NetCat CMS v5.0.1 - Multiple Web Vulnerabilities
Title:
NetCat CMS v5.0.1 - Multiple Web Vulnerabilities

Date:
2012-10-31

References:
http://www.vulnerability-lab.com/get_content.php?id=738

VL-ID:
738

Common Vulnerability Scoring System:
2.5

Introduction:
Vendor Website: http://netcat.ru (RU)

Abstract:
The Security Effect Research Team discovered multiple Web Vulnerabilities in the Russian Bce NetCat v5.0.1 content management system.

Report-Timeline:
2012-10-31: Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple client-side cross site scripting and HTTP parameter pollution vulnerabilities have been detected in the Russian Bce NetCat v5.0.1 content management system.
The non-persistent cross site scripting vulnerabilities allow remote attackers to form malicious client-side web requests to steal CMS customer session information.
The client-side CRLF vulnerability allows remote attackers to change the GET and POST request with their own values to manipulate the HTTP protocol request.

The first client-side cross site scripting vulnerability is located in the search module with the bound vulnerable search_query application parameter.
The second HTTP parameter pollution vulnerability is located in the post.php file when processing a request via the bound vulnerable redirect_url parameter.

Successful exploitation of the vulnerabilities can result in client-side HTTP parameter manipulation via POST/GET, client-side phishing, client-side cookie stealing via cross site scripting and client-side CMS web context manipulation.

Vulnerable Module(s):
[+] search
[+] post

Vulnerable Parameter(s):
[+] search_query
[+] redirect_url

Proof of Concept:
1. Client Side - Cross Site Scripting

The client-side cross site scripting vulnerabilities can be exploited by remote attackers without a privileged application user account and with medium or high required user interaction.
For demonstration or reproduce ...

1.1 - In URL address.
PoC: http://site.127.0.0.1:3666/?’ onmouseover=’prompt(document.cookie)’bad=’

1.2 - In “search_query” parameter.
PoC: http://site.127.0.0.1:3666/search/?search_query=’ onmouseover=prompt(document.cookie) bad=’

2. Client Side via POST - CRLF injection/HTTP Parameter Pollution

The client-side CRLF vulnerability can be exploited by remote attackers without a privileged application user account and with medium or high required user interaction.
For demonstration or reproduce ...

In /netcat/modules/netshop/post.php the URL-encoded POST input redirect_url was set to NetCatStatus:hacked_by_seceffect

PoC: POST http://site.127.0.0.1:3666/netcat/modules/netshop/post.php
cart%5b353%5d%5b10%5d=1cart_mode=addredirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect

Risk:
1.1 The security risk of the client-side cross site scripting vulnerabilities is estimated as low(+)|(-)medium.
1.2 The security risk of the HTTP parameter pollution vulnerability is estimated as medium(-).

Credits:
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:  ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from
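The redirect_url finding in the advisory above is a header-injection pattern: a CR/LF sequence (the %0d%0a in the PoC) copied from a request parameter into a response header lets the value terminate that header and start a new one. The following is an added example, not part of the advisory and not NetCat's code: a Python validator a server could apply to a redirect target before emitting a Location header, and a scanner that applies the two indicators the advisory describes (control characters in a parameter, inline event handlers in search_query) to access-log lines. All function names and the sample log lines are assumptions constructed for this illustration.

```python
import re
from typing import List, Sequence, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical helpers; not part of NetCat CMS. A redirect target must be
# validated after percent-decoding, because %0d%0a only becomes CR/LF then.

DEFAULT_TARGET = "/"
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")             # CR, LF, TAB and other control characters
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)  # onmouseover=, onerror=, ...
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def safe_redirect_target(raw: str, default: str = DEFAULT_TARGET) -> str:
    """Return a site-local path safe to copy into a Location header, else the default."""
    if not raw:
        return default
    decoded = unquote(raw)
    # Any control character (including the decoded %0d%0a from the advisory) or a
    # backslash, which some browsers treat as a slash, rejects the whole value.
    if _CONTROL.search(decoded) or "\\" in decoded:
        return default
    parts = urlsplit(decoded)
    # A scheme or host means an absolute or protocol-relative URL, i.e. off-site.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    # Rebuild from path and query only; fragments and anything else are dropped.
    return parts.path + ("?" + parts.query if parts.query else "")


def suspicious_params(target: str) -> List[str]:
    """Flag decoded query parameters carrying control characters or script markers."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if _CONTROL.search(value):
            findings.append(f"{name}: control character (header injection pattern)")
        if _EVENT_HANDLER.search(value) or "<script" in value.lower():
            findings.append(f"{name}: inline event handler or script tag (XSS pattern)")
    return findings


def scan_access_log(lines: Sequence[str]) -> List[Tuple[str, List[str]]]:
    """Return (request target, findings) for every log line whose query looks suspicious."""
    hits = []
    for line in lines:
        m = _REQUEST_LINE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append((m.group("target"), findings))
    return hits


# Constructed sample lines in common log format (not real traffic). The second
# line carries redirect_url in the query string so the scanner can see it; a
# POST body would need request-body logging or a WAF to inspect.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2012:10:00:01 +0000] "GET /search/?search_query=netcat HTTP/1.1" 200 812',
    '10.0.0.9 - - [31/Oct/2012:10:00:07 +0000] "POST /netcat/modules/netshop/post.php?redirect_url=%0d%0a%20NetCatStatus:x HTTP/1.1" 302 0',
    '10.0.0.9 - - [31/Oct/2012:10:00:09 +0000] "GET /search/?search_query=%27%20onmouseover%3Dprompt(1)%20bad%3D%27 HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for target, findings in scan_access_log(SAMPLE_LOG):
        print(target, "->", "; ".join(findings))
    print(safe_redirect_target("%0d%0a%20NetCatStatus:x"))  # prints "/"
```

The validator deliberately falls back to a fixed local path rather than trying to "clean" the value: stripping CR/LF alone would still let an absolute or protocol-relative URL turn the redirect into an open redirect. The scanner only covers what reaches the access log; the advisory's POST-body variant is only visible where request bodies are logged or inspected in front of the application.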
VaM Shop v1.69 - Multiple Web Vulnerabilities
Title:
VaM Shop v1.69 - Multiple Web Vulnerabilities

Date:
2012-10-24

References:
http://www.vulnerability-lab.com/get_content.php?id=730

VL-ID:
730

Common Vulnerability Scoring System:
8.1

Introduction:
(Vendor Website: http://vamshop.ru/ )

Abstract:
The Security Effect Research Team discovered multiple Web Vulnerabilities in the VaM Shop v1.69 web application CMS.

Report-Timeline:
2012-10-24: Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1 A laboratory researcher discovered a critical SQL injection vulnerability in the VaM Shop v1.69 web application content management system.
The SQL vulnerability allows remote attackers to inject/execute their own SQL commands/statements on the affected VaM Shop v1.69 web application DBMS.
The vulnerability is located in the shopping_cart.php file with the bound vulnerable products_id parameter request. The vulnerability can be exploited by remote attackers without required user interaction.
Successful exploitation of the vulnerability results in web application DBMS and service compromise or stable application manipulation via SQL injection.

Vulnerable File(s):
[+] shopping_cart.php

Vulnerable Parameter(s):
[+] products_id

1.2 A laboratory researcher discovered a client-side Cross Site Scripting Vulnerability in the VaM Shop v1.69 web application content management system.
The vulnerability is located in the advanced_search_result.php file when processing to load script code out of the search results web context.
Successful exploitation results in session hijacking, non-persistent account phishing or client-side content manipulation.

Vulnerable File(s):
[+] advanced_search_result.php

Proof of Concept:
1. Blind SQL injection in shopping_cart.php in parameter product_id[].

The SQL Injection vulnerability can be exploited by remote attackers without a privileged application user account.
For demonstration or reproduce ...

PoC: POST - SQL INJECTION
/shopping_cart.php ?action=update_product
cart_delete[]=2071cart_quantity[]=1old_qty[]=1products_id[]=2071'[SQL INJECTION VULNERABILITY] and sleep(37)%3d%27

2. Multiple Cross Site Scripting

The client-side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction.
For demonstration or reproduce ...

PoC:
/advanced_search_result.php/o onmouseover=prompt(document.cookie) //
/shopping_cart.php?action=update_product cart_delete[]=o onmouseover=prompt(document.cookie) //

Risk:
1. The security risk of the blind SQL injection vulnerability is estimated as high(+).
2. The security risk of the client-side cross site scripting vulnerability is estimated as low(+).

Credits:
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)
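The products_id[] finding above follows from splicing request values into SQL text, where a single quote in any array element closes the string literal and the remainder of the value is parsed as SQL. The following is an added example, not part of the advisory and not VaM Shop's code: the unsafe concatenation pattern kept only as an inspectable string, next to the hardened form that validates each products_id[] element as a plain integer and binds it through placeholders. The in-memory SQLite table, its schema and all function names are constructed assumptions; the real shop's schema is not known from the advisory.

```python
import re
import sqlite3
from typing import List, Sequence, Tuple

_INTEGER = re.compile(r"[0-9]+")  # allow-list: ASCII digits only, no sign, no whitespace


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's products table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(2071, "widget"), (2072, "gadget")])
    conn.commit()
    return conn


def unsafe_query_text(raw_ids: Sequence[str]) -> str:
    """The pattern behind the advisory: request values spliced into SQL text.

    Returned for inspection only and never executed here. A quote inside any
    element closes the string literal, so the rest of that value is read as SQL.
    """
    return "SELECT products_id, name FROM products WHERE products_id IN ('%s')" % "','".join(raw_ids)


def parse_product_ids(raw_ids: Sequence[str]) -> List[int]:
    """Validate products_id[] elements: each must be a plain non-negative integer."""
    ids = []
    for raw in raw_ids:
        if not _INTEGER.fullmatch(raw):
            raise ValueError(f"rejected products_id value: {raw!r}")
        ids.append(int(raw))
    return ids


def lookup_products(conn: sqlite3.Connection, raw_ids: Sequence[str]) -> List[Tuple[int, str]]:
    """Hardened form: validated integers bound through placeholders, never spliced into SQL."""
    ids = parse_product_ids(raw_ids)
    if not ids:
        return []
    # Only the placeholder list is built from our own "?" tokens; the values travel
    # separately to the driver, so their content cannot change the statement.
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT products_id, name FROM products "
        f"WHERE products_id IN ({placeholders}) ORDER BY products_id"
    )
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    conn = demo_connection()
    print(lookup_products(conn, ["2071", "2072"]))
    print(unsafe_query_text(["2071' and sleep(37)='"]))  # shows the closed literal
    try:
        lookup_products(conn, ["2071' and sleep(37)='"])
    except ValueError as exc:
        print("hardened path:", exc)
```

Validation before binding is deliberate: placeholders alone already prevent the injection, but rejecting non-integer ids up front also keeps malformed input out of logs and error paths, and the single `ValueError` gives the application one place to log the attempt.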
XSS in dokeos 2.1.1
# Exploit Title : Dokeos 2.1.1 Multiple Cross-Site Scripting Vulnerabilities
Author: Marcela Benetrix
home: www.girlinthemiddle.net
Date: 10/17/12
version: 2.1.1
software link: www.dokeos.com

# Dokeos description
Dokeos is an open source e-learning platform programmed in PHP, Javascript and HTML which provides different features: reports, mindmaps, documents, social network, etc.

## XSS location
/main/auth/profile.php

At this page, we have a form with many fields to fill in. 5 of them are vulnerable to PERSISTENT cross site scripting. The named fields are:
extra_phone
extra_street
extra_addressline2
extra_zipcode

Via POST, we can send malicious code in order to steal cookies, access sensitive information, or deface the web application for every single user that visits the poisoned profile.

## Vendor Notification
10/13/2012 to: i...@dokeos.com
10/23/2012 to: sales...@dokeos.com
10/30/2012 No response, disclosure
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace Web Conferencing
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace Web Conferencing

Advisory ID: cisco-sa-20121031-mp
Revision 1.0
For Public Release 2012 October 31 16:00 UTC (GMT)

Summary

Cisco Unified MeetingPlace Web Conferencing is affected by two vulnerabilities:

* Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability
* Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability

Exploitation of the Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability may allow an unauthenticated, remote attacker to send Structured Query Language (SQL) commands to manipulate the MeetingPlace database, which stores information about server configuration, meetings, and users. These commands may be used to create, delete, or alter some of the information in the Cisco Unified MeetingPlace Web Conferencing database.

Exploitation of the Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability may allow an unauthenticated, remote attacker to create a buffer overrun condition that may cause the Web Conferencing server to become unresponsive.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-mp
Cisco Security Advisory: Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
Cisco Security Advisory: Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability

Advisory ID: cisco-sa-20121031-dcnm
Revision 1.0
For Public Release 2012 October 31 16:00 UTC (GMT)

Summary

Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm
[SECURITY] [DSA 2570-1] openoffice.org security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2570-1                   secur...@debian.org
http://www.debian.org/security/                          Yves-Alexis Perez
October 31, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : remote
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4233
Debian Bug     :

High-Tech Bridge SA Security Research Lab discovered multiple null-pointer-dereference-based vulnerabilities in OpenOffice which could cause application crash or even arbitrary code execution using specially crafted files. Affected file types are LWP (Lotus Word Pro), ODG, PPT (MS Powerpoint 2003) and XLS (MS Excel 2003).

For the stable distribution (squeeze), this problem has been fixed in version 1:3.2.1-11+squeeze8.

The openoffice.org package has been replaced by libreoffice in the testing (wheezy) and unstable (sid) distributions.

For the testing distribution (wheezy), this problem has been fixed in version 1:3.5.4+dfsg-3.

For the unstable distribution (sid), this problem has been fixed in version 1:3.5.4+dfsg-3.

We recommend that you upgrade your openoffice.org packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [BUGTRAQ]Security Advisory - TP-LINK TL-WR841N LFI - [UPDATE]
Unfortunately confirmed. Just remember to use the default port 8080 (host:port) param or another, in case of change.
[ MDVSA-2012:169 ] java-1.6.0-openjdk
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:169
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : November 1, 2012
 Affected: 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple security issues were identified and fixed in OpenJDK (icedtea6):

 * S6631398, CVE-2012-3216: FilePermission improved path checking
 * S7093490: adjust package access in rmiregistry
 * S7143535, CVE-2012-5068: ScriptEngine corrected permissions
 * S7167656, CVE-2012-5077: Multiple Seeders are being created
 * S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
 * S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
 * S7172522, CVE-2012-5072: Improve DomainCombiner checking
 * S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
 * S7189103, CVE-2012-5069: Executors needs to maintain state
 * S7189490: More improvements to DomainCombiner checking
 * S7189567, CVE-2012-5085: java net obselete protocol
 * S7192975, CVE-2012-5071: Conditional usage check is wrong
 * S7195194, CVE-2012-5084: Better data validation for Swing
 * S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
 * S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance
 * S7198296, CVE-2012-5089: Refactor classloader usage
 * S7158800: Improve storage of symbol tables
 * S7158801: Improve VM CompileOnly option
 * S7158804: Improve config file parsing
 * S7176337: Additional changes needed for 7158801 fix
 * S7198606, CVE-2012-4416: Improve VM optimization

 The updated packages provide icedtea6-1.11.5 which is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5979
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
 http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
 http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 b0b8d9c220ca7c5fd6679d6848de69eb  2011/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
 45ea196c75b18bef9ecb5bc97615c1f3  2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
 f33ac952a55cdb585a59e6021367482f  2011/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
 6ad5fcabc72830cd332cd9e5243be609  2011/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
 49008a850c545e90a0ebb002902528eb  2011/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
 06e7da198f48cd281fe905deed67fd5c  2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1.src.rpm

 Mandriva Linux 2011/X86_64:
 debfb115214191ac94d4282463962909  2011/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm
 09e81180ede0595f8068ef9baeb2da22  2011/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm
 d93f958ff56643adf973770ace599211  2011/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm
 3a65468343ff92731e0a408f85d7e304  2011/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm
 ee4cf446eac536bf729eabf15a88867d  2011/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm
 06e7da198f48cd281fe905deed67fd5c  2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1.src.rpm

 Mandriva Enterprise Server 5:
 bcf38e820f1aa357fa0d64c50d323599  mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm
 7b79269ef163cab203f9b815f5216926  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm
 24068e420773723a130cff03ae1ef47b  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm
 5e3611c799dcfdf1471a327ec5955ac7
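The Updated Packages block above pairs each RPM with an MD5 digest, which is the only integrity check the advisory text itself offers. As an added example (not Mandriva's tooling), the following Python parses a block in that "digest  path" layout and checks files under a local mirror against it, reporting each package as ok, mismatch or missing. The excerpt embedded as ADVISORY_PACKAGES is copied from the advisory; the demo mirror with its constructed files and the function names are assumptions made for this illustration. Note that MD5 detects corruption and casual tampering only; the RPM's GPG signature, not the digest, is the check that binds the package to the vendor.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict

# Excerpt of the advisory's Updated Packages block (digest, two spaces, relative path).
ADVISORY_PACKAGES = """\
Mandriva Linux 2011:
b0b8d9c220ca7c5fd6679d6848de69eb  2011/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
45ea196c75b18bef9ecb5bc97615c1f3  2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm
Mandriva Enterprise Server 5:
bcf38e820f1aa357fa0d64c50d323599  mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm
"""

# One list entry: 32 hex characters, whitespace, a relative .rpm path. Section
# headings such as "Mandriva Linux 2011:" simply fail to match and are skipped.
_ENTRY = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")


def parse_package_list(text: str) -> Dict[str, str]:
    """Map each relative package path in an advisory block to its advertised MD5."""
    expected = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(expected: Dict[str, str], mirror_root: str) -> Dict[str, str]:
    """Return 'ok', 'mismatch' or 'missing' for every package the advisory lists."""
    results = {}
    for rel_path, digest in expected.items():
        local = os.path.join(mirror_root, rel_path)
        if not os.path.isfile(local):
            results[rel_path] = "missing"
        elif md5_of_file(local) == digest:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: a temporary mirror with one intact, one altered and one absent file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2011", "i586"))
        good = os.path.join(root, "2011", "i586", "good.rpm")
        tampered = os.path.join(root, "2011", "i586", "tampered.rpm")
        for path in (good, tampered):
            with open(path, "wb") as f:
                f.write(b"constructed rpm payload for " + os.path.basename(path).encode())
        # Build a manifest in the advisory's layout from the files as first written,
        # plus an entry (digest of all zeros, hypothetical) for a file never downloaded.
        manifest = "Constructed list:\n" + "\n".join(
            f"{md5_of_file(p)}  2011/i586/{os.path.basename(p)}" for p in (good, tampered)
        ) + "\n" + "0" * 32 + "  2011/i586/missing.rpm\n"
        with open(tampered, "ab") as f:  # alter one file after the manifest was taken
            f.write(b"\nextra bytes")
        return verify_downloads(parse_package_list(manifest), root)


if __name__ == "__main__":
    for rel_path, status in demo().items():
        print(f"{status:9} {rel_path}")
    print(len(parse_package_list(ADVISORY_PACKAGES)), "entries parsed from the advisory excerpt")
```

Against a real mirror, `parse_package_list` would be fed the full Updated Packages block from the advisory and `verify_downloads` the directory where the RPMs were fetched; a "mismatch" means the file should be discarded and fetched again, and a "missing" means the update set is incomplete.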