New Google Tools Help Devs Improve Content Security Policy Protection
Cross-site scripting is the cockroach of web application security vulnerabilities, enjoying continued longevity despite the abundant availability of scanning tools and programming advice designed to squash it. Google yesterday took another shot at eradicating XSS attacks with the release of two...
W3 Total Cache <= 0.9.4.1 – Unauthenticated Security Token Bypass
The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce, aka security token: `$nonce = W3_Request::get_string('nonce'); $uri = $_SERVER['REQUEST_URI']; if (wp_hash($uri) == $nonce)`. But the flaw lies in the `==` operator, which is not the one to use when you want to compare...
Ruby: Ruby OpenSSL Library - IV Reuse in GCM Mode
Hello, An IV reuse bug was discovered in Ruby's OpenSSL library when using aes-gcm. When encrypting data with aes-gcm, if the IV is set before setting the key, the cipher will default to using a static IV. This creates a static nonce, and since aes-gcm is a stream cipher, this can lead to known...
WP Front End Profile <= 0.2.1 - Privilege Escalation & Stored Cross-Site Scripting (XSS)
It is possible to modify a POST request to overwrite user meta, including 'wp_capabilities' and 'wp_user_level', which results in a privilege escalation vulnerability. User input is not sanitised or escaped on output, resulting in a stored XSS vulnerability. Timeline: 2016-09-12: Vulnerability found...
Ian Dunn: Send emails to all users using Camptix
Ian, This is my first stab at submitting a bug, and I'm not even sure it is one. Here's what I found. If an admin of a site using Camptix, while logged into the admin screen, visits a malicious site which has access to a valid _wpnonce value, that site could send a large volume of spam to all ticket holders...
WordPress Magic Fields 2 Cross Site Scripting
Persistent Cross-Site Scripting in Magic Fields 2 WordPress Plugin. Burak Kelebek, July 2016...
A vulnerability in the Cisco Unified Communications Manager software allows a malicious individual to obtain a one-time value (nonce) used by the ECDSA algorithm.
The vulnerability exists in OpenSSL's implementation of the Montgomery algorithm, because its padding operations do not run in constant time. Exploiting this vulnerability allows local users to recover an ECDSA nonce through a cache side-channel attack...
A vulnerability in Cisco IPS software allows a malicious individual to obtain a one-time value (nonce) used by the ECDSA algorithm.
The vulnerability exists in OpenSSL's implementation of the Montgomery algorithm, because its padding operations do not run in constant time. Exploiting this vulnerability allows local users to recover an ECDSA nonce through a cache side-channel attack using the...
Untangle NGFW 12.1.0 Beta execEvil() Command Injection
!/usr/bin/python Title: Untangle NGFW " print "! and in a separat...
SOL05405841 - GCM nonce vulnerability CVE-2016-0270
Vulnerability. Recommended Actions: None. Supplemental Information: SOL9970: Subscribing to email notifications regarding F5 products; SOL9957: Creating a custom RSS feed to view new and updated documents; SOL4602: Overview of the F5 security vulnerability response policy; SOL4918: Overview of the F5...
Petya's Salsa20: a modified algorithm introduces a flaw (vulnerability warning from Black Bar Safety Net)
Previously, the Hubble analysis system described the modified MBR of the disk-encrypting Petya ransomware. Recently, Leo Stone published full brute-force code and a decryption tool for the Petya key, and noted that the Petya author uses a variant of the Salsa20 algorithm to perform key...
OptinMonster <= 1.1.4.5 - Execution of Arbitrary Shortcodes
Unauthenticated users are able to execute arbitrary WordPress shortcodes via a simple HTTP GET request. While the command is protected by a nonce, the nonce is leaked on every page load...
Cisco IOS XE Multiple OpenSSL Vulnerabilities (CSCup22487)
The remote Cisco IOS XE device is missing a vendor-supplied security patch, and its web user interface is configured to use HTTPS. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library: - An error exists in the ssl3_read_bytes function that could allow data to ...
Gratipay: Prevent content spoofing on /~username/emails/verify.html
Hi, When a user adds his email, a verification link is sent to that email. The link looks like this: https://gratipay.com/exampleuser/emails/verify.html?email=example%40gmail.com&nonce=cb2487f6-61cf-4a8a-81af-c8fab6fe0f90 The link has three changeable things. 1. Username, ex: exampleuser ...
Users Ultra Membership Plugin <= 1.5.62 - Authenticated Stored Cross-Site Scripting (XSS) & CSRF
Both pname and pdesc are vulnerable. There is no nonce on the form, so it is also vulnerable to CSRF. The original researcher's PoC does not work, as all parameters need to be submitted, not just the pname parameter...
SUSE-SU-2015:1983-1 Security update for squid
squid was updated to fix two security issues. These security issues were fixed: - CVE-2014-6270: Fixed an off-by-one in the snmp subsystem (bsc#895773). - CVE-2014-9749: Fixed a nonce replay vulnerability in Digest authentication (bsc#949942)...
Wordpress Ajax Load More Plugin 2.8.1.1 Upload Shell Exploit
This Metasploit module exploits an arbitrary file upload in WordPress Ajax Load More version 2.8.1.1. It allows you to upload arbitrary PHP files and get remote code execution. This Metasploit module has been tested successfully on WordPress Ajax Load More 2.8.0 with WordPress 4.1.3 on Ubuntu...
Authentication flaw
Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability."...
CVE-2014-9749
Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability."...