CVE Mitre – 9 new CVEs

MITRE CVE Numbering Authority assigned me 9 new CVEs. Following the details:

CVE-2007-6752 for Drupal 7.12 CSRF Vulnerability (force user/logout – sections 2.2, 3.2)
CVE-2012-1899 for Multiple XSS Vulnerabilities in Webfolio CMS <= 1.1.4
CVE-2012-1900 for CSRF Vulnerability (Delete Web Pages) in Razor CMS <= 1.2.1
CVE-2012-1901 for FlexCMS 3.2.1 Multiple CSRF
CVE-2012-1897 for Multiple XSS in Wolf CMS <= 0.75
CVE-2012-1898 for Multiple CSRF in Wolf CMS <= 0.75
CVE-2012-1921 for Sitecom WLM-2501 Change Wireless Passphrase
CVE-2012-1922 for Sitecom WLM-2501 new Multiple CSRF
CVE-2012-1932 for Wolf CMS <= 0.75 Persistent XSS

Regarding my Drupal 7.12 Advisory, Mitre considers that:

  • Sections 2.1 and 3.1  – Poor Session Checking (CSRF to change any Drupal settings) – would be a Drupal’s “Security Improvement”.
  • Section 2.3 – Poor Session Checking (POST and GET method) – and section 2.4 – Poor Session Checking (Http Referer) – would be Drupal’s “Potential Security Improvements”.

Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

The web interface of this router is affected by multiple CSRF vulnerabilities which allows to change the following device’s parameters:

    • Disable Mac Filtering
    • Disable/Modify IP/Port Filtering
    • Disable/Modify Port Forwarding
    • Disable/Modify Wireless Access Control
    • Disable Wi-Fi Protected Setup
    • Disable/Modify URL Blocking Filter
    • Disable/Modify Domain Blocking Filter
    • Disable/Modify IP Address ACL
    • Change Wireless Passphrase
    • Enable/Modify Remote Access (also on WAN interface)

To view my Original Advisory:
Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

Other related publications:
Secunia Advisory SA48840
Inj3ct0r
Packet Storm
Offensive Security DB
Security Focus
IBM X-Force
OSVDB
http://packetstormsecurity.org/files/111941/Secunia-Security-Advisory-48840.html

FlexCMS Multiple CSRF Vulnerabilities

FlexCMS 3.2.1(latest version) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a special crafted web page. In this Advisory I’ve only demonstrate how to change settings of user “demo” (is default user of demo page) and also I’ve created a new web page.

To read more about them you can download my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1901 for this vulnerability,

Other related publications:

Offensive Security Exploit-DB
NIST – National Vulnerability Database
Inj3ct0r
Packet Storm
Secunia Advisory SA48451
Kaspersky Lab Advisory
OSVDB
IBM X-Force

Sitecom WLM-2501 Change Wireless Passphrase

Yesterday I’ve discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.

To know more about these vulnerabilities please read my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

Other sources have published my Advisory:
Secunia Security Advisory 48840
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r
IBM X-Force
Security Focus
http://packetstormsecurity.org/files/111941/Secunia-Security-Advisory-48840.html

Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities

Drupal 7.12 – latest stable release – suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.

Poor Session Checking (CSRF to change any Drupal settings)
Drupal, to secure changes made by administrators or users through web management interface, uses “form_token” parameter which is sent inside any http POST request. There is a security flaw inside the logic with which this parameter is generated, as is used the same parameter for for similar operations  (the same “form_id”) in the same session (for example for article’s creation Drupal assigns the same “form_token”, for admin/user
creation Drupal assigns the same “form_token” and so on).
Another flaw is inside “form_buid_id” parameter, which is used “to fetch state from a database table during certain operations”. This parameter is generated different for any operation an admin/user performs, but Drupal allows to use any other Drupal generated “form_buid_id” parameter
(like this: “form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8″) to make changes to Drupal settings through web management  interface. So, even if Drupal  creates a different “form_buid_id” for any operation you can use another “form_buid_id”compatible with Drupal instead of that generated by Drupa for that specific operation.
These flaws can be used by an attacker who knows the values of “form_buid_id” and “form_token” parameters (for example an internal attacker performing a “Man in The Middle Attack” or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities) to create an “ad-hoc” crafted web page
in order to makes any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, ….) when a Drupal administrator
or User browses that crafted web page.

Poor Session Checking (CSRF to Force administrator logout)
There is another vulnerability – always related to poor session checking / improper input validation – in “<drupal_ip>/user/logout” which allows an attacker to create a crafted web page an force logout of Drupal administrator/users at web management interface. This vulnerability – forcing administrator logout – will aid an attacker to sniff authentication credentials when a “Man in The Middle Attack” is performed.

Poor Session Checking (POST and GET method)
Drupal does not check “GET” or “POST” http method allowing, even though normal logout is made via http GET request, to exploit the above vulnerability using http POST method.

Poor Session Checking (Http Referer)
Drupal, furthermore, does not perform “http referer” checking, allowing to exploit all above described vulnerabilities.

To download my Original Advisory:

Drupal 7.12 (latest stable release) Multiple Vulnerabilities

Other web sites that have published my Advisory:
CVE-2007-6752
http://osvdb.org/show/osvdb/80665
http://secunia.com/advisories/cve_reference/CVE-2007-6752/
http://xforce.iss.net/xforce/xfdb/73674
http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt
http://www.exploit-db.com/exploits/18564/
http://1337day.com/exploits/17611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6752
https://bugzilla.redhat.com/show_bug.cgi?id=807859
http://security-tracker.debian.org/tracker/CVE-2007-6752
http://images.redhatmagazine.com/security/data/cve/CVE-2007-6752.html
http://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-6752.html
http://en.securitylab.ru/nvd/422373.php
https://cert.inteco.es/vulnDetail/Actualidad/Actualidad_Vulnerabilidades/detalle_vulnerabilidad/CVE-2007-6752

Furthermore MITRE CVE Numbering Authority, considers that:

  • Sections 2.1 and 3.1  – Poor Session Checking (CSRF to change any Drupal settings) – would be a Drupal’s “Security Improvement”.
  • Section 2.3 – Poor Session Checking (POST and GET method) – and section 2.4 – Poor Session Checking (Http Referer) – would be Drupal’s “Potential Security Improvements”.

 

 

MITRE CVE Numbering Authority

I ‘m proud to announce that “MITRE CVE Numbering Authority” has assigned me eleven (11) CVE numbers for vulnerabilities that I’ve discovered in last days. In details:

DFLabs PTK <= 1.0.5:

  • CVE-2012-1415 for Multiple Vulnerabilities (Steal Authentication Credentials)

Fork CMS <= 3.2.5:

  • CVE-2012-1306 for “Delete Admins or Users” and “Delete Web Pages” issues.
  • CVE-2012-1307 for “poor logic to manage sessions” form_token issue.
  • CVE-2012-1304 for XSS into private/en/blog/settings and private/en/users/index issues.
  • CVE-2012-1305 for XSS into private/en/pages/settings issue.

D-Link DSL-2640B (ADSL Router):

  • CVE-2012-1308 for CSRF Vulnerability
  • CVE-2012-1309 for Authentication Bypass

 ContaoCMS (fka TYPOlight) <= 2.11:

  • CVE-2012-1297 for CSRF (Delete Admin- Delete Article)

SyndeoCMS <= 3.0:

  • CVE-2012-1203 for CSRF Vulnerability

SocialCMS <= 1.0.2:

  • CVE-2012-1416 for CSRF Vulnerabilities

PlumeCMS <= 1.2.4:

  • CVE-2012-1414 for CSRF Vulnerability