Summary=======The operating system used by Pexip Infinity does not create unique SSHhost keys on deployment of new Management and Conferencing Nodes, usingfixed host keys instead. Host keys are used to verify the identity ofthe remote host when connecting to it over SSH. These keys are containedin the publicly available software image.An attacker with privileged network access may make use of these keys tospoof the identity of a Pexip Infinity installation or conductman-in-the-middle attacks on administrative SSH sessions. This maypermit the attacker access to credentials used to authenticate sessionsover SSH and provide shell access to the affected systems.This issue is resolved in Pexip Infinity version 8.References=========CVE-2014-8779http://pexip.com/security-bulletins
Information------------Advisory by NetsparkerName: XSS Vulnerability in Blubrry PowerPressAffected Software : Blubrry PowerPressAffected Versions: 6.0 and possibly belowVendor Homepage : https://wordpress.org/plugins/powerpress/Vulnerability Type : Cross-site ScriptingSeverity : ImportantCVE-ID: CVE-2015-1385Netsparker Advisory Reference : NS-15-001Description-----------By exploiting a Cross-site scripting vulnerability the attacker canhijack a logged in user?s session. This means that the malicioushacker can change the logged in user?s password and invalidate thesession of the victim while the hacker maintains access. As seen fromthe XSS example in this article, if a web application is vulnerable tocross-site scripting and the administrator?s session is hijacked, themalicious hacker exploiting the vulnerability will have full adminprivileges on that web application.Netsparker finds and reports security issues and vulnerabilities suchas SQL Injection and Cross-site Scripting (XSS) in all websites andweb applications regardless of the platform and the technology theyare built on. Netsparker's unique detection and exploitationtechniques allows it to be dead accurate in reporting hence it's thefirst and the only False Positive Free web application securityscanner.--------------------Proof of Concept URLs for XSS in Blubrry PowerPress WordPress plugin:/wp-admin/admin.php?page=powerpress/powerpressadmin_
categoryfeeds.php&action=powerpress-editcategoryfeed&cat=1';"--></style></scRipt><scRipt>alert(0x014068)</scRipt>For more information on cross-site scripting vulnerabilities read thefollowing article on Cross-site Scripting (XSS) -https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/Advisory Timeline--------------------22/01/2015 - First Contact26/01/2015 - Vulnerability fixed29/01/2015 - Advisory releasedSolution--------------------Download version 6.0.1 which includes fix for this vulnerability.Credits & Authors--------------------These issues have been discovered by Omar Kurt while testingNetsparker Web Application Security Scanner -https://www.netsparker.com/web-vulnerability-scanner/About Netsparker--------------------Netsparker finds and reports security issues and vulnerabilities suchas SQL Injection and Cross-site Scripting (XSS) in all websites andweb applications regardless of the platform and the technology theyare built on. Netsparker's unique detection and exploitationtechniques allows it to be dead accurate in reporting hence it's thefirst and the only False Positive Free web application securityscanner. For more information visit our website onhttps://www.netsparker.com
ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities
EMC Identifier: ESA-2015-002
CVE Identifier: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902, CVE-2012-5885, CVE-2011-3389, CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231, CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, CVE-2013-2634, CVE-2013-0268, CVE-2013-0913,CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798, CVE-2013-4242, CVE-2014-0138, CVE-2014-0139, CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2012-6085, CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, CVE-2014-2410 , CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, CVE-2014-0452, CVE-2010-5107, CVE-2014-1545, CVE-2014-1541, CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2013-2005, CVE-2013-2002, CVE-2014-0092, CVE-2014-0015, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244,
CVE-2014-4216, CVE-2011-0020, CVE-2011-0064, CVE-2014-3638, CVE-2014-3639, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-4330, CVE-2014-3613, CVE-2014-3620, CVE-2015-0512
Severity Rating: View details below for CVSSv2 scores
Affected products:
Unisphere Central versions prior to 4.0
Summary:
Unisphere Central requires an update to address various security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.
Details:
Unisphere Central requires an update to address various security vulnerabilities:
#####################################Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus routerAuthor: Kaustubh G. PadwadProduct: ASUS Router RT-N10 PlusFirmware: 2.1.1.1.70Severity: MediumAuth: Requierd# Description:Vulnerable Parameter: flag=# Vulnerability Class:Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))# About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise.#Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("
Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response.#Steps to Reproduce: (POC):After setting up routerEnter this URL1.http://ip-of-router/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+App
ly+&preferred_lang=&flag=initial78846%27%3balert(1337)%2f%2f372137b5d2. this will ask for creadintial once creatintial enterd it will be successfull XSS# Disclosure:8-jan-2015 Repoerted to ASUS9-jan-2015 Asus confirm that they reported to concern department15-jan-2015 Ask for update from asus asus says reported to HQ28-jan-2015 Ask asus about reporting security foucus No reply from ASUS29-jan-2015 security focus bugtraq#credits:Kaustubh PadwadInformation Security Researcherkingkaustubh@me.comhttps://twitter.com/s3curityb3asthttp://breakthesec.comhttps://www.linkedin.com/in/kaustubhpadwad
