Jing Wang | 30 Aug 15:47 2015

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug


Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web
Security Vulnerability
Product: Winmail Server
Vendor: Winmail Server
Vulnerable Versions: 4.2, 4.1
Tested Version: 4.2, 4.1
Advisory Publication: August 24, 2015
Latest Update: August 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)

*Suggestion Details:*

*(1) Vendor & Product Description:*
(Continue reading)

Jing Wang | 30 Aug 15:09 2015

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug


Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected
XSS Web Security Vulnerability
Product: Knowledge Tree Document Management System
Vendor: Knowledge Inc
Vulnerable Versions: OSS 3.0.3b
Tested Version: OSS 3.0.3b
Advisory Publication: August 22, 2015
Latest Update: August 31, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)

*Suggestion Details:*

*(1) Vendor & Product Description:*
(Continue reading)

pcheng pcheng | 29 Aug 05:44 2015

CVE request: vorbis-tools: buffer overflow in aiff_open()

Name : vorbis-tool
Affected Version: <= Revision 19495
URL : https://wiki.xiph.org/Vorbis-tools

Description :
An issue was found in oggenc/audio.c when it tries to open an invalid AIFF file.

274    if(fread(buffer,1,len,in) < len)
The input buffer and length can be controlled by user indirectly via:

260    if(!find_aiff_chunk(in, "COMM", &len))

More info can be found at :
https://trac.xiph.org/ticket/2212

Dis close | 28 Aug 12:20 2015

CVE Request - LFI/Path Traversal in NextGen Gallery WordPress Plugin.

Hi List:

We are requesting CVE for the below mentioned security issue in NextGen
Gallery Plugin:

Plugin Details:
==============
Plugin Name: NextGen Gallery
Version: 2.1.7
Homepage: https://wordpress.org/plugins/nextgen-gallery/

Description
===============
NextGEN Gallery is the most popular *WordPress Gallery Plugin* with over 13
million downloads.

Vulnerability
===============
The plugin fails to validate user input in one of the variables, which
allows a logged-in user to access system files and other unauthorized files
on the server.

POC Video Link: https://www.youtube.com/watch?v=KkPVMxubUis

Proof of Concept
================

By sending a POST request to http://localhost/wordpress/?photocrati_ajax=1
and modifying the *dir* variable with ../../../ input, a user can traverse the
file system and access files even outside the application directory.
(Continue reading)

Florian Weimer | 28 Aug 10:05 2015

CVE request: XSS vulnerability in jsoup related to incomplete tags at EOF

Described in this pull request by Tommy Johansen:

“
We use Hibernate Validator (HV) and the @SafeHtml annotation to validate
input from users. During a security review we discovered that an unsafe
XSS vector slipped by the validator. While debugging HV we discovered
that the source of the problem was related to how Jsoup handled tags
without a closing > when reaching EOF.
”

<https://github.com/jhy/jsoup/pull/582>

Additional references:

<https://hibernate.atlassian.net/browse/HV-1012>
<https://issues.jboss.org/browse/WFLY-5223>

Would you please assign a CVE ID to this issue?  Thanks.

-- 
Florian Weimer / Red Hat Product Security

pcheng pcheng | 28 Aug 05:32 2015

CVE-2015-0852 [FreeImage] Integer overflow in PluginPCX.cpp

The following bug was reported to upstream and Debian security team. CVE-2015-0852 was assigned by Debian
security team.

Name : FreeImage
Affected Version: <= 3.17.0
URL : http://freeimage.sourceforge.net/

Description :
An integer overflow issue in the FreeImage project was reported and fixed recently.
Upstream fix: Revision 1.18 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=log&pathrev=MAIN

Details:

The PluginPCX.cpp file (version 3.17.0) has:

371 unsigned width = header.window[2] - header.window[0] + 1;
372 unsigned height = header.window[3] - header.window[1] + 1;
373 unsigned bitcount = header.bpp * header.planes;

However, it's possible that header.window[2] < header.window[0], and also header.window[3] <
header.window[1]. In these two cases, width and height can overflow, and this can lead to further issues
in the rest of the code. Take the following lines for example:

568 for (x = 0; x < width; x++) {
569 bits[x * 3 + FI_RGBA_RED] = pline[x];
570 }

The write operation on buffer bits can help an attacker to corrupt the heap.

(Continue reading)
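The wrap-around described above, shown as an added example that is not FreeImage's own code: a constructed stand-in for the PCX header (the real struct layout is an assumption), the quoted unchecked arithmetic beside a hardened variant that rejects a window whose maximum coordinate is below its minimum.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the PCX header fields the advisory cites:
 * window[] = {Xmin, Ymin, Xmax, Ymax} as 16-bit values. This layout is
 * an assumption for the example, not FreeImage's own definition. */
typedef struct {
    uint16_t window[4];
    uint8_t  bpp;
    uint8_t  planes;
} pcx_header_t;

/* The arithmetic as quoted from PluginPCX.cpp 3.17.0, with no ordering
 * check: uint16_t promotes to int, so Xmax < Xmin gives a negative value
 * that converts to a huge unsigned width (about 4 billion). */
static unsigned width_unchecked(const pcx_header_t *h) {
    return h->window[2] - h->window[0] + 1;
}

/* Hardened variant: reject Xmax < Xmin or Ymax < Ymin before computing,
 * so width and height always lie in 1..65536. Returns false on a
 * malformed header and leaves *w and *hgt untouched. */
static bool pcx_dims_checked(const pcx_header_t *h, unsigned *w, unsigned *hgt) {
    if (h->window[2] < h->window[0] || h->window[3] < h->window[1])
        return false;
    *w   = (unsigned)h->window[2] - h->window[0] + 1;
    *hgt = (unsigned)h->window[3] - h->window[1] + 1;
    return true;
}

/* Helpers (constructed) to exercise both paths from raw window values. */
static unsigned unchecked_width_of(uint16_t xmin, uint16_t xmax) {
    pcx_header_t h = { {xmin, 0, xmax, 0}, 8, 1 };
    return width_unchecked(&h);
}
static bool header_accepted(uint16_t xmin, uint16_t ymin, uint16_t xmax, uint16_t ymax) {
    pcx_header_t h = { {xmin, ymin, xmax, ymax}, 8, 1 };
    unsigned w, hg;
    return pcx_dims_checked(&h, &w, &hg);
}

int main(void) {
    /* Constructed malformed header: Xmax (50) < Xmin (100). */
    printf("unchecked width = %u\n", unchecked_width_of(100, 50));
    printf("hardened check: %s\n", header_accepted(100, 0, 50, 10) ? "accepted" : "rejected");
    return 0;
}
```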

Siddharth Sharma | 27 Aug 16:42 2015

CVE-2014-8177 gluster-swift metadata constraints are not correctly enforced

Hi,

A flaw was found in the metadata constraints in gluster-swift package. By
adding metadata in several separate calls, a malicious user could bypass the
max_meta_count constraint, and store more metadata than allowed by the
configuration.

Upstream Fix: https://review.openstack.org/#/c/215487

Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1257525

We are using CVE-2014-8177; the CVE was SPLIT due to different codebases.
So please use CVE-2014-8177 for gluster-swift; for openstack-swift,
CVE-2014-7960 was already assigned.

https://bugzilla.redhat.com/show_bug.cgi?id=1150461

-----------------------------------------------------------------
Siddharth Sharma / Red Hat Product Security / Key ID : 0xD9F6489A 
Fingerprint :  0x6F04C684 A49C E4CE 8148 E841 CD6F 8E55 D9F6 489A 

Florian Weimer | 27 Aug 11:56 2015

CVE-2015-5237: Integer overflow in protobuf serialization (currently minor)

https://github.com/google/protobuf/issues/760

This is currently not intended to be addressed upstream, which is a bit
disappointing.  It's true that this issue does not have much exposure
right now, but in a couple of years, the message sizes involved will not
seem so gigantic anymore.  And as explained in the bug report, fixing
this will be difficult because it involves updating generated code; it
won't be a simple library update.

-- 
Florian Weimer / Red Hat Product Security

Gustavo Grieco | 26 Aug 23:01 2015

Multiple memory corruptions caused by uninitialized values in JasPer 1.900

Hi,

Following Raphael's advice, I found some memory corruptions in JasPer 1.900
after a quick round of fuzzing of the regression tests of Openjpeg. A few
interesting test cases are available here:

https://zimbra.imag.fr/home/gustavo.grieco-wMUr/XMoy4A <at> public.gmane.org/Briefcase/Public/cases.tar.gz

They are compressed to avoid easily crashing programs like Nautilus and
Firefox. All of them can be verified using:

jasper --input $filename --output-format pnm

(tested in Ubuntu 14.04, 32-bit but it should work in other configurations)

Additionally, sigsegv.jp2 crashes most of the programs using gdk-pixbuf,
like Firefox and Chrome (!). I reported this issue to them a few days ago and
advised them to disable previews of JPEG images, since JasPer is unmaintained
and vulnerable. Mozilla developers are working hard trying to find a
workaround to avoid using the vulnerable code.
On the other hand, Chromium developers dismissed this issue, saying that
they will wait for the "upstream fix".

I think the cause of such memory corruptions is uninitialized values, taken
from the heap, as valgrind reports:

==15417== Memcheck, a memory error detector
==15417== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15417== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
(Continue reading)

Tristan Cacqueray | 26 Aug 22:22 2015

[OSSA 2015-016] Information leak via Swift tempurls (CVE-2015-5223)

==================================================
OSSA-2015-016: Information leak via Swift tempurls
==================================================

:Date: August 26, 2015
:CVE: CVE-2015-5223

Affects
~~~~~~~
- Swift: versions through 2.3.0

Description
~~~~~~~~~~~
Richard Hawkins from Rackspace and Swift core reviewers reported a
vulnerability in Swift tempurls. When in possession of a tempurl key
authorized for PUT, a malicious actor may retrieve other objects in
the same Swift account (tenant). All Swift setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/217253 (Juno)
- https://review.openstack.org/217254 (Kilo)
- https://review.openstack.org/217255 (Kilo)
- https://review.openstack.org/217259 (Liberty)
- https://review.openstack.org/217260 (Liberty)

Credits
~~~~~~~
- Richard Hawkins from Rackspace (CVE-2015-5223)
- Swift core reviewers from OpenStack (CVE-2015-5223)
(Continue reading)

Dis close | 26 Aug 11:01 2015

CVE Request : Serenity Media Player Buffer Overflow

Hi List:

This issue was disclosed and was acknowledged as public disclosure on
http://openwall.com/lists/oss-security/2015/08/24/2

We request a CVE for the below mentioned vulnerability.

Below is the detailed information about the exploit code and POC video.

Exploit code and stack trace:
https://github.com/cybersecurityworks/Diclosed/blob/master/Serenity%20audio%20Player%203.2.3%20SEH%20Buffer%20Overflow

Exploit Video POC
https://youtu.be/ZMC-URZagMg

Note: The vulnerability was discovered by the below mentioned person and
organization. Credit for this vulnerability is requested for the following:

*Discovery Credit:*
*Arjun Basnet from Cyber Security Works Pvt Ltd*

*----*
Thanks in advance

Team CSW
