Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished CVE-2016-2324 and CVE-2016-2315)

20 March, 2016 - 08:23

Posted by Laël Cellier on Mar 20

Oh... Big mistake. I might have advertised too soon.

I saw changes were pushed in master, so I thought the next version
(which was 2.7.1) would be the one which will include the fix.
But as pointed out on
https://security-tracker.debian.org/tracker/CVE-2016-2324 no versions
including the fixes were released yet, and even 2.7.3 still includes
path_name(). I didn't check the code (Sorrrry).

So the only way to fix it...

FortiOS (Fortinet) - Open Redirect and Cross Site Scripting

20 March, 2016 - 08:22

Posted by Javier Nieto on Mar 20

Description
===================================================================
The FortiOS webui accepts a user-controlled input that specifies a link to
an external site, and uses that link in a redirect.

The redirect input parameter is also prone to cross-site scripting.

Public Fortinet Security Advisory (Mar 16 2016):
http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability

PoC...

Re: [CORE-2016-0005] - FreeBSD Kernel amd64_set_ldt Heap Overflow

17 March, 2016 - 13:23

Posted by jungle Boogie on Mar 17

Your URL is wrong.

Correct location:
http://www.coresecurity.com/advisories/freebsd-kernel-amd64setldt-heap-overflow

New Security Tool: Enteletaor - Broker & MQ Injection tool

17 March, 2016 - 13:23

Posted by cr0hn on Mar 17

Dear colleagues,

Please, allow us to introduce Enteletaor -> https://github.com/cr0hn/enteletaor

Enteletaor is a Message Queue & Broker Injection tool that implements attacks against Redis, RabbitMQ and ZeroMQ.

Some of the actions you can do:

- Listing remote tasks.
- Read remote task content.
- Disconnect remote clients from Redis server (even the admin)
- Inject tasks into remote processes.
- Make a scan to discover open...

server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished CVE-2016-2324 and CVE-2016-2315)

17 March, 2016 - 13:22

Posted by Laël Cellier on Mar 17

Hello, the original report describing the first overflow in full detail is
here http://pastebin.com/UX2P2jjg or in the attachment.
The aim is to push a crafted tree object if the target is a server or
make a client cloning a crafted repository.

Of course everything Peff talked about above is now fixed in git 2.7.1
with the removal of path_name() and the size_t/overflow check in
tree-diff.c. It was even fixed earlier for users of github enterprise....

WordPress Bulletproof Security Plugin Multiple Cross Site Scripting Vulnerabilities

17 March, 2016 - 13:22

Posted by Sachin Wagh on Mar 17

Product: Bulletproof Security
Exploit Author: Sachin Wagh
Affected Version: 0.53.2

Fixed Version: 0.53.3
(http://forum.ait-pro.com/forums/topic/bps-changelog/)

Home page Link: https://wordpress.org/plugins/bulletproof-security/

Detail:

The Bulletproof Security plugin for WordPress is prone to multiple
cross-site...

Defense in depth -- the Microsoft way (part 39): vulnerabilities, please meet the bar for security servicing

17 March, 2016 - 13:21

Posted by Stefan Kanthak on Mar 17

Hi @ll,

this multipart post does not require a MIME-compliant MUA.-)

Part 0:
~~~~~~~

On Windows 7 (other versions of Windows not tested for this
vulnerability, but are likely vulnerable too) all executable
installers/self-extractors based on Microsoft's SFXCAB [*]
load and execute a rogue CryptDll.dll from their application
directory instead of %SystemRoot%\System32\CryptDll.dll.

For software downloaded with a web browser the application...

BigTree 4.2.8: Object Injection & Improper Filename Sanitation

17 March, 2016 - 13:21

Posted by Curesec Research Team (CRT) on Mar 17

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: BigTree 4.2.8
Fixed in: BigTree 4.2.9
Fixed Version Link: https://www.bigtreecms.org/download/
Vendor Website: https://www.bigtreecms.org/
Vulnerability Type: Object Injection & Improper Filename Sanitation
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 03/15/2016
Release mode: Coordinated Release
CVE:...

PivotX 2.3.11: Code Execution

17 March, 2016 - 13:21

Posted by Curesec Research Team (CRT) on Mar 17

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

PivotX is a...

PivotX 2.3.11: Directory Traversal

17 March, 2016 - 13:21

Posted by Curesec Research Team (CRT) on Mar 17

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

PivotX...

PivotX 2.3.11: Reflected XSS

17 March, 2016 - 13:21

Posted by Curesec Research Team (CRT) on Mar 17

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

PivotX is a...

Zenphoto 1.4.11: RFI

17 March, 2016 - 13:21

Posted by Curesec Research Team (CRT) on Mar 17

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Zenphoto 1.4.11
Fixed in: 1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Vendor Website: http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 03/15/2016
Release mode: Coordinated Release
CVE:...

OWASP AppSec USA 2016 Call for Papers Released

17 March, 2016 - 13:21

Posted by Weidenhamer, Andrew on Mar 17

We are pleased to announce our annual OWASP AppSec USA 2016 conference to be held at the Renaissance Washington
DC on October 11th - 14th. We are actively looking for Call for
Papers and Call for Trainings which can be found at the official OWASP AppSec USA 2016 website below:

https://2016.appsecusa.org/

If you have any other cool ideas for...

[CORE-2016-0005] - FreeBSD Kernel amd64_set_ldt Heap Overflow

16 March, 2016 - 12:31

Posted by CORE Advisories Team on Mar 16

1. Advisory Information

Title: FreeBSD Kernel amd64_set_ldt Heap Overflow
Advisory ID: CORE-2016-0005
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-amd64_set_ldt-heap-overflow
Date published: 2016-03-16
Date of last update: 2016-03-14
Vendors contacted: FreeBSD
Release mode: Coordinated release

2. Vulnerability Information

Class: Unsigned to Signed Conversion Error [CWE-196]
Impact: Denial of service
Remotely Exploitable: No...

NEW VMSA-2016-0003 - VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues

15 March, 2016 - 14:20

Posted by VMware Security Response Center on Mar 15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0003
Synopsis: VMware vRealize Automation and vRealize Business Advanced
and Enterprise address Cross-Site Scripting (XSS) issues.
Issue date: 2016-03-15
Updated on: 2016-03-15 (Initial Advisory)
CVE number: CVE-2015-2344, CVE-2016-2075...

[CFP] BSides Las Vegas

14 March, 2016 - 20:57

Posted by Genevieve Southwick on Mar 14

The CFP for BSides Las Vegas is now open. We're accepting proposals for the
following tracks:

Breaking Ground – Ground Breaking Information Security research and
conversations on the “Next Big Thing”. Interactively discussing your
research with our participants and getting feedback, input and opinion. No
preaching from the podium at a passive audience.

Common Ground – Other topics of interest to the security community. e.g.,...

Re: Security contact @ Gigabyte

14 March, 2016 - 20:57

Posted by Jeffrey Walton on Mar 14

Maybe FunSec (http://lists.linuxbox.org/cgi-bin/mailman/listinfo/funsec)
would be a better place to ask for help finding the contact:

Funsec -- Fun and Misc security discussion for OT posts.

Jeff

Re: Security contact @ Gigabyte

14 March, 2016 - 20:56

Posted by Gustavo Sorondo on Mar 14

Fyodor,

We were not aware of that FD moderation rule. Now we know, and we'll try to
avoid this kind of request on FD.
Luckily, through this thread we got the contact we were looking for, so we
thank you all for that.

Cheers,

Gus.-

Re: Security contact @ Gigabyte

14 March, 2016 - 18:16

Posted by Fyodor on Mar 14

Yeah, the general FD list policy is to reject requests for vendor contacts
unless they also include full disclosure of the bug details:

https://secwiki.org/w/FD_Moderation#Requests_for_vendor_security_contacts

It's not that there is anything wrong with the more limited disclosure and
vendor pre-disclosure approaches, but those aren't full disclosure and so
probably belong on a different list. This post must have slipped by one of
the...

Re: Security contact @ Gigabyte

14 March, 2016 - 18:15

Posted by Jeffrey Walton on Mar 14

According to RFC 2142 (http://www.ietf.org/rfc/rfc2142.txt), MAILBOX
NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS, you should be able to
use:

secure () gigabyte com
security () gigabyte com

I also rummage through the WHOIS data and use the Administrative and Technical contacts:

$ whois gigabyte.com | grep '@'
Registrant Email: domains () marcaria com
Admin Email: domains () marcaria com
Tech Email: domains () marcaria com...