Apache Tomcat 5.5.25 Deploy/Undeploy/Start/Stop Applications

My friend Gianmarco Pirozzi and I discovered new vulnerabilities affecting Apache Tomcat which allow one to perform the following malicious activities:

  • Undeploy an existing application
  • Deploy a new application
  • Stop an application
  • Start an application

For more details you can read our Original Advisory:
Apache Tomcat 5.5.25 Start/Stop/Deploy/Undeploy Application | CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2013-6357 for these vulnerabilities.

My Advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/63515
http://osvdb.org/show/osvdb/99375
http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/29435/
http://1337day.com/exploits/21455
http://www.scip.ch/en/?vuldb.11098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6357
https://bugzilla.redhat.com/show_bug.cgi?id=1030090
http://www.cvedetails.com/cve/CVE-2013-6357/
http://xforce.iss.net/xforce/xfdb/88471
http://en.securitylab.ru/nvd/447679.php
http://www.us-cert.gov/ncas/bulletins/SB13-322

D-Link DSL-2740B Multiple CSRF Vulnerabilities | CVE-2013-5730

I’ve discovered multiple new CSRF vulnerabilities affecting the D-Link DSL-2740B ADSL router, allowing an attacker to carry out malicious activities such as:

  • Disable/Enable Wireless MAC Address Filter.
  • Disable/Enable all the Firewall protections (Both “SPI” and “DOS and Portscan Protection”).
  • Enable/Disable Remote Management (in my exploit I enabled remote management via HTTP, TCP port 80, and SSH, TCP port 22).

Many other changes can be performed.

For more details please read my Original Advisory:
D-Link DSL-2740B Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2013-5730 for these vulnerabilities.

The vendor (D-Link) confirmed this vulnerability, and a new firmware release that fixes this security issue is pending:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004

My Advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/62356/
http://secunia.com/advisories/54795
http://www.exploit-db.com/exploits/28239/
http://1337day.com/exploits/21225
http://osvdb.org/show/osvdb/97278
http://xforce.iss.net/xforce/xfdb/87036
http://packetstormsecurity.com/files/123200/D-Link-DSL-2740B-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/54795
http://www.scip.ch/en/?vuldb.10296
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5730
http://cert-mu.gov.mu/English/Pages/Vulnerability%20Notes/2013/VN-2013-220.aspx
http://en.securitylab.ru/nvd/447902.php
Japan CERT (Computer Emergency Response Team)

D-Link DSL-2740B (ADSL Router) Authentication Bypass | CVE-2013-2271

I’ve discovered a new vulnerability affecting D-Link DSL-2740B ADSL Wifi Router, which allows an attacker to completely bypass the authentication of this device and gain administrative access.

For more details, please read my Advisory:

D-Link DSL-2740B (ADSL Router) Authentication Bypass

MITRE CVE Numbering Authority assigned me CVE-2013-2271 for this vulnerability.

NIST – NVD (National Vulnerability Database) published my Advisory:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2271

Department of Homeland Security / US-CERT published my Advisory into the Security Bulletin SB13-329:
https://www.us-cert.gov/ncas/bulletins/SB13-329

The vendor (D-Link) confirmed this vulnerability, and a new firmware release that fixes this security issue is pending:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004

This advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/58266/info
http://packetstormsecurity.com/files/120613/dlinkdsl2740b-bypass.txt
http://1337day.com/exploits/20469
http://www.exploit-db.com/exploits/24563/
http://www.osvdb.org/show/osvdb/90822
http://cxsecurity.com/issue/WLB-2013030027
http://www.scip.ch/?vuldb.7851
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130210
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2271
http://www.security-database.com/detail.php?alert=CVE-2013-2271
Japan CERT (Computer Emergency Response Team)

Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

Axous 1.1.1 (and below) is prone to CSRF and persistent XSS vulnerabilities due to improper input sanitization of multiple parameters. More details follow:

CSRF Vulnerabilities
Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a specially crafted web page. In this Advisory I will only demonstrate how to add a new administrator but, with small modifications to my exploit, you can modify any of Axous’s parameters, as Axous does not use an anti-CSRF token.

Persistent XSS Vulnerabilities
Axous 1.1.1 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of the following parameters:

  • “page_title”, passed to server side logic (path: “admin/content_pages_edit.php”) via HTTP POST method.
Exploiting the “page_title” parameter, an authenticated administrator could insert arbitrary code in the “Title” field and execute it when another administrator clicks on the “Pages” link or on that specific page under the “Title” menu.
Furthermore, the injected code will generate a persistent XSS for all unauthenticated users visiting that web page.

  • “category_name[1]”, passed to server side logic (path: “admin/products_category.php”) via HTTP POST method.
Exploiting the “category_name[1]” parameter, an administrator could insert arbitrary code in the “Category” field (under “Control Panel > Products”) and create a persistent XSS for another administrator who clicks on the “Add New” button (also under “Control Panel > Products”).

  • “site_name”, “seo_title” and “meta_keywords” parameters, passed to the “admin/settings_siteinfo.php” script via HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the “Site info” link under the Settings menu.

  • “company_name”, “address1”, “address2”, “city”, “state”, “country”, “author_first_name”, “author_last_name”, “author_email”, “contact_first_name”, “contact_last_name”, “contact_email”, “general_email”, “general_phone”, “general_fax”, “sales_email”, “sales_phone”, “support_email”, “support_phone”, passed to the “admin/settings_company.php” script via HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who visits that injected menu.

  • “system_email”, “sender_name”, “smtp_server”, “smtp_username”, “smtp_password”, “order_notice_email” parameters, passed to “admin/settings_email.php” via HTTP POST method.
Exploiting these parameters, an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks the “Site info” link under the Settings menu.

Other parameters could be injected!

To view my Original Advisory:
Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

MITRE CVE Numbering Authority assigned me CVE-2012-2629 for these vulnerabilities.

This advisory has been published in the following web sites:
http://xforce.iss.net/xforce/xfdb/75675
http://osvdb.org/show/osvdb/82075
http://osvdb.org/show/osvdb/82076
http://osvdb.org/show/osvdb/82077
http://osvdb.org/show/osvdb/82078
http://osvdb.org/show/osvdb/82079
http://osvdb.org/show/osvdb/82080
http://packetstormsecurity.org/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18886/
http://www.1337day.com/exploits/18277

WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change the post title, add administrators/users, delete administrators/users, approve and unapprove comments, delete comments, change the background image, insert a custom header image, change the site title, change the administrator’s email, change the WordPress Address and change the Site Address when an authenticated user/admin browses a specially crafted web page. Maybe other parameters can be modified as well. This vulnerability is caused by a security flaw in the generation of the anti-CSRF tokens (_wpnonce, _wpnonce_create-user, _ajax_nonce, _wpnonce-custom-background-upload, _wpnonce-custom-header-upload). For some operations (see below) the above anti-CSRF tokens are not associated with the current user session (as OWASP recommends) but are valid for all operations (for a specific administrator/user) within 12 hours.
The vulnerability described above gives an attacker who has sniffed an anti-CSRF token 12 hours to perform a CSRF attack.
This problem affects the following operations:

  • Add admin/user
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator’s email
  • Change WordPress Address
  • Change Site Address

Other operations (like insert a new post) are not affected by this CSRF vulnerability.

Probably also version 3.3.2 is affected by this CSRF vulnerability.
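The WordPress entry above, together with the Tomcat, D-Link, Axous and Simple PHP Agenda entries (which use no anti-CSRF token at all), describes the properties a token must have for a sniffed copy not to remain useful. The following is an added example, not WordPress code or any of the advisories’ own code: a token that is bound to the session id, the user, the specific action and a short expiry, and that is spent on first use, so a captured token is rejected once the victim’s own form submission has consumed it or once the short window closes. The secret, session ids, user ids and the `handle_create_user` handler are constructed for the example.

```python
"""Session-bound, short-lived, single-use anti-CSRF tokens (added example).

Not WordPress code: it illustrates the properties the 3.3.1 nonces lacked.
A token is an HMAC over the session id, user id, action and expiry plus a
random nonce; it is rejected when any of those differ, when it has expired,
or when it has already been spent. Secret, session ids and user ids are
constructed placeholders.
"""
import hashlib
import hmac
import secrets
import time


class CsrfTokenService:
    def __init__(self, server_secret: bytes, ttl_seconds: int = 15 * 60):
        self._secret = server_secret   # assumption: a per-install secret
        self._ttl = ttl_seconds        # assumption: 15 minutes rather than 12 hours
        self._spent = set()            # MACs already accepted (in-memory store)

    def _mac(self, session_id, user_id, action, expires, nonce) -> str:
        # Every field that must match is covered by the MAC.
        msg = f"{session_id}|{user_id}|{action}|{expires}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, user_id: int, action: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        expires = now + self._ttl
        nonce = secrets.token_hex(8)   # makes each issued token distinct
        mac = self._mac(session_id, user_id, action, expires, nonce)
        return f"{expires}:{nonce}:{mac}"

    def verify(self, token, session_id: str, user_id: int, action: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            exp_str, nonce, mac = token.split(":")
            expires = int(exp_str)
        except (ValueError, AttributeError):
            return False               # malformed token
        if now >= expires:
            return False               # expired
        expected = self._mac(session_id, user_id, action, expires, nonce)
        if not hmac.compare_digest(mac, expected):
            return False               # wrong session, user, action or forged
        if mac in self._spent:
            return False               # replay of an already-used token
        self._spent.add(mac)
        return True


def handle_create_user(service, form: dict, session_id: str, user_id: int, now: int) -> str:
    """Hypothetical admin 'create user' handler: refuses unless the form token verifies."""
    if not service.verify(form.get("_csrf", ""), session_id, user_id, "create-user", now):
        return "forbidden"
    return f"created {form.get('login', '')}"


if __name__ == "__main__":
    svc = CsrfTokenService(b"constructed-server-secret")
    tok = svc.issue("session-A", 7, "create-user", now=1000)
    print(handle_create_user(svc, {"_csrf": tok, "login": "bob"}, "session-A", 7, 1100))
    # A second submission of the same token (what a replayed sniffed token looks like):
    print(handle_create_user(svc, {"_csrf": tok, "login": "bob"}, "session-A", 7, 1200))
```

The spent-token set is kept in memory here; a real deployment would store it in the session record or a shared cache with the same TTL as the token, so it cannot grow without bound.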

To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1936 for this vulnerability.

This Security Advisory was also published in the following web sites:
http://www.securityfocus.com/bid/53280
http://osvdb.org/show/osvdb/81588
http://xforce.iss.net/xforce/xfdb/75222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1936
http://packetstormsecurity.org/files/112253/WordPress-3.3.1-Cross-Site-Request-Forgery.html
http://1337day.com/exploits/18138
http://www.exploit-db.com/exploits/18791/
http://www.cvedetails.com/cve/CVE-2012-1936/
http://www.exploit-id.com/web-applications/wordpress-3-3-1-multiple-csrf-vulnerabilities

PlumeCMS <= 1.2.4 Multiple Persistent XSS

PlumeCMS 1.2.4 (and below) is prone to multiple persistent XSS vulnerabilities due to improper input sanitization of multiple parameters.

  • “u_email” and “u_realname” parameters are not correctly sanitized before being passed to the server side script “manager/users.php” via HTTP POST method. An attacker who is able to change his profile settings could insert malicious code into the “Email” and/or “Name” fields (within the “Authors” template) in order to create a persistent XSS vulnerability for all users/admins who access Plume’s management interface.
  • An unauthenticated user could insert HTML/JavaScript code in the “Author” field within the “ADD A COMMENT” section (which is present in every web page) due to incorrect sanitization of the “c_author” parameter. This will produce a persistent XSS vulnerability for all users/admins who click on the “Comments” tab within Plume’s administration interface.

To view my Original Advisory:
PlumeCMS 1.2.4 Multiple Permanent XSS

MITRE CVE Numbering Authority assigned me CVE-2012-2156 for this vulnerability.

Other Advisory’s publications:
http://www.securityfocus.com/bid/52890
http://secunia.com/advisories/40133
http://xforce.iss.net/xforce/xfdb/74614
http://osvdb.org/show/osvdb/80960
http://osvdb.org/show/osvdb/80961
http://packetstormsecurity.org/files/111596/PlumeCMS-1.2.4-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18699/
http://1337day.com/exploits/17963
http://www.thecybernuxbie.com/exploit-report/plumecms-1-2-4-multiple-persistent-xss.aspx
http://www.x-bug.com/exploits/221

SocialCMS <= 1.0.2 XSS (Persistent and Reflected) Vulnerabilities

SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “TR_title” parameter, passed to “my_admin/admin1_list_pages.php” via HTTP POST method. Exploiting this vulnerability, an authenticated user who is able to publish an article could insert arbitrary code in the web management interface “Title” field (under “my_admin/admin1_list_pages.php?id=<page_id>&action=edit”) that will be executed when an administrator, or another user, browses that web page.

Improper input sanitization of the “TR_title” parameter also causes a reflected XSS for the user who inserts the HTML/JavaScript code.

MITRE CVE Numbering Authority assigned me CVE-2012-1982 for this vulnerability.

To view my Original Advisory:
SocialCMS 1.0.2 XSS (Persistent and Reflected) Advisory

Other related publications:
http://secunia.com/advisories/44313
http://osvdb.org/show/osvdb/80794
http://xforce.iss.net/xforce/xfdb/74540
http://xforce.iss.net/xforce/xfdb/74541
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1982
http://www.us-cert.gov/cas/bulletins/SB12-100.html
http://packetstormsecurity.org/files/111409/SocialCMS-1.0.2-Cross-Site-Scripting.html
http://www.securelist.com/en/advisories/44313
http://1337day.com/exploits/17895
http://www.cvedetails.com/cve/CVE-2012-1982/

SyndeoCMS <= 3.0.01 Persistent XSS

SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “email” parameter, passed to server side logic (path: “starnet/index.php”) via HTTP POST method.
Exploiting this vulnerability, an authenticated user who is able to change his profile settings could insert arbitrary code in the “Site email” field that will be executed when another admin or user clicks on that user’s profile.

MITRE CVE Numbering Authority assigned me CVE-2012-1979 for this vulnerability.

To view my Original Advisory:
SyndeoCMS <= 3.0.01 Persistent XSS Advisory

Other related publications:
http://osvdb.org/show/osvdb/80746
http://www.securityfocus.com/bid/52840
http://xforce.iss.net/xforce/xfdb/74545
http://packetstormsecurity.org/files/111405/SyndeoCMS-3.0.01-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18686/
http://1337day.com/exploits/17894
http://www.thecybernuxbie.com/exploit-report/syndeocms-3-0-01-persistent-xss-vulnerability.aspx

Simple Php Agenda <= 2.2.8 Multiple CSRF Vulnerabilities

Simple Php Agenda 2.2.8 (and lower) is affected by a CSRF vulnerability which allows an attacker to add a new administrator, delete an existing administrator, create/delete an event and change any other parameters. In this document I will only demonstrate how to:

  • add a new administrator
  • delete an existing administrator
  • add a new event
  • delete an existing event

Other parameters can also be modified.

To view my Original Advisory:
Simple PHP Agenda 2.2.8 Multiple CSRF Advisory

MITRE CVE Numbering Authority assigned me CVE-2012-1978 for this vulnerability.

Other related publications:
http://secunia.com/advisories/48685
http://www.osvdb.org/show/osvdb/80793
http://xforce.iss.net/xforce/xfdb/74539
http://packetstormsecurity.org/files/111408/Simple-PHP-Agenda-2.2.8-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/48685
http://1337day.com/exploits/17893
http://www.thecybernuxbie.com/exploit-report/simple-php-agenda-2-2-8-csrf-add-adminadd-new-event.aspx

Wolf CMS new Persistent XSS

Wolfcms 0.75 (and lower) is prone to a persistent XSS vulnerability due to improper input sanitization of the “setting[admin_email]” parameter, passed to server side logic (path: “wolfcms/admin/setting”) via HTTP POST method.
Exploiting this vulnerability, an authenticated admin could insert arbitrary code in the “Site email” field which will be executed when another admin clicks on the “Administrator” tab.
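The persistent XSS entries on this page (Axous, PlumeCMS, SocialCMS, SyndeoCMS and Wolf CMS) share one root cause: a stored field such as a page title, author name or site email is later written into an administrator’s HTML page without encoding for the context it lands in. The following is an added example, not code from any of those projects: it renders a stored record into an admin list row, encoding the same value differently for text content, an attribute value and a query-string parameter, so that whatever was stored is displayed rather than interpreted. The record, field names and the admin page path are constructed for the example (the path mirrors the Axous one named above only as an illustration).

```python
"""Render-time, per-context escaping of stored CMS fields (added example).

Not project code. Stored values are treated as untrusted at the moment they
are written into HTML; each output context gets its own encoder. The record
and field names below are constructed.
"""
import html
from urllib.parse import quote


def escape_text(value: str) -> str:
    """HTML text content: '<', '>' and '&' become entities."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """Quoted attribute value: additionally neutralise '"' and "'"."""
    return html.escape(value, quote=True)


def escape_query(value: str) -> str:
    """Query-string parameter: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


def render_page_row(record: dict) -> str:
    """Render one row of a hypothetical admin 'Pages' list.

    The stored title appears twice (link text and title attribute) and the
    page id lands in the edit link's query string; each use is encoded for
    its own context. The id is coerced to int so it cannot carry markup.
    """
    page_id = str(int(record["id"]))
    title = record["page_title"]
    return (
        '<tr><td><a href="admin/content_pages_edit.php?id='
        + escape_query(page_id)
        + '" title="' + escape_attr(title) + '">'
        + escape_text(title)
        + "</a></td></tr>"
    )


def render_unsafe(record: dict) -> str:
    """The pattern the advisories describe: stored value written through verbatim."""
    return '<tr><td><a href="admin/content_pages_edit.php?id=' + str(record["id"]) + '">' \
        + record["page_title"] + "</a></td></tr>"


if __name__ == "__main__":
    # Constructed record whose title is the kind of payload the advisories mention.
    sample = {"id": 5, "page_title": "<script>alert(1)</script>"}
    print(render_unsafe(sample))    # script tag reaches the browser intact
    print(render_page_row(sample))  # script tag is displayed as text
```

Escaping at render time, rather than only on input, is what keeps values that were stored before the fix (or stored through another code path, like the unauthenticated comment form in PlumeCMS) from executing in the administrator’s browser.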

To view my Original Advisory:
Wolfcms 0.75 new Persistent XSS

Other related publications:
Packetstorm
Inj3ct0r
Security Focus
CVE-2012-1932
OSVDB