[FD] Java 8u40 released: why?
I notice that Java (JDK, JRE) update 8u40 has been released. Though
http://www.oracle.com/technetwork/java/javase/downloads/index.html
says "this release includes important security fixes", the release notes
http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html
say the "security baseline" is 1.8.0_31 (unchanged). I do not notice any major "usability" issues fixed.

So: why this out-of-band release?

Thanks, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities
*Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: Webshop hun v1.062S /index.php Multiple Parameters XSS Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:* Webshop hun

*Product & Version:* Webshop hun v1.062S

*Vendor URL & Download:* Webshop hun can be downloaded from here, http://www.webshophun.hu/index

*Product Introduction:* Webshop hun is an online product sell web application system.

"If our webshop you want to distribute your products, but it is too expensive to find on the internet found solutions, select the Webshop Hun shop program and get web store for free and total maker banner must display at the bottom of the page 468x60 size. The download shop program, there is no product piece limit nor any quantitative restrictions, can be used immediately after installation video which we provide assistance.

"The Hun Shop store for a free for all. In our experience, the most dynamic web solutions ranging from our country. If the Webshop Hun own image does not suit you, you can also customize the look of some of the images and the corresponding text replacement, or an extra charge we can realize your ideas. The Webshop Hun pages search engine optimized. They made the Hun Shop web program to meet efficiency guidelines for the search engines. The pages are easy to read and contain no unnecessary HTML tags. Any web page is simply a few clicks away."

*(2) Vulnerability Details:*

Webshop hun has a web application security bug problem. It can be exploited by XSS (Cross-site Scripting) attacks.

*(2.1)* The vulnerability occurs at "index.php?" page with "param" "center" "lap" "termid" "nyelv_id" parameters.

*References:*
http://tetraph.com/security/xss-vulnerability/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts
[FD] WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities
*WordPress "Max Banner Ads" Plug-in XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: WordPress "Max Banner Ads" Plugin /info.php &zone_id Parameter XSS Security Vulnerabilities
Product: WordPress "Max Banner Ads" Plugin
Vendor: MaxBlogPress
Vulnerable Versions: 1.9 1.8 1.4 1.3.* 1.2.* 1.1 1.09
Tested Version: Check All Related Versions' Source Code
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:* MaxBlogPress

*Product & Version:* WordPress "Max Banner Ads" Plugin 1.9 1.8 1.4 1.3.7 1.3.6 1.3.5 1.3.4 1.3.3 1.3.2 1.3.1 1.3 1.2.7 1.2.6 1.2.5 1.2 1.1 1.09

*Vendor URL & Download:* WordPress "Max Banner Ads" Plugin can be downloaded from here, http://www.maxblogpress.com/plugins/

*Product Introduction:* "Easily add and rotate banners in your wordpress blog anywhere you like without editing any themes or touching any codes"

*(2) Vulnerability Details:*

WordPress "Max Banner Ads" Plugin has a web application security bug problem. It can be exploited by XSS (Cross-site Scripting) attacks.

*(2.1)* The vulnerability occurs at "info.php?" page with "zone_id" parameter.

*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts
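Both advisories above (Webshop hun index.php and the Max Banner Ads info.php page) describe the same defect: a query parameter is copied into the response without output encoding. The following is an added example, not code from either advisory or from the vendors: a constructed page renderer in its vulnerable and hardened forms, plus the regression check a maintainer can run against each. Only the parameter names come from the advisories; the markup, the probe string and the function names are assumptions made here.

```python
import html
from urllib.parse import parse_qs, quote

# Parameter names are the ones the two advisories list; the page layout,
# the probe marker and the renderers are constructed for this example.
REFLECTED_PARAMS = ("param", "center", "lap", "termid", "nyelv_id", "zone_id")


def _values(query_string: str) -> dict:
    """Decode the query string and pick out the parameters the page reflects."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {name: params.get(name, [""])[0] for name in REFLECTED_PARAMS}


def render_unsafe(query_string: str) -> str:
    """Vulnerable shape: each parameter is echoed verbatim into element text
    and into a double-quoted attribute."""
    rows = [f'<li data-{name}="{value}">{name}: {value}</li>'
            for name, value in _values(query_string).items()]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(query_string: str) -> str:
    """Hardened shape: the same markup, with html.escape(quote=True) applied at
    the point of output. It encodes & < > " and ', which is the right encoder
    for element text and quoted attribute values; JavaScript, URL and
    unquoted-attribute contexts need their own encoders instead."""
    rows = [f'<li data-{name}="{html.escape(value, quote=True)}">'
            f'{name}: {html.escape(value, quote=True)}</li>'
            for name, value in _values(query_string).items()]
    return "<ul>" + "".join(rows) + "</ul>"


# Constructed probe: it closes an attribute and opens a tag, so it exercises
# both output contexts used above, and is harmless if it does render.
MARKER = '"><b>xss-probe</b>'


def reflects_unescaped(renderer, param: str) -> bool:
    """True when MARKER comes back byte-for-byte, i.e. the parameter reaches
    the page without output encoding."""
    return MARKER in renderer(f"{param}={quote(MARKER)}")


def audit(renderer) -> dict:
    """Parameter name -> whether it is reflected unescaped by this renderer."""
    return {name: reflects_unescaped(renderer, name) for name in REFLECTED_PARAMS}


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, audit(renderer))
```

The audit loops over every parameter rather than the one named in a report, since a page that reflects one parameter unencoded usually reflects its siblings the same way.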
[FD] Partial pointer leaks
Hi everyone,

I am posting this message in the hope of gathering suggestions about potential past vulnerabilities of a specific kind (described below), or ideas about applications, libraries or APIs that might potentially be subject to it.

As part of an academic project, I am looking for examples of partial, and eventually indirect, pointer leaks in the wild. I am basically after leaks that only reveal several bits (but not all) of an address (heap, stack, function, anything). What I mean here by indirect is the fact that the leaked information might not look like an address (or be an address) by itself. It could for example be the result of some operation (arithmetic or whatnot) on an address.

I am not looking for general information disclosure vulnerabilities such as buffer over-reads (that may only be triggered by some specific out-of-range parameters or input), but rather for pointer leaks as being the result of manipulation errors, or "dangerous use of pointers", or anything else resulting in a data dependency between a pointer and an output variable of any given application.

If this description reminds anyone of any past vulnerabilities, I would be very interested to hear about it.

Otherwise, something that comes to mind is applications/APIs using pointers or addresses (or anything deriving from them) as identifiers, with or without obfuscation. I read for example that the INET_DIAG socket API in the Linux kernel is (or at least was) actually using addresses as handles[1]. Any other similar examples would be very interesting, both in user-space and kernel-space.

[1] http://lwn.net/Articles/569635/

--
Christophe
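The "pointers as identifiers, with or without obfuscation" pattern the post asks about can be made observable from a script. The following is an added example, not part of the post: it relies on the fact that in CPython id(obj) is the object's address and the default object hash is that address rotated right by 4 bits (Objects/object.c, _Py_HashPointer), which is exactly an indirect leak, a function of an address rather than the address. The two handle registries, their class names and the XOR secret are constructed here to contrast an obfuscated address-derived handle (still a partial leak) with an opaque table index (no leak).

```python
import ctypes

# Machine word size, so the rotation below matches the C code it mirrors.
WORD_BITS = ctypes.sizeof(ctypes.c_void_p) * 8
MASK = (1 << WORD_BITS) - 1


def rotr4(addr: int) -> int:
    """Rotate a machine word right by 4 bits and reinterpret it as a signed
    Py_hash_t, mirroring CPython's _Py_HashPointer (which also maps -1 to -2)."""
    y = ((addr >> 4) | (addr << (WORD_BITS - 4))) & MASK
    if y >= 1 << (WORD_BITS - 1):
        y -= 1 << WORD_BITS
    return -2 if y == -1 else y


def hash_reveals_address(obj) -> bool:
    """Indirect, full leak: the default hash is an invertible function of the
    address, so whoever observes hash(obj) learns id(obj) without it ever being
    printed as an address."""
    return hash(obj) == rotr4(id(obj))


class XorObfuscatedHandles:
    """Anti-pattern (constructed): an address-derived identifier with a secret
    XOR. The absolute address is hidden, but h1 ^ h2 == addr1 ^ addr2, so the
    relative layout of registered objects (alignment, whether two share a
    page, distance between them) still leaks: a partial pointer leak."""

    def __init__(self, secret: int):
        self._secret = secret & MASK
        self._by_handle = {}

    def register(self, obj) -> int:
        handle = (id(obj) ^ self._secret) & MASK
        self._by_handle[handle] = obj
        return handle

    def lookup(self, handle: int):
        return self._by_handle[handle]


class OpaqueHandles:
    """Fix (constructed): identifiers are positions in a table, so no bit of a
    handle depends on where the object lives in memory."""

    def __init__(self):
        self._table = []

    def register(self, obj) -> int:
        self._table.append(obj)
        return len(self._table) - 1

    def lookup(self, handle: int):
        return self._table[handle]


def relative_layout_from_handles(h1: int, h2: int) -> int:
    """What an observer of two XOR-obfuscated handles learns: the XOR of the
    two underlying addresses, independent of the secret."""
    return h1 ^ h2


if __name__ == "__main__":
    a, b = object(), object()
    print("hash(obj) is rotr4(id(obj)):", hash_reveals_address(a))
    reg = XorObfuscatedHandles(secret=0x5A5A5A5A5A5A5A5A)
    h1, h2 = reg.register(a), reg.register(b)
    print("addr XOR recovered from handles:",
          relative_layout_from_handles(h1, h2) == id(a) ^ id(b))
```

The audit question for any API that hands out handles is the one the XOR case makes concrete: is there any arithmetic on two or more handles whose result depends only on the addresses? If so, the obfuscation hides the base but not the layout.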
[FD] CSRF in Contact Form DB allows attacker to delete all stored form submissions (WordPress plugin)
Details

Software: Contact Form DB
Version: 2.8.29
Homepage: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Advisory report: https://security.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
CVE: CVE-2015-1874
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

CSRF in Contact Form DB allows attacker to delete all stored form submissions

Vulnerability

An attacker able to convince a logged-in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, all records stored by the plugin will be deleted (in a real attack the form can be made to auto-submit using JavaScript).

    <form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">

Mitigations

Upgrade to version 2.8.32 or later

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you received it via a third party (for example, plug...@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline

2015-02-05: Discovered
2015-02-17: Reported to vendor by email
2015-02-22: Vendor responded and agreed a schedule for fix
2015-02-23: Vendor published a fix in version 2.8.32
2015-03-04: Advisory published

Discovered by dxw: Tom Adams

Please visit security.dxw.com for more information.
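The bug class in this advisory is a state-changing admin action that trusts the session cookie alone, which the browser also attaches to a POST submitted from a third-party page. The following is an added example, not the plugin's code and not its fix: a constructed "delete all submissions" handler in vulnerable and guarded forms. The guard uses a per-session, per-action HMAC token (the same intent as a WordPress nonce, implemented independently here so the block runs stand-alone) plus an Origin check as defence in depth; the request and store classes, the site origin and the sample rows are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

SITE_ORIGIN = "https://shop.example"      # constructed deployment value
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, constructed here


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to the logged-in session and to one named action, so a
    token issued for some other form cannot be replayed against 'delete_all'."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id, action), presented)


@dataclass
class Request:
    method: str
    session_id: str               # from the auth cookie, sent on cross-site POSTs too
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header, if the browser sent one


@dataclass
class SubmissionStore:
    rows: list = field(default_factory=lambda: ["row-1", "row-2", "row-3"])  # constructed data


def delete_all_unsafe(req: Request, store: SubmissionStore) -> Tuple[bool, int]:
    """Vulnerable shape: any POST arriving with a logged-in cookie is honoured.
    Returns (accepted, rows_deleted)."""
    if req.method != "POST":
        return (False, 0)
    deleted = len(store.rows)
    store.rows.clear()
    return (True, deleted)


def delete_all_guarded(req: Request, store: SubmissionStore) -> Tuple[bool, int]:
    """Hardened shape: POST only, Origin must match the site when present, and
    the form must carry a valid token for this session and this action."""
    if req.method != "POST":
        return (False, 0)
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return (False, 0)   # cross-site submission: reject before touching data
    if not token_valid(req.session_id, "delete_all", req.form.get("_token")):
        return (False, 0)   # missing, forged, or issued for another action
    deleted = len(store.rows)
    store.rows.clear()
    return (True, deleted)


def render_delete_form(session_id: str) -> str:
    """The legitimate admin page embeds the token. A third-party page cannot
    read it because of the same-origin policy, so it cannot forge the POST."""
    token = csrf_token(session_id, "delete_all")
    return ('<form method="post" action="/admin/delete_all">'
            f'<input type="hidden" name="_token" value="{token}">'
            '<button>Delete all submissions</button></form>')
```

Why the Origin check is a second layer rather than the only one: some clients omit the header, so a handler that relies on it alone has to choose between breaking those clients and letting header-less requests through; the token carries the proof on its own.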