SSD Advisory – Acunetix WVS XSS, Memory Exhaustion and DoS

Vulnerability Description
Three security vulnerabilities have been discovered in Acunetix WVS, these vulnerabilities allow a site owner that knows that his site will scanned by Acunetix (with permission or without) to target the user of the Acunetix and to cause the product to crash, exhaust memory of the scanner or to trigger a cross site scripting attack against the user during the configuration step and during the user’s reading of the final report.

All these vulnerabilities do not pose a harm greater than being an annoyance, beside the XSS which could be leveraged to preform cause more harm if it is combined with some social engineering aspects.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Xerox DocuShare Multiple Vulnerabilities

Introduction
DocuShare is a content management system developed by Xerox Corporation. DocuShare makes use of open standards and allows for managing content, integrating it with other business systems, and developing customized and packaged software applications.

Multiple vulnerabilities have been found in Xerox DocuShare:
 

  • DSUtilityLib.HelperObj.4 Activex Control ShowHelp Method lstrcatW() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 ActiveX Control GetResourceString Method _vswprintf() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 Activex Control ProfileInt Property wsprintfW() Call Stack Buffer Overflow Vulnerability
  • DSITEMENUMLib.ItemObj.4 Activex Control Basetype Property Stack Buffer Overflow Vulnerability
  • DsSearch.SearchConsole.1 ActiveX Control RestrictGlobalScope Method wcscpy() Call Stack Buffer Overflow Vulnerability
  • DSUtilityLib.HelperObj.4 Activex Control RunCommand Method CreateProcessW() Call Command Execution Vulnerability
    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass

Vulnerability Description
RecoverPoint’s virtual appliance can be accessible via SSH with the default credentials of boxmgmt:boxmgmt; during testing, no password change option was found. Using these credentials, it’s possible to escape the management interface via command injection to drop into a shell and further take advantage of sudo privileged operations to read arbitrary files as root. It also may also be possible to execute arbitrary os commands as root, but this was not confirmed.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Infinite Automation Systems Mango Cross Site Scripting and Arbitrary File Upload

Introduction
Infinite Automation Systems is headquartered in Lafayette, Colorado.

The affected product, Mango Automation, is a centralized web-based SCADA/HMI and data acquisition software. According to Infinite Automation Systems, Mango Automation is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Food and Agriculture, and Energy. Infinite Automation Systems estimates that these products are used worldwide.

Vulnerable Versions
Mango Automation version 2.5.0 through Version 2.6.0 beta (builds prior to 430)

Vulnerability Description
Improper verification of uploaded image files allows arbitrary files to be uploaded, which may allow for the execution of malicious JSP script files. In addition, the application does not verify HTTP requests, causing it to be vulnerable to a cross site scripting vulnerability.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – eBay Arbitrary Invoice Disclosure

Vulnerability Description
A vulnerability in the way invoices are handled by eBay allows users that sell items on eBay to view other’s reseller’s invoices. Though access to the invoice is somewhat arbitrary, there is no easy way to find a specific invoice of a specific seller, it is possible to harvest a large amount of invoice and gather sensitive information from them. This information includes (though not in all invoices):

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Media Wiki SVG XSS

Introduction
MediaWiki is a free software open source wiki package written in PHP, originally for use on Wikipedia. It is now also used by several other projects of the non-profit Wikimedia Foundation and by many other wikis, including this website, the home of MediaWiki.

Vulnerable Version
Media Wiki version 1.24.1

Vendor Response
The vulnerability has been addressed in Media Wiki version 1.24.2.

Vulnerability Details
A vulnerability in the way Media Wiki handles SVG files allow attackers to cause it to display arbitrary javascript code to users that are presented with an embedded SVG file. The vulnerability is triggered through the use of an encoded ENTITY that doesn’t get properly filtered out for malicious content.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Remote Command Execution in Proliant iLO Intelligent Provisioning

Vulnerability Description
iLO is an embedded operating system available within HP Proliant and Integrity servers. IP is a feature within iLO that provides local and remote access for provisioning purposes. It was discovered that hidden requests were being made to server during a normal client session. Exploring this obfuscated functionality revealed the ability to execute arbitrary commands as root on the system.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Dynamic Web TWAIN SDK Vulnerabilities

Introduction
Dynamic Web TWAIN is a TWAIN-based scanning SDK software specifically designed for web applications. With just a few lines of code, you can develop robust applications to scan documents from TWAIN-compatible scanners, edit the scanned images and save them to a file system.

Vulnerability Details
Two security vulnerabilities have been found in Dynamic Web TAWIN:
 

  • DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
  • WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.