[SECURITY] [DSA 2724-1] chromium-browser security update

2013-07-19 Thread Michael Gilbert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

---------------------------------------------------------------------------
Debian Security Advisory DSA-2724-1                    secur...@debian.org
http://www.debian.org/security/                            Michael Gilbert
July 17, 2013                           http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package: chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2853 CVE-2013-2867 CVE-2013-2868 CVE-2013-2869
 CVE-2013-2870 CVE-2013-2871 CVE-2013-2873 CVE-2013-2875
 CVE-2013-2876 CVE-2013-2877 CVE-2013-2878 CVE-2013-2879
 CVE-2013-2880

Several vulnerabilities have been discovered in the Chromium web browser.

CVE-2013-2853

The HTTPS implementation does not ensure that headers are terminated
by \r\n\r\n (carriage return, newline, carriage return, newline).
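The check that CVE-2013-2853 describes as missing, written out as an added example (this is not Chromium code and not part of the advisory): a response header reader that accepts only the exact CRLF CRLF terminator and rejects a bare LF or a truncated block instead of guessing where the headers end. The sample buffers are constructed for the demonstration.

```python
# Added example, not Chromium's code: strict HTTP/1.x header termination.
# The header block must end in the exact bytes \r\n\r\n and every line in
# it must end in \r\n; a lone \n is never accepted as a terminator.
from typing import Dict, Tuple

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 64 * 1024  # refuse unbounded header growth


class MalformedHeaders(ValueError):
    """Raised when the header block is not properly CRLF CRLF terminated."""


def split_headers(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw response buffer into (headers, body) or raise."""
    end = raw.find(HEADER_END)
    if end == -1:
        if len(raw) > MAX_HEADER_BYTES:
            raise MalformedHeaders("header block too large without CRLF CRLF")
        raise MalformedHeaders("header block not terminated by CRLF CRLF")
    block, body = raw[:end], raw[end + len(HEADER_END):]
    # Any LF left after removing the CRLF pairs means a line lacked its CR.
    if b"\n" in block.replace(b"\r\n", b""):
        raise MalformedHeaders("header line not terminated by CRLF")
    lines = block.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1."):
        raise MalformedHeaders("missing HTTP/1.x status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MalformedHeaders(f"malformed header line: {line!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers, body


# Constructed sample buffers: one correct, one LF-only, one cut short.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Type: text/plain\r\n\r\nhello"
BARE_LF = b"HTTP/1.1 200 OK\nContent-Length: 5\n\nhello"
TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"


def check(raw: bytes) -> str:
    """Return 'ok' or the rejection reason (used by the demo below)."""
    try:
        split_headers(raw)
        return "ok"
    except MalformedHeaders as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for sample in (GOOD, BARE_LF, TRUNCATED):
        print(check(sample))
```

A client that stops at the first `\n\n` (or at whatever it has buffered so far) will hand a partial or attacker-shaped header block to the rest of its stack; the reader above fails closed on anything but the exact terminator.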

CVE-2013-2867

Chrome does not properly prevent pop-under windows.

CVE-2013-2868

common/extensions/sync_helper.cc proceeds with sync operations for
NPAPI extensions without checking for a certain plugin permission
setting.

CVE-2013-2869

Denial of service (out-of-bounds read) via a crafted JPEG2000
image.

CVE-2013-2870

Use-after-free vulnerability in network sockets.

CVE-2013-2871

Use-after-free vulnerability in input handling.

CVE-2013-2873

Use-after-free vulnerability in resource loading.

CVE-2013-2875

Out-of-bounds read in SVG file handling.

CVE-2013-2876

Chrome does not properly enforce restrictions on the capture of
screenshots by extensions, which could lead to information
disclosure from previous page visits.

CVE-2013-2877

Out-of-bounds read in XML file handling.

CVE-2013-2878

Out-of-bounds read in text handling.

CVE-2013-2879

The circumstances in which a renderer process can be considered a
trusted process for sign-in and subsequent sync operations were
not properly checked.

CVE-2013-2880

The chrome 28 development team found various issues from internal
fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in
version 28.0.1500.71-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 28.0.1500.71-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



DeepSec 2013 - Call for Papers - REMINDER

2013-07-19 Thread deepsec
--- DeepSec 2013 Seven Seas - Call for Papers - REMINDER!

We are looking for talks and trainings for the DeepSec In-Depth Security
Conference 2013 (Seven Seas). We invite researchers, developers, auditors
and everyone else dealing with information security to submit their work.
We offer slots for talks and workshops, and we encourage everyone working
on projects to present their results and findings.

The motto of DeepSec 2013 is all about secrets, failures and visions!
See http://blog.deepsec.net/?p=1293 for the background.

Please visit our updated website for more details about the venue, the
schedule and information about our past conferences:
https://deepsec.net/

The DeepSec offers a mix of different topics and aspects like current
threats and vulnerabilities, social engineering and psychological aspects
as well as security management and philosophy. Our speakers and trainers
traditionally come from the security community, companies, hacker spaces,
journalism and academic organisations.

You can submit content for three categories:
- Talks for the conference (45 minute slots)
- Two day workshops
- U21 (a special category for young security researchers)

https://deepsec.net/cfp.html

--- Talks:
To make it short, talks should be up-to-date, of a high quality that
matches our previous years and preferably exclusive (which of course is not
a hard requirement but it will be one evaluation criterion). Topics from
all security disciplines are welcome but we encourage you to submit talks
about emerging technologies and concepts like these (in alphabetical
order):
- Cloud computing and virtualisation
- Design flaws (defective by design or even secure by design)
- IPv6 (again, until protocol designers get it right)
- Mobile computing and communications
- Risk assessment
- Security intelligence
- Security management and IT governance
- Topics that have a high impact on IT security

Talks must not:
- Endorse products, vendors or specific solutions
- Discredit anyone or anything, let's be fair

Speaker privileges:
- Free entrance to the conference
- Hotel accommodation for three nights (single/double room)
- Travel expenses up to EUR 800,-
- Invitation to our famous Speaker's Dinner with genuine Austrian food

--- Workshops:
We look for highest quality and most current topics. We had very good
feedback for our workshops in the past and we want to keep it that way.
Our audience has a very high level of technical understanding and is
deeply involved with security management, implementation, operation and
research.
What we like to see:
- Applied cryptography
- In-depth workshops on securing infrastructure or systems therein
- Mobile communications, vulnerabilities and defences
- Protocol and software development/design
- Social engineering and psychological aspects

Workshops should not:
- Cover too much (two days sounds a lot, but isn't)
- Focus on specific vendors or products
- Teach too much basic stuff (keep the level sufficiently high)

Trainer privileges:
- Free entrance to the conference
- Invitation to our famous Speaker's Dinner with Austrian food
- 50% of the net profit of your class

--- U21 category:
We don't take the age so seriously as it might sound, but this category is
especially for young security researchers who are *not* working in a
professional sense yet, e.g. (full-time) students, or attending college,
technical school or just interested in computer security. We will also
accept submissions if you are a little bit older than 21 years.
Don't be shy if your idea is not groundbreaking or not the top
vulnerability discovered in the last 5 years. There's always room for
some extra hacking and we'd be happy to provide a basis for breakthroughs. :)
We want to encourage you to submit your _own_ research.
We will ask some questions and evaluate your submission, so don't cheat.
What we like to see:
- anything that is your own idea and/or implementation
- a valuable extension to existing ideas and/or implementations
- anything you have discovered on your own and is not discussed a lot
yet or has been accepted as a CVE (common exploit and vulnerability)

Please don't:
- Implement something which has been around for long
- Reuse something existing

U21 privileges:
- A 15 minute lightning talk on the conference
- Free entrance to the conference
- Invitation to the Speaker's Dinner, but no alcohol without age
check ;)
- We help you with your travel expenses to Vienna, but cannot cover the
full speakers allowance, if in doubt talk to us we can work something
out.

All CfP submissions must go through the form on our web site:
https://deepsec.net/cfp.html

Please make sure that you read http://blog.deepsec.net/?p=294 before
submitting your ideas. Practice is never a bad thing. :)

We will support anyone if you have questions, need clarification or
whatever; just contact us for additional questions: c...@deepsec.net



Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials

2013-07-19 Thread kyle Lovett
Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
All firmware including the latest Ver. 1.04.16

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware 1.06 and below -
Version 1.07.16 released on 05/2013 fixes the bug for the N900 and N900C

Vulnerabilities -
Due to an unspecified bug in the WD My Net N600, N750, N900 and N900C
routers, administrative credentials are stored in plain text and are
easily accessible from a remote location on the WAN side of the
router.

Note: In addition, hidden elements of the administrative GUI can be
revealed on all the routers with a few trivial actions. It is not
known at this time if changes to the admin console can be successfully
made through the revealed elements.

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

Vendor Timeline-
Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes-
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16, which
fixes the bug on these two routers.

On WD My Net N600 and N750
There are no known patches or fixes available at this time.

Mitigation and Workarounds-
On N900 and N900C
Upgrade to Firmware Version 1.07.16

WD My Net N600 and N750
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password

Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet


Re: [Full-disclosure] XSS Vulnerabilities in Serendipity

2013-07-19 Thread Henri Salo
On Fri, Jul 12, 2013 at 02:29:52PM +0300, Netsparker Advisories wrote:
 Information
 
 Name :  XSS Vulnerabilities in Serendipity
 Software :  Serendipity 1.6.2 and possibly below.
 Vendor Homepage :  http://www.s9y.org/
 Vulnerability Type :  Cross-Site Scripting
 Severity :  Medium
 Researcher :  Omar Kurt
 Advisory Reference :  NS-13-003
 
 Description
 
 Serendipity is a PHP-powered weblog application which gives the user an
 easy way to maintain an online diary, weblog or even a complete homepage.
 While the default package is designed for the casual blogger, Serendipity
 offers a flexible, expandable and easy-to-use framework with the power for
 professional applications.
 
 Details
 
 Serendipity is affected by XSS vulnerabilities in version 1.6.2.
 
 http://example.com/serendipity_admin_image_selector.php?serendipity%5Btextarea%5D=%27%2Balert(0x000887)%2B%27serendipity%5Baction%5D=208.100.0.117serendipity%5BadminAction%5D=208.100.0.117serendipity%5BadminModule%5D=208.100.0.117serendipity%5Bstep%5D=defaultserendipity%5Bonly_path%5D=208.100.0.117
 http://example.com/serendipity_admin_image_selector.php?serendipity%5Bhtmltarget%5D=%27%2Balert(0x000A02)%2B%27serendipity%5Baction%5D=208.100.0.117serendipity%5BadminAction%5D=208.100.0.117serendipity%5BadminModule%5D=208.100.0.117serendipity%5Bstep%5D=defaultserendipity%5Bonly_path%5D=208.100.0.117
 
 You can read the full article about Cross-Site Scripting from here :
 http://www.mavitunasecurity.com/crosssite-scripting-xss/
 
 Solution
 
 The vendor fixed this vulnerability in the new version. Please see the
 references.
 
 Advisory Timeline
 
 26/02/2013 - First contact
 04/03/2013 - Sent the details
 10/07/2013 - Advisory released
 
 References
 
 Vendor Url / Patch : -
 MSL Advisory Link :
 https://www.mavitunasecurity.com/xss-vulnerabilities-in-serendipity/
 Netsparker Advisories :
 http://www.mavitunasecurity.com/netsparker-advisories/

So is this fixed in version 1.7? No vendor URL/path listed in your references.
Does this vulnerability have a CVE identifier? What was the vendor response?

---
Henri Salo


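The advisory's URLs carry payloads of the shape '+alert(...)+' in the serendipity[textarea] and serendipity[htmltarget] parameters, i.e. a value that lands inside a single-quoted JavaScript string. As an added example (not Serendipity's code; the function and variable names are hypothetical), here is that vulnerable emission next to the output-encoding that keeps the value a string literal whatever it contains:

```python
# Added example, not Serendipity's code: embedding a server-side value in
# an inline <script>. The unsafe form concatenates the raw value into a
# quoted JS literal; the safe form emits a JSON-derived literal and also
# escapes <, > and & so the literal cannot close the <script> element.
import json

JS_HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Return a JS string literal for value that is safe inside <script>."""
    literal = json.dumps(value)  # escapes ", \, control and non-ASCII chars
    for ch, esc in JS_HTML_ESCAPES.items():
        literal = literal.replace(ch, esc)
    return literal


def render_textarea_script_unsafe(textarea: str) -> str:
    """The vulnerable shape: raw concatenation into a quoted JS string."""
    return "<script>var textarea = '" + textarea + "';</script>"


def render_textarea_script(textarea: str) -> str:
    """The hardened shape: the value can only ever be a string literal."""
    return "<script>var textarea = " + js_string_literal(textarea) + ";</script>"


# Constructed input in the shape of the advisory's payloads.
PAYLOAD = "'+alert(0)+'"

if __name__ == "__main__":
    print(render_textarea_script_unsafe(PAYLOAD))  # quote is closed early
    print(render_textarea_script(PAYLOAD))         # stays one string literal
```

The same rule applies to every parameter the advisory lists: encode for the exact context (JS string, HTML attribute, HTML text) at the point of output rather than trying to filter the input.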


SEC Consult SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer

2013-07-19 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20130719-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Sybase EAServer
 vulnerable version: <=6.3.1
      fixed version: vendor did not supply version information
         CVE number: -
             impact: critical
           homepage: www.sybase.com
              found: 10/2012
                 by: Gerhard Wagner, Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
---
Sybase EAServer fully supports all the Web services standards and enables
enterprises to rapidly expose business functions as Web services. EAServer also
provides a graphical interface to automate the publication and management of
your company’s Web services. Today, EAServer supports EJB and Java/CORBA
components, CICS integrator, and database stored procedures. These stored
procedures can be from all Sybase’s databases including ASE, SQL Anywhere,
and IQ; in addition, they will support IBM, Oracle, and Microsoft. EAServer can
also support iAnywhere messaging services, enabling the developer to expose
these components as Web services.


Business recommendation:

The default applications that are deployed by default during the installation
of Sybase EAServer should be removed. Further, it is recommended to test the
patches provided by Sybase.


Vulnerability overview/description:
---
1) Directory traversal
In order to use a common web server such as IIS as a frontend and forward only
certain requests to the Sybase EAServer it is a common practice to install and
configure the EAServer redirector plug-in. An incoming request will be received
by the web server, validated if it matches any context configured within the
redirector plug-in and if so forwarded to the appropriate application context.
So a request such as the following will be forwarded by the redirector plug-in
in case the configuration contains such an application.

https://example.com/myapp -> https://myEAServer/myapp

If the request contains a path like /\.. the redirector plug-in is not
normalising the path as a part of the myapp application. Therefore, the
request will be passed on to the Sybase EAServer where backslash as well as
forward slash are valid directory separators and therefore using such a method
it is possible to access all deployed applications.

https://example.com/myapp/%5C../another_application
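As an added example (not SEC Consult's or Sybase's code), this is the normalisation step the redirector plug-in is missing: decode, treat backslash and slash alike, resolve the dot segments, and only then compare against the configured contexts. FORWARDED_CONTEXTS is a hypothetical stand-in for the plug-in's configuration and the request paths are constructed.

```python
# Added example, not the redirector plug-in's code: canonicalise a request
# path before deciding whether it belongs to a forwarded application
# context. Both "/" and "\" (raw or percent-encoded, even double-encoded)
# are separators, so "/myapp/%5C../console/Login.jsp" canonicalises to
# "/console/Login.jsp", is seen to leave "/myapp", and is refused.
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical redirector configuration: only these contexts are forwarded.
FORWARDED_CONTEXTS = ("/myapp",)


def canonical_path(request_path: str) -> str:
    """Return the canonical absolute path for a request path."""
    path = request_path
    for _ in range(3):  # bounded decode loop: stop at a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # the back end treats both as separators
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()  # climbing above "/" just stays at "/"
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def forward_target(request_path: str) -> Optional[str]:
    """Canonical path to forward, or None when it leaves every context."""
    canon = canonical_path(request_path)
    for ctx in FORWARDED_CONTEXTS:
        if canon == ctx or canon.startswith(ctx + "/"):
            return canon
    return None


if __name__ == "__main__":
    for p in ("/myapp/page.jsp", "/myapp/%5C../console/Login.jsp",
              "/myapp/%255C../wsh/", "/myapplication/x"):
        print(p, "->", forward_target(p))
```

The comparison is done on the canonical form with a trailing separator ("/myapp/"), so a sibling context whose name merely starts with the same letters does not match either.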


2) XML entity injection
Due to insufficient input validation it is possible to pass external entity
definitions to the server-side XML processor for REST requests with an XML
media type. By calling the built-in function testDataTypes() an attacker can
list directories and display arbitrary files on the affected system, as long as
the files don't conflict with the UTF-8 encoding.


3) OS command execution
The WSH service allows running OS commands and can only be accessed by providing
administrative credentials. Using the XXE vulnerability mentioned before it is
potentially possible to retrieve the credentials from configuration files and
run OS commands using the WSH service.



Proof of concept:
-
1) Directory traversal
The following request allows access to the Sybase EAServer management
application:

https://example.com/myapp/%5C../console/Login.jsp

Also the other applications that come by default with Sybase EAServer can be
accessed using their respective context for example:

/rest
/wsh
/wsf
...



2) XML entity injection
The following XML message displays the contents of the drive C: on a Windows
system:

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///C:\">]>

<lol>
<dt>
<stringValue>&xxe;</stringValue>
<booleanValue>0</booleanValue>
</dt>
</lol>
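The server-side fix for this class of issue is to refuse document type declarations altogether on an endpoint that never needs them. As an added example (not SEC Consult's or Sybase's code), here is an expat pre-scan that raises on any DOCTYPE, entity declaration or external entity reference before the message is parsed; the two sample messages are constructed, and the file path in the rejected one is a placeholder.

```python
# Added example, not Sybase's code: parse an untrusted REST body with the
# DTD machinery switched off. expat is told to raise on any DOCTYPE or
# entity declaration, so a message carrying an external entity is refused
# before any file is touched; a plain message is parsed into a dict.
import xml.parsers.expat
from typing import Dict
from xml.etree import ElementTree as ET


class DtdRejected(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Scan with expat and raise DtdRejected on any DOCTYPE/ENTITY."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def on_entity(*_args):
        raise DtdRejected("entity declarations are not allowed")

    def on_external_ref(*_args):
        raise DtdRejected("external entity references are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions from handlers propagate


def parse_dt_message(data: bytes) -> Dict[str, str]:
    """Return {child tag: text} for the <dt> element of a <lol> message."""
    reject_dtd(data)
    root = ET.fromstring(data)
    dt = root.find("dt")
    if root.tag != "lol" or dt is None:
        raise ValueError("not a lol/dt message")
    return {child.tag: (child.text or "") for child in dt}


def classify(data: bytes) -> str:
    """'parsed' or the rejection reason, for the demo and test."""
    try:
        parse_dt_message(data)
        return "parsed"
    except DtdRejected as exc:
        return f"rejected: {exc}"


# Constructed sample messages in the shape of the REST body above.
BENIGN = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<lol><dt><stringValue>hello</stringValue><booleanValue>0</booleanValue></dt></lol>"""

DTD_SHAPED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///PLACEHOLDER">]>
<lol><dt><stringValue>&xxe;</stringValue><booleanValue>0</booleanValue></dt></lol>"""

if __name__ == "__main__":
    print(classify(BENIGN))
    print(classify(DTD_SHAPED))
```

Rejecting at the DOCTYPE handler, rather than at the entity reference, also covers the variants that only declare entities (billion-laughs style expansion) without ever fetching a file.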



3) OS command execution
Due to the potential impact the proof-of-concept has been removed.


Vulnerable / tested versions:
-
The issues have been tested in Sybase EAServer 6.3.1 on Windows.


Vendor contact timeline:

2013-03-11: Contact the vendor and provide vulnerability information
2013-06-11: Vendor fixes the issues
2013-06-28: Agreement on disclosure date 2013-07-19
2013-07-19: Public disclosure


Solution:
-
According to the vendor customers can download the latest patches from
http://www.sybase.com/downloads. The patches have not been tested by
SEC Consult.


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax: +43 1 8903043 15

[security bulletin] HPSBMU02900 rev.2 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities

2013-07-19 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03839862
Version: 2

HPSBMU02900 rev.2 - HP System Management Homepage (SMH) running on Linux and
Windows, Multiple Remote and Local Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-07-18
Last Updated: 2013-07-19

Potential Security Impact: Local Denial of Service (DoS), remote Denial of
Service (DoS), execution of arbitrary code, gain extended privileges,
disclosure of information, unauthorized access, XSS

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows. The vulnerabilities
could be exploited remotely resulting in Local Denial of Service (DoS),
remote Denial of Service (DoS), execution of arbitrary code, gain privileges,
disclosure of information, unauthorized access, or XSS.

References:
CVE-2011-3389 (SSRT100740) Remote disclosure of information
CVE-2012-0883 (SSRT101209) Remote gain extended privileges
CVE-2012-2110 (SSRT101210) Remote Denial of Service (DoS)
CVE-2012-2311 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2329 (SSRT100992) Remote Denial of Service (DoS)
CVE-2012-2335 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2336 (SSRT100992) Remote Denial of Service (DoS)
CVE-2012-5217 (SSRT101137) Remote unauthorized access
CVE-2013-2355 (SSRT100696) Remote unauthorized Access
CVE-2013-2356 (SSRT100835) Remote disclosure of information
CVE-2013-2357 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2358 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2359 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2360 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2361 (SSRT101007) XSS
CVE-2013-2362 (SSRT101076, ZDI-CAN-1676) Local Denial of Service (DoS)
CVE-2013-2363 (SSRT101150) Remote disclosure of information
CVE-2013-2364 (SSRT101151) XSS

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux and
Windows.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
CVE-2011-3389    (AV:N/AC:M/Au:N/C:P/I:N/A:N)          4.3
CVE-2012-0883    (AV:L/AC:M/Au:N/C:C/I:C/A:C)          6.9
CVE-2012-2110    (AV:N/AC:L/Au:N/C:P/I:P/A:P)          7.5
CVE-2012-2311    (AV:N/AC:L/Au:N/C:P/I:P/A:P)          7.5
CVE-2012-2329    (AV:N/AC:L/Au:N/C:N/I:N/A:P)          5.0
CVE-2012-2335    (AV:N/AC:L/Au:N/C:P/I:P/A:P)          7.5
CVE-2012-2336    (AV:N/AC:L/Au:N/C:N/I:N/A:P)          5.0
CVE-2012-5217    (AV:N/AC:H/Au:N/C:P/I:N/A:N)          2.6
CVE-2013-2355    (AV:N/AC:M/Au:N/C:P/I:N/A:N)          4.3
CVE-2013-2356    (AV:N/AC:L/Au:N/C:C/I:N/A:N)          7.8
CVE-2013-2357    (AV:N/AC:M/Au:S/C:N/I:N/A:C)          6.3
CVE-2013-2358    (AV:N/AC:M/Au:S/C:N/I:N/A:C)          6.3
CVE-2013-2359    (AV:N/AC:M/Au:S/C:N/I:N/A:P)          3.5
CVE-2013-2360    (AV:N/AC:M/Au:S/C:N/I:N/A:P)          3.5
CVE-2013-2361    (AV:N/AC:M/Au:N/C:N/I:P/A:N)          4.3
CVE-2013-2362    (AV:L/AC:H/Au:S/C:N/I:N/A:P)          1.0
CVE-2013-2363    (AV:N/AC:H/Au:N/C:C/I:N/A:P)          6.1
CVE-2013-2364    (AV:N/AC:L/Au:S/C:N/I:N/A:P)          4.0
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks agix for working with the TippingPoint
Zero Day Initiative to report vulnerability CVE-2013-2362 to
security-al...@hp.com

RESOLUTION

HP has made System Management Homepage (SMH) v7.2.1 or subsequent available
for Windows and Linux to resolve the vulnerabilities.

Information and updates for SMH can be found at the following location:

http://h18013.www1.hp.com/products/servers/management/agents/index.html

HISTORY
Version:1 (rev.1) - 18 July 2013 Initial release
Version:2 (rev.2) - 19 July 2013 Corrected CVE-2012-5217 assignment

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security 

Download Lite v4.3 iOS - Persistent File Web Vulnerability

2013-07-19 Thread Vulnerability Lab
Title:
==
Download Lite v4.3 iOS - Persistent File Web Vulnerability


Date:
=
2013-07-19


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1023


VL-ID:
=
1023


Common Vulnerability Scoring System:

3.5


Introduction:
=
Downloads Lite is a fully featured download manager that allows you to download
files to your iPhone or iPod touch; you can then view/play the downloaded files
right on your iPhone or iPod touch, or transfer them to your computer. Downloads
Lite has all the essential features of the full version of Downloads except
that it is limited to storing up to 7 files.

( Copy of the Vendor Homepage: 
https://itunes.apple.com/en/app/downloads-lite-downloader/id349275540 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a persistent input
validation vulnerability in the Download Lite application (Apple iOS - iPad &
iPhone).


Report-Timeline:

2013-07-19:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: Download Lite & Pro - Mobile Application 4.3


Exploitation-Technique:
===
Local


Severity:
=
Medium


Details:

A persistent input validation web vulnerability is detected in the Download
Lite v4.3 application (Apple iOS - iPad & iPhone). The bug allows an attacker
(remote) to implement/inject malicious script code on the application side
(persistent) of the device.

The vulnerability is located in the index file dir listing module of the
web-server (http://localhost:800) when processing manipulated `file names`
injected via the POST method. The persistent script code will be executed in
the main index file dir listing module when the service lists the newly
injected malicious filename as an item.

Exploitation of the persistent web vulnerability requires low user interaction
and a local privilege application & device account. Successful exploitation of
the vulnerability can lead to persistent session hijacking (customers), account
stealing via persistent web attacks, persistent phishing or stable (persistent)
certificate mail notification context manipulation.

Vulnerable Application(s):
[+] Download Lite v4.3 - iTunes or AppStore 
(Apple)

Vulnerable Module(s):
[+] Add File

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing


Proof of Concept:
=
The persistent input validation web vulnerability can be exploited by local 
attackers with low required user interaction. For demonstration or reproduce ...


PoC: File Name - Persistent Script Code Injection

<body>
<div id="main">
<div id="header">
<form action="/files" enctype="multipart/form-data" method="post" class="upload">
<img src="Downloader_files/Icon-Small.png"> Downloader
</form>
</div>
<table border="0" cellpadding="0" cellspacing="0">
<thead>
 <tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href="http://192.168.2.104:8080/files/Downloader.sqlite3" class="file">Downloader.sqlite3[PERSISTENT INJECTED SCRIPT CODE as FILENAME!]</a></td><td class="del">
<form action="/files/Downloader.sqlite3" method="post"><input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" type="submit"></form></td></tr></tbody>
</table>
<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
  var shadow = false;
  $.each(data, function(i,item){
    var trclass='';
    if (shadow)
      trclass="  class='shadow'";
    encodeName = encodeURI(item.name).replace("'", "&#39;");
    $("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" + "<td class='del'><form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=\"commit\" type=\"submit\" value=\"Delete\" class='button' /></td>" + "</tr>").appendTo("#filelist");
    shadow = !shadow;
  });
});
</script>
<div id="footer">

  <div class="content">
  
  </div>
</div>
</div>
</body></html>
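The listing above concatenates item.name into the link text without escaping, which is the injection point the advisory describes. As an added example (not Vulnerability Lab's or the app's code; the function names are hypothetical), here is a server-side renderer for the same row layout that escapes the file name for each context it is placed in, with the file names constructed for the demonstration:

```python
# Added example, not the app's code: render a file listing so a stored file
# name can never become markup. The name is percent-encoded where it forms
# part of a URL and HTML-escaped where it is text or an attribute value.
import html
from typing import Iterable
from urllib.parse import quote


def render_row(name: str, files_base: str = "/files/") -> str:
    """One <tr> for the listing, safe for both the text and the URL context."""
    href = files_base + quote(name, safe="")          # URL context
    href_attr = html.escape(href, quote=True)         # attribute context
    text = html.escape(name, quote=True)              # text context
    return (
        f"<tr><td><a href=\"{href_attr}\" class=\"file\">{text}</a></td>"
        f"<td class=\"del\"><form action=\"{href_attr}\" method=\"post\">"
        "<input name=\"_method\" value=\"delete\" type=\"hidden\">"
        "<input name=\"commit\" value=\"Delete\" class=\"button\" type=\"submit\">"
        "</form></td></tr>"
    )


def render_listing(names: Iterable[str]) -> str:
    """The <tbody> the page's script builds, rendered with escaping."""
    return "<tbody id=\"filelist\">" + "".join(render_row(n) for n in names) + "</tbody>"


# Constructed file names: a normal one, one carrying markup, one with quotes.
SAMPLE_NAMES = ["Downloader.sqlite3", "report<b>bold</b>.txt", "a'b\"c.pdf"]

if __name__ == "__main__":
    print(render_listing(SAMPLE_NAMES))
```

When the rows are built in the browser instead, the equivalent is to create the elements and set `textContent` and the `href` attribute through the DOM rather than assembling an HTML string from the name.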

Note: As you can see in the encoded name, the string bypasses the validation
because of the local (stored) location.
An attacker can inject their own script code by using the local device to
execute when a remote user is