Posted by Pedro Ribeiro on Jan 05
This vulnerability has now been fixed. Upgrade to version 9.0 build
90109 or later. I’ve updated the advisory in my repo.
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt
Full Disclosure
Posted by Pedro Ribeiro on Jan 05
Hi,
This is part 11 of the ManageOwnage series. For previous parts, see [1].
This time we have two remote code execution via file upload (and
directory traversal) on several ManageEngine products – Service Desk
Plus, Asset Explorer, Support Center and IT360.
The first vulnerability can only be exploited by an authenticated
user, but it can be a low privileged guest (which is a default account
present in almost all installations). This…
Posted by Popovici, Alejo (LATCO – Buenos Aires) on Jan 05
Mantis BugTracker 1.2.17 multiple security vulnerabilities.
******************************************************************************
– Affected Vendor: Mantis
– Affected System: BugTracker 1.2.17
– Vulnerabilities’ Status: Fixed
******************************************************************************
– Associated CWEs:
CWE-79: Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
CWE-601: URL Redirection…
Posted by Stefan Kanthak on Jan 03
Hi @ll,
in order to prevent the possible execution of a rogue program like
“C:\Program.exe” or “C:\Program Files\Microsoft.exe”, on x64 also
“C:\Program Files.exe” or “C:\Program Files (x86)\Microsoft.exe”,
due to the beginner’s error of using unquoted pathnames containing
spaces (see <https://cwe.mitre.org/data/definitions/428.html>),
Windows’ [*] “Set Program Access and Computer…
Posted by Pedro Ribeiro on Jan 02
Hi,
This is part 10 of the ManageOwnage series. For previous parts, see [1].
This time we have a vulnerability that allows an unauthenticated user
to create an administrator account, which can then be used to execute
code on all devices managed by Desktop Central (desktops, servers,
mobile devices, etc).
An auxiliary Metasploit module that creates the administrator account
has been released and it’s currently awaiting review [2]. I will leave
to…
Posted by Allen on Jan 02
Was surprised to see no discussion of this on this list.
https://code.google.com/p/google-security-research/issues/detail?id=118
Posted by SCADA StrangeLove on Jan 01
Slides and video from SCADA StrangeLove talks at Chaos Communication
Congress: Too Smart Grid in da Cloud and Bootkit via SMS.
http://scadastrangelove.blogspot.com/2014/12/31c3-too-smart-grid-in-da-cloud.html
Posted by Egidio Romano on Dec 31
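------------------------------------------------------------------------------
Symantec Web Gateway <= 5.2.1 (restore.php) OS Command Injection Vulnerability
------------------------------------------------------------------------------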
[-] Software Link:
http://www.symantec.com/web-gateway/
[-] Affected Versions:
Version 5.2.1 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the /spywall/restore.php…
Posted by Egidio Romano on Dec 31
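-----------------------------------------------------------------------------
Mantis Bug Tracker <= 1.2.17 (ImportXml.php) PHP Code Injection Vulnerability
-----------------------------------------------------------------------------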
[-] Software Link:
[-] Affected Versions:
All versions from 1.2.0 to 1.2.17.
[-] Vulnerability Description:
The vulnerable code is located in the…
Posted by Egidio Romano on Dec 31
------------------------------------------------------------------
GetSimple CMS <= 3.3.4 (api.php) XML External Entity Vulnerability
------------------------------------------------------------------
[-] Software Link:
[-] Affected Versions:
All versions from 3.1.1 to 3.3.4.
[-] Vulnerability Description:
The vulnerable code is located in the /admin/api.php script:
22. #step 2 – setup request
23. $in…