dab1517032
13 new exploits Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC) Borland Interbase 2007 - 'ibserver.exe' Buffer Overflow (PoC) Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference Microsoft Edge Scripting Engine - Memory Corruption (MS16-129) Microsoft Edge - 'CTextExtractor::GetBlockText' Out-of-Bounds Read (MS16-104) Microsoft Internet Explorer 8 jscript - 'RegExpBase::FBadHeader' Use-After-Free (MS15-018) NTP 4.2.8p8 - Denial of Service Tumbleweed SecureTransport FileTransfer - ActiveX Buffer Overflow Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow Borland Interbase 2007 - PWD_db_aliased Buffer Overflow (Metasploit) Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit) Borland Interbase - isc_create_database() Buffer Overflow (Metasploit) Borland Interbase - 'isc_create_database()' Buffer Overflow (Metasploit) Borland Interbase - isc_attach_database() Buffer Overflow (Metasploit) Borland Interbase - 'isc_attach_database()' Buffer Overflow (Metasploit) Borland Interbase - SVC_attach() Buffer Overflow (Metasploit) Borland Interbase - 'SVC_attach()' Buffer Overflow (Metasploit) Borland Interbase - Create-Request Buffer Overflow (Metasploit) Borland Interbase - 'Create-Request' Buffer Overflow (Metasploit) Borland Interbase - PWD_db_aliased() Buffer Overflow (Metasploit) Borland Interbase - open_marker_file() Buffer Overflow (Metasploit) Borland Interbase - 'PWD_db_aliased()' Buffer Overflow (Metasploit) Borland Interbase - 'open_marker_file()' Buffer Overflow (Metasploit) Borland Interbase - jrd8_create_database() Buffer Overflow (Metasploit) Borland Interbase - INET_connect() Buffer Overflow (Metasploit) Borland Interbase - 'jrd8_create_database()' Buffer Overflow (Metasploit) Borland Interbase - 'INET_connect()' Buffer Overflow (Metasploit) Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit) phpunity.postcard - (gallery_path) Remote File Inclusion phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion CcMail 1.0.1 - (update.php functions_dir) Remote File Inclusion CcMail 1.0.1 - 'functions_dir' Parameter Remote File Inclusion 1024 CMS 0.7 - (download.php item) Remote File Disclosure 1024 CMS 0.7 - 'download.php' Remote File Disclosure cpCommerce 1.1.0 - (category.php id_category) SQL Injection CPCommerce 1.1.0 - 'id_category' Parameter SQL Injection 1024 CMS 1.3.1 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities 1024 CMS 1.3.1 - Local File Inclusion / SQL Injection Mole 2.1.0 - (viewsource.php) Remote File Disclosure ChartDirector 4.1 - (viewsource.php) File Disclosure 724CMS 4.01 Enterprise - (index.php ID) SQL Injection My Gaming Ladder 7.5 - (ladderid) SQL Injection Mole 2.1.0 - 'viewsource.php' Remote File Disclosure ChartDirector 4.1 - 'viewsource.php' File Disclosure 724CMS 4.01 Enterprise - 'index.php' SQL Injection My Gaming Ladder 7.5 - 'ladderid' Parameter SQL Injection exbb 0.22 - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities Pligg CMS 9.9.0 - (editlink.php id) SQL Injection ExBB 0.22 - Local / Remote File Inclusion Pligg CMS 9.9.0 - 'editlink.php' SQL Injection Prediction Football 1.x - (matchid) SQL Injection Prediction Football 1.x - 'matchid' Parameter SQL Injection Free Photo Gallery Site Script - (path) File Disclosure Free Photo Gallery Site Script - 'path' Parameter File Disclosure LiveCart 1.1.1 - (category id) Blind SQL Injection Ksemail - 'index.php language' Local File Inclusion LiveCart 1.1.1 - 'id' Parameter Blind SQL Injection Ksemail - Local File Inclusion RX Maxsoft - 'popup_img.php fotoID' SQL Injection PHPKB Knowledge Base Software 1.5 - 'ID' SQL Injection RX Maxsoft - 'fotoID' Parameter SQL Injection PHPKB Knowledge Base Software 1.5 - 'ID' Parameter SQL Injection Pollbooth 2.0 - (pollID) SQL Injection cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities Pollbooth 2.0 - 'pollID' Parameter SQL Injection CPCommerce 1.1.0 - Cross-Site Scripting / Local File Inclusion SmallBiz eShop - (content_id) SQL Injection SmallBiz eShop - 'content_id' Parameter SQL Injection lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection PostcardMentor - 'cat_fldAuto' Parameter SQL Injection Pligg CMS 9.9.0 - (story.php id) SQL Injection Pligg CMS 9.9.0 - 'story.php' SQL Injection LokiCMS 0.3.4 - writeconfig() Remote Command Execution LokiCMS 0.3.4 - 'writeconfig()' Remote Command Execution cpCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass CPCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass cpCommerce 1.2.8 - (id_document) Blind SQL Injection CPCommerce 1.2.8 - 'id_document' Parameter Blind SQL Injection cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion CPCommerce 1.2.x - 'GLOBALS[prefix]' Arbitrary File Inclusion ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure Pligg CMS 1.0.4 - (story.php?id) SQL Injection Pligg CMS 1.0.4 - 'story.php' SQL Injection 724CMS 4.59 Enterprise - SQL Injection 724CMS Enterprise 4.59 - SQL Injection lightneasy 3.2.2 - Multiple Vulnerabilities LightNEasy 3.2.2 - Multiple Vulnerabilities My Postcards 6.0 - MagicCard.cgi Arbitrary File Disclosure My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure Mambo Open Source 4.0.14 - PollBooth.php Multiple SQL Injection Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection PhotoKorn 1.53/1.54 - postcard.php id Parameter SQL Injection PhotoKorn 1.53/1.54 - 'id' Parameter SQL Injection CPCommerce 1.1 - Manufacturer.php SQL Injection CPCommerce 1.1 - 'manufacturer.php' SQL Injection LiveCart 1.0.1 - user/remindPassword return Parameter Cross-Site Scripting LiveCart 1.0.1 - category q Parameter Cross-Site Scripting LiveCart 1.0.1 - order return Parameter Cross-Site Scripting LiveCart 1.0.1 - user/remindComplete email Parameter Cross-Site Scripting LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting Pligg CMS 1.x - module.php Multiple Parameter Cross-Site Scripting Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection CMS Made Simple 2.1.5 - Cross-Site Scripting Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery Mezzanine 4.2.0 - Cross-Site Scripting LEPTON 2.2.2 - SQL Injection LEPTON 2.2.2 - Remote Code Execution FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery FUDforum 3.0.6 - Local File Inclusion Wordpress Plugin Olimometer 2.56 - SQL Injection
58 lines
No EOL
1.5 KiB
Text
Executable file
58 lines
No EOL
1.5 KiB
Text
Executable file
Security Advisory - Curesec Research Team
|
|
|
|
1. Introduction
|
|
|
|
Affected Product: FUDforum 3.0.6
|
|
Fixed in: not fixed
|
|
Fixed Version Link: n/a
|
|
Vendor Website: http://fudforum.org/forum/
|
|
Vulnerability Type: LFI
|
|
Remote Exploitable: Yes
|
|
Reported to vendor: 04/11/2016
|
|
Disclosed to public: 11/10/2016
|
|
Release mode: Full Disclosure
|
|
CVE: n/a
|
|
Credits Tim Coen of Curesec GmbH
|
|
|
|
2. Overview
|
|
|
|
FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
|
|
to local file inclusion. This allows an attacker to read arbitrary files that
|
|
the web user has access to.
|
|
|
|
Admin credentials are required.
|
|
|
|
3. Details
|
|
|
|
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
|
|
|
|
Description: The "file" parameter of the hlplist.php script is vulnerable to
|
|
directory traversal, which allows the viewing of arbitrary files.
|
|
|
|
Proof of Concept:
|
|
|
|
http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=
|
|
4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd
|
|
|
|
4. Solution
|
|
|
|
This issue was not fixed by the vendor.
|
|
|
|
5. Report Timeline
|
|
|
|
04/11/2016 Informed Vendor about Issue (no reply)
|
|
09/14/2016 Reminded Vendor (no reply)
|
|
11/10/2016 Disclosed to public
|
|
|
|
|
|
Blog Reference:
|
|
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
|
|
|
|
--
|
|
blog: https://www.curesec.com/blog
|
|
tweet: https://twitter.com/curesec
|
|
|
|
Curesec GmbH
|
|
Curesec Research Team
|
|
Josef-Orlopp-Straße 54
|
|
10365 Berlin, Germany |