William Robinet | 1 Apr 10:34 2015

CVE-2015-1845, CVE-2015-1846 - unzoo - Buffer overflow & Infinite loop

Dear oss-security list,

Two issues have been fixed in the "unzoo" package from Fedora EPEL.

CVE-2015-1845 unzoo:
    Buffer overflow in EntrReadArch()
    https://bugzilla.redhat.com/show_bug.cgi?id=1207645

CVE-2015-1846 unzoo:
    Infinite loop due to incorrect pointers handling in ExtrArch()/ListArch()
    https://bugzilla.redhat.com/show_bug.cgi?id=1207647

William
(Please note I'm not a member of the list)

-- 
GPG Key ID/Fingerprint:
    74C7A949/B509 4137 1353 A3FC 6A87  AA06 003F A3DF 74C7 A949

Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62

Jeremy Spilman | 1 Apr 07:53 2015

Signature Bypass in several JSON Web Token Libraries (CVEs Needed?)

Tim McLean discovered two serious (related) vulnerabilities common to
several widely used JSON Web Token (JWT) libraries, which he wrote about
here [1] a month ago, and again today here [2].

A JWT is a base64-encoded header, payload, and signature, where the header
specifies the signature algorithm and an expiration timestamp.

The validation libraries running server side provide APIs such as:

   verify(string token, string secretKey)

The two critical bugs:

- Even when a secretKey was provided to the API, if the data in 'token'
decoded to a header specifying a signature algorithm of *none*, the API
would still return success, meaning an attacker could just strip the
signature, change the header, and bypass the signature validation
server-side.

- If the secretKey was expected to be an RSA public key, but the attacker
changed the header to indicate a signature algorithm of HMAC, the RSA
public key would be used as the signing secret.

Affected libraries include, but are probably not limited to:

namshi-jose:  
https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636
python-jwt:  
https://github.com/davedoesdev/python-jwt/commit/5ddb71b2ed5785c329b761e45a246996a1dd9cab
node-jsonwebtoken:  
(Continue reading)
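The server-side check the post calls for, as an added example that is not code from the original post or from any of the libraries listed: the caller pins the expected algorithm and the verifier compares it against the header before any key is used, so an alg of "none" (or an HMAC header against an RSA deployment) is rejected up front. Only HS256 is implemented; the key and tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build inputs for verify()."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token: str, key: bytes, expected_alg: str = "HS256", now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # The server, not the token, picks the algorithm; checking it before any
    # key is used rejects alg "none" and keeps an RSA public key out of HMAC.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise ValueError("algorithm not accepted")
    if expected_alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def accepts(token: str, key: bytes, expected_alg: str = "HS256", now=None) -> bool:
    try:
        verify(token, key, expected_alg, now)
        return True
    except ValueError:
        return False
```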

Larry W. Cashdollar | 1 Apr 03:54 2015

Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8

Title: Remote file upload vulnerability in videowhisper-video-conference-integration wordpress
plugin v4.91.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/support/plugin/videowhisper-video-conference-integration
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won’t fix. http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=116
Description: From their site "VideoWhisper Video Conference is a modern web based multiple way video chat
and real time file sharing tool.  Read more on WordPress Video Conference plugin home page."

Vulnerability:
./videowhisper-video-conference-integration/vc/vw_upload.php allows various remote
unauthenticated file uploads. Among the file types is html, where only the last 4 characters of a
file name are checked to match which types are allowed. Because of this .shtml can be passed through and,
if SSI is allowed, remote code execution is possible. The code does not do any user access validation and therefore
anyone can upload the following files to an unsuspecting wordpress site:

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps

The check

    if (strstr($filename,'.php')) exit;

can be bypassed by using the extension .Php, and the file extension check would then allow files like test.Php.shtml.

./videowhisper-video-conference-integration/vc/vw_upload.php

<?php 
if ($_GET["room"]) $room=$_GET["room"]; 
if ($_POST["room"]) $room=$_POST["room"]; 

$filename=$_FILES['vw_file']['name'];
(Continue reading)

Larry W. Cashdollar | 1 Apr 03:52 2015

Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17

Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31 won’t fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site 
"VideoWhisper Video Consultation is a web based video communication solution designed for online video
consultations, interactive live presentations, trainings, webinars, coaching and online
collaboration with webcam support. Read more on WordPress Video Presentation plugin home page."

Vulnerability:
From wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php allows various remote
unauthenticated file uploads. Among the file types is html, where only the last 4 characters of a
file name are checked to match which types are allowed. Because of this .shtml can be passed through and,
if SSI is allowed, remote code execution is possible. The code does not do any user access validation and therefore
anyone can upload the following files to an unsuspecting wordpress site:

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps

The check

    if (strstr($filename,'.php')) exit;

can be bypassed by using the extension .Php, and the file extension check would then allow files like test.Php.shtml.

<?php
if ($_GET["room"]) $room=$_GET["room"]; 
if ($_POST["room"]) $room=$_POST["room"]; 
$filename=$_FILES['vw_file']['name']; 
include_once("incsan.php"); 
sanV($room); 
(Continue reading)
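The extension check that both VideoWhisper advisories describe, next to a hardened replacement, as an added example in Python rather than the plugin's PHP: weak_check is a reconstruction of the described behaviour (case-sensitive '.php' substring test, then only the last four characters compared), not the plugin's code, and SAFE_EXTENSIONS is an assumed allowlist of passive content types.

```python
import os

# Type list as quoted in the advisories; .shtml, .htm and html are on it.
ADVISORY_TYPES = [".shtml", "swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt", ".doc",
                  "docx", ".htm", "html", ".pdf", ".mp3", ".flv", ".avi", ".mpg", ".ppt", ".pps"]

# Assumed hardened allowlist: complete, lower-cased extensions; no html/shtml/htm/swf,
# which a web server may process (SSI) or which carry active content.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "mp3", "flv", "avi", "mpg",
                   "zip", "rar", "doc", "docx", "ppt", "pps"}

def weak_check(filename: str) -> bool:
    """Reconstruction of the check the advisories describe (not the plugin's PHP):
    a case-sensitive substring test for '.php', then only the last four
    characters of the name compared against the type list."""
    if ".php" in filename:
        return False
    return filename[-4:] in ADVISORY_TYPES

def hardened_check(filename: str) -> bool:
    """Accept only a bare file name with exactly one extension from the allowlist."""
    name = os.path.basename(filename)
    if name != filename or name.startswith("."):
        return False  # path components or dotfiles such as .htaccess
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or not stem or "." in stem:
        return False  # no extension, or a second one (test.Php.shtml)
    return ext in SAFE_EXTENSIONS
```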

Chris Steipp | 1 Apr 03:34 2015

CVE request: MediaWiki 1.24.2/1.23.9/1.19.24

Hi, we patched several security issues in MediaWiki today. Could we get
CVEs assigned?

* iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
<https://phabricator.wikimedia.org/T85850>

* MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
<https://phabricator.wikimedia.org/T86711>

* MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki's Html class, in combination with
LanguageConverter substitutions.
<https://phabricator.wikimedia.org/T73394>

* Internal review discovered that MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes /
Beyond Security.
<https://phabricator.wikimedia.org/T88310>

* iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3) to load external resources. This could violate the
anonymity of users viewing the SVG.
<https://phabricator.wikimedia.org/T85349>

* Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
(Continue reading)

wzt wzt | 31 Mar 12:42 2015

CVE request: freebsd/sh stack overflow vulnerability

hi:
    I found that sh has a stack overflow bug on FreeBSD (9.0-10.0). It may be
triggered on all FreeBSD systems, but I have not tested yet. The PoC below
was tested on FreeBSD 10.0, amd64 arch:

$ ls
brootkit.sh
$ . brootkit.sh
$ command
$ ls
brootkit.sh     sh.core

(gdb) x/16x $rsp+0x1b8
0x7fffdfffeff8: Cannot access memory at address 0x7fffdfffeff8
(gdb) x/16x $rsp+0x1c0
0x7fffdffff000: 0x0000000000000000      0x0000000000000000
0x7fffdffff010: 0x0000000000000000      0x0000000000000000
0x7fffdffff020: 0x0000000000000000      0x0000000000000000
0x7fffdffff030: 0x0000000000000000      0x0000000000000000
0x7fffdffff040: 0x0000000000000000      0x0000000000000000
0x7fffdffff050: 0x0000000000000000      0x0000000000000000
0x7fffdffff060: 0x0000000000000000      0x0000000000000000
0x7fffdffff070: 0x0000000000000000      0x0000000000000000

(gdb) disass malloc malloc+32
Dump of assembler code from 0x800d593f0 to 0x800d59410:
0x0000000800d593f0 <malloc+0>:  push   %rbp
0x0000000800d593f1 <malloc+1>:  mov    %rsp,%rbp
0x0000000800d593f4 <malloc+4>:  push   %r15
0x0000000800d593f6 <malloc+6>:  push   %r14
(Continue reading)

Vasyl Kaigorodov | 30 Mar 14:40 2015

CVE Request: ikiwiki: cross-site scripting via openid_identifier

Hello,

A cross-site scripting flaw in the handling of the openid_identifier
parameter has been fixed in ikiwiki:

http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=18dfba868fe2fb9c64706b2123eb0b3a3ce66a77

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781483
https://bugzilla.redhat.com/show_bug.cgi?id=1207210

Can we have a CVE assigned to this please?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Come talk to Red Hat Product Security at the Summit!
Red Hat Summit 2015 - https://www.redhat.com/summit/

Salvatore Bonaccorso | 30 Mar 06:58 2015

CVE Request: ikiwiki: cross-site scripting via openid_identifier

Hi

A cross-site scripting vulnerability via openid_identifier was
reported in the Debian BTS at [1]. Upstream fix is at [2]. Could a CVE
be assigned to this issue?

 [1] https://bugs.debian.org/781483
 [2] http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=18dfba868fe2fb9c64706b2123eb0b3a3ce66a77

Regards,
Salvatore

Salvatore Bonaccorso | 30 Mar 06:35 2015

CVE Request: DBD-Firebird: Buffer Overflow in dbdimp.c

Hi

A buffer overflow has been fixed in DBD-Firebird, a DBI driver for
Firebird RDBMS server, in version 1.19:

 [1] https://metacpan.org/source/DAM/DBD-Firebird-1.19/Changes
 [2] https://bugs.debian.org/780925

Could you please assign a CVE for this issue?

Regards,
Salvatore

Javantea | 30 Mar 03:50 2015

CVE Request: Remote Code Execution in Realms Wiki install.sh

Hello,

Realms Wiki install.sh is vulnerable to remote code execution. This is unpatched but the author has
responded that he intends to fix the bugs when he has the time. At the same time I found a CSRF vulnerability
which I asked for a separate CVE for.

Product:  Realms Wiki
Website:  http://realms.io/
Github:   https://github.com/scragg0x/realms-wiki
CVSS Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

References:
[1] http://seclists.org/fulldisclosure/2015/Mar/153
[2] https://twitter.com/scragg0x/status/581602868802682881

Could you allocate a CVE id for this?

Thank you and Regards, Javantea.

Javantea | 30 Mar 03:47 2015

CVE Request: CSRF in Realms Wiki

Hello,

Realms Wiki is vulnerable to Cross-Site Request Forgery on all posts. Especially of concern are New, Edit,
and Revert. This is unpatched but the author has responded that he intends to fix the bugs when he has the
time. At the same time I found a remote code execution vulnerability which I will be asking for a separate
CVE for.

Product:  Realms Wiki
Website:  http://realms.io/
Github:   https://github.com/scragg0x/realms-wiki
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)

References:
[1] http://seclists.org/fulldisclosure/2015/Mar/152
[2] https://twitter.com/scragg0x/status/581602868802682881

Could you allocate a CVE id for this?

Thank you and Regards, Javantea.
