Category Archives: Full Disclosure

CVE-2016-7998: SPIP 3.1.2 Template Compiler/Composer PHP Code Execution

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)

### Product Description

SPIP is a publishing system for the Internet, which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The SPIP template composer/compiler does not correctly handle SPIP “INCLUDE/INCLURE” Tags, allowing PHP code…

CVE-2016-7982: SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)

### Product Description

SPIP is a publishing system for the Internet, which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `valider_xml` file can be used to enumerate files on the system.

**Access Vector**: remote

**Security Risk**: medium…

CVE-2016-7981: SPIP 3.1.2 Reflected Cross-Site Scripting

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)

### Product Description

SPIP is a publishing system for the Internet, which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS…

CVE-2016-7980: SPIP 3.1.2 Exec Code Cross-Site Request Forgery

Posted by Sysdream Labs on Oct 19

## SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980)

### Product Description

SPIP is a publishing system for the Internet, which puts importance on collaborative working, multilingual environments
and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The vulnerable request to `valider_xml` (see: *SPIP 3.1.2 Template Compiler/Composer PHP Code Execution –
CVE-2016-7998*) is…

OpenSSL 1.1.0 remote client memory corruption

Posted by Guido Vranken on Oct 19

Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past…

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Posted by Bogner Florian on Oct 19

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: up to the still current version 1.8-rc4
Tested on: OS X El Capitan 10.11.6
CVE : product not covered
URL:…

cgiemail (included with cPanel) local file inclusion vulnerability

Posted by Finbar Crago on Oct 19

cgiecho, a script included with cgiemail, will return any file under a
website's document root if the file contains square brackets and the
text within the brackets is guessable.

e.g: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will
display http://hostname/login.php if it contains $_POST['pass']

This behaviour is listed as a ‘small risk’ in the original
documentation (and back in 1998 it…

New OpenSSL double-free and invalid free vulnerabilities in X509 parsing

Posted by Guido Vranken on Oct 12

These vulnerabilities were found in the latest OpenSSL (1.1.0b).
Triggering these vulnerabilities is not trivial — they rely on memory
shortages (malloc/realloc failures) or failing to acquire a thread
lock while the X509 data is being parsed. Possibly exploitation can be
achieved by exploiting a memory leak/accumulation (such as the
recently discovered CVE-2016-6304). Proof of concepts and more
extensive commentary at the link below….

[SYSS-2016-075] Targus Multimedia Presentation Remote – Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack

Posted by Matthias Deeg on Oct 12

Advisory ID: SYSS-2016-075
Product: Multimedia Presentation Remote
Manufacturer: Targus
Affected Version(s): Model AMP09-EU
Tested Version(s): Model AMP09-EU
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-08-16
Solution Date: –
Public Disclosure: 2016-10-12
CVE Reference: Not yet assigned
Authors of…

[SYSS-2016-074] Logitech Wireless Presenter R400 – Insufficient Verification of Data Authenticity (CWE-345), Keystroke Injection Vulnerability

Posted by Matthias Deeg on Oct 12

Advisory ID: SYSS-2016-074
Product: Wireless Presenter R400
Manufacturer: Logitech
Affected Version(s): Model R-R0008
Tested Version(s): Model R-R0008
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345), Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-08-12
Solution Date: –
Public Disclosure: 2016-10-12
CVE Reference: Not yet assigned
Authors of…