Archived articles for 2017

VDSL Client Modem ALL-BM100VDSL2: XSS
2017 Apr 13

VDSL Client Modem ALL-BM100VDSL2: XSS

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability but this can be bypassed via CSRF.

VDSL Client Modem ALL-BM100VDSL2: CSRF
2017 Apr 13

VDSL Client Modem ALL-BM100VDSL2: CSRF

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF. Because of this it is possible to add a new admin user.

VDSL Client Modem ALL-BM100VDSL2: Broken Authentication and Default Root User
2017 Apr 13

VDSL Client Modem ALL-BM100VDSL2: Broken Authentication and Default Root User

The authentication of the web interface of the VDSL Client Modem ALL-BM100VDSL2 relies on local IP addresses and can thus be bypassed by an attacker with access to the local network as long as any user is currently authenticated. Additionally, the system contains an undocumented default user with a hardcoded password who has root access to the device.

pfsense 2.3.2: Code Execution
2017 Mar 24

pfsense 2.3.2: Code Execution

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code execution. It should be noted that by default, only an administrator can access the setup wizard. By default, administrators have far-reaching permissions via the wizard and via other functionality. There are however some custom configurations where this vulnerability could lead to privilege escalation or undesired code execution.

pfsense 2.3.2: XSS
2017 Mar 24

pfsense 2.3.2: XSS

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), it is vulnerable to reflected XSS. XSS can lead to disclosure of cookies, session tokens etc.

pfsense 2.3.2: CSRF
2017 Mar 24

pfsense 2.3.2: CSRF

pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the actions of creating and deleting firewall rules are vulnerable to CSRF, enabling an Attacker to edit these rules with a little bit of social engineering.

HumHub 0.20.1 / 1.0.0-beta.3: Code Execution
2017 Mar 17

HumHub 0.20.1 / 1.0.0-beta.3: Code Execution

HumHub is a social media platform written in PHP. In version 0.20.1 as well as 1.0.0-beta.3, it is vulnerable to Code Execution as some functionality allows the uploading of PHP files. Successfull exploitation requires specific server settings. A user account is required as well, but registration is open by default.

HumHub 1.0.1: XSS
2017 Mar 17

HumHub 1.0.1: XSS

HumHub is a social media platform written in PHP. In version 1.0.1 and earlier, it is vulnerable to a reflected XSS attack if debugging is enabled, as well as a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

phplist 3.2.6: XSS
2017 Feb 20

phplist 3.2.6: XSS

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to reflected and persitent Cross Site Scripting vulnerabilities. The persistent XSS vulnerability is only exploitable by users with specific privileges and may be used for escalating privileges.

phplist 3.2.6: SQL Injection
2017 Feb 20

phplist 3.2.6: SQL Injection

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to SQL injection. The application contains two SQL injections, one of which is in the administration area and one which requires no credentials. Additionally, at least one query is not properly protected against injections. Furthermore, a query in the administration area discloses some information on the password hashes of users.

Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS
2017 Feb 02

Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to multiple persistent as well as a reflected XSS issue. To exploit these vulnerabilities a user account is required most of the time but registration is open by default. XSS allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

Elefant CMS 1.3.12-RC: Open Redirect, Host Header Injection, Leakage of Password Hashes
2017 Feb 02

Elefant CMS 1.3.12-RC: Open Redirect, Host Header Injection, Leakage of Password Hashes

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to various low to medium impact issues, namely open redirect, host header injection, and the leakage of password hashes. Open redirect and host header injection can be used for phishing attacks. The leakage of password hashes is restricted to users with an admin account.

Elefant CMS 1.3.12-RC: CSRF
2017 Feb 02

Elefant CMS 1.3.12-RC: CSRF

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to cross site request forgery. If a victim visits a website that contains specifically crafted code while logged into Elefant, an attacker can for example create a new admin account without the victims knowledge.

Elefant CMS 1.3.12-RC: Code Execution
2017 Feb 02

Elefant CMS 1.3.12-RC: Code Execution

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to code execution because of two different vulnerabilities. It allows the upload of files with dangerous type, as well as PHP code injection. To exploit this a editor or admin account is required.

HTTP Strict Transport Security (HSTS)
2017 Jan 27

HTTP Strict Transport Security (HSTS)

This article will give a general overview over HTTP Strict Transport Security (HSTS) and discuss what attacks it tries to prevent, as well as how to use it correctly.

Plone: XSS
2017 Jan 26

Plone: XSS

Plone is an open source CMS written in python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS as it does not properly encode double quotes.

Tap 'n' Sniff
2017 Jan 19

Tap 'n' Sniff

This is the first of three articles about a cute sniffing device which can be used for redteam assessments but normal day analysis as well. In this part we will focus of setting up the basics.

Archived articles for 2016

Content Security Policy (CSP)
2016 Dec 20

Content Security Policy (CSP)

Content Security Policy (CSP) is a HTTP header that can be used as defense in depth to mitigate certain types of attacks, especially Cross-site scripting (XSS) and Clickjacking. This article will explain when and how to use CSP.

Advanced Clickjacking Attacks
2016 Dec 08

Advanced Clickjacking Attacks

It is often assumed that allowing a site to be framed only has minor security implications. Clickjacking in particular is often associated with low-impact issues such as stealing Facebook likes. This article will show that allowing a site to be framed may be a more potent attack vector than often assumed. Framing makes some vulnerabilities easier or more realistic to exploit. Clickjacking can be used for more than just stealing likes, and in some contexts Clickjacking can gain the full power of CSRF - albeit with more user interaction.

Reading Data via CSS Injection
2016 Dec 01

Reading Data via CSS Injection

Because modern browsers do not allow the execution of JavaScript via CSS, CSS Injection is often seen as very limited, with the main dangers being defacement by placing images into the vulnerable application, or performing very limited phishing attacks by placing additional content in places a user would not expect user-controlled data to show. This article will show that it is possible to use CSS Injections to read out secret data in a vulnerable web application, independent of the browser used by the victim. With a successful attack, it would for example be possible to read out an anti-CSRF token and thus to perform CSRF attacks.

The HS-110 Smart Plug aka Projekt Kasa
2016 Nov 24

The HS-110 Smart Plug aka Projekt Kasa

In this article we are going to have a closer look on a Smart Plug from TP-Link together with its control app. In the process of investigating the product, we reverse engineered the firmware and the app, managed to control the Smart Plug and steal login credentials.

 MyLittleForum 2.3.6.1: XSS & RPO
2016 Nov 10

MyLittleForum 2.3.6.1: XSS & RPO

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to reflected cross site scripting as well as relative path overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection, and RPO may lead to CSS injection.

SPIP 3.1: XSS & Host Header Injection
2016 Nov 10

SPIP 3.1: XSS & Host Header Injection

SPIP is a content management system written in PHP. In version 3.1, it is vulnerable to a persistent as well as reflected cross site scripting vulnerability as it allows users to enter URLs containing the JavaScript protocol, which an attacker can exploit to steal cookies, inject JavaScript keylogger, or bypass CSRF protection. Additionally, it contains a Host Header Injection which may lead to the leakage of password reset tokens and thus the compromisation of user accounts. Finally, the application discloses httpOnly cookies, making exploitation of XSS issues slightly easier.

Mezzanine 4.2.0: XSS
2016 Nov 10

Mezzanine 4.2.0: XSS

Mezzanine is an open source CMS written in python. In version 4.2.0, it is vulnerable to two persistent XSS attacks, one of which requires extended privileges, the other one does not. These issues allow an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

MyLittleForum 2.3.6.1: CSRF
2016 Nov 10

MyLittleForum 2.3.6.1: CSRF

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to cross site request forgery. An attacker could exploit this issue to add new users or change the status of existing users to administrator if a victim visits a website containing a specifically crafted payload while logged into MyLittleForum.

MoinMoin 1.9.8: XSS
2016 Nov 10

MoinMoin 1.9.8: XSS

MoinMoin is an open source Wiki application written in python. In version 1.9.8, it is vulnerable to two persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

Lepton 2.2.2: SQL Injection
2016 Nov 10

Lepton 2.2.2: SQL Injection

Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to multiple SQL injections. The injections require a user account with elevated privileges.

Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
2016 Nov 10

Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF which may lead to XSS, the logout is vulnerable to Open Redirect, the in-build bruteforce protection can be easily bypassed, and passwords are hashed with md5 and send out via email in plaintext.

Lepton 2.2.2: Code Execution
2016 Nov 10

Lepton 2.2.2: Code Execution

Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to code execution as it is possible to upload files with dangerous type via the media manager.

Jaws 1.1.1: Code Execution
2016 Nov 10

Jaws 1.1.1: Code Execution

Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to code execution as it allows the upload of files with a dangerous type. An account with extended privileges is required.

FUDforum 3.0.6: Multiple Persistent XSS & Login CSRF
2016 Nov 10

FUDforum 3.0.6: Multiple Persistent XSS & Login CSRF

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to multiple persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum is vulnerable to Login-CSRF.

Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags
2016 Nov 10

Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags

Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to various low to medium impact issues. It contains an Object Injection, which does not seem to be currently exploitable without custom changes made by users; its session cookies are not set to httpOnly, which may make it easier to exploit XSS issues; and it contains an Open Redirect issue.

FUDforum 3.0.6: LFI
2016 Nov 10

FUDforum 3.0.6: LFI

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the webuser has access to. Admin credentials are required.

Security Implications of GET/POST Interchangeability
2016 Nov 03

Security Implications of GET/POST Interchangeability

This article will provide a short overview of the security implications of treating POST and GET requests interchangeably, thus allowing a POST to GET downgrade. It will conclude with possible solutions.

Peel Shopping 8.0.2: Object Injection
2016 Sep 15

Peel Shopping 8.0.2: Object Injection

Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection. Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects, and has thus a limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.

Kajona 4.7: XSS & Directory Traversal
2016 Sep 15

Kajona 4.7: XSS & Directory Traversal

Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable to multiple XSS attacks and limited directory traveral. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. The directory travseral issue gives information about which files exist on a system, and thus allows an attacker to gather information about a system.

MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords
2016 Sep 15

MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords

MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.

MyBB 1.8.6: XSS
2016 Sep 15

MyBB 1.8.6: XSS

MyBB is forum software written in PHP. In version 1.8.6, it contains various XSS vulnerabilities, some of which are reflected and some of which are persistent. Some of them depend on custom forum or server settings. These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user.

MyBB 1.8.6: SQL Injection
2016 Sep 15

MyBB 1.8.6: SQL Injection

MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a second order SQL injection by an authenticated admin user, allowing the extraction of data from the database.

MyBB 1.8.6: Improper validation of data passed to eval
2016 Sep 15

MyBB 1.8.6: Improper validation of data passed to eval

MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is writable from remote, it may also lead to code execution. An admin account is required.

Oxwall 1.8.0: XSS & Open Redirect
2016 Sep 15

Oxwall 1.8.0: XSS & Open Redirect

Oxwall is a social networking software written in PHP. In version 1.8.0, it is vulnerable to multiple XSS attacks and a persistent open redirect. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection.

Penetration Tester / Security Consultant (m/w)
2016 Sep 06

Penetration Tester / Security Consultant (m/w)

Die Curesec GmbH berät Unternehmen bei der Umsetzung sicherer IT-Systeme. Wir bieten Schwachstellenanalysen von Umgebung und Applikationen, z.B. in Onlineshops, Firmennetzwerken, Applikationen und externen Devices, um Unternehmens- und Kundendaten vor schädlichem Zugriff abzusichern.

Zenphoto 1.4.11: RFI
2016 Mar 15

Zenphoto 1.4.11: RFI

Zenphoto is vulnerable to remote file inclusion. An admin account is required.

PivotX 2.3.11: Reflected XSS
2016 Mar 15

PivotX 2.3.11: Reflected XSS

PivotX is vulnerable to reflected XSS.

PivotX 2.3.11: Directory Traversal
2016 Mar 15

PivotX 2.3.11: Directory Traversal

PivotX is vulnerable to Directory Traversal, allowing authenticated users to read and delete files outside of the PivotX directory.

PivotX 2.3.11: Code Execution
2016 Mar 15

PivotX 2.3.11: Code Execution

PivotX is vulnerable to code execution by authenticated users as it does not check the extension of files when renaming them.

BigTree 4.2.8: Object Injection & Improper Filename Sanitation
2016 Mar 15

BigTree 4.2.8: Object Injection & Improper Filename Sanitation

BigTree 4.2.8 is vulnerable to object injection. The impact on the CMS itself is rather small, but installed plugins may increase the risk the vulnerability poses.

Opendocman 1.3.4: HTML Injection
2016 Feb 01

Opendocman 1.3.4: HTML Injection

There are various HTML Injection vulnerabilities in opendocman 1.3.4, leading to XSS, Phishing, and Privilege Escalation.

Opendocman 1.3.4: CSRF
2016 Feb 01

Opendocman 1.3.4: CSRF

Opendocman 1.3.4 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user.

Atutor 2.2: XSS
2016 Feb 01

Atutor 2.2: XSS

There are various XSS vulnerabilities in Atutor 2.2.

Bigace 3.0: SQL Injection
2016 Jan 28

Bigace 3.0: SQL Injection

There is an SQL injection in Bigace. A user account with the lowest privilege level is required.

Bigace 3.0: Code Execution
2016 Jan 28

Bigace 3.0: Code Execution

Bigace 3.0 allows the uploading of media file, but there is no verification, allowing the upload of PHP files by editors and administrators.

DYNPG 4.6: XSS
2016 Jan 28

DYNPG 4.6: XSS

There are multiple XSS vulnerabilities in DYNPG 4.6.

DYNPG 4.6: CSRF
2016 Jan 28

DYNPG 4.6: CSRF

DYNPG 4.6 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user. In this case, this may lead to code execution by allowing the upload of PHP files.

Wolf CMS v0.8.3.1: XSS
2016 Jan 28

Wolf CMS v0.8.3.1: XSS

There is a reflected XSS vulnerability in Wolf CMS v0.8.3.1.

Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation
2016 Jan 28

Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation

There is a code execution vulnerability in Wolf CMS v0.8.3.1. A user account with the Editor role is required.

Xoops 2.5.7.1: XSS
2016 Jan 28

Xoops 2.5.7.1: XSS

There are multiple XSS vulnerabilities in Xoops 2.5.7.1.

Xoops 2.5.7.1: Blind SQL Injection
2016 Jan 28

Xoops 2.5.7.1: Blind SQL Injection

There is a Blind SQL Injection vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue.

Xoops 2.5.7.1: Code Execution
2016 Jan 28

Xoops 2.5.7.1: Code Execution

There is a code execution vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue, but the request is not protected against CSRF.

Archived articles for 2015

PhpSocial v2.0.0304: XSS
2015 Dec 21

PhpSocial v2.0.0304: XSS

PhpSocial v2.0.0304 is vulnerable to persistent XSS.

PhpSocial v2.0.0304: CSRF
2015 Dec 21

PhpSocial v2.0.0304: CSRF

PhpSocial v2.0.0304 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user.

Arastta 1.1.5: XSS
2015 Dec 21

Arastta 1.1.5: XSS

There is a reflected XSS vulnerability in Arastta 1.1.5.

Arastta 1.1.5: SQL Injection
2015 Dec 21

Arastta 1.1.5: SQL Injection

There are two SQL Injections in Arastta 1.1.5, which both require a user with special privileges to trigger.

Grawlix 1.0.3: XSS
2015 Dec 21

Grawlix 1.0.3: XSS

Grawlix 1.0.3 has multiple reflected XSS vulnerabilities.

Grawlix 1.0.3: CSRF
2015 Dec 21

Grawlix 1.0.3: CSRF

Grawlix 1.0.3 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example changing the password of an admin user.

Grawlix 1.0.3: Code Execution
2015 Dec 21

Grawlix 1.0.3: Code Execution

Grawlix 1.0.3 does not check the file type or extension when an admin uploads an icon, leading to code execution.

CouchCMS 1.4.5: XSS & Open Redirect
2015 Dec 21

CouchCMS 1.4.5: XSS & Open Redirect

There are two reflected XSS and one open redirect vulnerability in CouchCMS 1.4.5.

CouchCMS 1.4.5: Code Execution
2015 Dec 21

CouchCMS 1.4.5: Code Execution

The file extension whitelist of CouchCMS 1.4.5 misses pht, which may lead to code execution under certain circumstances.

esoTalk 1.0.0g4: XSS
2015 Dec 21

esoTalk 1.0.0g4: XSS

There is a reflected XSS vulnerability in the search of esoTalk 1.0.0g4.

4images 1.7.12: XSS
2015 Dec 02

4images 1.7.12: XSS

There are multiple XSS vulnerabilities in 4images 1.7.12.

4images 1.7.11: SQL Injection
2015 Dec 02

4images 1.7.11: SQL Injection

There is an SQL Injection vulnerability in the admin area of 4images 1.7.11.

4images 1.7.11: Path Traversal
2015 Dec 02

4images 1.7.11: Path Traversal

There is a Path Traversal vulnerability in the admin area of 4images 1.7.11 which allows the reading of arbitrary files.

4images 1.7.11: Code Execution Exploit
2015 Dec 02

4images 1.7.11: Code Execution Exploit

4images 1.7.11: Code Execution
2015 Dec 02

4images 1.7.11: Code Execution

There is a code execution vulnerability in the admin area of 4images 1.7.11.

CodoForum 3.4: XSS
2015 Dec 02

CodoForum 3.4: XSS

There is an XSS vulnerability in CodoForum 3.4.

phpwcms 1.7.9: CSRF
2015 Dec 02

phpwcms 1.7.9: CSRF

There is a CSRF vulnerability in phpwcms 1.7.9.

phpwcms 1.7.9: Code Execution
2015 Dec 02

phpwcms 1.7.9: Code Execution

There are two Code Execution vulnerabilities in phpwcms 1.7.9. A registered user is required to exploit these issues.

Geeklog 2.1.0: XSS
2015 Dec 02

Geeklog 2.1.0: XSS

There is a reflected XSS vulnerability in the installation script of Geeklog 2.1.0.

Geeklog 2.1.0: Code Execution Exploit
2015 Dec 02

Geeklog 2.1.0: Code Execution Exploit

Geeklog 2.1.0: Code Execution
2015 Dec 02

Geeklog 2.1.0: Code Execution

There are two code execution vulnerability in the admin area of Geeklog 2.1.0.

redaxscript 2.5.0: XSS
2015 Dec 02

redaxscript 2.5.0: XSS

There is a persistent XSS vulnerability in redaxscript 2.5.0. It requires the victim to hover over a link to trigger.

redaxscript 2.5.0: Code Execution
2015 Dec 02

redaxscript 2.5.0: Code Execution

There is a Code Execution vulnerability in the admin area of redaxscript 2.5.0.

appRain 4.0.3: XSS
2015 Dec 02

appRain 4.0.3: XSS

There are two reflected XSS vulnerabilities in appRain 4.0.3.

appRain 4.0.3: Path Traversal
2015 Dec 02

appRain 4.0.3: Path Traversal

There is a Path Traversal vulnerability in appRain 4.0.3.

appRain 4.0.3: CSRF
2015 Dec 02

appRain 4.0.3: CSRF

None of the forms of appRain 4.0.3 have CSRF protection.

appRain 4.0.3: Code Execution
2015 Dec 02

appRain 4.0.3: Code Execution

appRain 4.0.3, Code Execution, vulnerability, advisory

AlegroCart 1.2.8: SQL Injection
2015 Nov 13

AlegroCart 1.2.8: SQL Injection

There is an SQL Injection vulnerability in the admin area of AlegroCart 1.2.8.

AlegroCart 1.2.8: LFI/RFI
2015 Nov 13

AlegroCart 1.2.8: LFI/RFI

There is an LFI/RFI vulnerability in the admin area of AlegroCart 1.2.8.

LiteCart 1.3.2: Multiple XSS
2015 Nov 13

LiteCart 1.3.2: Multiple XSS

There are multiple XSS vulnerabilities in LiteCart 1.3.2.

ClipperCMS 1.3.0: XSS
2015 Nov 13

ClipperCMS 1.3.0: XSS

There are multiple XSS vulnerabilities in ClipperCMS 1.3.0.

ClipperCMS 1.3.0: SQL Injection
2015 Nov 13

ClipperCMS 1.3.0: SQL Injection

There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.

ClipperCMS 1.3.0: Path Traversal
2015 Nov 13

ClipperCMS 1.3.0: Path Traversal

There is a Path Traversal vulnerability in ClipperCMS 1.3.0

ClipperCMS 1.3.0: CSRF
2015 Nov 13

ClipperCMS 1.3.0: CSRF

ClipperCMS 1.3.0 has as only CSRF protection a referer check, which can be disabled by an admin.

ClipperCMS 1.3.0: Code Execution Exploit
2015 Nov 13

ClipperCMS 1.3.0: Code Execution Exploit

ClipperCMS 1.3.0: Code Execution
2015 Nov 13

ClipperCMS 1.3.0: Code Execution

There is a Code Execution vulnerability in ClipperCMS 1.3.0

dotclear 2.8.1: XSS
2015 Nov 13

dotclear 2.8.1: XSS

There is a persistent XSS vulnerability in dotclear 2.8.1.

dotclear 2.8.1: Code Execution
2015 Nov 13

dotclear 2.8.1: Code Execution

There is a Code Execution vulnerability in dotclear 2.8.1.

Open Source Social Network 3.5: XSS
2015 Nov 13

Open Source Social Network 3.5: XSS

There are two reflected XSS vulnerabilities in Open Source Social Network 3.5.

Sitemagic CMS 4.1: XSS
2015 Nov 13

Sitemagic CMS 4.1: XSS

There is a reflected XSS vulnerability in Sitemagic CMS 4.1.

Thelia 2.2.1: XSS
2015 Nov 13

Thelia 2.2.1: XSS

There is a reflected XSS vulnerability in Thelia 2.2.1.

TomatoCart v1.1.8.6.1: XSS
2015 Nov 13

TomatoCart v1.1.8.6.1: XSS

There are two XSS vulnerabilities in TomatoCart v1.1.8.6.1.

 TomatoCart v1.1.8.6.1: Code Execution
2015 Nov 13

TomatoCart v1.1.8.6.1: Code Execution

There are two Code Execution vulnerabilities in TomatoCart v1.1.8.6.1.

XCart 5.2.6: Code Execution Exploit
2015 Nov 13

XCart 5.2.6: Code Execution Exploit

XCart 5.2.6: Code Execution
2015 Nov 04

XCart 5.2.6: Code Execution

There is a Code Execution vulnerability in the admin area of XCart 5.2.6.

XCart 5.2.6: Path Traversal
2015 Nov 04

XCart 5.2.6: Path Traversal

There is a Path Traversal vulnerability in the admin area of XCart 5.2.6. It makes it possible to list directories and download arbitrary files.

XCart 5.2.6: XSS
2015 Nov 04

XCart 5.2.6: XSS

There are multiple XSS vulnerabilities in XCart 5.2.6.

TheHostingTool 1.2.6: Multiple XSS
2015 Oct 07

TheHostingTool 1.2.6: Multiple XSS

There are multiple XSS vulnerabilities in TheHostingTool 1.2.6.

TheHostingTool 1.2.6: Multiple SQL Injection
2015 Oct 07

TheHostingTool 1.2.6: Multiple SQL Injection

There are multiple SQL Injection vulnerabilities in the admin area of TheHostingTool 1.2.6.

TheHostingTool 1.2.6: Code Execution
2015 Oct 07

TheHostingTool 1.2.6: Code Execution

There is a Code Execution vulnerability in the admin area of TheHostingTool 1.2.6.

Quick.Cart 6.6: Multiple XSS
2015 Oct 07

Quick.Cart 6.6: Multiple XSS

There are multiple XSS vulnerabilities in Quick.Cart 6.6.

Quick.Cart 6.6: CSRF
2015 Oct 07

Quick.Cart 6.6: CSRF

There are multiple CSRF vulnerabilities in Quick.Cart 6.6.

CubeCart 6.0.7: XSS
2015 Oct 07

CubeCart 6.0.7: XSS

There are multiple XSS vulnerabilities in the admin area of CubeCart 6.0.7.

CubeCart 6.0.7: Code Execution
2015 Oct 07

CubeCart 6.0.7: Code Execution

There is a Code Execution vulnerability in the admin area of CubeCart 6.0.7.

Supercali Event Calendar 1.0.8: XSS
2015 Oct 07

Supercali Event Calendar 1.0.8: XSS

There is an XSS vulnerability in Supercali Event Calendar 1.0.8. This issue has not been fixed.

Supercali Event Calendar 1.0.8: CSRF
2015 Oct 07

Supercali Event Calendar 1.0.8: CSRF

There is no CSRF protection in Supercali Event Calendar 1.0.8.

SQLiteManager 1.2.4: Multiple XSS
2015 Oct 07

SQLiteManager 1.2.4: Multiple XSS

There are multiple XSS vulnerabilities in SQLiteManager 1.2.4. This issue has not been fixed.

OpenCart 2.0.3.1: CSRF
2015 Oct 07

OpenCart 2.0.3.1: CSRF

OpenCart 2.0.3.1 does not have CSRF protection for customers.

MyWebSQL 3.6: CSRF
2015 Oct 07

MyWebSQL 3.6: CSRF

MyWebSQL 3.6 does not have CSRF protection.

MiniBB 3.1.1: XSS
2015 Oct 07

MiniBB 3.1.1: XSS

There is an XSS vulnerability in MiniBB 3.1.1.

Chyrp CMS 2.5.2: XSS
2015 Oct 07

Chyrp CMS 2.5.2: XSS

There is an XSS vulnerability in Chyrp CMS 2.5.2. This issue has not been fixed.

SQL Buddy 1.3.3: XSS
2015 Oct 07

SQL Buddy 1.3.3: XSS

There is an XSS vulnerability in SQL Buddy 1.3.3. This issue has not been fixed.

SQL Buddy 1.3.3: CSRF
2015 Oct 07

SQL Buddy 1.3.3: CSRF

The CSRF protection in SQL Buddy 1.3.3. does not work properly. This issue has not been fixed.

Installing Pulledpork for Snort
2015 Oct 07

Installing Pulledpork for Snort

In this article we will download, configure and install Pulledpork and also create a cronjob for automatic rule update while you bother with more important things of your life.

Pligg CMS 2.0.2: Multiple SQL Injections
2015 Oct 07

Pligg CMS 2.0.2: Multiple SQL Injections

There is a Code Execution vulnerability in the admin area of Pligg CMS 2.0.2. It can be exploited via CSRF. This issue has not been fixed.

Pligg CMS 2.0.2: Directory Traversal
2015 Oct 07

Pligg CMS 2.0.2: Directory Traversal

There is a Directory Traversal vulnerability in the admin area of Pligg CMS 2.0.2. This issue has not been fixed.

Pligg CMS 2.0.2: Code Execution and CSRF
2015 Oct 07

Pligg CMS 2.0.2: Code Execution and CSRF

There is a Code Execution vulnerability in the admin area of Pligg CMS 2.0.2. It can be exploited via CSRF. This issue has not been fixed.

Installing Snort and Barnyard2
2015 Oct 05

Installing Snort and Barnyard2

How to install Snort and Barnyard2 for Debian and Arch-Linux.

ZeusCart 4.0: CSRF
2015 Sep 14

ZeusCart 4.0: CSRF

ZeusCart 4.0 does not have CSRF protection. Because of this, it is for example possible to add additional admin accounts. This issue has not been fixed.

ZeusCart 4.0: Code Execution
2015 Sep 14

ZeusCart 4.0: Code Execution

There is an arbitrary file upload vulnerability in the admin area of ZeusCart 4.0. This issue has not been fixed.

ZeusCart 4.0: SQL Injection
2015 Sep 14

ZeusCart 4.0: SQL Injection

There are multiple SQL Injection vulnerabilities in ZeusCart 4.0. This issue has not been fixed.

ZeusCart 4.0: XSS
2015 Sep 14

ZeusCart 4.0: XSS

There is an XSS vulnerability in ZeusCart 4.0. This issue has not been fixed.

Zen Cart 1.5.4: Code Execution and Information Leak
2015 Sep 14

Zen Cart 1.5.4: Code Execution and Information Leak

There is an arbitrary file upload vulnerability in the admin area of Zen Cart 1.5.4 as well as an information leak. This issue has only been partially fixed.

Anchor CMS 0.9.2: XSS
2015 Sep 14

Anchor CMS 0.9.2: XSS

There is an XSS vulnerability in Anchor CMS 0.9.2. The issue is not yet fixed.

Serendipity 2.0.1: Blind SQL Injection
2015 Sep 01

Serendipity 2.0.1: Blind SQL Injection

There is a Blind SQL Injection vulnerability in the admin area of Serendipity 2.0.1.

Serendipity 2.0.1: Persistent XSS
2015 Sep 01

Serendipity 2.0.1: Persistent XSS

There is a Persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click to trigger.

Serendipity 2.0.1: Code Execution
2015 Sep 01

Serendipity 2.0.1: Code Execution

There is a code execution vulnerability in Serendipity 2.0.1. It requires a registered user to exploit.

NibbleBlog 4.0.3: Code Execution
2015 Sep 01

NibbleBlog 4.0.3: Code Execution

There is a Code Execution vulnerability in the admin area of NibbleBlog 4.0.3. The issue is not yet fixed.

NibbleBlog 4.0.3: CSRF
2015 Sep 01

NibbleBlog 4.0.3: CSRF

There is a CSRF vulnerability in NibbleBlog 4.0.3 which can lead to the creating of new posts and thus XSS. The issue is not yet fixed.

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
2015 Aug 17

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect

When running on IIS, Phorum 5.2.19 is open to cross site scripting. Additionally, there is an open redirect vulnerability that is not restricted to any operating system.

Bolt 2.2.4: Code Execution
2015 Aug 17

Bolt 2.2.4: Code Execution

The file editor of the admin area of Bolt 2.2.4 allows for the editing of file extensions, which leads to code execution once an attacker has gained admin credentials.

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
2015 Aug 17

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability

There is an XSS vulnerability in version 2.3.5 of ModX. As of now, this issue has not been fixed.

CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities
2015 Aug 07

CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities

There are two SQL injection vulnerabilities in CodoForum, one of which does not require the attacker to be authenticated.

CodoForum 3.3.1: Multiple Cross Site Scripting Vulnerabilities
2015 Aug 07

CodoForum 3.3.1: Multiple Cross Site Scripting Vulnerabilities

There are multiple reflected cross site scripting vulnerabilities in version 3.3.1 of CodoForum.

BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
2015 Aug 07

BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities

There are multiple SQL injection vulnerabilities in the admin area of version 4.2.3 of the BigTree CMS.

BigTree CMS 4.2.3: Multiple Cross Site Scripting Vulnerabilities
2015 Aug 07

BigTree CMS 4.2.3: Multiple Cross Site Scripting Vulnerabilities

There are multiple reflected cross site scripting vulnerabilities in version 4.2.3 of BigTree CMS.

Archived articles for 2014

CVE-2014-N/A com.android.contacts
2014 Jul 04

CVE-2014-N/A com.android.contacts

This bug is similar to CVE-2013-6272 but is only exploitable on older Android versions. The bug exists in the component com.android.contacts.

CVE-2013-6272 com.android.phone
2014 Jul 04

CVE-2013-6272 com.android.phone

We conducted a deep investigation of android components and created some CVEs plus reporting Bugs to the Android Security Team in late 2013. Today we want publish one reported and one similar vulnerability.

Cybercrime insights @Be Mobile Conference of Blackberry
2014 Jun 03

Cybercrime insights @Be Mobile Conference of Blackberry

Marco went to Miami to give two talks at the Be Mobile Conference of Blackberry.

Presentation on Heartbleed @BSI Cyber-Alliance conference
2014 May 15

Presentation on Heartbleed @BSI Cyber-Alliance conference

On may 7th, Marco gave a presentation at the BSI Cyber-Alliance conference about heartbleed.

Heartbleed analysis daemon published
2014 May 02

Heartbleed analysis daemon published

The Heartbleed bug is a programming error in the versions 1.0.1 to 1.0.1f of the open-source OpenSSL cryptography library. Curesec has published hbad, a Heartbleed client side tool to check for this critical security gap.

2014 Apr 09

"Heartbleed" security checkup

Two days ago a critical security gap in one of the most common encryption protocolls (SSL) named „Heartbleed“ was published. We offer a free checkup to our clients!

Nsdtool published
2014 Mar 05

Nsdtool published

Nsdtool is a toolset of scripts used to detect netgear switches in local networks.

Archived articles for 2013

CVE-2013-6224: Cross Site Scripting in LiveZilla
2013 Dec 05

CVE-2013-6224: Cross Site Scripting in LiveZilla

Various components of the LiveZilla application are vulnerable to cross site scripting. An attacker can hijack an operator with cross site scripting.

CVE-2013-6223: Local Password Disclosure in LiveZilla
2013 Dec 05

CVE-2013-6223: Local Password Disclosure in LiveZilla

An 1click file that allows an admin to log into LiveZilla using a mouse click is saved in a xml representation. This xml file includes the admin username and password in plaintext.

CVE-2013-6271: Remove Device Locks from Android Phone
2013 Nov 27

CVE-2013-6271: Remove Device Locks from Android Phone

This vulnerability enables any rogue app at any time to remove all existing device locks activated by a user. Furthermore we have created an app to demonstrate the issue. You can choose two options, remove all locks right away or remove them at a defined time.

CVE-2013-6225: Remote Code Execution in LiveZilla
2013 Nov 15

CVE-2013-6225: Remote Code Execution in LiveZilla

On Windows systems with PHP versions installed that allow null bytes in the URL it is possible to turn a local file inclusion vulnerability to a full remote code execution vulnerability.

We have moved into our new office!
2013 Oct 02

We have moved into our new office!

Curesec has turned two years old! As a birthday present we have moved into our new office! 165sqm space for the security enthusiasts!

Inkasso Trojaner – Part 3
2013 Sep 16

Inkasso Trojaner – Part 3

In this report we would like to point out how the rootkit infects a system, how it operates and what kind of anti-reversing and anti-debugging techniques are in place.

Exfiltrate Data using the old ping utility trick
2013 Sep 10

Exfiltrate Data using the old ping utility trick

We are back with a great blogpost. This time about data exfiltration using ping, packed together as a simple backdoor-like code. The technique may work in generell for linux and windows as well, however the main target and interest was Android.

Article on Scada Security
2013 Aug 06

Article on Scada Security

welt.de and morgenpost.de published an article about vulnerabilities in industrial facilities in august 2013. The article is in german only.

Media reaction on Whatsapp bug
2013 Aug 03

Media reaction on Whatsapp bug

In july 2013 we published a way to abuse the popular chat software Whatsapp to get payment information from google wallet and Paypal.

 CVE-2013-6274: Security gap in WhatsApp. Phishing Google Wallet and Paypal Accounts
2013 Jul 24

CVE-2013-6274: Security gap in WhatsApp. Phishing Google Wallet and Paypal Accounts

This vulnerability can be used to get payment credentials for Google Wallet and Paypal by abusing the popular application Whatsapp.

OpenSSH User Enumeration Time-Based Attack
2013 Jul 09

OpenSSH User Enumeration Time-Based Attack

Today, we will show a bug concerning OpenSSH. OpenSSH is the most used remote control software nowadays on *nix like operating systems. Legacy claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a version at: https://www.openssh.com.

Inkasso Trojaner – Part 2
2013 Jul 01

Inkasso Trojaner – Part 2

In Part 1 of the analysis we have seen a first description of the dropper and how to extract the executeable placed in the file. To move forward with work we dumped the memory with the decrypted virus body and continued the analysis.

Curesec @ BSIs ‘Allianz für Cyber-Sicherheit’
2013 Jun 20

Curesec @ BSIs ‘Allianz für Cyber-Sicherheit’

Curesec took a part in this year conference of the so called alliance for cyber security by the German federal agency for security in IT-Technology.

Inkasso Trojaner – Part 1
2013 Jun 18

Inkasso Trojaner – Part 1

Some days ago we received an email with a double zipped dropper agent included. We decided to start an analysis. This is the first part with our results, in this blogpost we only focus on the dropper itself.

Archived articles for 2012

FreeBSD Kernelland-Trickery / Gain root access via syscall
2012 Jul 16

FreeBSD Kernelland-Trickery / Gain root access via syscall

This time I will focus on FreeBSD kernel developement. The recent stable version of FreeBSD is 9.0, but for this example we will use a version 8.1 with i386 architecture.

Angriffs-Vektor: Direct Memory Access
2012 Feb 25

Angriffs-Vektor: Direct Memory Access

Wir bei Curesec haben uns mit Direct Memory Access (DMA) als Angriffsvektor auf Rechner beschäftigt. Dies haben wir vor allem getan, um die Sicherheit unserer eigenen Rechner entsprechend sicherstellen zu können. Dieser Blogartikel stellt die Ergebnisse dieser Untersuchung vor.