srm – secure file deletion for posix systems

27 febbraio 2015 - Fonte: http://www.mondounix.com

srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them.
This prevents command-line recovery of the data by examining the raw block device.
It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery.
It is, essentially, a paper shredder for sensitive files.

srm is ideal for personal computers or workstations with Internet connections.
It can help prevent malicious users from breaking in and undeleting personal files, such as old emails.
Because it uses the exact same options as rm(1), srm is simple to use.
Just subsitute it for rm whenever you want to destroy files, rather than just unlinking them....

Leggi il seguito »

WordPress ADPlugg 1.1.33 Cross Site Scripting

26 febbraio 2015 - Fonte: http://www.mondounix.com
=====================================================
Stored XSS Vulnerability in ADPlugg  Wordpress Plugin 
=====================================================
 
. contents:: Table Of Content
 
Overview
========
 
* Title :Stored XSS Vulnerability in ADPlugg Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and mostly prior to it
* Version Tested : 1.1.33
* version patched: 1.1.34
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
*  Access Code
 
About Vulnerability
-------------------
This plugin is vulnerable to a Stored cross site scripting vulnerability,This...

Leggi il seguito »

WordPress WooCommerce 2.2.10 Cross Site Scripting

26 febbraio 2015 - Fonte: http://www.mondounix.com
====================================================
Product: WooCommerce WordPress plugin
Vendor: WooThemes
Tested Version: 2.2.10
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solved in version 2.2.11
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================
[-] About the Vendor:
 
WooCommerce is a popular open source WordPress e-commerce plugin with 
around 6.2 million downloads.It is built by WooThemes and designed for 
small to large-sized online merchants.
 
[-] Advisory Details:
 
The WooCommerce plugin gives users the ability to see their stores 
performance...

Leggi il seguito »

Advanced Policy Firewall

26 febbraio 2015 - Fonte: http://www.mondounix.com

Current Release:

http://www.rfxn.com/downloads/apf-current.tar.gz

http://www.rfxn.com/appdocs/README.apf

http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
1) Static...

Leggi il seguito »

Juli Man-In-The-Middle Script

25 febbraio 2015 - Fonte: http://www.mondounix.com
#!usr/bin/perl
use Term::ANSIColor;
############################################################################
print "**************************************************************\n";  #
print "+ -==                        JULI                        ==- +\n";  #
print "+ -==          Man-in-the-middle  Attack Script          ==- +\n";  #
print "+ -== By em616 , em(at)em616.com , http://blog.em616.com ==- +\n";  #
print "**************************************************************\n";  #
############################################################################
 
# Cleaning stuff
system "killall -9 sslstrip arpspoof:";
system "echo '0' > /proc/sys/net/ipv4/ip_forward";
system...

Leggi il seguito »

WordPress Google Doc Embedder 2.5.18 Cross Site Scripting

18 febbraio 2015 - Fonte: http://www.mondounix.com
Title: WordPress 'Google Doc Embedder' plugin - XSS
Version: 2.5.18
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/google-document-embedder/
Contacted WordPress: 2015/01/26
==========================================================
 
## Description: 
==========================================================
Lets you embed PDF, MS Office, and many other file types in a web page using the free Google Docs Viewer (no Flash or PDF browser plug-ins required). 
 
 
## XSS:
==========================================================
By tricking a logged in admin into visiting a crafted page, it is possible to perform an XSS attack through the 'profile' parameter.
 
PoC:
Log...

Leggi il seguito »

WordPress Spider Facebook 1.0.10 Cross Site Scripting

18 febbraio 2015 - Fonte: http://www.mondounix.com
Title: WordPress 'WordPress Facebook' plugin - XSS
Version: 1.0.10
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/spider-facebook/
Contacted WordPress: 2015/01/26
==========================================================
 
## Description: 
==========================================================
Spider Facebook is a WordPress integration tool for Facebook.It includes all the available Facebook social plugins and widgets to be added to your web
 
## XSS:
==========================================================
Some parameters are shown unsanitized, making XSS possible.
 
PoC:
Log in as admin an submit one of the following forms:
<form method="POST"...

Leggi il seguito »

WordPress Redirection Page 1.2 CSRF / XSS

18 febbraio 2015 - Fonte: http://www.mondounix.com
Title: WordPress 'Redirection Page' CSRF/XSS
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015-01-26
Download: https://wordpress.org/plugins/redirection-page/
Contacted WordPress: 2015-01-26
==========================================================
 
## Plugin description: 
==========================================================
Redirect your specified pages, it is usefull when you have 404/not-found pages. Go to Settings Page to start redirection. 
 
## CSRF:
==========================================================
It is possible to change the plugins redirect settings by tricking a logged in admin to visit a crafted page. 
 
 
## Stored XSS:
==========================================================
Redirect...

Leggi il seguito »

WordPress Cross Slide 2.0.5 Cross Site Request Forgery / Cross Site Scripting

18 febbraio 2015 - Fonte: http://www.mondounix.com
Title: WordPress 'Cross Slide' plugin - XSS/CSRF
Version: 2.0.5
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/crossslide-jquery-plugin-for-wordpress/
Contacted WordPress: 2015/01/26
==========================================================
 
## Plugin description: 
==========================================================
The CrossSlide jQuery plugin for WordPress is designed to quickly add the JS and CSS requirements to operate the jQuery slideshow. 
 
## CSRF:
==========================================================
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. 
 
 
## Stored XSS:
==========================================================
Settings...

Leggi il seguito »

WordPress Mobile Domain 1.5.2 Cross Site Request Forgery / Cross Site Scripting

18 febbraio 2015 - Fonte: http://www.mondounix.com
Title: WordPress 'Mobile Domain' CSRF/XSS
Version: 1.5.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/mobile-domain/
Contacted WordPress: 2015/01/26
==========================================================
 
## Description: 
==========================================================
Redirect WordPress blog from desktop domain to mobile subdomain and create Mobile XML Sitemap. 
 
## CSRF:
==========================================================
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. 
 
 
## Stored XSS:
==========================================================
Settings data...

Leggi il seguito »