ID SECURITYVULNS:DOC:22210 Type securityvulns Reporter Securityvulns Modified 2009-07-24T00:00:00
Description
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-009
- Original release date: July 21st, 2009
- Last revised: July 23rd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities
II. BACKGROUND
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.
III. DESCRIPTION
This vulnerability could allow a malicious user to view the internal
path information of the host due to some files were missing the check
for JEXEC.
IV. PROOF OF CONCEPT
The attacker can get the full path of the instalation of Joomla!
browsing to any of this urls:
The information obtained contais the full path to the files:
<b>Parse error</b>: syntax error, unexpected T_CLONE, expecting
T_STRING in
<b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b>
on line <b>100</b><br />
<b>Fatal error</b>: Class 'JObject' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line
<b>21</b><br />
<b>Fatal error</b>: Class 'JLoader' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b>
on line <b>15</b><br />
V. BUSINESS IMPACT
Full path disclosure vulnerabilities enables an attacker to know the
path to the web root. This information can be used in order to launch
further attacks.
VI. SYSTEMS AFFECTED
Joomla! versions prior and including 1.5.12 are vulnerable.
VII. SOLUTION
Upgrade to version 1.5.13
VIII. REFERENCES
http://www.joomla.org
http://www.isecauditors.com
IX. CREDITS
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
July 21, 2009: Initial release.
July 23, 2009: Last revision.
XI. DISCLOSURE TIMELINE
July 21, 2009: Discovered by Internet Security Auditors.
July 21, 2009: Vendor contacted.
July 22, 2009: Joomla! publish update. Great job.
July 24, 2009: Advisory published.
XII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
{"id": "SECURITYVULNS:DOC:22210", "bulletinFamily": "software", "title": "[ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities", "description": "=============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-009\r\n- Original release date: July 21st, 2009\r\n- Last revised: July 23rd, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- Severity: 5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nJoomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nJoomla! is an award-winning content management system (CMS), which\r\nenables you to build Web sites and powerful online applications. Many\r\naspects, including its ease-of-use and extensibility, have made\r\nJoomla! the most popular Web site software available. Best of all,\r\nJoomla! is an open source solution that is freely available to everyone.\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nThis vulnerability could allow a malicious user to view the internal\r\npath information of the host due to some files were missing the check\r\nfor JEXEC.\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nThe attacker can get the full path of the instalation of Joomla!\r\nbrowsing to any of this urls:\r\n\r\nhttp://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php\r\nhttp://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php\r\nhttp://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php\r\n\r\nThe information obtained contais the full path to the files:\r\n\r\n<b>Parse error</b>: syntax error, unexpected T_CLONE, expecting\r\nT_STRING in\r\n<b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b>\r\non line <b>100</b><br />\r\n<b>Fatal error</b>: Class 'JObject' not found in\r\n<b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line\r\n<b>21</b><br />\r\n<b>Fatal error</b>: Class 'JLoader' not found in\r\n<b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b>\r\non line <b>15</b><br />\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nFull path disclosure vulnerabilities enables an attacker to know the\r\npath to the web root. This information can be used in order to launch\r\nfurther attacks.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nJoomla! versions prior and including 1.5.12 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpgrade to version 1.5.13\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.joomla.org\r\nhttp://www.isecauditors.com\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered\r\nby Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nJuly 21, 2009: Initial release.\r\nJuly 23, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nJuly 21, 2009: Discovered by Internet Security Auditors.\r\nJuly 21, 2009: Vendor contacted.\r\nJuly 22, 2009: Joomla! publish update. Great job.\r\nJuly 24, 2009: Advisory published.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied "as-is"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.", "published": "2009-07-24T00:00:00", "modified": "2009-07-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22210", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:31", "edition": 1, "viewCount": 38, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-08-31T11:10:31", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB2526297", "KB317244", "KB980408", "KB981401", "KB2785908", "KB953331", "KB2404575", "KB2510690", "KB3191913", "KB2874216"]}], "modified": "2018-08-31T11:10:31", "rev": 2}, "vulnersScore": -0.2}, "affectedSoftware": []}
{"nessus": [{"lastseen": "2020-10-16T08:29:59", "description": "This update for nextcloud fixes the following issues :\n\nnextcloud version 20.0.0 fix some security issues :\n\n - NC-SA-2020-037 PIN for passwordless WebAuthm is asked\n for but not verified\n\n - NC-SA-2020-033 (CVE-2020-8228) Missing rate limit on\n signup page\n\n - NC-SA-2020-029 (CVE-2020-8233, boo#1177346) Re-Sharing\n allows increase of privileges\n\n - NC-SA-2020-026 Passowrd of share by mail is not hashed\n when given on the create share call\n\n - NC-SA-2020-023 Increase random used for encryption\n\n - Update to 19.0.3\n\n - Fix possible leaking scope in Flow (server#22410)\n\n - Combine body-login rules in theming and fix twofactor\n and guest styling on bright colors (server#22427)\n\n - Show better quota warning for group folders and external\n storage (server#22442)\n\n - Add php docs build script (server#22448)\n\n - Fix clicks on actions menu of non opaque file rows in\n acceptance tests (server#22503)\n\n - Fix writing BLOBs to postgres with recent contacts\n interaction (server#22515)\n\n - Set the mount id before calling storage wrapper\n (server#22519)\n\n - Fix S3 error handling (server#22521)\n\n - Only disable zip64 if the size is known (server#22537)\n\n - Change free space calculation (server#22553)\n\n - Do not keep the part file if the forbidden exception has\n no retry set (server#22560)\n\n - Fix app password updating out of bounds (server#22569)\n\n - Use the correct root to determinate the webroot for the\n resource (server#22579)\n\n - Upgrade icewind/smb to 3.2.7 (server#22581)\n\n - Bump elliptic from 6.4.1 to 6.5.3 (notifications#732)\n\n - Fixes regression that prevented you from toggling the\n encryption flag (privacy#489)\n\n - Match any non-whitespace character in filesystem pattern\n (serverinfo#229)\n\n - Catch StorageNotAvailable exceptions (text#1001)\n\n - Harden read only check on public endpoints (text#1017)\n\n - Harden check when using token from memcache (text#1020)\n\n - Sessionid is an int (text#1029)\n\n - Only overwrite Ctrl-f when text is focussed (text#990)\n\n - Set the X-Requested-With header on dav requests\n (viewer#582)\n\n - Update to 19.0.2\n\n - [stable19] lower minimum search length to 2 characters\n (server#21782)\n\n - [stable19] Call openssl_pkey_export with $config and log\n errors. (server#21804)\n\n - [stable19] Improve error reporting on sharing errors\n (server#21806)\n\n - [stable19] Do not log RequestedRangeNotSatisfiable\n exceptions in DAV (server#21840)\n\n - [stable19] Fix parsing of language code (server#21857)\n\n - [stable19] fix typo in revokeShare() (server#21876)\n\n - [stable19] Discourage webauthn user interaction\n (server#21917)\n\n - [stable19] Encryption is ready if master key is enabled\n (server#21935)\n\n - [stable19] Disable fragile comments tests (server#21939)\n\n - [stable19] Do not double encode the userid in webauthn\n login (server#21953)\n\n - [stable19] update icewind/smb to 3.2.6 (server#21955)\n\n - [stable19] Respect default share permissions\n (server#21967)\n\n - [stable19] allow admin to configure the max trashbin\n size (server#21975)\n\n - [stable19] Fix risky test in twofactor_backupcodes\n (server#21978)\n\n - [stable19] Fix PHPUnit deprecation warnings\n (server#21981)\n\n - [stable19] fix moving files from external storage to\n object store trashbin (server#21983)\n\n - [stable19] Ignore whitespace in sharing by mail\n (server#21991)\n\n - [stable19] Properly fetch translation for remote wipe\n confirmation dialog (server#22036)\n\n - [stable19] parse_url returns null in case a parameter is\n not found (server#22044)\n\n - Bump elliptic from 6.5.2 to 6.5.3 (server#22050)\n\n - [stable19] Correctly remove usergroup shares on removing\n group members (server#22053)\n\n - [stable19] Fix height to big for iPhone when using many\n apps (server#22064)\n\n - [stable19] reset the cookie internally in new API when\n abandoning paged results op (server#22069)\n\n - [stable19] Add Guzzle's InvalidArgumentException\n (server#22070)\n\n - [stable19] contactsmanager shall limit number of results\n early (server#22091)\n\n - [stable19] Fix browser freeze on long password input\n (server#22094)\n\n - [stable19] Search also the email and displayname in user\n mangement for groups (server#22118)\n\n - [stable19] Ensured large image is unloaded from memory\n when generating previews (server#22121)\n\n - [stable19] fix display of remote users in incoming share\n notifications (server#22131)\n\n - [stable19] Reuse cache for directory mtime/size if\n filesystem changes can be ignored (server#22171)\n\n - [stable19] Remove unexpected argument (server#22178)\n\n - [stable19] Do not exit if available space cannot be\n determined on file transfer (server#22181)\n\n - [stable19] Fix empty 'more' apps navigation after\n installing an app (server#22183)\n\n - [stable19] Fix default log_rotate_size in\n config.sample.php (server#22192)\n\n - [stable19] shortcut in reading nested group members when\n IN_CHAIN is available (server#22203)\n\n - [stable19] Fix chmod on file descriptor (server#22208)\n\n - [stable19] Do clearstatcache() on rmdir (server#22209)\n\n - [stable19] SSE enhancement of file signature\n (server#22210)\n\n - [stable19] remove logging message carrying no valuable\n information (server#22215)\n\n - [stable19] Add app config option to disable 'Email was\n changed by admin' activity (server#22232)\n\n - [stable19] Delete chunks if the move on an upload failed\n (server#22239)\n\n - [stable19] Silence duplicate session warnings\n (server#22247)\n\n - [3rdparty] Doctrine: Fix unquoted stmt fragments\n backslash escaping (server#22252)\n\n - [stable19] Allow to disable share emails (server#22300)\n\n - [stable19] Show disabled user count in occ user:report\n (server#22302)\n\n - Bump 3rdparty to last stable19 commit (server#22303)\n\n - [stable19] fixing a logged deprecation message\n (server#22309)\n\n - [stable19] CalDAV: Add ability to limit sharing to owner\n (server#22333)\n\n - [stable19] Only copy the link when updating a share or\n no password was forced (server#22337)\n\n - [stable19] Remove encryption option for nextcloud\n external storage (server#22341)\n\n - [stable19] l10n:Correct appid for WebAuthn\n (server#22348)\n\n - [stable19] Properly search for users when limittogroups\n is enabled (server#22355)\n\n - [stable19] SSE: make legacy format opt in (server#22381)\n\n - [stable19] Update the CRL (server#22387)\n\n - [stable19] Fix missing FN from federated contact\n (server#22400)\n\n - [stable19] fix event icon sizes and text alignment\n (server#22414)\n\n - [stable19] Bump stecman/symfony-console-completion from\n 0.8.0 to 0.11.0 (3rdparty#457)\n\n - [stable19] Add Guzzle's InvalidArgumentException\n (3rdparty#474)\n\n - [stable19] Doctrine: Fix unquoted stmt fragments\n backslash escaping (3rdparty#486)\n\n - [stable19] Fix cypress (viewer#545)\n\n - Move to webpack vue global config & bump deps\n (viewer#558)\n\n - Update to 19.0.1\n\n - Security update Fix (CVE-2020-8183, NC-SA-2020-026,\n CWE-256) A logic error in Nextcloud Server 19.0.0 caused\n a plaintext storage of the share password when it was\n given on the initial create API call.\n\n - Update to 19.0.0\n\n - Changes Nextcloud Hub v19, code name “home\n office”, represents a big step forward for remote\n collaboration in teams. This release brings document\n collaboration to video chats, introduces password-less\n login and improves performance. As this is a major\n release, the changelog is too long to put here. Users\n can look at github milestones to find what has been\n merged. A quick overview of what is new :\n\n - password-less authentication and many other security\n measures\n\n - Talk 9 with built-in office document editing courtesy of\n Collabora, a grid view & more\n\n - MUCH improved performance, Deck integration in Calendar,\n guest account groups and more!", "edition": 2, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-12T00:00:00", "title": "openSUSE Security Update : nextcloud (openSUSE-2020-1652)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-8228", "CVE-2020-8154", "CVE-2020-8233", "CVE-2020-8155", "CVE-2020-8183"], "modified": "2020-10-12T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.2", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:nextcloud"], "id": "OPENSUSE-2020-1652.NASL", "href": "https://www.tenable.com/plugins/nessus/141387", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1652.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141387);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\"CVE-2020-8154\", \"CVE-2020-8155\", \"CVE-2020-8183\", \"CVE-2020-8228\", \"CVE-2020-8233\");\n\n script_name(english:\"openSUSE Security Update : nextcloud (openSUSE-2020-1652)\");\n script_summary(english:\"Check for the openSUSE-2020-1652 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for nextcloud fixes the following issues :\n\nnextcloud version 20.0.0 fix some security issues :\n\n - NC-SA-2020-037 PIN for passwordless WebAuthm is asked\n for but not verified\n\n - NC-SA-2020-033 (CVE-2020-8228) Missing rate limit on\n signup page\n\n - NC-SA-2020-029 (CVE-2020-8233, boo#1177346) Re-Sharing\n allows increase of privileges\n\n - NC-SA-2020-026 Passowrd of share by mail is not hashed\n when given on the create share call\n\n - NC-SA-2020-023 Increase random used for encryption\n\n - Update to 19.0.3\n\n - Fix possible leaking scope in Flow (server#22410)\n\n - Combine body-login rules in theming and fix twofactor\n and guest styling on bright colors (server#22427)\n\n - Show better quota warning for group folders and external\n storage (server#22442)\n\n - Add php docs build script (server#22448)\n\n - Fix clicks on actions menu of non opaque file rows in\n acceptance tests (server#22503)\n\n - Fix writing BLOBs to postgres with recent contacts\n interaction (server#22515)\n\n - Set the mount id before calling storage wrapper\n (server#22519)\n\n - Fix S3 error handling (server#22521)\n\n - Only disable zip64 if the size is known (server#22537)\n\n - Change free space calculation (server#22553)\n\n - Do not keep the part file if the forbidden exception has\n no retry set (server#22560)\n\n - Fix app password updating out of bounds (server#22569)\n\n - Use the correct root to determinate the webroot for the\n resource (server#22579)\n\n - Upgrade icewind/smb to 3.2.7 (server#22581)\n\n - Bump elliptic from 6.4.1 to 6.5.3 (notifications#732)\n\n - Fixes regression that prevented you from toggling the\n encryption flag (privacy#489)\n\n - Match any non-whitespace character in filesystem pattern\n (serverinfo#229)\n\n - Catch StorageNotAvailable exceptions (text#1001)\n\n - Harden read only check on public endpoints (text#1017)\n\n - Harden check when using token from memcache (text#1020)\n\n - Sessionid is an int (text#1029)\n\n - Only overwrite Ctrl-f when text is focussed (text#990)\n\n - Set the X-Requested-With header on dav requests\n (viewer#582)\n\n - Update to 19.0.2\n\n - [stable19] lower minimum search length to 2 characters\n (server#21782)\n\n - [stable19] Call openssl_pkey_export with $config and log\n errors. (server#21804)\n\n - [stable19] Improve error reporting on sharing errors\n (server#21806)\n\n - [stable19] Do not log RequestedRangeNotSatisfiable\n exceptions in DAV (server#21840)\n\n - [stable19] Fix parsing of language code (server#21857)\n\n - [stable19] fix typo in revokeShare() (server#21876)\n\n - [stable19] Discourage webauthn user interaction\n (server#21917)\n\n - [stable19] Encryption is ready if master key is enabled\n (server#21935)\n\n - [stable19] Disable fragile comments tests (server#21939)\n\n - [stable19] Do not double encode the userid in webauthn\n login (server#21953)\n\n - [stable19] update icewind/smb to 3.2.6 (server#21955)\n\n - [stable19] Respect default share permissions\n (server#21967)\n\n - [stable19] allow admin to configure the max trashbin\n size (server#21975)\n\n - [stable19] Fix risky test in twofactor_backupcodes\n (server#21978)\n\n - [stable19] Fix PHPUnit deprecation warnings\n (server#21981)\n\n - [stable19] fix moving files from external storage to\n object store trashbin (server#21983)\n\n - [stable19] Ignore whitespace in sharing by mail\n (server#21991)\n\n - [stable19] Properly fetch translation for remote wipe\n confirmation dialog (server#22036)\n\n - [stable19] parse_url returns null in case a parameter is\n not found (server#22044)\n\n - Bump elliptic from 6.5.2 to 6.5.3 (server#22050)\n\n - [stable19] Correctly remove usergroup shares on removing\n group members (server#22053)\n\n - [stable19] Fix height to big for iPhone when using many\n apps (server#22064)\n\n - [stable19] reset the cookie internally in new API when\n abandoning paged results op (server#22069)\n\n - [stable19] Add Guzzle's InvalidArgumentException\n (server#22070)\n\n - [stable19] contactsmanager shall limit number of results\n early (server#22091)\n\n - [stable19] Fix browser freeze on long password input\n (server#22094)\n\n - [stable19] Search also the email and displayname in user\n mangement for groups (server#22118)\n\n - [stable19] Ensured large image is unloaded from memory\n when generating previews (server#22121)\n\n - [stable19] fix display of remote users in incoming share\n notifications (server#22131)\n\n - [stable19] Reuse cache for directory mtime/size if\n filesystem changes can be ignored (server#22171)\n\n - [stable19] Remove unexpected argument (server#22178)\n\n - [stable19] Do not exit if available space cannot be\n determined on file transfer (server#22181)\n\n - [stable19] Fix empty 'more' apps navigation after\n installing an app (server#22183)\n\n - [stable19] Fix default log_rotate_size in\n config.sample.php (server#22192)\n\n - [stable19] shortcut in reading nested group members when\n IN_CHAIN is available (server#22203)\n\n - [stable19] Fix chmod on file descriptor (server#22208)\n\n - [stable19] Do clearstatcache() on rmdir (server#22209)\n\n - [stable19] SSE enhancement of file signature\n (server#22210)\n\n - [stable19] remove logging message carrying no valuable\n information (server#22215)\n\n - [stable19] Add app config option to disable 'Email was\n changed by admin' activity (server#22232)\n\n - [stable19] Delete chunks if the move on an upload failed\n (server#22239)\n\n - [stable19] Silence duplicate session warnings\n (server#22247)\n\n - [3rdparty] Doctrine: Fix unquoted stmt fragments\n backslash escaping (server#22252)\n\n - [stable19] Allow to disable share emails (server#22300)\n\n - [stable19] Show disabled user count in occ user:report\n (server#22302)\n\n - Bump 3rdparty to last stable19 commit (server#22303)\n\n - [stable19] fixing a logged deprecation message\n (server#22309)\n\n - [stable19] CalDAV: Add ability to limit sharing to owner\n (server#22333)\n\n - [stable19] Only copy the link when updating a share or\n no password was forced (server#22337)\n\n - [stable19] Remove encryption option for nextcloud\n external storage (server#22341)\n\n - [stable19] l10n:Correct appid for WebAuthn\n (server#22348)\n\n - [stable19] Properly search for users when limittogroups\n is enabled (server#22355)\n\n - [stable19] SSE: make legacy format opt in (server#22381)\n\n - [stable19] Update the CRL (server#22387)\n\n - [stable19] Fix missing FN from federated contact\n (server#22400)\n\n - [stable19] fix event icon sizes and text alignment\n (server#22414)\n\n - [stable19] Bump stecman/symfony-console-completion from\n 0.8.0 to 0.11.0 (3rdparty#457)\n\n - [stable19] Add Guzzle's InvalidArgumentException\n (3rdparty#474)\n\n - [stable19] Doctrine: Fix unquoted stmt fragments\n backslash escaping (3rdparty#486)\n\n - [stable19] Fix cypress (viewer#545)\n\n - Move to webpack vue global config & bump deps\n (viewer#558)\n\n - Update to 19.0.1\n\n - Security update Fix (CVE-2020-8183, NC-SA-2020-026,\n CWE-256) A logic error in Nextcloud Server 19.0.0 caused\n a plaintext storage of the share password when it was\n given on the initial create API call.\n\n - Update to 19.0.0\n\n - Changes Nextcloud Hub v19, code name “home\n office”, represents a big step forward for remote\n collaboration in teams. This release brings document\n collaboration to video chats, introduces password-less\n login and improves performance. As this is a major\n release, the changelog is too long to put here. Users\n can look at github milestones to find what has been\n merged. A quick overview of what is new :\n\n - password-less authentication and many other security\n measures\n\n - Talk 9 with built-in office document editing courtesy of\n Collabora, a grid view & more\n\n - MUCH improved performance, Deck integration in Calendar,\n guest account groups and more!\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177346\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected nextcloud package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nextcloud\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1|SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1 / 15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"nextcloud-20.0.0-lp151.2.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"nextcloud-20.0.0-lp152.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nextcloud\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2020-10-11T03:00:41", "bulletinFamily": "unix", "cvelist": ["CVE-2020-8228", "CVE-2020-8154", "CVE-2020-8233", "CVE-2020-8155", "CVE-2020-8183"], "description": "This update for nextcloud fixes the following issues:\n\n nextcloud version 20.0.0 fix some security issues:\n\n - NC-SA-2020-037 PIN for passwordless WebAuthm is asked for but not\n verified\n - NC-SA-2020-033 (CVE-2020-8228) Missing rate limit on signup page\n - NC-SA-2020-029 (CVE-2020-8233, boo#1177346) Re-Sharing allows increase\n of privileges\n - NC-SA-2020-026 Passowrd of share by mail is not hashed when given on\n the create share call\n - NC-SA-2020-023 Increase random used for encryption\n\n - Update to 19.0.3\n\n - Fix possible leaking scope in Flow (server#22410)\n - Combine body-login rules in theming and fix twofactor and guest\n styling on bright colors (server#22427)\n - Show better quota warning for group folders and external storage\n (server#22442)\n - Add php docs build script (server#22448)\n - Fix clicks on actions menu of non opaque file rows in acceptance tests\n (server#22503)\n - Fix writing BLOBs to postgres with recent contacts interaction\n (server#22515)\n - Set the mount id before calling storage wrapper (server#22519)\n - Fix S3 error handling (server#22521)\n - Only disable zip64 if the size is known (server#22537)\n - Change free space calculation (server#22553)\n - Do not keep the part file if the forbidden exception has no retry set\n (server#22560)\n - Fix app password updating out of bounds (server#22569)\n - Use the correct root to determinate the webroot for the resource\n (server#22579)\n - Upgrade icewind/smb to 3.2.7 (server#22581)\n - Bump elliptic from 6.4.1 to 6.5.3 (notifications#732)\n - Fixes regression that prevented you from toggling the encryption flag\n (privacy#489)\n - Match any non-whitespace character in filesystem pattern\n (serverinfo#229)\n - Catch StorageNotAvailable exceptions (text#1001)\n - Harden read only check on public endpoints (text#1017)\n - Harden check when using token from memcache (text#1020)\n - Sessionid is an int (text#1029)\n - Only overwrite Ctrl-f when text is focussed (text#990)\n - Set the X-Requested-With header on dav requests (viewer#582)\n\n - Update to 19.0.2\n\n - [stable19] lower minimum search length to 2 characters (server#21782)\n - [stable19] Call openssl_pkey_export with $config and log errors.\n (server#21804)\n - [stable19] Improve error reporting on sharing errors (server#21806)\n - [stable19] Do not log RequestedRangeNotSatisfiable exceptions in DAV\n (server#21840)\n - [stable19] Fix parsing of language code (server#21857)\n - [stable19] fix typo in revokeShare() (server#21876)\n - [stable19] Discourage webauthn user interaction (server#21917)\n - [stable19] Encryption is ready if master key is enabled (server#21935)\n - [stable19] Disable fragile comments tests (server#21939)\n - [stable19] Do not double encode the userid in webauthn login\n (server#21953)\n - [stable19] update icewind/smb to 3.2.6 (server#21955)\n - [stable19] Respect default share permissions (server#21967)\n - [stable19] allow admin to configure the max trashbin size\n (server#21975)\n - [stable19] Fix risky test in twofactor_backupcodes (server#21978)\n - [stable19] Fix PHPUnit deprecation warnings (server#21981)\n - [stable19] fix moving files from external storage to object store\n trashbin (server#21983)\n - [stable19] Ignore whitespace in sharing by mail (server#21991)\n - [stable19] Properly fetch translation for remote wipe confirmation\n dialog (server#22036)\n - [stable19] parse_url returns null in case a parameter is not found\n (server#22044)\n - Bump elliptic from 6.5.2 to 6.5.3 (server#22050)\n - [stable19] Correctly remove usergroup shares on removing group members\n (server#22053)\n - [stable19] Fix height to big for iPhone when using many apps\n (server#22064)\n - [stable19] reset the cookie internally in new API when abandoning\n paged results op (server#22069)\n - [stable19] Add Guzzle's InvalidArgumentException (server#22070)\n - [stable19] contactsmanager shall limit number of results early\n (server#22091)\n - [stable19] Fix browser freeze on long password input (server#22094)\n - [stable19] Search also the email and displayname in user mangement for\n groups (server#22118)\n - [stable19] Ensured large image is unloaded from memory when generating\n previews (server#22121)\n - [stable19] fix display of remote users in incoming share notifications\n (server#22131)\n - [stable19] Reuse cache for directory mtime/size if filesystem changes\n can be ignored (server#22171)\n - [stable19] Remove unexpected argument (server#22178)\n - [stable19] Do not exit if available space cannot be determined on file\n transfer (server#22181)\n - [stable19] Fix empty 'more' apps navigation after installing an app\n (server#22183)\n - [stable19] Fix default log_rotate_size in config.sample.php\n (server#22192)\n - [stable19] shortcut in reading nested group members when IN_CHAIN is\n available (server#22203)\n - [stable19] Fix chmod on file descriptor (server#22208)\n - [stable19] Do clearstatcache() on rmdir (server#22209)\n - [stable19] SSE enhancement of file signature (server#22210)\n - [stable19] remove logging message carrying no valuable information\n (server#22215)\n - [stable19] Add app config option to disable "Email was changed by\n admin" activity (server#22232)\n - [stable19] Delete chunks if the move on an upload failed (server#22239)\n - [stable19] Silence duplicate session warnings (server#22247)\n - [3rdparty] Doctrine: Fix unquoted stmt fragments backslash escaping\n (server#22252)\n - [stable19] Allow to disable share emails (server#22300)\n - [stable19] Show disabled user count in occ user:report (server#22302)\n - Bump 3rdparty to last stable19 commit (server#22303)\n - [stable19] fixing a logged deprecation message (server#22309)\n - [stable19] CalDAV: Add ability to limit sharing to owner (server#22333)\n - [stable19] Only copy the link when updating a share or no password was\n forced (server#22337)\n - [stable19] Remove encryption option for nextcloud external storage\n (server#22341)\n - [stable19] l10n:Correct appid for WebAuthn (server#22348)\n - [stable19] Properly search for users when limittogroups is enabled\n (server#22355)\n - [stable19] SSE: make legacy format opt in (server#22381)\n - [stable19] Update the CRL (server#22387)\n - [stable19] Fix missing FN from federated contact (server#22400)\n - [stable19] fix event icon sizes and text alignment (server#22414)\n - [stable19] Bump stecman/symfony-console-completion from 0.8.0 to\n 0.11.0 (3rdparty#457)\n - [stable19] Add Guzzle's InvalidArgumentException (3rdparty#474)\n - [stable19] Doctrine: Fix unquoted stmt fragments backslash escaping\n (3rdparty#486)\n - [stable19] Fix cypress (viewer#545)\n - Move to webpack vue global config & bump deps (viewer#558)\n\n - Update to 19.0.1\n\n - Security update Fix (CVE-2020-8183, NC-SA-2020-026, CWE-256) A logic\n error in Nextcloud Server 19.0.0 caused a plaintext storage of the\n share password when it was given on the initial create API call.\n\n - Update to 19.0.0\n\n * Changes Nextcloud Hub v19, code name \u00e2\u0080\u009chome office\u00e2\u0080\u009d, represents a\n big step forward for remote collaboration in teams. This release\n brings document collaboration to video chats, introduces password-less\n login and improves performance. As this is a major release, the\n changelog is too long to put here. Users can look at github milestones\n to find what has been merged. A quick overview of what is new:\n - password-less authentication and many other security measures\n - Talk 9 with built-in office document editing courtesy of Collabora,\n a grid view & more\n - MUCH improved performance, Deck integration in Calendar, guest\n account groups and more!\n\n", "edition": 1, "modified": "2020-10-11T00:16:44", "published": "2020-10-11T00:16:44", "id": "OPENSUSE-SU-2020:1652-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00020.html", "title": "Security update for nextcloud (moderate)", "type": "suse", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-10-03T13:07:36", "description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-09-30T01:29:00", "title": "CVE-2017-14933", "type": "cve", "cwe": ["CWE-835"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14933"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:gnu:binutils:2.29"], "id": "CVE-2017-14933", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14933", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:gnu:binutils:2.29:*:*:*:*:*:*:*"]}], "openbugbounty": [{"lastseen": "2018-03-15T00:05:23", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Open Bug Bounty ID: OBB-427909\n\nDescription| Value \n---|--- \nAffected Website:| siteekle.com.tr \nVulnerable Application:| Custom Code \nVulnerability Type:| Open Redirect / CWE-601 \nCVSSv3 Score:| 3.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N] \nRemediation Guide:| OWASP Open Redirect Cheat Sheet \n \n##### Vulnerable URL:\n \n \n http://www.siteekle.com.tr/jump.php?sid=22210&url;=http://openbugbounty.org\n \n\n##### Coordinated Disclosure Timeline\n\nDescription| Value \n---|--- \nVulnerability Reported:| 21 November, 2017 16:11 GMT \nVulnerability Verified:| 21 November, 2017 16:13 GMT \nWebsite Operator Notified:| 21 November, 2017 16:13 GMT \nVulnerability Published:| 21 November, 2017 16:13 GMT[without any technical details] \nVulnerability Fixed:| 20 February, 2018 09:31 GMT \nPublic Disclosure:| 20 February, 2018 09:31 GMT\n", "modified": "2018-02-20T09:31:00", "published": "2017-11-21T16:11:00", "id": "OBB:427909", "href": "https://www.openbugbounty.org/reports/427909/", "type": "openbugbounty", "title": "siteekle.com.tr Open Redirect vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "PHAR extension DoS.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "title": "PHP security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions (afamexts.sql) does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password (for example,\r\ndefault password APPS/APPS), he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
