[FD] "long" filenames mishandled by Fujitsu's ScanSnap software

2017-02-16 Thread Stefan Kanthak
Hi @ll,

Fujitsu's ScanSnap software installers WinSSInstiX500WW1.exe
and WinSSInstS1100iWW1.exe, available from

and
,
execute C:\Program.exe multiple times near the end of the
installation process.
I'm VERY confident that the installers for other scanner models
show the same vulnerability.

The culprit is the program SSInst.exe, which fails to quote the command
lines

  C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe  /e /u
  C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /ini
  C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe  /s
  C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /SSType

properly; since SSInst.exe runs with administrative privileges,
C:\Program.exe is executed with administrative privileges too.

For this well-known and well-documented beginner's error see
 as well as


JFTR: Microsoft introduced "long" filenames more than 20 years ago.

Stay away from the crapware shipped with Fujitsu's scanners!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-28  vulnerability report sent to vendor

            no reply, not even an acknowledgement of receipt

2017-02-05  vulnerability report resent to vendor

2017-02-06  vendor hotline forwards report to product team,
            asking for support

2017-02-08  mail from vendor's technical support, subject
            "Your Request from 08.02.2017"

            "Unfortunately this request can not be processed via
             this mailadress."

2017-02-09  which request?
            I did not send a request on 2017-02-08

2017-02-10  mail from vendor's technical support, subject
            "Your Request from 10.02.2017"

            "Sorry, this was a mistake from me.
             You get info about the security alert on Monday or
             Tuesday next weak."

2017-02-14  status request sent to vendor:
            "Tuesday has passed..."

2017-02-16  mail from vendor's technical support, subject
            "Your Request from 16.02.2017"

            "Unfortunately we can really not help in this case.
             Try to contact ... support team"

            No, I don't run around in circles!
            I contacted them already.

2017-02-16  report published

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
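Added illustration, not part of Stefan Kanthak's post: a Python model of the documented CreateProcess lookup for an unquoted module path, run over the four command lines quoted in the post, together with the quoting that closes the hole. The model is a simplification (no PATH search, extension rule approximated) and the function names are my own.

```python
import ntpath
import re

# The four command lines the post says SSInst.exe builds without quotes
# (copied from the advisory; the double spaces are as reported).
SCANSNAP_CMDLINES = [
    r"C:\Program Files\PFU\ScanSnap\SSFolder\SSFolderTray.exe  /e /u",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /ini",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWifiTool\PfuSsWiFiToolStart.exe  /s",
    r"C:\Program Files\PFU\ScanSnap\Driver\SsWizard\PfuSsConnectionWizard.exe  /SSType",
]

def _with_exe(path: str) -> str:
    # CreateProcess appends .exe when the candidate has no extension (simplified).
    return path if ntpath.splitext(path)[1] else path + ".exe"

def createprocess_candidates(cmdline: str) -> list[str]:
    """Paths CreateProcess probes, in order, for the given lpCommandLine.

    Documented rule, modelled here: a quoted module name is taken verbatim;
    an unquoted one yields every whitespace-delimited prefix, shortest first.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:] if end == -1 else cmdline[1:end]]
    prefixes = [cmdline[: m.start()] for m in re.finditer(r"\s+", cmdline)]
    return [_with_exe(p) for p in prefixes + [cmdline]]

def shadowing_paths(cmdline: str, intended_exe: str) -> list[str]:
    """Candidates probed before the executable the caller meant to run.

    Each one is a location the installer's author must be sure no less
    privileged user can create; an empty list means the line is safe.
    """
    cands = createprocess_candidates(cmdline)
    lowered = [c.lower() for c in cands]
    if intended_exe.lower() not in lowered:
        raise ValueError("intended executable is never reached")
    return cands[: lowered.index(intended_exe.lower())]

def quote_command_line(exe: str, *args: str) -> str:
    """Build the command line the way SSInst.exe should have: module quoted."""
    return " ".join([f'"{exe}"', *args])

if __name__ == "__main__":
    for line in SCANSNAP_CMDLINES:
        exe, rest = line.split("  ", 1)
        print(shadowing_paths(line, exe), "->", quote_command_line(exe, *rest.split()))
```

Running the block prints, for each reported line, the single shadowing location C:\Program.exe and the quoted command line that removes the ambiguity.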


[FD] Elefant CMS 1.3.12-RC: Code Execution

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to code execution because of two different vulnerabilities. It
allows the upload of files with a dangerous type, as well as PHP code injection.

An account is required to exploit these issues.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload forbids the uploading of files with the .php extension, but
allows uploading of files with a number of other dangerous extensions leading
to code execution and XSS.

A user account is required which has the right to upload and manage files. By
default, the editor and admin roles have this right.

Proof of Concept:

POST /filemanager/upload/drop HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--multipartformboundary1472116478634
X-Requested-With: XMLHttpRequest
Content-Length: 316
Cookie: PHPSESSID=57uejmot41c4jsbtbac85mek55; elefant_update_checked=1; elefant_last_page=%2Fuser; elefant_user=nj86h42vi2j73tsturvq4slr05
Connection: close

----multipartformboundary1472116478634
Content-Disposition: form-data; name="path"

----multipartformboundary1472116478634
Content-Disposition: form-data; name="file"; filename="test.php5"
Content-Type: application/x-php

PHP Code Injection

Proof of Concept:

http://localhost/designer/add/layout
Enter {{passthru('id')}} in the textarea.

4. Solution

To mitigate this issue, please upgrade to at least version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fix issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Code-Execution-188.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] Elefant CMS 1.3.12-RC: CSRF

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to cross site request forgery. If a victim visits a website that
contains specifically crafted code while logged into Elefant, an attacker can
for example create a new admin account without the victim's knowledge.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

There is no CSRF protection for various components, allowing, among other
things, the creation of new admin accounts or XSS attacks.

Proof of Concept:

Create New Admin:   http://localhost/user/add (method="POST")
XSS:                http://localhost/designer/preview (method="POST")

4. Solution

To mitigate this issue, please upgrade to at least version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fix issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-CSRF-189.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to multiple persistent XSS issues as well as a reflected one. This
allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass
CSRF protection.

3. Details

Persistent XSS: Username

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

The username is echoed in various locations in the administration backend
without encoding, leading to persistent XSS vulnerabilities. A user account is
required, but the registration is open by default.

Proof of Concept:

1. Register a new user (the registration is open by default).
2. Update the profile, as name use: Username

To trigger the payload:

1. Log in as admin
2. View the edit page for the user, for example:
   http://localhost/user/edit?id=3

Alternatively, the payload is also echoed on the page listing all users:
http://localhost/admin/versions?id==User
As well as on the version page:
http://localhost/admin/versions?type=User=3

Persistent XSS: Version Comparison

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Various fields of various components are echoed unencoded when comparing
versions of those components. Examples are the user profile fields Name,
Address, Address 2, City, Title, Company, or About, or the Title, Menu Title,
Window Title, Description, or Keyword of a page.

Proof of Concept:

The comparison page can for example be seen here:
http://localhost/admin/compare?id=8=no

Persistent XSS: Page & Content Block

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title of a new webpage is echoed unencoded, leading to persistent XSS. The
same issue also exists when creating blocks.

A user account with the right to create pages is required. By default, the
editor role has this right.

Proof of Concept:

Create a new page or block, as title use: 
The payload will be echoed in a title tag as well as an h1 tag when viewing the
page and when editing the page.

Persistent XSS: Blog Post

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title as well as the tags of a blog post are echoed unencoded, leading to
persistent XSS.

A user account with the right to create pages is required. By default, the
editor role has this right.

Proof of Concept:

Create a new blog post, as title and tag use: '">
The payload will be echoed in a title tag, an h1 tag, as well as a href tag
when viewing the page and when editing the page.

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name parameter of the custom fields component is vulnerable to reflected
XSS.

Proof of Concept:

GET /admin/extended?extends=User=%3Cimg%20src=no%20onerror=alert(1)%3E HTTP/1.1

4. Solution

To mitigate this issue, please upgrade to at least version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fix issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Multiple-Persistent-and-Reflected-XSS-191.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
