seclist.org

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Updated: 38 minutes 1 second ago
13 September 2019

Insecure tmpdir() use in dbtoepub.rb in docbook / xslt10-stylesheets

Posted by Shlomi Fish on Sep 13

See:

https://github.com/docbook/xslt10-stylesheets/pull/144

«
See https://ruby-doc.org/stdlib-2.0.0/libdoc/tmpdir/rdoc/Dir.html -
tmpdir returns the same value every time, and as a result the tmpdirs can
be identical or already existing.

SECURITY!

Thanks to phaul from #ruby .
»

There is a patch that seems to work well in the mageia linux package, but
no PoC exploit.
13 September 2019

Piwigo - Version 2.9.5 [CVE-2019-13363, CVE-2019-13364 ]

Posted by rant on Sep 13

=====[ Tempest Security Intelligence - ADV-03/2019 ]==========================

Piwigo - Version 2.9.5

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================
 * Overview
 * Detailed description
 * Timeline of disclosure
 * Thanks & Acknowledgments
 * References

=====[ Vulnerability...
13 September 2019

FTPShell client 6.74 - Local Buffer Overflow (SEH)

Posted by Debashis Pal on Sep 13

#!/usr/bin/python

# Exploit Type : DOS
# Exploit Title: FTPShell client 6.74 - Local Buffer Overflow (SEH)
# Vulnerable Software & version : FTPShell client 6.74
# Vendor Homepage: https://www.ftpshell.com/
# Software Link: https://www.ftpshell.com/downloadclient.htm
# Tested Windows : Windows Vista Ultimate SP2(32-bit), Windows 7 Professional SP1(32-bit)
# Exploit Author: Debashis Pal
# Timeline
# Vulnerability Discover Date:...
13 September 2019

phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

Posted by Manuel Garcia Cardenas on Sep 13

=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================

I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-------------------------
phpMyAdmin is a free...
12 September 2019

SEC Consult SA-20190912-0 :: Stored and reflected XSS vulnerabilities in LimeSurvey

Posted by SEC Consult Vulnerability Lab on Sep 12

SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/...
10 September 2019

[CVE-2019-12516] SlickQuiz for Wordpress 1.3.7.1 "/wp-admin/admin.php?page=slickquiz-*" Multiple Authenticated SQL Injections

Posted by Info on Sep 10

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: SQL Injection [CWE-74]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE: CVE-2019-12516

2. CREDITS
==========
This vulnerability was discovered and researched by...
10 September 2019

[CVE-2019-12517] SlickQuiz for Wordpress 1.3.7.1 "/wp-admin/admin.php?page=slickquiz" Multiple Stored XSS

Posted by Info on Sep 10

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: Cross-Site Scripting [CWE-79]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2019-12517

2. CREDITS
==========
This vulnerability was discovered and...
10 September 2019

Multiple Reflected Cross-site Scripting Vulnerabilities in OpenEdx version Ironwood.1

Posted by Daniel Bishtawi on Sep 10

Hello,

We are informing you about the vulnerabilities in OpenEdx version
Ironwood.1.

Here are the details:

Information
--------------------
Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting Vulnerabilities in OpenEdx
version Ironwood.1
Affected Software: OpenEdx
Affected Versions: Ironwood.1
Homepage: https://open.edx.org/
Vulnerability: Cross site Scripting
Severity: Medium
Status: Fixed
CVSS Score (3.0):...
9 September 2019

NtFileSins v2.1 / Windows NTFS Privileged File Access Enumeration Tool

Posted by hyp3rlinx on Sep 09

Fixed a bug in the save report logic.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from the internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE...
9 September 2019

CVE-2018-18809 Path traversal in Tibco JasperSoft

Posted by Elar Lang on Sep 09

Title: CVE-2018-18809 Path traversal in Tibco JasperSoft
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)
Vulnerability: Path traversal
CVE: CVE-2018-18809

# Path traversal
Vulnerability is in reportresource/reportresource/ service and in resource
parameter. There is "defence" - value for resource param must start with
net/sf/jasperreports/.

Available for remote not...
9 September 2019

Core FTP LE Version 2.2, build 1935 - Local Buffer Overflow (SEH Unicode)

Posted by Debashis Pal on Sep 09

#!/usr/bin/python

# Exploit Title: Core FTP LE Version 2.2, build 1935 - Local Buffer Overflow (SEH Unicode)
# Vulnerability Details: Core FTP LE Version 2.2, build 1935 is prone to a buffer overflow vulnerability that may result in a DoS in the user local folder selection pane
# Exploit Type : DOS
# Date: 08-Sep-2019
# Vulnerable Software: Core FTP LE
# Version: Version 2.2, build 1935
# Vendor Homepage: http://www.coreftp.com/
# Software Link:...
9 September 2019

CA20190904-01: Security Notice for CA Common Services Distributed Intelligence Architecture (DIA)

Posted by Kevin Kotas via Fulldisclosure on Sep 09

CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)

Issued: September 4th, 2019
Last Updated: September 4th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Common Services in the Distributed
Intelligence Architecture (DIA) component. A vulnerability exists,
CVE-2019-13656, that can allow a remote attacker to execute arbitrary
code. CA published solutions...
9 September 2019

Re: CVE 2019-13224 (UAF in PHP and Ruby regex lib)

Posted by Marcin Kozlowski on Sep 09

Hi list,

Read about potential UAF in PHP and Ruby via regex library "oniguruma" (for
example here:
https://thehackernews.com/2019/09/php-programming-language.html)

However, I didn't find default PHP and Ruby vulnerable:

https://github.com/kkos/oniguruma/issues/153

My investigation showed the onig_new_deluxe() is not used by default.
However, modified PHP to use it and fuzzed it and was able to reproduce UAF
in 7 mins :)

Write...
9 September 2019

NtFileSins v2 / Windows NTFS Privileged File Access Enumeration Tool

Posted by hyp3rlinx on Sep 09

NtFileSins v2, exploits Windows privileged file access enumeration
vulnerability to gather intelligence on privileged users. This version
includes Zone.Identifier checks to see if any discovered files were
internet downloaded.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from the internet.
#
# Windows File Enumeration Intel Gathering....
9 September 2019

Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor & Command Execution Vulnerability

Posted by Vulnerability Lab on Sep 09

Document Title:
===============
Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor
& Command Execution Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2183

Video: https://www.vulnerability-lab.com/get_content.php?id=2190

Vulnerability Magazine:...
6 September 2019

Re: Totaljs CMS authenticated path traversal (could lead to RCE)

Posted by paw on Sep 06

Update:

[+] CVE-id: CVE-2019-15952

On 30/08/19 19:45, paw wrote:
6 September 2019

Windows NTFS / Privileged File Access Enumeration

Posted by hyp3rlinx on Sep 06

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft.
Starting with Windows NT 3.1, it is the default file system of the Windows
NT family.

[Vulnerability Type]...
5 September 2019

AST-2019-005: Remote Crash Vulnerability in audio transcoding

Posted by Asterisk Security Team on Sep 05

Asterisk Project Security Advisory - AST-2019-005

Product Asterisk
Summary Remote Crash Vulnerability in audio transcoding
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor...
5 September 2019

AST-2019-004: Crash when negotiating for T.38 with a declined stream

Posted by Asterisk Security Team on Sep 05

Asterisk Project Security Advisory - AST-2019-004

Product Asterisk
Summary Crash when negotiating for T.38 with a declined stream
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions...
4 September 2019

SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

Posted by SEC Consult Vulnerability Lab on Sep 04

SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
=======================================================================
title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P,
Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160,
Cisco 160W
vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15...