[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

2014-12-09 Thread jlk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by a user.  Simple LDAP binds are defined
with three mechanisms (RFC 4513): 1) username and password; 2)
unauthenticated if only a username is specified; and 3) anonymous
if neither username nor password is specified.  Currently, Apache
CloudStack does not check if the password was provided which could
allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2).

An updated release for Apache CloudStack 4.3.2 is in testing. Until
that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated
binds.  If the LDAP server in use allows this behaviour, a potential
interim solution would be to consider disabling unauthenticated
binds.
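The missing check the advisory describes, as an added example (not CloudStack code): a login path that classifies a name/password pair by the RFC 4513 simple-bind mechanism it would select and refuses anything but an authenticated bind before an LDAP client is ever called. The directory contents, the user DN and the permissive "server" are constructed stand-ins so the block runs offline.

```python
"""Gate LDAP simple binds so an empty password can never turn into an
'unauthenticated' bind (RFC 4513 section 5.1). Added example, not CloudStack
code; the directory and the server below are constructed stand-ins."""
from enum import Enum
from typing import Dict, Optional


class BindKind(Enum):
    ANONYMOUS = "anonymous"              # empty name, empty password (RFC 4513 5.1.1)
    UNAUTHENTICATED = "unauthenticated"  # name present, empty password (5.1.2)
    AUTHENTICATED = "authenticated"      # name and password present (5.1.3)


def classify_simple_bind(name: str, password: str) -> BindKind:
    """Which of the three simple-bind mechanisms this name/password pair selects.

    RFC 4513 keys the choice on a zero-length password, so the decision has to
    be made in the application: an LDAP client will happily send the empty
    password and a permissive server will answer 'success'.
    """
    if name == "" and password == "":
        return BindKind.ANONYMOUS
    if password == "":
        return BindKind.UNAUTHENTICATED
    return BindKind.AUTHENTICATED


def bind_is_acceptable_for_login(name: Optional[str], password: Optional[str]) -> bool:
    """The check the affected releases lacked: only an authenticated simple bind
    may count as a login. None (field absent from the request) is treated exactly
    like an empty string so it cannot slip through as a zero-length password."""
    return classify_simple_bind(name or "", password or "") is BindKind.AUTHENTICATED


# Constructed directory: one user with a known password.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY: Dict[str, str] = {ALICE_DN: "correct-horse-battery"}


def permissive_server_bind(name: str, password: str) -> bool:
    """Stand-in for an LDAP server that allows unauthenticated binds: an empty
    password is answered with success without consulting the directory at all."""
    if password == "":
        return True
    return DIRECTORY.get(name) == password


def login(name: Optional[str], password: Optional[str], enforce_gate: bool = True) -> bool:
    """Application login. With enforce_gate=False it behaves like the affected
    releases and trusts whatever result the bind returns."""
    if enforce_gate and not bind_is_acceptable_for_login(name, password):
        return False
    return permissive_server_bind(name or "", password or "")


if __name__ == "__main__":
    print("no gate, empty password:", login(ALICE_DN, "", enforce_gate=False))
    print("gate,    empty password:", login(ALICE_DN, ""))
    print("gate,    real password: ", login(ALICE_DN, "correct-horse-battery"))
```

The gate belongs in the application regardless of directory settings; the advisory's interim step of disabling unauthenticated binds on the server is the defence in depth that would make `permissive_server_bind` answer an empty password with failure.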

Credit:
This issue was identified by the Citrix Security Team.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-


[SECURITY] [DSA 3094-1] bind9 security update

2014-12-09 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

-------------------------------------------------------------------------
Debian Security Advisory DSA-3094-1   secur...@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 08, 2014  http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: bind9
CVE ID : CVE-2014-8500

It was discovered that BIND, a DNS server, is prone to a denial of 
service vulnerability.
By making use of maliciously-constructed zones or a rogue server, an 
attacker can exploit an oversight in the code BIND 9 uses to follow 
delegations in the Domain Name Service, causing BIND to issue unlimited 
queries in an attempt to follow the delegation.  
This can lead to resource exhaustion and denial of service
(up to and including termination of the named server process).

For the stable distribution (wheezy), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu2+deb7u3.

For the upcoming stable distribution (jessie), this problem will be
fixed soon.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJUhhtUAAoJEI9hzo2UfbETZNgQAK3cYJpGVfcD03AEU5KEkXbO
rUor18BYRz6lCPSeLqIuF0OHR+ForpgV0t1CZ2mtexr3MSgve/LZn1LH5/YnYCLT
2A3UEtNgi7hzChbgQbWTLXTGzn1eOMxq1lS/pS40h0eLWrbKO8DIA+YiLzVm6G4a
rBqHuF+7CoBcRLckk3G2pu+XUFH7SrSFURu8537/ihLqOU7s1vf26G79XmDxFp1m
DHhqJ4A/qRTVwBcTaa7nXkQ3YZ1dNFjiSdq44i8N2NZgXhqPyfkfIEWmYI4pSVHi
rWpW8j8K2EagbovTUcEYG4OW0P+R06oYNT3QP9RaDiGfEqge+L8gb+RJIZFkmh2o
RDdpg3M4B8OZ9JVl/5x4Jdf6LUpfBe1UtAawNC8Fh7B/Xajgsr7mF7DsTBNDSOh9
5BhhSuZrSw2ZVU4rvC4g06lA6lq6GfXzwY8S0M9Mo3BeqvIr2L6BzX7ONUpmBx3n
OAvbTFtaB2LZMoP2JVaa9wMmb2F5c5PMVRphaP+2AxP3KSLOYOCLoEv2gg/6udmU
PC48Pyl2mm5TzSM7URZEP1lqx/lasdjg/XKfq/SkT7ZRXZqdd/aDy1M4R3RBNzWw
dMH+vUHS4qdI2wxKrLkcOQjlQtqHh6+8fWSFb58OLEm7gJB9rMjtFvzcs4nvWiyh
12hvYBbyAjb6ovdvfYsP
=b2o8
-END PGP SIGNATURE-



[security bulletin] HPSBST03154 rev.2 - HP StoreFabric C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell, Remote Code Execution

2014-12-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04487558

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04487558
Version: 2

HPSBST03154 rev.2 - HP StoreFabric C-series MDS switches and HP C-series
Nexus 5K switches running Bash Shell, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-11-06
Last Updated: 2014-12-08

Potential Security Impact: Remote code execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreFabric
C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell.
This is the Bash Shell vulnerability known as ShellShock which could be
exploited remotely to allow execution of code.

References:

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
Cisco defect id: CSCur01099 (for MDS switches)
Cisco defect id: CSCur05017 (for Nexus switches)
SSRT101747

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

All HP StoreFabric C-series MDS switches
All HP C-series Nexus 5K switches

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2014-6271    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
  CVE-2014-6277    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
  CVE-2014-6278    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
  CVE-2014-7169    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
  CVE-2014-7186    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
  CVE-2014-7187    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP is providing software updates as indicated below to resolve the
vulnerability in HP StoreFabric C-series MDS switches. No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products.

HP has released and posted the Cisco switch software version NX-OS 6.2(9a) on
HP Support Center (HPSC). Software version 6.2(9a) includes the fixes for the
vulnerability in HP StoreFabric C-series MDS switches currently supporting
NX-OS 6.X releases.
HP has released and posted the Cisco switch software version NX-OS 5.2(8e) on
HP Support Center (HPSC). Software version 5.2(8e) includes the fix for the
vulnerability in HP C-series MDS switches currently supporting NX-OS 5.X
releases.
HP is continuing to actively work on software updates to resolve the
vulnerability in HP C-series Nexus 5k switches. This bulletin will be revised
when these updates become available.

MITIGATION INFORMATION

If updating to a NX-OS version containing the fix is not currently possible,
HP recommends the following steps to reduce the risk of this vulnerability:

The ssh or telnet features may be disabled by the admin user. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port.
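Until a fixed NX-OS build is installed, operators will also want to know whether the ShellShock CVEs listed above are being probed for. The following is an added example, not part of the HP bulletin: a detector that scans web-server access logs (Apache/NGINX "combined" format) for the Bash function-export prefix that every public ShellShock payload begins with. The log lines are constructed samples.

```python
"""Detect ShellShock probes in web-server access logs. Added example, not from
the HP bulletin; the three log lines at the bottom are constructed samples."""
import re
from typing import Dict, Iterable, List, Optional

# Every public ShellShock payload (CVE-2014-6271, -7169, -6277, -6278) starts
# with the Bash function-export prefix "() {", a string that has no legitimate
# business in an HTTP header. Allow optional whitespace between ")" and "{".
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")

# "combined" log format: the last two quoted fields are Referer and User-Agent,
# the headers most often abused because CGI exports them as environment variables.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per log line whose request line, Referer or User-Agent carries
    the function-export prefix. Lines that do not parse are skipped, not guessed at."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_combined(line.rstrip("\n"))
        if rec is None:
            continue
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_PREFIX.search(rec[field]):
                findings.append({"line": lineno, "source": rec["ip"],
                                 "field": field, "value": rec[field]})
                break  # one finding per line is enough for an alert
    return findings


# Constructed sample: one ordinary request, then a User-Agent probe and a Referer probe.
SAMPLE_LOG = [
    '198.51.100.20 - - [09/Dec/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [09/Dec/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '203.0.113.5 - - [09/Dec/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "curl/7.38.0"',
]


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source']} via {hit['field']}: {hit['value']!r}")
```

Feed it `open(path)` instead of `SAMPLE_LOG` to run it over a real access log; a hit on a host that exposes CGI or any other Bash-backed handler is the signal to prioritise that host for the firmware update.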

HISTORY
Version:1 (rev.1) - 6 November 2014 Initial release
Version:2 (rev.2) - 8 December 2014 Updated with MDS releases

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or 

[SECURITY] [DSA 3093-1] linux security update

2014-12-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3093-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
December 08, 2014  http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: linux
CVE ID : CVE-2014-7841 CVE-2014-8369 CVE-2014-8884 CVE-2014-9090

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation:

CVE-2014-7841

Liu Wei of Red Hat discovered that a SCTP server doing ASCONF will
panic on malformed INIT chunks by triggering a NULL pointer
dereference.

CVE-2014-8369

A flaw was discovered in the way iommu mapping failures were handled
in the kvm_iommu_map_pages() function in the Linux kernel. A guest
OS user could exploit this flaw to cause a denial of service (host
OS memory corruption) or possibly have other unspecified impact on
the host OS.

CVE-2014-8884

A stack-based buffer overflow flaw was discovered in the
TechnoTrend/Hauppauge DEC USB driver. A local user with write access
to the corresponding device could use this flaw to crash the kernel
or, potentially, elevate their privileges.

CVE-2014-9090

Andy Lutomirski discovered that the do_double_fault function in
arch/x86/kernel/traps.c in the Linux kernel did not properly handle
faults associated with the Stack Segment (SS) segment register,
which allows local users to cause a denial of service (panic).

For the stable distribution (wheezy), these problems have been fixed in
version 3.2.63-2+deb7u2. This update also includes fixes for regressions
introduced by previous updates.

For the unstable distribution (sid), these problems will be fixed soon
in version 3.16.7-ckt2-1.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-



Subrion CMS Security Advisory - XSS Vulnerability - CVE-2014-9120

2014-12-09 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: XSS Vulnerability in Subrion CMS
Affected Software : Subrion CMS
Affected Versions: 3.2.2 and possibly below
Vendor Homepage : http://www.subrion.org/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2014-9120
Netsparker Advisory Reference : NS-14-039

Advisory URL

https://www.netsparker.com/xss-vulnerability-in-subrion-cms/

Description

Subrion CMS is a powerful PHP content management system that is very
easy to use. It comes with a ton of great features including full
source editing, per-page permissions, extensive plugin system, and
much more.

Technical Details

Proof of Concept URLs for XSS in Subrion CMS:

http://example.com/subrion/search/';--/style/scRiptscRiptalert(0x003DE1)/scRipt/

For more information on cross-site scripting vulnerabilities read the
following article
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

29/11/2014 - First Contact
03/12/2014 - Vulnerability fixed
09/12/2014 - Advisory released

Solution

http://tools.subrion.org/get/latest.zip

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.

About Netsparker

Netsparker can find and report security issues and vulnerabilities
such as SQL Injection and Cross-site Scripting (XSS) in all websites
and web applications regardless of the platform and the technology
they are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting, hence it is the
first and the only False Positive Free web application security
scanner. For more information on Netsparker visit
https://www.netsparker.com/


[security bulletin] HPSBGN03222 rev.1 - HP Enterprise Maps running SSLv3, Remote Disclosure of Information

2014-12-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04518999

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04518999
Version: 1

HPSBGN03222 rev.1 - HP Enterprise Maps running SSLv3, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-12-05
Last Updated: 2014-12-05

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Enterprise
Maps running SSLv3.

This is the SSLv3 vulnerability known as Padding Oracle on Downgraded Legacy
Encryption also known as Poodle, which could be exploited remotely to
allow disclosure of information.

References:

CVE-2014-3566 (SSRT101860)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Enterprise Maps 1.0

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2014-3566    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following instructions available to resolve the vulnerability
in HP Enterprise Maps:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01264593

HISTORY
Version:1 (rev.1) - 5 December 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlSHEesACgkQ4B86/C0qfVmt5gCfUnsp405JoUI10KlfTBiuYCeZ
Kf8AoLJoa29yQURSnji4Wp2XVn/ri/BN
=P37g
-END PGP SIGNATURE-


[security bulletin] HPSBGN03208 rev.1 - HP Cloud Service Automation running SSLv3, Remote Disclosure of Information

2014-12-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04516572

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04516572
Version: 1

HPSBGN03208 rev.1 - HP Cloud Service Automation running SSLv3, Remote
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-12-08
Last Updated: 2014-12-08

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Cloud Service
Automation running SSLv3.

This is the SSLv3 vulnerability known as Padding Oracle on Downgraded Legacy
Encryption also known as Poodle, which could be exploited remotely to
allow disclosure of information.

References:

CVE-2014-3566 (SSRT101838)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Cloud Service Automation 3.0, 3.01, 3.10, 3.20, 4.0, 4.01 and 4.10

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2014-3566    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following instructions available to resolve the vulnerability
in HP Cloud Service Automation.

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01252141
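Both of the SSLv3 bulletins above (HP Enterprise Maps and HP Cloud Service Automation) point at vendor instructions; the underlying fix for POODLE (CVE-2014-3566) is the same everywhere, which is to stop negotiating SSLv3. The following is an added example, not HP's code, using only Python's standard ssl module: the weak configuration beside the corrected one, plus an audit helper that reports whether a context provably refuses SSLv3. The TLS 1.2 floor is an assumption that every peer supports TLS 1.2.

```python
"""TLS contexts that cannot fall back to SSLv3 (POODLE, CVE-2014-3566).
Added example, not from the HP bulletins; standard library only."""
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration: accept whatever the linked OpenSSL supports, which on
    2014-era builds included SSLv3. CPython sets OP_NO_SSLv3 by itself, so the bit
    is cleared here deliberately; kept only as something to audit against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: certificate and hostname verification on, and a
    protocol floor of TLS 1.2 (assumption: every peer this client talks to has it)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only when the context provably refuses SSLv3, either via
    the legacy OP_NO_SSLv3 flag or via a protocol floor above SSLv3. A floor of
    MINIMUM_SUPPORTED is reported as not proven, which is the safe answer."""
    if ctx.options & ssl.OP_NO_SSLv3:
        return True
    return ctx.minimum_version > ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    print("legacy   SSLv3 disabled:", sslv3_disabled(legacy_client_context()))
    print("hardened SSLv3 disabled:", sslv3_disabled(hardened_client_context()))
```

Run `sslv3_disabled` over every context an application builds (or wrap the factory so that it is the only way to obtain one); the same two settings, a minimum version and peer verification, apply to server contexts built with `ssl.PROTOCOL_TLS_SERVER`.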

HISTORY
Version:1 (rev.1) - 8 December 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlSF7WkACgkQ4B86/C0qfVmNpQCfXrTaFO45Pp17CQs6dz3xzvWA
FXwAoK8Ng/OZZ8qYRjdR2OEq755YgMAa
=mDPe
-END PGP SIGNATURE-


[CVE-2014-8340] phpTrafficA SQL injection

2014-12-09 Thread Daniël Geerts

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Product: phpTrafficA
Product page: http://soft.zoneo.net/phpTrafficA/
Affected versions: Up to and including 2.3 (latest as of writing).

Description:
An SQL injection exists in Php/Functions/log_function.php, line 933:
$sql3 = "INSERT INTO `${table}_host` SET date='$date', host='',
hostname='', page='$page', ref='$cleanref', agent='$agent',
longIP='$iplong'";

The $agent variable comes directly from $_SERVER['HTTP_USER_AGENT'],
without any escaping. This makes SQL injection possible. Even if
multiple statements in one query has been turned off, the contents of
the database can still be read by manipulating the last parameter of the
query (the IPv4-address stored as an integer). For example, the
following spoofed user agent will store the ASCII-value of the second
character of the admin hash as its IP:
Firefox', longIP=(SELECT ASCII(SUBSTRING(value,2,1)) FROM
phpTrafficA_conf WHERE variable='adminpassword') #
This will be displayed in the Latest visitors  Details section, and
by repeating this procedure multiple times, the entire admin hash (or
any other database content) can be retrieved.

Partial mitigations:
- Turn off multiple statements in one query.
- Hide Latest visitors  Details section from view. This prevents
the attacker from obtaining the output of the manipulated query.
- Apply this quick fix to line 933:
$sql3 = "INSERT INTO `${table}_host` SET date='$date', host='',
hostname='', page='$page', ref='$cleanref',
agent='".mysql_real_escape_string($agent)."', longIP='$iplong'";

The code-fix does not resolve the SQL injection for all server
configurations, but should be sufficient for most. A proper fix would be
a version of phpTrafficA that uses PDO with prepared statements.
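What the "proper fix" looks like, as an added example that is not phpTrafficA code: the same visitor INSERT rebuilt with bound parameters, with Python's sqlite3 standing in for MySQL/PDO. The vulnerable construction from line 933 is transcribed alongside (returned as a string, never executed) so the two can be compared on the same input. The table prefix, the visit data and the hostile User-Agent are constructed.

```python
"""phpTrafficA's visitor INSERT rebuilt with bound parameters. Added example,
not phpTrafficA code: sqlite3 stands in for MySQL/PDO, and the table prefix,
visit data and hostile User-Agent below are constructed."""
import socket
import sqlite3
import struct
from typing import List, Tuple


def ip_to_long(ip: str) -> int:
    """Dotted-quad IPv4 to the unsigned 32-bit integer phpTrafficA keeps in longIP."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def sql_as_built_on_line_933(table: str, date: str, page: str, cleanref: str,
                             agent: str, iplong: int) -> str:
    """The vulnerable construction, transcribed from the PHP: every value is spliced
    into the statement text, so a quote inside $agent ends the string literal and
    the rest of the User-Agent is parsed as SQL. Returned for inspection only."""
    return (f"INSERT INTO `{table}_host` SET date='{date}', host='', hostname='', "
            f"page='{page}', ref='{cleanref}', agent='{agent}', longIP='{iplong}'")


def create_host_table(conn: sqlite3.Connection, table: str) -> None:
    conn.execute(f"CREATE TABLE `{table}_host` (date TEXT, host TEXT, hostname TEXT, "
                 "page TEXT, ref TEXT, agent TEXT, longIP INTEGER)")


def record_visit(conn: sqlite3.Connection, table: str, date: str, page: str,
                 cleanref: str, agent: str, ip: str) -> None:
    """The fix the advisory asks for: the statement text is fixed and every value is
    bound as a parameter, so a User-Agent stays data whatever it contains. `table`
    is the configured prefix, never request data, which is the only reason it may
    be formatted into the identifier."""
    conn.execute(
        f"INSERT INTO `{table}_host` (date, host, hostname, page, ref, agent, longIP) "
        "VALUES (?, '', '', ?, ?, ?, ?)",
        (date, page, cleanref, agent, ip_to_long(ip)),
    )


def latest_visitors(conn: sqlite3.Connection, table: str) -> List[Tuple[str, int]]:
    """What the Latest visitors page would display: (agent, longIP) per visit."""
    return conn.execute(f"SELECT agent, longIP FROM `{table}_host` ORDER BY rowid").fetchall()


# Constructed hostile User-Agent in the shape the advisory describes: a quote to
# close the agent literal, then an attempt to replace the longIP value.
HOSTILE_AGENT = "Firefox', longIP=(SELECT 1) #"


def demo(table: str = "phpTrafficA") -> Tuple[str, int]:
    """Record one visit carrying the hostile agent through bound parameters and
    return the row that landed: the agent verbatim, longIP the real address."""
    conn = sqlite3.connect(":memory:")
    create_host_table(conn, table)
    record_visit(conn, table, "2014-12-09", "/index.php", "", HOSTILE_AGENT, "198.51.100.23")
    return latest_visitors(conn, table)[0]


if __name__ == "__main__":
    print("line 933 would run:", sql_as_built_on_line_933("phpTrafficA", "2014-12-09",
                                                         "/index.php", "", HOSTILE_AGENT, 1))
    print("bound parameters stored:", demo())
```

Note that the parameterised version makes the advisory's first two partial mitigations unnecessary for this query: with no way to terminate the literal, neither stacked statements nor the visible Latest visitors page give the attacker anything.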


Best regards,
Daniel Geerts
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJUhwA8AAoJEHn1bVIKHk5NxhYQAMiEbr06K7UQxXEZv0+3KTr6
LTA+65vVdmu0mTPQrTEjNeW46bv5tpnOuZc0q8Nprwbko2V/ANVXnD2NC4nBdYE8
J+7XonQq7CnsM//C504D2Vms3ylQhkthycCBc1OXaaEEIF2lmFrLPFsLLNkjaEAr
A5hDZJE7tSjDoq4/a3Psl1DLC+oblYbAA/JJxcSx5Abdnt47i9HMs9xWxN5Jn9oj
OwXoF31YrMxbMoqrENQqnc5lVvfxM+ki/t5sCZV4jk1kRX7Ivf7sEMbhiN0sKqnM
UeNwVSgi5308rAYdyg5zpUurvwIlKYtU9kA4N1sIVJCIGzeZXYCIOVAJZNglZ/NB
bX9EoLoxeU1R7RS2SWHLEneriiyj0nCyS1X+HSkov9p1gYemxqivgmBKsV3A4LxG
Crz7kHpcpYSn15u7vploGOki/G0sqpMVL9UwkK/F5vxRkMWxBjqvCzXudDXBvYVJ
gnSJGw0QB6roJqHx3yf3x91YE8m69axiFTE8dAUz1IfTsbEgc2oUfnO+crWPyWh7
IHx8gIfN/3Uck/6gLPse63rtKB+jI7/i4xJbm0FIbOnodzkJP1GDy9U3UsEbleSW
kKV884YFogi1iyfuOhrqCGWatQybpHlM/VyycH3NvzpsDFwVCYrnaQ/jpfKS1rlz
dWvSYp6b43Nui30hm+kv
=PZkK
-END PGP SIGNATURE-



[security bulletin] HPSBST03106 rev.2 - HP P2000 G3 MSA Array System, HP MSA 2040/1040 Storage running OpenSSL, Remote Unauthorized Access or Disclosure of Information

2014-12-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04438404

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04438404
Version: 2

HPSBST03106 rev.2 - HP P2000 G3 MSA Array System, HP MSA 2040/1040 Storage
running OpenSSL, Remote Unauthorized Access or Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-09-05
Last Updated: 2014-12-09

Potential Security Impact: Remote unauthorized access or disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the HP P2000 G3 MSA
Array System, the HP MSA 2040 Storage, and the HP MSA 1040 Storage running
OpenSSL. This vulnerability could be exploited remotely resulting in
unauthorized access or disclosure of information.

References: CVE-2014-0224 (SSRT101700)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP P2000 G3 MSA Array System (TS251P005 and earlier)
HP MSA 2040 Storage and HP MSA 1040 Storage (GL105P003 and earlier)

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2014-0224    (AV:N/AC:M/Au:N/C:P/I:P/A:P)    6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has released firmware version TS251P006 for the HP P2000 G3 MSA Array
System:

Windows:

http://www.hp.com/swpublishing/MTX-a0228769136a457f9a05d06f48

Linux:

http://www.hp.com/swpublishing/MTX-e3df2a57201644ff9df8180b40

HP has released firmware version GL200R007 for the HP MSA 2040 Storage and HP
MSA 1040 Storage Systems:

Windows:

http://www.hp.com/swpublishing/MTX-2967e829feff4599958ed3479b

Linux:

http://www.hp.com/swpublishing/MTX-03608152ae694f26a2042781ae

As with any security update, after applying the firmware to the array, HP
highly recommends changing user passwords.

HISTORY
Version:1 (rev.1) - 5 September 2014 Initial release
Version:2 (rev.2) - 9 December 2014 Added HP MSA 2040/1040 Storage Systems

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlSHazkACgkQ4B86/C0qfVkeNgCfQTQFDPWP9NLVKw7LbTQrdD9m
G7EAoJqXX/7Mv2LgUPbeaFjmUwIloZcX
=MosA
-END PGP SIGNATURE-


[security bulletin] HPSBMU03043 rev.1 - HP Smart Update Manager for Windows and Linux, Local Disclosure of Information

2014-12-09 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04302476

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04302476
Version: 1

HPSBMU03043 rev.1 - HP Smart Update Manager for Windows and Linux, Local
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-12-09
Last Updated: 2014-12-09

Potential Security Impact: Local disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP Smart Update
Manager for Windows and Linux. The vulnerability could be exploited to allow
the local disclosure of information.

References: CVE-2014-2608 (SSRT101578)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Smart Update Manager Windows (v6.x) and Linux (6.2.0, 6.3.0, 6.3.1,
6.4.0).

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2014-2608    (AV:L/AC:L/Au:S/C:C/I:C/A:C)    6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following updates available: HP Smart Update Manager version
6.4.1 (hpsum-6.4.1-1) on the SDR.

HISTORY
Version:1 (rev.1) - 9 December 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlSHaukACgkQ4B86/C0qfVkVpgCgt5TknTIqzqu9NqgUSc7YEKt3
8vYAoKdlvSgsVV4qu/rbyBQ/179AvfzX
=O/EN
-END PGP SIGNATURE-


Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities

2014-12-09 Thread simo
Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 02 November 2014
Updated: 9 December 2014
Published: 9 December 2014
MorXploit Research
http://www.MorXploit.com
Vendor: Concrete5
Vendor url: www.concrete5.org
Software: Concrete5 CMS
Versions: 5.7.2 and 5.7.2.1 (probably older)
Status: Unpatched
Vulnerable scripts:
single_pages/dashboard/users/groups/bulkupdate.php
tools/dashboard/sitemap_drag_request.php
Original document: http://morxploit.com/morxploits/morxconxss.txt

About Concrete5 (from Wikipedia):
Concrete5 is an open source content management system (CMS) for publishing 
content on the World Wide Web and intranets.
Concrete5 was designed for ease of use, for users with a minimum of technical 
skills. It enables users to edit site content directly from the page. It 
provides version management for every page, similar to wiki software, another 
type of web site development software. concrete5 allows users to edit images 
through an embedded editor on the page.

To learn more please visit:
http://en.wikipedia.org/wiki/Concrete5
http://www.concrete5.org/

Description:
Concrete5 is vulnerable to Cross-Site Scripting, both bulkupdate.php and 
sitemap_drag_request.php scripts fail to properly sanitize user-supplied input.

PoC Exploit:
bulkupdate.php XSS is exploitable through $_REQUEST['gName']

Using HTTP GET Method:
http://target/index.php/dashboard/users/groups/bulkupdate/search?gName=;scriptalert(document.cookie)/scriptccm-submit-button=Search

Using HTTP POST Method:
POST http://target/index.php/dashboard/users/groups/bulkupdate/search

POST DATA:
gName=scriptalert(document.cookie)/scriptccm-submit-button=Search


sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'] but 
requires a valid ccm_token value, which makes it unexploitable (unless the 
attacker somehow obtains a valid token).

Using HTTP GET Method:
http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147destCID=148instance_id=;BODY ONLOAD=alert(document.cookie)ctask=MOVEccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9eadragMode=over

Mitigation:
Validate/sanitize user-supplied input received through $_REQUEST['gName'] and 
$_REQUEST['instance_id'].
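The mitigation in both this advisory and the Subrion one above (NS-14-039) is the same: a value taken from the request must be encoded for the context it is echoed into, or validated against an allow-list when it is an identifier. The following is an added example and not code from Concrete5 or Subrion; the dashboard form markup, the sample URL and the numeric shape assumed for instance_id are constructed.

```python
"""Context-aware output encoding and allow-list validation for reflected
parameters. Added example, not Concrete5 or Subrion code; the form markup,
sample URL and the numeric shape assumed for instance_id are constructed."""
import html
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Assumption: instance_id is a numeric identifier, so anything else is rejected.
INSTANCE_ID_RE = re.compile(r"^[0-9]{1,10}$")

# Constructed request carrying a percent-encoded "><script>... payload in gName.
SAMPLE_URL = ("http://target/index.php/dashboard/users/groups/bulkupdate/search"
              "?gName=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"
              "&ccm-submit-button=Search")


def reflected_params(url: str, names: List[str]) -> Dict[str, str]:
    """Pull the parameters the page will echo back out of a request URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {n: qs.get(n, [""])[0] for n in names}


def render_group_search(gname: str) -> str:
    """Echo the search term inside an attribute value and as element text, encoded
    for each context: quote=True turns " and ' into entities so the attribute
    cannot be closed early, and < > become entities so no tag can be opened."""
    safe = html.escape(gname, quote=True)
    return (f'<input type="text" name="gName" value="{safe}">'
            f'<p>Search results for {safe}</p>')


def instance_id_is_valid(value: str) -> bool:
    """Allow-list check for an identifier: stricter than encoding, and the right
    tool when the value is never meant to carry free text."""
    return INSTANCE_ID_RE.match(value) is not None


def validate_instance_id(value: str) -> str:
    """Fail closed: a request with a non-numeric instance_id is refused outright."""
    if not instance_id_is_valid(value):
        raise ValueError("instance_id must be numeric")
    return value


def raw_payload_survives(rendered: str, payload: str) -> bool:
    """Audit helper: True when the attacker-controlled string appears unencoded."""
    return payload in rendered


if __name__ == "__main__":
    gname = reflected_params(SAMPLE_URL, ["gName"])["gName"]
    page = render_group_search(gname)
    print(page)
    print("payload survives:", raw_payload_survives(page, gname))
```

Encoding at output time is what protects the page; stripping characters on input (the "sanitize" half of the advisory's wording) is a weaker substitute because it has to guess every context the value will later land in.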

Disclosure time-line
02 November 2014: Discovery.
03 November 2014: Initial report sent.
11 November 2014: Second contact.
No response.
09 December 2014: Public disclosure.

Author disclaimer:
The information contained in this entire document is for educational, 
demonstration and testing purposes only.
Author cannot be held responsible for any malicious use or damage. Use at your 
own risk.