M/Monit 3.2.2 Cross Site Request Forgery

20 September 2014 - Source: http://www.mondounix.com
Application: M/Monit 3.2.2
Author: Dolev Farhi @dolevff
Date: 13.9.2014
Relevant CVEs: CVE-2014-6409, CVE-2014-6607
Vulnerable version: <= 3.2.2
 
 
 
M/Monit provides easy, proactive monitoring of Unix systems, network and
cloud services.
 
1. Vulnerability Description:
Account hijack via cross-site request forgery (CVE-2014-6409, 
CVE-2014-6607)
The latest M/Monit release was found to be vulnerable to CSRF attacks. 
It is possible to reset the password of any user account (admin/user)
on the system without knowing the current password of the 
targeted account, because the password-change request carries no 
anti-CSRF token and does not require the current password.
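The two missing controls the advisory describes (an unguessable per-session token on the form, and re-authentication with the current password) are shown side by side below. This is an added illustration, not M/Monit code: the session and form dictionaries, the USERS table and the helper names are assumptions standing in for a real web framework.

```python
"""Password-change endpoint: the CSRF-prone pattern next to a hardened one.

Added example, not M/Monit code. Session/form dicts, USERS and helper
names are assumptions standing in for a web framework.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample user table: username -> password hash.
USERS = {"admin": hash_password("correct horse")}


def change_password_vulnerable(session: dict, form: dict) -> bool:
    """The pattern in the advisory: a logged-in session plus a new password
    is all that is checked. A cross-site form post that the browser submits
    with the victim's cookie therefore succeeds."""
    user = session.get("user")
    if user not in USERS:
        return False
    USERS[user] = hash_password(form["new_password"])
    return True


def new_csrf_token(session: dict) -> str:
    """Mint a session-bound token to embed in the change-password form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def change_password_hardened(session: dict, form: dict) -> bool:
    user = session.get("user")
    if user not in USERS:
        return False
    # 1. Anti-CSRF token: a forged cross-site form cannot know the value
    #    stored in the victim's session. Compare in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    # 2. Re-authentication: even with a token leak the attacker still
    #    needs the current password.
    if not verify_password(form.get("current_password", ""), USERS[user]):
        return False
    USERS[user] = hash_password(form["new_password"])
    # Rotate the token after a sensitive action so it cannot be replayed.
    new_csrf_token(session)
    return True
```

The token must be tied to the authenticated session (not a fixed site-wide value) and compared with a constant-time function; the current-password check is what turns a silent hijack into a request the attacker cannot complete.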
2. Proof of concept
<html> <div align="center"> <pre>...


WordPress WooCommerce Reflected XSS

19 September 2014 - Source: http://www.mondounix.com
Details
================
Software: WooCommerce - excelling eCommerce
Version: 2.1.12
Homepage: http://wordpress.org/plugins/woocommerce/
Advisory report: 
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
 
Description
================
Reflected XSS in WooCommerce – excelling eCommerce gives attackers the ability to do almost anything an admin user can do
 
Vulnerability
================
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) 
can execute arbitrary JavaScript within...


WatchGuard XTM 11.8.3 Reflected XSS (CVE-2014-6413)

19 September 2014 - Source: http://www.mondounix.com
I. VULNERABILITY
 
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8.3
 
II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks
and the businesses they power.
 
III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in WatchGuard XTM.
The injection is done through the parameter "poll_name" in the
page "/firewall/policy?pol_name=(HERE XSS)".
 
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "poll_name" correctly.
https://10.200.210.100:8080/network/dynamic_dns_config?intf=aaaa<script>alert(document.cookie)</script>
 
V....


MODX Revolution Reflected Cross-Site Scripting (XSS)

19 September 2014 - Source: http://www.mondounix.com
Advisory ID: HTB23229
Product: MODX Revolution
Vendor: MODX
Vulnerable Version(s): 2.3.1-pl and probably prior
Tested Version: 2.3.1-pl
Advisory Publication:  August 20, 2014  [without technical details]
Vendor Notification: August 20, 2014 
Vendor Patch: September 11, 2014 
Public Disclosure: September 17, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5451
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech...


WordPress WP-Ban 1.62 Bypass

18 September 2014 - Source: http://www.mondounix.com
Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5.0 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
 
Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations
 
Vulnerability
================
This plugin allows blacklisting users based on their IP address; however, it takes the IP address from the X-Forwarded-For header whenever that header is present.
Not all web server configurations strip or replace X-Forwarded-For headers, in which case a visitor can supply the header themselves and the IP ban can be bypassed...
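The correct rule is to trust X-Forwarded-For only when the TCP peer is a known reverse proxy, and then to walk the header from the right, past the proxies you own, to the first address you did not append. The example below is added here and is not WP-Ban code; the TRUSTED_PROXIES and BANNED ranges and the request shape (a remote address plus a headers dict) are assumptions.

```python
"""Client-IP resolution that honours X-Forwarded-For only from trusted proxies.

Added example, not WP-Ban code. TRUSTED_PROXIES, BANNED and the request
shape (remote_addr string plus a headers dict) are assumptions.
"""
import ipaddress

# Assumed deployment: reverse proxies live in 10.0.0.0/8 or on localhost.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]
# Constructed sample blacklist (RFC 5737 documentation range).
BANNED = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr, headers):
    """The pattern the advisory describes: prefer X-Forwarded-For whenever
    it is present, regardless of who sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_safe(remote_addr, headers):
    """Walk X-Forwarded-For from the right, skipping hops that are trusted
    proxies, and return the first untrusted hop. If the TCP peer is not a
    trusted proxy the header is ignored entirely, because the client itself
    sent it. A malformed header falls back to the socket address."""
    socket_addr = ipaddress.ip_address(remote_addr)
    if not _is_trusted(socket_addr):
        return socket_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    last_trusted = socket_addr
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return socket_addr
        if not _is_trusted(candidate):
            return candidate
        last_trusted = candidate
    return last_trusted


def is_banned(ip):
    return any(ip in net for net in BANNED)
```

With no proxy in front of the server, client_ip_safe never looks at the header, so the bypass in the advisory disappears; behind a proxy, a client-supplied leading entry is ignored because the proxy appends the real peer address to the right of it.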


DVWA Cross Site Request Forgery

16 September 2014 - Source: http://www.mondounix.com
<!-- There are multiple CSRF issues in DVWA. Attackers can use these CSRF exploits to
  first reset the victim's DVWA database, then make the victim log in using the default resets,
  next craft another CSRF to change the challenge level to low to make exploitation more probable,
  then use these to craft a command execution CSRF and possibly get a shell. :) 
 
  *This PoC will open calculator as a demo execution in approximately 5 seconds.*
 
  The attacker just needs to know you have DVWA for this to work.
 
  Paulos Yibelo and Tabor N. Shiferaw  2014
 
  -->
 
  <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
  </script>
  <div...


HttpFileServer 2.3.x Remote Command Execution

16 September 2014 - Source: http://www.mondounix.com
Affected software: http://sourceforge.net/projects/hfs/
Version: 2.3.x
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
 
The issue exists due to a weak regex in the file ParserLib.pas:
 
 
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
 
 
It does not handle a null byte, so a request to
 
http://localhost:80/search=%00{.exec|cmd.}
 
will...
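The bug class is a differential between two stages that disagree about where a string ends: a scanner that stops at the first NUL byte finds no macro marker, while a later stage that processes the whole string still sees `{.exec|cmd.}`. The Python below is an added model of that differential, not HFS code: it reuses the advisory's regex, but the NUL-terminated scanner, the toy expander and the sanitize-then-expand flow are assumptions made to illustrate the mechanism (no command is ever executed).

```python
"""Model of a NUL-byte differential between a macro scanner and a macro
expander. Added example, not HFS code: the regex is the one quoted from
ParserLib.pas, everything else is an assumption for illustration.
"""
import re
from urllib.parse import unquote

# Same pattern as findMacroMarker in the advisory: '{.', '{:', '.}', ':}', '|'
MACRO_MARKER = re.compile(r"\{[.:]|[.:]\}|\|")


def decode_search_param(raw: str) -> str:
    """%00 in the URL becomes a real NUL byte once the query is decoded."""
    return unquote(raw)


def find_macro_marker_nul_terminated(s: str, ofs: int = 0) -> int:
    """Assumed behaviour of the weak check: the string is treated as
    NUL-terminated, so nothing after the first \\x00 is scanned.
    Returns the match offset or -1."""
    view = s.split("\x00", 1)[0]
    m = MACRO_MARKER.search(view, ofs)
    return m.start() if m else -1


def find_macro_marker_full(s: str, ofs: int = 0) -> int:
    """Hardened scanner: operates on the full length of the string."""
    m = MACRO_MARKER.search(s, ofs)
    return m.start() if m else -1


def toy_expand(s: str) -> str:
    """Toy stand-in for the macro expander (assumption): it processes the
    whole string and only records what an {.exec|...} macro would run."""
    return re.sub(r"\{\.exec\|([^.]*)\.\}",
                  lambda m: f"<would exec {m.group(1)}>", s)


def sanitize_then_expand(user_input: str, scanner, expand=toy_expand) -> str:
    """Reject the input if the scanner sees a macro marker, otherwise hand
    it to the expander. With the NUL-terminated scanner the rejection is
    skipped while the expander still acts on the macro."""
    if scanner(user_input) != -1:
        return "rejected"
    return expand(user_input)


# Constructed sample input, the query string from the advisory's PoC.
POC_QUERY = "%00{.exec|cmd.}"
```

The fix direction is the same as for every length-confusion bug: reject or strip NUL bytes at the input boundary, and make the check and the consumer operate on the identical byte sequence.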


WordPress Slideshow Gallery 1.4.6 Shell Upload

16 September 2014 - Source: http://www.mondounix.com
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.
#
#
# Requirements:
#
# 1) Enabled user management...


WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 September 2014 - Source: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A reflected Cross-Site Scripting vulnerability.
Details:
The plugin echoes the value of the HTTP header "User-Agent" back to the client browser without sanitization, allowing JavaScript to be inserted.
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...
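The echoed-header pattern, with its hardened counterpart and a small reflection check, as an added example (not the plugin's code; the handler names and the header dict are assumptions). Note that a reflection via User-Agent cannot be triggered by simply sending a victim a link, since the attacker does not control the victim's request headers, which is consistent with the Low severity above.

```python
"""Reflected XSS via an echoed request header: vulnerable and hardened
rendering, plus a reflection check. Added example, not plugin code; the
handler names and the headers dict are assumptions.
"""
import html
import re


def render_user_agent_vulnerable(headers: dict) -> str:
    """The pattern in the advisory: header value concatenated into HTML."""
    ua = headers.get("User-Agent", "")
    return f"<p>Your browser: {ua}</p>"


def render_user_agent_hardened(headers: dict) -> str:
    """HTML-escape before interpolation. quote=True also escapes ' and "
    so the value is safe inside attribute values, not only text nodes."""
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    return f"<p>Your browser: {ua}</p>"


TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def reflects_markup(render, payload: str) -> bool:
    """Send a header containing markup through a renderer and report whether
    the payload reaches the page as live markup (i.e. unescaped)."""
    page = render({"User-Agent": payload})
    return TAG_START.search(payload) is not None and payload in page


# Constructed sample payload, the same probe used in the advisory's PoC.
PAYLOAD = "<script>alert(document.cookie)</script>"
```

Escaping at the output (the point where the value meets HTML) is the durable fix; filtering the header on input is fragile because the same value may be rendered in several contexts.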
