iletisim | 27 Feb 08:04 2015

Wordpress Media Cleaner Plugin - XSS Vulnerability

# Exploit Title: Wordpress Media Cleaner - XSS
# Author: İsmail SAYGILI
# Web Site: www.ismailsaygili.com.tr
# E-Mail: iletisim <at> ismailsaygili.com.tr
# Date: 2015-02-26
# Plugin Download: https://downloads.wordpress.org/plugin/wp-media-cleaner.2.2.6.zip
# Version: 2.2.6

# Vulnerable File(s):
                [+] wp-media-cleaner.php

# Vulnerable Code(s):
                [+] 647. Line
                    $view = $_GET['view'] : "issues";
                [+] 648. Line
                    $paged = $_GET['paged'] : 1;
                [+] 653. Line
                    $s = isset ( $_GET[ 's' ] ) ? $_GET[ 's' ] : null;

# Request Method(s):
                [+] GET
 
# Vulnerable Parameter(s):
                [+] view, paged, s

# Proof of Concept

--> http://target.com/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view={XSS}&paged={XSS}&s={XSS}

--> http://localhost/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view="><img

dennis.veninga | 26 Feb 21:59 2015

HelpDezk 1.0.1 Multiple Vulnerabilities

# Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities
# Google Dork: "intext: helpdezk-community-1.0.1"
# Date: 26-2-2015
# Exploit Author: Dennis Veninga
# Vendor Homepage: http://www.helpdezk.org/
# Vendor contacted: 26-2-2015
# Version: 1.0.1
# Tested on: Firefox 36 & Chrome 38 / W8.1-x64

HelpDezk ->
Version:   		1.0.1
Type:      		Multiple Critical Vulnerabilities
Severity:   		Critical
Info Exploit:  		Different exploits making it possible to take over the website/server

- Arbitrary File Upload
- Remote Command Execution
- User Information Disclosure

###############################################
Arbitrary File Upload, 2 ways ->
1. Direct Access:
http://{target}/helpdezk/admin/logos/upload
#########

2. POST: http://localhost/helpdezk/admin/logos/upload
After posting this, visit http://{target}/helpdezk/app/uploads/logos/shell.php?cmd=whoami

CONTENT: 
-----------------------------14463264629720\r\n

Ben Fuhrmannek | 26 Feb 22:00 2015

Cross-Site-Scripting (XSS) in tcllib's html::textarea


                            SektionEins GmbH
                           www.sektioneins.de

                        -= Security  Advisory =-

       Advisory: Cross-Site-Scripting (XSS) in tcllib's html::textarea
   Release Date: 26 February 2015
  Last Modified: 26 February 2015
         Author: Ben Fuhrmannek [ben.fuhrmannek[at]sektioneins.de]

    Application: tcllib - Tcl standard library - versions 1.0.0 to 1.16;
                 html package versions lower than 1.4.4
       Severity: The use of html::textarea always results in XSS.
           Risk: High
  Vendor Status: resolved with html package version 1.4.4
      Reference: https://www.sektioneins.de/en/advisories/advisory-012015-xss-tcllib-html-textarea.html
                 http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63

Overview:

   "The Tcl Library is a kitchen sink of packages across a broad spectrum of
   things." - Tcl Library Home (http://core.tcl.tk/tcllib/home)

   Applications using tcllib's ::html::textarea functions are vulnerable to
   Cross-Site-Scripting. This function is usually used to programmatically add
   an HTML <textarea> to the output stream of a CGI script.

   No publicly available software has been found to be vulnerable. However it is
   suspected that many non-public Tcl web applications using the

Salvatore Bonaccorso | 26 Feb 18:00 2015

[SECURITY] [DSA 3176-1] request-tracker4 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3176-1                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
February 26, 2015                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : request-tracker4
CVE ID         : CVE-2014-9472 CVE-2015-1165 CVE-2015-1464

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2014-9472

    Christian Loos discovered a remote denial of service vulnerability,
    exploitable via the email gateway and affecting any installation
    which accepts mail from untrusted sources. Depending on RT's
    logging configuration, a remote attacker can take advantage of
    this flaw to cause CPU and excessive disk usage.

CVE-2015-1165

    Christian Loos discovered an information disclosure flaw which may
    reveal RSS feeds URLs, and thus ticket data.

CVE-2015-1464

    It was discovered that RSS feed URLs can be leveraged to perform

Vulnerability Lab | 26 Feb 12:48 2015

Wireless File Transfer Pro Android - Multiple CSRF Vulnerabilities

Document Title:
===============
Wireless File Transfer Pro Android - CSRF Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1437

Release Date:
=============
2015-02-25

Vulnerability Laboratory ID (VL-ID):
====================================
1437

Common Vulnerability Scoring System:
====================================
2.3

Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.

(Copy of the Vendor Homepage:
https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple cross site request forgery web

Vulnerability Lab | 26 Feb 12:45 2015

Data Source: Scopus CMS - SQL Injection Web Vulnerability

Document Title:
===============
Data Source: Scopus CMS - SQL Injection Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1436

Release Date:
=============
2015-02-25

Vulnerability Laboratory ID (VL-ID):
====================================
1436

Common Vulnerability Scoring System:
====================================
8.9

Abstract Advisory Information:
==============================
An independent security team of the vulnerability laboratory discovered a critical sql injection web
vulnerability in the official Data Source Scopus Content Management System.

Vulnerability Disclosure Timeline:
==================================
2015-02-25:	Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Vulnerability Lab | 26 Feb 12:43 2015

DSS TFTP 1.0 Server - Path Traversal Vulnerability

Document Title:
===============
DSS TFTP 1.0 Server - Path Traversal Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1440

Release Date:
=============
2015-02-26

Vulnerability Laboratory ID (VL-ID):
====================================
1440

Common Vulnerability Scoring System:
====================================
6.2

Product & Service Introduction:
===============================
DSS TFTP 1.0 Server is a simple TFTP server that allows basic file transfers.

(Download: http://www.kndata.com/downloads/ )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a path traversal vulnerability in the
official DSS TFTP 1.0 Server software.

Peter Adkins | 26 Feb 09:42 2015

D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities

>> D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities

Discovered by:
----
Peter Adkins <peter.adkins <at> kernelpicnic.net>

Access:
----
Local network; unauthenticated access.
Remote network; unauthenticated access*.
Remote network; 'drive-by' via CSRF.

Tracking and identifiers:
----
CVE - Mitre contacted; not yet allocated.

Platforms / Firmware confirmed affected:
----
D-Link DIR-820L (Rev A) - v1.02B10
D-Link DIR-820L (Rev A) - v1.05B03
D-Link DIR-820L (Rev B) - v2.01b02
TRENDnet TEW-731BR (Rev 2) - v2.01b01

Additional platforms believed to be affected:
----
D-Link DIR-808L (Rev A) - v1.03b05
D-Link DIR-810L (Rev A) - v1.01b04
D-Link DIR-810L (Rev B) - v2.02b01
D-Link DIR-826L (Rev A) - v1.00b23
D-Link DIR-830L (Rev A) - v1.00b07

Slackware Security Team | 26 Feb 07:16 2015

[slackware-security] mozilla-firefox (SSA:2015-056-01)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mozilla-firefox (SSA:2015-056-01)

New mozilla-firefox packages are available for Slackware 14.1 and -current to
fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-31.5.0esr-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-firefox-31.5.0esr-i486-1_slack14.1.txz

Slackware Security Team | 26 Feb 07:16 2015

[slackware-security] mozilla-thunderbird (SSA:2015-056-02)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mozilla-thunderbird (SSA:2015-056-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current
to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-31.5.0-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-thunderbird-31.5.0-i486-1_slack14.1.txz

security-alert | 26 Feb 04:21 2015

[security bulletin] HPSBUX03273 SSRT101951 rev.1 - HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04580241

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04580241
Version: 1

HPSBUX03273 SSRT101951 rev.1 - HP-UX running Java6, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-02-25
Last Updated: 2015-02-25

Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the Java Runtime
Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other vulnerabilities.


