Sidu 5.2 Admin XSS Vulnerability
Affected Vendor: www.topnew.net/sidu/
Credits: John Page (hyp3rlinx)
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt

Product:
Sidu version 5.2 is a web based database front-end administration tool.

Advisory Information:
Sidu 5.2 is vulnerable to cross site scripting attacks.

Exploit code:
http://localhost/sidu52/sql.php?id=1sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
Vendor Notification: May 12, 2015
May 13, 2015: Public Disclosure

Severity Level: High

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Sidu 5.2
Vulnerable Parameter(s): [+] sql=[XSS]
Affected Area(s): [+] Admin of currently logged in user.

(hyp3rlinx)
SEC Consult SA-20150514-0 :: Multiple vulnerabilities in Loxone Smart Home (part 2)
SEC Consult Vulnerability Lab Security Advisory 20150514-0
===
title: Multiple vulnerabilities
product: Loxone Smart Home
vulnerable version: Firmware version 6.4.5.12
fixed version: 6.4.5.12
impact: Critical
homepage: http://www.loxone.com
found: 2015-03-12
by: Johannes Greil (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor product description:
-
"Loxone Electronics was founded in 2009. Our focus is the development and production of control solutions for all homes. Our aim is to make home automation interesting, affordable and accessible for everyone."
URL: http://www.loxone.com/enus/company/about-us.html

Business recommendation:
Most of the issues previously identified (see SEC Consult security advisory SA-20150227-0) seem not to have been fixed properly and are still exploitable, either directly or by easily bypassing the implemented measures. A very short crash test of only a few hours even resulted in new vulnerabilities.

The Loxone smart home has multiple design and implementation flaws which, combined, could be used by an attacker to:
1) remotely cause a denial of service condition which renders the smart home unusable and would effectively disable any Loxone-controlled alarm system,
2) steal the user's credentials for the management interface and fully control the smart home,
3) execute JavaScript code in the user's browser for further attacks,
4) control arbitrary devices connected to the system, e.g. switch lights on/off, remotely open doors or garages, disable the alarm system, etc.,
5) gain access to admin passwords of Loxone partners (e.g. electricians who are implementing the smart home solution at customers) and completely take over other smart homes of the same Loxone partner!
It is recommended by SEC Consult not to use this smart home system until a thorough security analysis (white box) of all components has been performed by security professionals, as a very short crash test (black box) already resulted in critical vulnerabilities.

Vulnerability overview/description:
---
1) Cross-site request forgery (XSRF)

The system is vulnerable to XSRF attacks. If an attacker is able to lure a user into clicking a crafted link, or embeds such a link within web pages (e.g. discussion forums), he could control arbitrary functions within the smart home system. All functions can be controlled via web based commands, e.g. in order to switch on lights, remotely open doors or garages, disable the alarm system, etc.

This can still be exploited in the current Loxone version and does not seem to have been fixed properly.

2) HTTP Response Splitting / Header injection

The web server of the Loxone smart home system is vulnerable to HTTP response splitting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could arbitrarily manipulate the server's response (e.g. injection of JavaScript code).

This can still be exploited in the current Loxone version and does not seem to have been fixed properly. The implemented measures/filters can be easily bypassed using double-encoded payloads. This attack is not limited to the admin interface; it can be exploited in any path of the web server.

SEC Consult has verified this attack in the most current versions of the Mozilla Firefox and Google Chrome web browsers.

3) Reflected cross-site scripting (XSS) vulnerability

The web interface of the Loxone smart home is vulnerable to reflected cross-site scripting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could execute arbitrary JavaScript code in the user's browser. Thereby he could steal the user's credentials or control arbitrary devices within the smart home system.

To exploit this vulnerability it isn't mandatory for the user to be authenticated. Unauthenticated XSS vulnerabilities exist as well (by exploiting the HTTP Response Splitting vulnerability described in 2) as authenticated ones.

SEC Consult has verified this attack in the most current versions of the Mozilla Firefox and Google Chrome web browsers.

4) Denial of service

An attacker could perform a denial of service attack with simple measures, such as SYN flood attacks. During such an attack the system isn't accessible via the network and can't be controlled
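The double-encoding bypass described under 2) comes down to a filter and a sink that look at different representations of the same value. The following is an added example, not code from the SEC Consult advisory or the Loxone firmware: a small simulated server (hypothetical function names, constructed sample input) shows a filter that checks the once-decoded parameter being bypassed, and a hardened version that validates the exact value written into the header.

```python
# Added example, not from the advisory or the Loxone product. A simulated
# redirect endpoint takes a query parameter and writes it into a Location
# header; names and the sample payload are constructed for illustration.
from urllib.parse import unquote

CONTROL_CHARS = ("\r", "\n", "\0")


def has_control_chars(value: str) -> bool:
    return any(c in value for c in CONTROL_CHARS)


def weak_filter_accepts(raw_param: str) -> bool:
    """Input filter: decode the raw parameter once and look for CR/LF.
    '%250d%250a' decodes to the literal text '%0d%0a', so it passes."""
    return not has_control_chars(unquote(raw_param))


def legacy_emit_redirect(raw_param: str) -> str:
    """Simulated vulnerable server: the filter inspects one representation
    but the header is built from another (decoded a second time), so the
    check and the use never see the same bytes. Returns the raw response."""
    if not weak_filter_accepts(raw_param):
        raise ValueError("rejected by filter")
    location = unquote(unquote(raw_param))  # second decode is the defect
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def count_header_lines(response: str) -> int:
    """Number of header lines a client will parse; a split adds lines."""
    head = response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n"))


def emit_header_checked(name: str, value: str) -> str:
    """Sink-side check on the final value that is actually written."""
    if has_control_chars(name) or has_control_chars(value):
        raise ValueError("control character in header")
    return f"{name}: {value}\r\n"


def hardened_emit_redirect(raw_param: str) -> str:
    """Decode exactly once and validate at the sink: whatever the encoding
    depth, a value that would contain CR/LF when written is refused."""
    header = emit_header_checked("Location", unquote(raw_param))
    return "HTTP/1.1 302 Found\r\n" + header + "\r\n"


def hardened_rejects(raw_param: str) -> bool:
    try:
        hardened_emit_redirect(raw_param)
        return False
    except ValueError:
        return True
```

With the double-encoded input the legacy server emits three header lines (the injected one included) while the hardened server emits two, because the once-decoded value is written as literal text.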
[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass
CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

This issue only affects installations that run web applications from untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.17 or later (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
Certificate trust vulnerability in Websense Content Gateway
SUMMARY

Websense Content Gateway proxy explicitly trusts compromised certificate authorities.

Affected versions: Content Gateway 7.8.x
Not affected: Content Gateway 7.7.x, 8.0

DESCRIPTION

Websense Content Gateway is a filtering web proxy and content inspection application based on a modified Inktomi/Apache Traffic Server. To enable inspection and filtering of encrypted traffic, the application uses an internal certificate authority and decrypts and re-encrypts traffic passing through the device.

Content Gateway maintains its own list of trusted certificate authorities, since all HTTPS traffic accessed via Content Gateway will appear to be signed by the Content Gateway CA. Websense updates the list of trusted certificate authorities with each new major version (7.7.0, 7.8.0, etc.).

It appears new trusted certificates were imported from the Mozilla/NSS CA store for 7.8.0, but the deny trust flag was set incorrectly. Therefore, the status of compromised certificates (DigiNotar, UTN-USERFirst-Hardware, Digisign (Enrich)) was imported as explicitly trusted instead of untrusted.

RISK

An attacker with access to these compromised certificates could mount a phishing or MITM attack against clients behind a Content Gateway without raising suspicions.

RESOLUTION

Websense will not release a patch for this issue. Users of affected systems can upgrade to 8.0, manually delete the compromised trusted certificate authorities, or change the status to Deny. I have provided steps below which update the status in bulk from the OS shell (non-appliance).

FIX

You should review and test these steps first, and evaluate if any other trusted certificates should be updated or removed. These steps are not supported by Websense, and there is no warranty.

From the shell, execute the following commands. This script will change the status column to 1 (deny) for the certificate authorities with the listed hashes. Content Gateway must be stopped, or your changes will be overwritten.
    sudo service WCG stop
    sudo /usr/bin/sqlite3 /opt/WCG/config/new_scip3.db

Paste the following script:

    UPDATE cert_issuer SET status = 0 WHERE issuer_hash IN (
        '20533f91_0FFF',
        '46f053f0_0FFF',
        '84009bc3_0FFF',
        '856583ec_0FFF',
        'aee5f10d_07FF',
        'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E',
        'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
        'b13cc6df_3E75CED46B693021218830AE86A82A71',
        'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
        'b13cc6df_9239D5348F40D1695A745470E1F23F43',
        'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
        'b13cc6df_D7558FDAF5F1105BB213282B707729A3',
        'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
        'b13cc6df_E9028B9578E415DC1A710A2B88154447',
        'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
        'c692a373_07FF',
        'cc154c6e_0FFF',
        'cee8e824_0FFF'
    );
    .quit

Then restart the service:

    sudo service WCG start

TIMELINE

10/10/2014: Opened case with Websense support
10/30/2014: Websense support claims product does not include compromised certificates, and that I added them. I disagree, and verify that a clean install of the product does include them.
11/11/2014: Informed by support that Websense will review the certificates for the next release, but will not issue a patch for existing systems.
11/19/2014: Attempt to escalate issue via sales instead of support
11/20/2014: Sales says they're checking with product management about a patch
1/20/2015: Asked for update on patch
1/21/2015: Informed 8.0 product will include a fix
2/3/2015: Triton 8.0 product released; compromised certificates are no longer included at all

Thanks to Websense Product Security for correcting an error in the SQL script above.
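Pasting the UPDATE into the sqlite3 shell gives no feedback on how many rows it touched. The following is an added example, not the advisory's script: the same change done through Python's sqlite3 module in one transaction, returning the number of rows changed and any listed hashes that were not found, plus an audit query to confirm nothing listed is still trusted. It assumes the cert_issuer table has the issuer_hash and status columns used by the script above; the database rows below are constructed sample data, not a real Content Gateway database, and only three of the advisory's hashes are used.

```python
# Added example, not the advisory's own script. Table layout follows the
# UPDATE statement on the page; rows and the pre-fix status are constructed.
import sqlite3
from typing import Iterable, List, Tuple

DENY_STATUS = 0     # the value written by the advisory's UPDATE statement
PRE_FIX_STATUS = 2  # constructed placeholder for a still-trusted issuer

# Three issuer hashes from the advisory's list plus one constructed,
# unrelated CA that must remain untouched.
LISTED = ["20533f91_0FFF", "46f053f0_0FFF", "cee8e824_0FFF"]
UNRELATED = "constructed_unrelated_0FFF"


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for new_scip3.db; constructed, two listed hashes
    are present and the third is deliberately absent."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cert_issuer "
                 "(issuer_hash TEXT PRIMARY KEY, status INTEGER)")
    rows = [(LISTED[0], PRE_FIX_STATUS), (LISTED[1], PRE_FIX_STATUS),
            (UNRELATED, PRE_FIX_STATUS)]
    conn.executemany("INSERT INTO cert_issuer VALUES (?, ?)", rows)
    conn.commit()
    return conn


def deny_issuers(conn: sqlite3.Connection, hashes: Iterable[str],
                 deny_status: int = DENY_STATUS) -> Tuple[int, List[str]]:
    """Set status for every listed hash in one transaction (rolled back on
    error). Returns (rows changed, listed hashes not present in the table)."""
    hashes = list(hashes)
    marks = ",".join("?" * len(hashes))
    with conn:
        present = {r[0] for r in conn.execute(
            f"SELECT issuer_hash FROM cert_issuer WHERE issuer_hash IN ({marks})",
            hashes)}
        cur = conn.execute(
            f"UPDATE cert_issuer SET status = ? WHERE issuer_hash IN ({marks})",
            [deny_status, *hashes])
    return cur.rowcount, [h for h in hashes if h not in present]


def not_denied(conn: sqlite3.Connection, hashes: Iterable[str],
               deny_status: int = DENY_STATUS) -> List[str]:
    """Audit: listed hashes present in the table whose status is not deny."""
    hashes = list(hashes)
    marks = ",".join("?" * len(hashes))
    rows = conn.execute(
        f"SELECT issuer_hash FROM cert_issuer WHERE issuer_hash IN ({marks}) "
        "AND status != ? ORDER BY issuer_hash", [*hashes, deny_status])
    return [r[0] for r in rows.fetchall()]


def status_of(conn: sqlite3.Connection, issuer_hash: str):
    row = conn.execute("SELECT status FROM cert_issuer WHERE issuer_hash = ?",
                       (issuer_hash,)).fetchone()
    return None if row is None else row[0]
```

Against the real database, compare the returned row count with the number of hashes in the script and treat a non-empty "missing" list as a sign the listed hashes do not match that installation.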