Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Onapsis Security Advisory ONAPSIS-2016-033: SAP TREX TNS Information Disclosure in NameServer

19 August, 2016 - 10:13

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-033: SAP TREX TNS Information
Disclosure in NameServer

1. Impact on Business
=====================
By exploiting this vulnerability an attacker could discover
information relating to servers. This information could be used to
allow the attacker to specialize their attacks.

Risk Level: Medium

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
-...

Onapsis Security Advisory ONAPSIS-2016-027: SAP HANA User information disclosure

19 August, 2016 - 10:11

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-027: SAP HANA User information disclosure

1. Impact on Business
=====================
By exploiting this vulnerability a remote unauthenticated attacker
could obtain valid usernames that could be helpful to support more
complex attacks.

Risk Level: Medium

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-027
-...

Onapsis Security Advisory ONAPSIS-2016-026: SAP HANA SYSTEM user brute force attack

19 August, 2016 - 10:09

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-026: SAP HANA SYSTEM user brute
force attack

1. Impact on Business
=====================
By exploiting this vulnerability a remote unauthenticated attacker
could get high privileges on the HANA system with unrestricted
access to any business information.

Risk Level: Critical

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory...

Onapsis Security Advisory ONAPSIS-2016-024: SAP HANA arbitrary audit injection via HTTP requests

19 August, 2016 - 10:06

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-024: SAP HANA arbitrary audit
injection via HTTP requests

1. Impact on Business
=====================
By exploiting this vulnerability an attacker could tamper with the audit
logs, hiding their trail after an attack on a HANA system.

Risk Level: High

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-024
- Onapsis...

Onapsis Security Advisory ONAPSIS-2016-025: SAP HANA arbitrary audit injection via SQL protocol

19 August, 2016 - 09:57

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-025: SAP HANA arbitrary audit
injection via SQL protocol

1. Impact on Business
=====================
By exploiting this vulnerability an attacker could tamper with the audit
logs, hiding their trail after an attack on a HANA system.

Risk Level: High

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-025
- Onapsis SVS...

Onapsis Security Advisory ONAPSIS-2016-022: SAP TREX Arbitrary file write

19 August, 2016 - 09:53

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-022: SAP TREX Arbitrary file write

1. Impact on Business
=====================
By exploiting this vulnerability an unauthenticated attacker could
modify any information indexed by the SAP system.

Risk Level: High

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-022
- Onapsis SVS ID: ONAPSIS-00180
- CVE:...

Onapsis Security Advisory ONAPSIS-2016-021: SAP TREX Remote file read

19 August, 2016 - 09:50

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-021: SAP TREX Remote file read

1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker
could access arbitrary business information from the SAP system.

Risk Level: High

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-021
- Onapsis SVS ID: ONAPSIS-00179
-...

Onapsis Security Advisory ONAPSIS-2016-020: SAP TREX Remote Directory Traversal

19 August, 2016 - 09:47

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-020: SAP TREX Remote Directory Traversal

1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker
could access arbitrary business information from the SAP system.

Risk Level: High

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-020
- Onapsis SVS ID:...

Onapsis Security Advisory ONAPSIS-2016-019: SAP TREX Remote Command Execution

19 August, 2016 - 09:36

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-019: SAP TREX Remote Command Execution

1. Impact on Business
=====================
By exploiting this vulnerability an unauthenticated attacker could
access and modify any information indexed by the SAP system.

Risk Level: Critical

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-019
- Onapsis SVS ID:...

Onapsis Security Advisory ONAPSIS-2016-007: SAP HANA Password Disclosure

19 August, 2016 - 09:32

Posted by Onapsis Research on Aug 19

Onapsis Security Advisory ONAPSIS-2016-007: SAP HANA Password Disclosure

1. Impact on Business
=====================
By exploiting this vulnerability, a remote attacker may obtain
clear-text passwords of SAP HANA users and get critical information.

Risk Level: Low

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security Advisory ID: ONAPSIS-2016-007
- Onapsis SVS ID: ONAPSIS-00186...

Onapsis Security Advisory ONAPSIS-2016-006: SAP HANA Get Topology Information

18 August, 2016 - 14:40

Posted by Onapsis Research on Aug 18

Onapsis Security Advisory ONAPSIS-2016-006: SAP HANA Get Topology Information

1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker
could obtain technical information about the SAP HANA Platform that
can be used to perform more complex attacks.

Risk Level: Medium

2. Advisory Information
=======================
- Public Release Date: 07/20/2016
- Last Revised: 07/20/2016
- Security...

Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

16 August, 2016 - 05:33

Posted by Brandon Perry on Aug 16

Right, it’s the same vuln, just in different places. It was fixed in 3.0.4.

Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

16 August, 2016 - 05:33

Posted by 1n3 on Aug 16

Which version of Zabbix? 3.0.3?

-1N3

Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

16 August, 2016 - 05:33

Posted by Brandon Perry on Aug 16

I actually ended up finding this vuln in a different vector (in the profileIdx2 parameter)....

Taser Axon Dock (Body-Worn Camera Docking Station) v3.1 - Authentication Bypass

16 August, 2016 - 05:32

Posted by Reggie Dodd on Aug 16

[TITLE]
Taser Axon Dock (Body-Worn Camera Docking Station) v3.1 - Authentication
Bypass

[CREDITS & AUTHORS]
Reginald Dodd
https://www.linkedin.com/in/reginalddodd

[VENDOR & PRODUCT]
Taser International Inc.
Axon Dock - Body-Worn Camera Docking Station
https://www.axon.io/products/dock

[SUMMARY]
The Axon Dock is the camera docking station component of Taser's body-worn
camera system. It charges body-worn cameras and automatically...

German Cable Provider Router (In)Security

16 August, 2016 - 05:31

Posted by Sebastian Michel on Aug 16

Hey Guys,

I'm not sure if this is a new point, but I'm thinking about a possible security hole by design
which may exist at many (German) cable providers.

German cable providers like Unitymedia/Kabel Deutschland provide you with a Fritzbox or some other
cable router for internet access. As you know, these routers have a MAC address on every
interface, such as WiFi, Ethernet and so on.

By default, the WiFi SSID is publicly available. The SSID gives you...

Executable installers are vulnerable^WEVIL (case 39): MalwareBytes' "junkware removal tool" allows escalation of privilege

16 August, 2016 - 05:30

Posted by Stefan Kanthak on Aug 16

Hi @ll,

JRT.exe (see <https://en.malwarebytes.com/junkwareremovaltool/>)

1. is vulnerable to DLL hijacking:
see <https://cwe.mitre.org/data/definitions/426.html>
and <https://cwe.mitre.org/data/definitions/427.html> for
these WELL-KNOWN and WELL-DOCUMENTED beginner's errors;

2. creates an unsafe directory "%TEMP%\jrt":
see <https://cwe.mitre.org/data/definitions/377.html>
and <...

php-gettext php code execution in select_string, ngettext, npgettext count parameter <1.0.12

16 August, 2016 - 05:29

Posted by crashenator on Aug 16

CERT ID - VU#520504 (pending since 2015)
Product - php-gettext
Company - Danilo Segan
Name - php-gettext php code execution
Versions - <1.0.12
Patched - 11/11/2015
Ref: https://launchpad.net/php-gettext/trunk/1.0.12
Vulnerability - "code injection into the ngettext family of calls:
evaluating the plural form formula can execute arbitrary code if number
is passed unsanitized from the untrusted user."
Description -
In 1.0.11 and...

Actiontec T2200H (Telus Modem) Root Reverse Shell

16 August, 2016 - 05:28

Posted by Andrew Klaus on Aug 16

### Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H (but likely affecting other similar models of theirs)
Affected Firmware: T2200H-31.128L.03
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: November 2015
Status: Fixed on newly pushed firmware version
CVE: Not needed since update is pushed by the provider.

The Telus Actiontec T2200H is Telus’...

Persistent Cross-Site Scripting in Magic Fields 1 WordPress Plugin

15 August, 2016 - 11:22

Posted by Summer of Pwnage on Aug 15

------------------------------------------------------------------------
Persistent Cross-Site Scripting in Magic Fields 1 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the...