Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

MySQL / MariaDB / PerconaDB - Root Privilege Escalation Exploit ( CVE-2016-6664 / CVE-2016-5617 )

4 November, 2016 - 23:13

Posted by Dawid Golunski on Nov 04

CVE-2016-6664 / (Oracle)CVE-2016-5617
Vulnerability: MySQL / MariaDB / PerconaDB - Root Privilege Escalation

Discovered by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com

MySQL-based databases including MySQL, MariaDB and PerconaDB are affected
by a privilege escalation vulnerability which can let attackers who have
gained access to mysql system user (for example through CVE-2016-6663)
to further escalate their privileges to root user...

MSIE 9 MSHTML CPtsTextParaclient::CountApes out-of-bounds read

4 November, 2016 - 23:12

Posted by Berend-Jan Wever on Nov 04

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the third
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161104001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 9 MSHTML...

KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

4 November, 2016 - 10:13

Posted by KoreLogic Disclosures on Nov 04

KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Appliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-78:...

KL-001-2016-008 : Sophos Web Appliance Privilege Escalation

4 November, 2016 - 10:12

Posted by KoreLogic Disclosures on Nov 04

KL-001-2016-008 : Sophos Web Appliance Privilege Escalation

Title: Sophos Web Appliance Privilege Escalation
Advisory ID: KL-001-2016-008
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-008.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Appliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-522:...

[oss-security] CVE request:Lynx invalid URL parsing with '?'

4 November, 2016 - 04:16

Posted by redrain root on Nov 04

I can't find any bug tracker for Lynx, so I will disclose by this mail and
send it to the author dickey () invisible-island net.

redrain (rootredrain () gmail com)
Date:2016-11-03
Version: 2.8.8pre.4, 2.8.9dev.8 and earlier
Platform: Linux and Windows
Vendor: http://lynx.browser.org/
Vendor Notified: 2016-11-03

VULNERABILITY
-------------------------

Lynx doesn't parse the authority component of the URL correctly when the
host name part...
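The bug class the post names is a parser that finds the host after scanning the whole URL for "@", rather than first cutting the authority at the next "/", "?" or "#" as RFC 3986 section 3.2 requires. The following is an added example, not Lynx's code and not the exact Lynx trigger (which is truncated above); the two URLs are constructed to show how a "?" placed before an "@" makes a naive parser pick the wrong host, and both functions are hypothetical names.

```python
"""Authority extraction: RFC 3986 ends the authority at the first "/", "?"
or "#" after "//".  A parser that looks for "@" anywhere in the remainder
to strip userinfo can be steered to a different host by a "?" that appears
before the "@".  Added example; not Lynx's parser, URLs are constructed."""
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Hypothetical buggy parser: strips everything up to the first '@'
    before looking for the end of the authority."""
    rest = url.split("://", 1)[1]
    if "@" in rest:
        rest = rest.split("@", 1)[1]   # wrong: the '@' may sit in the query
    return rest.split("/", 1)[0].split(":", 1)[0]


def rfc3986_host(url: str) -> str:
    """Cut the authority at the first '/', '?' or '#', then drop userinfo
    and port.  IPv6 literals are returned without their brackets."""
    rest = url.split("://", 1)[1]
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if i != -1 and i < end:
            end = i
    authority = rest[:end]
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]   # last '@' ends userinfo
    if authority.startswith("["):
        return authority[1:authority.index("]")]
    return authority.split(":", 1)[0]


def compare(url: str) -> dict:
    """Return the host each parser would connect to, plus the stdlib answer."""
    return {
        "naive": naive_host(url),
        "rfc3986": rfc3986_host(url),
        "stdlib": urlsplit(url).hostname,
    }


if __name__ == "__main__":
    # Constructed trigger: '?' terminates the authority before the '@'.
    for u in ("http://trusted.example?x@evil.example/path",
              "http://user@host.example:8080/p?q=a@b",
              "http://[::1]:8080/"):
        print(u, compare(u))
```

The check a practitioner wants is the last line of `compare`: if the host your own parser picks differs from `urlsplit(url).hostname`, the parser is the problem, not the URL.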

Re: [oss-security] CVE request:Lynx invalid URL parsing with '?'

4 November, 2016 - 04:15

Posted by Leo Famulari on Nov 04

FYI, as far as I can tell, this bug is present in 2.8.9dev.9 as well.

Re: [oss-security] CVE request:Lynx invalid URL parsing with '?'

4 November, 2016 - 04:15

Posted by Thomas Dickey on Nov 04

thanks (I'll put together a fix)

MSIE 10 MSHTML CElement::GetPlainTextInScope out-of-bounds read

4 November, 2016 - 04:13

Posted by Berend-Jan Wever on Nov 04

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the third
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161103001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 10 MSHTML...

Sparkjava Framework - Arbitrary File Read Vulnerability

2 November, 2016 - 23:11

Posted by aj on Nov 02

Hey folks,

Spark (sparkjava.com) is a mildly hyped Java micro web framework that
also provides functionality to serve static files. Unfortunately,
there's no protection against directory traversal attacks and I haven't
been able to contact anyone related to the project (after trying 4
people over 2 weeks). As this bug is not that awesome, and fairly
trivial to find, please help yourself to some semi-shitty 0-day.

If configured, Spark...
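The flaw the post names is a static-file handler that joins the requested path onto the static root without checking that the resolved file is still inside it. Below is an added example, not Spark's code (Spark is a Java framework; this Python sketch reproduces the bug class only): a vulnerable resolver beside a hardened one that decodes, canonicalises, follows symlinks and then checks containment. The directory layout, file names and function names are constructed for the demonstration.

```python
"""Directory traversal in a static-file resolver.  resolve_vulnerable()
concatenates the request path onto the root; resolve_hardened() resolves
the candidate with realpath (so ".." and symlinks collapse) and refuses
anything outside the root.  Added example; not Spark's code.  The files
are created in a temporary directory so the script runs offline."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_vulnerable(root: str, request_path: str) -> str:
    # Percent-decodes and joins: "/../secret.txt" walks out of root.
    return os.path.join(root, unquote(request_path).lstrip("/"))


def resolve_hardened(root: str, request_path: str) -> Optional[str]:
    root_real = os.path.realpath(root)
    decoded = unquote(request_path)
    if "\x00" in decoded:                       # NUL would truncate the path in C APIs
        return None
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # Containment: candidate must be root itself or under "root" + separator.
    # The separator matters: "/srv/public2" starts with "/srv/public".
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    if not os.path.isfile(candidate):           # directories are not served
        return None
    return candidate


def demo() -> dict:
    """Build a constructed layout and report how each resolver behaves."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public")
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hi</h1>")
        secret = os.path.join(tmp, "secret.txt")   # outside the static root
        with open(secret, "w") as f:
            f.write("s3cret")

        results = {}
        with open(resolve_vulnerable(root, "/../secret.txt")) as f:
            results["vulnerable_escapes_root"] = f.read() == "s3cret"
        results["hardened_blocks_dotdot"] = resolve_hardened(root, "/../secret.txt") is None
        results["hardened_blocks_encoded"] = resolve_hardened(root, "/%2e%2e/secret.txt") is None
        results["hardened_serves_index"] = resolve_hardened(root, "/index.html") is not None
        try:
            os.symlink(secret, os.path.join(root, "link.txt"))
            results["hardened_blocks_symlink"] = resolve_hardened(root, "/link.txt") is None
        except OSError:
            pass                                    # platform without symlink support
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Checking `startswith(root)` alone is a common half-fix: without the trailing separator it accepts sibling directories whose name merely extends the root, and without `realpath` it accepts a symlink planted inside the root that points outside it.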

Disclose [10 * cve] in Exponent CMS

2 November, 2016 - 10:35

Posted by Obfuscator on Nov 02

Disclose 10 * cve in Exponent CMS
[CVE-2016-7780]

fix: https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad0910d435d237482ee31

[CVE-2016-7781]

fix: In line 169 of framework/modules/blog/controllers/blogController.php, $this->params['author'] has been
escaped.
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db

[CVE-2016-7782]

fix:...

Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)

2 November, 2016 - 10:34

Posted by Elar Lang on Nov 02

Public response also:

#1 I tested it during one pen-test case in December 2015. Exact
version was 3.2.1. I haven't set up this environment myself.

At the moment I used "Google Hacking" to find some dotCMS.
Use search phrase inurl:/html/portal/login.jsp

From the login page you can see what the current version is on this site;
change the path to /categoriesServlet and you can probably see the output
like I described in my blog post. I...

MSIE 11 MSHTML CView::CalculateImageImmunity use-after-free details

2 November, 2016 - 10:34

Posted by Berend-Jan Wever on Nov 02

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the second
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161102001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 11 MSHTML...

Microsoft Internet Explorer 9 MSHTML CAttrArray use-after-free details

1 November, 2016 - 19:23

Posted by Berend-Jan Wever on Nov 01

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the first
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161101001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on twitter.com/berendjanwever for daily browser bugs.

MSIE 9 MSHTML CAttrArray...

CVE-2016-8580 - Alienvault OSSIM/USM Object Injection Vulnerability

1 November, 2016 - 19:21

Posted by Peter Lapp on Nov 01

Details
=======

Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================

A PHP object injection vulnerability exists in multiple widget files
due to the unsafe use of the unserialize() function. The affected
files include flow_chart.php, gauge.php, honeypot.php,...

CVE-2016-8581 - Alienvault OSSIM/USM Stored XSS Vulnerability

1 November, 2016 - 19:21

Posted by Peter Lapp on Nov 01

Details
=======

Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================

A stored XSS vulnerability exists in the User-Agent header of the
login process. It's possible to inject a script into that header that
then gets executed when mousing over the User-Agent field in...

CVE-2016-8582 - Alienvault OSSIM/USM SQL Injection Vulnerability

1 November, 2016 - 19:21

Posted by Peter Lapp on Nov 01

Details
=======

Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================

A SQL injection vulnerability exists in the value parameter of
/ossim/dashboard/sections/widgets/data/gauge.php on line 231. By
sending a serialized array with a SQL query in the type field, it's
possible to...

CVE-2016-8583 - Alienvault OSSIM/USM Reflected XSS

1 November, 2016 - 19:21

Posted by Peter Lapp on Nov 01

Details
=======

Product: Alienvault OSSIM/USM
Vulnerability: Reflected XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8583
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================

Multiple GET parameters in the vulnerability scan scheduler of
OSSIM/USM before 5.3.2 are vulnerable to reflected XSS. The parameters
include jobname, timeout, sched_id, and targets[] in
/ossim/vulnmeter/sched.php....

MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition Exploit [CVE-2016-6663 / OCVE-2016-5616]

1 November, 2016 - 19:20

Posted by Dawid Golunski on Nov 01

CVE-2016-6663 / OCVE-2016-5616
Vulnerability: MySQL / MariaDB / PerconaDB - Privilege Escalation /
Race Condition

Discovered by:
Dawid Golunski
@dawid_golunski

http://legalhackers.com

Affected versions:

MariaDB
< 5.5.52
< 10.1.18
< 10.0.28

MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14

Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8

Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0

An...

Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)

1 November, 2016 - 19:20

Posted by Brandon Perry on Nov 01

I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated
user on a clean install of dotCMS, I perform this request.

GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1
Host: 10.211.55.37:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie:...

Researchers Claim Wickr Patched Flaws but Didn't Pay Rewards

1 November, 2016 - 08:40

Posted by Vulnerability Lab on Nov 01

Topic: Researchers Claim Wickr Patched Flaws but Didn't Pay Rewards

Source:
http://www.securityweek.com/researchers-claim-wickr-patched-flaws-didnt-pay-rewards

Wickr Inc Secret Messenger - Bug Bounty Program Vulnerabilities by
Design - Wickr Inc - When honesty disappears behind the VCP Mountain -
References:
https://www.vulnerability-db.com/?q=articles/2016/10/27/wickr-inc-when-honesty-disappears-behind-vcp-mountain

Connected Articles:...