[SECURITY] [DSA 3561-1] subversion security update

2016-04-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3561-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 29, 2016                        https://www.debian.org/security/faq
- -

Package: subversion
CVE ID : CVE-2016-2167 CVE-2016-2168

Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2016-2167

Daniel Shahaf and James McCoy discovered that an implementation
error in the authentication against the Cyrus SASL library would
permit a remote user to specify a realm string which is a prefix of
the expected realm string, potentially allowing a user to
authenticate using the wrong realm.

CVE-2016-2168

Ivan Zhakov of VisualSVN discovered a remotely triggerable denial
of service vulnerability in the mod_authz_svn module during COPY or
MOVE authorization check. An authenticated remote attacker could
take advantage of this flaw to cause a denial of service
(Subversion server crash) via COPY or MOVE requests with a specially
crafted header.

For the stable distribution (jessie), these problems have been fixed in
version 1.8.10-6+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.4-1.

We recommend that you upgrade your subversion packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-



SQL Injection in GLPI

2016-04-29 Thread High-Tech Bridge Security Research
Advisory ID: HTB23301
Product: GLPI
Vendor: INDEPNET 
Vulnerable Version(s): 0.90.2 and probably prior
Tested Version: 0.90.2
Advisory Publication:  April 8, 2016  [without technical details]
Vendor Notification: April 8, 2016 
Vendor Patch: April 11, 2016 
Public Disclosure: April 29, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk SQL injection 
vulnerability in GLPI, a popular Information Resource Manager (IRM) system. IRM 
systems are usually used for management and audit of software packages, 
providing an ITIL-compliant service desk. The vulnerability allows a remote 
non-authenticated attacker to execute arbitrary SQL queries, read and write 
data to the application's database and completely compromise the vulnerable 
system.

The vulnerability exists due to insufficient filtering of user-supplied data 
passed via the "page_limit" HTTP GET parameter to the 
"/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker 
can alter the existing SQL query and inject and execute arbitrary SQL commands 
in the application's database.

Below is a simple SQL Injection exploit, which uses a time-based exploitation 
technique. The page load time will be significantly higher if the MySQL 
version is 5.X or later:

http://[host]/ajax/getDropdownConnect.php?fromtype=Computer=Computer=1_limit=1%20PROCEDURE%20analyse%28%28select%20extractvalue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%20BENCHMARK%28500,SHA1%281%29%29,1%29%29%29%29%29,1%29


---

Solution:

Update to GLPI 0.90.3

More Information:
http://www.glpi-project.org/spip.php?page=annonce_breve=358=en
https://github.com/glpi-project/glpi/issues/581

---

References:

[1] High-Tech Bridge Advisory HTB23301 - 
https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
[2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource 
Manager with an additional Administration Interface.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
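
The advisory above describes the root cause as the "page_limit" request parameter being used without filtering inside a SQL query. The block below is an added illustration, not GLPI's code: it contrasts the vulnerable pattern (the parameter concatenated into the LIMIT clause) with the hardened one (strict integer validation followed by parameter binding), run against a constructed in-memory SQLite table. The table schema, the `item` rows and the function names are assumptions made for the example; the rejected payload is the value from the advisory's URL, decoded.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for the real GLPI table (the schema is not on the page).
SAMPLE_ROWS = [("alpha",), ("bravo",), ("charlie",)]

# The page_limit value from the advisory's proof-of-concept URL, URL-decoded.
ADVISORY_PAYLOAD = unquote(
    "1%20PROCEDURE%20analyse%28%28select%20extractvalue%28rand%28%29,concat%280x3a,"
    "%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%20BENCHMARK%28500,SHA1%281%29%29,"
    "1%29%29%29%29%29,1%29"
)


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed table (assumption: illustrative schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?)", SAMPLE_ROWS)
    return conn


def rows_unsafe(conn: sqlite3.Connection, page_limit: str) -> list:
    """Vulnerable pattern: the request parameter becomes query text verbatim.
    Anything the client appends after the number is parsed as SQL."""
    sql = f"SELECT name FROM item ORDER BY name LIMIT {page_limit}"
    return [row[0] for row in conn.execute(sql)]


def parse_page_limit(raw: str, max_limit: int = 100) -> int:
    """Hardened input handling: only a canonical unsigned decimal integer in a sane
    range is accepted. str.isdigit() rejects spaces, signs, parentheses and keywords."""
    if not raw.isdigit():
        raise ValueError(f"page_limit must be a positive integer, got {raw!r}")
    value = int(raw)
    if not 1 <= value <= max_limit:
        raise ValueError(f"page_limit out of range: {value}")
    return value


def rows_safe(conn: sqlite3.Connection, page_limit: str) -> list:
    """Hardened pattern: validate first, then bind the value as a query parameter so
    the database only ever sees a number, never attacker-controlled query text."""
    limit = parse_page_limit(page_limit)
    sql = "SELECT name FROM item ORDER BY name LIMIT ?"
    return [row[0] for row in conn.execute(sql, (limit,))]


def rejects(raw: str) -> bool:
    """True if the hardened validator refuses the given page_limit string."""
    try:
        parse_page_limit(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A harmless suffix is enough to show the problem: "1 OFFSET 1" silently
    # changes which row the client receives in the vulnerable variant.
    print("unsafe, '1 OFFSET 1':", rows_unsafe(db, "1 OFFSET 1"))
    print("safe,   '2':         ", rows_safe(db, "2"))
    print("advisory payload rejected:", rejects(ADVISORY_PAYLOAD))
```

The benign suffix `1 OFFSET 1` is used in the vulnerable call on purpose: it shows that the query's meaning is under the client's control without needing anything database-specific, which is the same defect the advisory's MySQL-only payload relies on. The fix has two independent layers, and both matter: the allow-list check stops the request at the edge, and the bound parameter means that even a validation slip cannot turn the value into SQL.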



Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability

2016-04-29 Thread Vulnerability Lab
Document Title:
===
Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1839


Release Date:
=
2016-04-29


Vulnerability Laboratory ID (VL-ID):

1839


Common Vulnerability Scoring System:

3.3


Product & Service Introduction:
===
CactusThemes is an experienced and passionate web design team with over 8 years 
working together designing and developing themes and plugins. Our goal is to 
create the best WordPress themes for education, event, news, etc. and meet all 
your needs. 

(Copy of the Homepage: http://www.cactusthemes.com/#themes )


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered a client-side 
cross site scripting vulnerability in the official Wordpress Truemag Theme.


Vulnerability Disclosure Timeline:
==
2016-04-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

CactusThemes 
Product: Truemag Theme (Wordpress) - Theme (Web-Application) 2016 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A client-side cross site scripting web vulnerability has been discovered in the 
official Wordpress Truemag Theme web-application.
The non-persistent vulnerability allows remote attackers to inject their own 
malicious script code into the client-side application via browser requests.

The client-side cross site scripting vulnerability is located in the `s` value 
of the page module GET method request. Remote attackers are able to inject 
their own malicious script code into the client side of the online service 
web-application to compromise user session information or data. The request 
method to execute is GET and the attack vector is non-persistent. 

The security risk of the client-side web vulnerability is estimated as medium 
with a CVSS (common vulnerability scoring system) score of 3.3.
Exploitation of the non-persistent web vulnerability requires no privileged web 
application user account and low user interaction (click link). 
Successful exploitation of the vulnerability results in session hijacking, 
non-persistent phishing, non-persistent external redirects, 
non-persistent loading of malicious script code or non-persistent web module 
context manipulation.

Request Method(s):
[+] GET

Vulnerable Service(s):
[+] Truemag Theme (Wordpress)

Vulnerable Module(s):
[+] /wp-contact/theme/truemag

Vulnerable Parameter(s):
[+] s


Proof of Concept (PoC):
===
The remote cross site scripting vulnerability can be exploited by remote 
attackers without a privileged web-application user account and with low user 
interaction. For security demonstration or to reproduce the vulnerability, 
follow the provided information and steps below.

Dork(s):
inurl: /wp-contact/theme/truemag

PoC: Payload
">%20alert(document.cookie)


PoC: Example
http://wp.localhost:8080/?s=[CLIENT SIDE CROSS SITE SCRIPTING VULNERABILITY!]


PoC: Exploitation
http://wp.localhost:8080/?s=;>%20alert(document.cookie)


Reference(s):
http://wp.localhost:8080/?s=


Solution - Fix & Patch:
===
The vulnerability can be patched by securely parsing and encoding the vulnerable 
`s` value in the webpage GET method request.
Encode the parameter and restrict the value input to prevent further script 
code injection attacks.


Security Risk:
==
The security risk of the client-side cross site scripting web vulnerability in 
the vulnerable `s` value is estimated as medium. (CVSS 3.3)


Credits & Authors:
==
Iran Cyber Security Group - 0x3a (ICG SEC) [Iran-Cyber.Net] 
[http://www.vulnerability-lab.com/show.php?user=Iran%20Cyber%20Security]
Special Thanks: root3r


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages, even if Vulnerability-Lab or its suppliers 
have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation of liability for consequential or incidental 
damages so the foregoing limitation may not apply. We do not approve or 
encourage anybody to break any licenses, 
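
The "Solution - Fix & Patch" section above prescribes encoding the `s` value before it is written back into the page. The following block is an added example and not Truemag's or WordPress's code: it builds a constructed search-form template, echoes the advisory's payload string into the `value` attribute once verbatim and once with attribute-context HTML encoding, and then parses both results the way a browser would to show where the payload ends up. The template, `render_search_box` and `parse_as_browser` are assumptions made for the example; the payload is the string quoted in the advisory (the mail archive has already stripped its tags, but the leading quote and angle bracket are what break out of the attribute).

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Payload as quoted in the advisory, URL-decoded.
ADVISORY_PAYLOAD = unquote('">%20alert(document.cookie)')


def render_search_box(query: str, encode: bool) -> str:
    """Constructed stand-in for a theme search form (not Truemag's template).
    encode=False echoes the `s` parameter verbatim, the defect described above;
    encode=True applies attribute-context HTML encoding, the prescribed fix."""
    value = html.escape(query, quote=True) if encode else query
    return f'<form method="get"><input type="text" name="s" value="{value}"></form>'


class _FormInspector(HTMLParser):
    """Collects the value attribute of every <input> plus any text that the
    parser treats as page content rather than as part of a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.input_values = []
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))

    def handle_data(self, data):
        self.stray_text += data


def parse_as_browser(markup: str) -> tuple:
    """Returns (value attribute of the input, text that leaked out of the attribute).
    A correct encoding round-trips the original string and leaks nothing."""
    inspector = _FormInspector()
    inspector.feed(markup)
    inspector.close()
    value = inspector.input_values[0] if inspector.input_values else None
    return value, inspector.stray_text.strip()


def attribute_survives(query: str, encode: bool) -> bool:
    """True if the whole query stays inside the value attribute after rendering."""
    value, leaked = parse_as_browser(render_search_box(query, encode))
    return value == query and leaked == ""


if __name__ == "__main__":
    for encode in (False, True):
        markup = render_search_box(ADVISORY_PAYLOAD, encode)
        print(f"encode={encode}: {markup}")
        print("   parsed as:", parse_as_browser(markup))
```

`html.escape(..., quote=True)` is the right encoder for a double-quoted attribute; a value written into a JavaScript string, a URL or a style block needs the encoder for that context instead, which is why the advisory's wording of "parse and encode" matters. In WordPress-based code the equivalent building blocks are `esc_attr()` and `get_search_query()`, which escapes by default.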

Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream

2016-04-29 Thread Stefan Kanthak
Hi @ll

despite better knowledge and MULTIPLE bug/vulnerability reports
(see ,
, 
, ...)
Mozilla continues to ship Firefox and Thunderbird for Windows with
a vulnerable executable installer.


Proof of concept/demonstration:
~~~

1. visit , download
    and save
   it as ShimEng.dll in your "Downloads" folder, then copy it as
   WinMM.dll, SetupAPI.dll, MSACM32.dll, UXTheme.dll, DWMAPI.dll,
   ShFolder.dll, RichEd20.dll, ClbCatQ.dll, COMRes.dll, Version.dll,
   SAMCli.dll, SFC.dll, SFC_OS.dll, UserEnv.dll, ProfAPI.dll, MPR.dll,
   NTMarta.dll, Secur32.dll and CryptSP.dll

2. download any full-package installer for Firefox or Thunderbird
   from 
   or 
   (these are self-extractors built with 7-zip)

3. extract setup.exe from the downloaded self-extractor and save it
   in your "Downloads" folder, for example using the command line
  7za.exe x  setup.exe

   (or start the downloaded self-extractor, find the temporary
   subdirectory 7z*.tmp it created below %TEMP% and copy setup.exe
   from this subdirectory to your "Downloads" folder)

4. execute the extracted/copied setup.exe and notice the message
   boxes displayed from the DLL(s) downloaded in step 1:

PWNED!


See ,
 plus
 for the
well-known and well-documented DLL search path vulnerability.


Mitigation:
~~~
Stay away from Mozilla's crapware until Mozilla starts to develop
a sense for the basics of software engineering as well as the safety
and security of their users^Wvictims: the authors of the 3rd party
installer fixed these vulnerabilities about 4 months ago!


JFTR: the vulnerable executable installer is not the only outdated
  3rd party component used to build Firefox and Thunderbird!
  Mozilla even uses different versions of this vulnerable
  executable installer for Firefox and Firefox ESR.


See 
why you should NEVER name any executable (installer) setup.exe!


stay tuned
Stefan Kanthak


PS: Mozilla fixed the same vulnerabilities in their executable self-
extractor long ago (see for example
 or
), but
apparently did not send their fixes to the author of this tool.


[security bulletin] HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote Denial of Service (DoS)

2016-04-29 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05087821

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05087821
Version: 1

HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote
Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-04-28
Last Updated: 2016-04-28

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the HP-UX BIND
service running named. These vulnerabilities could be exploited remotely to
create a Denial of Service (DoS).

References:

  - CVE-2016-1285
  - CVE-2016-1286
  - PSRT110084

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX BIND B.11.31 BIND 9.9.4 prior to C.9.9.4.7.0

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                      Base Score
  CVE-2016-1285   (AV:N/AC:L/Au:N/C:N/I:N/A:C)     7.8
  CVE-2016-1286   (AV:N/AC:L/Au:N/C:N/I:N/A:C)     7.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided the following software updates to resolve the vulnerability
in the HP-UX BIND service running named.

  - BIND 9.9.4 for HP-UX Release B.11.31 (PA and IA)

Depot: HP_UX_11.31_HPUX-NameServer_C.9.9.4.7.0_HP-UX_B.11.31_IA_PA.depot

  **Note:** The depot files can be found here:

  

MANUAL ACTIONS: Yes - Update
Download and install the software update

PRODUCT SPECIFIC INFORMATION

**HP-UX Software Assistant:** HP-UX Software Assistant is an enhanced
application that replaces HP-UX Security Patch Check. It analyzes all Security
Bulletins issued by HPE and lists recommended actions that may apply to a
specific HP-UX system. It can also download patches and create a depot
automatically. For more information see:


The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31 IA/PA
===
NameService.BIND-AUX
NameService.BIND-RUN
action: install C.9.9.4.7.0 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 28 April 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP nor its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJXIkQoAAoJEGIGBBYqRO9/VboH/iMBsXcNVn4zisOE+oWQm/EG
9ZXlg6pNU8uhNOPz0ezpVdqsZG3c47jFRCJSkURSqPEN/YfoeMoBBzYl06Mqz3kI