Category Archives: Full Disclosure

BlinkSale Bug Bounty #1 – Encode & Validation Vulnerability

Posted by Vulnerability Lab on Feb 11

Document Title:
===============
BlinkSale Bug Bounty #1 – Encode & Validation Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1416

Release Date:
=============
2015-02-06

Vulnerability Laboratory ID (VL-ID):
====================================
1416

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:…

Facebook Bug Bounty #23 – Session ID & CSRF Vulnerability

Posted by Vulnerability Lab on Feb 11

Document Title:
===============
Facebook Bug Bounty #23 – Session ID & CSRF Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1432

Facebook Security ID: 10202805822321483

Video: https://www.youtube.com/watch?v=SAr2AGLrBkQ

Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2015/02/03/facebook-security-12500-bug-bounty-reward-security-researcher

Release Date:…

Barracuda Cloud Series – Filter Bypass Vulnerability (ID 731)

Posted by Vulnerability Lab on Feb 11

Document Title:
===============
Barracuda Cloud Series – Filter Bypass Vulnerability (ID 731)

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754

Barracuda Networks Security ID (BNSEC): 731

Release Date:
=============
2015-01-19

Vulnerability Laboratory ID (VL-ID):
====================================
754

Common Vulnerability Scoring System:
====================================
4.1

Abstract…

[RT-SA-2014-013] Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

Posted by RedTeam Pentesting GmbH on Feb 10

Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
Page

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.

Details
=======

Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229,
9.2.x…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Ben Lincoln (F7EFC8C9 – FD) on Feb 08

Hi David.

When I tried to reproduce it using code hosted on one of my domains, I
tried three variations of what I assumed at the time the PHP code from
the original was:

<?php
// wait three seconds (usleep takes microseconds), then redirect
usleep(3000000);
header("Location: http://www.dailymail.co.uk/");
die();
?>

<?php
// same three-second delay using sleep(), which takes seconds
sleep(3);
header("Location: http://www.dailymail.co.uk/");
die();
?>

<?php
// ten-second delay before the redirect
sleep(10);
header("Location: http://www.dailymail.co.uk/");
die();…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Barkley, Peter on Feb 08

Thanks Zaakiy,

I’m able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot
attached. I’m sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in
the exploit html page.

David, could you share the contents of “1.php”? I’m assuming it is a delayed re-direct to the target’s domain? I am
unable to reproduce the…

Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)

Posted by Steffen Rösemann on Feb 08

Advisory: Multiple CSRF vulnerabilities in eFront v. 3.6.15.2 (CE)
Advisory ID: SROEADV-2015-09
Author: Steffen Rösemann
Affected Software: eFront v. 3.6.15.2 (CE) (Release-date: 05-Dec-2014,
build 18021)
Vendor URL: http://www.efrontlearning.net
Vendor Status: patched
CVE-ID: –

Tested with/on:

-Browser: Firefox 35, Iceweasel 31.3.0
-OS: Mac OS X 10.10 (XAMPP installation), Kali Linux 1.0.9a (Apache2,
MySQL)

==========================…

Responder Windows Version

Posted by laurent gaffie on Feb 08

Responder for Windows is meant to propagate further compromises from a
Windows workstation/server.

Features include:

– Be able to propagate (pivoting) compromises across subnets and domains
from any compromised Windows machine ranging from Windows 2000 to 8.1,
Server 2012R2.

– This tool can also be used to compromise a domain from an external
penetration test.

– This version will disable NetBIOS on all interfaces and the current
firewall…

LG On Screen Phone authentication bypass (CVE-2014-8757)

Posted by Imre Rad on Feb 08

LG On Screen Phone authentication bypass vulnerability
——————————————————
SEARCH-LAB Ltd. discovered a serious security vulnerability in the On
Screen Phone protocol used by LG Smart Phones. A malicious attacker is
able to bypass the authentication phase of the network communication,
and thus establish a connection to the On Screen Phone application
without the owner’s knowledge or consent. Once connected,…