mehmet.ince | 23 May 22:09 2016

AfterLogic WebMail Pro ASP.NET < 6.2.7 Administrator Account Takeover via XXE Injection

1. ADVISORY INFORMATION
========================================
Title: AfterLogic WebMail Pro ASP.NET Administrator Account Takeover via XXE Injection
Application: AfterLogic WebMail Pro ASP.NET 
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: AfterLogic WebMail Pro ASP.NET < 6.2.7
Vendor URL: http://www.afterlogic.com/webmail-client-asp-net
Bugs:  XXE Injection
Date found:  28.03.2016
Reported:  22.05.2016
Vendor response: 22.05.2016
Date of Public Advisory: 23.05.2016

2. CREDIT
========================================
This vulnerability was identified during a penetration test
by Mehmet INCE & Halit Alptekin from PRODAFT / INVICTUS

3. VERSIONS AFFECTED
========================================
AfterLogic WebMail Pro ASP.NET < 6.2.7

4. INTRODUCTION
========================================
It seems that the /webmail/spellcheck.aspx?xml= endpoint takes an XML request as a parameter and parses it with
XML entities.
By abusing XML entities attackers can read the Web.config file as well as settings.xml, which contains
administrator account credentials in plain text.
(Continue reading)

Moritz Muehlenhoff | 23 May 23:08 2016

[SECURITY] [DSA 3586-1] atheme-services security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3586-1                   security <at> debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 23, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : atheme-services
CVE ID         : CVE-2016-4478

It was discovered that a buffer overflow in the XMLRPC response encoding
code of the Atheme IRC services may result in denial of service.

For the stable distribution (jessie), this problem has been fixed in
version 6.0.11-2+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 7.0.7-2.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.7-2.

We recommend that you upgrade your atheme-services packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce <at> lists.debian.org
(Continue reading)

Julien Ahrens | 23 May 21:08 2016

[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        XenAPI for XenForo
Vendor URL:     github.com/Contex/XenAPI
Type:           SQL Injection [CWE-89]
Date found:     2016-05-20
Date published: 2016-05-23
CVSSv3 Score:   7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE:            -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
XenAPI for XenForo v1.4.1
older versions may be affected too but were not tested.

4. INTRODUCTION
===============
This Open Source REST API allows usage of several of XenForo's functions,
such as authentication, user information and many other functions!

(from the vendor's homepage)

(Continue reading)

Moritz Muehlenhoff | 22 May 23:29 2016

[SECURITY] [DSA 3585-1] wireshark security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3585-1                   security <at> debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 22, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2016-4006 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 
                 CVE-2016-4082 CVE-2016-4085

Multiple vulnerabilities were discovered in the dissectors/parsers for
PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u6.

For the testing distribution (stretch), these problems have been fixed
in version 2.0.3+geed34f0-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.0.3+geed34f0-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce <at> lists.debian.org
(Continue reading)

Julien Ahrens | 21 May 11:46 2016

[RCESEC-2016-001] Postfix Admin v2.93 Generic POST Cross-Site Request Forgeries

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        Postfix Admin
Vendor URL:     sourceforge.net/projects/postfixadmin/
Type:           Cross-Site Request Forgery [CWE-253]
Date found:     2016-04-23
Date published: 2016-05-21
CVSSv3 Score:   4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVE:            -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Postfix Admin v2.93 (latest)
older versions may be affected too.

4. INTRODUCTION
===============
Postfix Admin is a Web Based Management tool created for Postfix. It is a
PHP based application that handles Postfix Style Virtual Domains and Users
that are stored in MySQL or PostgreSQL.

(from the vendor's homepage)
(Continue reading)

Slackware Security Team | 21 May 00:56 2016

[slackware-security] curl (SSA:2016-141-01)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  curl (SSA:2016-141-01)

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/curl-7.49.0-i486-1_slack14.1.txz:  Upgraded.
  Fixed a TLS certificate check bypass with mbedTLS/PolarSSL.
  For more information, see:
    https://curl.haxx.se/docs/adv_20160518.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
(Continue reading)

security-alert | 19 May 21:31 2016

[security bulletin] HPSBGN03564 rev.1 - HPE Release Control using Java Deserialization, Remote Code Execution


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05063986

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05063986
Version: 1

HPSBGN03564 rev.1 - HPE Release Control using Java Deserialization, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-03-29
Last Updated: 2016-03-29

Potential Security Impact: Remote Code Execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A vulnerability in Apache Commons Collections for handling Java object
deserialization was addressed by HPE Release Control. The vulnerability could
be exploited remotely to allow remote code execution.

References: CVE-2016-1999

(Continue reading)

Salvatore Bonaccorso | 19 May 21:09 2016

[SECURITY] [DSA 3584-1] librsvg security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3584-1                   security <at> debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 19, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : librsvg
CVE ID         : CVE-2015-7558 CVE-2016-4347 CVE-2016-4348

Gustavo Grieco discovered several flaws in the way librsvg, a SAX-based
renderer library for SVG files, parses SVG files with circular
definitions. A remote attacker can take advantage of these flaws to
cause an application using the librsvg library to crash.

For the stable distribution (jessie), these problems have been fixed in
version 2.40.5-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 2.40.12-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.40.12-1.

We recommend that you upgrade your librsvg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

(Continue reading)

ERPScan inc | 19 May 12:03 2016

[ERPSCAN-16-011] SAP NetWeaver AS JAVA – SQL injection vulnerability

Application:  SAP NetWeaver AS JAVA

Versions Affected:  SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL:    http://SAP.com

Bugs:    SQL injection

Sent:     04.12.2015

Reported: 04.12.2015

Vendor response:  05.12.2015

Date of Public Advisory:   09.02.2016

Reference:   SAP Security Note 2101079

Author:    Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver AS JAVA – SQL injection vulnerability

Advisory ID: [ERPSCAN-16-011]

Risk: Critical

(Continue reading)

ERPScan inc | 19 May 12:01 2016

[ERPSCAN-16-010] SAP NetWeaver AS JAVA – information disclosure vulnerability

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bugs:  information disclosure

Sent:  15.09.2015

Reported:  15.09.2015

Vendor response: 16.09.2015

Date of Public Advisory: 09.02.2016

Reference: SAP Security Note 2256846

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver AS JAVA – information disclosure vulnerability

Advisory ID: [ERPSCAN-16-010]

Risk: Medium

(Continue reading)

mandy | 19 May 09:56 2016

TYPO3 RemoveXSS.php vulnerability versions 6.2.19 and 7.6.4

Madison Gurkha Security Advisory

Advisory: TYPO3 circumvent RemoveXSS.php cross site scripting using BASE64 encoding

1. DETAILS
----------
Product: Typo3 CMS
Vendor URL: typo3.org
Type: Cross-site Scripting [CWE-79]
Date found: 2016-03-09
Date published: 2016-05-19

2. AFFECTED VERSIONS
--------------------
Typo3 6.2.19 and below
Typo3 7.6.4 and below
and other older versions may be affected too.
Until the removal of the RemoveXSS.php function, versions will be affected.

3. VULNERABILITY DETAILS
------------------------
The filter (RemoveXSS.php) to prevent XSS attacks when using the TYPO3
framework can be circumvented.
The filter is based on a blacklist method which specifies the actions
that are not allowed. It is not recommended to implement security based
on blacklisting methods. Proper input validation and output escaping (in
the proper context) should be a sufficient measure against XSS attacks.

According to the filter it is allowed to add special characters like
"/><. These characters make it possible to create a reflected XSS attack
(Continue reading)
