Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

[KIS-2016-08] Concrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities

28 June, 2016 - 10:57

Posted by Egidio Romano on Jun 28

--------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities
--------------------------------------------------------------------------

[-] Software Link:

https://www.concrete5.org/

[-] Affected Versions:

Version 5.7.3.1 and probably other versions.

[-] Vulnerabilities Description:

Concrete5 implements a Synchronizer Token Pattern in order to provide...

Iranian Weblog Services v3.3 CMS - Multiple Web Vulnerabilities

28 June, 2016 - 07:05

Posted by Vulnerability Lab on Jun 28

Document Title:
===============
Iranian Weblog Services v3.3 CMS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1862

CWE-89
CWE-79
CWE-264

http://cwe.mitre.org/data/definitions/89
http://cwe.mitre.org/data/definitions/79
http://cwe.mitre.org/data/definitions/264

CWE-ID:
======
89

Release Date:
=============
2016-06-28

Vulnerability Laboratory ID (VL-ID):...

Alfine CMS v2.6 - (Login) Auth Bypass Vulnerability

28 June, 2016 - 07:03

Posted by Vulnerability Lab on Jun 28

Document Title:
===============
Alfine CMS v2.6 - (Login) Auth Bypass Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1863

Release Date:
=============
2016-06-27

Vulnerability Laboratory ID (VL-ID):
====================================
1863

Common Vulnerability Scoring System:
====================================
8.1

Product & Service Introduction:...

Mutualaid CMS v4.3.1 - SQL Injection Web Vulnerability

28 June, 2016 - 07:02

Posted by Vulnerability Lab on Jun 28

Document Title:
===============
Mutualaid CMS v4.3.1 - SQL Injection Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1858

Release Date:
=============
2016-06-21

Vulnerability Laboratory ID (VL-ID):
====================================
1858

Common Vulnerability Scoring System:
====================================
7.6

Product & Service Introduction:...

Ladesk Agent #1 (Bug Bounty) - Session Reset Password Vulnerability

28 June, 2016 - 07:00

Posted by Vulnerability Lab on Jun 28

Document Title:
===============
Ladesk Agent #1 (Bug Bounty) - Session Reset Password Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1849

Release Date:
=============
2016-06-27

Vulnerability Laboratory ID (VL-ID):
====================================
1849

Common Vulnerability Scoring System:
====================================
8.7

Product & Service Introduction:...

Craft CMS affected by server side template injection

27 June, 2016 - 14:58

Posted by Securify B.V. on Jun 27

------------------------------------------------------------------------
Craft CMS affected by server side template injection
------------------------------------------------------------------------
Nelson Berg & Jurgen Kloosterman, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Craft CMS is vulnerable...

Armadito remote arbitrary file write in case of MiTM

27 June, 2016 - 13:02

Posted by thedeadcow on Jun 27

Armadito (https://github.com/armadito) is a cross-platform open-source
antivirus, that was originally the DAVFI project, financed through a French
government program.

As a security product supposed to protect computers against malware, its
update system fails at multiple points:
* the public key used to check update packages is retrieved using plain HTTP.
The same goes for the packages themselves.
* if Armadito can't download this...

Riverbed SteelCentral NetProfiler & NetExpress Multiple Vulnerabilities

27 June, 2016 - 13:02

Posted by Francesco Oddo on Jun 27


Panda Security Privilege Escalation

27 June, 2016 - 13:02

Posted by Ash on Jun 27


Re: [oss-security] libical 0.47 SEGV on unknown address

27 June, 2016 - 13:02

Posted by Brandon Perry on Jun 27

I had initially asked for contact information regarding reporting potentially sensitive security test cases, but after
a couple of days, I decided to look into another product that I figured would have more visibility and more power to
get things fixed.

https://github.com/libical/libical/issues/235

Re: [oss-security] libical 0.47 SEGV on unknown address

27 June, 2016 - 13:02

Posted by Alan Coopersmith on Jun 27

Did you report them to libical upstream? http://libical.github.io/libical/

While Thunderbird is still a beloved child of Mozilla, it's been told it's time
to move out of its parents' house and find its own sources of income/support:

https://groups.google.com/d/msg/mozilla.governance/kAyVlhfEcXg/Eqyx1X62BQAJ
https://blog.mozilla.org/thunderbird/2015/12/thunderbird-active-daily-inquiries-surpass-10-million/

libical 0.47 SEGV on unknown address

25 June, 2016 - 00:09

Posted by Brandon Perry on Jun 24

Hello lists

Attached is a test case for causing a crash in libical 0.47 (shipped with Thunderbird) and this was also tested against
1.0 (various versions shipped with various email clients).

=================================================================
==24662==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004fbb80 bp 0x7ffd68d966f0 sp
0x7ffd68d96520 T0)
#0 0x4fbb7f in icalproperty_new_clone...

#146416 Ruby:HTTP Header injection in 'net/http'

25 June, 2016 - 00:09

Posted by redrain root on Jun 24

TIMELINE
rootredrain submitted a report to Ruby.

Jun 22nd

Hi,

I would like to report an HTTP Header injection vulnerability in
'net/http' that allows attackers to inject arbitrary headers into a
request and even create a new evil request.

PoC

require 'net/http'
http = Net::HTTP.new('192.168.30.214','80')
res = http.get("/r.php HTTP/1.1\r\nx-injection: memeda")

Example

Server Code:...

EdgeCore - ES3526XA Manager - Multiple Vulnerabilities

25 June, 2016 - 00:09

Posted by Karn Ganeshen on Jun 24

*EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager -
Multiple Vulnerabilities*
Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager*

Object ID:
1.3.6.1.4.1.259.8.1.5

Switch Information

Re: Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

25 June, 2016 - 00:09

Posted by Berend-Jan Wever on Jun 24

I've released a Proof-of-Concept html page that uses JavaScript typed
arrays in 32-bit Chrome and Firefox on 64-bit Windows to allocate
address 0xDEADBEEF and store the value 0xBADC0DED there. You can find
this and details on the implementation at
http://blog.skylined.nl/20160622001.html.

That page also contains a write-up on CVE-2014-1736; a vulnerability in
32-bit Chrome on 64-bit Windows that allows arbitrary read&write that
was...

Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities

25 June, 2016 - 00:09

Posted by Karn Ganeshen on Jun 24

*Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple
Vulnerabilities*

*About*
http://www.sierrawireless.com/products-and-solutions/gateway-solutions/raven-series/

Rugged Design and Advanced Security for Fixed and Portable Wireless
Communication

Raven XE/XT
Compact design for industrial applications
Ethernet (XE) or serial (XT) options with USB and digital I/O

*APPLICATIONS:*
Remote Monitoring Surveillance Vending/Kiosk...

Re: Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

25 June, 2016 - 00:09

Posted by Berend-Jan Wever on Jun 24

Obviously, this may be of interest to authors of security software that
aims to mitigate exploitation of 0-day: it should be possible to:
1) actively reserve memory regions referenced by such pointers to
prevent allocation by an exploit. The additional address space
fragmentation should not be a problem for most applications, but I have
no data, so you might want to consider:
2) analyze various binaries for their use of magic values, and actively...

Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

25 June, 2016 - 00:09

Posted by Berend-Jan Wever on Jun 24

(You can read all this information in more detail on
http://blog.skylined.nl)

Software components such as memory managers often use magic values to
mark memory as having a certain state. These magic values can be used
during debugging to determine the state of the memory, and have often
(but not always) been chosen to coincide with addresses that fall
outside of the user-land address space on 32-bit versions of the
Operating System. This can...

Faraday v1.0.21 with our new GTK interface!

25 June, 2016 - 00:06

Posted by Francisco Amato on Jun 24

Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to...

[ERPSCAN-16-018] SAP Application server for Java - DoS vulnerability

25 June, 2016 - 00:06

Posted by ERPScan inc on Jun 24

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP Application server for Java 7.2 - 7.4

Vendor URL: http://SAP.com

Bugs: denial of service

Sent: 04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 14.03.2016

Reference: SAP Security Note 2259547

Author: Dmitry Yudin (ERPScan) @ret5et

Description

1. ADVISORY INFORMATION

Title: SAP Application server for Java – DoS vulnerability

Advisory...