pfSense Arbitrary file deletion and multiple XSS

31 March 2015 - Source: http://www.mondounix.com
Advisory ID: HTB23251
Product: pfSense
Vendor: Electric Sheep Fencing LLC 
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Advisory Publication:  March 4, 2015  [without technical details]
Vendor Notification: March 4, 2015 
Vendor Patch: March 5, 2015 
Public Disclosure: March 25, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-2294, CVE-2015-2295
Risk Level: Medium 
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory...

GoAhead Web Server heap overflow and directory traversal

31 March 2015 - Source: http://www.mondounix.com
Affected software: GoAhead Web Server
Affected versions: 3.0.0 - 3.4.1 (3.x.x series before 3.4.2)
CVE ID: CVE-2014-9707

Description: The server incorrectly normalizes HTTP request URIs that
contain path segments that start with a "." but are not entirely equal
to "." or ".." (e.g. ".x"). By sending a request with a URI that
contains these incorrectly handled segments, it is possible for remote
attackers to cause a heap overflow with attacker-controlled content or
perform a directory traversal attack.

Fixed version: 3.4.2
Bug entry: https://github.com/embedthis/goahead/issues/106
Fix: https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77
Reported by: Matthew Daley

Detail:

The vulnerability...

Appweb Web Server remotely-triggerable DoS

31 March 2015 - Source: http://www.mondounix.com
Affected software: Appweb Web Server
CVE ID: CVE-2014-9708
 
Description: An HTTP request with a Range header of the form "Range:
x=," (i.e. with an empty range value) will cause a null pointer
dereference, leading to a remotely-triggerable DoS.
 
Fixed versions: 4.6.6, 5.2.1
Bug entry: https://github.com/embedthis/appweb/issues/413
Fix: https://github.com/embedthis/appweb/commit/7e6a925f5e86a19a7934a94bbd6959101d0b84eb#diff-7ca4d62c70220e0e226e7beac90c95d9L17348
Reported by: Matthew Daley
 
- Matthew Daley

(1)

...

WordPress InBoundio Marketing Shell Upload

30 March 2015 - Source: http://www.mondounix.com
<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
#...

WordPress MP3-Jplayer 2.1 Local File Disclosure

30 March 2015 - Source: http://www.mondounix.com
<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
#...

WordPress AB Google Map Travel CSRF / XSS

30 March 2015 - Source: http://www.mondounix.com
===============================================================================
CSRF/Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin 
===============================================================================
 
. contents:: Table Of Content
 
Overview
========
 
* Title :Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ab-google-map-travel/
* Severity: HIGH
* Version Affected: Version 3.4  and mostly prior to it
* Version Tested : Version  3.4
* version patched: 
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
* Latitude:
* Longitude:
*...

WordPress Ajax Search Pro Remote Code Execution

30 March 2015 - Source: http://www.mondounix.com
------------------------------------------------------------------------------
WordPress ajax-search-pro Plugin Remote Code Execution
------------------------------------------------------------------------------
 
[-] Plugin Link:
 
http://codecanyon.net/item/ajax-search-pro-for-wordpress-live-search-plugin/3357410
 
also affected:
    https://wordpress.org/plugins/ajax-search-lite/
    https://wordpress.org/plugins/related-posts-lite/
 
[-] Vulnerability Description:
 
This vulnerability allows any registered user to execute arbitrary functions
vulnerability code:
 
add_action('wp_ajax_wpdreams-ajaxinput', "wpdreams_ajaxinputcallback");
if (!function_exists("wpdreams_ajaxinputcallback"))...

SSLStrip 2, how to bypass HSTS

29 March 2015 - Source: http://duxhack.blogspot.com/
Anyone who has been interested in penetration testing for a few years will surely have heard of the famous program "SSLStrip", but let's do a quick recap.
About 6 years ago, at the...

WordPress Reflex Gallery 3.1.3 Shell Upload

21 March 2015 - Source: http://www.mondounix.com
<?php
 
/*
  # Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
  # TIPE:          Arbitrary File Upload
  # Google DORK:   inurl:"wp-content/plugins/reflex-gallery/"
  # Vendor:        https://wordpress.org/plugins/reflex-gallery/
  # Tested on:     Linux
  # Version:       3.1.3 (Last)
  # EXECUTE:       php exploit.php www.alvo.com.br shell.php
  # OUTPUT:        Exploit_AFU.txt
  # POC            http://i.imgur.com/mpjXaZ9.png
  # REF COD        http://1337day.com/exploit/23369
 
--------------------------------------------------------------------------------
  <form method = "POST" action = "" enctype = "multipart/form-data" >
  <input type...

Adobe Flash Player PCRE Regex Logic Error

18 March 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  CLASSID =  'd27cdb6e-ae6d-11cf-96b8-444553540000'
 
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player PCRE Regex Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
        in the PCRE engine, specifically in the handling of the \c...
