Thursday, February 28, 2013

HTB23144: Piwigo CSRF & Path Traversal vulnerabilities

Piwigo

Two security issues in Piwigo version 2.4.6 were discovered and disclosed by High-Tech Bridge Security Research Lab. This web photo gallery software suffers from CSRF (Cross-Site Request Forgery) and Path Traversal vulnerabilities:
1. Path Traversal: The vulnerability exists due to insufficient filtration of user-supplied input in the "dl" HTTP GET parameter passed to the "install.php" script. The script is present on the system after installation by default and can be accessed by an attacker without any restrictions.
2. Cross-Site Request Forgery (CSRF) in Piwigo: The vulnerability exists due to insufficient verification of the HTTP request origin in the "admin.php" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and create an arbitrary PHP file on the remote server. An interesting PoC is available in High-Tech Bridge's Advisory HTB23144.
Advisory ID: HTB23144
Vendor Notification / Patch / Public Disclosure Dates: February 6 / February 19 / February 27
Software weaknesses type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]
Risk level: High
Solution Status: Fixed by Vendor, Upgrade to Piwigo 2.4.7
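As an added example (not Piwigo's code), the defensive pattern for the two issue classes above: a file-name parameter such as "dl" is confined to one directory by comparing canonical paths, and state-changing admin requests carry a per-session token. The base directory, the token and session field names, and the request layout are assumptions for illustration.

```php
<?php
// Added example, not Piwigo's code. Confines a user-supplied file name to
// one directory and checks a CSRF token; names below are assumptions.

function resolve_within(string $base, string $dl): ?string
{
    // Empty names and embedded null bytes are rejected outright.
    if ($dl === '' || strpos($dl, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "../", "./" and symlinks, so the prefix check
    // below runs on the canonical path, not on the attacker-supplied string.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $dl);
    if ($target === false) {
        return null;  // file does not exist or is unreadable
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;  // canonical path escaped the allowed directory
    }
    return $target;
}

// Token must be created once per session with bin2hex(random_bytes(32))
// and embedded in every admin form; comparison is constant-time.
function csrf_token_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Usage, assuming a request of the form install.php?dl=<name>:
$base = __DIR__ . '/downloads';   // assumed allowed directory
$path = resolve_within($base, (string) ($_GET['dl'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
readfile($path);
```

Since the advisory notes that install.php stays on the system after setup, deleting it once installation is complete removes the exposed code path regardless of how the parameter is validated.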

Wednesday, February 27, 2013

HTB23143: Geeklog 1.8.2 Cross-Site Scripting (XSS) vulnerability

Geeklog CMS

A Cross-Site Scripting (XSS) vulnerability has been discovered in Geeklog version 1.8.2.

The HTB23143 security advisory describes XSS in the "calendar_type" HTTP POST parameter passed to the "calendar/index.php" script. An exploitation example for this medium-risk (CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)) vulnerability is available on the security researcher's page.

Solution available for this issue: upgrade to Geeklog 1.8.2sr1.

More about cross-site scripting, a vulnerability in web applications which attackers may exploit to steal users' information, can be read on Wikipedia.

Wednesday, February 20, 2013

HTB23142: glFusion 1.2.2 cross-site scripting (XSS) vulnerabilities

glFusion

Multiple cross-site scripting (XSS) vulnerabilities in glFusion version 1.2.2 were discovered by High-Tech Bridge Security Research Lab. They can be exploited to perform cross-site scripting attacks.

According to the HTB23142 Security Advisory, glFusion installs by default a "bad_behaviour" plugin that verifies the HTTP Referer header (aimed at protecting against spambots). The plugin also makes reflected XSS attacks against the application more complex. To bypass this restriction, the PoC (Proof-of-Concept) codes in the advisory for vulnerabilities 1–3 modify the HTTP Referer header.

The vulnerabilities exist due to insufficient filtration of user-supplied data in: 1) the "subject" HTTP POST parameter passed to the "/profiles.php" script; 2) the "address1", "address2", "calendar_type", "city", "state", "title", "url" and "zipcode" HTTP POST parameters passed to the "/calendar/index.php" script; 3) the "title" and "url" HTTP POST parameters passed to the "/links/index.php" script; 4) the URI after the "/admin/plugins/mediagallery/xppubwiz.php" script.

Solution status: vulnerabilities are now fixed, upgrade to glFusion v1.2.2 Patch Level #4 (v1.2.2.pl4), more info: glfusion.org/article.php/glf122_update_20130130_01

Wednesday, February 13, 2013

HTB23134: jforum multiple vulnerabilities

Vulnerabilities in jforum 2.1.9 were reported today by High-Tech Bridge Security Research Lab; they can be exploited to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Proof-of-Concept (PoC) examples are available on the advisory page.

The cross-site scripting (XSS) vulnerabilities in jforum exist due to insufficient filtration of user-supplied input in the "start" HTTP POST parameter in "jforum.page", the "action" HTTP POST parameter in "jforum.page", and the "returnUrl", "forum_id" and "topic_id" HTTP POST parameters in "jforum.page".

The CSRF (cross-site request forgery) vulnerability in jforum exists due to insufficient verification of the HTTP request origin in the "jforum.page" script. A PoC is available on the advisory page.

Tuesday, February 12, 2013

Manipulating Memory for Fun & Profit

Memory analysis and manipulation can provide security analysts with formidable weapons. During his talk at Information Security Day for ISACA Luxembourg Chapter, where High-Tech Bridge was Gold Sponsor, Frederic BOURLA presented most memory manipulation tricks from both offensive and defensive angles. The talk first dealt with the attacker’s layer, from pivoting attacks to IEEE1394 issues through in-memory fuzzing, which permits auditors to bypass built-in features, network limitations and encryption to remain able to uncover security vulnerabilities in a running application. In a second stage, the talk focused on the benefits of memory manipulation in computer forensics and malware analysis fields, especially when facing sophisticated malcode, such as kernel rootkits or heavily encrypted reverse trojans. Basically, this talk aimed to open the doors to a fascinating world which could easily allow security analysts to save lots of time during their recurrent duties.

Three demo videos are available on the publication page, original URL: Manipulating Memory for Fun & Profit.

Thursday, February 7, 2013

HTB23140: Wysija Newsletters WordPress plugin SQL injection vulnerability

Wysija Newsletters

Wysija Newsletters WordPress plugin version 2.2 suffers from an SQL injection vulnerability (HTB23140), which can be exploited to perform SQL injection attacks.

The vulnerabilities exist due to insufficient filtration of user-supplied input passed via the "search" and "orderby" HTTP GET parameters to the "wp-admin/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to cross-site request forgery attacks.

Upgrade to Wysija Newsletters version 2.2.1 to fix this vulnerability.
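As an added example (not the Wysija plugin's code), here is how an admin list page can take the two parameters named above without letting either reach SQL unchecked: "search" is a value and is bound with $wpdb->prepare(), while "orderby" names a column, cannot be bound, and is therefore restricted to an allowlist; a nonce check closes the CSRF vector. The table name, column names and nonce action are assumptions.

```php
<?php
// Added example, not the Wysija plugin's code. Table, columns and the
// nonce action name are assumptions for illustration.

function wysija_example_build_query(wpdb $wpdb, array $get): ?string
{
    // orderby is an identifier, not a value, so prepare() cannot protect it:
    // accept only known column names and reject everything else.
    $allowed_order = ['email', 'created_at', 'status'];
    $orderby = isset($get['orderby']) ? (string) $get['orderby'] : 'created_at';
    if (!in_array($orderby, $allowed_order, true)) {
        return null;
    }
    $order = (isset($get['order']) && strtoupper((string) $get['order']) === 'DESC') ? 'DESC' : 'ASC';

    // search is a value: strip slashes and tags, escape LIKE wildcards,
    // then bind it as %s so quoting is handled by $wpdb.
    $search = isset($get['search']) ? sanitize_text_field(wp_unslash($get['search'])) : '';
    $table  = $wpdb->prefix . 'wysija_user';   // assumed table name
    if ($search === '') {
        return "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
    }
    $like = '%' . $wpdb->esc_like($search) . '%';
    return $wpdb->prepare(
        "SELECT * FROM {$table} WHERE email LIKE %s ORDER BY {$orderby} {$order}",
        $like
    );
}

// Admin page handler: the capability check limits who reaches the query,
// the nonce check rejects requests forged from another site.
function wysija_example_admin_page(): void
{
    global $wpdb;
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', ['response' => 403]);
    }
    check_admin_referer('wysija_example_list');   // dies on a missing or invalid nonce
    $sql = wysija_example_build_query($wpdb, $_GET);
    if ($sql === null) {
        wp_die('invalid sort column', '', ['response' => 400]);
    }
    $rows = $wpdb->get_results($sql, ARRAY_A);
    // ... render $rows; links that submit these parameters are built with
    // wp_nonce_url($url, 'wysija_example_list') so the nonce travels with them.
}
```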

Wednesday, February 6, 2013

HTB23138: CommentLuv WordPress plugin cross-site scripting (XSS) vulnerability

CommentLuv WordPress plugin

A cross-site scripting (XSS) vulnerability was discovered by High-Tech Bridge Security Research Lab in CommentLuv WordPress plugin 2.92.3, which can be exploited by malicious people to perform attacks. The vulnerability exists due to insufficient filtration of user-supplied data in the "_ajax_nonce" HTTP POST parameter in the "wp-admin/admin-ajax.php" script.

CommentLuv is a popular WordPress plugin that will magnetize your readers, socialize your comments and viralize your posts.

Solution: upgrade to CommentLuv 2.92.4.

Friday, February 1, 2013

High-Tech Bridge: sponsor at Black Hat Europe 2013

Black Hat Europe 2013

High-Tech Bridge announced its sponsorship of Black Hat Europe 2013. This information security professionals' conference will take place from March 12th to 15th, 2013, at the NH Grand Hotel Krasnapolsky in Amsterdam, The Netherlands.

Black Hat Briefings description from Wikipedia:

The Black Hat Briefings is a computer security conference that brings together a variety of people interested in information security. Representatives of federal agencies and corporations attend along with hackers. The Briefings take place regularly in Las Vegas, Barcelona (previously Amsterdam) and Tokyo. An event dedicated to the Federal Agencies is organized in Washington, D.C.
Black Hat was founded in 1997 by Jeff Moss, most famous for creating the Black Hat and DEF CON, which are considered the premier information security conferences in the world, Black Hat 2009 hosting 4,000 digital experts and professionals. Black Hat started as a single annual conference held yearly in Las Vegas, and is now held in multiple locations around the world.