[FD] Multiple vulnerabilities in InfiniteWP Admin Panel

2014-12-09 Thread Walter Hop
Multiple vulnerabilities in InfiniteWP Admin Panel
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/

-

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage 
multiple Wordpress sites from one control panel. According to the InfiniteWP 
homepage, it is used on over 317,000 Wordpress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be 
exploited by an unauthenticated remote attacker.

These vulnerabilities allow taking over managed Wordpress sites by leaking 
secret InfiniteWP client keys, allow SQL injection, allow cracking of 
InfiniteWP admin passwords, and in some cases allow PHP code injection.

It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin 
Panel 2.4.4, and apply the recommendations at the end of this post.

-

Issue 1: login.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.2

User-controlled parameter email appears in a SQL query modified by function 
filterParameters() which ostensibly "filters" its arguments, but escaping is 
not being performed, because the parameter $DBEscapeString is set to false by 
default. This allows for SQL injection.

-

Issue 2: execute.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

User-controlled parameter historyID appears without quotes in a SQL query. 
Additionally, user-controlled parameters historyID and actionID should be 
escaped by function filterParameters(), but escaping is not being performed, 
because $DBEscapeString is set to false by default. This allows for SQL 
injection.

-

Issue 3: uploadScript.php unrestricted file upload vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Unauthenticated users can upload various file types to the uploads directory, 
including .php files, if query parameter allWPFiles is set. File names however 
are suffixed with the .swp extension when written to the file system.

If the following two conditions hold, this leads to PHP injection:

1. The uploads directory must be writable by the webserver.
2. The webserver must interpret *.php.swp files as PHP code, which happens when 
Apache is used with configuration 'AddHandler application/x-httpd-php .php' or 
'AddType application/x-httpd-php .php' (This is discouraged by PHP, but older 
distributions and some shared hosts use it)

-

Issue 4: Insecure password storage
Vulnerable: All versions including current (2.4.4)

Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These 
passwords can easily be cracked.

Cracking a password allows a successful attacker to keep their access to the 
admin panel even after security updates are applied.

-

Recommendations

We recommend that users of InfiniteWP take the following actions:

1. Upgrade InfiniteWP Admin Panel to version 2.4.4.
2. Check the uploads directory for the presence of any unauthorized file 
uploads.
3. Change admin passwords for the InfiniteWP Admin Panel and any Wordpress 
sites in the panel. Use long and unique passwords.
4. Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to 
generate new secret keys.
5. Strongly consider limiting access to the InfiniteWP Admin Panel, especially 
if you do not require customer access to the panel. For instance, use a 
.htaccess file to add authentication and limit IP addresses. If possible, 
protect the panel with a web application firewall (WAF) such as ModSecurity.

-

Timeline

- 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
- 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
- 4 Dec: Incomplete fix reported to InfiniteWP
- 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
- 10 Dec: Vulnerabilities published

-

Credits

The vulnerabilities were found by Walter Hop, Slik BV (http://www.slik.eu/), 
The Netherlands.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp


___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
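
The two SQL injection issues above share one root cause, the escape flag that filterParameters() never turns on, and issue 2 adds a second one: a numeric parameter interpolated without quotes, which no amount of string escaping protects. The Python script below is an added illustration of both patterns against an in-memory SQLite database; it is not InfiniteWP's code. filter_parameters() stands in for the panel's filterParameters(), the iwp_history table and every column name are assumptions for the demo (only iwp_users is named in the advisory), and the hardened variants use bound parameters plus an integer check.

```python
import sqlite3

# Stand-in for InfiniteWP's filterParameters(): trims the value, but only
# escapes quotes when the escape flag is set, and the flag defaults to
# False, so callers that rely on the default get no escaping at all.
# (Assumption: what else the real function filters is not on the page.)
def filter_parameters(value, db_escape_string=False):
    value = value.strip()
    if db_escape_string:
        value = value.replace("'", "''")   # quote doubling, enough for this demo
    return value

# Issue 1 pattern: quoted string parameter, escaping never applied.
def login_query_vulnerable(email, db_escape_string=False):
    e = filter_parameters(email, db_escape_string)
    return f"SELECT userID, email FROM iwp_users WHERE email = '{e}'"

# Issue 2 pattern: historyID is interpolated *unquoted*, so even correct
# string escaping would not help; actionID is quoted but unescaped.
def history_query_vulnerable(history_id, action_id, db_escape_string=False):
    h = filter_parameters(history_id, db_escape_string)
    a = filter_parameters(action_id, db_escape_string)
    return ("SELECT historyID, status FROM iwp_history "
            f"WHERE historyID = {h} AND actionID = '{a}'")

# Hardened forms: bound parameters, plus a type check for the numeric id.
def login_query_fixed(conn, email):
    return conn.execute(
        "SELECT userID, email FROM iwp_users WHERE email = ?", (email,)).fetchall()

def history_query_fixed(conn, history_id, action_id):
    try:
        hid = int(history_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT historyID, status FROM iwp_history WHERE historyID = ? AND actionID = ?",
        (hid, action_id)).fetchall()

def make_db():
    """Constructed sample data for the demo (not real panel contents)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE iwp_users(userID INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO iwp_users(email, password) VALUES
            ('admin@example.com', 'x'), ('ops@example.com', 'y');
        CREATE TABLE iwp_history(historyID INTEGER PRIMARY KEY, actionID TEXT, status TEXT);
        INSERT INTO iwp_history(actionID, status) VALUES
            ('backup', 'done'), ('update', 'pending');
    """)
    return conn

def run(conn, sql):
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    conn = make_db()
    bypass = "nobody@example.com' OR '1'='1"
    print(run(conn, login_query_vulnerable(bypass)))                      # every user
    print(run(conn, login_query_vulnerable(bypass, True)))                # escaping stops issue 1
    print(run(conn, history_query_vulnerable("0 OR 1=1 --", "x")))        # every row
    print(run(conn, history_query_vulnerable("0 OR 1=1 --", "x", True)))  # escaping does NOT stop issue 2
    print(login_query_fixed(conn, bypass))                                # []
    print(history_query_fixed(conn, "0 OR 1=1 --", "backup"))             # []
```

The third and fourth queries are the point of issue 2: turning $DBEscapeString on would have closed the login.php hole but not the execute.php one, because a bare number in the query needs a type check or a bound parameter, not quote escaping.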

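
Whether the .php.swp file from issue 3 executes depends on how the web server maps extensions. Apache's mod_mime treats every dot-separated component of a name as an extension, so with AddHandler or AddType on .php the "php" component of shell.php.swp still selects the PHP handler, whereas a FilesMatch rule anchored on a final .php does not. The Python below is an added model of that documented behaviour together with an upload-side check; it is neither Apache's nor InfiniteWP's code, and the accepted extension list is an assumption.

```python
import re

# Model of Apache mod_mime under 'AddHandler application/x-httpd-php .php'
# (AddType behaves the same way): every dot-separated component after the
# base name is an extension, and for each kind of metadata the rightmost
# component that has a mapping wins.  'shell.php.swp' keeps the PHP handler
# because '.swp' maps to nothing.  (Assumption: this follows Apache's
# documented multiple-extension rules; it is not Apache's own code.)
HANDLERS = {"php": "application/x-httpd-php"}

def addhandler_handler(filename, handlers=HANDLERS):
    handler = None
    base = filename.rsplit("/", 1)[-1]
    for component in base.split(".")[1:]:
        handler = handlers.get(component.lower(), handler)
    return handler

# The configuration PHP recommends instead matches only a *final* .php:
#   <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>
FILESMATCH_PHP = re.compile(r"\.php$", re.IGNORECASE)

def filesmatch_handler(filename):
    return "application/x-httpd-php" if FILESMATCH_PHP.search(filename) else None

# What the panel writes to disk, per the advisory: the name plus ".swp".
def stored_name(uploaded_name):
    return uploaded_name + ".swp"

# Upload-side check: refuse a script extension *anywhere* in the name, not
# just at the end, then require a final extension from an allow-list.
SCRIPT_EXTENSIONS = frozenset({"php", "phtml", "php3", "php4", "php5", "phar"})
ALLOWED_UPLOAD_EXT = frozenset({"zip", "gz", "tar"})   # assumption for the demo

def upload_allowed(uploaded_name, allowed=ALLOWED_UPLOAD_EXT):
    components = uploaded_name.split(".")
    if len(components) < 2 or not components[0]:      # no extension, or dotfile
        return False
    if {c.lower() for c in components[1:]} & SCRIPT_EXTENSIONS:
        return False
    return components[-1].lower() in allowed

if __name__ == "__main__":
    for name in ("shell.php", "site.php.zip", "site-backup.zip"):
        on_disk = stored_name(name)
        print(on_disk, "AddHandler:", addhandler_handler(on_disk),
              "FilesMatch:", filesmatch_handler(on_disk),
              "upload allowed:", upload_allowed(name))
```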

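
Issue 4 matters beyond the panel's own login: an unsalted fast hash lets a single precomputed table crack every row of iwp_users at once, and two users who chose the same password show up as two identical hashes. The added Python below demonstrates both effects and a salted, deliberately slow alternative; the sample users, the word list and the PBKDF2 record format are constructed for the example and are not InfiniteWP's.

```python
import hashlib
import hmac
import os

# How the panel stores passwords according to the advisory: unsalted SHA-1.
def sha1_unsalted(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Why that is cheap to crack: one lookup table, built once, is checked
# against every stored hash in a single pass.
def crack_unsalted(stored_hashes, candidates):
    table = {sha1_unsalted(c): c for c in candidates}
    return {h: table[h] for h in stored_hashes if h in table}

# Without a salt, users sharing a hash share a password.
def duplicate_hashes(users):
    seen = {}
    for user, h in users.items():
        seen.setdefault(h, []).append(user)
    return [sorted(group) for group in seen.values() if len(group) > 1]

# Hardened storage: random per-user salt plus a slow KDF.  (Assumption:
# PBKDF2-HMAC-SHA256 and this "$"-separated format are choices for the
# demo, not what the vendor adopted; tune the iteration count to your CPU.)
def pbkdf2_store(password, iterations=200_000, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(stored, password):
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

# Constructed sample rows (not real data): two users picked the same password.
SAMPLE_USERS = {
    "admin": sha1_unsalted("Summer2014"),
    "ops":   sha1_unsalted("Summer2014"),
    "dev":   sha1_unsalted("correct horse battery staple"),
}
WORDLIST = ["password", "Summer2014", "letmein", "admin123"]   # constructed

if __name__ == "__main__":
    print(crack_unsalted(SAMPLE_USERS.values(), WORDLIST))
    print(duplicate_hashes(SAMPLE_USERS))
    record = pbkdf2_store("Summer2014")
    print(record)
    print(pbkdf2_verify(record, "Summer2014"), pbkdf2_verify(record, "summer2014"))
```

This is also why recommendation 3 is not optional after upgrading: any hash an attacker copied from iwp_users before the patch is still crackable offline, and the resulting password still works until it is changed.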
[FD] Releasing PuttyRider - for penetration testers

2014-12-09 Thread Adrian Furtuna
Dear List,

I am pleased to announce the release of a new tool that I have recently
developed - called PuttyRider.

In a few words, PuttyRider injects a DLL into a running putty.exe process
in order to sniff all communication and inject Linux commands on the remote
server.
This can be useful in an internal penetration test when you already have
access to a sysadmin’s machine who has a Putty session open to a Linux
server. You can use PuttyRider to take control of the remote server using
the existing SSH session.

The tool has been recently presented at Defcamp 2014 – a security
conference in Romania.

Presentation slides: http://defcamp.ro/dc14/AdrianFurtuna.pdf

Presentation video:
https://www.youtube.com/watch?v=nfhzoFPGUhg&list=UUc05xgnkf4YZEdn3zBJRFkA

Source code & binary: https://github.com/seastorm/PuttyRider


Enjoy and let me know if you have any feedback or suggestion for
improvement.


Cheers,
Adrian


Re: [FD] Interesting Backdoor

2014-12-09 Thread Ed Tredgett
Check the following link out; it may provide you with greater insight, as it 
looks like that rootkit from the information you've provided, which I've found 
floating around recently:

https://gitorious.org/dongforce/main/source/e08f161206e31cc12f1a874d8add153764564065:__UMBREON__

Ed 

> On 9 Dec 2014, at 01:43, Alfred Baroti  wrote:
> 
> Hi,
> I was wondering if someone found something similar with this. I didn't find 
> anything similar with this before.
> 
> 
> Here is:
> 
> root@pay1-test:~# ssh zimadmin@0
> zimadmin@0's password:
> ---;i--
> -.,if--
> -,tLE,--..:;ji-
> ;ittL;--.;;;tjfGj.-
> ---;tfGDK;,;;,tLEKKt-:;,---
> ---ijLDKD.--:;,iLfiiGD;---.,ifj.---
> --.;tGKKi--:tjLKWWEj;.--:;jLEE;
> ---;iLEL::..:,;tjEW##Wf,--.,;tGKWf-
> ---,,;t;,:,,ifi;LKELt:--.;;itiiLD:-
> ---:iiLjGLfLGGDEE;-.i:,LKEfji--
> --:;;jGfDGKWKL.i,,jDKWEt---
> --,.ifGGGLEEE###WEt---:tifDEKD;
> --:,;LDGELKKKKEj.-iLGKELi--
> ---ijGDEWKW###WDfi;;,,;ii,,,::DELt:
> ---,fDKKKW###WK#EGLLLfft,:ii.--
> -:,,,:;fji;LW#WKEEDLji::i;-
> ---,;GLjjDKKWWWEEEKEEDfjLLLGGDL:---
> ---,;fGL;;tfLfjjfGDDGftLEKKEDEEf---
> ---,;;GEt-:tftifGEEEDftLEKKjjLLL---
> ;iGKt-iGLGLttKEGDEEjiEGG;--
> .LEEi;ftff;--,ELjDEEGGDDD;-
> -;EL:jjGLi,K###t--,ijDKEDDL:---
> --jt;DGt:-.LKKKi--tDEDEt---
> -.tjDKf-.,ifff;tEDEj---
> :fDEWKi;;,,ii.,iLLDt---
> --:;ifEKG,---..---,jjj;
> ---fttGED--
> .--
> root@pay1-test:~# w
>  23:28:03 up 234 days, 14:54,  0 users,  load average: 0.00, 0.00, 0.00
> USER TTY  FROM  LOGIN@   IDLE   JCPU   PCPU WHAT
> root@pay1-test:~# id zimadmin
> uid=0(root) gid=197 groups=0(root)
> root@pay1-test:~# cat /etc/passwd |grep zimadmin
> root@pay1-test:~# cat /etc/shadow |grep zimadmin
> 
> And in a normal login it makes no sense:
> 
> root@pay1-test:~# ls -la /usr/lib/libc.so.0
> ls: cannot access /usr/lib/libc.so.0: No such file or directory
> root@pay1-test:~# cd /usr/lib/libc.so.0
> root@pay1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@pay1-test:/usr/lib/libc.so.0# pwd
> /usr/lib/libc.so.0
> root@pay1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@pay1-test:/usr/lib/libc.so.0# strace ls
> -bash: /usr/bin/strace: Input/output error
> root@pay1-test:/usr/lib/libc.so.0#
> 
> 
> Anyone have any idea what I am dealing with?
> 
> Thanks
> 



Re: [FD] Interesting Backdoor

2014-12-09 Thread Brandon Vincent
On Mon, Dec 8, 2014 at 4:52 PM, Alfred Baroti  wrote:
> Anyone have any idea what I am dealing with?

This looks like a Jynx derived rootkit which relies on LD_PRELOAD [1].

[1] 
http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html

Brandon Vincent


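
The symptoms in the thread (an account that id resolves to uid 0 but that is absent from /etc/passwd, a path that ls cannot see but cd can enter, strace refusing to run) are what a library that wraps libc's readdir, stat and getpw* calls via LD_PRELOAD produces. One way to check is to list a directory with the getdents64 system call directly and diff the result against what libc reports. The Python script below is an added example, not part of the thread or of the analyses it links: syscall numbers are given only for x86_64 and aarch64, and a preload that also wraps syscall() itself would defeat it, so treat a clean result as one data point rather than proof. The build_dirent_buffer() helper exists only so the parser can be checked offline.

```python
import ctypes
import os
import platform
import struct

# Linux getdents64 syscall numbers (assumption: only these two architectures).
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}
_DIRENT64_HEADER = "<QqHB"                                 # d_ino, d_off, d_reclen, d_type
_DIRENT64_HEADER_LEN = struct.calcsize(_DIRENT64_HEADER)   # 19 bytes, d_name follows

def parse_dirents(buf):
    """Names from a buffer of struct linux_dirent64 records."""
    names, off = [], 0
    while off < len(buf):
        _ino, _off, reclen, _type = struct.unpack_from(_DIRENT64_HEADER, buf, off)
        start = off + _DIRENT64_HEADER_LEN
        end = buf.index(b"\0", start)
        names.append(buf[start:end].decode("utf-8", "surrogateescape"))
        off += reclen
    return names

def build_dirent_buffer(entries):
    """Encode (inode, name) pairs as linux_dirent64 records (8-byte aligned),
    so parse_dirents() can be tested without a live syscall."""
    out = bytearray()
    for i, (ino, name) in enumerate(entries, 1):
        raw = name.encode("utf-8") + b"\0"
        reclen = (_DIRENT64_HEADER_LEN + len(raw) + 7) // 8 * 8
        rec = struct.pack(_DIRENT64_HEADER, ino, i, reclen, 4) + raw   # 4 = DT_DIR
        out += rec.ljust(reclen, b"\0")
    return bytes(out)

def raw_listdir(path):
    """Directory listing via getdents64, bypassing libc's readdir(), which a
    preloaded library can wrap to filter out names."""
    nr = SYS_GETDENTS64.get(platform.machine())
    if nr is None or platform.system() != "Linux":
        raise NotImplementedError("no getdents64 number for this platform")
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(64 * 1024)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names = []
    try:
        while True:
            n = libc.syscall(nr, fd, buf, len(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            names.extend(parse_dirents(buf.raw[:n]))
    finally:
        os.close(fd)
    return [name for name in names if name not in (".", "..")]

def hidden_entries(libc_view, kernel_view):
    """Names the kernel returns that the libc-based listing omits."""
    return sorted(set(kernel_view) - set(libc_view))

def check_directory(path):
    return hidden_entries(os.listdir(path), raw_listdir(path))

def preload_entries(text):
    """Parse /etc/ld.so.preload: whitespace-separated paths, '#' comments."""
    paths = []
    for line in text.splitlines():
        paths.extend(line.split("#", 1)[0].split())
    return paths

def preload_file_status():
    """(kernel sees it, libc sees it) for /etc/ld.so.preload.  A preload that
    hides its own config file, as in the thread, shows up as (True, False)."""
    return ("ld.so.preload" in raw_listdir("/etc"), os.path.exists("/etc/ld.so.preload"))

if __name__ == "__main__":
    print("ld.so.preload (kernel, libc):", preload_file_status())
    try:
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", preload_entries(f.read()))
    except FileNotFoundError:
        print("ld.so.preload: not visible through libc")
    for d in ("/usr/lib", "/lib", "/etc", "/tmp"):
        if os.path.isdir(d):
            print(d, "hidden:", check_directory(d))
```

Run it as root from a shell you trust as little as possible (a statically linked busybox, or a rescue medium) and compare; the original poster's `ls` versus `cd` discrepancy on /usr/lib/libc.so.0 is exactly the kind of name that should appear in the "hidden" list.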

[FD] Call for Presenters - B-Sides Vancouver 2015 - March 16-17, 2015 in Vancouver, Canada

2014-12-09 Thread Colin Keigher
The third annual Security B-Sides Vancouver is an information security
conference that will be held March 16th and 17th in Vancouver, British
Columbia, Canada.

We love to see brand new speakers, seasoned speakers, and everyone in
between!

Topics of interest include (but are in no way limited to) the following,
with preference given to talks that actually provide solutions as well as
insight into problems:

- Information technology
- Network security
- Web Application security
- Mobile security
- Virtualization and cloud computing
- Innovative attack / defense strategies
- Forensics / Malware
- Embedded device security / Internet of things
- Biometrics
- Hardware hacking
- Phone phreaking
- Biohacking
- Open source software
- Evolutionary computing
- Robotics (bonus points for bringing an actual robot)
- Massive abuse of technology

(If it is not on the list but you want to submit anyway, please do so and
we'll be glad to consider it!)

Please submit entries via our website:
http://bsidesvancouver.com/forms/bsides-2014-cfp/

We can't wait to see your ideas!

2014 December 2nd: CFP Open
2015 February 13th: CFP Deadline
2015 February 16th: Acceptance Notification

Are you interested in sponsoring us?

BSides Vancouver is a non-profit community driven event, and relies on
the kind sponsorship of people and companies like you to succeed.
If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to

BSides Vancouver is organized by the Mainland Advanced Research Society
(MARS)

If you have any questions, please certainly feel free to contact me
(Colin) directly.

Thanks!

Colin Keigher
Vice President
Mainland Advanced Research Society (MARS)
fourthplanet.ca



[FD] Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities

2014-12-09 Thread Simo Ben youssef
Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 02 November 2014
Updated: 9 December 2014
Published: 9 December 2014
MorXploit Research
http://www.MorXploit.com
Vendor: Concrete5
Vendor url: www.concrete5.org
Software: Concrete5 CMS
Versions: 5.7.2 and 5.7.2.1 (probably older)
Status: Unpatched
Vulnerable scripts:
single_pages/dashboard/users/groups/bulkupdate.php
tools/dashboard/sitemap_drag_request.php
Original document: http://morxploit.com/morxploits/morxconxss.txt

About Concrete5 (from Wikipedia):
Concrete5 is an open source content management system (CMS) for publishing 
content on the World Wide Web and intranets.
Concrete5 was designed for ease of use, for users with a minimum of technical 
skills. It enables users to edit site content directly from the page. It 
provides version management for every page, similar to wiki software, another 
type of web site development software. concrete5 allows users to edit images 
through an embedded editor on the page.

To learn more please visit:
http://en.wikipedia.org/wiki/Concrete5
http://www.concrete5.org/

Description:
Concrete5 is vulnerable to Cross-Site Scripting: both the bulkupdate.php and 
sitemap_drag_request.php scripts fail to properly sanitize user-supplied input.

PoC Exploit:
bulkupdate.php XSS is exploitable through $_REQUEST['gName']

Using HTTP GET Method:
http://target/index.php/dashboard/users/groups/bulkupdate/search?gName=";>alert(document.cookie)&ccm-submit-button=Search

Using HTTP POST Method:
POST http://target/index.php/dashboard/users/groups/bulkupdate/search

POST DATA:
gName=">alert(document.cookie)&ccm-submit-button=Search


sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'] but 
requires a valid ccm_token value which makes it unexploitable (unless the 
attacker somehow obtains a valid token)

Using HTTP GET Method:
http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147&destCID=148&instance_id=";>&ctask=MOVE&ccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9ea&dragMode=over

Mitigation:
Validate/sanitize user-supplied input arriving through $_REQUEST['gName'] and 
$_REQUEST['instance_id'].

Disclosure time-line
02 November 2014: Discovery.
03 November 2014: Initial report sent.
11 November 2014: Second contact.
No response.
09 December 2014: Public disclosure.

Author disclaimer:
The information contained in this entire document is for educational, 
demonstration and testing purposes only.
Author cannot be held responsible for any malicious use or damage. Use at your 
own risk.  



[FD] Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

2014-12-09 Thread Kenneth Buckler
*Overview*


The Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity
check for coffee pods, known as K-Cups, uses weak verification methods, which
are subject to a spoofing attack through re-use of a previously verified K-Cup.


*Impact*


CVSS Base Score: 4.9

Impact Subscore: 6.9

Exploitability Subscore: 3.9


Access Vector: Local

Access Complexity: Low

Authentication: None


Confidentiality Impact: None

Integrity Impact: Complete

Availability Impact: None


*Vulnerable Versions*

Keurig 2.0 Coffee Maker


*Technical Details*


Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups.
However, a flaw in the verification method allows an attacker to use
unauthorized K-Cups. The Keurig 2.0 does verify that the K-Cup foil lid
used for verification is not re-used.


Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee
or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from
the Keurig and uses a knife or scissors to carefully remove the full foil
lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps
this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the
lid. Attacker should receive an "oops" error message stating that the K-Cup
is not genuine.

Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the
Keurig, and carefully places the previously saved genuine K-Cup lid on top
of the non-genuine K-Cup, lining up the puncture hole to keep the lid in
place.

Step 5: Attacker closes the Keurig, and is able to brew coffee using the
non-genuine K-Cup.


Since no fix is currently available, owners of Keurig 2.0 systems may wish
to take additional steps to secure the device, such as keeping the device
in a locked cabinet, or using a cable lock to prevent the device from being
plugged in when not being used by an authorized user.


Please note that a proof of concept is already available online.


*Credit: *

Proof of concept at http://www.keurighack.com/

Vulnerability Writeup by Ken Buckler, Caffeine Security
http://caffeinesecurity.blogspot.com



[FD] ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities

2014-12-09 Thread Jing Wang
*ESPN espn.go.com Login & Register Page XSS and Dest
Redirect Privilege Escalation Security Vulnerabilities*





*Domain:*
http://espn.go.com/


"As of August 2013, ESPN is available to approximately 97,736,000 pay
television households (85.58% of households with at least one television
set) in the United States. In addition to the flagship channel and its seven
related channels in the United States, ESPN broadcasts in more than 200
countries, operating regional channels in Australia, Brasil, Latin America
and the United Kingdom, and owning a 20% interest in The Sports Network
(TSN) as well as its five sister networks and NHL Network in Canada."
(Wikipedia)






*Vulnerability description:*

Espn.go.com has a security problem. It is vulnerable to XSS (Cross Site
Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.


Those vulnerabilities are very dangerous, since they happen at ESPN's
"login" & "register" pages, which are credible. Attackers can abuse those
links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given above, a large number of ESPN's
links are vulnerable to those attacks.


The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages
with "redirect" parameter, i.e.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/


Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601)
in Windows 8.






*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459";>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn";>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate";>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login";>




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html





*(2) Dest Redirect Privilege Escalation Vulnerability*

Use one of webpages for the following tests. The webpage address is
"http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112


[FD] CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints" Dest Redirect Privilege Escalation Security Vulnerability

2014-12-09 Thread Jing Wang
*CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints"
Dest Redirect Privilege Escalation Security Vulnerability*





Exploit Title: "Ping Identity Corporation" "PingFederate 6.10.1 SP
Endpoints" Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]








*Advisory Details*



*(1) Product:*
"PingFederate is a best-of-breed Internet-identity security platform that
implements multiple standards-based protocols to provide cross-domain
single sign-on (SSO) and user-attribute exchange, as well as support for
identity-enabled Web Services and cross-domain user provisioning."




*(2) Vulnerability Details:*
PingFederate 6.10.1 SP Endpoints is vulnerable to Dest Redirect Privilege
Escalation attacks.

The security vulnerability occurs at "/startSSO.ping?" page with
"&TargetResource" parameter.







*References:*
http://tetraph.com/security/cves/cve-2014-8489-ping-identity-corporation-pingfederate-6-10-1-sp-endpoints-dest-redirect-privilege-escalation-security-vulnerability/
http://documentation.pingidentity.com/display/PF610/PingFederate+6.10
http://cwe.mitre.org
http://cve.mitre.org/


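
Both the ESPN redirect/appRedirect parameters and PingFederate's TargetResource are the same defect class, CWE-601: a post-login destination taken from the request and never checked against the hosts the application is willing to send users to. The Python function below is an added example of such a check, not code from either vendor; the allowed host set is an assumption drawn from host names in the advisories, and diebiyi.com is the test domain named in the ESPN post. It covers the bypasses that defeat a naive "starts with https://ourhost" comparison.

```python
from urllib.parse import urlsplit

# Hosts a login endpoint may send the browser to after authentication.
# (Assumption: taken from host names in the advisories; the real sites'
# allow-lists are not on the page.)
ALLOWED_HOSTS = frozenset({"r.espn.go.com", "streak.espn.go.com", "register.go.com"})
DEFAULT_TARGET = "/"

def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `target` if it stays on an allowed host (or on this site), else `default`.

    Bypasses handled: scheme-relative '//evil', backslashes ('/\\evil', which
    browsers read as '//evil'), userinfo ('https://good@evil'), fragment tricks
    ('https://evil#@good'), non-http schemes ('javascript:'), 'http:evil'
    without slashes, and control characters that browsers strip before parsing.
    """
    if not target:
        return default
    if "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:            # malformed IPv6 literal and similar
        return default
    if not parts.scheme and not parts.netloc:
        # Site-relative path: rebuild it from the parsed parts so that a
        # leading '//' or '///' (an authority to a browser) cannot survive.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            rebuilt = parts.path
            if parts.query:
                rebuilt += "?" + parts.query
            if parts.fragment:
                rebuilt += "#" + parts.fragment
            return rebuilt
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = parts.hostname         # lower-cased, port and userinfo stripped
    if host is None or host not in allowed_hosts:
        return default
    return target

if __name__ == "__main__":
    for t in ("/members/profile?x=1#top",
              "https://r.espn.go.com/members/login",
              "http://diebiyi.com", "//diebiyi.com", "/\\diebiyi.com",
              "https://r.espn.go.com@diebiyi.com/", "https://diebiyi.com#@r.espn.go.com",
              "javascript:alert(1)", "http:diebiyi.com", "///diebiyi.com"):
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
```

For a SAML service provider endpoint such as startSSO.ping the same check applies to TargetResource, with the SP's own application hosts as the allow-list; returning a fixed landing page when the value fails is safer than echoing an error that contains it.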

[FD] CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2014-12-09 Thread Jing Wang
*CVE-2014-8751  goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*







Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details:*

*(1) Product*
"WebPress is the foundation on which we build web sites. It’s our unique
Content Management System (CMS), flexible enough for us to build your dream
site, and easy enough for you to maintain it yourself."



*(2) Vulnerability Details:*
goYWP WebPress is vulnerable to XSS attacks.

*(2.1)* The first security vulnerability occurs at "/search.php" page with
"&search_param" parameter in HTTP GET.

*(2.2)* The second security vulnerability occurs at "/forms.php" (form
submission) page with "&name", "&address" and "&comment" parameters in HTTP
POST.










*References:*
http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php
http://cwe.mitre.org
http://cve.mitre.org/


[FD] NEW VMSA-2014-0013 - VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability

2014-12-09 Thread VMware Security Response Center
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
VMware Security Advisory

Advisory ID: VMSA-2014-0013
Synopsis:VMware vCloud Automation Center product updates address a 
 critical remote privilege escalation vulnerability 
Issue date:  2014-12-09
Updated on:  2014-12-09 (Initial Advisory)
CVE number:  CVE-2014-8373

- 

1. Summary

VMware vCloud Automation Center (vCAC) product updates address a 
critical vulnerability in the vCAC VMware Remote Console (VMRC) 
function which could lead to a remote privilege escalation.

2. Relevant releases

vCloud Automation Center 6.x without patch

3. Problem Description 

   a. VMware vCloud Automation Center remote privilege escalation

  VMware vCloud Automation Center has a remote privilege escalation 
  vulnerability. This issue may allow an authenticated vCAC user to
  obtain administrative access to vCenter Server.

  This issue is present in environments that use the "Connect (by) 
  Using VMRC" function in vCAC to connect directly to vCenter Server.
  Environments that exclusively use vCloud Director (vCD) as a 
  proxy to connect to vCenter Server are not affected.

  At this time the issue is remediated by removing the "Connect (by)
  Using VMRC" functionality for directly connecting to vCenter 
  Server. Deploying the provided patch will remove this 
  functionality. 

  VMware is working on a secure solution that will restore this 
  functionality. Customers may continue to use the "Connect (by) 
  Using RDP" or "Connect (by) Using SSH" options for remote desktop 
  management as they are not affected by this issue.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the identifier CVE-2014-8373 to this issue. 

  Column 4 of the following table lists the action required to
  remediate the vulnerability in each release, if a solution is 
  available.

  VMware                Product   Running   Replace with/
  Product               Version   on        Apply Patch
  ===================   =======   =======   ======================
  vRealize Automation   6.2       any       Not Affected *

  vCloud Automation
  Center                6.1.1     any       VMRC_VCAC_6.1.1.zip **

  vCloud Automation
  Center                6.1       any       VMRC_VCAC_6.1.zip **

  vCloud Automation
  Center                6.0.1.2   any       VMRC_VCAC_6.0.1.2.zip **

  vCloud Automation
  Center                6.0.1.1   any       VMRC_VCAC_6.0.1.1.zip **

  vCloud Automation
  Center                6.0.1     any       VMRC_VCAC_6.0.1.zip **


* vRealize Automation 6.2 ships with "Connect (by) Using VMRC" removed 
  for directly connecting to vCenter Server.
** Deployment of this patch will remove "Connect (by) Using VMRC" 
   functionality for directly connecting to vCenter Server.

4. Solution
   
   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 

   vCloud Automation Center 6.x
   
   Downloads and Documentation:
   http://kb.vmware.com/kb/2097932
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8373

- 

6. Change log

   2014-12-09 VMSA-2014-0013
   Initial security advisory in conjunction with the release of patches 
   for vCloud Automation Center 6.x on 2014-12-09.

- 

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-BEGIN PGP SIGNATURE-
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8

wj8DBQFUhzPNDEcm8Vbi9kMRAq9YAJsEge4uFNH+kEJf50ehFUERdmP+HQCg430j
PEwxKOMkjouYYa5E8cvIjRw=
=/re/
-END PGP SIGNATURE-
