Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability
Document Title:
Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=1943
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5282

CVE-ID: CVE-2018-5282
Release Date: 2018-01-04
Vulnerability Laboratory ID (VL-ID): 1943
Common Vulnerability Scoring System: 6
Vulnerability Class: Buffer Overflow
Current Estimated Price: 2.000€ - 3.000€

Product & Service Introduction:
Kentico is the only fully integrated ASP.NET CMS, E-commerce, and Online Marketing platform that allows you to create cutting-edge websites and optimize your digital customers' experiences fully across multiple channels. Kentico saves you time and resources so you can accomplish more. Giving you the power to improve and refine your digital strategy, align it with the needs of your customers, and create unique user experiences, Kentico 9 accelerates customer loyalty through new technologies.
(Copy of the Homepage: http://www.kentico.com/product/kentico9 )

Abstract Advisory Information:
The Vulnerability Laboratory core research team discovered a stack buffer overflow vulnerability in the official Kentico v9.0, v10.0 & v11.0 content management system software.

Vulnerability Disclosure Timeline:
2018-01-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
Kentico Software
Product: Kentico - Content Management System (eCommerce Software) 9.0
Product: Kentico - Content Management System (eCommerce Software) 10.0
Product: Kentico - Content Management System (eCommerce Software) 11.0

Exploitation Technique: Local
Severity Level: High

Technical Details & Description:
A local stack buffer overflow vulnerability has been discovered in the official Kentico v9.0, v10.0 & v11.0 content management system software. The vulnerability allows local attackers to compromise the local system process by overwriting the active registers.

The vulnerability is located in the `Load XML Configuration` module used for file imports. The XML file supplies the input data for the software configuration, and several of its values are never passed through the software's validation mechanism: the IIS configuration settings are tied to a validation process, but the SQL install database information in the XML file is not. The missing input validation and the unrestricted content size allow local attackers to trigger a stack buffer overflow, which results in a compromise of the software process with system privileges.

The security risk of the local buffer overflow vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.0. Exploitation requires a low-privileged or restricted system user account and no user interaction. Successful exploitation results in an overwrite of the active registers and a compromise of the computer system or process.

Vulnerable Module(s):
[+] Load XML Configuration

Proof of Concept (PoC):
The local buffer overflow vulnerability can be exploited by local attackers with a low-privileged or restricted system user account and without user interaction. For security demonstration or to reproduce the software vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Download the newest software version of the Kentico CMS (v9.0.x - 9.0.5981.23486)
2. Accept the program conditions and click to custom installation
3. Open the locally hosted XML PoC file
4. Include a large unicode payload in the marked values
5. Save the XML file on your localhost
6. Move back to the Kentico v9.x installation process with the custom install screen
Note: Attach a debugger to follow up on the overwrite of the active registers
7. Load the XML PoC file by using the import function of Kentico (left|bottom)
8. The vulnerable values are loaded and the process permanently crashes with different exceptions
9. Move back to the debugger that is attached to the active software process and follow up on the overwrite of the active ecx, ebp or eip registers
10. Successful reproduction of the local buffer overflow vulnerability!

PoC: Vulnerable Source (XML)
Note: Start the software exe file kentico v9.0 on windows, attach the windows debugger and load the xml config f
[SECURITY] [DSA 4084-1] gifsicle security update
Debian Security Advisory DSA-4084-1                   secur...@debian.org
https://www.debian.org/security/                      Sebastien Delafond
January 12, 2018                          https://www.debian.org/security/faq

Package        : gifsicle
CVE ID         : CVE-2017-1000421

It was discovered that gifsicle, a tool for manipulating GIF image files, contained a flaw that could lead to arbitrary code execution.

For the oldstable distribution (jessie), this problem has been fixed in version 1.86-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.88-3+deb9u1.

We recommend that you upgrade your gifsicle packages.

For the detailed security status of gifsicle please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gifsicle

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
MagicSpam 2.0.13 - Insecure File Permission Vulnerability
Document Title:
MagicSpam 2.0.13 - Insecure File Permission Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2113

Release Date: 2018-01-12
Vulnerability Laboratory ID (VL-ID): 2113
Common Vulnerability Scoring System: 2.8
Vulnerability Class: Privacy Violation - Information Disclosure
Current Estimated Price: 500€ - 1.000€

Product & Service Introduction:
MagicSpam comes fully-integrated with any Plesk 12+ package, blocking spam at the edge before it gets a chance to be filtered. There's no need to change DNS or MX records. And your protection comes ready to go with complete logging, statistics, and custom controls.
(Copy of the Homepage: https://www.plesk.com/extensions/magicspam/ )

Abstract Advisory Information:
An independent Vulnerability Laboratory researcher discovered an insecure file permission vulnerability in the MagicSpam 2.0.13-1 Plesk extension.

Vulnerability Disclosure Timeline:
2017-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
LinuxMagic
Product: MagicSpam - Plesk Extension 2.0.13-1

Exploitation Technique: Remote
Severity Level: Low

Technical Details & Description:
An insecure file permission vulnerability has been discovered in the MagicSpam 2.0.13-1 Plesk extension. The vulnerability allows an attacker to access sensitive information such as e-mail addresses without permission or authentication.

The Plesk panel offers the freemium extension MagicSpam, which provides industry-leading spam protection technologies. On Ubuntu installations, MagicSpam keeps a detailed log of every e-mail message it processes under the directory /var/log/magicspam/. The log file is named mslog, is rotated daily, and is created with read permissions for everyone. The file reveals the full list of mailboxes on the server (provided they received or sent at least one message in the past).

The security risk of the permission vulnerability is estimated as low with a Common Vulnerability Scoring System count of 2.8. Successful exploitation of the file permission vulnerability results in information disclosure of e-mail addresses.

Proof of Concept (PoC):
The insecure file permission vulnerability can be exploited by remote attackers without a user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

    $ id
    uid=1002(marco) gid=1011(marco) groups=1011(marco)
    $ cd /var/log/magicspam/
    $ ls -l
    -rw-r--r-- 1 magicspam root 348937 Jan 10 11:50 mslog
    $ tail -n1 mslog
    2018-01-10 11:51:26 magicspam-daemon[335]: HAM: mua=no,ip=[93.94.32.17:mail15.clab99a.contactlab.it],helo=,from=<564020151.35960.1000...@t.contactlab.it>,rcpt=

Solution - Fix & Patch:
The vulnerability can be resolved by excluding the e-mail addresses from the affected application log files. Another solution is to integrate an authentication mechanism for the log file of the MagicSpam web application.

Security Risk:
The security risk of the insecure file permission vulnerability in the Plesk extension MagicSpam is estimated as medium (CVSS 2.8).

Credits & Authors:
Marco Marsala [ma...@thenetworksolution.it] - https://www.vulnerability-lab.com/show.php?user=Marco+Marsala

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or pr
Magento Commerce - SSRF & XSPA Web Vulnerability
Document Title:
Magento Commerce - SSRF & XSPA Web Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1631

Release Date: 2018-01-03
Vulnerability Laboratory ID (VL-ID): 1631
Common Vulnerability Scoring System: 4.7
Vulnerability Class: Server Side Request Forgery
Current Estimated Price: 1.000€ - 2.000€

Product & Service Introduction:
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites. Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability inside our system, please tell us right away.
( Copy of the Vendor Homepage: http://magento.com/security & http://magento.com/security )

Abstract Advisory Information:
The Vulnerability Laboratory Core Research Team discovered an SSRF/XSPA vulnerability in the official Magento Commerce online service web application.

Vulnerability Disclosure Timeline:
2018-01-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
Ebay Inc.
Product: Magento - Web Application Service 2015 Q4

Exploitation Technique: Remote
Severity Level: Medium

Technical Details & Description:
An SSRF/XSPA vulnerability has been discovered in the official Magento Commerce online service web application. The vulnerability allows remote attackers to perform malicious server-side requests to compromise the computer system or to gain unauthorized access to data or sensitive information. The XSPA & SSRF issue allows the request functionality of the Magento engine to be used as a port scanner against the local host or any other machine in the same network. This is the first documented XSPA and SSRF issue in the Magento service web applications.

The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.7. Exploitation of the SSRF/XSPA vulnerability requires a privileged web application user account and no user interaction. Successful exploitation can result in web server or web application compromise or unauthorized malicious interactions.

Proof of Concept (PoC):
Remote attackers are able to perform a local scan through the protected web server firewall of magento.com and magentocommerce.com. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open http://magento.com/security-patch (Magento Shoplift Bug Tester)
2. Write www.magento.com:22 in the website input
3. Click to bug scan for port 22
4. Successful reproduction of the issue!

--- Scan Log NMAP ---
    Starting Nmap 6.00 at 2016-08-15 15:10 EEST
    Initiating Ping Scan at 15:10
    Scanning magento.com (66.211.190.110) [4 ports]
    Completed Ping Scan at 15:10, 0.17s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 15:10
    Scanning magento.com (66.211.190.110) [100 ports]
    Discovered open port 80/tcp on 66.211.190.110
    Discovered open port 443/tcp on 66.211.190.110
    Discovered open port 8443/tcp on 66.211.190.110
    Discovered open port 8080/tcp on 66.211.190.110
    Completed SYN Stealth Scan at 15:10, 2.38s elapsed (100 total ports)
    ......

Note: The SSRF/XSPA issue allows the local host to be scanned to discover its open service ports (Reference: https://cwe.mitre.org/data/definitions/918.html)

Solution - Fix & Patch:
The vulnerability was resolved as a bug bounty issue by the Magento security team in 2017.

Security Risk:
The security risk of the SSRF/XSPA web vulnerability, which allows the infrastructure behind the firewall to be scanned, is estimated as medium (CVSS 4.7).

Credits & Authors:
Vulnerability Laboratory [Core Research Team] (resea...@vulnerability-lab.com) [www.vulnerability-lab.com]
SonicWall GMS v8.1 - Filter Bypass & Persistent Vulnerability
Document Title:
SonicWall GMS v8.1 - Filter Bypass & Persistent Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1819

Release Notes:
http://documents.software.dell.com/sonicwall-gms-os/8.2/release-notes/known-issues?ParentProduct=867

Release Date: 2018-01-12
Vulnerability Laboratory ID (VL-ID): 1819
Common Vulnerability Scoring System: 4.1
Vulnerability Class: Multiple
Current Estimated Price: 1.000€ - 2.000€

Product & Service Introduction:
Dell SonicWALL's management and reporting solutions provide a comprehensive architecture for centrally creating and managing security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs. The award-winning Dell SonicWALL Global Management System (GMS) provides organizations, distributed enterprises and service providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware (in the form of the Universal Management Appliance (UMA)) or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )

Abstract Advisory Information:
The Vulnerability Laboratory Core Research Team discovered a filter bypass and an application-side input validation vulnerability in the official SonicWall GMS v8.1 appliance web application.

Vulnerability Disclosure Timeline:
2018-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
DELL SonicWall
Product: SonicWall GMS Networks Appliance Application 8.1 (VA)

Exploitation Technique: Remote
Severity Level: Medium

Technical Details & Description:
A persistent web vulnerability and a filter bypass issue have been discovered in the SonicWall GMS v8.1 appliance web application. The application-side vulnerability allows remote attackers or privileged user accounts to inject their own malicious persistent script code into the SonicWall GMS appliance web application. The filter bypass issue allows an attacker to bypass the basic application validation.

The vulnerability is located in the `newName` and `Name` values of the `/sgms/TreeControl` module POST method request. Attackers are able to inject their own payloads as the name in the firewall device name listing to compromise session data or the Java module. The method to inject is POST and the attack vector is located on the application side of the SonicWall GMS appliance web application.

The basic filter validation of the GMS appliance web application encodes basic strings such as frame and other tags and restricts the execution of, for example, iframes. Remote attackers can bypass the validation by using a double path value with double quotes; this bypass is specific to the basic configuration of the appliance web application.

The security risk of the persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.1. Exploitation of the persistent web vulnerability requires a low-privileged account with restricted access and low user interaction. Successful exploitation results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of the affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Section(s):
[+] Firewall (Device List)

Affected Module(s):
[+] ./sgms/TreeControl

Vulnerable Parameter(s):
[+] newName
[+] name

Proof of Concept (PoC):
The filter bypass issue and persistent vulnerability can
Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability
Document Title:
Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2111

Release Date: 2018-01-07
Vulnerability Laboratory ID (VL-ID): 2111
Common Vulnerability Scoring System: 4.8
Vulnerability Class: Filter or Protection Mechanism Bypass
Current Estimated Price: 1.000€ - 2.000€

Abstract Advisory Information:
An independent Vulnerability Laboratory researcher discovered a permission bypass vulnerability in the Microsoft SharePoint online service web application.

Vulnerability Disclosure Timeline:
2018-01-07: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
Microsoft Corporation
Product: Sharepoint Online Service - (Web-Application) 2013

Exploitation Technique: Local
Severity Level: Medium

Technical Details & Description:
A permission level bypass web vulnerability has been identified in the Microsoft SharePoint 2013 online service web application, and possibly in prior versions. The vulnerability allows attackers to open or view restricted items in the site or library: an authenticated user can bypass `Limited Access` permissions and browse a page or library to reach a specific content item that was restricted.

Proof of Concept (PoC):

POC 1:
1. Search for specific words inside the web & mobile SharePoint search box: `password` `pass` `user` `domainuser` `name | lastname` ...
[~] web search: http://site/BSearch/results.aspx
[~] mobile search: http://site/_layouts/mobile/MobileResults.aspx
example : http://site/BSearch/results.aspx?k=password
example : http://site/BSearch/results.aspx?k="NSA1377";
example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB
2. The page shows some of SharePoint's search results, such as the URLs of restricted items, sites and libraries
3. Click the URLs to access|view|read the site page and the other restricted libraries and items

POC 2:
After capturing packets between our system and the SharePoint site (use Fiddler, Burp Suite, Wireshark ...), we have access to item, list, page and site URLs such as:
http://site/IT/Lists/List70/AllItems.aspx
Access to restricted items & lists is obtained by constructing /LIST#/ URLs. Example:
http://site/IT/Lists/List100/AllItems.aspx
http://site/IT/Lists/List101/AllItems.aspx
http://site/IT/Lists/List102/AllItems.aspx

Security Risk:
The security risk of the bypass vulnerability in the Microsoft SharePoint 2013 application is estimated as medium (CVSS 4.8).

Credits & Authors:
Behnam Vanda [beni.va...@gmail.com] [redhathackers] - https://www.vulnerability-lab.com/show.php?user=Behnam+Vanda
Magento Connect T1 - (Claim) Persistent Vulnerability
Document Title:
Magento Connect T1 - (Claim) Persistent Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1469

Release Date: 2018-01-08
Vulnerability Laboratory ID (VL-ID): 1469
Common Vulnerability Scoring System: 3.8
Vulnerability Class: Cross Site Scripting - Persistent
Current Estimated Price: 1.000€ - 2.000€

Product & Service Introduction:
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites. Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability inside our system, please tell us right away.
( Copy of the Vendor Homepage: http://magento.com/security & http://magento.com/security )

Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered an application-side cross site scripting web vulnerability in the Magento Connect web application.

Vulnerability Disclosure Timeline:
2018-01-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
Ebay Inc.
Product: Magento - Connect Web Application 2015 Q2

Exploitation Technique: Remote
Severity Level: Medium

Technical Details & Description:
A persistent cross site scripting web vulnerability has been discovered in the official Magento Connect web application. The vulnerability allows remote attackers to inject their own script code on the application side of the affected application module.

The vulnerability is located in the `claim%5Bclaimed_extension_url` value of the `magento-connect/claim/claim/new/` module. Remote attackers are able to inject their own script code on the application side of the service to compromise user, moderator or admin session data. The request method to inject is POST and the attack vector is located on the application side of the affected module.

The security risk of the web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8. Exploitation of the persistent input validation web vulnerability requires a low-privileged web application user account and low or medium user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules (API).

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] Magento Connect

Vulnerable Module(s):
[+] magento-connect/claim/claim/new/

Vulnerable Parameter(s):
[+] claim%5Bclaimed_extension_url

Proof of Concept (PoC):
The issue in the exception handling can be exploited by remote attackers with a privileged application user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Surf to http://www.magentocommerce.com/magento-connect/claim/claim/new/
2. In the "enter a link to the extension on Connect" field, inject the payload by tampering with the HTTP session
Note: Payload ">
3. Successful reproduction of the persistent XSS security vulnerability!

POC: Exception Handling
Enter a link to the extension on Connect you believe violates our terms. [MALICIOUS PAYLOAD EXECUTION POINT!]"> Required field.
Example: http://www.magentocommerce.com/magento-connect/extension-name

--- PoC Session Logs [POST] ---
    POST http://www.magentocommerce.com/magento-connect/claim/claim/new/
    Content Size[71413] Mime Type[text/html]
    Request Headers:
    Host[www.magentocommerce.com]
    User-Agent[Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0]
    Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    Accept-Language[en-US,en;q=0.5]
    Accept-Encoding[gzip, deflate]
    Referer[http://www.magentocommerce.com/magento-connect
Piwigo v2.8.2 & 2.9.2 CMS - Multiple Cross Site Vulnerabilities
Document Title:
Piwigo v2.8.2 & 2.9.2 CMS - Multiple Cross Site Vulnerabilities

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2005

Release Date: 2018-01-12
Vulnerability Laboratory ID (VL-ID): 2005
Common Vulnerability Scoring System: 3.6
Vulnerability Class: Cross Site Scripting - Non Persistent
Current Estimated Price: 500€ - 1.000€

Product & Service Introduction:
Piwigo is a photo gallery software for the web, built by an active community of users and developers. Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and opensource. The Piwigo site is available in 13 languages, Piwigo itself in 56 languages.
(Copy of the Homepage: http://piwigo.org/ )

Abstract Advisory Information:
The Vulnerability Laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the Piwigo v2.8.2, 2.9.1 & 2.9.2 CMS.

Vulnerability Disclosure Timeline:
2018-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status: Published

Affected Product(s):
Piwigo
Product: Piwigo - Content Management System (Web-Application) 2.8.2

Exploitation Technique: Remote
Severity Level: Medium

Technical Details & Description:
Multiple client-side cross site scripting vulnerabilities have been discovered in the Piwigo v2.8.2 content management system. The vulnerabilities allow remote attackers to inject malicious script code into client-side browser requests to the web application.

The client-side cross site scripting vulnerabilities are located in the `tab`, `to`, `section`, `mode`, `installstatus` and `display` parameters of the `admin.php` file. Remote attackers are able to inject their own malicious script code to hijack admin or moderator session credentials or to manipulate the affected web pages. The attack vector is non-persistent and the request method to inject is GET. The injection points are the vulnerable parameters and the execution point is the status message or exception output of the backend. The issues affect the backend within the context of the vulnerable modules.

The security risk of the vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.6. Exploitation of the web vulnerabilities requires no privileged web application user account and only low user interaction. Successful exploitation results in non-persistent phishing attacks, session hijacking, non-persistent external redirects to malicious sources and non-persistent manipulation of the affected or connected web module context.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] admin.php

Vulnerable Parameter(s):
[+] tab
[+] to
[+] section
[+] mode
[+] installstatus
[+] display

Affected Module(s):
[+] Backend

Proof of Concept (PoC):
The client-side XSS vulnerabilities can be exploited by remote attackers without a privileged user account and with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Payloads
    http://piwigo.localhost:8080/piwigo/admin.php?page=languages&tab=>"
    http://piwigo.localhost:8080/piwigo/admin.php?page=updates&step=2&to=>"
    http://piwigo.localhost:8080/piwigo/admin.php?page=configuration&section=>"
    http://piwigo.localhost:8080/piwigo/admin.php?page=notification_by_mail&mode=>"
    http://piwigo.localhost:8080/piwigo/admin.php?page=batch_manager&mode=&display=>"
    http://piwigo.localhost:8080/piwigo/admin.php?page=plugins&tab=new&installstatus=>"

PoC: Exploitation
PIWIGO v2.8.2 - CLIENT SIDE XSS - POC EXPLOIT
    http://piwigo.localhost:8080/piwigo/admin.php?page=languages&tab=>">
    http://piwigo.localhost:8080/piwigo/admin.php?page=updates&step=2&to=>">
    http://piwigo.localhost:8080/piwigo/admin.php?page=configuration&section=>">
    http://piwigo.localhost:8080/piwigo/admin.php?page=notification_by_mail&mode=>">
    http://piwigo.localhost:8080/piwigo/admin.php?page=batch_manager&mode=&display=>">
    http://piwigo.localhost:8080/piwigo/admin.php?page=plugins&tab=new&installstatus=>">

Vulnerable Source: tab (exception - undefined)
    Notice: Undefined index: >"<[MALICIOUS PAYLOAD EXECUTION!]> in /home/x/public_html/x/piwigo/admin/include/tabsheet.class.php on line 111
    Warning: include(./admin/languages_>"<[MALICIOUS PAYLOAD EXECUTION!]>.php): failed to open stream: No such file or directory in /home/x/public_html/x/piwigo/admin/languages.php on line 48
    Warning: include(): Failed opening './admin/languages_>"<[MALICIOUS PAYLOAD EXECUTION!]>.php' for inclusion (include_path='.:/usr/share/php:/
Flash Operator Panel v2.31.03 - Command Execution Vulnerability
Document Title:
===
Flash Operator Panel v2.31.03 - Command Execution Vulnerability

References (Source):
===
http://www.vulnerability-lab.com/get_content.php?id=1907

Release Date:
=
2018-01-08

Vulnerability Laboratory ID (VL-ID):
1907

Common Vulnerability Scoring System:
6.2

Vulnerability Class:
Command Injection

Current Estimated Price:
2.000€ - 3.000€

Product & Service Introduction:
===
The most comprehensive and affordable reporting and realtime monitor package for Asterisk© based Call Centers. A new approach to getting CDR reports for your phone system, centered on the user and call direction. Top lists, usage patterns and real-time view are included. This version works under any Linux flavor (i386, x86_64 and R-Pi3). Versions 1.2, 1.4, 1.6, 1.8, 10, 11 and 12 with the manager interface enabled to Asterisk. PHP 5 & MySQL 5: only required for the visual phonebook, call history and recordings interface.
(Copy of the Vendor Homepage: https://www.fop2.com/index.php )

Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a remote command execution vulnerability in the official Flash Operator Panel v2.31.03.

Vulnerability Disclosure Timeline:
==
2018-01-08: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed)

Discovery Status:
=
Published

Affected Product(s):
Nicolas Gudino (Asternic)
Product: Flash Operator Panel 2 - User Control Panel (Web-Application) CentOS 2.31.03, Debian 2.31.03 & RPI-ARM 2.30.03

Exploitation Technique:
===
Remote

Severity Level:
===
High

Technical Details & Description:
A command injection web vulnerability has been discovered in the official Flash Operator Panel v2.31.03 web-application. The security vulnerability allows remote attackers to inject their own system-specific commands via the web-application. The command injection web vulnerability is located in the `command` path variable parameter of the `index.php` file.
Remote attackers with low privileged web-application user account roles are able to perform command requests via the callforward module. This allows a user account with restricted privileges to perform unauthorized command requests to compromise the operator panel web-application. The request method to inject the malicious command into the index path variable is GET. Exploitation is limited to a restricted authenticated user account of the application. The security risk of the command injection is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. Exploitation of the command injection vulnerability requires a low privileged web-application user account and no user interaction. Successful exploitation of the vulnerability results in web-application, database management system or web-server compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] UCP - User Control Panel

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] command

Proof of Concept (PoC):
===
The vulnerability can be exploited by remote attackers without user interaction and with a low privileged user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command=./&[Variable Command Inject Vulnerability!]

PoC: Vulnerable Source (command)
if ((isset($_REQUEST['quietmode']) && $user !== false && !empty($user)) || (isset($_REQUEST['command']) && ($_REQUEST['command'] == 'login' || $_REQUEST['command'] == 'forgot' || $_REQUEST['command'] == 'reset'))) {
    // `module` and `command` are taken from the request and handed to the Ajax dispatcher without validation
    $m = !empty($_REQUEST['module']) ? $_REQUEST['module'] : null;
    $ucp->Ajax->doRequest($m,$_REQUEST['command']);

Note: The request can be performed by restricted user accounts of the user control panel to gain higher access privileges. The main administrator can also use the command parameter to attack the backend of the main administrator by the same method.
The callforward module executes through the command variable, which is the same mechanism used for basic restricted user accounts.

Reference(s):
http://ucp-fop.localhost:8000/
http://ucp-fop.localhost:8000/ucp/
http://ucp-fop.localhost:8000/ucp/index.php
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command

Solution - Fix & Patch:
===
The command injection web vulnerability can be patched by a secure approval of the command parameter in the index.p
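The secure approval of the `command` parameter that the solution section calls for, applied in the same way to the Piwigo `tab` and similar parameters before they are echoed in a notice or used in an include path, as an added PHP example (not Piwigo's, FOP2's or the advisory's own code; the `ParamPolicy` class and its permitted value lists are assumptions for illustration):

```php
<?php
// Added example, not code from Piwigo, FOP2 or the advisory. Both advisories
// hand a request parameter straight to a dispatcher (FOP2 `module`/`command`)
// or to an include path and a PHP notice (Piwigo `tab`); an exact allowlist
// check before first use closes both. ParamPolicy and its value sets are assumed.
declare(strict_types=1);

final class ParamPolicy
{
    /** Parameter name => permitted values (assumed, not the projects' real sets). */
    private const ALLOWED = [
        'module'  => ['callforward', 'voicemail', 'settings'],
        'command' => ['login', 'forgot', 'reset', 'getsettings', 'savesettings'],
        'tab'     => ['installed', 'new', 'update'],
    ];

    /**
     * Returns the value only if it is a string that exactly (case-sensitively)
     * matches an allowed entry for that parameter; "./", ">\"<", arrays and
     * unknown parameter names all yield null so the caller refuses the request.
     */
    public static function pick(array $request, string $name): ?string
    {
        $value = $request[$name] ?? null;
        if (!is_string($value) || !isset(self::ALLOWED[$name])) {
            return null;
        }
        return in_array($value, self::ALLOWED[$name], true) ? $value : null;
    }

    /** Encode a rejected value before it is reflected into a status or error message. */
    public static function reflect(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample requests modelled on the two PoCs above (not captured traffic).
$samples = [
    ['request' => ['quietmode' => '1337', 'module' => 'callforward', 'command' => './'], 'name' => 'command'],
    ['request' => ['page' => 'plugins', 'tab' => 'new'], 'name' => 'tab'],
    ['request' => ['page' => 'plugins', 'tab' => '>"<'], 'name' => 'tab'],
];
foreach ($samples as $s) {
    $accepted = ParamPolicy::pick($s['request'], $s['name']);
    // Only an accepted value may reach include() or $ucp->Ajax->doRequest();
    // a rejected one is reported encoded instead of echoed raw as in the advisory notices.
    echo $s['name'], ': ', $accepted ?? 'rejected ' . ParamPolicy::reflect((string) $s['request'][$s['name']]), PHP_EOL;
}
```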