Cisco fixes multiple flaws in its products

Cisco has fixed 15 vulnerabilities affecting a dozen products, including two high severity flaws that could be exploited by attackers to trigger a denial of service condition or bypass local authentication.

Cisco also addressed four cross-site scripting vulnerabilities, a cross-site request forgery vulnerability, two SQL injection vulnerabilities, and a directory traversal vulnerability.

For the denial-of-service flaw, the Cisco advisory states that “A vulnerability in the cache server within Cisco Videoscape Distribution Suite (VDS) for Television could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted appliance.”

The second high-severity flaw is the local authentication bypass. To exploit it, an attacker could authenticate with a valid external user account whose username matches that of an internal account; the attacker would then receive the authorization policy of the internal account. A successful exploit would grant the attacker Super Admin privileges for the engine’s admin portal, Cisco said.

Cisco also published an advisory for several products affected by a bug in their implementation of the Open Shortest Path First (OSPF) routing protocol.

A remote, unauthenticated attacker could take full control of the routing table of the OSPF Autonomous System (AS) domain and intercept or black-hole traffic.

The advisory states that “The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router to flush its routing table and propagate the crafted OSPF LSA type 1 update throughout the OSPF AS domain.” 

“To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router,” Cisco warned. “This vulnerability can only be triggered by sending crafted unicast or multicast OSPF LSA type 1 packets. No other LSA type packets can trigger this vulnerability.”

Cisco has already released security patches for the affected products.


AUTHENTICATED REFLECTED XSS IN WP STATISTICS

A new reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics (versions 12.0.8.1 and earlier), within days of Sucuri’s discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.

According to the Dewhurst blog, the 'ip' GET parameter on the 'wps_visitors_page' page is output to the page without first being validated, sanitised or output encoded. This results in authenticated reflected cross-site scripting (XSS): an attacker could compromise a WordPress site by tricking an authenticated administrator into clicking a specially crafted link.

Note that other potential instances of authenticated XSS were identified, but these were covered by the plugin’s Cross-Site Request Forgery (CSRF) protection and so could not be exploited in the same way.

Technical Description

Source: On line 28 of the includes/log/last-visitor.php file, the value of $_GET['ip'] is placed into the $_get variable.

Sink: On line 74 of the same file, the $_get variable is output with a PHP echo statement, without any encoding.


POC

Open the link below in Firefox while logged in as an administrator:

http://mywordpress.com/wp-admin/admin.php?page=wps_visitors_page&ip=%27%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22

replacing mywordpress.com with the hostname of the site you are testing. The URL-encoded payload decodes to '><img src=x onerror=alert(1)><", which closes the attribute it is reflected into and injects an image tag whose onerror handler runs.

The Dewhurst blog also reports that a fully weaponised XSS exploit was created which used the WordPress Theme Editor to insert a PHP backdoor into the WordPress site.

PREVENTION

Pass the $_get variable through the WordPress esc_attr() function before it is output, for example: $_get = esc_attr($_get); The escaping function must match the output context: esc_attr() for a value inside an HTML attribute, esc_html() for body text, and esc_url() for a URL.
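The following PHP sketch is an added illustration and is not code from the WP Statistics plugin or from the Dewhurst advisory. It models the source-to-sink flow described above (the 'ip' request value copied into $_get and later echoed into page markup) next to the esc_attr() fix and an input-validation variant. The function names, the single-quoted href attribute and the pagination link are assumptions, chosen so that the PoC payload, which opens with '> to break out of a single-quoted attribute, behaves as the advisory describes. A stand-in esc_attr() is defined so the file runs under the PHP CLI without WordPress loaded.

```php
<?php
// Added illustration of the vulnerable pattern and its fix; not the plugin's
// own code. Markup, function names and the "Next" link are assumptions.

// Stand-in for WordPress' esc_attr() so this runs without WordPress loaded.
// Like the WordPress function, it encodes & < > " and ' so the result is
// safe inside a quoted HTML attribute.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Vulnerable pattern: the raw request value (source) is concatenated into a
// query-string fragment and echoed into an href attribute (sink) unchanged.
// A value of '><img ...> closes the attribute and the tag, so the <img> is
// rendered and its onerror handler executes.
function render_ip_filter_link_vulnerable( array $get ) {
	$_get = '';
	if ( array_key_exists( 'ip', $get ) ) {
		$_get = '&ip=' . $get['ip'];
	}
	return "<a href='?page=wps_visitors_page{$_get}'>Next</a>";
}

// The advisory's fix: attribute-encode the value before it reaches the sink.
// The payload's quote and angle brackets become &#039; &lt; &gt; and stay
// inside the attribute as inert text; the & separator becomes &amp;, which
// is the correct encoding for an ampersand inside an attribute.
function render_ip_filter_link_escaped( array $get ) {
	$_get = '';
	if ( array_key_exists( 'ip', $get ) ) {
		$_get = '&ip=' . $get['ip'];
	}
	$_get = esc_attr( $_get );
	return "<a href='?page=wps_visitors_page{$_get}'>Next</a>";
}

// Defence in depth: an "ip" filter can only ever be an IP address, so reject
// anything that is not one before it is used at all. Output encoding is still
// applied, because validation and encoding guard against different mistakes.
function render_ip_filter_link_validated( array $get ) {
	$_get = '';
	if ( array_key_exists( 'ip', $get ) ) {
		$ip = filter_var( $get['ip'], FILTER_VALIDATE_IP );
		if ( $ip !== false ) {
			$_get = esc_attr( '&ip=' . $ip );
		}
	}
	return "<a href='?page=wps_visitors_page{$_get}'>Next</a>";
}

// Constructed input: the URL-decoded payload from the PoC link.
$payload = "'><img src=x onerror=alert(1)><\"";

echo "vulnerable: ", render_ip_filter_link_vulnerable( array( 'ip' => $payload ) ), "\n";
echo "escaped:    ", render_ip_filter_link_escaped( array( 'ip' => $payload ) ), "\n";
echo "validated:  ", render_ip_filter_link_validated( array( 'ip' => $payload ) ), "\n";
echo "validated:  ", render_ip_filter_link_validated( array( 'ip' => '203.0.113.7' ) ), "\n";
```

Run it with php on the command line and compare the four lines: only the vulnerable output contains a live img tag outside the href attribute. esc_attr() alone is sufficient to close the XSS because it neutralises every character that can end a quoted attribute; the filter_var() check is an additional restriction that is appropriate here only because the parameter is, by design, an IP address.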

Update WP Statistics to version 12.0.9 or later, which fixes the issue.