bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/php/webapps/43823.txt
Offensive Security bfebc3fa5a DB: 2018-01-20 
62 changes to exploits/shellcodes

macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'
Peercast < 0.1211 - Format String
Trillian Pro < 2.01 - Design Error
dbPowerAmp < 2.0/10.0 - Buffer Overflow
PsychoStats < 2.2.4 Beta - Cross Site Scripting

MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution
GitStack 2.3.10 - Unauthenticated Remote Code Execution
Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection	 (PoC)
Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC)
Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities
DUWare Multiple Products - Multiple Vulnerabilities
AutoRank PHP < 2.0.4 - SQL Injection (PoC)
ASPapp Multiple Products - Multiple Vulnerabilities
osCommerce < 2.2-MS2 - Multiple Vulnerabilities
PostNuke < 0.726 Phoenix - Multiple Vulnerabilities
MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities
phpGedView < 2.65 beta 5 - Multiple Vulnerabilities
phpShop < 0.6.1-b - Multiple Vulnerabilities
Invision Power Board (IP.Board) < 1.3 - SQL Injection
phpBB < 2.0.6d - Cross Site Scripting
Phorum < 5.0.3 Beta - Cross Site Scripting
vBulletin < 3.0.0 RC4 - Cross Site Scripting
Mambo < 4.5 - Multiple Vulnerabilities
phpBB < 2.0.7a - Multiple Vulnerabilities
Invision Power Top Site List < 1.1 RC 2 - SQL Injection
Invision Gallery < 1.0.1 - SQL Injection
PhotoPost < 4.6 - Multiple Vulnerabilities
TikiWiki < 1.8.1 - Multiple Vulnerabilities
phpBugTracker < 0.9.1 - Multiple Vulnerabilities
OpenBB < 1.0.6 - Multiple Vulnerabilities
PHPX < 3.26 - Multiple Vulnerabilities
Invision Power Board (IP.Board) < 1.3.1 - Design Error
HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities
LiveWorld Multiple Products - Cross Site Scripting
WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities
PHP-Calendar < 0.10.1 - Arbitrary File Inclusion
PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities
ReviewPost < 2.84 - Multiple Vulnerabilities
PhotoPost < 4.85 - Multiple Vulnerabilities
AZBB < 1.0.07d - Multiple Vulnerabilities
Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities
Burning Board < 2.3.1 - SQL Injection
XOOPS < 2.0.11 - Multiple Vulnerabilities
PEAR XML_RPC < 1.3.0 - Remote Code Execution
PHPXMLRPC < 1.1 - Remote Code Execution
SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite
XPCOM - Race Condition
ADOdb < 4.71 - Cross Site Scripting
Geeklog < 1.4.0 - Multiple Vulnerabilities
PEAR LiveUser < 0.16.8 - Arbitrary File Access
Mambo < 4.5.3h - Multiple Vulnerabilities
phpRPC < 0.7 - Remote Code Execution
Gallery 2 < 2.0.2 - Multiple Vulnerabilities
PHPLib < 7.4 - SQL Injection
SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite
CubeCart < 3.0.12 - Multiple Vulnerabilities
Claroline < 1.7.7 - Arbitrary File Inclusion
X-Cart < 4.1.3 - Arbitrary Variable Overwrite
Mambo < 4.5.4 - SQL Injection
Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities
D-Link DNS-343 ShareCenter < 1.05 - Command Injection
D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities

Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
2018-01-20 05:01:49 +00:00

58 lines
No EOL
3.7 KiB
Text
Raw Blame History

AZBB Multiple Vulnerabilities
Vendor: AZBB
Product: AZBB
Version: <= 1.0.07d
Website: http://azbb.cyaccess.com/
BID: 13272 13278
CVE: CVE-2005-1200 CVE-2005-1201
OSVDB: 15700 15701 15702 15703
SECUNIA: 15013
PACKETSTORM: 37792
Description:
azbb is a forum that was written with a primary focus on security. azbb does not require a database such as MySQL, PostGres or MSSQL and can even be used as a blog, or portal of sorts. Unfortunately there are a number of security issues in AZBB versions prior to 1.0.08, but none of these issues are considered "high risk". However, the developer has addressed these issues and all users should upgrade to the current 1.0.08 version. These vulnerabilities include file enumeration, arbitrary file deletion, and file inclusion issues.
Arbitrary File Deletion:
There is an issue in AZBB that could allow for an attacker logged in as an admin, or a malicious admin to delete arbitrary files outside the scope of the application. The vulnerable code is in admin_avatar.php and admin_attachment.php Lets have a look at the code in admin_avatar.php
## trim all and delete
foreach ($_POST['avat_select'] as $ent)
{
if (file_exists($dir_avatar.'/'.$ent))
{ unlink($dir_avatar.'/'.$ent); }
}
As we can see there are no checks made for traversal sequences, and a user with admin privileges could easily delete arbitrary files on the server. The vulnerability in admin_attachment.php is nearly identical.
File Include Vulnerability:
There is a file inclusion vulnerability in AZBB 1.0.07a - 1.0.07c that is the result of missing code that is present in all of the other AZBB versions. This file inclusion issue poses a different risk level depending on your server configuration. Lets have a look at the code in question. @ /azbb_center/source/main_index.php
########## Get the Abstraction Layer
$inc = $dir_src.'/'.$abs_layer.'_db_ops.php';
file_exists($inc) ? include($inc) : exit('Unable to open '.$inc);
Since the "AZBB KEY CHECK" that exists in other pages is missing from this page we can influence both the $dir_src and $abs_layer variables if register globals is on. However, what we can do with this greatly depends on the server configuration, and this is a result of the file_exists() function being used. You can read more about this in the official php manual located here http://us2.php.net/file_exists
Arbitrary File Enumeration:
There is an issue in AZBB that can be exploited by both users and guests alike to tell whether or not files on the target server exists. This is due to a file check coming before the input is cleaned in attachment.php
elseif (!file_exists($dir_att.'/'.$_POST['attachment'])) {$error = $txt_err[13];}
This issue can not be used to download arbitrary files, because the input is cleaned before the file is included, but we can enumerate files. To check if a file exists on the target web server all an attacker has to do is modify the "attachment" parameter to include traversal sequences. If the file exists we will be prompted with a download, and if it doesn't exists we will see an error message.
Solution:
The developer of AZBB was very quick to respond and has addressed these issues. A complete change log can be seen by following the url posted below. Also, you will find the link to the updated AZBB 1.0.08 downloads below
http://azbb.cyaccess.com/azbb.php?1091778548
http://azbb.cyaccess.com/azbb.php?1091872271
All users are advised to upgrade their azbb installations as soon as possible. A special thanks to AZ for remedying these issues so quickly. If everyone responded in this timely of a manner it would make what we do a lot easier :)
Credits:
James Bercegay of the GulfTech Security Research Team
Reference in a new issue View git blame Copy permalink