[SECURITY] [DSA 2724-1] chromium-browser security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2724-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
July 17, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2853 CVE-2013-2867 CVE-2013-2868 CVE-2013-2869
                 CVE-2013-2870 CVE-2013-2871 CVE-2013-2873 CVE-2013-2875
                 CVE-2013-2876 CVE-2013-2877 CVE-2013-2878 CVE-2013-2879
                 CVE-2013-2880

Several vulnerabilities have been discovered in the Chromium web browser.

CVE-2013-2853
    The HTTPS implementation does not ensure that headers are terminated
    by \r\n\r\n (carriage return, newline, carriage return, newline).

CVE-2013-2867
    Chrome does not properly prevent pop-under windows.

CVE-2013-2868
    common/extensions/sync_helper.cc proceeds with sync operations for
    NPAPI extensions without checking for a certain plugin permission
    setting.

CVE-2013-2869
    Denial of service (out-of-bounds read) via a crafted JPEG2000 image.

CVE-2013-2870
    Use-after-free vulnerability in network sockets.

CVE-2013-2871
    Use-after-free vulnerability in input handling.

CVE-2013-2873
    Use-after-free vulnerability in resource loading.

CVE-2013-2875
    Out-of-bounds read in SVG file handling.

CVE-2013-2876
    Chrome does not properly enforce restrictions on the capture of
    screenshots by extensions, which could lead to information disclosure
    from previous page visits.

CVE-2013-2877
    Out-of-bounds read in XML file handling.

CVE-2013-2878
    Out-of-bounds read in text handling.

CVE-2013-2879
    The circumstances in which a renderer process can be considered a
    trusted process for sign-in and subsequent sync operations were not
    properly checked.

CVE-2013-2880
    The chrome 28 development team found various issues from internal
    fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in
version 28.0.1500.71-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 28.0.1500.71-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
DeepSec 2013 - Call for Papers - REMINDER
---

DeepSec 2013 "Seven Seas" - Call for Papers - REMINDER!

We are looking for talks and trainings for the DeepSec In-Depth Security
Conference 2013 (Seven Seas). We invite researchers, developers, auditors
and everyone else dealing with information security to submit their work.
We offer slots for talks and workshops, and we encourage everyone working
on projects to present their results and findings.

The motto of DeepSec 2013 is all about secrets, failures and visions!
See http://blog.deepsec.net/?p=1293 for the background.

Please visit our updated website for more details about the venue, the
schedule and information about our past conferences: https://deepsec.net/

The DeepSec offers a mix of different topics and aspects like current
threats and vulnerabilities, social engineering and psychological aspects
as well as security management and philosophy. Our speakers and trainers
traditionally come from the security community, companies, hacker spaces,
journalism and academic organisations.

You can submit content for three categories:

- Talks for the conference (45 minute slots)
- Two day workshops
- U21 (a special category for young security researchers)

https://deepsec.net/cfp.html

---

Talks:

To make it short, talks should be up-to-date, of a high quality that
matches our previous years and preferably exclusive (which of course is
not a hard requirement but it will be one evaluation criterion).

Topics from all security disciplines are welcome but we encourage you to
submit talks about emerging technologies and concepts like these (in
alphabetical order):

- Cloud computing and virtualisation
- Design flaws (defective by design or even secure by design)
- IPv6 (again, until protocol designers get it right)
- Mobile computing and communications
- Risk assessment
- Security intelligence
- Security management and IT governance
- Topics that have a high impact on IT security

Talks must not:

- Endorse products, vendors or specific solutions
- Discredit anyone or anything, let's be fair

Speaker privileges:

- Free entrance to the conference
- Hotel accommodation for three nights (single/double room)
- Travel expenses up to EUR 800,-
- Invitation to our famous Speaker's Dinner with genuine Austrian food

---

Workshops:

We look for the highest quality and most current topics. We had very good
feedback for our workshops in the past and we want to keep it that way.
Our audience has a very high level of technical understanding and is
deeply involved with security management, implementation, operation and
research.

What we like to see:

- Applied cryptography
- In-depth workshops on securing infrastructure or systems therein
- Mobile communications, vulnerabilities and defences
- Protocol and software development/design
- Social engineering and psychological aspects

Workshops should not:

- Cover too much (two days sounds a lot, but isn't)
- Focus on specific vendors or products
- Teach too much basic stuff (keep the level sufficiently high)

Trainer privileges:

- Free entrance to the conference
- Invitation to our famous Speaker's Dinner with Austrian food
- 50% of the net profit of your class

---

U21 category:

We don't take the age so seriously as it might sound, but this category
is especially for young security researchers who are *not* working in a
professional sense yet, e.g. (full-time) students, or attending college,
technical school or just interested in computer security. We will also
accept submissions if you are a little bit older than 21 years.

Don't be shy if your idea is not groundbreaking or not the top
vulnerability discovered in the last 5 years. There's always room for
some extra hacking and we'd be happy to provide a basis for
breakthroughs. :)

We want to encourage you to submit your _own_ research. We will ask some
questions and evaluate your submission, so don't cheat.

What we like to see:

- anything that is your own idea and/or implementation
- a valuable extension to existing ideas and/or implementations
- anything you have discovered on your own that is not discussed a lot
  yet or has been accepted as a CVE (common exploit and vulnerability)

Please don't:

- Implement something which has been around for long
- Reuse something existing

U21 privileges:

- A 15 minute lightning talk at the conference
- Free entrance to the conference
- Invitation to the Speaker's Dinner, but no alcohol without age check ;)
- We help you with your travel expenses to Vienna, but cannot cover the
  full speaker's allowance; if in doubt talk to us, we can work something
  out.

All CfP submissions must go through the form on our web site:
https://deepsec.net/cfp.html

Please make sure that you read http://blog.deepsec.net/?p=294 before
submitting your ideas. Practice is never a bad thing. :)

We will support anyone who has questions or needs clarification,
whatever it is; just contact us for additional questions: c...@deepsec.net
Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials
Vulnerable Products -

WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
  Linux 2.6.3 Kernel
  All firmware including the latest Ver. 1.04.16

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
  Firmware 1.06 and below - Version 1.07.16 released on 05/2013 fixes the
  bug for the N900 and N900C

Vulnerabilities -

Due to an unspecified bug in the WD My Net N600, N750, N900 and N900C
routers, administrative credentials are stored in plain text and are
easily accessible from a remote location on the WAN side of the router.

Note: In addition, hidden elements of the administrative GUI can be
revealed on all the routers with a few trivial actions. It is not known
at this time if changes to the admin console can be successfully made
through the revealed elements.

Conditions -

UPnP and remote administrative access must be enabled for the bug to be
activated.

Vendor Timeline -

Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes -

On WD My Net N900 and N900C: It is advised that users upgrade to Firmware
Version 1.07.16, which fixes the bug on these two routers.

On WD My Net N600 and N750: There are no known patches or fixes available
at this time.

Mitigation and Workarounds -

On N900 and N900C:
  Upgrade to Firmware Version 1.07.16

On WD My Net N600 and N750:
  Turn off all remote administrative access to the router
  Disable UPnP services
  Change the default username and password

Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet
Re: [Full-disclosure] XSS Vulnerabilities in Serendipity
On Fri, Jul 12, 2013 at 02:29:52PM +0300, Netsparker Advisories wrote:
> Information
> Name : XSS Vulnerabilities in Serendipity
> Software : Serendipity 1.6.2 and possibly below.
> Vendor Homepage : http://www.s9y.org/
> Vulnerability Type : Cross-Site Scripting
> Severity : Medium
> Researcher : Omar Kurt
> Advisory Reference : NS-13-003
>
> Description
> Serendipity is a PHP-powered weblog application which gives the user an
> easy way to maintain an online diary, weblog or even a complete
> homepage. While the default package is designed for the casual blogger,
> Serendipity offers a flexible, expandable and easy-to-use framework with
> the power for professional applications.
>
> Details
> Serendipity is affected by XSS vulnerabilities in version 1.6.2.
>
> http://example.com/serendipity_admin_image_selector.php?serendipity%5Btextarea%5D=%27%2Balert(0x000887)%2B%27serendipity%5Baction%5D=208.100.0.117serendipity%5BadminAction%5D=208.100.0.117serendipity%5BadminModule%5D=208.100.0.117serendipity%5Bstep%5D=defaultserendipity%5Bonly_path%5D=208.100.0.117
>
> http://example.com/serendipity_admin_image_selector.php?serendipity%5Bhtmltarget%5D=%27%2Balert(0x000A02)%2B%27serendipity%5Baction%5D=208.100.0.117serendipity%5BadminAction%5D=208.100.0.117serendipity%5BadminModule%5D=208.100.0.117serendipity%5Bstep%5D=defaultserendipity%5Bonly_path%5D=208.100.0.117
>
> You can read the full article about Cross-Site Scripting from here:
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
>
> Solution
> The vendor fixed this vulnerability in the new version. Please see the
> references.
>
> Advisory Timeline
> 26/02/2013 - First contact
> 04/03/2013 - Sent the details
> 10/07/2013 - Advisory released
>
> References
> Vendor Url / Patch : -
> MSL Advisory Link : https://www.mavitunasecurity.com/xss-vulnerabilities-in-serendipity/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/

So is this fixed in version 1.7? No vendor URL/patch is listed in your
references. Does this vulnerability have a CVE identifier? What was the
vendor response?

--
Henri Salo
SEC Consult SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer
SEC Consult Vulnerability Lab Security Advisory < 20130719-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Sybase EAServer
 vulnerable version: <=6.3.1
      fixed version: vendor did not supply version information
         CVE number: -
             impact: critical
           homepage: www.sybase.com
              found: 10/2012
                 by: Gerhard Wagner, Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Sybase EAServer fully supports all the Web services standards and enables
enterprises to rapidly expose business functions as Web services.
EAServer also provides a graphical interface to automate the publication
and management of your company's Web services. Today, EAServer supports
EJB and Java/CORBA components, CICS integrator, and database stored
procedures. These stored procedures can be from all Sybase's databases
including ASE, SQL Anywhere, and IQ; in addition, they will support IBM,
Oracle, and Microsoft. EAServer can also support iAnywhere messaging
services, enabling the developer to expose these components as Web
services.

Business recommendation:
------------------------
The default applications that are deployed by default during the
installation of Sybase EAServer should be removed. Further, it is
recommended to test the patches provided by Sybase.

Vulnerability overview/description:
-----------------------------------
1) Directory traversal
In order to use a common web server such as IIS as a front end and
forward only certain requests to the Sybase EAServer, it is common
practice to install and configure the EAServer redirector plug-in. An
incoming request will be received by the web server, validated as to
whether it matches any context configured within the redirector plug-in
and, if so, forwarded to the appropriate application context. So a
request such as the following will be forwarded by the redirector plug-in
in case the configuration contains such an application.

  https://example.com/myapp -> https://myEAServer/myapp

If the request contains a path like /\.. the redirector plug-in is not
normalising the path as a part of the myapp application. Therefore, the
request will be passed on to the Sybase EAServer, where backslash as well
as forward slash are valid directory separators, and therefore using such
a method it is possible to access all deployed applications.

  https://example.com/myapp/%5C../another_application

2) XML entity injection
Due to insufficient input validation it is possible to pass external
entity definitions to the server-side XML processor for REST requests
with an XML media type. By calling the built-in function testDataTypes()
an attacker can list directories and display arbitrary files on the
affected system, as long as the files don't conflict with the UTF-8
encoding.

3) OS command execution
The WSH service allows running OS commands and it can only be accessed by
providing administrative credentials. Using the XXE vulnerability
mentioned before it is potentially possible to retrieve the credentials
from configuration files and run OS commands using the WSH service.

Proof of concept:
-----------------
1) Directory traversal
The following request allows access to the Sybase EAServer management
application:

  https://example.com/myapp/%5C../console/Login.jsp

Also the other applications that come by default with Sybase EAServer can
be accessed using their respective context, for example:

  /rest
  /wsh
  /wsf
  ...

2) XML entity injection
The following XML message displays the contents of the drive C: on a
Windows system:

  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "file:///C:\">
  ]>
  <lol>
    <dt>
      <stringValue>&xxe;</stringValue>
      <booleanValue>0</booleanValue>
    </dt>
  </lol>

3) OS command execution
Due to the potential impact the proof-of-concept has been removed.

Vulnerable / tested versions:
-----------------------------
The issues have been tested in Sybase EAServer 6.3.1 on Windows.

Vendor contact timeline:
------------------------
2013-03-11: Contact the vendor and provide vulnerability information
2013-06-11: Vendor fixes the issues
2013-06-28: Agreement on disclosure date 2013-07-19
2013-07-19: Public disclosure

Solution:
---------
According to the vendor, customers can download the latest patches from
http://www.sybase.com/downloads. The patches have not been tested by
SEC Consult.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
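The traversal in the SEC Consult advisory works because the front-end redirector matches the configured context against the raw request path while the back end also accepts a backslash as a directory separator. The following Python check is an added example, not SEC Consult's or Sybase's code: it canonicalises a request path the way such a lenient back end would resolve it (percent-decoding repeatedly, mapping "\" to "/", collapsing "." and "..") before deciding whether the request still lies inside the forwarded application context. It goes beyond the advisory's single "%5C.." case by also handling double-encoded separators and "%2F"; the function names and the "/myapp" context are assumptions.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # unwraps double/triple encoding; bounded on purpose


def canonical_path(raw_path):
    """Return raw_path as a lenient back end would actually resolve it.

    Steps: percent-decode until stable (so %255C is not a harmless literal),
    map backslashes to '/', then drop empty and '.' segments and resolve
    '..' segments. A path that climbs above the root is clamped at the root.
    """
    decoded = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def stays_in_context(raw_path, context):
    """True only if the canonical form of raw_path is the context itself or
    lies below it. A redirector should forward only requests for which this
    holds; anything else would reach a different deployed application."""
    ctx = canonical_path(context)
    if ctx == "/":
        return True  # root context forwards everything by definition
    path = canonical_path(raw_path)
    return path == ctx or path.startswith(ctx + "/")


if __name__ == "__main__":
    # Constructed sample requests; the first mirrors the advisory's PoC path.
    samples = [
        "/myapp/%5C../console/Login.jsp",
        "/myapp/%255C..%255C../wsh",
        "/myapp/..%2Frest",
        "/myapp/images/logo.png",
        "/myapp/./docs/../index.jsp",
    ]
    for raw in samples:
        verdict = "forward" if stays_in_context(raw, "/myapp") else "reject"
        print(f"{verdict:8} {raw:36} -> {canonical_path(raw)}")
```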
[security bulletin] HPSBMU02900 rev.2 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03839862
Version: 2

HPSBMU02900 rev.2 - HP System Management Homepage (SMH) running on Linux
and Windows, Multiple Remote and Local Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-07-18
Last Updated: 2013-07-19

Potential Security Impact: Local Denial of Service (DoS), remote Denial
of Service (DoS), execution of arbitrary code, gain extended privileges,
disclosure of information, unauthorized access, XSS

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows. The
vulnerabilities could be exploited remotely resulting in Local Denial of
Service (DoS), remote Denial of Service (DoS), execution of arbitrary
code, gain privileges, disclosure of information, unauthorized access, or
XSS.

References:
CVE-2011-3389 (SSRT100740) Remote disclosure of information
CVE-2012-0883 (SSRT101209) Remote gain extended privileges
CVE-2012-2110 (SSRT101210) Remote Denial of Service (DoS)
CVE-2012-2311 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2329 (SSRT100992) Remote Denial of Service (DoS)
CVE-2012-2335 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2336 (SSRT100992) Remote Denial of Service (DoS)
CVE-2012-5217 (SSRT101137) Remote unauthorized access
CVE-2013-2355 (SSRT100696) Remote unauthorized Access
CVE-2013-2356 (SSRT100835) Remote disclosure of information
CVE-2013-2357 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2358 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2359 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2360 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2361 (SSRT101007) XSS
CVE-2013-2362 (SSRT101076, ZDI-CAN-1676) Local Denial of Service (DoS)
CVE-2013-2363 (SSRT101150) Remote disclosure of information
CVE-2013-2364 (SSRT101151) XSS

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux
and Windows.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-3389    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2012-0883    (AV:L/AC:M/Au:N/C:C/I:C/A:C)       6.9
CVE-2012-2110    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2012-2311    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2012-2329    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2012-2335    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2012-2336    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2012-5217    (AV:N/AC:H/Au:N/C:P/I:N/A:N)       2.6
CVE-2013-2355    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2013-2356    (AV:N/AC:L/Au:N/C:C/I:N/A:N)       7.8
CVE-2013-2357    (AV:N/AC:M/Au:S/C:N/I:N/A:C)       6.3
CVE-2013-2358    (AV:N/AC:M/Au:S/C:N/I:N/A:C)       6.3
CVE-2013-2359    (AV:N/AC:M/Au:S/C:N/I:N/A:P)       3.5
CVE-2013-2360    (AV:N/AC:M/Au:S/C:N/I:N/A:P)       3.5
CVE-2013-2361    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2013-2362    (AV:L/AC:H/Au:S/C:N/I:N/A:P)       1.0
CVE-2013-2363    (AV:N/AC:H/Au:N/C:C/I:N/A:P)       6.1
CVE-2013-2364    (AV:N/AC:L/Au:S/C:N/I:N/A:P)       4.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks agix for working with the TippingPoint
Zero Day Initiative to report vulnerability CVE-2013-2362 to
security-al...@hp.com

RESOLUTION

HP has made System Management Homepage (SMH) v7.2.1 or subsequent
available for Windows and Linux to resolve the vulnerabilities.

Information and updates for SMH can be found at the following location:
http://h18013.www1.hp.com/products/servers/management/agents/index.html

HISTORY
Version:1 (rev.1) - 18 July 2013 Initial release
Version:2 (rev.2) - 19 July 2013 Corrected CVE-2012-5217 assignment

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this
Security Bulletin, contact normal HP Services support channel. For other
issues about the content of this Security Bulletin, send e-mail to
security-al...@hp.com.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security
Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security
Download Lite v4.3 iOS - Persistent File Web Vulnerability
Title:
======
Download Lite v4.3 iOS - Persistent File Web Vulnerability

Date:
=====
2013-07-19

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1023

VL-ID:
======
1023

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Downloads Lite is a fully featured download manager that allows you to
download files to your iPhone or iPod touch; you can then view/play the
downloaded files right on your iPhone or iPod touch, or transfer them to
your computer. Downloads Lite has all the essential features of the full
version of Downloads except that it is limited to store up to 7 files.

(Copy of the Vendor Homepage:
https://itunes.apple.com/en/app/downloads-lite-downloader/id349275540)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent input
validation vulnerability in the Download Lite application (Apple iOS -
iPad & iPhone).

Report-Timeline:
================
2013-07-19: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Apple AppStore
Product: Download Lite Pro - Mobile Application 4.3

Exploitation-Technique:
=======================
Local

Severity:
=========
Medium

Details:
========
A persistent input validation web vulnerability is detected in the
Download Lite v4.3 application (Apple iOS - iPad & iPhone). The bug
allows an attacker (remote) to implement/inject malicious script code on
the application side (persistent) of the device.

The vulnerability is located in the index file dir listing module of the
web-server (http://localhost:800) when processing requests, sent via the
POST method, with injected manipulated `file names`. The persistent
script code will be executed in the main index file dir listing module
when the service lists the new malicious injected filename as an item.

Exploitation of the persistent web vulnerability requires low user
interaction and a local privilege application device account.
Successful exploitation of the vulnerability can lead to persistent
session hijacking (customers), account stealing via persistent web
attacks, persistent phishing or stable (persistent) certificate mail
notification context manipulation.

Vulnerable Application(s):
  [+] Download Lite v4.3 - ITunes or AppStore (Apple)

Vulnerable Module(s):
  [+] Add File

Vulnerable Parameter(s):
  [+] filename

Affected Module(s):
  [+] Index File Dir Listing

Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by
local attackers with low required user interaction. For demonstration or
to reproduce ...

PoC: File Name - Persistent Script Code Injection

  <body>
  <div id="main">
  <div id="header">
  <form action="/files" enctype="multipart/form-data" method="post" class="upload">
  <img src="Downloader_files/Icon-Small.png"> Downloader
  </form>
  </div>
  <table border="0" cellpadding="0" cellspacing="0">
  <thead>
  <tr><th>Name</th><th class="del">Delete</th></tr>
  </thead>
  <tbody id="filelist">
  <tr><td><a href="http://192.168.2.104:8080/files/Downloader.sqlite3" class="file">Downloader.sqlite3[PERSISTENT INJECTED SCRIPT CODE as FILENAME!]</a></td><td class="del">
  <form action="/files/Downloader.sqlite3" method="post"><input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" type="submit"></form></td></tr></tbody>
  </table>
  <script type="text/javascript" charset="utf-8">
  var now = new Date();
  $.getJSON("/files?" + now.toString(), function(data){
    var shadow = false;
    $.each(data, function(i,item){
      var trclass = '';
      if (shadow) trclass = " class='shadow'";
      encodeName = encodeURI(item.name).replace(', ');
      // item.name is concatenated into the markup unescaped; this is the injection point
      $("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" +
        "<td class='del'><form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=\"commit\" type=\"submit\" value=\"Delete\" class='button' /></td>" +
        "</tr>").appendTo("#filelist");
      shadow = !shadow;
    });
  });
  </script>
  <div id="footer">
  <div class="content">
  </div>
  </div>
  </div>
  </body></html>

Note: As you can see, in the encoded name the string bypasses the
validation because of the local (stored) location. An attacker can inject
their own script code by using the local device, to execute when a remote
user is