Apache Tomcat 5.5.25 Deploy/Undeploy/Start/Stop Applications

I and my friend Gianmarco Pirozzi discovered new vulnerabilities affecting Apache Tomcat which allow to perform the following malicious activities:

  • Undeploy an existing application
  • Deploy a new application
  • Stop an application
  • Start an application

For more details you can read our Original Advisory:
Apache Tomcat 5.5.25 Start/Stop/Deploy/Undeploy Application | CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2013-6357 for these vulnerabilities.

My Advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/63515
http://osvdb.org/show/osvdb/99375
http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/29435/
http://1337day.com/exploits/21455
http://www.scip.ch/en/?vuldb.11098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6357
https://bugzilla.redhat.com/show_bug.cgi?id=1030090
http://www.cvedetails.com/cve/CVE-2013-6357/
http://xforce.iss.net/xforce/xfdb/88471
http://en.securitylab.ru/nvd/447679.php
http://www.us-cert.gov/ncas/bulletins/SB13-322
http://www.cvedetails.com/cve/CVE-2013-6357/

D-Link DSL-2740B Multiple CSRF Vulnerabilities | CVE-2013-5730

I’ve discovered new multiple CSRF vulnerabilities affecting D-Link DSL-2740B ADSL router allowing an attacker to carry out malicious activities, as:

  • Disable/Enable Wireless MAC Address Filter.
  • Disable/Enable all the Firewall protections (Both “SPI” and “DOS and Portscan Protection”).
  • Enable/Disable Remote Management (in my exploit I enabled remote management via http – tcp port 80 – and ssh – tcp port 22 -).

Many other changes can be performed.

For more details please read my Original Advisory:
D-Link DSL-2740B Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2013-5730 for these vulnerabilities.

The vendor (D-Link) confirmed this vulnerability and  is pending a new firmware release that fixes this security issue:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004

My Advisory has been also published in the following web sites:
http://www.securityfocus.com/bid/62356/
http://secunia.com/advisories/54795
http://www.exploit-db.com/exploits/28239/
http://1337day.com/exploits/21225
http://osvdb.org/show/osvdb/97278
http://xforce.iss.net/xforce/xfdb/87036
http://packetstormsecurity.com/files/123200/D-Link-DSL-2740B-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/54795
http://www.scip.ch/en/?vuldb.10296
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10004
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5730
http://cert-mu.gov.mu/English/Pages/Vulnerability%20Notes/2013/VN-2013-220.aspx
http://en.securitylab.ru/nvd/447902.php
Japan CERT (Computer Emergency Response Team)

Update on Google Translate CSRF Vulnerability | Google is fixing the issue

Hey there,
some days ago – 15th of August (2013) – I received the following email from Google Security Team about my latest Google Translate vulnerability:

Hello,
This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything.
Thanks for all your help!
Regards,
Google Security Team

I cannot hide that, considering what happened in the previous months (read my previous post on this topic),  I have been surprised and happy – I have to admit it :) – to receive an email from Google Security Team in order to inform me that they fixed this vulnerability, independently from the reward that I did not receive.

In the above email they proposed me to test again the vulnerability in order to establish if their fixing activities have been performed correctly.

Yesterday (1st September 2013) I carried out new tests and – unfortunately –  I’ve verified that the vulnerability I discovered is still affecting Google Translate. After the analysis I’ve quickly contacted Google Security team in order to share the results of my tests with the purpose to patch as soon as possible this security issue.

I guess that I will share soon new information about this vulnerability.

Stay tuned!

Translate.google.com | CSRF Vulnerability

I  have discovered a new CSRF vulnerability on translate.google.com web site which could allow an attacker to insert items (Words/Phrases/Urls and related translations) into the user’s Phrasebook. Furthermore an attacker could also insert a potentially malicious Urls – into the above mentioned Phrasebook – towards which the victim could be redirected simply clicking on the “Go to <website>” right-click option on translate.google.com.
The vulnerability is related to a problem into the generation of “xt” anti-CSRF token which is not correctly associated with the user session, allowing an attacker to use any previous generated anti-CSRF parameter – for that specific user- in order to carry out this attack.

For more details, please read my original Advisory:
CSRF Vulnerability on translate.google.com

My research has been also published on PacketStorm:
Google Translate Cross Site Request Forgery

Update (15 August, 2013): I received an email by Google Security Team:

Hello,
This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything.
Thanks for all your help!

Regards,
Google Security Team

Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

Axous 1.1.1 (and below) is prone to CSRF and  peristent XSS vulnerability due to an improper input sanitization of multiple parameters. Following more details:

CSRF Vulnerabilities
Axous 1.1.1 (and below) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated  user/admin browses a special crafted web page. In this Advisory I will only demonstrate how to add a new administrator but, with little modifications to my exploit, you can modify any Axous’s parameters, as Axous does not use an anti-CSRF token.

Persistent XSS Vulnerabilities
Axous 1.1.1 (and below) is prone to multiple persistent XSS vulnerabilities due to an improper input sanitization of the following parameters:
- “page_title” passed to server side logic (path: “admin/content_pages_edit.php”) via http POST method.
Exploiting “page_title” parameter an authenticated administrator could insert arbitrary code in “Title” field, and execute it when another administrator clicks on “Pages” link or on that specific pages under “Title” menu.
Furthermore injected code will generate a persistent XSS for all unauthenticated users visiting that web page.
- “category_name[1]” passed to server side logic (path:”admin/products_category.php”) via http POST method.
Exploiting “category_name[1]” parameter an administrator could insert arbitrary code in “Category” field (under “Control Panel > Products”)
and create a persistent XSS for another administrator who clicks on the “Add New” button (always under “Control Panel > Products”).

-”site_name”, “seo_title” and “meta_keywords” parameters passed to “admin/settings_siteinfo.php” script via http POST method.
Exploiting these parameters an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator
who clicks “Site info” link under Settings menu.

- “company_name”, “address1″, “address2″, “city”, “state”, “country”, “author_first_name”, “author_last_name”, “author_email”, “contact_first_name”, “contact_last_name”, “contact_email”, “general_email”, “general_phone”, “general_fax”, “sales_email”, “sales_phone”, “support_email”, “support_phone” passed to “admin/settings_company.php” script via http POST method.
Exploiting these parameters an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who visits that injected menu.

- “system_email”, “sender_name”, “smtp_server”, “smtp_username”, “smtp_password”, “order_notice_email” parameters passed to “admin/settings_email.php” via httl POSt method.
Exploiting these parameters an authenticated administrator could insert arbitrary code and create a persistent XSS for another administrator who clicks “Site info” link under Settings menu.

Other parameters could be injected!

To view my Original Advisory:
Axous 1.1.1 Multiple Vulnerabilities (CSRF – Persistent XSS)

MITRE CVE Numbering Authority assigned me CVE-2012-2629 for these vulnerabilities.

This advisory has been published in the following web sites:
http://xforce.iss.net/xforce/xfdb/75675
http://osvdb.org/show/osvdb/82075
http://osvdb.org/show/osvdb/82076
http://osvdb.org/show/osvdb/82077
http://osvdb.org/show/osvdb/82078
http://osvdb.org/show/osvdb/82079
http://osvdb.org/show/osvdb/82080
http://packetstormsecurity.org/files/112748/Axous-1.1.1-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18886/
http://www.1337day.com/exploits/18277

WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change post title, add administrators/users, delete administrators/users, approve and unapprove comment, delete comment, change background image, insert custom header image, change site title, change administrator’s email, change WordPress Address, change Site Address, when an authenticated user/admin browses a special crafted web page. May be other parameters can be modified. This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce,
_wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) above specified anti-CSRF tokens are not associated with the current user session (as Owasp recommends) but are the are valid for all operations (for a specific administrator/user) within 12 hour.
The above described vulnerability allows an attacker – who has sniffed anti-CSRF token – to have 12 hour to perform a CSRF attack.
This problem affects the following operations:

  • Add admin/user
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator’s email
  • Change WordPress Address
  • Change Site Address

Other operations (like insert a new post) are not affected by this CSRF vulnerability.

Probably also version 3.3.2 is affected by this CSRF vulnerability.

To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1936 for this vulnerability.

This Security Advisory was also published in the following web sites:
http://www.securityfocus.com/bid/53280
http://osvdb.org/show/osvdb/81588
http://xforce.iss.net/xforce/xfdb/75222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1936
http://packetstormsecurity.org/files/112253/WordPress-3.3.1-Cross-Site-Request-Forgery.html
http://1337day.com/exploits/18138
http://www.exploit-db.com/exploits/18791/
http://www.cvedetails.com/cve/CVE-2012-1936/
http://www.exploit-id.com/web-applications/wordpress-3-3-1-multiple-csrf-vulnerabilities

PlumeCMS <= 1.2.4 Multiple Persistent XSS

PlumeCMS 1.2.4 (and below) is prone to multiple peristent XSS vulnerability due to an improper input sanitization of multiple parameters.

  • “u_email” and “u_realname” parameters are not correctly sanitized before being passed to server side script “manager/users.php” via http POST method. An attacker – who is able to change his profile settings – could insert malicious code into “Email” and/or “Name” fields- within “Authors” template – in order to create a persistent XSS vulnerability for all user/admin who access to Plume’s management interface.
  • An unauthenticated user could insert html/javascript code in “Author” field within “ADD A COMMENT” section – which is present in every web page – due to an incorrect sanitization of “c_author” parameter. This will produce a Persistent XSS vulnerability for all user/admin who will click on “Comments” tab within Plume’s administration interface.

To view my Original Advisory:
PlumeCMS 1.2.4 Multiple Permanent XSS

MITRE CVE Numbering Authority assigned me CVE-2012-2156 for this vulnerability

Other Advisory’s publications:
http://www.securityfocus.com/bid/52890
http://secunia.com/advisories/40133
http://xforce.iss.net/xforce/xfdb/74614
http://osvdb.org/show/osvdb/80960
http://osvdb.org/show/osvdb/80961
http://packetstormsecurity.org/files/111596/PlumeCMS-1.2.4-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18699/
http://1337day.com/exploits/17963
http://www.thecybernuxbie.com/exploit-report/plumecms-1-2-4-multiple-persistent-xss.aspx
http://www.x-bug.com/exploits/221

CMS Made Simple <= 1.10.3 XSS Vulnerability

CMS Made Simple 1.10.3 (and lower) is prone to a XSS vulnerability due to an improper input sanitization of “email” parameter,  passed to server side script “admin/edituser.php” via http POST method.

To view my Original Advisory:
CMS Made Simple <= 1.10.3 XSS Original Advisory

MITRE CVE Numbering Authority assigned me CVE-2012-1992 for this vulnerability.

This vulnerability has been also published in the following web sites:
http://osvdb.org/show/osvdb/80918
http://www.securityfocus.com/bid/52850/
http://xforce.iss.net/xforce/xfdb/74563
http://packetstormsecurity.org/files/111486/CMS-Made-Simple-1.10.3-Cross-Site-Scripting.html
http://1337day.com/exploits/17921

 

SocialCMS <= 1.0.2 XSS (Persistent and Reflected) Vulnerabilities

SocialCMS 1.0.2 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of  “TR_title” parameter, passed to “my_admin/admin1_list_pages.php” via http POST method. Exploiting this vulnerability an authenticated user – which is able to publish an article – could insert arbitrary code in web management interface “Title” field – under “my_admin/admin1_list_pages.php?id=<page_id>&action=edit” – that will be executed when an administrator – or another user – will browse that web page.

Improper input sanitization of “TR_title” parameter causes also a Reflected XSS for the user which inserts html/javascript code.

MITRE CVE Numbering Authority assigned me CVE-2012-1982 for this vulnerability.

To view my Original Advisory:
SocialCMS 1.0.2 XSS (Persistent and Reflected) Advisory

Other related publications:
http://secunia.com/advisories/44313
http://osvdb.org/show/osvdb/80794
http://xforce.iss.net/xforce/xfdb/74540
http://xforce.iss.net/xforce/xfdb/74541
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1982
http://www.us-cert.gov/cas/bulletins/SB12-100.html
http://packetstormsecurity.org/files/111409/SocialCMS-1.0.2-Cross-Site-Scripting.html
http://www.securelist.com/en/advisories/44313
http://1337day.com/exploits/17895
http://www.cvedetails.com/cve/CVE-2012-1982/

SyndeoCMS <= 3.0.01 Persistent XSS

SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of  “email” parameter, passed to server side logic (path: “starnet/index.php”) via http POST method.
Exploiting this vulnerability an authenticated user – which is able to change his profile settings – could insert arbitrary code in “Site email” field that will be executed when another admin or user clicks on that user’profile.

MITRE CVE Numbering Authority assigned me CVE-2012-1979 for this vulnerability.

To view my Original Advisory:
SyndeoCMS <= 3.0.01 Persistent XSS Advisory

Other related publications:
http://osvdb.org/show/osvdb/80746
http://www.securityfocus.com/bid/52840
http://xforce.iss.net/xforce/xfdb/74545
http://packetstormsecurity.org/files/111405/SyndeoCMS-3.0.01-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18686/
http://1337day.com/exploits/17894
http://www.thecybernuxbie.com/exploit-report/syndeocms-3-0-01-persistent-xss-vulnerability.aspx