Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Re: WordPress Plugin Form Maker by WD [CSRF → LFI]

30 April, 2019 - 12:03

Posted by Henri Salo on Apr 30

MITRE assigned CVE-2019-11590 for this issue.

Re: WordPress Plugin Contact Form Builder [CSRF → LFI]

30 April, 2019 - 12:02

Posted by Henri Salo on Apr 30

MITRE assigned CVE-2019-11557 for this vulnerability.

Multiple vulnerabilities in Dovecot 2.3

30 April, 2019 - 12:01

Posted by Aki Tuomi via Fulldisclosure on Apr 30

Dear subscribers, we have been made aware of two critical vulnerabilities in Dovecot 2.3. Please find patches attached
for 2.3.5.2.

---
Aki Tuomi
Open-Xchange oy

------

Open-Xchange Security Advisory 2019-04-30

Product: Dovecot
Vendor: OX Software GmbH

Internal reference: DOV-3212 (Bug ID)
Vulnerability type: CWE-476
Vulnerable version: 2.3.0 - 2.3.5.2
Vulnerable component: submission-login
Report confidence: Confirmed
Researcher credits:...

Re: GAT-Ship Web Module [All versions before 1.40] - Unrestricted File Upload

26 April, 2019 - 12:00

Posted by gionreale on Apr 26

CVE-2019-11028

Multiple vulnerabilities in Sony Smart TVs

23 April, 2019 - 12:26

Posted by xen1thLabs on Apr 23

UNCLASSIFIED

## ADVISORY INFORMATION

TITLE: Multiple vulnerabilities in Sony Smart TVs
ADVISORY URL:
https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/
DATE PUBLISHED: 23/04/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-10886, CVE-2019-11336
CVSSv3 for CVE-2019-10886: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSSv3 for CVE-2019-11336: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

## PRODUCT...

Re: Obtaining location using Google maps & JavaScript

23 April, 2019 - 12:25

Posted by Reed Black on Apr 23

Have you tested this?

The Google Maps page header includes "x-frame-options: SAMEORIGIN" which would prevent iframe embedding in every
commonly used browser. But even if this control were not in place, browsers implement additional controls. Most
significantly, if the page to be embedded in an iframe is on a remote domain, then the parent page is prevented from
inspecting iframe content and metadata unless permissions are granted by...

WordPress Plugin Contact Form Builder [CSRF → LFI]

23 April, 2019 - 12:23

Posted by Panagiotis Vagenas on Apr 23

# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1

Description
-----------

Plugin implements the following AJAX actions:

- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`...

Re: Redhat/CentOS root through network-scripts

19 April, 2019 - 00:36

Posted by Victor Angelier CCX on Apr 18

sounds clear, thanks!

Met vriendelijke groet,

Kind regards,

the Coding Company


V.A. (Victor) Angelier

CISO, Certified Hacker, CAST611 Certified Advanced Pentester, DevOps

PGP: 612C4BB2<https://pgp.mit.edu/pks/lookup?op=get&search=0x0188D45D612C4BB2>

T: +31 55 302 00 10 (Main number)

M: +46 76 835 6450 (Swedish)

M: +31 6 195 22 602 (Dutch)

E: victor () thecodingcompany se

W:...

CVE-2018-2879 - anniversary

19 April, 2019 - 00:33

Posted by Red Timmy Sec - on Apr 18

For the anniversary of the discovery of CVE-2018-2879 by Sec Consult
(https://sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/) we have decided to release OAMbuster,
a multi-thread implementation of CVE-2018-2879.

Link of the exploit: https://github.com/redtimmy/OAMBuster

Some additional details: https://redtimmysec.wordpress.com/2019/04/14/oambuster-multithreaded-exploit-for-cve-2018-2879/

Regards,
Red Timmy...

Re: Redhat/CentOS root through network-scripts

19 April, 2019 - 00:32

Posted by Kurt H Maier on Apr 18


Yes, if a root-user process executes a script as root then the resulting
commands are indeed run as root.

Those are not INI files, they are shell scripts that set environment
variables. If you do not want your users to have root access on your
computer, do not let them edit files that are run as root.

Your example command configures the environment variable NAME to have
the value 'Network' when the shell runs...

Obtaining location using Google maps & JavaScript

19 April, 2019 - 00:30

Posted by Bhavesh Naik via Fulldisclosure on Apr 18

HTML5's geolocation feature asks for permission to obtain the user's current location, and IP-to-location lookup also
fails to pinpoint the exact location of the user. However, one can use Google Maps to obtain the location of the user (given
that he is currently logged in with his Google account).
Using the URL: https://www.google.com/maps/search/current+location/ as iframe content and making the visitor access
the site would allow...

Re: Microsoft Internet Explorer v11 / XML External Entity Injection 0day

19 April, 2019 - 00:29

Posted by hyp3rlinx on Apr 18

Vimeo reinstated my account a few hours later but I switched to youtube for
now.. but will check those out.

Thank you for that...
hyp3rlinx

Redhat/CentOS root through network-scripts

16 April, 2019 - 03:10

Posted by Victor Angelier CCX on Apr 16

Hi there,

Just found an issue in Redhat/CentOS which according to the RedHat security team is not an issue. I don't know, sounds
weird to me.

If, for whatever reason, a user is able to write an ifcfg-<whatever> script to /etc/sysconfig/network-scripts or can
adjust an existing one, then your system is pwned.

Network scripts, ifcfg-eth0 for example, are used for network connections. They look exactly like .INI files. However,
they are...

Re: Microsoft Internet Explorer v11 / XML External Entity Injection 0day

16 April, 2019 - 03:08

Posted by bo0od on Apr 16

have your own videos either on one of the PeerTubes instances or have
your own instance.

https://joinpeertube.org/en/

other good alternative would be:

https://mediagoblin.org/pages/tour.html

Enjoy!

hyp3rlinx:

CVE-2019-9955 Reflected XSS on Zyxel Login page

16 April, 2019 - 03:07

Posted by aaron bishop on Apr 16

Numerous Zyxel devices are vulnerable to a reflected XSS issue on the login
page. The mp_idx parameter is included in the page unsanitized. A request
such as

https://$RHOST/?mobile=1&mp_idx=%22;alert(1);//

Will trigger an alert, demonstrating the issue. A call to getScript() can
be used to include a full external JavaScript file to capture the
credentials of the user.

Disclosure at:...

[SE-2019-01] Gemalto SIM card applet loading vulnerability

15 April, 2019 - 01:51

Posted by Security Explorations on Apr 14

Hello All,

On Mar 20, 2019 Security Explorations reported a security vulnerability
(Issue 19) to Gemalto [1], that made it possible to achieve read, write
and native code execution access on company's card (GemXplore 3G v3.0).

On Mar 30, 2019, Gemalto provided us with the results of its analysis
of the submitted report.

Gemalto started its message by stating that "the company is committed
to provide state of the art security products...

Microsoft Internet Explorer v11 / XML External Entity Injection 0day

13 April, 2019 - 15:35

Posted by hyp3rlinx on Apr 13

vimeo removed my account for no good reason so new POC url is included.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer v11
(latest version)

Internet Explorer is a series of graphical web browsers...

Nagios XI 5.5.10: XSS to root RCE (CVE-2019-9164, 9165, 9166, 9167, 9202, 9203, 9204)

13 April, 2019 - 15:35

Posted by Abdel Adim `smaury` Oisfi on Apr 13

Description
==========
Various vulnerabilities have been found in Nagios XI 5.5.10, which allow
a remote attacker able to trick an authenticated victim (with
“autodiscovery job” creation privileges) to visit a malicious URL to
obtain a remote root shell via a reflected Cross-Site Scripting (XSS),
an authenticated Remote Code Execution (RCE) and a Local Privilege
Escalation (LPE).

Update to Nagios XI 5.5.11 which includes all the fixes.

Full...

Security Analysis of the TP-Link Archer C50 Router

13 April, 2019 - 15:35

Posted by Harley A.W. Lorenzo via Fulldisclosure on Apr 13

================================================================================
Title: Security Analysis of the TP-Link Archer C50 Router
Version: Archer C50(US)_V2_160801 (latest firmware available)
Product Page: https://www.tp-link.com/us/home-networking/wifi-router/archer-c50/
Published: 2019-04-10 (UTC Time)
Published by: Harley A.W. Lorenzo <hl1998 () protonmail com>
<GPG Key: 0xF6EF23904645BA53>...

HD Pan/Tilt Wi-Fi Camera NC450 Hard-Coded Credential Vulnerability

9 April, 2019 - 13:24

Posted by Sachin Wagh on Apr 09

*Summary:*

The NC450 is your favorable companion that meets home and office
surveillance needs, keeping you in touch with what matters most. With its
smooth and durable Pan/Tilt of up to 300/110 degrees, you can turn the
camera to almost any position you want and watch over a wider area of your
home.

HD Pan/Tilt Wi-Fi Camera NC450 contains hard-coded credentials within its
Linux distribution image. These credentials (root:root) cannot be...