[FD] Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can (WordPress plugin)

2015-09-02 Thread dxw Security
Details

Software: Watu PRO Play
Version: 1.9.2.1
Homepage: http://calendarscripts.info/watupro/modules.html#play
Advisory report: 
https://security.dxw.com/advisories/stored-xss-in-watu-pro-play-allows-unauthenticated-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost 
anything an admin can

Vulnerability

An attacker who can persuade a logged-in administrator to visit a page of their 
choosing (e.g. via a phishing attack) can execute arbitrary JavaScript in the 
administrator's browser. The attack chains a CSRF weakness (the levels form has 
no nonce protection) with a stored XSS: the value submitted through the forged 
request is stored and rendered unescaped on the levels page.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, a 
JavaScript alert will display on /wp-admin/admin.php?page=watuproplay_levels 
(in a real attack the form can be made to auto-submit using JavaScript):
[form markup lost in this copy; recoverable pieces:]
  action: http://localhost/wp-admin/admin.php?page=watuproplay_levels&action=add
  method: POST
  a field whose value contains alert(1)
  a submit button


Mitigations

Disable the plugin until a new version is released that fixes this bug

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2015-08-11: Discovered
2015-08-26: Reported to vendor by email
2015-08-26: Requested CVE



Discovered by dxw:

Tom Adams
Please visit security.dxw.com for more information.
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] CSRF in Watu PRO allows unauthenticated attackers to delete quizzes (WordPress plugin)

2015-09-02 Thread dxw Security
Details

Software: Watu PRO
Version: 4.8.8.4
Homepage: http://calendarscripts.info/watupro/
Advisory report: 
https://security.dxw.com/advisories/csrf-in-watu-pro-allows-unauthenticated-attackers-to-delete-quizzes/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

CSRF in Watu PRO allows unauthenticated attackers to delete quizzes

Vulnerability

An attacker who can persuade a logged-in administrator to visit a link of their 
choosing can delete quizzes: the delete action is a plain GET request that 
carries no nonce.

Proof of concept

Assuming there is a quiz with ID 1, the following link will delete it when 
visited by a logged-in admin:
http://localhost/wp-admin/admin.php?page=watupro_exams&action=delete&quiz=1

Mitigations

This issue has been discussed with the author, who disagrees that there is an 
exploitable issue. We maintain that the above proof of concept demonstrates 
this issue. Nonetheless, the author has told us that they have made changes to 
address the problem in version 4.9.0.8 of this plugin. We have not verified 
these changes, so our recommendation is to upgrade to version 4.9.0.8 or later, 
and ideally conduct your own security assessment of this plugin.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2015-08-11: Discovered
2015-08-11: Reported to Author via email
2015-08-11: Author responded
2015-08-26: Author reported fixed in version 4.9.0.8
2015-09-01: Published



Discovered by dxw:

Tom Adams
Please visit security.dxw.com for more information.
  



[FD] Stored XSS in Watu PRO allows unauthenticated attackers to do almost anything an admin can (WordPress plugin)

2015-09-02 Thread dxw Security
Details

Software: Watu PRO
Version: 4.8.8.4
Homepage: http://calendarscripts.info/watupro/
Advisory report: 
https://security.dxw.com/advisories/stored-xss-in-watu-pro-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

Stored XSS in Watu PRO allows unauthenticated attackers to do almost anything 
an admin can

Vulnerability

An attacker who can persuade a logged-in administrator to visit a page of their 
choosing (e.g. through phishing) can execute arbitrary JavaScript in the 
administrator's browser. The attack chains a CSRF weakness (the options form has 
no nonce protection) with a stored XSS: the value submitted through the forged 
request is stored and rendered unescaped on the options page.
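The weakness in all three dxw reports above (the Watu PRO Play levels form, the 
Watu PRO quiz-delete link and the Watu PRO options form) has the same shape: a 
state-changing admin request that carries no nonce, and in the two XSS cases a 
stored value echoed back into the page without escaping. The following is an 
added illustration of that weak pattern next to a hardened one in plain 
WordPress plugin code. It is not Watu PRO's code; the plugin slug "acme_quiz", 
the option name, table name, capability and form field names are assumptions 
made for this example.

```php
<?php
// Added illustration, not Watu PRO's code. Plugin slug "acme_quiz", the
// option name, capability, table and field names are assumptions.

// --- Weak pattern: the shape of the reports above ------------------------
// No nonce and no capability check, and the stored value is echoed raw
// into an attribute. Any page a logged-in admin visits can POST here, and
// whatever it stores is rendered as markup the next time the page loads.
function acme_quiz_options_page_weak() {
    if ( isset( $_POST['title'] ) ) {
        update_option( 'acme_quiz_title', $_POST['title'] );
    }
    $title = get_option( 'acme_quiz_title', '' );
    echo '<form method="post">';
    echo '<input type="text" name="title" value="' . $title . '">'; // stored XSS sink
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened pattern ----------------------------------------------------
function acme_quiz_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['title'] ) ) {
        // Dies unless the request carries a nonce for this action that was
        // issued to the current user; a cross-site form cannot obtain one.
        check_admin_referer( 'acme_quiz_save_options' );
        $title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
        update_option( 'acme_quiz_title', $title );
    }
    $title = get_option( 'acme_quiz_title', '' );
    echo '<form method="post">';
    wp_nonce_field( 'acme_quiz_save_options' ); // adds _wpnonce and _wp_http_referer
    // Escape on output regardless of how the value reached the option.
    echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

// --- State-changing GET links (the quiz-delete case) ---------------------
function acme_quiz_delete_link( $quiz_id ) {
    $quiz_id = (int) $quiz_id;
    $url     = admin_url( 'admin.php?page=acme_quiz_exams&action=delete&quiz=' . $quiz_id );
    // Bind the nonce to this quiz id so a token issued for one quiz cannot
    // be replayed against another.
    $url = wp_nonce_url( $url, 'acme_quiz_delete_' . $quiz_id );
    return '<a href="' . esc_url( $url ) . '">Delete</a>';
}

function acme_quiz_handle_delete() {
    if ( ! isset( $_GET['page'], $_GET['action'], $_GET['quiz'] )
        || 'acme_quiz_exams' !== $_GET['page'] || 'delete' !== $_GET['action'] ) {
        return;
    }
    $quiz_id = (int) $_GET['quiz'];
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // A bare link like the one in the quiz-delete PoC carries no _wpnonce,
    // so the request dies here instead of reaching the database.
    check_admin_referer( 'acme_quiz_delete_' . $quiz_id );

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'acme_quiz', array( 'id' => $quiz_id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=acme_quiz_exams' ) );
    exit;
}
add_action( 'admin_init', 'acme_quiz_handle_delete' );
```

check_admin_referer() only proves that the request came from a page WordPress 
rendered for this user within the nonce lifetime (at most 24 hours); it is not 
an authorisation check, which is why current_user_can() still runs first. 
Escaping on output with esc_attr() is what closes the stored XSS even if a value 
reaches the option by some route other than this form.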

Proof of concept

If a logged-in administrator user clicks the submit button on this form, a 
JavaScript alert will display on /wp-admin/admin.php?page=watupro_options (in a 
real attack the form can be made to auto-submit using JavaScript):
[form markup lost in this copy; recoverable pieces:]
  action: http://localhost/wp-admin/admin.php?page=watupro_options
  method: POST
  a field whose value carries the script payload (stripped in this copy)
  a submit button

Mitigations

This issue has been discussed with the author, who disagrees that there is an 
exploitable issue. We maintain that the above proof of concept demonstrates 
this issue. Nonetheless, the author has told us that they have made changes to 
address the problem in version 4.9.0.8 of this plugin. We have not verified 
these changes, so our recommendation is to upgrade to version 4.9.0.8 or later, 
and ideally conduct your own security assessment of this plugin.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2015-08-11: Discovered
2015-08-11: Reported to Author via email
2015-08-11: Author responded
2015-08-26: Author reported fixed in version 4.9.0.8
2015-09-01: Published



Discovered by dxw:

Tom Adams
Please visit security.dxw.com for more information.
  



[FD] PacSec (Tokyo Nov 11-12): PWN2OWN Mobile first casualty of Wassenaar, CFP extended to Friday September 4

2015-09-02 Thread Dragos Ruiu
So we have the first bona fide research casualty of the new Wassenaar
Agreement wording (ugh). HP and counsel are concerned over Japanese
implementation of it, so they will not be involved with Pwn2Own Mobile in
Japan. Given typical Japanese government bureaucracy, I don't think I can
fault them. However, I still like hacker circuses, so I've ordered up my own
RF isolation cage, and am interested in other folks to be involved (so
contact me) in the competition which will continue. I'm basically passing
the hat around to folks who might be interested in bug bounties for phones,
so here is one of the limited chances we get to re-write the rules and
patterns. My new plan is to hand over the bugs directly to local
representatives in Japan, without the ZDI need to feed the bugs back to the
US first - and make like the internet and route around the issues with
export. Shortly, when we finalize the new bounties, we'll publish the new
rules and registration process, which in all likelihood, will be much less
complex.

In related matters some folks complained about getting us mail for the
PacSec CFP while I was at CCC Camp, and some office renovations yanked a
cable and reinforced my belief that VLAN tagging is still bunk to be
eliminated. So we'll be accepting proposals until the end of the week, just
to make sure. Get your mail to us (secwes...@pacsec.jp) before Friday, all
networks firing on all cylinders here now.

Cheers,
--dr




[FD] Serendipity 2.0.1 - Persistent XSS

2015-09-02 Thread Curesec Research Team (CRT)
Serendipity 2.0.1: Persistent XSS
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:   Serendipity 2.0.1   
Fixed in:   2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact: serendip...@supergarv.de
Vulnerability Type: Persistent XSS  
Remote Exploitable: Yes 
Reported to vendor: 07/21/2015  
Disclosed to public:09/01/2015  
Release mode:   Coordinated release 
CVE:n/a 
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

There is a persistent XSS vulnerability in Serendipity 2.0.1 when the default
2k11 theme is used. It requires a click by the victim to trigger.

The problem exists because the theme reads the name field of a comment with the
jQuery .text() function, which returns the decoded text and so undoes the HTML
encoding the server correctly applied. The theme then inserts that decoded
string back into the DOM, where it is interpreted as markup.

3. Proof of Concept

Add a comment whose name contains a script payload (the payload is not
reproduced in this copy).
Click "reply" on that comment.

The admin may be tricked into clicking on reply by leaving a question as a
comment, or via clickjacking.

4. Code


include/functions_comments.inc.php:180
function serendipity_displayCommentForm
[...]
'commentform_replyTo'=>
serendipity_generateCommentList($id, $comments,
((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),

include/functions_comments.inc.php:306
function serendipity_generateCommentList(
[...]
$retval .= '' . str_repeat(' ', $level * 2) . '#' .
$indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS :
serendipity_specialchars($comment['author']))

js/2k11.min.js
a("#serendipity_replyTo :selected").text()

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

6. Report Timeline

07/21/2015  Informed Vendor about Issue
07/24/2015  Vendor releases Version 2.0.2
09/01/2015  Disclosed to public

7. Blog Reference
http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html


[FD] NibbleBlog 4.0.3 - Code Execution - Not fixed

2015-09-02 Thread Curesec Research Team (CRT)
NibbleBlog 4.0.3: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:   NibbleBlog 4.0.3
Fixed in:   not fixed
Fixed Version Link: n/a 
Vendor Contact: Website: http://www.nibbleblog.com/ 
Vulnerability Type: Code Execution  
Remote Exploitable: Yes 
Reported to vendor: 07/21/2015  
Disclosed to public:09/01/2015  
Release mode:   Full Disclosure 
CVE:n/a 
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

When image files are uploaded through the "My image" plugin, which ships with
NibbleBlog by default, NibbleBlog 4.0.3 keeps the original extension of the
uploaded file. Neither the extension nor the actual file type is checked, so it
is possible to upload PHP files and gain code execution.

Please note that admin credentials are required.

3. Proof of Concept

Obtain admin credentials (for example via phishing through XSS, which in turn
can be gained via CSRF; see the advisory about CSRF in NibbleBlog 4.0.3).
Activate the My image plugin by visiting
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
Upload a PHP shell through the plugin's image field, ignoring the warnings.
Visit
http://localhost/nibbleblog/content/private/plugins/my_image/image.php
This is the default name of images uploaded via the plugin: the destination
is built from the form field name plus the original extension, so a .php file
uploaded through the image field is stored as image.php.

4. Code


if( $plugin->init_db() )
{
    // upload files
    foreach($_FILES as $field_name=>$file)
    {
        // extension taken verbatim from the client-supplied file name; nothing
        // checks it against an allowlist or against the file's real content
        $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $destination = PATH_PLUGINS_DB.$plugin->get_dir_name();
        // field name + attacker-chosen extension, e.g. image.php
        $complete = $destination.'/'.$field_name.'.'.$extension;

        // Upload the new file and move
        if(move_uploaded_file($file["tmp_name"], $complete))
        {
            // Resize images if requested by the plugin
            if(isset($_POST[$field_name.'_resize']))
            {
                $width   = isset($_POST[$field_name.'_width'])   ? $_POST[$field_name.'_width']   : 200;
                $height  = isset($_POST[$field_name.'_height'])  ? $_POST[$field_name.'_height']  : 200;
                $option  = isset($_POST[$field_name.'_option'])  ? $_POST[$field_name.'_option']  : 'auto';
                $quality = isset($_POST[$field_name.'_quality']) ? $_POST[$field_name.'_quality'] : 100;

                $Resize->setImage($complete, $width, $height, $option);
                $Resize->saveImage($complete, $quality, true);
            }
        }
    }

    unset($_POST['plugin']);

    // update fields
    $plugin->set_fields_db($_POST);

    Session::set_alert($_LANG['CHANGES_HAS_BEEN_SAVED_SUCCESSFULLY']);
}
}
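As an added example, not NibbleBlog's code, here is how the upload loop above
could be replaced so that neither the client-supplied file name nor the declared
MIME type decides what lands on disk. The function names are this example's
own; PATH_PLUGINS_DB and $plugin->get_dir_name() are taken from the excerpt.

```php
<?php
// Added example, not NibbleBlog's code. Function names are this example's own.

// Map the content-sniffed image type to the extension we will write.
// Anything not in this table is rejected, so a file that merely claims to
// be an image (wrong extension, or PHP under a .png name) never lands on disk.
function image_extension_from_type($type) {
    $allowed = array(
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_GIF  => 'gif',
    );
    return isset($allowed[$type]) ? $allowed[$type] : null;
}

// Validates one entry of $_FILES and stores it under a server-chosen name.
// Returns the final path; throws on anything it will not accept.
function store_uploaded_image(array $file, $destination_dir) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . (int) $file['error']);
    }
    // Refuse anything PHP did not itself receive through the HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the bytes, not from $file['name'] or $file['type'];
    // both of those are attacker-controlled.
    $type = @exif_imagetype($file['tmp_name']);
    $ext  = ($type === false) ? null : image_extension_from_type($type);
    if ($ext === null) {
        throw new RuntimeException('Unsupported or non-image file');
    }
    // Second opinion from the MIME database; the two detectors must agree.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== image_type_to_mime_type($type)) {
        throw new RuntimeException('MIME mismatch: ' . $mime);
    }
    // Server-chosen name: no user input reaches the path, so "image.php"
    // (or "image.php.png") can never be produced. random_bytes() is PHP 7+.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destination_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Drop-in for the loop in the excerpt: same $_FILES iteration, same directory.
foreach ($_FILES as $field_name => $file) {
    try {
        $path = store_uploaded_image($file, PATH_PLUGINS_DB . $plugin->get_dir_name());
    } catch (RuntimeException $e) {
        // Reject loudly instead of falling through to set_fields_db() with a
        // half-processed upload.
        error_log('Rejected upload for field ' . $field_name . ': ' . $e->getMessage());
    }
}
```

The name check is only half of the fix. The directory the plugin writes to
lives under the web root (content/private/plugins/...), so the web server
should also be configured never to execute scripts there (for example by
disabling PHP for that directory or serving it with a fixed Content-Type);
a valid image can still carry PHP in its metadata, and only the server
configuration stops such a polyglot from running if it is ever renamed.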

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

07/21/2015  Informed Vendor about Issue
07/22/2015  Vendor Replied
08/18/2015  Reminded Vendor of release date (no reply)
09/01/2015  Disclosed to public

7. Blog Reference
http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html


[FD] NibbleBlog 4.0.3 - CSRF - Not fixed

2015-09-02 Thread Curesec Research Team (CRT)
NibbleBlog 4.0.3: CSRF
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:   NibbleBlog 4.0.3
Fixed in:   not fixed
Fixed Version Link: n/a 
Vendor Contact: Website: http://www.nibbleblog.com/ 
Vulnerability Type: CSRF
Remote Exploitable: Yes 
Reported to vendor: 07/21/2015  
Disclosed to public:09/01/2015  
Release mode:   Full Disclosure 
CVE:n/a 
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

NibbleBlog 4.0.3 has no CSRF protection. An attacker can therefore perform
actions as an administrator whenever the administrator is logged in and visits
an attacker-controlled website. In the case of NibbleBlog this can, for example,
lead to persistent XSS via the creation of a new post, which in turn allows for
phishing attacks or the injection of JavaScript keyloggers.

3. Proof of Concept

Create new Post (for Spam and XSS):

[form markup lost in this copy; recoverable pieces:]
<form id="myForm" action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple" method="POST">
  (post fields, names stripped; the body carries a link to http://example.com with the text "this.")
</form>
<script>document.getElementById("myForm").submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

07/21/2015  Informed Vendor about Issue
07/22/2015  Vendor Replied
08/18/2015  Reminded Vendor of release date (no reply)
09/01/2015  Disclosed to public

6. Blog Reference
http://blog.curesec.com/article/blog/NibbleBlog-403-CSRF-46.html


[FD] PayPal Inc - Security Approval & 2FA Account Auth Bypass Session Vulnerability

2015-09-02 Thread Vulnerability Lab

Document Title:
===
PayPal Inc - Security Approval & 2FA Account Auth Bypass Session Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1486

Video: http://www.vulnerability-lab.com/get_content.php?id=1485

Watch Video: https://www.youtube.com/watch?v=Gzq8TD2Co9Y

EIBBP-31865

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2015/07/20/paypal-inc-identity-check-restriction-bypass-vulnerability

Download (full pdf report with resource): 
http://www.file-upload.net/download-10881718/ppbb_115.zip.html


Release Date:
=
2015-09-02


Vulnerability Laboratory ID (VL-ID):

1486


Common Vulnerability Scoring System:

6.1


Product & Service Introduction:
===
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account 
or by a credit card at the payer's choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account 
after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a 
purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will 
default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 
1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding 
hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master 
Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other 
funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, 
establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, 
auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to 
the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the 
recipient, the amount sent and the recipient's account 
type. In addition, eBay purchases made by credit card through PayPal may incur 
extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its 
corporate headquarters are in San Jose, California, United 
States at eBay's North First Street satellite office campus. The company also 
has significant operations in Omaha, Nebraska, Scottsdale, 
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow 
(near Berlin) and Tel Aviv. As of July 2007, across 
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), 
China's bankcard association, to allow Chinese consumers 
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia 
to 2,000 by the end of the year 2010.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered a restriction filter 
bypass in the official PayPal Inc Mobile API for Apple iOS.


Vulnerability Disclosure Timeline:
==
2015-04-30: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2015-05-02: Vendor Notification (PayPal Inc - Security & Bug Bounty Team)
2015-05-13: Vendor Response/Feedback (PayPal Inc - Security & Bug Bounty Team)
2015-**-**: Vendor Fix/Patch (PayPal Inc - Developer Team)
2015-09-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

PayPal Inc
Product: Mobile Web Application (API) 2015 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

By processing multiple logins we saw a bug in the mobile app API next to the 
identity check. Normally a user account logs in and, if the account is 
restricted, after several requests a stable form pops up asking the user to 
call PayPal or write a ticket mail.

By requesting the form multiple times with an existing account 
(x01...@gmail.com:chaos666) we were able to bypass