From 79bbca85273d1186a06860a56ad912bb4ab4f370 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 20 Jul 2014 04:38:35 +0000 Subject: [PATCH] Updated 07_20_2014 --- files.csv | 6 + platforms/cgi/webapps/34103.txt | 211 +++++++++++++++++++++++++++++++ platforms/java/webapps/34108.txt | 9 ++ platforms/linux/dos/34102.py | 100 +++++++++++++++ platforms/php/webapps/34106.txt | 7 + platforms/php/webapps/34107.txt | 9 ++ platforms/php/webapps/34109.html | 9 ++ platforms/windows/dos/33860.html | 2 +- 8 files changed, 352 insertions(+), 1 deletion(-) create mode 100755 platforms/cgi/webapps/34103.txt create mode 100755 platforms/java/webapps/34108.txt create mode 100755 platforms/linux/dos/34102.py create mode 100755 platforms/php/webapps/34106.txt create mode 100755 platforms/php/webapps/34107.txt create mode 100755 platforms/php/webapps/34109.html diff --git a/files.csv b/files.csv index 3a69e9112..eea993ee3 100755 --- a/files.csv +++ b/files.csv 
@@ -30705,3 +30705,9 @@ id,file,description,date,author,platform,type,port 34096,platforms/php/webapps/34096.txt,"CuteSITE CMS 1.x manage/add_user.php user_id Parameter SQL Injection",2010-06-06,"High-Tech Bridge SA",php,webapps,0 34097,platforms/php/webapps/34097.txt,"CuteSITE CMS 1.x manage/main.php fld_path Parameter XSS",2010-06-06,"High-Tech Bridge SA",php,webapps,0 34100,platforms/php/webapps/34100.txt,"Omeka 2.2 - CSRF And Stored XSS Vulnerability",2014-07-17,LiquidWorm,php,webapps,80 +34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80 +34103,platforms/cgi/webapps/34103.txt,"Barracuda Networks Message Archiver 650 - Persistent XSS Vulnerability",2014-07-18,Vulnerability-Lab,cgi,webapps,3378 +34106,platforms/php/webapps/34106.txt,"cPanel 11.25 Image Manager 'target' Parameter Local File Include Vulnerability",2010-06-07,"AnTi SeCuRe",php,webapps,0 +34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 'key' Parameter Cross Site Scripting Vulnerability",2010-06-07,"High-Tech Bridge SA",php,webapps,0 +34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 'url' Parameter Cross Site Scripting Vulnerability",2009-01-08,"Patrick Webster",java,webapps,0 +34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 Session Handling Remote Security Bypass and Remote File Include Vulnerabilities",2010-06-03,"High-Tech Bridge SA",php,webapps,0 diff --git a/platforms/cgi/webapps/34103.txt b/platforms/cgi/webapps/34103.txt new file mode 100755 index 000000000..334206889 --- /dev/null +++ b/platforms/cgi/webapps/34103.txt 
@@ -0,0 +1,211 @@ +Document Title: +=============== +Barracuda Networks Message Archiver 650 - Persistent Input Validation Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=751 + +https://www.barracuda.com/support/knowledgebase/501600000013lXe +Barracuda Networks Security ID (BNSEC): 703 + +BNSEC-00703: Remote authenticated persistent XSS in Barracuda Message Archiver v3.2 +Solution #00006604 + + +Release Date: +============= +2014-07-18 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +751 + + +Common Vulnerability Scoring System: +==================================== +3.6 + + +Product & Service Introduction: +=============================== +The Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to effectively +index and preserve all emails, enhance operational efficiencies and enforce policies for regulatory compliance. By +leveraging standard policies and seamless access to messages, email content is fully indexed and backed up to enable +administrators, auditors and end users quick retrieval of any email message stored in an organization’s email archive. + + * Comprehensive archiving + * Exchange stubbing + * Search and retrieval + * Policy management + * Intelligent Storage Manager + * Roles-based interface + * Reporting and statistics + +The Barracuda Message Archiver provides everything an organization needs to comply with government regulations in an +easy to install and administer plug-and-play hardware solution. The Barracuda Message Archiver stores and indexes all +email for easy search and retrieval by both regular users and third-party auditors. 
Backed by Energize Updates, delivered +by Barracuda Central, the Barracuda Message Archiver receives automatic updates to its extensive library of virus, policy +definitions to enable enhanced monitoring of compliance and corporate guidelines, document file format updates needed to +decode content within email attachments, as well as security updates for the underlying Barracuda Message Archiver platform +to protect against any potential security vulnerabilities. + +(Copy of the Vendor Homepage: http://www.barracudanetworks.com ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in Barracudas Messsage Archiver 3.2 Appliance Application. + + +Vulnerability Disclosure Timeline: +================================== +2013-11-08: Researcher Notification & Coordination (Benjamin Kunz Mejri) +2013-11-10: Vendor Notification (Barracuda Networks - Bug Bounty Program) +2013-11-13: Vendor Response/Feedback (Barracuda Networks - Bug Bounty Program) +2014-06-31: Vendor Fix/Patch (Barracuda Networks Developer Team - Reward: $$$) +2014-00-00: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Barracuda Networks +Product: Message Archiver 650 - Appliance Application 3.1.0.914 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in the official Barracuda Networks Message Archiver 650 v3.2 appliance web-application. +The remote vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable application module. + +The vulnerability is located in the `Benutzer > Neu Anlegen > Rolle: Auditor > Domänen` module. 
Remote attackers are able to inject own malicious script +codes in the vulnerable domain_list_table-r0 values. The execution of the script code occurs in the domain_list_table-r0 and user_domain_admin:1 appliance +application response context. The request method is POST and the attack vector is persistent on the application-side of the barracuda networks message +archiver web appliance. + +The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. +Exploitation of the vulnerability requires a low privileged or restricted application user account with low or medium user interaction. Successful exploitation +of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of module context. + +Request Method(s): + [+] POST + +Vulnerable Module(s): + [+] Benutzer > Neu Anlegen > Rolle: Auditor + +Vulnerable Input(s): + [+] Domänen + +Vulnerable Parameter(s): + [+] domain_list_table-r0 + +Affected Module(s): + [+] Rolle: Auditor Listing + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by remote attackers with low privileged or restricted application user account and low required user inter action. +For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue. 
+ +--- PoC Session Logs [POST] --- +ajax_bc_sub=addDomain +domain=%22%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C%20%20%22%3E%3Ciframe%20src +%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C +user=guest +password=75361da9533223d9685576d10bd6aa02 +et= +1352520628 +locale=de_DE +realm= +auth_type=Local +primary_tab=USERS +secondary_tab=per_user_add_update + + +PoC (URL): +http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&et=1352520461&locale=de_DE&password=4b0a7f3a136e60c7cf73ec1b30ec6a23& +primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM + + +PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0) + + %20?????">?????
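Review bot: the new files.csv row for 34103 does not match the advisory it indexes: the row describes the issue as "Persistent XSS Vulnerability" and names "Message Archiver 650", while the file's own Document Title reads "Persistent Input Validation Vulnerability" and the BNSEC reference title is "Remote authenticated persistent XSS in Barracuda Message Archiver v3.2"; pick one wording (the BNSEC title is the most precise) and use it in both places. The port value 3378 in that row is taken from the researcher's test host in the PoC URL (archiver.ptest.localhost:3378) rather than from a product default, so it should either be justified in the advisory or set to 0 like the other rows in this hunk.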
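Review bot: the advisory body in platforms/cgi/webapps/34103.txt carries several internal inconsistencies that should be corrected before it is indexed. The Vulnerability Disclosure Timeline lists "2014-06-31: Vendor Fix/Patch" (June has 30 days) and "2014-00-00: Public Disclosure" even though Release Date is 2014-07-18 and Discovery Status is "Published"; both dates need real values. The affected version is given three ways: "Appliance Application 3.1.0.914" under Affected Product(s), "v3.2" in Technical Details, and "v3.2" in the BNSEC title; state one tested version. "Messsage" in the Abstract is a typo. The final PoC line ("%20?????">?????") is mojibake, so the payload the text says belongs in domain_list_table-r0 is not readable from the file; the URL-encoded request in the "PoC Session Logs [POST]" block already shows it and could simply be referenced there instead.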