 e6ea55d91a757b2a9bd7115ee3caafb0  mbs1/x86_64/php-dom-5.5.15-1.2.mbs1.x86_64.rpm
 7059a143838f8b38ec0847de3530cc7d  mbs1/x86_64/php-enchant-5.5.15-1.2.mbs1.x86_64.rpm
 1b83052b9a3360afe0ce7d9d8c0516d1  mbs1/x86_64/php-exif-5.5.15-1.2.mbs1.x86_64.rpm
 851123d71e3de3194ecc030f37fb31b7  mbs1/x86_64/php-fileinfo-5.5.15-1.2.mbs1.x86_64.rpm
 2ad566bd050fb268e9e0c13354b24b07  mbs1/x86_64/php-filter-5.5.15-1.2.mbs1.x86_64.rpm
 6607d2b46f3c32340fd6fa15471c75ee  mbs1/x86_64/php-fpm-5.5.15-1.2.mbs1.x86_64.rpm
 800d0e33e959b44e3705a081eac37707  mbs1/x86_64/php-ftp-5.5.15-1.2.mbs1.x86_64.rpm
 c5efe218dee0a5f8f685fe4887121df6  mbs1/x86_64/php-gd-5.5.15-1.2.mbs1.x86_64.rpm
 c0a2ff63842df51a013346920cd85633  mbs1/x86_64/php-gettext-5.5.15-1.2.mbs1.x86_64.rpm
 6a8a00249372f1822a1028ea003badda  mbs1/x86_64/php-gmp-5.5.15-1.2.mbs1.x86_64.rpm
 3d782e96ec768e2fbfdcb4966c17e4c5  mbs1/x86_64/php-hash-5.5.15-1.2.mbs1.x86_64.rpm
 03302374100cbef6b17b36040b97df46  mbs1/x86_64/php-iconv-5.5.15-1.2.mbs1.x86_64.rpm
 67ef91b4144597a8eee105d8d9e39785  mbs1/x86_64/php-imap-5.5.15-1.2.mbs1.x86_64.rpm
 9d79601ac46b53eb93848bbdb91ae588  mbs1/x86_64/php-ini-5.5.15-1.2.mbs1.x86_64.rpm
 9d36114cf05a452aa807a7e546e9f0d2  mbs1/x86_64/php-intl-5.5.15-1.2.mbs1.x86_64.rpm
 fe3164ded9c067c86da9abba22c179c7  mbs1/x86_64/php-json-5.5.15-1.2.mbs1.x86_64.rpm
 3514239c38af0dc7d9365e8b174903f4  mbs1/x86_64/php-ldap-5.5.15-1.2.mbs1.x86_64.rpm
 3a9080553c9d0389c4b209c7a66136d6  

PhotoSync v2.2 iOS - Command Inject Web Vulnerability

2014-08-06 Thread Vulnerability Lab
Document Title:
===
PhotoSync v2.2 iOS - Command Inject Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1290


Release Date:
=
2014-08-05


Vulnerability Laboratory ID (VL-ID):

1290


Common Vulnerability Scoring System:

6.5


Product & Service Introduction:
===
It's all about one thing – the best and easiest way to transfer, backup and 
share your photos & videos! PhotoSync allows you to transfer 
your photos & videos between your iPhone, iPad, Mac or PC over your local Wi-Fi 
network. It also supports sending and receiving photos & 
videos to/from popular cloud & photo services, mobile storage devices and NAS.

( Copy of the Homepage: 
https://itunes.apple.com/en/app/photosync-drahtlos-fotos-und/id415850124 & 
http://www.photosync-app.com/ )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a command inject web 
vulnerability in the official TouchByte PhotoSync v2.2 iOS (apple) mobile 
application.


Vulnerability Disclosure Timeline:
==
2014-08-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Touchbyte GmbH
Product: PhotoSync - iOS Mobile Web Application 2.2


Exploitation Technique:
===
Local


Severity Level:
===
High


Technical Details & Description:

A local command/path injection web vulnerability has been discovered in the 
official TouchByte PhotoSync v2.2 iOS (apple) mobile application.
The vulnerability allows local attackers to inject commands via stored 
system/device values to compromise the apple mobile iOS application.

The vulnerability is located in the vulnerable `albumname` value of the `index 
file dir` module. Local attackers are able to inject their own 
malicious system specific commands or path value requests in the vulnerable 
`albumname` value. The execution of the command occurs in the 
`File Dir Index Listing` module of the photosync mobile application. The 
attacker is able to manipulate the local device values with physical 
or restricted access to compromise the mobile application by preparing to 
change the albumname. The encoding of the vulnerable values in the 
`File Dir Index Listing` module is broken.

The attack vector is on the application-side and the injection requires 
physical device access or a local low privileged device user account. 
Local attackers are also able to exploit the albumname validation issue in 
combination with persistent injected script codes.

The security risk of the local command/path inject vulnerability is estimated 
as medium with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the command/path inject vulnerability requires a low privileged 
iOS device account with restricted access and no user interaction. 
Successful exploitation of the vulnerability results in unauthorized execution 
of system specific commands and unauthorized path value requests to 
compromise the mobile iOS application or the connected device components.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Dir Wifi

Vulnerable Parameter(s):
[+] albumname

Affected Module(s):
[+] File Dir Index Listing


Proof of Concept (PoC):
===
The command inject web vulnerability can be exploited by local attackers with 
physical or restricted device access without user interaction.
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Download and Install the PhotoSync mobile application to your iOS device 
(ipad or iphone)  
https://itunes.apple.com/en/app/photosync-drahtlos-fotos-und/id415850124
2. Open the default iOS Photo/Pictures App and change one of the album names 
to the local command inject string
3. Save the settings and close the default iOS photo/pictures app 
4. Now, we start the photosync app
Note: After start-up, the local wifi web-server IP (localhost:8080) is shown 
at the bottom of the app
5. Open the local IP
6. The execution directly occurs in the main directory of the file dir index 
listing service
7. Successful reproduction of the local command inject vulnerability!


PoC: File Dir Index Listing (albumname)

<div class=albumentries><div class=albumentry><div class=imagepreview><a 
href=/listAlbum/0>
<img src=/posterImage/0 alt=thumbnail></a></div><div class=description><a 
href=/listAlbum/0>
Aufnahmen <span class=count>(24)</span></a></div><div 
class=disclosure></div></div><div class=section>
<div class=sectiontitle>Alben</div></div><div class=albumentry><div