Friday, September 27, 2013

HTB23172: X2CRM's multiple security vulnerabilities


High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in X2CRM version 3.4.1, which can be exploited to include arbitrary local files and execute arbitrary PHP code, as well as to perform cross-site scripting (XSS) attacks against users of the vulnerable application.

A PHP file inclusion vulnerability in X2CRM exists due to insufficient filtering of the "file" HTTP GET parameter passed to the "index.php/admin/translationManager" URL before it is used in the PHP "include()" function. A remote authenticated administrator can include and execute arbitrary local PHP files on the target system using directory traversal sequences. Successful exploitation of this vulnerability requires administrative privileges; however, it can also be exploited via a CSRF vector, to which the application is prone.
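As an added illustration (this is not X2CRM's code), the include() pattern described above next to a hardened version: the request supplies only a key into a fixed allowlist, never a path, and the resolved file is additionally checked to lie inside the translations directory. The directory layout, file names and function names are assumptions.

```php
<?php
// Added example, not X2CRM's code. Paths and names are assumptions.

// Unsafe pattern: the request decides which file is included, so any traversal
// sequence in the parameter reaches include() unchanged. Shown only for contrast.
function loadTranslationUnsafe(string $file): void
{
    include __DIR__ . '/translations/' . $file;   // DO NOT USE
}

// Hardened: the request may only pick a key from this fixed allowlist.
const TRANSLATIONS = [
    'en' => 'en.php',
    'de' => 'de.php',
    'fr' => 'fr.php',
];

// Returns the absolute path of the allowlisted file, or null if the key is
// unknown or the resolved path escapes the translations directory.
function resolveTranslationFile(string $key): ?string
{
    if (!array_key_exists($key, TRANSLATIONS)) {
        return null;                        // unknown key: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/translations');
    $path = realpath($base . '/' . TRANSLATIONS[$key]);
    // Defence in depth: even an allowlisted entry must resolve inside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function loadTranslation(string $key): bool
{
    $path = resolveTranslationFile($key);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;                          // only a vetted, absolute path gets here
    return true;
}

// The "file" parameter still comes from the request, but it is now a lookup key.
$key = (string)($_GET['file'] ?? 'en');
loadTranslation($key);
```

Because the allowlist maps keys to names the application itself chose, the traversal sequences the advisory mentions can never reach include(); the realpath check is there so that a later, careless edit to the allowlist cannot silently reopen the hole.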

A cross-site scripting (XSS) vulnerability exists due to insufficient sanitisation of user-supplied data in the "model" HTTP GET parameter passed to the "index.php/admin/editor" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Solution: update to X2CRM 3.5. More information: www.htbridge.com/advisory/HTB23172.

Thursday, September 19, 2013

HTB23168: vtiger CRM's SQL Injection


High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in vtiger CRM version 5.4.0, which can be exploited to execute arbitrary SQL commands in the application's database.

vtiger CRM is an on-demand customer relationship management software that provides sales, marketing, and support teams with powerful tools to efficiently and effectively collaborate in providing the ideal customer experience.

This SQL injection vulnerability exists due to insufficient validation of the "onlyforuser" HTTP GET parameter passed to the "index.php" script. A remote authenticated user can execute arbitrary SQL commands in the application's database. Successful exploitation of this vulnerability requires the attacker to be registered and logged in, and registration is disabled by default, so the issue is rated medium severity with a CVSSv2 base score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P). Read the full advisory and solution details on htbridge.com.
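As an added example (not vtiger CRM's code), the kind of lookup a parameter like "onlyforuser" feeds, written once by splicing the value into the SQL text and once with shape validation plus a bound parameter. The table, column and function names are assumptions, and an in-memory SQLite database with constructed rows stands in for the real database so the block runs on its own.

```php
<?php
// Added example, not vtiger CRM's code. Schema and names are assumptions.

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE activity (id INTEGER PRIMARY KEY, owner_id INTEGER, subject TEXT)');
    $ins = $db->prepare('INSERT INTO activity (owner_id, subject) VALUES (?, ?)');
    foreach ([[1, 'Call customer'], [1, 'Send quote'], [2, 'Board meeting']] as $row) {
        $ins->execute($row);                 // constructed sample data
    }
    return $db;
}

// Unsafe: the parameter becomes part of the SQL text, so anything that is not a
// bare number changes the query itself. Shown only to contrast with the fix.
function activitiesForUserUnsafe(PDO $db, string $onlyForUser): array
{
    $sql = "SELECT id, subject FROM activity WHERE owner_id = $onlyForUser";   // DO NOT USE
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: 1) reject anything that is not a plain decimal id before touching SQL,
//       2) bind the value as a typed parameter so the driver never treats it as SQL.
function activitiesForUser(PDO $db, string $onlyForUser): array
{
    if (!ctype_digit($onlyForUser)) {
        throw new InvalidArgumentException('onlyforuser must be a numeric user id');
    }
    $stmt = $db->prepare('SELECT id, subject FROM activity WHERE owner_id = :owner ORDER BY id');
    $stmt->bindValue(':owner', (int)$onlyForUser, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openSampleDb();
print_r(activitiesForUser($db, '1'));        // the two rows owned by user 1
try {
    activitiesForUser($db, '1 x');           // malformed id: rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step is not a substitute for the bound parameter; it is there so that malformed input is refused with a clear error instead of being silently cast, while the prepared statement is what actually keeps data and query text apart.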

Monday, September 16, 2013

Nasdaq website security vulnerabilities


A penetration testing company uncovered security vulnerabilities on the NASDAQ website that remained open for two weeks after the stock exchange was notified.
NASDAQ Website Security Vulnerabilities Remained Open for Weeks After Alert (securityweek.com)

Exchange delayed fixing potentially critical website vulnerabilities despite multiple alerts, security firm says
Nasdaq waited two weeks to fix flaws (computerworld.com)

Ilia Kolochenko, head of Swiss information security company High-Tech Bridge, says he’s repeatedly warned Nasdaq.com that hackers could steal users’ browser history or confidential data, but claims the exchange has done nothing to fix the problem. 'It is quite frightening when you think about it,' he says.
Cybersecurity pro on Nasdaq website: 'I needed 10 minutes to hack' (nydailynews.com)

Thursday, September 12, 2013

ImmuniWeb® Self-Fuzzer Firefox Extension

High-Tech Bridge announced a new Firefox add-on: ImmuniWeb® Self-Fuzzer.

ImmuniWeb® Self-Fuzzer is a simple and free extension that fuzzes the user's HTTP requests in real time to detect SQLi and XSS vulnerabilities on a website, demonstrating how easily these two most common web weaknesses can be found by anyone.

Description in PDF format: ImmuniWeb® Self-Fuzzer Firefox Extension

A demo video is also available.

Wednesday, September 11, 2013

HTB23170: WikkaWiki 1.3.4 XSS vulnerability

WikkaWiki version 1.3.4 is vulnerable to cross-site scripting, as described in the HTB23170 security advisory. The vulnerability exists due to insufficient sanitisation of user-supplied data in the "wakka" HTTP GET parameter passed to the "/sql/" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. An exploit example is available on the security research page.

Solution: upgrade to WikkaWiki version 1.3.4-p1, which is available here.

Saturday, September 7, 2013

HTB23169: Collabtive - improper access control vulnerability


High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Collabtive version 1.0, which can be exploited to gain complete control over the application. The vulnerability exists due to improper access restrictions on the third installation step after the application has been successfully installed. A remote attacker can send a specially crafted HTTP POST request to the "install.php" script and create a new user with administrative privileges. The installation script is not deleted after the application is installed and is publicly accessible by default. Update to Collabtive 1.1 to fix this vulnerability.
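As an added example (not Collabtive's code), one way a multi-step installer can refuse to serve any step once installation has finished, and refuse to serve a later step before the earlier ones: a lock file written atomically at the end of the last step, plus a per-session record of the highest completed step. The lock file path, the step numbering and the function names are assumptions.

```php
<?php
// Added example, not Collabtive's code. Lock file path and step layout are assumptions.

const LOCK_FILE = __DIR__ . '/installed.lock';

function installationComplete(): bool
{
    return file_exists(LOCK_FILE);
}

// Gate every step: nothing is served after the lock exists, and step N is only
// reachable once step N-1 has been recorded in this session.
function requireStep(int $step): void
{
    if (installationComplete()) {
        http_response_code(403);
        exit('Installation already completed; remove install.php.');
    }
    $done = (int)($_SESSION['install_step_done'] ?? 0);
    if ($step > $done + 1) {
        http_response_code(403);
        exit('Complete step ' . ($done + 1) . ' first.');
    }
}

function finishStep(int $step): void
{
    $_SESSION['install_step_done'] = $step;
}

// 'x' mode creates the file and fails if it already exists, so two concurrent
// final requests cannot both believe they finished first.
function finishInstallation(): void
{
    $fh = fopen(LOCK_FILE, 'x');
    if ($fh === false) {
        http_response_code(409);
        exit('Installation already finalised.');
    }
    fwrite($fh, date('c'));
    fclose($fh);
    unset($_SESSION['install_step_done']);
}

session_start();
$step = (int)($_GET['step'] ?? 1);
requireStep($step);
switch ($step) {
    case 1: /* collect database settings */            finishStep(1); break;
    case 2: /* write configuration file */             finishStep(2); break;
    case 3: /* create the admin account from POST */   finishStep(3); finishInstallation(); break;
    default: http_response_code(404);
}
```

The lock file is the control that matters for the failure mode in this advisory: with it in place, a POST to the account-creation step after installation is rejected before any user record is written, whether or not install.php was ever deleted.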

Thursday, September 5, 2013

XSS in BackWPup WordPress plugin HTB23161

BackWPup version 3.0.12 (WordPress plugin) is vulnerable to cross-site scripting (XSS) attacks against the website administrator. The vulnerability exists due to insufficient filtering of user-supplied data in the "tab" HTTP GET parameter passed to the "wp-admin/admin.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Full details and a worked example of the BackWPup XSS vulnerability are available here. Solution: upgrade your installation to BackWPup 3.0.13.

Sunday, September 1, 2013

XSS in Twilight CMS & path traversal in DeWeS Web Server

Details and PoCs for the XSS in Twilight CMS 5.17 and the path traversal in DeWeS Web Server 0.4.2 are available here [1] and here [2].

HTB23165: BigTree CMS vulnerabilities - SQLi, XSS, XSRF

Multiple vulnerabilities were found in BigTree CMS 4.0 RC2 by the HTB Security Research Lab.

SQL Injection in BigTree CMS: CVE-2013-4879 - exists due to insufficient sanitisation of user-supplied data passed to the "site/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.

Cross-Site Request Forgery (CSRF) in BigTree CMS: CVE-2013-4881 - exists due to insufficient validation of the HTTP request origin. A remote attacker can create a malicious web page with a CSRF exploit, trick a logged-in administrator into opening that page, and create a new user with administrative privileges.

Cross-Site Scripting (XSS) in BigTree CMS: CVE-2013-4880 - exists due to insufficient filtering of user-supplied data in the "module" HTTP GET parameter passed to the "site/index.php/admin/developer/modules/views/add/" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
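As an added example (not BigTree CMS's code) covering both the CSRF and the XSS entries above, and the same reflected-parameter XSS pattern in the X2CRM, WikkaWiki and BackWPup posts: an admin "add user" form that carries a per-session synchronizer token, a handler that verifies the token in constant time before doing anything else, and output encoding of the reflected "module" value before it is placed in the page. The form action, field names and function names are assumptions.

```php
<?php
// Added example, not BigTree CMS's code. Route, field and function names are assumptions.

session_start();

// One random token per session; the form embeds it and the handler demands it back.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals compares in constant time; both operands must be non-empty strings.
function verifyCsrf(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Encode for HTML body and attribute context; ENT_QUOTES covers both quote kinds.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The reflected "module" value and the token are both encoded on the way out,
// so request data can only ever appear in the page as text.
function renderAddUserForm(string $module): string
{
    return '<form method="post" action="/admin/users/add">'
         . '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">'
         . '<p>Adding a user for module: ' . e($module) . '</p>'
         . '<input name="login"><button>Create</button>'
         . '</form>';
}

// A page opened from another site cannot read the token, so a forged POST
// arrives without it and is refused before the database is touched.
function handleAddUser(array $post): int
{
    if (!verifyCsrf($post)) {
        return 403;
    }
    // ... validate fields and create the user here ...
    return 200;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    http_response_code(handleAddUser($_POST));
} else {
    echo renderAddUserForm((string)($_GET['module'] ?? ''));
}
```

Encoding at output rather than "sanitising" at input is what makes the XSS fix robust: the value is stored and logged as the user sent it, and each rendering context applies the encoding that context needs.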

To fix these vulnerabilities, follow the instructions on the researcher's page.