D-Link DSL-2740B (ADSL Router) Authentication Bypass

I’ve discovered a new vulnerability affecting the D-Link DSL-2740B ADSL Wi-Fi router, which allows an attacker to completely bypass the authentication of this device and gain administrative access.

For more details, please read my advisory:
D-Link DSL-2740B (ADSL Router) Authentication Bypass

MITRE CVE Numbering Authority assigned me CVE-2013-2271 for this vulnerability.

This advisory has been published in the following web sites:
http://www.securityfocus.com/bid/58266/info
http://packetstormsecurity.com/files/120613/dlinkdsl2740b-bypass.txt
http://1337day.com/exploits/20469
http://www.exploit-db.com/exploits/24563/
http://www.osvdb.org/show/osvdb/90822
http://cxsecurity.com/issue/WLB-2013030027
http://www.scip.ch/?vuldb.7851


Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

Axous 1.1.1 (and below) is prone to CSRF and persistent XSS vulnerabilities due to improper input sanitization of multiple parameters. More details follow:

CSRF Vulnerabilities
Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameter when an authenticated user/admin browses a specially crafted web page. In this Advisory I will only demonstrate how to add a new administrator but, with little modification to my exploit, you can modify any of Axous’s parameters, as Axous does not use an anti-CSRF token.

Persistent XSS Vulnerabilities
Axous 1.1.1 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of the following parameters:
- “page_title”, passed to server side logic (path: “admin/content_pages_edit.php”) via http POST method.
  Exploiting the “page_title” parameter, an authenticated administrator could insert arbitrary code in the “Title” field, which is executed when another administrator clicks on the “Pages” link or on that specific page under the “Title” menu.
  Furthermore, the injected code will generate a persistent XSS for all unauthenticated users visiting that web page.
- “category_name[1]”, passed to server side logic (path: “admin/products_category.php”) via http POST method.
  Exploiting the “category_name[1]” parameter, an administrator could insert arbitrary code in the “Category” field (under “Control Panel > Products”) and create a persistent XSS for another administrator who clicks on the “Add New” button (again under “Control Panel > Products”).
- “site_name”, “seo_title” and “meta_keywords” parameters, passed to the “admin/settings_siteinfo.php” script via http POST method.
  Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the “Site info” link under the Settings menu.
- “company_name”, “address1”, “address2”, “city”, “state”, “country”, “author_first_name”, “author_last_name”, “author_email”, “contact_first_name”, “contact_last_name”, “contact_email”, “general_email”, “general_phone”, “general_fax”, “sales_email”, “sales_phone”, “support_email”, “support_phone”, passed to the “admin/settings_company.php” script via http POST method.
  Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who visits that injected menu.
- “system_email”, “sender_name”, “smtp_server”, “smtp_username”, “smtp_password”, “order_notice_email” parameters, passed to “admin/settings_email.php” via http POST method.
  Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the “Site info” link under the Settings menu.

Other parameters could be injected!

To view my Original Advisory:
Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

MITRE CVE Numbering Authority assigned me CVE-2012-2629 for these vulnerabilities.

This advisory has been published in the following web sites:
http://xforce.iss.net/xforce/xfdb/75675
http://osvdb.org/show/osvdb/82075
http://osvdb.org/show/osvdb/82076
http://osvdb.org/show/osvdb/82077
http://osvdb.org/show/osvdb/82078
http://osvdb.org/show/osvdb/82079
http://osvdb.org/show/osvdb/82080
http://packetstormsecurity.org/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18886/
http://www.1337day.com/exploits/18277

WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change the post title, add administrators/users, delete administrators/users, approve and unapprove comments, delete comments, change the background image, insert a custom header image, change the site title, change the administrator’s email, change the WordPress Address and change the Site Address when an authenticated user/admin browses a specially crafted web page. Other parameters may also be modifiable. This vulnerability is caused by a security flaw in the generation of the anti-CSRF tokens (_wpnonce, _wpnonce_create-user, _ajax_nonce, _wpnonce-custom-background-upload, _wpnonce-custom-header-upload). For some operations (see below) these tokens are not associated with the current user session (as OWASP recommends) but are valid for all operations of a specific administrator/user within a 12-hour window.
This means that an attacker who has sniffed an anti-CSRF token has 12 hours in which to perform a CSRF attack.
This problem affects the following operations:

  • Add admin/user
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator’s email
  • Change WordPress Address
  • Change Site Address

Other operations (like insert a new post) are not affected by this CSRF vulnerability.

Version 3.3.2 is probably also affected by this CSRF vulnerability.
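To make the distinction concrete, the following constructed Python example (added here; it is not WordPress code, and the key, the 12-hour bucket size and the session identifiers are assumptions) mints a nonce bound only to user, action and time bucket next to one that also mixes in the session token, then checks which of the two a captured copy still verifies against after the victim's session has changed.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-site-key"  # assumption: stands in for a real per-site secret
WINDOW_SECONDS = 12 * 3600            # 12-hour validity window, as the advisory describes


def bucket(now):
    """Coarse time bucket: every token minted in the same bucket verifies until it ends."""
    return int(now // WINDOW_SECONDS)


def weak_nonce(action, user_id, now):
    """Bound to action, user and time bucket only; nothing from the session is mixed in,
    so a captured token keeps working from any browser for the rest of the window."""
    msg = f"{bucket(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:12]


def session_nonce(action, user_id, session_token, now):
    """Hardened variant: the session token is part of the MAC input, so the nonce stops
    verifying as soon as the session it was minted for is gone (logout, re-login)."""
    msg = f"{bucket(now)}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:12]


def verify_weak(nonce, action, user_id, now):
    return hmac.compare_digest(nonce, weak_nonce(action, user_id, now))


def verify_bound(nonce, action, user_id, session_token, now):
    return hmac.compare_digest(nonce, session_nonce(action, user_id, session_token, now))


def replay_scenario(session_changed, delay, captured_at=1000.0):
    """Victim mints both token kinds at captured_at; a copy is replayed `delay` seconds later.
    Returns (weak_still_valid, bound_still_valid)."""
    user_id, action = 7, "create-user"  # constructed sample values
    victim_session = "sess-A"
    weak = weak_nonce(action, user_id, captured_at)
    bound = session_nonce(action, user_id, victim_session, captured_at)
    # If the victim logged out and back in, the server now sees a different session token.
    current_session = "sess-B" if session_changed else victim_session
    replay_at = captured_at + delay
    return (verify_weak(weak, action, user_id, replay_at),
            verify_bound(bound, action, user_id, current_session, replay_at))


if __name__ == "__main__":
    print(replay_scenario(session_changed=True, delay=3600))        # (True, False)
    print(replay_scenario(session_changed=False, delay=13 * 3600))  # (False, False)
```

The weak token survives a session change for the whole window, which is exactly the sniff-and-replay window the advisory describes; the session-bound token only survives while the same session is live.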

To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1936 for this vulnerability.

This Security Advisory was also published in the following web sites:
http://www.securityfocus.com/bid/53280
http://osvdb.org/show/osvdb/81588
http://xforce.iss.net/xforce/xfdb/75222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1936
http://packetstormsecurity.org/files/112253/WordPress-3.3.1-Cross-Site-Request-Forgery.html
http://1337day.com/exploits/18138
http://www.exploit-db.com/exploits/18791/
http://www.cvedetails.com/cve/CVE-2012-1936/
http://www.exploit-id.com/web-applications/wordpress-3-3-1-multiple-csrf-vulnerabilities

PlumeCMS <= 1.2.4 Multiple Persistent XSS

PlumeCMS 1.2.4 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of multiple parameters.

  • “u_email” and “u_realname” parameters are not correctly sanitized before being passed to the server side script “manager/users.php” via http POST method. An attacker – who is able to change his profile settings – could insert malicious code into the “Email” and/or “Name” fields – within the “Authors” template – in order to create a persistent XSS vulnerability for all users/admins who access Plume’s management interface.
  • An unauthenticated user could insert html/javascript code in the “Author” field within the “ADD A COMMENT” section – which is present in every web page – due to incorrect sanitization of the “c_author” parameter. This produces a persistent XSS vulnerability for all users/admins who click on the “Comments” tab within Plume’s administration interface.

To view my Original Advisory:
PlumeCMS 1.2.4 Multiple Permanent XSS

MITRE CVE Numbering Authority assigned me CVE-2012-2156 for this vulnerability.

Other Advisory’s publications:
http://www.securityfocus.com/bid/52890
http://secunia.com/advisories/40133
http://xforce.iss.net/xforce/xfdb/74614
http://osvdb.org/show/osvdb/80960
http://osvdb.org/show/osvdb/80961
http://packetstormsecurity.org/files/111596/PlumeCMS-1.2.4-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18699/
http://1337day.com/exploits/17963
http://www.thecybernuxbie.com/exploit-report/plumecms-1-2-4-multiple-persistent-xss.aspx
http://www.x-bug.com/exploits/221

CMS Made Simple <= 1.10.3 XSS Vulnerability

CMS Made Simple 1.10.3 (and lower) is prone to an XSS vulnerability due to improper input sanitization of the “email” parameter, passed to the server side script “admin/edituser.php” via http POST method.

To view my Original Advisory:
CMS Made Simple <= 1.10.3 XSS Original Advisory

MITRE CVE Numbering Authority assigned me CVE-2012-1992 for this vulnerability.

This vulnerability has been also published in the following web sites:
http://osvdb.org/show/osvdb/80918
http://www.securityfocus.com/bid/52850/
http://xforce.iss.net/xforce/xfdb/74563
http://packetstormsecurity.org/files/111486/CMS-Made-Simple-1.10.3-Cross-Site-Scripting.html
http://1337day.com/exploits/17921


SocialCMS <= 1.0.2 XSS (Persistent and Reflected) Vulnerabilities

SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “TR_title” parameter, passed to “my_admin/admin1_list_pages.php” via http POST method. Exploiting this vulnerability, an authenticated user – who is able to publish an article – could insert arbitrary code in the web management interface “Title” field – under “my_admin/admin1_list_pages.php?id=<page_id>&action=edit” – that will be executed when an administrator – or another user – browses that web page.

Improper input sanitization of the “TR_title” parameter also causes a reflected XSS for the user who inserts the html/javascript code.

MITRE CVE Numbering Authority assigned me CVE-2012-1982 for this vulnerability.

To view my Original Advisory:
SocialCMS 1.0.2 XSS (Persistent and Reflected) Advisory

Other related publications:
http://secunia.com/advisories/44313
http://osvdb.org/show/osvdb/80794
http://xforce.iss.net/xforce/xfdb/74540
http://xforce.iss.net/xforce/xfdb/74541
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1982
http://www.us-cert.gov/cas/bulletins/SB12-100.html
http://packetstormsecurity.org/files/111409/SocialCMS-1.0.2-Cross-Site-Scripting.html
http://www.securelist.com/en/advisories/44313
http://1337day.com/exploits/17895
http://www.cvedetails.com/cve/CVE-2012-1982/

SyndeoCMS <= 3.0.01 Persistent XSS

SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “email” parameter, passed to server side logic (path: “starnet/index.php”) via http POST method.
Exploiting this vulnerability, an authenticated user – who is able to change his profile settings – could insert arbitrary code in the “Site email” field that will be executed when another admin or user clicks on that user’s profile.

MITRE CVE Numbering Authority assigned me CVE-2012-1979 for this vulnerability.

To view my Original Advisory:
SyndeoCMS <= 3.0.01 Persistent XSS Advisory

Other related publications:
http://osvdb.org/show/osvdb/80746
http://www.securityfocus.com/bid/52840
http://xforce.iss.net/xforce/xfdb/74545
http://packetstormsecurity.org/files/111405/SyndeoCMS-3.0.01-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18686/
http://1337day.com/exploits/17894
http://www.thecybernuxbie.com/exploit-report/syndeocms-3-0-01-persistent-xss-vulnerability.aspx

Simple Php Agenda <= 2.2.8 Multiple CSRF Vulnerabilities

Simple Php Agenda 2.2.8 (and lower) is affected by CSRF vulnerabilities which allow an attacker to add a new administrator, delete an existing administrator, create/delete an event and change any other parameters. In this document I will only demonstrate how to:
- add a new administrator
- delete an existing administrator
- add a new event
- delete an existing event.
Other parameters can also be modified.

To view my Original Advisory:
Simple PHP Agenda 2.2.8 Multiple CSRF Advisory

MITRE CVE Numbering Authority assigned me CVE-2012-1978 for this vulnerability.

Other related publications:
http://secunia.com/advisories/48685
http://www.osvdb.org/show/osvdb/80793
http://xforce.iss.net/xforce/xfdb/74539
http://packetstormsecurity.org/files/111408/Simple-PHP-Agenda-2.2.8-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/48685
http://1337day.com/exploits/17893
http://www.thecybernuxbie.com/exploit-report/simple-php-agenda-2-2-8-csrf-add-adminadd-new-event.aspx

CVE Mitre – 9 new CVEs

MITRE CVE Numbering Authority assigned me 9 new CVEs. The details follow:

CVE-2007-6752 for Drupal 7.12 CSRF Vulnerability (force user/logout – sections 2.2, 3.2)
CVE-2012-1899 for Multiple XSS Vulnerabilities in Webfolio CMS <= 1.1.4
CVE-2012-1900 for CSRF Vulnerability (Delete Web Pages) in Razor CMS <= 1.2.1
CVE-2012-1901 for FlexCMS 3.2.1 Multiple CSRF
CVE-2012-1897 for Multiple XSS in Wolf CMS <= 0.75
CVE-2012-1898 for Multiple CSRF in Wolf CMS <= 0.75
CVE-2012-1921 for Sitecom WLM-2501 Change Wireless Passphrase
CVE-2012-1922 for Sitecom WLM-2501 new Multiple CSRF
CVE-2012-1932 for Wolf CMS <= 0.75 Persistent XSS

Regarding my Drupal 7.12 Advisory, Mitre considers that:

  • Sections 2.1 and 3.1 – Poor Session Checking (CSRF to change any Drupal settings) – would be a Drupal “Security Improvement”.
  • Section 2.3 – Poor Session Checking (POST and GET method) – and section 2.4 – Poor Session Checking (Http Referer) – would be Drupal “Potential Security Improvements”.

Wolf CMS new Persistent XSS

Wolfcms 0.75 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “setting[admin_email]” parameter, passed to server side logic (path: “wolfcms/admin/setting”) via http POST method.
Exploiting this vulnerability, an authenticated admin could insert arbitrary code in the “Site email” field which will be executed when another admin clicks on the “Administrator” tab.

To view my Original Advisory:
Wolfcms 0.75 new Persistent XSS

Other related publications:
Packetstorm
Inj3ct0r
Security Focus
CVE-2012-1932
OSVDB