Re: Samsung TV - DoS vulnerability

2013-07-22 Thread malik
Assigned CVE number: CVE-2013-4890


Photo Server 2.0 iOS - Multiple Critical Vulnerabilities

2013-07-22 Thread Vulnerability Lab
Title:
==
Photo Server 2.0 iOS - Multiple Critical Vulnerabilities


Date:
=
2013-07-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1029


VL-ID:
=
1029


Common Vulnerability Scoring System:

8.6


Introduction:
=
Photo Server is the free (photos only) version of Video Server. Access your 
device's camera roll from any computer or device with a web browser on your 
local network router's WiFi. With proper configuration of your WiFi router, 
access can be made from the web browser of any computer or device connected 
to the internet.

Video transfer can be enabled either through the in-app upgrade or by clicking 
on and viewing an iAd (iAds not available 
in all countries yet).

The Bluetooth option allows you to transfer photos stored in your camera roll 
between Apple iMobile devices such as the 
iPhone, iPod Touch, and iPad without WiFi. Once the BlueTooth connection is 
established between the devices, choose your 
picture and the app automatically begins transmitting it via BlueTooth to the 
other device. Once received on the other 
device you can view the photograph and save it to your camera roll.

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-server/id397545365)


Abstract:
=
The Vulnerability Laboratory Research Team discovered a command injection and 
file include (arbitrary file upload) vulnerability in the Photo Server 2.0 
application (Apple iOS - iPad & iPhone).


Report-Timeline:

2013-07-23:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: Photo Server - Application 2.0


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A local command/path injection web vulnerability is detected in the Photo 
Server 2.0 application (Apple iOS - iPad & iPhone).
The vulnerability allows to inject local commands via vulnerable system values 
to compromise the apple mobile iOS application.

The vulnerability is located in the index file dir listing module when 
processing to request and list the ipad or iphone devicename.
Local attackers can change the name of the device to inject the code and 
request any local path or inject commands on application-side.
The malicious context with the path request executes when a user or victim is 
watching the file dir index listing.

Exploitation of the web vulnerability requires a local privilege iOS device 
account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution 
of system specific commands and path requests.

Vulnerable Application(s):
[+] Photo Server v2.0 - ITunes or AppStore (Apple)

Vulnerable Parameter(s):
[+] device name

Affected Module(s):
[+] Index File Dir Listing




1.2
A file include web vulnerability is detected in the Photo Server 2.0 
application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) 
local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when processing to upload 
files with manipulated names via POST method. The attacker can inject 
local path or files to request context and compromise the device. The 
validation has a bad side effect which impacts the risk to combine the attack 
with persistent injected script code.

Exploitation of the file include web vulnerability requires no user interaction 
or privilege application user account. 
Successful exploitation of the vulnerability results in unauthorized local file 
and path requests to compromise the device or application.

Vulnerable Module(s):
[+] Upload (Files)

Vulnerable Parameter(s):
[+] filename 

Affected Module(s):
[+] Index File Dir Listing



1.3
An arbitrary file upload web vulnerability is detected in the Photo Server 2.0 
application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with 
multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload 
files with multiple ending extensions. Attackers are able to upload 
a php or js web-shell by renaming the file with multiple extensions. He 
uploads, for example, a web-shell with the following name and 
extension: image.jpg.js.php.jpg. After the upload he deletes the jpg in the 
request to gain unauthorized access to the malicious file (web-shell) and 
compromise the web-server or mobile device.

Exploitation of the arbitrary file upload web vulnerability requires no user 
interaction or privilege application user account.
Successful ex
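A hardened check for the three issues described above (attacker-controlled device and file names reaching the index listing, and multi-extension names such as image.jpg.js.php.jpg passing an upload filter), added here as an example; it is not Photo Server's code or Vulnerability Lab's. The extension allowlist and the listing markup are assumptions for the example.

```python
import html
import os
import re

# Allowlist of image extensions the server is meant to serve.
# Constructed for this example; Photo Server's real list is not on the page.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Exactly one stem of safe characters and exactly one extension: this is what
# rejects "image.jpg.js.php.jpg", whose stem would have to contain dots.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload_name(name: str) -> str:
    """Return a canonical safe filename, or raise ValueError.

    Rejects NUL bytes, any directory component (so "../x.jpg" and
    "photos/../x.jpg" fail), names with more than one extension, and
    extensions outside the allowlist. Extension case is normalised so a
    later check cannot be confused by "photo.JPG".
    """
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too; clients on any platform may send them.
    base = os.path.basename(name.replace("\\", "/"))
    if base != name:
        raise ValueError("path component in filename")
    m = _SAFE_NAME.match(base)
    if m is None:
        raise ValueError("filename must be stem.ext with a single extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    stem = base[: -len(ext) - 1]
    return f"{stem}.{ext}"


def is_safe_upload_name(name: str) -> bool:
    """Boolean wrapper around validate_upload_name for filters and tests."""
    try:
        validate_upload_name(name)
        return True
    except ValueError:
        return False


def listing_entry(display_name: str) -> str:
    """One row of the index/dir listing (markup is an assumption).

    The device name and file names are attacker-controlled, so they are
    HTML-escaped here; markup injected via a renamed device is shown as text
    instead of being executed by whoever views the listing.
    """
    return f"<li>{html.escape(display_name, quote=True)}</li>"


if __name__ == "__main__":
    for candidate in ("photo.JPG", "image.jpg.js.php.jpg",
                      "../../etc/passwd", "shell.php"):
        print(f"{candidate!r:28} -> {is_safe_upload_name(candidate)}")
    print(listing_entry("<script>alert(1)</script>"))
```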

Defense in depth -- the Microsoft way (part 4)

2013-07-22 Thread Stefan Kanthak
Hi,

Microsoft distributes (security critical) updates for Windows components
and Microsoft products installed on user systems via "Windows/Microsoft
Update" and installs them automatically.

Except in some VERY common cases...

For the incorporation of redistributable components like the MSVCRT, MFC,
ATL etc. in MSI installer packages of other (including 3rd party) products
Microsoft provides so-called "MSI merge modules" *.MSM with Visual Studio.

This is primarily a convenience for the packager/developer and the
user/consumer, since both dont have to handle the (typically larger)
standalone "redistributable packages" of the included components from
their "main" installer package.

The files included in these MSI merge modules are installed in the same
locations as their standalone "redistributable packages" do.

But... Windows Update Agent doesnt detect vulnerable/outdated files
installed via MSI merge modules: some of the meta-data which is written
by the standalone "redistributable packages" is not written by the MSI
merge modules and lets Windows Update Agent fail to detect them properly.

The result: all Windows installations where

* Microsoft products like Microsoft Security Essentials, Windows Defender,
  Forefront Security, Microsoft Office , Microsoft Sharepoint
  , Microsoft SQL Server , .NET Framework 2.0/3.0/3.5,
  which come with outdated and vulnerable MSI merge modules, are installed,

* 3rd party products like Adobe Reader/Acrobat and numerous others of
  numerous other developers/companies, which come with outdated and
  vulnerable MSI merge modules, are installed,

* the current version of the standalone "redistributable packages" of the
  resp. MSCVRT, MFC, ATL etc. are NOT installed,

are (potentially) VULNERABLE!


stay tuned
Stefan Kanthak


PS: if you want to check your own Windows installations: get FILEVER.EXE
from 
(the download link in  points
to an older version), start a command prompt and run the following
commands:

FILEVER.EXE /S %SystemRoot%\WinSxS\MSVC*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\MFC*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\ATL*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\MSDIA*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\VCOMP*.DLL

FILEVER.EXE %SystemRoot%\System32\MSVC*.DLL
FILEVER.EXE %SystemRoot%\System32\MFC*.DLL
FILEVER.EXE %SystemRoot%\System32\ATL*.DLL
FILEVER.EXE %SystemRoot%\System32\MSDIA*.DLL
FILEVER.EXE %SystemRoot%\System32\VCOMP*.DLL

FILEVER.EXE %SystemRoot%\SysNative\MSVC*.DLL    (x64 only)
FILEVER.EXE %SystemRoot%\SysNative\MFC*.DLL     ...
FILEVER.EXE %SystemRoot%\SysNative\ATL*.DLL     ...
FILEVER.EXE %SystemRoot%\SysNative\MSDIA*.DLL   ...
FILEVER.EXE %SystemRoot%\SysNative\VCOMP*.DLL   ...

If the output shows DLLs with version numbers less than listed in





you should fetch the resp. "redistributable packages" and install
them (as stated in the FAQ section of
)

Don't forget to file file bug reports against any product that
installed the outdated DLLs.


PPS: if you find any of these DLLs in %ProgramFiles%, %ProgramFiles(x86)%
 or other locations: remove them!

 Then ask the developers/vendors who installed them there to take a
 REALLY THOROUGH look at !

 And don't forget to file file bug reports against any product that
 installed OUTDATED DLLs there!


SurgeFtp Server BufferOverflow Vulnerability

2013-07-22 Thread Anil Pazvant
---
| SurgeFtp Server BufferOverflow Vulnerability |
---
Summary


SurgeFTP Server has a buffer overflow vulnerability which results in
denial of service or potential remote code execution.

CVE number: CVE-2013-4742
Impact: High

Vendor homepage:
http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp

Vendor notified: 22/05/2013

Vendor fixed: 30/05/2013



Affected Products
=
SurgeFTP Server 23c8 and older linux versions.


Details
==

The bug was triggered during authentication of the ftp service. The root
cause of the problem is processing a very long line with no 'crlf',
resulting in a memmove operation past the end of a buffer, and that
would turn in corruption in a random way on heap or stack. Unless the
injection vector effect is not so stable, one of the possibilities of
code execution is the "vfprint" function which you can exploit by calling
a next library function that exists and is writable on a GOT entry. In the
following you can see EIP can be owned by the ECX+0x1c address. Software
was compiled with NX and code execution can be done by using ROP.


Gnu debugger enabled with peda output =>


EAX: 0x3b93b70 ("22 13:15:14.00: <-- ", 'F' , "\n")
EBX: 0x353ff4 --> 0xb4cd7c
ECX: 0x54545454 ('')
EDX: 0x65 ('e')
ESI: 0xb7611700 ('C' , "T\333q\003", 'T' ...)
EDI: 0x1
EBP: 0x3b95c34 --> 0x3b961f8 --> 0x3b96218 --> 0x3b96e18 --> 0x3b97df8
--> 0x3b99258 --> 0x3b99698 --> 0x3b9a2e8 --> 0x3b9a338 --> 0x3b9a388
--> 0x3b9a498 --> 0x0
ESP: 0x3b93b54 --> 0xb7611700 ('C' , "T\333q\003",
'T' ...)
EIP: 0x206f15 (: call   DWORD PTR [ecx+0x1c])


Impact

DoS or RCE


Solution

Upgrade to SurgeFTP 23d2.


Twitter @pazwant


Juniper Secure Access XSS Vulnerability

2013-07-22 Thread Anil Pazvant
---
| Juniper Secure Access XSS Vulnerability |
---
Summary
===

Juniper Secure Access software has a reflected XSS vulnerability.

CVE number: CVE-2012-5460
PSN-2013-03-874
Impact: Low

Vendor homepage:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2013-03-874&viewMode=view

Vendor notified: 06/06/2012

Vendor fixed: 12/12/2012

Affected Products
=
Juniper SA (IVE OS) versions prior to 7.1r13, 7.2r7, 7.3r2.


Details
==
In order to exploit this vulnerability, the client should
authenticate to the SSLVPN service. The vulnerable parameter exists on the
help page of the IVE user web interface.

Affected parameter: WWHSearchWordsText

Impact
==
Execution of arbitrary script code in a user's browser during an
authenticated session.


Solution
==
Upgrade to 7.1r13, 7.2r7, 7.3r2, or higher.

Twitter @pazwant


Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities

2013-07-22 Thread Vulnerability Lab
Title:
==
Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities


Date:
=
2013-07-22


References:
===
http://www.vulnerability-lab.com/get_content.php?id=832


VL-ID:
=
832


Common Vulnerability Scoring System:

7.5


Introduction:
=
Dell KACE is to provide an appliance-based approach to systems management, to 
create time for systems administration professionals, 
while saving money for their companies. Dell KACE Systems Management Appliances 
are available as both physical and virtual appliances. 

The KACE Management Appliance delivers a fully integrated systems management 
solution, unlike traditional software approaches that 
can require complex and time-consuming deployment and maintenance. KACE 
accomplishes this via an extremely flexible, intelligent 
appliance-based architecture that typically deploys in days and is self 
maintaining. The KACE Management Appliance also provides 
direct access to time-saving ITNinja systems management community information 
using AppDeploy Live, the leading destination for end 
point administrators. The result: Comprehensive systems management that is 
easy-to-use and that can be more economical than software 
only alternatives. Read more in the white paper KACE K1000 Management Appliance 
Architecture: Harnessing the Power of an 
Appliance-based Architecture. The KACE Management Appliance is designed for 
enterprises and business units with up to 20,000 nodes. 

(Copy of the Vendor Homepage: http://www.kace.com/products/systems-management-appliance )


Abstract:
=
The Vulnerability Laboratory Research Team discovered SQL Injection web 
vulnerabilities in Dell Kace K1000, Systems Management Appliance.


Report-Timeline:

2013-01-24: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-02-06: Vendor Notification (Dell Security Team)
2013-02-08: Vendor Response/Feedback  (Dell Security Team)
2013-**-**: Vendor Fix/Patch (Dell Security Team)
2013-07-22: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
DELL
Product: Kace K1000 SMA 5.4.70402


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple SQL Injection vulnerabilities are detected in the Dell Kace K1000, 
Systems Management Appliance Application.
A SQL Injection vulnerability allows an attacker (remote) to execute/inject SQL 
commands in the affected application dbms. 

The sql injection vulnerabilities are located in the history_log.php, 
service.php, software.php, settings_network_scan.php, 
asset.php, asset_type.php, metering.php and mi.php files. All files are located 
in the adminui. A remote attacker is able 
to inject own sql commands when processing to request the vulnerable TYPE_ID 
and ID parameters.

Exploitation of the sql injection vulnerabilities requires no or a low 
privilege application user account and no user interaction. 
Successful exploitation of the vulnerability results in database management 
system & application compromise via remote sql injection attack. 


Vulnerable Module(s):
[+] adminui

Vulnerable File(s):
[+] history_log.php
[+] service.php
[+] software.php
[+] settings_network_scan.php
[+] asset.php
[+] asset_type.php
[+] metering.php
[+] mi.php
[+] replshare.php
[+] kbot.php

Vulnerable Parameter(s):
[+] TYPE_ID
[+] ID


Proof of Concept:
=
The SQL injection vulnerabilities can be exploited by remote attackers without 
privileged application user account and without required user interaction. 
For demonstration or reproduce ...

1.1
PoC:
https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,6,version%28%29,8,9,10,11,12--%20-

1.2
PoC:
https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20-

1.3
 https://pub37.137.0.0.1:8080/adminui/software.php?ID=1291+[SQL-INJECTION!]--

Exploit:


Dell Kace 1000 SMA v5.4.70402 - SQL Injection Exploit
https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,6,version%28%29,8,9,10,11,12--%20-
https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17
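Detection logic for the UNION-based injection pattern shown in the PoCs above, added here as an example and not part of the advisory: it parses web-server access-log lines and flags the listed adminui scripts when TYPE_ID or ID carries SQL. The log lines are constructed, and scoping the rule to the advisory's scripts is an assumption made to keep it quiet on a busy appliance.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# adminui scripts and parameters named in the advisory.
VULNERABLE_SCRIPTS = {
    "history_log.php", "service.php", "software.php", "settings_network_scan.php",
    "asset.php", "asset_type.php", "metering.php", "mi.php", "replshare.php", "kbot.php",
}
WATCHED_PARAMS = {"TYPE_ID", "ID"}

# Request line inside an Apache/nginx combined-format log entry.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# UNION-based probes as in the PoCs, plus the version() fingerprint they call.
_SQLI = re.compile(r"\bunion\b.{0,20}\bselect\b|\bversion\s*\(\s*\)", re.I | re.S)


def inspect_request(target: str):
    """Return (script, param, decoded_value) when an adminui request carries
    SQL in TYPE_ID or ID, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/adminui/"):
        return None
    script = parts.path.rsplit("/", 1)[-1]
    if script not in VULNERABLE_SCRIPTS:
        return None
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        if param.upper() not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decoding again catches double
            # encoding such as %2528 for "(".
            decoded = unquote_plus(value).lower()
            if _SQLI.search(decoded):
                return script, param, decoded
    return None


def scan_log(lines):
    """Return a list of (client_ip, script, param, decoded_value) per hit."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if m is None:
            continue
        finding = inspect_request(m.group("target"))
        if finding is not None:
            hits.append((line.split(" ", 1)[0], *finding))
    return hits


# Constructed log lines: a benign request, the two PoC requests from the
# advisory, and a UNION string against a script outside adminui.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2013:10:15:01 +0000] "GET /adminui/history_log.php'
    '?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Jul/2013:10:15:07 +0000] "GET /adminui/history_log.php'
    '?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,6,'
    'version%28%29,8,9,10,11,12--%20- HTTP/1.1" 200 5340',
    '203.0.113.9 - - [22/Jul/2013:10:15:09 +0000] "GET /adminui/service.php'
    '?ID=-1211+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,'
    '18,19,20,21,22,23--%20- HTTP/1.1" 200 4410',
    '10.0.0.7 - - [22/Jul/2013:10:16:00 +0000] "GET /userui/search.php'
    '?q=union+select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, script, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {script:<18} {param:<8} {value}")
```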

Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials

2013-07-22 Thread kyle Lovett
Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
Firmware Ver. 1.03.xx 1.04.xx
Firmware unaffected Ver 1.01.xx

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware Ver. 1.05.xx 1.06.xx
Version 1.07.16 released on 05/2013 does not have this bug
Firmware unaffected Ver. 1.01.xx 1.02.xx 1.03.xx

--

Vulnerabilities -
On the WD My Net N600, N750, N900 and N900C routers, administrative
credentials are stored in plain text and are easily accessible from a
remote location via port 8080 on the WAN side of the router.

On those routers affected by the bug, the following command will
display the password value that openly resides in their php source
code:

curl -s http://:8080/main_internet.php? -L | egrep -i 'var pass'

During initial setup, the page "main_internet.php" will store in plain
text the admin password as a value of "var pass". Port 8080 is shared
by both the UPnP modules and WAN side HTTP web services which remote
administrative access is set to by default. The inherent difficulty
with writing code to fit the unique requirements for authentication
based tasks (administrative) on the same port as services that are
privileged (UPnP), is quite apparent in the complexity with which each
service is called on these units. Indeed, several of the developers
comments
inside the code, as well as warnings to the end user on the admin GUIs
are made concerning this conflict and the risks involved.

For example, in one line commented out speaking on an api function they state:
/* 80, 443 ports can not
use*//api/1.0/rest/device?owner=admin&pw=&name=" + hostname +
"&rest_method=PUT";

Again, under code to start certain features that call UPnP services,
it warns the end user:
"Conflict with Remote Management service HTTP port"+":
"+XG(XMLrm+"/web")+". "+"This may cause unpredictable problem. Are you
sure you want to override?"

In fact, when a call is made to change the password for the admin
user, or to authenticate a remote administrative user access, a php or
cgi action
will call one of several modules services built into UPnP, in this
case DEVICE.ACCOUNT.

Ex: - Changing the password for admin will issue the following series
of commands:

/tools_admin.php --> /getcfg.php
(SERVICES=DEVICE.ACCOUNT%2CHTTP.WAN-1%2CALERTMSG) --> hedwig.cgi (which
posts the privileged module for
DEVICE.ACCOUNT) --> /pigwidgeon.cgi
(ACTIONS=SETCFG%2CSAVE%2CACTIVATE) --> /getcfg.php (sets the new cookie
value, and finalizes the action)

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

---

Vendor Timeline-
Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes -
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16.

On WD My Net N600 and N750
If a restoration to Ver. 1.01.xx firmware is available, and remote
access via the internet is a required feature, it is advised to
contact vendor support for how best to proceed.

Mitigation and Workarounds for those who aren't able to upgrade or
downgrade firmware -
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password



Note:
Critical vulnerabilities discovered on UPnP-enabled routers and other
devices, that have visibility and access to the WAN, have continued to
rise at a very rapid pace over the past year. During Defcon 19 Daniel
Garcia gave a talk about UPnP Port mapping, the risks involved with
the unpredictable nature of UPnP stacks and the danger that NAT
traversal could be a possible outcome.
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf

Back in January of this year, the security researcher at Rapid7,
HDMoore had written a white paper on UPnP vulnerabilities, warning
that "around 40-50 million network-enabled devices are at risk" which
he explains includes "devices such as routers, printers,
network-attached storage (NAS), media players and smart TVs."
https://community.rapid7.com/docs/DOC-2150 In each of the devices he
mentions, we have seen some exploitable vulnerabilities begin to
surface, and even in some devices not mentioned yet such as DVRs and
IP Web Cameras.

A few vendors have been able to sufficiently mitigate the risks of
UPnP/DLNA services co-existing with their products supporting remote
access capabilities, however, many have not. The growing list of home
router or modem models that are still vulnerable to a know

Barracuda CudaTel 2.6.02.040 - SQL Injection Vulnerability

2013-07-22 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.040 - SQL Injection Vulnerability


Date:
=
2013-07-20


References:
===
http://vulnerability-lab.com/get_content.php?id=775

BARRACUDA NETWORK SECURITY ID: BNSEC-723


VL-ID:
=
775


Common Vulnerability Scoring System:

8.6


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication 
Server's enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication 
Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and 
digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and no per user or phone 
licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio 
experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=
1.1
The Vulnerability Laboratory Research Team discovered a sql injection 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

1.2
The Vulnerability Laboratory Research Team discovered a client side 
vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:

2012-11-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug 
Bounty Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security Team - 
Bug Bounty Program)
2013-03-01: Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: 
Dave Farrow]
2013-07-20: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel 
v2.6.002.040 appliance web application.
The vulnerability allows remote attackers or local low privilege application 
user accounts to inject (execute) 
own SQL commands to the affected application dbms. 

The blind sql injection vulnerability is located in the cdr module when 
processing to request manipulated row & page 
parameters as searchstring. A remote attacker can for example delete the 
standard value context of the module request 
to inject (execute) own sql commands. 

Exploitation of the vulnerability requires a low privilege web application user 
account and no user interaction.
Successful exploitation of the vulnerability results in database management 
system and web application compromise.

Vulnerable Section(s)
[+] search - listing

Vulnerable Module(s)
[+] cdr - searchstring listing

Vulnerable Parameter(s)
[+] &row
[+] &page



1.2
A client side input validation vulnerability is detected in the Barracuda 
Networks CudaTel v2.6.002.040 appliance web application.
The non-persistent vulnerability allows remote attackers to manipulate client 
side application requests to browser.

The second vulnerability (client side) is located in the invalid value 
exception handling. Remote attackers can provoke the 
exception-handling by including invalid script code inputs to redisplay the 
malicious context when processing to load the output.
To provoke the exception-handling the remote attacker can use the vulnerable 
row parameter of the cdr searchstring listing to 
execute own malicious (client-side) script code.

Exploitation of the vulnerability requires no web application user account 
but medium or high user interaction.
Successful exploitation of the vulnerability results in client side phishing, 
client side session hijacking and client side 
external redirects to malware or malicious websites. Exploitation requires 
medium user interaction.

Vulnerable Section(s):
[+] search - listing

Vulnerable Module(s):
[+] cdr - searchstring listing

Vulnerable Parameter(s):
[+] &row

Affected Module(s):
[+] Exception-Handling (invalid value)


Proof of Concept:
=
1.1
The sql injection vulnerability can be exploited by remote attackers with low 
privilege web application user account and without user int

[CVE-2013-2137] Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

2013-07-22 Thread Jacopo Cappellato
CVE-2013-2137 - Apache OFBiz XSS vulnerability in the "View Log" screen of the 
Webtools application

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

XSS vulnerability in the "View Log" screen of the Webtools application because 
the content of the html log was not properly encoded.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.drap...@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities





[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

2013-07-22 Thread Jacopo Cappellato
CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users 
to execute arbitrary UEL functions in OFBiz

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

Parameter values are not correctly validated and if JUEL metacharacters are 
included they are interpreted.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.drap...@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities

