Explore all Exploits:

Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface.

Path Traversal and Open Redirect in Bonita BPM Portal

Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.

SQL Injection in ISPConfig

The vulnerability exists due to insufficient filtration of input data passed via the 'server' HTTP GET parameter to the '/monitor/show_sys_state.php' script before executing a SQL query. A remote authenticated attacker can pass arbitrary SQL commands to the vulnerable script and execute them in the application’s database. Successful exploitation of this vulnerability will allow an attacker to read, insert and modify arbitrary records in the database and compromise the entire web application, but requires the attacker to be authenticated and to have 'monitor' privileges. However, in combination with the CSRF vulnerability to which the application is also vulnerable, this vulnerability becomes exploitable by a remote non-authenticated attacker.

GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit

The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability. An attacker can exploit this vulnerability to retrieve and download files stored on the server, such as 'boot.ini' and 'win.ini', using a simple URL request made from a browser.

FiverrScript CSRF Vulnerability (add New admin)

FiverrScript is vulnerable to a CSRF attack (no CSRF token in place), meaning that if an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/fiverrscript/administrator/admins_create.php) that will add a new user as administrator. Once exploited, the attacker can log in to the admin panel (http://localhost/fiverrscript/administrator/index.php) using the username and the password he posted in the form.

Authentication Bypass in Pandora FMS

A vulnerability has been discovered in Pandora FMS that permits an unauthenticated user to change the password for any Pandora user without knowing the actual user password. The vulnerability occurs at the login screen due to the session not being checked before the password is changed.

WordPress Plugin RobotCPA V5 – Local File Include

The affected file is f.php and the get-parameter 'l' is vulnerable to local file inclusion. We just need to base64 encode our injection, like 'php://filter/resource=./../../../wp-config.php' or 'file:///etc/passwd', and then use it in a URL like 'http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk' to view the content of the passwd file.

HP WebInspect – XML External Entity

A website was created that exploits the vulnerability by using an OOB technique. The website contains a hidden input field with a payload that contains an XML External Entity. The entity references a file on the attacker's host which specifies which file should be retrieved from the remote host and where the content of that file should be sent. Another website was created that steals hashes of the Administrator user. The attacker needs to start a tool on the server that captures hashes. The exploit is triggered while profiling or scanning the created application using vulnerable versions of HP WebInspect.

Recent Exploits: