Category Archives: Web Vulnerabilities

Simple Php Agenda <= 2.2.8 Multiple CSRF Vulnerabilities

Posted on
Reply

Simple Php Agenda 2.2.8  (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, delete an existing administrator, create/delete a new event and change any other parameters. In this document I will only  demonstrate how to:
– add a new administrator
– delete a existing administrator
– add a new event
– delete an existing event.
Other parameters can be also modified.

To view my Original Advisory:
Simple PHP Agenda 2.2.8 Multiple CSRF Advisory

MITRE CVE Numbering Authority for this vulnerability assigned me CVE-2012-1978

Other related publications:
http://secunia.com/advisories/48685
http://www.osvdb.org/show/osvdb/80793
http://xforce.iss.net/xforce/xfdb/74539
http://packetstormsecurity.org/files/111408/Simple-PHP-Agenda-2.2.8-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/48685
http://1337day.com/exploits/17893
http://www.thecybernuxbie.com/exploit-report/simple-php-agenda-2-2-8-csrf-add-adminadd-new-event.aspx

Wolf CMS new Persistent XSS

Posted on
Reply

Wolfcms 0.75 (and lower) is prone to  a persistent XSS vulnerability due to an improper input sanitization of  “setting[admin_email]” parameter, passed to server side logic (path: “wolfcms/admin/setting”) via http POST method.
Exploiting this vulnerability an authenticated admin could insert arbitrary code in “Site email” field which will be executed  when another admin clicks on “Administrator” tab.

To view my Original Advisory:
Wolfcms 0.75 new Pesistent XSS

Other related publications:
Packetstorm
Inj3ct0r
Security Focus
CVE-2012-1932
OSVDB

 

Wolfcms <= 0.75 Multiple Vulnerabilities

Posted on
Reply

Wolfcms 0.75 (and lower) is prone to multiple CSRF vulnerabilities that allow to delete admin/user, delete web pages, delete “images” and “themes” directory, force logout  when an authenticated admin/user browses a special crafted web page.
This cms is also affected by XSS vulnerabilities in “wolfcms/admin/user/add” pages due to an improper input sanitization of “user[name]”, “user[email]” and “user[username]” parameters passed via POST http method.

To view my Original Advisory:
Wolfcms 0.75 Multiple Vulnerabilities (CSRF-XSS)

Other related publications:
Inj3ct0r
Packet Storm
Secunia
Kaspersky Lab
Offensive Security DB
IBM X-Force Wolfcsm XSS
IBM X-Force Wolfcms CSRF
OSVDB
NIST – NVDB

 

Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

Posted on
Reply

The web interface of this router is affected by multiple CSRF vulnerabilities which allows to change the following device’s parameters:

    • Disable Mac Filtering
    • Disable/Modify IP/Port Filtering
    • Disable/Modify Port Forwarding
    • Disable/Modify Wireless Access Control
    • Disable Wi-Fi Protected Setup
    • Disable/Modify URL Blocking Filter
    • Disable/Modify Domain Blocking Filter
    • Disable/Modify IP Address ACL
    • Change Wireless Passphrase
    • Enable/Modify Remote Access (also on WAN interface)

To view my Original Advisory:
Sitecom WLM-2501 new Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

Other related publications:
Secunia Advisory SA48840
Inj3ct0r
Packet Storm
Offensive Security DB
Security Focus
IBM X-Force
OSVDB
http://packetstormsecurity.org/files/111941/Secunia-Security-Advisory-48840.html

FlexCMS Multiple CSRF Vulnerabilities

Posted on
Reply

FlexCMS 3.2.1(latest version) suffers from multiple CSRF vulnerabilities which could allow an attacker to change any parameters when an authenticated user/admin browses a special crafted web page. In this Advisory I’ve only demonstrate how to change settings of user “demo” (is default user of demo page) and also I’ve created a new web page.

To read more about them you can download my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1901 for this vulnerability,

Other related publications:

Offensive Security Exploit-DB
NIST – National Vulnerability Database
Inj3ct0r
Packet Storm
Secunia Advisory SA48451
Kaspersky Lab Advisory
OSVDB
IBM X-Force

Sitecom WLM-2501 Change Wireless Passphrase

Posted on
Reply

Yesterday I’ve discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.

To know more about these vulnerabilities please read my Original Advisory.

MITRE CVE Numbering Authority assigned me CVE-2012-1921 and CVE-2012-1922 for these vulnerabilities.

Other sources have published my Advisory:
Secunia Security Advisory 48840
Packet Storm
Offensive Security Exploit-DB
Inj3ct0r
IBM X-Force
Security Focus
http://packetstormsecurity.org/files/111941/Secunia-Security-Advisory-48840.html

More about Drupal 7.12 CSRF Exploit

Posted on
Reply

This morning I’ve received a tweet from Heine – who “provide free Drupal support on the Drupal.org forum” –  who invite me to read his article (Heine’s article) about my security advisory related to latest stable version (7.12) of Dupal cms.

In his article Heine said that I’ve “rightly identified” a CSRF vulnerability which allows to force logout administrator, but he does not refer to the main problem which I’ve identified in my advisory:  form_token (anti-CSRF) security flaw, as you can read in my security advisory:
http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html

“form_token” (anti-CSRF) security flaw
As reported in my Advisory:

“In “form_token” parameter there is another security flaw inside the logic with which this parameter is generated, because is used the  same parameter for for similar operations  in the same session (for example for article’s creation Drupal assigns the same “form_token”, for admin/user
creation Drupal assigns the same “form_token” and so on). This flaw can be used by un attacker which  knows the values of “form_buid_id” and “form_token” parameters (for example an internal attacker performing a “Man in The Middle Attack” or an external attacker that controls an internal client by an client-side exploit, an external attacker that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities to create an “ad-hoc” crafted web page that allows to performs any Drupal changes (add administrator, delete administrator, add web pages, delete  web pages, and so on) when a Drupal administrator or User browses that crafted web page.

This means that the anti-CSRF “form_token” parameter is not unique for any operations but is the same (in the same session obviously) for similar operation. An attacker – also with low knowledge of Man in the Middle attack – can sniff  anti-CSRF parameter and – without make a rewrite rule in order to modify the traffic in real time (this might require some more skills) – could use sniffed  “form_token” parameter to change Drupal settings.
This is the main flaw which I’ve described and which Heine did not mention in his article.

“form_buid_id” parameter 
As you can read in my advisory I’ve never said that “form_build_id” is an anti-CSRF parameter but I’ve noticed as is possible to use any Drupal compatible form_build_id instead of the right one – specifically created  for that operation – in order to use my exploit and add an Drupal admin.
You said that form_build_id is used “to fetch state from a database table during certain operations.” Do you think that is normal that I can modify a parameter as I want and Drupal does not care about it?


Http Referer
I confirm you that if you would make void my exploit Drupal have to:

  • use “http referer” check , which is not in contradiction with form_token check, but  it can only increase Drupal’s security level. 
  •  fix “form_token” flaw.

HTTPS protection
Drupal default installation does not provide default http to https redirection.

p.s. I think that Drupal is a great cms and may be I’ll use it in my blog.

Webfolio <= 1.1.4 Multiple XSS

Posted on
Reply

WebfolioCMS 1.1.4 (and lower) is prone to multiple XSS vulnerabilities in “webfolio/admin/users/edit/<used_id>” path  – where <used_id> = 1….n – due to an improper input sanitization.

To download my Original Advisory:
Webfolio <= 1.1.4 Multiple XSS

Other publications:
http://packetstormsecurity.org/files/110524/Webfolio-CMS-1.1.4-Cross-Site-Scripting.html
http://1337day.com/exploits/17634
http://www.securityfocus.com/bid/52335
http://osvdb.org/show/osvdb/80218