Category Archives: Full Disclosure

Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Posted by gremlin on Dec 27

> res = apr_crypto_passphrase(&key, &ivSize, passphrase,
> strlen(passphrase), (unsigned char *) (&salt), sizeof(apr_uuid_t),
> *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);

CBC. Again.

The earliest mention of CFB that I know of is dated 1989.
The earliest mention of CTR that I know of is dated to the 1990s.

But there still are people who use CBC…

Please, PLEASE, PPLEEEEAASSSE don’t use it. Instead, use either…

PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Posted by Dawid Golunski on Dec 27

PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Severity: CRITICAL

Discovered by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com

PHPMailer
“Probably the world’s most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more”

Desc:
Independent research uncovered a critical vulnerability in PHPMailer that
could potentially…

kernel vuln status question – how can I be protected

Posted by BENCSATH Boldizsar on Dec 27

Dear kernel maintainers, specialists,

Regarding the latest kernel vulns, like CVE-2016-8655, there were some
reports on how and where the ubuntu/debian/redhat distributions fixed the problem.

However, I could not find clear indications about fixes in the plain vanilla
kernel sources. No indication on LTS, and of course nothing on the
others. O.K., there is a patch for the particular CVE+kernel version, but
it is rather not evident to people that they must not…

Arbitrary file deletion vulnerability in Image Slider allows authenticated users to delete files (WordPress plugin)

Posted by dxw Security on Dec 27

Details
================
Software: Image Slider
Version: 1.1.41,1.1.89
Homepage: http://wordpress.org/plugins/image-slider-widget/
Advisory report:
https://security.dxw.com/advisories/arbitrary-file-deletion-vulnerability-in-image-slider-allows-authenticated-users-to-delete-files/
CVE: Awaiting assignment
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)

Description
================
Arbitrary file deletion vulnerability in Image Slider allows…

BlackArch Linux OVA Image released!

Posted by Black Arch on Dec 27

Dear list,

We’ve released the new BlackArch Linux OVA image. It includes the complete
BlackArch Linux environment together with all tools. The image size is
about 13GB and it is ready to use for VirtualBox, VMware and QEMU.

If you’re not already familiar with BlackArch Linux, please read the
DESCRIPTION section below.

[ DOWNLOAD ]

You can download the new OVA image here:
https://www.blackarch.org/downloads.html

[ DESCRIPTION ]

BlackArch…

[RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Posted by RedTeam Pentesting GmbH on Dec 23

Advisory: Padding Oracle in Apache mod_session_crypto

During a penetration test, RedTeam Pentesting discovered a Padding
Oracle vulnerability in mod_session_crypto of the Apache web server.
This vulnerability can be exploited to decrypt the session data and even
encrypt attacker-specified data.

Details
=======

Product: Apache HTTP Server mod_session_crypto
Affected Versions: 2.3 to 2.5
Fixed Versions: 2.4.25
Vulnerability Type: Padding Oracle…

copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts (WordPress plugin)

Posted by dxw Security on Dec 21

Details
================
Software: copy-me
Version: 1.0.0
Homepage: http://wordpress.org/plugins/copy-me/
Advisory report:
https://security.dxw.com/advisories/copy-me-vulnerable-to-csrf-allowing-unauthenticated-attacker-to-copy-posts/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts

Vulnerability
================
This…

[0-day] RCE and admin credential disclosure in NETGEAR WNR2000

Posted by Pedro Ribeiro on Dec 21

Hi,

tl;dr
RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or
over the WAN if remote administration is enabled.
10,000 affected devices show up in Shodan – these are the ones with
remote admin enabled. There are likely tens of thousands of vulnerable
routers in private LANs, as this device is extremely popular.

As usual, NETGEAR did not respond to any of my emails, so I’m releasing
this advisory and exploit code as a…

CVE-2014-4138: MSIE 11 MSHTML CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow

Posted by Berend-Jan Wever on Dec 21

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 37th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161221001.html. There you can find a repro
that triggered this issue in addition to the information below, as well
as a Proof-of-Concept exploit that attempts to prove exploitability.

If you find these releases…