<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.full-disclosure">
    <title>gmane.comp.security.full-disclosure</title>
    <link>http://blog.gmane.org/gmane.comp.security.full-disclosure</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89358"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89347"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89339"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89338"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89334"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89333"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89332"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89331"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89329"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89328"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89327"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89326"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89325"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89324"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89323"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89322"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89321"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89320"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89319"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/89318"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89358">
    <title>AFU vulnerabilities in MCFileManager for TinyMCE</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89358</link>
    <description>&lt;pre&gt;Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager 
(MCFileManager). This is a commercial plugin for TinyMCE. It concerns both 
MCFileManager and all web applications which have MCFileManager in their 
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode File Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Arbitrary File Uploading (WASC-31):

Execution of arbitrary code is possible due to a bypass of the program's 
security filters (on IIS and Apache web servers).

Code will execute via file uploading. The program is vulnerable to three 
methods of code execution:

1. Via use of the symbol ";" (1.asp;.txt) in the file name (IIS).

2. Via "1.asp" in folder name (IIS).

3. Via double extension (1.php.txt) (Apac&lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2013-05-18T20:45:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89347">
    <title>exploitation ideas under memory pressure</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89347</link>
    <description>&lt;pre&gt;List, there's a pretty obvious bug in win32k!EPATHOBJ::pprFlattenRec where the
PATHREC object returned by win32k!EPATHOBJ::newpathrec doesn't initialise the
next list pointer. The bug is really nice, but exploitation when
allocations start failing is tricky.

As vuln-dev is dead, I thought I'd post here, I don't have much free
time to work on silly Microsoft code, so I'm looking for ideas on how to
fix the final obstacle for exploitation. I first published details about
this in March, but here's a recap:

; BOOL __thiscall EPATHOBJ::newpathrec(EPATHOBJ     *this,
                                       PATHRECORD   **pppr,
                                       ULONG         *pcMax,
                                       ULONG cNeeded)
.text:BFA122CA                 mov     esi, [ebp+ppr]
.text:BFA122CD                 mov     eax, [esi+PATHRECORD.pprPrev]
.text:BFA122D0                 push    edi
.text:BFA122D1                 mov     edi, [ebp+pprNew]
.text:BFA122D4                 mov     [edi+PATHRECORD.&lt;/pre&gt;</description>
    <dc:creator>Tavis Ormandy</dc:creator>
    <dc:date>2013-05-17T21:26:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89339">
    <title>My ISP is routing traffic to private addresses...</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89339</link>
    <description>&lt;pre&gt;So today when trying to access a device on my network (172.30.x.x range) I
was taken to the web interface of a completely different device.  This
baffled me at first, but after a bit of poking around, I determined that my
ISP was actually routing traffic to these addresses.  See the trace below


Tracing route to 172.30.4.18 over a maximum of 30 hops

  1    11 ms    18 ms    19 ms  XXXXXXXXX
  2    30 ms   178 ms   212 ms  vl4.aggr1.phdl.pa.rcn.net [208.59.252.1]
  3    13 ms    18 ms    13 ms  tge0-1-0-0.core1.phdl.pa.rcn.net [207.172.15.50]
  4    37 ms    39 ms    57 ms  tge0-0-0-2.core1.lnh.md.rcn.net [207.172.19.227]
  5    35 ms    34 ms    32 ms  tge0-1-0-1.core1.chgo.il.rcn.net [207.172.19.235]
  6    42 ms    38 ms    39 ms  port-chan13.aggr2.chgo.il.rcn.net [207.172.15.201]
  7    37 ms    39 ms    39 ms  port-chan1.mart-ubr1.chi-mart.il.cable.rcn.net [207.229.191.132]
  8    57 ms    61 ms    53 ms  172.30.4.18

Trace complete.


So I break out nmap and do a quick scan, and find that there are th&lt;/pre&gt;</description>
    <dc:creator>kyle kemmerer</dc:creator>
    <dc:date>2013-05-17T19:08:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89338">
    <title>CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89338</link>
    <description>&lt;pre&gt;Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?

Are you willing to gamble on the security of your systems?

Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with IT security on a daily basis. People like
you, who never stop asking questions and play with risks all the time...

We will gather in Krakow, Poland on 28-29th May, 2013 on an extreme
conference...

1. The schedule:

Check out the schedule of the conference, as it will feature:
- Felix "fx" Lindner and Gregor Kopf discussing virtual and physical
switching,
- Fernando Gont discussing IPv6 network reconnaissance,
- Ilja van Sprundel discussing his analysis of Linux insecurities,
- a couple of topics related to Mobile security including presentations from
Jesse Burns, Georgia Weidman and Yury Chemerkin,
- Meredith L. Patterson discussing the state of LANGSEC,
- and many more concerning compu&lt;/pre&gt;</description>
    <dc:creator>Sławomir Jabs</dc:creator>
    <dc:date>2013-05-17T11:40:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89334">
    <title>On Skype URL eavesdropping</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89334</link>
    <description>&lt;pre&gt;You may have read about this in another list.
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
http://financialcryptography.com/mt/archives/001430.html


I'd like to give out some observations and point out some not so obvious 
risks (as if Microsoft Skypying™ on your conversations is not enough).

Requests always come from the same IP 65.52.100.214.
They have referrer and user agent set to a dash "-".
They are always HEAD requests which immediately follow 302 redirects.
They access both http and https links despite some speculations saying 
that they do it one way or the other.
This is a relatively new phenomenon that by my accounts has been happening 
since the end of April 2013.


Sidenote: A couple of years ago, before the acquisition by Microsoft, Skype 
expressed an unhealthy level of interest in my work, so I decided to run a 
privacy test trying to catch them red-handed. I set up some traplinks, 
but to this day no one has triggered them. Maybe it had to do with me 
using a Linux version of t&lt;/pre&gt;</description>
    <dc:creator>Kirils Solovjovs</dc:creator>
    <dc:date>2013-05-16T21:41:09</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89333">
    <title>Multiple vulnerabilities in multiple themes for WordPress with VideoJS</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89333</link>
    <description>&lt;pre&gt;Hello list!

These are Cross-Site Scripting and Full path disclosure vulnerabilities in 
multiple themes for WordPress with VideoJS. Earlier I wrote about 
vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). 
This is a popular video and audio player, which is used at hundreds of 
thousands of web sites and in multiple web applications. Google dork for VideoJS shows 
446000 results and for WP themes with it shows 171000 (inurl:video-js.swf 
inurl:wp-content/themes/).

Among them are Covert VideoPress, Photolio, Source, Smartstart and Crius. 
But there are other vulnerable themes for WP with video-js.swf (these are 
free, commercial and custom themes), which can be found with above-mentioned 
Google dork. All developers of these plugins, the same as developers of all 
other web applications with VideoJS, need to update it in their software.

-------------------------
Affected products:
-------------------------

All versions of Covert VideoPress, Photolio, Source, Smartstart and Crius 
t&lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2013-05-16T15:52:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89332">
    <title>Take Part in Positive Hack Days in Any Part of the World</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89332</link>
    <description>&lt;pre&gt;As part of PHDays Everywhere, any visitor of hackspaces in different parts of the planet will be able to partake in the international forum Positive Hack Days.

15 hackspaces in 7 countries will throw their doors open on May 23 and 24. Abu Dhabi (United Arab Emirates), Cairo (Egypt), Birzeit (Palestine), Kollam (India), Tunis (Tunisia), as well as Kiev, Lviv, Vladivostok, St. Petersburg, Novosibirsk, Kaliningrad, Omsk, Voronezh, Saratov, and Krasnodar have already joined the initiative.

The visitors of all the hackspaces will have an opportunity to:

* Watch the forum's events online both in English and Russian in the HD format.
* Participate in discussions and put questions to the speakers online.
* Demonstrate their hacking skills in a data hacking and protecting contest (winners will receive prizes).

Reports and hands-on labs of the world's leading experts, many contests (including online competitions), PHDays CTF hacking battle, PHDays Young School, and a lot of other &lt;/pre&gt;</description>
    <dc:creator>PHD</dc:creator>
    <dc:date>2013-05-16T13:11:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89331">
    <title>[SECURITY] [DSA 2669-1] linux security update</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89331</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2669-1                security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Dann Frazier
May 15, 2013                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979
                 CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222
                 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227
                 CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234
                 CVE-2013-3235 CVE-2013-3301

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service, information leak or privilege escala&lt;/pre&gt;</description>
    <dc:creator>dann frazier</dc:creator>
    <dc:date>2013-05-16T02:48:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89329">
    <title>[Security-news] SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89329</link>
    <description>&lt;pre&gt;View online: http://drupal.org/node/1995706

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-047
  * Project: Google Authenticator login [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-May-15
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION  
---------------------------------------------------------

This module will allow you to add Time-based One-time Password Algorithm
(also called "Two Step Authentication" or "Multi-Factor Authentication")
support to user logins. It works with Google's Authenticator app system and
supports most (if not all) OATH based HOTP/TOTP systems.

.... Accidental removal of account configuration.

In certain scenarios, Google Authenticator login incorrectly determines the
user's account name. The change in account name could cause the two-factor
authentication for existing accounts to be lost, allowing users to log in
using just username and password.

This vulnerability is mitigated by the fact whi&lt;/pre&gt;</description>
    <dc:creator>security-news&lt; at &gt;drupal.org</dc:creator>
    <dc:date>2013-05-15T18:48:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89328">
    <title>Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89328</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Cisco TelePresence Supervisor MSE 8050 Denial of Service Vulnerability

Advisory ID: cisco-sa-20130515-mse

Revision 1.0

For Public Release 2013 May 15 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to cause high CPU utilization and a reload of the affected system.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130515-mse
&lt;/pre&gt;</description>
    <dc:creator>Cisco Systems Product Security Incident Response Team</dc:creator>
    <dc:date>2013-05-15T16:00:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89327">
    <title>Indusface Website Hacked and Infected?</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89327</link>
    <description>&lt;pre&gt;Dear All,

I was searching for some information on the internet and it seems that the
Indusface website was infected with Russian Spam and Malware. There seems
to be spam and malicious code in the homepage along with many more spam
pages added into the webroot. Below are some screenshots of the same:

*Indusface Homepage Infected with Russian Spam*

[image: Inline image 2]

*Google Search Results Showing Indusface Pages with Russian Spam and Malware*

[image: Inline image 1]

*These Spam Pages on the Indusface Website Contain Potentially Malicious JS Files*

[image: Inline image 3]

[image: Inline image 4]

Does anyone know how this sort of hack takes place? Please let me know any
information possible.

Thanks - Rahul
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/&lt;/pre&gt;</description>
    <dc:creator>Rahul T</dc:creator>
    <dc:date>2013-05-15T09:16:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89326">
    <title>[ MDVSA-2013:165 ] firefox</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89326</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:165
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : firefox
 Date    : May 15, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple security issues were identified and fixed in mozilla firefox:
 
 Mozilla developers identified and fixed several memory safety
 bugs in the browser engine used in Firefox and other Mozilla-based
 products. Some of these bugs showed evidence of memory corruption under
 certain circumstances, and we presume that with enough effort at least
 some of these could be exploited to run arbitrary code (CVE-2013-0801).
 
 Security researcher Cody Crews reported a method to call a content
 level constructor that allows for this cons&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2013-05-15T10:19:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89325">
    <title>[SECURITY] [DSA 2668-1] linux-2.6 security update</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89325</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2668-1                security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Dann Frazier
May 14, 2013                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
                 CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
                 CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
                 CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
                 CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
                 CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
                 CVE-2013-19&lt;/pre&gt;</description>
    <dc:creator>dann frazier</dc:creator>
    <dc:date>2013-05-14T19:14:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89324">
    <title>Remote command Injection in Creme Fraiche 0.6 Ruby Gem</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89324</link>
    <description>&lt;pre&gt;TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem

DATE: 5/14/2013

AUTHOR: Larry W. Cashdollar (&amp;lt; at &amp;gt;_larry0)

DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/

DESCRIPTION: Converts Email to PDF files.

VENDOR: Notified on 5/13/2013, provided fix 5/14/2013

FIX: Version in 0.6.1

CVE: 2013-2090

DETAILS: The following lines pass unsanitized user input directly to the command line.
A malicious email attachment with a file name consisting of shell meta characters could inject commands into the shell.

If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.

cmd = "pdftk %s updateinfo %s output %s" %[pdf, infofile, tfile]
@log.debug('pdftk-command is ' &amp;lt;&amp;lt; cmd)
pdftkresult = system( cmd)

GREETINGS: &amp;lt; at &amp;gt;vladz,&amp;lt; at &amp;gt;quine,&amp;lt; at &amp;gt;BrandonTansey,&amp;lt; at &amp;gt;sushidude,&amp;lt; at &amp;gt;jkouns,&amp;lt; at &amp;gt;sub_space and &amp;lt; at &amp;gt;attritionorg

ADVISORY: http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html&lt;/pre&gt;</description>
    <dc:creator>Larry W. Cashdollar</dc:creator>
    <dc:date>2013-05-14T20:06:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89323">
    <title>www.netcraft.com - "Search Form" Cross-site Scripting vulnerability</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89323</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:www.netcraft.com - Search Form Cross-site Scripting vulnerability
Advisory ID:SSCHADV2013-008
Author:Stefan Schurtz
Affected Software:Successfully tested on www.netcraft.com
Vendor URL:http://www.netcraft.com
Vendor Status:fixed

==========================
Vulnerability Description
==========================

The 'q'-Parameter in the Search Form on www.netcraft.com is prone to a
XSS vulnerability.

==========================
PoC-Exploit
==========================

// IE8 &amp;amp; IE 10 &amp;amp; Aurora 8.0

http://www.netcraft.com/search/?q=127.0.0.1"&amp;gt;&amp;lt;/iframe&amp;gt;&amp;lt;script&amp;gt;alert(document.domain)&amp;lt;/script&amp;gt;&amp;amp;submit=Search&amp;amp;submit=Search

==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

12-May-2013 - vendor informed by email
13-may-2013 - feedback from vendor

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan&lt;/pre&gt;</description>
    <dc:creator>Stefan Schurtz</dc:creator>
    <dc:date>2013-05-14T19:02:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89322">
    <title>Vulnerabilities in multiple plugins for WordPress with VideoJS</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89322</link>
    <description>&lt;pre&gt;Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for 
WordPress with VideoJS. Earlier I wrote about vulnerabilities in VideoJS 
(http://seclists.org/fulldisclosure/2013/May/21). This is a popular video and 
audio player, which is used at hundreds of thousands of web sites and in 
multiple web applications. Google dork for VideoJS shows 446000 results and 
for WP plugins with it shows 178000 (inurl:video-js.swf 
inurl:wp-content/plugins/).

In addition to plugin VideoJS - HTML5 Video Player for WordPress 
(http://seclists.org/fulldisclosure/2013/May/35), about which I wrote 
earlier, here are new plugins with this player.

Among them are Video Embed &amp;amp; Thumbnail Generator, External "Video for 
Everybody", 1player, S3 Video and EasySqueezePage. But there are other 
vulnerable plugins for WP with video-js.swf (which can be found with 
above-mentioned Google dork). All developers of these plugins, the same as 
developers of all other web applications with VideoJS, need to update it in&lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2013-05-14T16:01:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89321">
    <title>GreHack 2013 - Call For Papers - November 15, Grenoble, France</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89321</link>
    <description>&lt;pre&gt;---------------------------
*GreHack 2013* — 2nd Call For Papers
November 15, Grenoble, France
http://grehack.org — Twitter: &amp;lt; at &amp;gt;grehack
---------------------------
*Topics*
The 2nd International Symposium on Grey-Hat Hacking — aka GreHack 2013
— will gather researchers and practitioners from academia, industry,
and government to discuss new advances in computer and information
security research.

All topics related to vulnerability discovery are within scope. In
addition, topics of interest also include but are not limited to:

 - Reverse Engineering and Obfuscation
 - Vulnerability Discovery, Analysis and Exploit Automation
 - Embedded Systems Security, including Smartphone Security
 - Hardware Vulnerabilities
 - Malware Creation, Analysis and Prevention
 - Web Application Security
 - Network Exfiltration
 - Intrusion Detection and Prevention
 - Security and Privacy in Cloud, P2P Networks
 - Penetration Testing
 - Disclosure and Ethics
 - Digital Forensics
 - Applied Cryptography and Cryptanalysis

We&lt;/pre&gt;</description>
    <dc:creator>F. Duchene</dc:creator>
    <dc:date>2013-05-14T10:11:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89320">
    <title>[HITB-Announce] HITB Magazine Issue 010</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89320</link>
    <description>&lt;pre&gt;Hi everyone,

A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your &amp;gt; 3000 word article to editorial&amp;lt; at &amp;gt;hackinthebox.org

Topics of interest include, but are not limited to the following:

    Next generation attacks and exploits
    Apple / OS X security vulnerabilities
    SS7/Backbone telephony networks
    VoIP security
    Data Recovery, Forensics and Incident Response
    HSDPA / CDMA Security / WIMAX Security
    Network Protocol and Analysis
    Smart Card and Physical Security
    WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
    Analysis of malicious code
    Applications of cryptographic techniques
    Analysis of attacks against networks and machines
    File system security
    Side Channel Analysis of Hardware Devices
    Cloud Security
    Exploit Analysis

On an unrelated note, registration for the 11th annual HITB Security
Conference (#HITB2013KUL) is also open. Taking place from&lt;/pre&gt;</description>
    <dc:creator>Hafez Kamal</dc:creator>
    <dc:date>2013-05-14T10:54:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89319">
    <title>Q: CVE Database with Programming Language and Failure Classification?</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89319</link>
    <description>&lt;pre&gt;Hi All,

Does anyone know where to find an augmented CVE database with: (1)
programming language and (2) failure classification?

For example, CVE-2013-3301 is the Linux kernel, written in C, and the
failure is lack of parameter validation. As another example,
CVE-2013-3302 would also be the Linux kernel, written in C, with a
failure of race condition.

(I'm very interested in aggregated data on all programs/modules
written in C/C++/Objective C).

Jeff

&lt;/pre&gt;</description>
    <dc:creator>Jeffrey Walton</dc:creator>
    <dc:date>2013-05-14T03:54:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89318">
    <title>Security-Assessment.com Advisory: Gallery Server Pro File Upload Filter Bypass</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89318</link>
    <description>&lt;pre&gt;   (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  &amp;lt;_&amp;gt; )  Y Y  \
/______  /\___|__  / \___  &amp;gt;____/|__|_|  /
       \/        \/  .-. \/            \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

        presents..


Gallery Server Pro File Upload Filter Bypass

Vendor Link: http://www.galleryserverpro.com/
PDF:
http://security-assessment.com/files/documents/advisory/GalleryServerProFileUploadFilterBypass.pdf


+-----------+
|Description|
+-----------+

Gallery Server Pro is a media gallery that works both as a stand-alone
application and as a module for DotNetNuke. Security-Assessment.com has
discovered that the upload functionality of both the application and
DotNetNuke module are vulnerable to bypassing the restrictions present
in the file upload filter. This permits a malicious authenticated user
to upload arbitrary file types&lt;/pre&gt;</description>
    <dc:creator>Drew Calcott</dc:creator>
    <dc:date>2013-05-14T02:14:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/89317">
    <title>IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) Admin account Takeover leading to code execution</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/89317</link>
    <description>&lt;pre&gt;IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) Admin account Takeover leading to code execution

Written on : 2013/05/02
Released on : 2013/05/13
Author: John JEAN (&amp;lt; at &amp;gt;johnjean on twitter)
Affected application: Invision Power Board &amp;lt;= 3.4.4
Type of vulnerability: Logical Vulnerability / Bad Sanitization
Required information : Administrator's email
Evaluated Risk : Critical
Solution Status : A patch has been released which fixes these vulnerabilities
References :  http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742


[0] Application description &amp;amp; Deployment estimation

From wikipedia.org:
Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available. While Invision Power Board is a commercially&lt;/pre&gt;</description>
    <dc:creator>John JEAN</dc:creator>
    <dc:date>2013-05-13T13:42:30</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure</link>
  </textinput>
</rdf:RDF>
