lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 15 Dec 2016 12:58:26 +0000
From: "Vishal Mishra" <vishalsec@...h.com>
To: fulldisclosure@...lists.org
Subject: [FD] XenForo 1.5.x Unauthenticated Remote Code Injection

XenForo 1.5.x Remote Code Execution Vulnerability

1. ADVISORY INFORMATION
=======================
Product:        XenForo
Vendor URL:     xenforo.com
Type:           Code Injection [CWE-94]
Date found:     2016-12-09
Date published: 2016-12-15
CVSSv3 Score:   9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
CVE:            -


2. CREDITS
==========

This vulnerability was discovered and researched by indepent security 
expert Vishal Mishra.


3. VERSIONS AFFECTED
====================

XenForo 1.5.x versions prior to 1.5.11a. 
Older versions may be affected too but were not tested.


4. VULNERABILITY DETAILS
========================

The vulnerability allows a remote attacker to overwrite arbitrary PHP 
variables within the context of the vulnerable application. The 
vulnerability exists due to insufficient validation of user-supplied 
input in an HTTP cookie, thus allowing to read sensitive information
from the XenForo database like usernames and passwords. Since the 
affected script does not require an authentication, this 
vulnerability can be exploited by an unauthenticated attacker.


5. PROOF OF CONCEPT
===================

The following proof-of-concept exploit the vulnerable HTTP cookie
and execute the phpinfo() function:

Detailed proof of concept has been removed for this advisory.


6. SOLUTION
===========

Update to the latest version v1.5.11a


7. REPORT TIMELINE
==================

2016-12-09: Discovery of the vulnerability
2016-12-11: Notified vendor via contact address
2016-12-13: Vendor provides update
2016-12-13: Provided update fixes the reported issues
2016-12-13: Vendor publishes update
2016-12-15: Coordinated release of security advisory without proof of concept


8. DISCLAIMER
=============

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated 
in order to provide as accurate information as possible.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists