WordPress Plugin All In One WP Security & Firewall Cross-Site Scripting
The first plugin that will be analyzed in detail is called All In One WP Security & Firewall. It adds some additional layers of security to WordPress, for example brute-force protection for the login and file permission checks. There are definitely quite a lot of good ideas integrated into this...
WordPress Plugin Quiz And Survey Master (Formerly Quiz Master Next) Multiple Vulnerabilities
Vulnerability: A CSRF vulnerability allows an unauthenticated attacker to add questions to existing quizzes. The question_name parameter is put into a manually-constructed JavaScript object and escaped with esc_js() (php/qmn_options_questions_tab.php, line 499). If the user or attacker creates a new questio...
CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do (WordPress plugin)
Description: CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do. Vulnerability: Contains a CSRF vulnerability which can copy content from one site of a multisite installation t...
WordPress Plugin Social Share Buttons-Social Pug Cross-Site Scripting
Vulnerability: This plugin takes input from $_GET and puts it directly into HTML without escaping it. This means that anybody who is able to convince an admin user to click on a link would be able to take control of their browser on that domain name and delete posts, add new admin users, etc. Proo...
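The two escaping mistakes listed above (Quiz And Survey Master applying esc_js() to a value that is then dropped unquoted into a hand-built JavaScript object, and Social Pug writing a raw $_GET value into HTML) are one bug in two output contexts: the escaping, if any, does not match where the value lands. The following Python model is added here and is not code from either advisory or plugin; esc_js() is approximated rather than copied from WordPress, and the field names and payloads are constructed for the demonstration.

```python
import html
import json


def esc_js(value: str) -> str:
    """Rough stand-in for WordPress esc_js() (an approximation, not the real function).
    It assumes the value will sit inside a single-quoted JavaScript string literal
    and escapes only what would break out of that literal."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace("\r", "")
                 .replace("\n", "\\n")
                 .replace("</", "<\\/"))


def question_object_vulnerable(question_name: str) -> str:
    """Quiz Master pattern: the esc_js()-escaped value is concatenated into an object
    literal with no surrounding quotes, so the browser parses it as code, not data."""
    return "{ question_name: " + esc_js(question_name) + " }"


def question_object_safe(question_name: str) -> str:
    """Let a serializer own the JavaScript context: every value becomes a quoted JSON
    string.  '</' is escaped on top of json.dumps (which leaves '/' alone) so the
    result can never terminate an inline <script> block; '\\/' is still valid JSON."""
    return json.dumps({"question_name": question_name}).replace("</", "<\\/")


def parsed_question_name(serialized: str) -> str:
    """Round-trip check: the safe output must parse back to the original value."""
    return json.loads(serialized)["question_name"]


def title_input_vulnerable(title: str) -> str:
    """Social Pug pattern: a $_GET value echoed straight into an HTML attribute."""
    return '<input type="text" name="title" value="' + title + '">'


def title_input_safe(title: str) -> str:
    """HTML attribute context: escape &, <, >, double and single quotes first."""
    return '<input type="text" name="title" value="' + html.escape(title, quote=True) + '">'


if __name__ == "__main__":
    # Constructed payloads, not taken from the advisories.
    print(question_object_vulnerable("alert(document.cookie)"))   # runs as code
    print(question_object_safe("alert(document.cookie)"))         # inert string
    print(title_input_vulnerable('"><script>alert(1)</script>'))  # new <script> tag
    print(title_input_safe('"><script>alert(1)</script>'))        # stays inside the attribute
```

The rule the two fixes share: pick the escaper for the context the value ends up in (JSON serializer for script data, HTML escaper for markup), and never hand-assemble a JavaScript literal around an escaped value.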
WordPress Plugin Nelio AB Testing Server-Side Request Forgery (SSRF)
Case Study: SSRF in Nelio AB Testing WordPress Plugin. Nelio AB Testing is a WordPress plugin used for A/B testing of WordPress pages. We can download the source code of the plugin from plugins.svn.wordpress.org/nelio-ab-testing/tags/4.5.8/. Server-side Request Forgery (SSRF) is a vulnerability wher...
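The Nelio AB Testing case above concerns a plugin fetching a URL that the request supplies. The following Python checker is added here and is not part of the plugin or of the case study; it is the validation a server-side fetcher needs before opening an attacker-influenced URL: an allow-listed scheme, no userinfo, and every address the host resolves to must be public (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, IPv4-mapped IPv6 and the RFC 6598 shared range are all refused). The resolver is injectable so the check runs offline; the hostnames and answers used in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")
# The stdlib flags this range as neither private nor reserved, but a server-side
# fetcher should not reach it either (shared address space, RFC 6598).
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_public_address(ip_text: str) -> bool:
    ip = _as_ip(ip_text)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    if any(ip in net for net in EXTRA_BLOCKED):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """All A/AAAA answers for the host; the fetch is refused if any one is internal."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolver=system_resolver):
    """Return (allowed, reason) for a URL a server-side component is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    literal = _as_ip(host)
    try:
        addresses = [str(literal)] if literal is not None else resolver(host)
    except OSError as exc:                       # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "no addresses"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, f"{host} -> {addresses[0]}"


if __name__ == "__main__":
    for candidate in ("https://example.com/", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(candidate, check_fetch_target(candidate))
```

Two caveats a practitioner will want: the check resolves the name once, while the HTTP client may resolve it again at connect time (DNS rebinding), so the fetcher should connect to the vetted address and send the original Host header; and redirects must be re-checked per hop, since a public host can 302 to an internal one.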
Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)
No description provided by source. Exploit Title: Windows x86 (all versions) NDISTAPI privilege escalation (MS11-062). Date: 2016-10-24. Exploit Author: Tomislav Paskalev. Vulnerable Software: Windows XP SP3 x86, Windows XP Pro SP2 x64, Windows Server 2003 SP2 x86, Windows Server 2003 SP2 x64, Windows...
MS15-076 Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege (CVE-2015-2370)
Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege. Platform: Windows 8.1 Update (not tested on Windows 7, 10). Class: Elevation of Privilege. Summary: Local DCOM DCE/RPC connections can be reflected back to a listening TCP socket, allowing access to an NTLM authentication challenge for...
MS14-040 Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (CVE-2014-1767)
No description provided by source. Exploit Title: MS14-040 - AFD.SYS Dangling Pointer. Date: 2016-02-05. Exploit Author: Rick Larabee. Vendor Homepage: www.microsoft.com. Version: Windows 7, 32-bit. Tested on: Win7 x32, afd.sys 6.1.7600.16385, ntdll.dll 6.1.7600.16385. CVE: CVE-2014-1767. Category:...
WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection
Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ Description: Type of user access: any user. $_POST['catid'] is not escaped, and the handler is accessible to any user. File / Code: Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php Line: 4...
Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Twitter Cards Meta
We recently found that Twitter Cards Meta contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin's settings page, /wp-admin/admin.php?page=twitter-cards-meta. The CSRF portion of the vulnerability was due to a lack of a nonce on the page and a lack of a...
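The three CSRF findings listed above (Quiz And Survey Master, Multisite Post Duplicator, Twitter Cards Meta) share one root cause: a state-changing admin request that is authenticated only by the browser's ambient session cookie, with no per-session, per-action token that a cross-origin page cannot obtain. The Python sketch below is added here and is not taken from WordPress or from any of the plugins; it shows the synchronizer-token check those handlers lacked, built the way WordPress nonces are (an HMAC over a time tick, the action name and the user's session, accepted for the current and previous tick). The action name, form field name and the 12-hour window are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret (constructed here; in WordPress this role is played by the salts).
SERVER_SECRET = secrets.token_bytes(32)
WINDOW_SECONDS = 12 * 60 * 60   # assumed tick length; two ticks are accepted


def current_tick(now=None) -> int:
    return int((time.time() if now is None else now) // WINDOW_SECONDS)


def make_nonce(session_id: str, action: str, secret: bytes = SERVER_SECRET, tick=None) -> str:
    """Token bound to this user's session AND to one specific action."""
    if tick is None:
        tick = current_tick()
    msg = f"{tick}|{action}|{session_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{tick}:{mac}"


def verify_nonce(nonce, session_id: str, action: str, secret: bytes = SERVER_SECRET, now_tick=None) -> bool:
    """Constant-time check; a token from another session or another action fails."""
    if now_tick is None:
        now_tick = current_tick()
    try:
        tick_text, _ = nonce.split(":", 1)
        tick = int(tick_text)
    except (ValueError, AttributeError):
        return False
    if tick not in (now_tick, now_tick - 1):
        return False
    expected = make_nonce(session_id, action, secret, tick)
    return hmac.compare_digest(expected, nonce)


def add_question(form: dict, session_id: str, is_admin: bool, secret: bytes = SERVER_SECRET, now_tick=None) -> str:
    """Handler for the quiz 'add question' POST: capability check, then nonce check.
    A forged cross-site form carries the victim's cookie (so is_admin is True)
    but cannot carry a nonce the attacker never saw, so it is rejected."""
    if not is_admin:
        return "forbidden"
    if not verify_nonce(form.get("_wpnonce", ""), session_id, "add_question", secret, now_tick):
        return "rejected"
    return "added: " + form.get("question_name", "")


if __name__ == "__main__":
    nonce = make_nonce("admin-session", "add_question")      # embedded in the admin's own page
    print(add_question({"_wpnonce": nonce, "question_name": "q1"}, "admin-session", True))
    print(add_question({"question_name": "q1"}, "admin-session", True))  # forged: no nonce
```

The capability check comes first because a nonce is not an authorization mechanism: it only proves the request was built from a page the server rendered for this session. Rotating by tick limits how long a leaked token is useful, and HMAC with a constant-time compare keeps the token unforgeable without storing anything server-side.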
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in wpDataTables Lite
One of the things we do to keep track of what vulnerabilities are out there in WordPress plugins, to provide our customers with the best data on them, is to monitor our websites for hacking attempts. In September we had a request that looked like probing for usage of the plugin wpDataTables Lite, throu...
MS16-075 Windows SMB Server Elevation of Privilege Vulnerability (CVE-2016-3225)
Overview As we mentioned a number of times throughout our talk, this work is derived directly from James Forshaw’s BlackHat talk and Google Project Zero research. I highly recommend reviewing both of these resources to anyone interested in pursuing this topic. The idea behind this vulnerability i...
MS15-051 Win32k ClientCopyImage Elevation of Privilege Vulnerability (CVE-2015-1701)
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class MetasploitModule < Msf::Exploit::Local ... 'Name' => 'Windows ClientCopyImage...
BigTree CMS - Bypass CSRF filter and execute code with PHPMailer
DESCRIPTION: PHPMailer RCE (CVE-2016-10033). Independent research uncovered a critical vulnerability in PHPMailer versions before 5.2.18. Sender: According to my analysis, if we can control the value of Sender, we can make sendmail save its context to any given path, e.g. /var/www/html/shell.php, which means code...
Chrome Universal XSS using an intercepted native function (CVE-2016-1672)
VULNERABILITY DETAILS The fix for the issue 546677 is insufficient to protect against overriding the internal extensions code -- it is still possible to take over the built-in extension system with a combination of getters and setters. This allows web content to gain access to native functions th...
OurPHP SQL injection vulnerability
No description provided by source...
Chrome Universal XSS via ContainerNode::parserInsertBefore (CVE-2015-6755)
VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp: void ContainerNode::parserInsertBefore(PassRefPtrWillBeRawPtr<Node> newChild, Node& nextChild) { ... while (RefPtrWillBeRawPtr<ContainerNode> parent = newChild->parentNode()) parent->parserRemoveChild(*newChild); if (document() != newChild->document()) document...
Chrome Universal XSS using stack overflow exceptions (CVE-2015-1303)
VULNERABILITY DETAILS When the maximum call stack size is exceeded, a RangeError object is created using isolate's current context. Thus, if a cross-origin context had been entered through the V8WrapperInstantiationScope constructor, for example, a cross-origin exception will be propagated to the...
Chrome Universal XSS via the unload_event module (CVE-2015-6769)
VULNERABILITY DETAILS From /WebKit/Source/core/loader/DocumentLoader.cpp: PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init, ...) { LocalFrame* frame = init.frame(); ASSERT(!frame->document() || !frame->document()->isActive()); ASSERT(frame->tree().childCount...
Chrome Universal XSS using IDBKeyRange static methods(CVE-2015-1268)
VULNERABILITY DETAILS Calling an object-returning static method with a cross-origin thing passed as |this| yields an object wrapped in the cross-origin scope. This is because FunctionCallbackInfo ends up with a cross-origin holder, and the holder acts as a creation context for the return value in...
Chrome Universal XSS using exceptions thrown from Object.observe (CVE-2015-1304)
VULNERABILITY DETAILS From /v8/src/object-observe.js: function ObjectObserve(object, callback, acceptList) { ... var objectObserveFn = %GetObjectContextObjectObserve(object); return objectObserveFn(object, callback, acceptList); } From /v8/src/runtime/runtime-observe.cc:...
Chrome Universal XSS using plugin objects (CVE-2015-6772)
VULNERABILITY DETAILS This is a regression from issue 524120. Now that the widget updates are deferred until after the frame is detached from the document and beyond the lifetime of ScriptForbiddenScope, too, it is possible to attach another document to the frame before a new document is installe...
Chrome Universal XSS by loading a javascript: URI from an unloaded window (CVE-2015-1293)
VULNERABILITY DETAILS From /WebKit/Source/core/frame/DOMWindow.cpp: bool DOMWindow::isInsecureScriptAccess(LocalDOMWindow& callingWindow, const String& urlString) { if (!protocolIsJavaScript(urlString)) return false; // If this DOMWindow isn't currently active in the Frame, then there's no // way we shou...
Chrome Universal XSS using Flash message loop (CVE-2016-1631)
VULNERABILITY DETAILS From /content/renderer/pepper/ppb_flash_message_loop_impl.cc: int32_t PPB_Flash_MessageLoop_Impl::InternalRun(const RunFromHostProxyCallback& callback) { ... // It is possible that the PPB_Flash_MessageLoop_Impl object has been // destroyed when the nested message loop exits. scoped_refpt...
Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)
VULNERABILITY DETAILS The fix for the issue 590118 is insufficient to protect against the bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding.create| using the Object.prototype...
Chrome Universal XSS using a FrameNavigationDisabler bypass (CVE-2016-1673)
VULNERABILITY DETAILS When a top-level navigation is triggered on a frame displaying the initial empty document, FrameLoader::load is invoked directly: void LocalFrame::navigate(Document& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus) { ... if (isMainFra...
Chrome Universal XSS using deferred history loads (CVE-2016-1675)
VULNERABILITY DETAILS When a ScopedPageLoadDeferrer is destroyed, the deferring state is updated on the associated pages and loaders. If any history load was set aside during the event loop the deferrer has been protecting, it is processed during the update without checking whether navigation is...
Chrome Universal XSS using a flaw in the load deferral logic
VULNERABILITY DETAILS This is a regression from https://crrev.com/f92a1f3b9 . Previously, ResourceLoader::start bailed out if ResourceLoader::m_defersLoading was true. Now it calls setDefersLoading on the associated WebURLLoader instead: void ResourceLoader::start(ResourceRequest& request...
Cloudera Manager =< 5.5 Enumerating user sessions with an unprivileged account (CVE-2016-4950)
Cloudera Manager =< 5.5: GET http://<host>:7180/api/v11/users/sessions It is worth mentioning that a user using the API won't appear in the "currently connected" user list. The Cloudera CERT indicated that this vulnerability is fixed in version 5.8. Moreover, Cloudera Manager =< 5.5: GET http://<host>:7180/api/v1/users...
Cloudera HUE Session cookies stored in the database
User session cookies are stored in the database. Combined with the vulnerability related to the world-readable configuration file, it is possible to spoof a user across the entire cluster, launching jobs and browsing the datalake, without having to crack password hashes. Cookies are stored in...
Cloudera Manager =< 5.5 Process logs access (CVE-2016-4949)
Cloudera Manager =< 5.5: GET http://<host>:7180/cmf/process/<process_id>/logs?filename=stderr,stdout.log The prerequisite to exploit this vulnerability is to know or iterate the targeted process identifier. The impact of the vulnerability is that a poorly developed process might write sensitive information to its logs. The Cloudera CERT...
Cloudera Manager Unauthenticated configuration download
Cloudera Manager allows downloading module configurations without authentication by iterating on the module index integer, starting from 1, through the following GET request: http://<host>:7180/cmf/services/<index>/client-config This finding may not constitute a vulnerability by itself as: this behaviour can be...
Cloudera HUE Configuration file world readable
The hue.ini configuration file is by default world-readable (the "other" permission bits include read): $ ls -al /etc/hue/conf/hue.ini -rw-rw-r-- 1 root root 22813 Nov 18 2015 /etc/hue/conf/hue.ini Several account credentials can be found in that configuration file, such as: Database account: thi...
Chrome Universal XSS using document.adoptNode (CVE-2015-6770)
VULNERABILITY DETAILS From /thirdparty/WebKit/Source/core/dom/Document.cpp: PassRefPtrWillBeRawPtr<Node> Document::adoptNode(PassRefPtrWillBeRawPtr<Node> source, ExceptionState& exceptionState) { EventQueueScope scope; switch (source->nodeType()) { ... default: ... if (source->parentNode...
Chrome Universal XSS using navigator.serviceWorker.ready (CVE-2015-1292)
VULNERABILITY DETAILS From /WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp: ScriptPromise ServiceWorkerContainer::ready(ScriptState* callerState) { if (!executionContext()) return ScriptPromise(); ... if (!m_ready) { m_ready = createReadyProperty(); if (m_provider) { m_provider->getRegistrationForReady(new...
Cloudera Manager =< 5.5 Stored and reflected XSS (CVE-2016-4948)
Cloudera Manager =< 5.5: http://<host>:7180/cmf/hardware/hosts/templates - In the following fields of the Kerberos activation page, which can then be triggered by visiting http://<host>:7180/cmf/clusters/1/kerberos/wizard: KDC Server Host, Kerberos Security Realm, Kerberos Encryption Types, Advanced Configuration Snippe...
Cloudera HUE =< 3.9.0 is vulnerable to multiple stored XSS (CVE-2016-4946)
Cloudera HUE =< 3.9.0 is vulnerable to multiple stored XSS: in the Username, First name and Last name fields of a user profile (triggered while logging in with the account); in the Group Name field of group creation (triggered when sharing an item)...
Cloudera HUE =< 3.9.0 Enumerating users with an unprivileged account (CVE-2016-4947)
Cloudera HUE =< 3.9.0: GET /desktop/api/users/autocomplete Open redirection: Cloudera HUE =< 3.9.0: http://<host>:8888/accounts/login/?next=//google.fr...
Nvidia GeForce Experience Node.js security vulnerability
Application Whitelisting: Application whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a whitelist of allowed applications and from then on only allow the execution of applications that are found in that...
Apache Ranger =< 0.5.2 allows to download policy definitions without authentication
Apache Ranger =< 0.5.2: GET http://<host>:6080/service/plugins/policies/download/<policy_name> The prerequisite to exploit this flaw is to know or guess the policy name. This finding may not constitute a vulnerability by itself, but it is equivalent to having access to a network filtering policy: finding holes in policies is then easier...
Hadoop HDFSBrowser information disclosure
Browsing the HDFS datalake. Description: There are two different and distinct approaches to browse the HDFS datalake: A. through the WebHDFS API; B. through the native Hadoop CLI. WebHDFS: WebHDFS offers a REST API for users to access data on HDFS...
Chrome Universal XSS using widget updates in ContainerNode::parserRemoveChild (CVE-2016-1630)
VULNERABILITY DETAILS There are 3 methods where ContainerNode::removeBetween is invoked: 1. ContainerNode::removeChild 2. ContainerNode::parserRemoveChild 3. ContainerNode::removeChildren The calls in 1 and 3 are within the scope of HTMLFrameOwnerElement::UpdateSuspendScope, but 2 is unprotected...
Chrome Universal XSS by circumventing the unload event ( CVE-2016-1623)
VULNERABILITY DETAILS From /thirdparty/WebKit/Source/core/dom/Document.cpp: void Document::dispatchUnloadEvents() { PluginScriptForbiddenScope forbidPluginDestructorScripting; RefPtrWillBeRawPtr<Document> protect(this); if (m_parser) m_parser->stopParsing(); if (m_loadEventProgress == LoadEventNotRun) return; if...
Chrome Universal XSS via persistence of subframes (CVE-2015-6768)
VULNERABILITY DETAILS From /thirdparty/WebKit/Source/core/dom/Document.cpp: bool FrameLoader::prepareForCommit() { PluginScriptForbiddenScope forbidPluginDestructorScripting; RefPtrWillBeRawPtr<DocumentLoader> pdl = m_provisionalDocumentLoader; ... if (m_documentLoader) { client()->dispatchWillClose(); dispatchUnloadEvent();...
Apache Ranger eventTime parameter SQL injection Vulnerability (CVE-2016-2174)
Description: Apache Ranger =< 0.5.2: GET http://<host>:6080/service/plugins/policies/eventTime?eventTime=' or '1'='1&policyId=1 The vulnerable code is located in the org/apache/ranger/db/XXDataHistDao.java file, in the findObjByEventTimeClassTypeAndId function: public XXDataHist...
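The Ranger eventTime finding above and the WP Support Plus catid finding earlier on this page are the same defect in a string and a numeric parameter: request input spliced into SQL text. The Python/sqlite3 model below is added here and is not code from Ranger (which is Java/JPA) or from the WordPress plugin; the table, columns and rows are constructed stand-ins. It runs the page's own payload, ' or '1'='1, plus a comment-based and a numeric variant, against a concatenating query and a parameterized one.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a policy-history table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE x_data_hist (obj_id INTEGER, obj_class_type INTEGER,"
                " event_time TEXT, content TEXT)")
    con.executemany("INSERT INTO x_data_hist VALUES (?, ?, ?, ?)", [
        (1, 1020, "2016-04-01 10:00:00", "policy 1, version 1"),
        (1, 1020, "2016-04-02 10:00:00", "policy 1, version 2"),
        (2, 1020, "2016-04-03 10:00:00", "policy 2, version 1"),
    ])
    return con


def find_by_event_time_vulnerable(con, event_time: str, policy_id) -> list:
    """Query text assembled by concatenation: both parameters are injectable.
    ' or '1'='1 rewrites the WHERE clause; a numeric id is injectable without quotes."""
    sql = ("SELECT content FROM x_data_hist WHERE obj_class_type = 1020"
           " AND event_time = '" + event_time + "'"
           " AND obj_id = " + str(policy_id) +
           " ORDER BY event_time")
    return [row[0] for row in con.execute(sql)]


def find_by_event_time_safe(con, event_time: str, policy_id) -> list:
    """Bound parameters: the driver never interprets the values as SQL.
    The numeric id is validated as an integer instead of being pasted in."""
    try:
        policy_id = int(policy_id)
    except (TypeError, ValueError):
        return []                      # reject rather than guess
    sql = ("SELECT content FROM x_data_hist WHERE obj_class_type = 1020"
           " AND event_time = ? AND obj_id = ? ORDER BY event_time")
    return [row[0] for row in con.execute(sql, (event_time, policy_id))]


if __name__ == "__main__":
    con = make_demo_db()
    for payload in ("' or '1'='1", "' OR 1=1 --"):
        print(repr(payload), find_by_event_time_vulnerable(con, payload, 1),
              find_by_event_time_safe(con, payload, 1))
    print("numeric", find_by_event_time_vulnerable(con, "2016-04-01 10:00:00", "0 OR 1=1"),
          find_by_event_time_safe(con, "2016-04-01 10:00:00", "0 OR 1=1"))
```

With the page's payload the concatenated query degrades to (obj_class_type = 1020 AND event_time = '') OR ('1'='1' AND obj_id = 1), so the time filter is bypassed and every version of policy 1 comes back; the parameterized query looks for a literal event_time of "' or '1'='1" and returns nothing.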
Chrome Universal XSS through adopting image elements (CVE-2016-1667)
VULNERABILITY DETAILS When a node is being adopted, the tree scope adopter calls |didMoveToNewDocument| on each rescoped node in the tree. The implementation of |didMoveToNewDocument| calls the corresponding method on the related loader, which clears and stops observing...
Squirrelmail 1.4.22 Remote Code Execution (CVE-2017-7692)
Squirrelmail version 1.4.22 and probably prior is vulnerable to a remote code execution vulnerability because it fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in...
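Both the Squirrelmail entry above (an unsanitized string handed to popen) and the PHPMailer entry earlier on this page (a controlled Sender value turning into extra sendmail options) come down to caller-controlled text reaching a mail transport's command line. The Python sketch below is added here and is not code from either project; it contrasts the shell-string shape that reaches popen() with an argv invocation behind a strict sender validator. The sendmail path and option set are assumptions, and the payloads in the test are constructed.

```python
import re
import subprocess

# A sender may only be a bare mailbox address: no whitespace, quotes or shell
# metacharacters, and no leading '-' that sendmail would read as an option.
SENDER_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

SENDMAIL = "/usr/sbin/sendmail"   # assumed; in practice taken from configuration


def is_safe_sender(sender: str) -> bool:
    return bool(SENDER_RE.match(sender)) and not sender.startswith("-")


def sendmail_command_vulnerable(sender: str) -> str:
    """The shape that reaches popen(): one string parsed by /bin/sh, with the
    caller-controlled sender pasted in unquoted and unvalidated."""
    return f"{SENDMAIL} -i -f {sender}"


def sendmail_argv_safe(sender: str) -> list:
    """argv form: no shell parses it, so metacharacters are inert, and the
    validated sender cannot smuggle additional sendmail options either."""
    if not is_safe_sender(sender):
        raise ValueError(f"refusing sender {sender!r}")
    return [SENDMAIL, "-i", "-f", sender]


def submit(message: bytes, sender: str) -> int:
    """Feed the message to sendmail on stdin using the validated argv (no shell)."""
    proc = subprocess.run(sendmail_argv_safe(sender), input=message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed payloads: a shell injection and an option injection.
    for s in ("alice@example.org", "alice@example.org; id > /tmp/pwned",
              "-X/var/www/html/shell.php@example.org"):
        print(repr(s), "shell string:", sendmail_command_vulnerable(s),
              "| accepted:", is_safe_sender(s))
```

Two layers are needed, not one: dropping the shell stops "; id" from running, but on its own it still lets a sender such as -X... become a sendmail option, which is exactly the write-to-arbitrary-path primitive the PHPMailer entry describes; the allow-list regex closes that second path.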
Chrome Universal XSS via fullscreen element updates (CVE-2016-5207)
VULNERABILITY DETAILS From /thirdparty/WebKit/Source/core/dom/Fullscreen.cpp: void Fullscreen::didEnterFullscreenForElement(Element* element) { ... // FIXME: This should not call updateStyleAndLayoutTree. document()->updateStyleAndLayoutTree(); ... Indeed, |didEnterFullscreenForElement| may be called in th...
Safari Browser: Memory corruption in Array concat (CVE-2017-2464)
There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption. In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates...
Drupal Core - Access Bypass vulnerability (CVE-2017-6919)
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met: The site has the RESTful Web Services rest module enabled. The site allows PATCH requests. An attacker can get or register a user account on the site. While we don't normall...