[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Multiple SQL Injection Vulnerabilities

2012-12-23 Thread YGN Ethical Hacker Group
1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to SQL Injection.


2. BACKGROUND

CubeCart is an out of the box ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly set up a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an attacker
to conduct SQL Injection attacks. This could allow an attacker to inject or
manipulate SQL queries in the back-end database, allowing for the
manipulation or disclosure of arbitrary data.


4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)


5. Affected URLs and Parameters

/cube/admin/products/extraCats.php (add parameter)
/cube/admin/products/index.php (cat_id parameter)
/cube/admin/products/index.php (category parameter)
/cube/admin/products/index.php (orderCol parameter)
/cube/admin/products/index.php (orderDir parameter)
/cube/admin/products/options.php (masterProduct parameter)
/cube/admin/settings/currency.php (active parameter)


6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance cycle
2012-12-22: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_3.0.20_3.0x%5D_sqli
CubeCart Home Page: http://cubecart.com/


#yehg [2012-12-22]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] dyne_bolic hacked?

2012-12-23 Thread blackhatz
Anyone seen this yet? It's been floating around IRC tonight. Supposed to be
Dyne.org (the people who make the Dyne_Bolic OS) hacked. Good thing I use
BSD!

Title: EGO[0] zine
Link: http://pastebin.com/NnJ19iPz



[Full-disclosure] [ MDVSA-2012:182 ] apache-mod_security

2012-12-23 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:182
 http://www.mandriva.com/security/
 ___

 Package : apache-mod_security
 Date: December 23, 2012
 Affected: 2011.
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 apache-mod_security:
 
 ModSecurity before 2.6.6, when used with PHP, does not properly handle
 single quotes not at the beginning of a request parameter value in
 the Content-Disposition field of a request with a multipart/form-data
 Content-Type header, which allows remote attackers to bypass filtering
 rules and perform other attacks such as cross-site scripting (XSS)
 attacks. NOTE: this vulnerability exists because of an incomplete
 fix for CVE-2009-5031 (CVE-2012-2751).
 
 ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part
 ruleset bypass, this was fixed in 2.7.0 (released on 2012-10-16)
 (CVE-2012-4528).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2751
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
 ___

 Updated Packages:

 Mandriva Linux 2011:
 97ce3bb44e48983170bd6f112a578c3c  
2011/i586/apache-mod_security-2.6.1-1.1-mdv2011.0.i586.rpm
 044aa147cd2c9b4989f47a74d04f3a62  2011/i586/mlogc-2.6.1-1.1-mdv2011.0.i586.rpm 
 4657a73f501344810c72d76c58532190  
2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm

 Mandriva Linux 2011/X86_64:
 d5e55155f32a9118977a96ea86efe1cf  
2011/x86_64/apache-mod_security-2.6.1-1.1-mdv2011.0.x86_64.rpm
 61d99efd771a68bb801b602294ce6efb  
2011/x86_64/mlogc-2.6.1-1.1-mdv2011.0.x86_64.rpm 
 4657a73f501344810c72d76c58532190  
2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQ10wDmqjQ0CJFipgRAps5AJ4qK+9Wd2lVri03D+VVzWRgksdTkgCeOOeZ
jnUCJwVJ+dnG0N7muIDsCFM=
=u8HT
-----END PGP SIGNATURE-----



[Full-disclosure] [ MDVSA-2012:183 ] apache-mod_security

2012-12-23 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:183
 http://www.mandriva.com/security/
 ___

 Package : apache-mod_security
 Date: December 23, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in
 apache-mod_security:
 
 ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part
 ruleset bypass, this was fixed in 2.7.0 (released on 2012-10-16)
 (CVE-2012-4528).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 18413b1e0520660d62de9e65fb2481ce  
mes5/i586/apache-mod_security-2.5.12-0.3mdvmes5.2.i586.rpm
 6bd19e22c13a4b5aca610c6a7049792a  mes5/i586/mlogc-2.5.12-0.3mdvmes5.2.i586.rpm 
 70689b90d15d7fba2ae35c8a4c40a960  
mes5/SRPMS/apache-mod_security-2.5.12-0.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 bea5768d5f9a05b8d53426708ac7362d  
mes5/x86_64/apache-mod_security-2.5.12-0.3mdvmes5.2.x86_64.rpm
 eea9adbbbfed5e5514a0370d2ff5b4c7  
mes5/x86_64/mlogc-2.5.12-0.3mdvmes5.2.x86_64.rpm 
 70689b90d15d7fba2ae35c8a4c40a960  
mes5/SRPMS/apache-mod_security-2.5.12-0.3mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQ1076mqjQ0CJFipgRAmksAJ0S6kPArq56K3HgMfddaQaG7VXjIgCfTkHS
o+UKMo90pYCRMwVLHAzLh6Y=
=d+2j
-----END PGP SIGNATURE-----



[Full-disclosure] Wordpress Remote Exploit - W3 Total Cache

2012-12-23 Thread Jason A. Donenfeld
Hi all,

From the developers' description [1], W3 Total Cache is:

 The most complete WordPress performance framework.
 Recommended by web hosts like: MediaTemple, Host Gator, Page.ly and WP Engine 
 and countless more.
 Trusted by countless sites like: stevesouders.com, mattcutts.com, 
 mashable.com, smashingmagazine.com, makeuseof.com, yoast.com, kiss925.com, 
 pearsonified.com, lockergnome.com, johnchow.com, ilovetypography.com, 
 webdesignerdepot.com, css-tricks.com and tens of thousands of others.
 W3 Total Cache improves the user experience of your site by improving your 
 server performance, caching every aspect of your site, reducing the download 
 times and providing transparent content delivery network (CDN) integration.
 Downloads: 1,388,876
 Ratings: 4.6 out of 5 stars

Unfortunately, it's frequently incorrectly deployed. When I set it up
by going to the Wordpress panel and choosing add plugin and
selecting the plugin from the Wordpress Plugin Catalog (or whatever),
it left two avenues of attack open:

1) Directory listings were enabled on the cache directory, which means
anyone could easily recursively download all the database cache keys,
and extract ones containing sensitive information, such as password
hashes. A simple google search of
inurl:wp-content/plugins/w3tc/dbcache and maybe some other magic
reveals this wasn't just an issue for me. As W3 Total Cache already
futzes with the .htaccess file, I see no reason for it not to add
Options -Indexes to it upon installation. I haven't read any W3
documentation, so it's possible this is a known and documented
misconfiguration, but maybe not.

2) Even with directory listings off, cache files are by default
publicly downloadable, and the key values / file names of the database
cache items are easily predictable. Again, it seems odd that deny
from all isn't added to the .htaccess file. Maybe it's documented
somewhere that you should secure your directories, or maybe it isn't;
I'm not sure.

If I had to categorize these holes, I'd say they're due to
misconfiguration, but I figure it's relevant to write in to
full-disclosure & webappsec because I'm usually not horrible with
configuring things and I made these mistakes several times without
realizing. I'm copying the author on this email, as he may want to
include a warning message where naive folks like myself can see it, or
document these somewhere if they're not already, or at least apply the
two .htaccess tweaks mentioned above.

Anyway I put together a short and simple shell script that works
pretty decently against my own various wordpress websites, and
exploits the configuration error in point (2) above. Exploiting point
(1) can be done with wget & grep and is even more dull than the below
exploit.


W3 Total Fail

Exploit for point (2):
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh  (Read the
entire usage message.)

Screencast for point (2):
http://git.zx2c4.com/w3-total-fail/plain/screencast.ogv or
https://www.youtube.com/watch?v=sqZ_zYLFDSo




Merry Christmas.


- Jason
  zx2c4



[1] http://wordpress.org/extend/plugins/w3-total-cache/
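Added example, not Jason's script and not code from the W3 Total Cache project: a small POSIX sh audit that checks a cache directory's .htaccess for the two hardenings the post recommends (Options -Indexes for point (1), deny from all for point (2)). The cache directory path is an assumption taken from the post's search query; adjust it for your own install.

```shell
#!/bin/sh
# Added example (not from the post or the W3 Total Cache project): audit a
# W3 Total Cache cache directory for the two .htaccess hardenings the post
# recommends. The directory path is an assumption; the post's google dork
# suggests wp-content/plugins/w3tc/dbcache, but check your own install.

# w3tc_audit DIR  -> prints findings; returns 0 if hardened, 1 otherwise
w3tc_audit() {
    ht="$1/.htaccess"
    status=0
    if [ ! -f "$ht" ]; then
        echo "MISSING: $ht (listing and direct download both possible)"
        return 1
    fi
    # Point (1): directory listings must be switched off.
    if ! grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
        echo "WEAK: $ht lacks 'Options -Indexes' (directory listing enabled)"
        status=1
    fi
    # Point (2): cache files must not be web-readable even when listings are
    # off, since the file names are predictable. Accept the Apache 2.2 form
    # ("Deny from all") or the 2.4 form ("Require all denied").
    if ! grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$ht"; then
        echo "WEAK: $ht does not deny direct access (cache keys downloadable)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $1 is hardened"
    fi
    return "$status"
}

# Constructed sample: one directory with only listings off (point 2 still
# open) and one with both directives present.
tmp=$(mktemp -d)
mkdir -p "$tmp/weak/dbcache" "$tmp/good/dbcache"
printf 'Options -Indexes\n' > "$tmp/weak/dbcache/.htaccess"
printf 'Options -Indexes\nOrder deny,allow\nDeny from all\n' \
    > "$tmp/good/dbcache/.htaccess"
w3tc_audit "$tmp/weak/dbcache" || :
w3tc_audit "$tmp/good/dbcache"
rm -rf "$tmp"
```

Run it against each cache directory W3 Total Cache writes to; a missing .htaccess is reported the same way as a weak one, since both leave the cache keys fetchable.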
