Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Multiple Vulnerabilities in Plone CMS

19 October, 2016 - 15:38

Posted by Sebastian Perez on Oct 19

[Product Description]
Plone is a free and open source content management system built on
top of the Zope application server. Plone is positioned as an
"Enterprise CMS" and is most commonly used for intranets and as part
of the web presence of large organizations.

[Systems Affected]
Product : Plone
Version : All supported Plone versions (4.3.11 and any earlier 4.x
version, 5.0.6 and any earlier 5.x version). Previous versions...

Ghostscript sandbox bypass leads ImageMagick to remote code execution

19 October, 2016 - 15:37

Posted by redrain root on Oct 19

Recently I noticed Tavis Ormandy reporting a vulnerability where the Ghostscript
-dSAFER mode could be ignored and lead to code execution; however, no one has
exploited it in an application. Here is a simple discussion and exploit
for it.

Author: redrain, yu.hong () chaitin com
Date: 2016-10-17
Version: Ghostscript version > 1.6
ImageMagick (or other app), all versions
Vendor Notified: 2016-10-18

ImageMagick allows to process files with...

Evernote for Windows DLL Loading Remote Code Execution

19 October, 2016 - 15:34

Posted by Himanshu Mehta on Oct 19

Aloha,

Summary
Evernote contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system. The vulnerability exists because a DLL file is loaded improperly
by 'Evernote_6.1.2.2292.exe', allowing an attacker to load a DLL file of
the attacker's choosing that could execute arbitrary code without the
user's knowledge.

Affected Product:
Evernote...

Defense in depth -- the Microsoft way (part 44): complete failure of Windows Update

19 October, 2016 - 15:27

Posted by Stefan Kanthak on Oct 19

Hi @ll,

For more than a year now, Windows Update has failed (not only, but most
notably) on FRESH installations of Windows 7/8/8.1 (especially their
32-bit editions), which then get NO security updates at all [°]!

One of the many possible causes: Windows Update Client runs out of
(virtual) memory during the search for updates and yields 0x8007000E
alias E_OUTOFMEMORY ['].

According to <https://support.microsoft.com/en-us/kb/3050265>...

CVE-2016-7999: SPIP 3.1.2 Server Side Request Forgery

19 October, 2016 - 15:26

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Server Side Request Forgery (CVE-2016-7999)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

It's possible to send HTTP/FTP requests using the `valider_xml` file.
Attackers can make it look like the server is sending the...

CVE-2016-7998: SPIP 3.1.2 Template Compiler/Composer PHP Code Execution

19 October, 2016 - 15:26

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The SPIP template composer/compiler does not correctly handle SPIP "INCLUDE/INCLURE" Tags, allowing PHP code...

CVE-2016-7982: SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal

19 October, 2016 - 15:26

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `valider_xml` file can be used to enumerate files on the system.

**Access Vector**: remote

**Security Risk**: medium...

CVE-2016-7981: SPIP 3.1.2 Reflected Cross-Site Scripting

19 October, 2016 - 15:26

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS...

CVE-2016-7980: SPIP 3.1.2 Exec Code Cross-Site Request Forgery

19 October, 2016 - 15:26

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The vulnerable request to `valider_xml` (see: *SPIP 3.1.2 Template Compiler/Composer PHP Code Execution -
CVE-2016-7998*) is...

OpenSSL 1.1.0 remote client memory corruption

19 October, 2016 - 15:22

Posted by Guido Vranken on Oct 19

Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past...

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

19 October, 2016 - 15:21

Posted by Bogner Florian on Oct 19

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: up to the still current version 1.8-rc4
Tested on: OS X El Capitan 10.11.6
CVE : product not covered
URL:...

cgiemail (included with cPanel) local file inclusion vulnerability

19 October, 2016 - 15:21

Posted by Finbar Crago on Oct 19

cgiecho, a script included with cgiemail, will return any file under a
website's document root if the file contains square brackets and the
text within the brackets is guessable.

e.g.: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will
display http://hostname/login.php if it contains $_POST['pass']

This behaviour is listed as a 'small risk' in the original
documentation (and back in 1998 it...
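
The behaviour described in the post above, modelled in Python as an added example (this is not cgiemail's or cPanel's own code). The document root is a constructed dict, and the template semantics are an assumption drawn from the post's wording: the requested file is echoed back with every [name] replaced by the form field of that name, and only when it contains at least one bracket token and every token was supplied. The `templates/` allowlist in the hardened variant and the `audit_docroot` check are hypothetical hardening, not cPanel's actual fix:

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for a site's document root (path -> contents).
# login.php is the kind of file the post describes: it contains $_POST['pass'].
DOCROOT = {
    "login.php": "<?php\nif ($_POST['pass'] === 'hunter2') { echo 'ok'; }\n",
    "templates/feedback.tmpl": "From: [email]\nMessage: [message]\n",
    "index.html": "<h1>Welcome</h1>\n",
}

# A cgiemail-style template field: anything between square brackets.
TOKEN = re.compile(r"\[([^\]]+)\]")


def fields_from_query(query_string):
    """Form fields from a query string, e.g. the post's ?'pass'=['pass']."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def cgiecho_render(docroot, path, fields):
    """Model of cgiecho as the post describes it (assumption: the requested file
    under the document root is treated as a template and echoed back with every
    [name] replaced by the form field of that name; a file with no bracket
    token, or with a token the request did not supply, is not returned)."""
    template = docroot.get(path.lstrip("/"))
    if template is None:
        return None
    names = set(TOKEN.findall(template))
    if not names or not names <= set(fields):
        return None  # a bracket name the attacker failed to guess
    return TOKEN.sub(lambda m: fields[m.group(1)], template)


def cgiecho_render_hardened(docroot, path, fields, template_dir="templates/"):
    """Same renderer, but only files inside a dedicated template directory may
    be used as templates (hypothetical hardening, not cPanel's actual fix)."""
    relative = path.lstrip("/")
    if ".." in relative.split("/") or not relative.startswith(template_dir):
        return None
    return cgiecho_render(docroot, relative, fields)


def audit_docroot(docroot, template_dir="templates/"):
    """Admin check: files outside the template directory that contain a
    bracket token and could therefore be disclosed through cgiecho."""
    return sorted(
        path for path, body in docroot.items()
        if not path.startswith(template_dir) and TOKEN.search(body)
    )


if __name__ == "__main__":
    # The request from the post: the field name is the guessed text 'pass'
    # (quotes included) and the value ['pass'] puts the original text back,
    # so the source of login.php comes back byte for byte.
    attack = fields_from_query("'pass'=['pass']")
    print(cgiecho_render(DOCROOT, "/login.php", attack))
    print(cgiecho_render_hardened(DOCROOT, "/login.php", attack))  # None
    print(audit_docroot(DOCROOT))                                   # ['login.php']
```

The value `['pass']` in the post's URL is what makes the disclosure exact: the only substitution cgiecho performs puts the original text back, so the PHP source is returned unchanged. Running `audit_docroot` over a real document root (swap the dict for a directory walk) lists the files a guessed bracket name would expose.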

[ERPSCAN-16-030] SAP NetWeaver - buffer overflow vulnerability

19 October, 2016 - 15:20

Posted by ERPScan inc on Oct 19

Application: SAP NetWeaver KERNEL

Versions Affected: SAP NetWeaver KERNEL 7.0-7.5

Vendor URL: http://SAP.com

Bugs: Denial of Service

Sent: 09.03.2016

Reported: 10.03.2016

Vendor response: 10.03.2016

Date of Public Advisory: 12.07.2016

Reference: SAP Security Note 2295238

Author: Dmitry Yudin (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-030] SAP NetWeaver – buffer overflow vulnerability

Advisory ID:...

[ERPSCAN-16-029] SAP NetWeaver AS JAVA - deserialization of untrusted user value

19 October, 2016 - 15:20

Posted by ERPScan inc on Oct 19

Application: SAP EP-RUNTIME component

Versions Affected: SAP EP-RUNTIME 7.5

Vendor URL: http://SAP.com

Bugs: Denial of Service

Sent: 22.04.2016

Reported: 23.04.2016

Vendor response: 23.04.2016

Date of Public Advisory: 12.07.2016

Reference: SAP Security Note 2315788

Author: Mathieu Geli (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-029] SAP NetWeaver AS JAVA – deserialization of
untrusted user value

Advisory ID:...

[ERPSCAN-16-028] SAP Adaptive Server Enterprise - DoS vulnerability

19 October, 2016 - 15:20

Posted by ERPScan inc on Oct 19

Application: SAP Adaptive Server Enterprise

Versions Affected: SAP Adaptive Server Enterprise 16

Vendor URL: http://SAP.com

Bugs: Denial of Service

Sent: 01.02.2016

Reported: 02.02.2016

Vendor response: 02.02.2016

Date of Public Advisory: 12.07.2016

Reference: SAP Security Note 2330839

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-028] SAP Adaptive Server Enterprise – DoS...

CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code

19 October, 2016 - 15:20

Posted by Elar Lang on Oct 19

Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code
Vulnerable version: before 3.6.0
CVE: CVE-2016-8600
Vendor/Product: dotCMS (http://dotcms.com/)

# Background and description

It's possible to re-use a valid CAPTCHA code in the dotCMS framework.

The last loaded CAPTCHA code is stored in the session and the CAPTCHA code...
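
The reuse the advisory above describes, as an added example written for this page (not dotCMS code): a session-stored CAPTCHA whose check leaves the code in place, beside a single-use version. The session is modelled as a dict, and the choice to consume the code on a failed attempt as well is an assumption of the example:

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def issue_captcha(session, length=6):
    """Generate a fresh code and store it in the session; this is what
    'loading' a CAPTCHA does. Reloading overwrites the previous code."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = code
    return code


def verify_vulnerable(session, submitted):
    """The flaw the advisory describes: the last loaded code stays in the
    session after a successful check, so the same solved code can be
    submitted again and again without loading a new CAPTCHA."""
    expected = session.get("captcha")
    return expected is not None and hmac.compare_digest(
        expected.encode(), submitted.encode())


def verify_fixed(session, submitted):
    """Single-use check: the stored code is removed on every attempt
    (assumption: on failure as well, so one code cannot be guessed at
    repeatedly); the next submission needs a newly loaded CAPTCHA."""
    expected = session.pop("captcha", None)
    return expected is not None and hmac.compare_digest(
        expected.encode(), submitted.encode())


def replay_accepted(verify, attempts=3):
    """Solve one CAPTCHA, then submit the same code `attempts` times, the
    way a spam script would; True means every submission was accepted."""
    session = {}
    code = issue_captcha(session)
    return all(verify(session, code) for _ in range(attempts))


if __name__ == "__main__":
    print("vulnerable:", replay_accepted(verify_vulnerable))  # True
    print("fixed:", replay_accepted(verify_fixed))            # False
```

With the vulnerable check an attacker solves one CAPTCHA and then drives the form from a script for as long as the session lives. Removing the code from the session on every verification call, rather than only when a new image is loaded, is the property to test for: the second submission of a correct code must fail.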