[Full-disclosure] [SECURITY] [DSA 2655-1] rails security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2655-1                    secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
March 28, 2013                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rails
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2932 CVE-2012-3464 CVE-2012-3465 CVE-2013-1854
                 CVE-2013-1855 CVE-2013-1857

Several cross-site-scripting and denial of service vulnerabilities were
discovered in Ruby on Rails, a Ruby framework for web application
development.

For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.

For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in version 3.2.6-5 of ruby-activerecord-3.2,
version 2.3.14-6 of ruby-activerecord-2.3, version 2.3.14-7 of
ruby-activesupport-2.3, version 3.2.6-6 of ruby-actionpack-3.2 and in
version 2.3.14-5 of ruby-actionpack-2.3.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFUbH8ACgkQXm3vHE4uylpsqQCfX695TQww9jB4MtB0rPE8hzzb
ZgAAoIjUMa20xfUcvUe0l88L2tsJ7GSu
=Y08N
-----END PGP SIGNATURE-----
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Paypal Bug Bounty #5 - Persistent Web Vulnerability
Title:
======
Paypal Bug Bounty #5 - Persistent Web Vulnerability


Date:
=====
2013-03-02


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=639

PayPal Security UID: tob141irj


VL-ID:
=====
639


Common Vulnerability Scoring System:
====================================
3.3


Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders.

Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's
choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded
a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources
according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within
that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still
attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a
balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or
Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding
sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal,
establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which
it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the
currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the
recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer
and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California,
United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha,
Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and
Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese
consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year
2010. Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by
Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the
publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Web Vulnerability in the official Paypal Plaze ecommerce website
application.


Report-Timeline:
================
2012-06-30: Researcher Notification & Coordination
2012-06-30: Vendor Notification
2012-07-02: Vendor Response/Feedback
2013-01-15: Vendor Fix/Patch
2013-02-03: Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent input validation vulnerability is detected in the official Paypal ecommerce website content management system.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).

The persistent vulnerability is located in the Gift eCard module with the bound vulnerable title or message parameters.
Exploitation requires low user interaction or a privileged application user account for local exploitation. Successful
exploitation of the vulnerability can lead to session hijacking (admin), account theft via persistent web attack or stable
(persistent) context manipulation.

Vulnerable Module(s):
                        [+] Send an eCard - eCard/GiftCard Listing

Vulnerable Parameter(s):
                        [+] Greeting Title
                        [+] Greeting Message


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers or local privileged user accounts with low required user
interaction. For demonstration or reproduce ...
[Full-disclosure] Paypal Bug Bounty #46 - Persistent Web Vulnerability
Title:
======
Paypal Bug Bounty #46 - Persistent Web Vulnerability


Date:
=====
2013-03-28


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=805

PayPal Security UID: esj1f86plc


VL-ID:
=====
805


Common Vulnerability Scoring System:
====================================
4.3


Introduction:
=============
PayPal offers, both companies and individuals, a simple, quick and innovative solution of receiving money and making payments
online. In ten years time, this company has become an authority in this market. Online buyers, eBay vendors, online stores
and even the traditional offline companies. The number of users who trust PayPal with their transactions, continues to grow.
175 million PayPal accounts worldwide are certainly proof of that. PayPal uses a unique and extremely advanced system to
prevent fraud, which guarantees a completely reliable and safe solution for real time payments online.

GP+ objectively analyzes and assesses the quality and findability of online stores and, at the same time, examines the
possibilities to avoid attrition in the sales process. The base of this analysis is formed by: Google, Yahoo! and Microsoft
Live, the W3C, Lipperhey in house research, governments, renowned trade publications, worldwide specialists pool and research
done by PayPal into the characteristics of the most successful online stores worldwide.

(Copy of the Vendor Homepage: https://www.paypal-gpplus.com/en/about/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a web session vulnerability in the official PayPal GP+ Web Application
Service.


Report-Timeline:
================
2013-01-01: Researcher Notification & Coordination
2013-01-02: Vendor Notification
2013-01-12: Vendor Response/Feedback
2013-03-26: Vendor Fix/Patch
2013-03-28: Public Disclosure


Status:
========
Published


Affected Products:
==================
PayPal Inc
Product: GP+ - Application Service 2013 Q1


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent input validation web vulnerability is detected in the official Paypal GP+ service application for analyzing
websites. The vulnerability is located in the pop up message of the delete button where the name of the website that has
been analyzed is not sanitized, hence the malicious code gets executed. The delete button is located in two different places,
which are the `Recent analysis` and `all analysis` listings.

Exploitation of the vulnerability requires low user interaction. Successful exploitation of the vulnerability results in
persistent session hijacking, persistent phishing, persistent external redirects, persistent external malware loads via
inject and persistent vulnerable module web context manipulation.

Vulnerable Section(s):
                        [+] Paypal GP+ - (https://www.paypal-gpplus.com/en/dashboard/all/)

Vulnerable Module(s):
                        [+] Analyze a new website

Vulnerable Parameter(s):
                        [+] Website field out of the pop up message

Affected Module(s):
                        [+] Recent Analysis - All Analysis


Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without user interaction and without a privileged application user
account. For demonstration or reproduce ...

PoC:
The attacker should go and insert the malicious code in the field of the website he would like to search. After that, he
should click on Scan URL. The scan will generate an error because the url is invalid, but when the user goes back to his
dashboard and chooses Recent Analysis/All Analysis, and he stops with his mouse pointer on the delete icon in the page, the
malicious code will be executed.

URL: https://www.paypal-gpplus.com/en/dashboard/all/

Code Review:

<td></td>
<td><a href="https://www.paypal-gpplus.com/en/dashboard/analysis/2727753/">[PERSISTENT INJECTED SCRIPT CODE!]</a></td>
<td><div class="more-options"></div></td>
<td colspan="6">An error has occurred!</td>
</tr>
<tr id="tr-2727749" class="tr-row">
<td></td>
<td><a href="https://www.paypal-gpplus.com/en/dashboard/analysis/2727749/">[PERSISTENT INJECTED SCRIPT CODE!]</a>


Risk:
=====
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [st...@vulnerability-lab.com] [iel-sayed.blogspot.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if
[Full-disclosure] MailOrderWorks v5.907 - Multiple Web Vulnerabilities
Title:
======
MailOrderWorks v5.907 - Multiple Web Vulnerabilities


Date:
=====
2013-01-02


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=798


VL-ID:
=====
796


Common Vulnerability Scoring System:
====================================
4.5


Introduction:
=============
Mail order management and stock control is easy with MailOrderWorks. MailOrderWorks (aka MOW) is an easy to use mail order
software and stock control system that supports multiple users, but is also ideal for single person companies too. Our
software allows you and your staff to access the same information, at the same time, from anywhere - even if you're not in
the same office or building. It's affordable, easy to use, allows integration and is easily expandable for more users. It's
free to try too.

(Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php )


Abstract:
=========
The Vulnerability-Laboratory Research Team discovered multiple web vulnerabilities in MailOrderWorks v5.907, Mail order
management application.


Report-Timeline:
================
2012-12-26: Public Disclosure


Status:
========
Published


Affected Products:
==================
2Dmedia
Product: MailOrderWorks 5.907


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent web vulnerabilities are detected in the MailOrderWorks v5.907, Mail order management application.
The vulnerability allows an attacker to inject own malicious script code in the vulnerable modules on application side
(persistent).

The vulnerabilities mainly exist in the create document/print module. The module doesn't validate the file context when
processing to create. For example, if we are creating a products summary, the print module (vulnerable) doesn't check the
products titles, and creates the document with the injected malicious code inside.

1.1
The first vulnerability is located in the `dispatch order` module. The attacker can create an order by injecting the
malicious code in the vulnerable customer parameters which are firstname, lastname, custom A1 and custom A2. For the
malicious code to get executed, the target user should go to the `dispatch order` module, `Open Batch screen` and then click
`start`. The output file executes the malicious script code while creating the malicious order via add.

1.2
The second vulnerability is located in the `reports and exports` module. The attacker can create an order, injecting
malicious code into the vulnerable parameters in it. The malicious code will be executed when the user chooses the orders
and creates a report about them. The vulnerability also can be executed from creating a report about the products. The
attacker can create a product with injecting malicious code in the vulnerable parameters which are SKU, Title and Group.
When the user creates a report about the products, the malicious code will be executed out of the context from the report
file.

1.3
The persistent input validation vulnerability is located in the `Create/View issue` in the show/add orders modules. The
attacker can inject malicious codes in different vulnerable parameters which are Reason/fault, Resolution, Issue Notes and
Order notes. Whenever the user clicks on `print issue document` a file will be generated and it includes the malicious codes,
where they get executed.

1.4
The final persistent cross-site scripting vulnerability is very critical because it gets injected in every file that is being
generated from the MailOrderWorks (MOW). The vulnerability is located in the settings of the application where the attacker
can inject a malicious code inside the company profiles in the vulnerable fields which are Company Name and Address. Whenever
a user generates any page, the malicious code will be executed because the fields `company name` and `company address` are
included in every page that is generated by MOW.

The vulnerability can be exploited with a privileged application user account and low or medium required user interaction.
Successful exploitation of the vulnerability results in persistent/non-persistent session hijacking, persistent/non-persistent
phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation.

Vulnerable Service(s):
                        [+] MailOrderWorks (5.907)

Vulnerable Section(s):
                        [+] New Order
                        [+] Add new Product
                        [+] View Orders
                        [+] Settings

Vulnerable Module(s):
                        [+] Customer
                        [+] Add new Product
                        [+] View Orders = Done = Create/View Issue
                        [+] Company Settings

Vulnerable Parameter(s):
                        [+] [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom
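Added example, not code from any of the three Vulnerability-Lab advisories above nor from PayPal, GP+ or MailOrderWorks: the
eCard greeting title/message (#5), the GP+ delete-button popup (#46) and the MailOrderWorks generated documents all describe
the same defect, a user-supplied string concatenated into HTML (and, in the GP+ case, into an inline event handler) without
output encoding. The block renders one dashboard row the vulnerable way and the hardened way. The row layout, the
showPopup() handler name, the entry fields and the sample payload are assumptions made for illustration.

```javascript
// Added example: context-aware output encoding for the stored-XSS pattern
// described in the advisories above. The markup, the showPopup() handler,
// the entry fields and the payload are assumed; nothing here is vendor code.

// Encode a value for an HTML text node or a double-quoted HTML attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode a value that ends up inside a JavaScript string literal inside an
// inline event-handler attribute. The browser decodes the attribute value
// first, then parses it as JS, so the encoding is applied in reverse order:
// JSON-encode for the JS string context, then HTML-encode the result.
function escapeJsStringInAttr(value) {
  return escapeHtml(JSON.stringify(String(value)));
}

// VULNERABLE: the user-controlled site name is spliced straight into the
// anchor text and into the popup message of the delete icon, the two places
// the GP+ advisory points at. Hovering the icon runs whatever was injected.
function renderRowVulnerable(entry) {
  return (
    `<tr id="tr-${entry.id}" class="tr-row">` +
    `<td><a href="/en/dashboard/analysis/${entry.id}/">${entry.site}</a></td>` +
    `<td><a href="#" onmouseover="showPopup('Delete ${entry.site}?')">x</a></td>` +
    `</tr>`
  );
}

// HARDENED: every dynamic value is encoded for the context it lands in, and
// the id is type-checked because it is interpolated into an id attribute and
// into a URL path where encoding alone would not make it safe.
function renderRowHardened(entry) {
  const id = Number(entry.id);
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError("analysis id must be a non-negative integer");
  }
  const site = escapeHtml(entry.site);
  const popupMessage = escapeJsStringInAttr(`Delete ${entry.site}?`);
  return (
    `<tr id="tr-${id}" class="tr-row">` +
    `<td><a href="/en/dashboard/analysis/${id}/">${site}</a></td>` +
    `<td><a href="#" onmouseover="showPopup(${popupMessage})">x</a></td>` +
    `</tr>`
  );
}

// Constructed sample input (not taken from the advisory): a "website" value
// carrying a text-context payload plus a breakout from the single-quoted JS
// string inside onmouseover.
const SAMPLE_ENTRY = {
  id: 2727753,
  site: "<script>alert(document.cookie)</script>')+alert(1)+('",
};

// Rendered output for a reader running the file directly.
console.log("vulnerable:", renderRowVulnerable(SAMPLE_ENTRY));
console.log("hardened:  ", renderRowHardened(SAMPLE_ENTRY));
```

In the vulnerable output the handler becomes `showPopup('Delete <script>...</script>')+alert(1)+('?')`, so the injected
`alert(1)` fires on mouseover exactly as the GP+ PoC describes; in the hardened output the whole message is one JS string
literal and the anchor text is inert. A stricter design drops the inline handler altogether, stores the name in a data
attribute and attaches the listener with addEventListener, which also lets a Content-Security-Policy forbid inline script.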
Re: [Full-disclosure] On the impact of CVE-2013-2266 (BIND9)
In response to comments on this list from Daniel Franke, describing a possible exploitation scenario for the CVE-2013-2266
vulnerability, ISC would like to point out that the vector identified by Mr. Franke is not the only one possible, and that
operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND
should consider themselves vulnerable to this security issue.

We wish, however, to express agreement with the main point of Mr. Franke's comment, which is that the required complexity of
the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at
risk.

Jeff Wright