Solarwinds Orion Service SQL Injection

4 March 2015 - Source: http://www.mondounix.com
I found a couple of SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This service provides a consistent configuration and authentication layer across the products.
 
To be exact, the vulnerable applications and versions are:
 
Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2
 
At first glance, the injections are only available to admins, as the requests used are on the Manage Accounts...

Read more »

srm – secure file deletion for posix systems

27 February 2015 - Source: http://www.mondounix.com

srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them.
This prevents command-line recovery of the data by examining the raw block device.
It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery.
It is, essentially, a paper shredder for sensitive files.

srm is ideal for personal computers or workstations with Internet connections.
It can help prevent malicious users from breaking in and undeleting personal files, such as old emails.
Because it uses the exact same options as rm(1), srm is simple to use.
Just substitute it for rm whenever you want to destroy files, rather than just unlinking them....

Read more »

WordPress ADPlugg 1.1.33 Cross Site Scripting

26 February 2015 - Source: http://www.mondounix.com
=====================================================
Stored XSS Vulnerability in ADPlugg Wordpress Plugin
=====================================================
 
.. contents:: Table Of Content
 
Overview
========
 
* Title :Stored XSS Vulnerability in ADPlugg Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and mostly prior to it
* Version Tested : 1.1.33
* version patched: 1.1.34
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
*  Access Code
 
About Vulnerability
-------------------
This plugin is vulnerable to a Stored cross site scripting vulnerability,This...

Read more »

WordPress WooCommerce 2.2.10 Cross Site Scripting

26 February 2015 - Source: http://www.mondounix.com
====================================================
Product: WooCommerce WordPress plugin
Vendor: WooThemes
Tested Version: 2.2.10
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solved in version 2.2.11
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================
[-] About the Vendor:
 
WooCommerce is a popular open source WordPress e-commerce plugin with 
around 6.2 million downloads. It is built by WooThemes and designed for 
small to large-sized online merchants.
 
[-] Advisory Details:
 
The WooCommerce plugin gives users the ability to see their stores 
performance...

Read more »

Advanced Policy Firewall

26 February 2015 - Source: http://www.mondounix.com

Current Release:

http://www.rfxn.com/downloads/apf-current.tar.gz

http://www.rfxn.com/appdocs/README.apf

http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
1) Static...

Read more »

Juli Man-In-The-Middle Script

25 February 2015 - Source: http://www.mondounix.com
#!/usr/bin/perl
use Term::ANSIColor;
############################################################################
print "**************************************************************\n";  #
print "+ -==                        JULI                        ==- +\n";  #
print "+ -==          Man-in-the-middle  Attack Script          ==- +\n";  #
print "+ -== By em616 , em(at)em616.com , http://blog.em616.com ==- +\n";  #
print "**************************************************************\n";  #
############################################################################
 
# Cleaning stuff
system "killall -9 sslstrip arpspoof:";
system "echo '0' > /proc/sys/net/ipv4/ip_forward";
system...

Read more »

PHP DateTime Use-After-Free

25 February 2015 - Source: http://www.mondounix.com
#Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
 
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date:
2015.1.29 - Release Date: 2015.2.20
 
> A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
 
Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38
 
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
 
Description
------------
 
```
static int php_date_initialize_from_hash(php_date_obj...

Read more »

PHP DateTimeZone Type Confusion Infoleak

25 February 2015 - Source: http://www.mondounix.com
#Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone
 
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date:
2015.1.29 - Release Date: 2015.2.20
 
> A Type Confusion Vulnerability was discovered in unserialize() with DateTimeZone object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks.
 
Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38
 
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
 
Description
------------
 
```
static int php_date_timezone_initialize_from_hash(zval **return_value,
php_timezone_obj **tzobj, HashTable *myht...

Read more »

WordPress Google Doc Embedder 2.5.18 Cross Site Scripting

18 February 2015 - Source: http://www.mondounix.com
Title: WordPress 'Google Doc Embedder' plugin - XSS
Version: 2.5.18
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/google-document-embedder/
Contacted WordPress: 2015/01/26
==========================================================
 
## Description: 
==========================================================
Lets you embed PDF, MS Office, and many other file types in a web page using the free Google Docs Viewer (no Flash or PDF browser plug-ins required). 
 
 
## XSS:
==========================================================
By tricking a logged in admin into visiting a crafted page, it is possible to perform an XSS attack through the 'profile' parameter.
 
PoC:
Log...

Read more »

WordPress Spider Facebook 1.0.10 Cross Site Scripting

18 February 2015 - Source: http://www.mondounix.com
Title: WordPress 'WordPress Facebook' plugin - XSS
Version: 1.0.10
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/spider-facebook/
Contacted WordPress: 2015/01/26
==========================================================
 
## Description: 
==========================================================
Spider Facebook is a WordPress integration tool for Facebook. It includes all the available Facebook social plugins and widgets to be added to your web
 
## XSS:
==========================================================
Some parameters are shown unsanitized, making XSS possible.
 
PoC:
Log in as admin and submit one of the following forms:
<form method="POST"...

Read more »