IBM X-Force has published a new Advisory regarding my Razorcms vulnerability:
To read my Original Advisory:
Ivano Binetti’s RazorCMS Original Advisory
FlexCMS 3.2.1(latest version) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a special crafted web page. In this Advisory I’ve only demonstrate how to change settings of user “demo” (is default user of demo page) and also I’ve created a new web page.
To read more about them you can download my Original Advisory.
Yesterday I’ve discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.
To know more about these vulnerabilities please read my Original Advisory.
Other sources have published my Advisory:
Secunia Security Advisory 48840
Offensive Security Exploit-DB
IBM X-Force published an Advisory related to Webfolio <= 1.1.4 Multiple XSS that I’ve discovered in the past days.
For more details about my Original Advisory:
Drupal 7.12 – latest stable release – suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.
Poor Session Checking (CSRF to change any Drupal settings)
Drupal, to secure changes made by administrators or users through web management interface, uses “form_token” parameter which is sent inside any http POST request. There is a security flaw inside the logic with which this parameter is generated, as is used the same parameter for for similar operations (the same “form_id”) in the same session (for example for article’s creation Drupal assigns the same “form_token”, for admin/user
creation Drupal assigns the same “form_token” and so on).
Another flaw is inside “form_buid_id” parameter, which is used “to fetch state from a database table during certain operations”. This parameter is generated different for any operation an admin/user performs, but Drupal allows to use any other Drupal generated “form_buid_id” parameter
(like this: “form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8”) to make changes to Drupal settings through web management interface. So, even if Drupal creates a different “form_buid_id” for any operation you can use another “form_buid_id”compatible with Drupal instead of that generated by Drupa for that specific operation.
These flaws can be used by an attacker who knows the values of “form_buid_id” and “form_token” parameters (for example an internal attacker performing a “Man in The Middle Attack” or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities) to create an “ad-hoc” crafted web page
in order to makes any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, ….) when a Drupal administrator
or User browses that crafted web page.
Poor Session Checking (CSRF to Force administrator logout)
There is another vulnerability – always related to poor session checking / improper input validation – in “<drupal_ip>/user/logout” which allows an attacker to create a crafted web page an force logout of Drupal administrator/users at web management interface. This vulnerability – forcing administrator logout – will aid an attacker to sniff authentication credentials when a “Man in The Middle Attack” is performed.
Poor Session Checking (POST and GET method)
Drupal does not check “GET” or “POST” http method allowing, even though normal logout is made via http GET request, to exploit the above vulnerability using http POST method.
Poor Session Checking (Http Referer)
Drupal, furthermore, does not perform “http referer” checking, allowing to exploit all above described vulnerabilities.
Other web sites that have published my Advisory:
Furthermore MITRE CVE Numbering Authority, considers that:
Today IBM X-Force published my Advisory regarding multiple vulnerabilities which I’ve found in DFLabs PTK <= 1.0.5 which allow an attacker to steal administrator/investigator credentials.
For read my Original Advisory:
Yesterday IBM X-Force published my Advisory regarding a new CSRF vulneability that I’ve found in SyndeoCMS http://ivanobinetti.blogspot.com/2012/02/syndeocms-30-csrf-vulnerability.html
This vulnerability allows an attacker to change administrator password and gain access to the system.
IBM classified this vulnerability as “Highly Exploitable”.
For more details about IBM X-Force publication:
Few days ago I discovered a new CSRF vulnerability (http://ivanobinetti.blogspot.com/2012/02/plumecms-124-csrf-0day-vulnerability.html which affects all versions – included latest (1.2.4) – of Pluse CMS.
Today IBM X-Force published my Advisory and classified the “Exploitability:” of this vulnerability as “High”.
Fore more details: