Include old advisories

pandujar · Sep 14, 2015 · 3bdb622 · 3bdb622
1 parent 651577b
commit 3bdb622
Show file tree

Hide file tree

Showing 11 changed files with 1,862 additions and 0 deletions.
diff --git a/CM3.AcoraCMS.v6.txt b/CM3.AcoraCMS.v6.txt
@@ -0,0 +1,144 @@
+          ===============================
+                   - Advisory -
+          ===============================
+
+  Tittle:   CM3 AcoraCMS - Several Vulnerabilities 
+    Risk:   Medium
+    Date:   12.Sept.2012
+  Author:   Pedro Andujar
+ Twitter:   @pandujar
+
+
+.: [ INTRO ] :.
+
+Acora CMS is a sleek and powerful off-the-shelf content management application coupled with a deep and extensible advanced website development framework at a killer price. This home grown product is one of DDSN's key differentiators. It's in use by many high profile clients, but easily scales down for smaller websites too. 
+
+AcoraCMS is widely used accross Austalian IT companies, Banks and government websites.
+
+
+.: [ TECHNICAL DESCRIPTION ] :.
+
+AcoraCMS, v6.0.6/1a, v6.0.2/1a, v5.5.7/12b, v5.5.0/1b-p1  (and probably others), are prone to several security issues as described below;
+
+
+.: [ ISSUE #1 }:.
+
+Name: Reflected Cross Site Scripting
+Severity: Medium 
+CVE: CVE-2013-4722
+
+Due to lack of input validation and output escaping in the default.asp page,
+parameters such username, url, qstr, etc. can be used by an attacker to perform XSS
+attacks.
+
+Example:
+
+/AcoraCMS/Admin/login/default.asp?username="</div><script>alert(document.cookie)</script>
+
+/AcoraCMS/Admin/login/default.asp?url="</form><META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.google.es">
+
+
+.: [ ISSUE #2 }:.
+
+Name: URL Redirect
+Severity Medium
+CVE: CVE-2013-4723
+
+URL redirection functionality doesn't verify that VirtualPath are relatives.
+
+Example:
+
+/AcoraCMS/track.aspx?m=1&l=//www.google.es
+
+
+.: [ ISSUE #3 }:.
+
+Name: Username and password sent in clear text
+Severity: Medium
+
+Authentication credentials (username and password) and session cookies are unencrypted.
+
+
+.: [ ISSUE #4 }:.
+
+Name: Cookie Lack of Hardening
+Severity: Low
+CVE: CVE-2013-4724 & CVE-2013-4725
+
+Cookies are not hardened using HttpOnly or Secure flags.
+
+
+.: [ ISSUE #5 }:.
+
+Name: XSRF
+Severity: Low
+CVE: CVE-2013-4726
+
+The application lacks controls to prevent Cross Site Request Forgery. 
+
+
+.: [ ISSUE #6 }:.
+
+Name: Information Leaks
+Severity: Low
+CVE: CVE-2013-4727 & CVE-2013-4728
+
+* Unauthenticated users are able to retrive _viewstate encoded base64 information.
+
+/AcoraCMS/Admin/top.aspx
+
+<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
+value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg"
+/>
+</div>
+
+Once decoded gives you information about the version and license including the company who owns the license, it 
+could be used for fingerprinting the application:
+
+-486210519 d  f d     d     d
+f     Text $DigitalSec Networks Websited      
+Enterprised         v5.4.5/4a-cdd        Anonymous (Public Internet
+User)d        VisiblehdddÒq  ^er (
+
+
+* Application Physical Path exposed to unauthenticated users
+
+/AcoraCMS/track.aspx?m=1&l=..\..
+
+Exception Details: System.Web.HttpException: Cannot use a leading ..
+to exit above the top directory.
+Source File: d:\Path\to\site\AcoraCMS\track.aspx.cs    Line: 57
+
+
+
+.: [ CHANGELOG ] :.
+
+  * 12/Sep/2012:   - Vulnerability discovered.
+  * 27/May/2013:   - Vendor contacted. No response
+  * 19/Aug/2013:   - Vendor recontacted. No response
+  * 26/Aug/2013:   - Public
+
+.: [ SOLUTIONS ] :.
+
+N/A
+
+
+
+
+.: [ REFERENCES ] :.
+
+   [+] Acora CMS 
+    http://www.ddsn.com/knowledge-base/cm3-acora-cms.aspx
+
+   [+] Clients & Projects
+    http://www.ddsn.com/portfolio/clients.aspx
+
+   [+] CM3CMS
+    http://www.cm3cms.com/
+
+   [+] !dSR - Digital Security Research
+    http://www.digitalsec.net/
+
+
+
+
diff --git a/CiscoIronPort.7.1-XSS.txt b/CiscoIronPort.7.1-XSS.txt
@@ -0,0 +1,113 @@
+          ===============================
+                   - Advisory -
+          ===============================
+
+  Tittle:   Cisco IronPort Security Management Appliance - Multiple issues
+    Risk:   Medium
+    Date:   20.May.2013
+  Author:   Pedro Andujar
+ Twitter:   @pandujar
+
+
+.: [ INTRO ] :.
+
+
+The Cisco Security Management Appliance helps to enable flexible management and comprehensive security control 
+at the network gateway. Is a central platform for managing all policy, reporting, and auditing information 
+for Cisco web and email security appliances.
+
+
+.: [ TECHNICAL DESCRIPTION ] :.
+
+Cisco IronPort Security Management Appliance M170 v7.9.1-030 (and probably other products), are prone to several security issues 
+as described below;
+
+
+.: [ ISSUE #1 }:.
+
+Name: Reflected Cross Site Scripting
+Severity: Low 
+CVE: CVE-2013-3396
+
+There is a lack of output escaping in the default error 500 page. When a exception occurs in the application, the error
+description contains user unvalidated input from the request:
+
+** PoC removed as requested by Cisco. **
+
+
+.: [ ISSUE #2 }:.
+
+Name: Stored Cross Site Scripting
+Severity: Medium
+
+Due to a lack of input validation on job_name, job_type, appliances_options and config_master parameters which are then 
+printed unscapped on job_name, old_job_name, job_type, appliance_lists and config_master fields.
+
+
+** PoC removed as requested by Cisco. **
+
+
+.: [ ISSUE #3 }:.
+
+Name: CSRF Token is not used
+Severity: Low
+CVE: CVE-2013-3395
+
+CSRFKey is not used in some areas of the application, which make even easier to exploit Reflected XSS Issues. In the /report area 
+of the application, we got no error even when completely removing the parameter CSRFKey; 
+
+** PoC removed as requested by Cisco. **
+
+See: http://tools.cisco.com/security/center/viewAlert.x?alertId=29844
+
+.: [ ISSUE #4 }:.
+
+Name: Lack of password obfuscation
+Severity: Low
+
+When exporting the configuration file even if you mark the "mask password" option, the SNMPv3 password still appears in cleartext.
+
+
+.: [ CHANGELOG ] :.
+
+  * 20/May/2013:   - Vulnerability found.
+  * 27/May/2013:   - Vendor contacted.
+  * 11/Jul/2013:   - Public Disclosure
+
+
+.: [ SOLUTIONS ] :.
+
+Thanks to Stefano De Crescenzo (Cisco PSIRT Team), because of his professional way of managing the entire process.
+
+Stored XSS
+CSCuh24755
+
+Reflected XSS
+http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3396
+
+SNMP password issue
+CSCuh27268, CSCuh70314
+
+CSRF
+http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3395
+
+
+.: [ REFERENCES ] :.
+
+   [+] Cisco Content Security Management Appliance M170
+    http://www.cisco.com/en/US/products/ps12503/index.html
+
+   [+] Cisco Security Advisories
+    http://tools.cisco.com/security/center/publicationListing.x
+
+   [+] !dSR - Digital Security Research
+    http://www.digitalsec.net/
+
+
+
+
+
+
+                    -=EOF=-
+
+