Recent Curesec Publications

VDSL Client Modem ALL-BM100VDSL2: XSS
2017 Apr 13

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability, but this requirement can be bypassed via CSRF.

VDSL Client Modem ALL-BM100VDSL2: CSRF
2017 Apr 13

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF. Because of this it is possible to add a new admin user.  

VDSL Client Modem ALL-BM100VDSL2: Broken Authentication and Default Root User
2017 Apr 13

The authentication of the web interface of the VDSL Client Modem ALL-BM100VDSL2 relies on local IP addresses and can thus be bypassed by an attacker with access to the local network as long as any user is currently authenticated. Additionally, the system contains an undocumented default user with a hardcoded password who has root access to the device.  

pfsense 2.3.2: Code Execution
2017 Mar 24

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code execution. It should be noted that by default, only an administrator can access the setup wizard. By default, administrators have far-reaching permissions via the wizard and via other functionality. There are, however, some custom configurations where this vulnerability could lead to privilege escalation or undesired code execution.

pfsense 2.3.2: XSS
2017 Mar 24

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), it is vulnerable to reflected XSS. XSS can lead to disclosure of cookies, session tokens etc.  

pfsense 2.3.2: CSRF
2017 Mar 24

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the actions of creating and deleting firewall rules are vulnerable to CSRF, enabling an attacker to edit these rules with a little bit of social engineering.

HumHub 0.20.1 / 1.0.0-beta.3: Code Execution
2017 Mar 17

HumHub is a social media platform written in PHP. In version 0.20.1 as well as 1.0.0-beta.3, it is vulnerable to code execution, as some functionality allows the uploading of PHP files. Successful exploitation requires specific server settings. A user account is required as well, but registration is open by default.

HumHub 1.0.1: XSS
2017 Mar 17

HumHub is a social media platform written in PHP. In version 1.0.1 and earlier, it is vulnerable to a reflected XSS attack if debugging is enabled, as well as a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.   

phplist 3.2.6: XSS
2017 Feb 20

Written by Tim Coen

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to reflected and persistent cross-site scripting. The persistent XSS vulnerability is only exploitable by users with specific privileges and may be used for escalating privileges.

phplist 3.2.6: SQL Injection
2017 Feb 20

Written by Tim Coen

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to SQL injection. The application contains two SQL injections, one of which is in the administration area and one which requires no credentials. Additionally, at least one query is not properly protected against injections. Furthermore, a query in the administration area discloses some information on the password hashes of users.