Security News

[RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting

Full Disclosure - 2 September, 2020 - 02:16

Posted by RedTeam Pentesting GmbH on Sep 02

Advisory: Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting

The CGI and FastCGI implementations in the Go standard library behave
differently from the HTTP server implementation when serving content.
In contrast to the documented behavior, they may return non-HTML data as
HTML. This may lead to cross-site scripting vulnerabilities even if
uploaded data has been validated during upload.

Details
=======...
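The behaviour described above is a reason never to leave the Content-Type of user-supplied data to the transport. The following Go program is an added example, not code from the advisory or from the Go standard library: it contrasts a handler that writes the body and relies on the server to label it with one that decides the type itself. The storedFile type, the sample uploads, and the handler and helper names are constructed for this example; httptest.ResponseRecorder applies the same Content-Type sniffing as the net/http server, which is why it stands in for the plain HTTP transport here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// storedFile is a constructed stand-in for an uploaded object and the media
// type (if any) that the upload path validated and recorded.
type storedFile struct {
	Name        string
	ContentType string // empty when the upload path recorded no type
	Data        []byte
}

// samples are constructed inputs. "notes.txt" would pass an upload check that
// rejects bodies starting with an HTML tag, yet it executes script if a
// transport labels it text/html; "page.html" is outright HTML; "logo.png"
// carries only the PNG signature and a type recorded at upload.
var samples = map[string]storedFile{
	"notes.txt": {Name: "notes.txt", Data: []byte("Hello <img src=x onerror=alert(document.domain)>")},
	"page.html": {Name: "page.html", Data: []byte("<html><script>alert(document.domain)</script></html>")},
	"logo.png":  {Name: "logo.png", ContentType: "image/png", Data: []byte("\x89PNG\r\n\x1a\n")},
}

// serveNaive is the pattern the advisory warns about: the handler writes the
// body and leaves Content-Type to the transport. The net/http server sniffs
// it; the advisory reports that the CGI and FastCGI transports could instead
// return non-HTML data as HTML.
func serveNaive(w http.ResponseWriter, f storedFile) {
	w.Write(f.Data)
}

// serveHardened never depends on transport defaults: it uses the type
// recorded at upload, otherwise sniffs explicitly, refuses to serve
// HTML-like content inline, pins the type with nosniff and forces a download.
func serveHardened(w http.ResponseWriter, f storedFile) {
	ct := f.ContentType
	if ct == "" {
		ct = http.DetectContentType(f.Data)
	}
	if strings.HasPrefix(ct, "text/html") || strings.HasPrefix(ct, "image/svg") {
		ct = "application/octet-stream"
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", f.Name))
	w.WriteHeader(http.StatusOK)
	w.Write(f.Data)
}

// responseHeaders runs a handler against an httptest recorder, which applies
// the same Content-Type sniffing as the net/http server, so the two
// behaviours can be compared offline.
func responseHeaders(h func(http.ResponseWriter, storedFile), f storedFile) http.Header {
	rec := httptest.NewRecorder()
	h(rec, f)
	return rec.Result().Header
}

func main() {
	for _, name := range []string{"notes.txt", "page.html", "logo.png"} {
		f := samples[name]
		fmt.Printf("%-10s naive=%q hardened=%q\n", name,
			responseHeaders(serveNaive, f).Get("Content-Type"),
			responseHeaders(serveHardened, f).Get("Content-Type"))
	}
}
```

With the HTTP transport the naive handler's notes.txt comes back as text/plain because the server sniffed it; the advisory's point is that the CGI and FastCGI transports did not give that guarantee. The hardened handler removes the dependency: the type is chosen by the application, nosniff stops the browser from second-guessing it, and the attachment disposition keeps uploaded content from rendering in the site's origin even if the type is wrong.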

Kamailio vulnerable to header smuggling possible due to bypass of remove_hf

Full Disclosure - 1 September, 2020 - 11:52

Posted by Sandro Gauci on Sep 01

# Kamailio vulnerable to header smuggling possible due to bypass of remove_hf

- Fixed versions: Kamailio v5.4.0
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2020-01-kamailio-remove-hf>
- Tested vulnerable versions: 5.3.5 and earlier
- Timeline:
  - Report date & issue patched by Kamailio: 2020-07-16
  - Kamailio rewrite for header parser (better fix): 2020-07-16 to 2020-07-23
  -...

Sagemcom router insecure deserialization > privilege escalation

Full Disclosure - 1 September, 2020 - 11:52

Posted by Ryan Delaney on Sep 01

<!--
# Exploit Title: Sagemcom router insecure deserialization > privilege
escalation
# Date: 08-31-2020
# Exploit Author: Ryan Delaney
# Author Contact: ryan.delaney () owasp org
# Author LinkedIn: https://www.linkedin.com/in/infosecrd/
# Vendor Homepage: https://sagemcom.com/en
# Software Link: N/A (F@ST 5280 firmware not published)
# Version: F@ST 5280 router, F/W 1.150.61, possibly others
# Tested on: F@ST 5280 router, F/W 1.150.61
#...

Roundcube issue - Auth bypass via Improper Session Management

Full Disclosure - 1 September, 2020 - 11:50

Posted by Balázs Hambalkó on Sep 01

Hi,

Title: Authentication bypass via Improper Session Management

Product: RoundcubeMail
Tested version: 1.4.4 - 1.4.8

CVE: in progress
Credit: Balazs Hambalko, IT Security Consultant

Risk: The lack of proper session validation could lead an attacker to
access the victim user's emails.

Issue fixed: in next release

URL:
https://github.com/roundcube/roundcubemail/issues/7576

Bagisto: Default credentials for admin interface

Full Disclosure - 1 September, 2020 - 11:49

Posted by devsecweb--- via Fulldisclosure on Sep 01

Vendor:
Bagisto (https://bagisto.com/)
Affected version:
All
Introduction:
Bagisto is an open source shop system based on PHP and Laravel framework
Vulnerability description:
All Bagisto installations use a default user name ("admin () example com") and password
("admin123") until they are changed manually by the shop administrator.

Proof:...

Bagisto: Insecure installation in sub-directories

Full Disclosure - 1 September, 2020 - 11:49

Posted by devsecweb--- via Fulldisclosure on Sep 01

Vendor:
Bagisto (https://bagisto.com/)
Affected version:
All
Introduction:
Bagisto is an open source shop system based on PHP and Laravel framework
Vulnerability description:
Bagisto can be installed in sub-directories below the document root, exposing the Laravel .env file, which includes
database and e-mail server credentials.

Proof:
There have been observed installations in the wild exposing the .env file like...

SUPERAntiSpyware Professional X Trial < 10.0.1206 Local Privilege Escalation

Full Disclosure - 29 August, 2020 - 02:26

Posted by b1nary on Aug 29

# Vulnerability Description
SUPERAntiSpyware Professional X Trial versions prior to 10.0.1206 are
vulnerable to local privilege escalation because they allow unprivileged
users to restore quarantined files to a privileged location through an NTFS
directory junction.

# Home Page
https://www.superantispyware.com/

# Author: b1nary

# Proof of Concept

1. Place a dll payload in an empty folder
2. Scan the payload with the SUPERAntiSpyware...

Missing Trust Validation in Visual Studio's VSIX Installer

Full Disclosure - 29 August, 2020 - 02:24

Posted by Ostovary, Daniel on Aug 29

Hi,

we have recently discovered a vulnerability in the VSIX Installer of Visual Studio. More specifically, the
vulnerability existed in the validation of VSIX package signatures. This vulnerability allowed attackers

* to 'revive' expired code-signing certificates for VSIX package signatures and

* to maliciously modify timestamps when intercepting timestamp requests for VSIX package signatures.

For more details see...
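Both outcomes listed above turn on the time at which the signer's certificate chain is judged valid. As an added example, not the VSIX Installer's code and not a description of its internals, the following Go program shows the check a verifier needs: an expired code-signing certificate is acceptable only when a timestamp whose authenticity has itself been verified places the signature inside the certificate's validity period, and a timestamp that was merely received (for instance one rewritten while the timestamp request was intercepted) must not move the evaluation time. The signedPackage type, the throwaway self-signed certificate (pinned as the trust root to keep the fixture short), the dates and the TSATrusted flag are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedPackage stands in for a package signature block: the digest that was
// signed, the signature, the signer's certificate and an optional timestamp.
// The caller sets TSATrusted only after checking the TSA's own signature over
// GenTime; a timestamp rewritten in transit fails that check and is ignored.
type signedPackage struct {
	Digest     []byte
	Sig        []byte
	Leaf       *x509.Certificate
	GenTime    time.Time
	TSATrusted bool
}

// buildFixture creates a throwaway self-signed code-signing certificate that
// was valid only during 2018, signs a constructed package body with its key,
// and returns the certificate as the sole trust root. Names are invented.
func buildFixture() (*signedPackage, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Extension Publisher"},
		NotBefore:    time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC), // expired before 2020
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256([]byte("constructed package body"))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return &signedPackage{Digest: digest[:], Sig: sig, Leaf: leaf}, roots, nil
}

// verify checks the signature, then evaluates the signer chain at the
// verification time, or at GenTime when a trusted timestamp covers the
// signature. An unverified timestamp cannot move the evaluation time, so it
// cannot revive an expired signer.
func verify(p *signedPackage, roots *x509.CertPool, now time.Time) error {
	pub, ok := p.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, p.Digest, p.Sig) {
		return errors.New("package signature does not verify")
	}
	at := now
	if p.TSATrusted {
		at = p.GenTime
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("signer chain invalid at %s: %w", at.Format(time.RFC3339), err)
	}
	return nil
}

func main() {
	p, roots, err := buildFixture()
	if err != nil {
		panic(err)
	}
	now := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("no timestamp:", verify(p, roots, now))
	p.GenTime = time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("claimed but unverified timestamp:", verify(p, roots, now))
	p.TSATrusted = true
	fmt.Println("trusted timestamp:", verify(p, roots, now))
}
```

The design point is the order of operations: first authenticate the timestamp token, and only then let its time replace the clock when the chain is evaluated. x509.VerifyOptions.CurrentTime applies to every certificate in a real chain, so an intermediate that was revoked or had expired at the timestamped signing time fails in the same way.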

Three vulnerabilities found in MikroTik's RouterOS

Full Disclosure - 29 August, 2020 - 02:24

Posted by Q C on Aug 29

Advisory: three vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==================

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.

Description of vulnerabilities...

SEC Consult SA-20200827-0 :: Multiple Vulnerabilities in ZTE mobile Hotspot MS910S

Full Disclosure - 27 August, 2020 - 13:04

Posted by SEC Consult Vulnerability Lab on Aug 27

SEC Consult Vulnerability Lab Security Advisory < 20200827-0 >
=======================================================================
title: Multiple Vulnerabilities
product: ZTE mobile Hotspot MS910S
vulnerable version: DL_MF910S_CN_EUV1.00.01
fixed version: -
CVE number: CVE-2019-3422
impact: High
homepage: https://www.zte.com.cn
found: 2019-09-25...

SEC Consult SA-20200826-0 :: Extensive file permissions on service executable in Eikon Thomson Reuters

Full Disclosure - 27 August, 2020 - 13:03

Posted by SEC Consult Vulnerability Lab on Aug 27

SEC Consult Vulnerability Lab Security Advisory < 20200826-0 >
=======================================================================
title: Extensive file permissions on service executable
product: Eikon Thomson Reuters
vulnerable version: 4.0.42144
fixed version: -
CVE number: CVE-2019-10679
impact: High
homepage: eikon.thomsonreuters.com
found: 2019-03-18...

A Tale of Escaping a Hardened Docker container

Full Disclosure - 25 August, 2020 - 12:13

Posted by Red Timmy Security on Aug 25

Hello,
in a recent security assessment we managed to escape from a
Docker container by circumventing an ad-hoc reverse proxy that was
supposed to prevent abuse of the exposed "docker.sock" file.

Full story here:
https://www.redtimmy.com/docker/a-tale-of-escaping-a-hardened-docker-container/

regards
Redtimmy Security

NEProfile - Host Header Injection

Full Disclosure - 25 August, 2020 - 12:12

Posted by ghost on Aug 25

Exploit Title: NEProfile - Host Header Injection
Date: 5/13/2020
Vendor Homepage: https://seczetta.com
Software Link: https://seczetta.com/product/ne-profile
Version: 3.3.11
Tested on: 3.3.11
Exploit Author: Josh Sheppard & Bryan Clements
Exploit Contact: ghost () a t undervurse dot_com & mavr1ck2020 a t protonmail dot_com
Exploit Technique: Remote
CVE ID: CVE-2020-12855

1. Description

A host header injection vulnerability has been...

Google Chromecast Auth Bypass/RCE

Full Disclosure - 25 August, 2020 - 12:11

Posted by Benjamin Floyd on Aug 25

Problem: Most modern Google-based smart devices run some form of
Chromecast (and a version of the Chrome browser to play content). All of
their Chromecast devices, Google Home, Nest, and basically any Google smart
device, as well as Android TVs with Chromecast built in run Chrome. In
Google's Cast Developer Console, you can add arbitrary Chromecast devices
for development purposes via serial number (which is on the outside of
device...

CVE-2020-24548 / Ericom Access Server for (AccessNow & Ericom Blaze) v9.2.0 / Server Side Request Forgery

Full Disclosure - 25 August, 2020 - 12:11

Posted by hyp3rlinx on Aug 25

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ericom.com

[Product]
Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0

AccessNow is an HTML5 remote desktop gateway that works from any device
with an HTML5...

Open-Xchange Security Advisory 2020-08-20

Full Disclosure - 21 August, 2020 - 12:07

Posted by Open-Xchange GmbH via Fulldisclosure on Aug 21

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting...

Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure

Full Disclosure - 21 August, 2020 - 12:07

Posted by Jack Misiura via Fulldisclosure on Aug 21

Title: Payment bypass

Product: WordPress NAB Transact WooCommerce Plugin

Vendor Homepage: https://woocommerce.com/products/nab-transact-direct-post/

Vulnerable Version: 2.1.0

Fixed Version: 2.1.2

CVE Number: CVE-2020-11497

Author: Jack Misiura from The Missing Link

Website: https://www.themissinglink.com.au

Timeline:

2020-03-27 Disclosed to Vendor

2020-03-29 Vendor publishes first fix

2020-04-04 Vendor publishes second fix

2020-08-17...

New Release: UFONet v1.6 - "M4RAuD3R!"...

Full Disclosure - 18 August, 2020 - 01:09

Posted by psy on Aug 17

Hi Community,

I am glad to present a new release of this tool:

- https://ufonet.03c8.net

"UFONet is free software, a P2P and cryptographic -disruptive toolkit-
that allows performing DoS and DDoS attacks on Layer 7 (APP/HTTP)
through the exploitation of Open Redirect vectors on third-party
websites to act as a botnet, and on Layer 3 (Network) by abusing the
protocol."

See these links for more info:

- UFONet schema (WebAbuse...

Two vulnerabilities found in MikroTik's RouterOS

Full Disclosure - 14 August, 2020 - 13:10

Posted by Q C on Aug 14

Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==================

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.

Description of vulnerabilities...

R2 Browser Hacking Class Review

Daily Dave - 13 August, 2020 - 13:58

Posted by Dave Aitel via Dailydave on Aug 13

Sometimes we review books on this list, but I spent last week, for seven
days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking
<https://ringzer0.training/advanced-browser-exploitation.html> class. But
before I do, I want to point out that 36 minutes into this video (
https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to
switch from management back into the technical field. "It's hard, but...