lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 15 Dec 2016 19:40:41 +0100
From: Julien Ahrens <info@...security.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] XenForo 1.5.x Unauthenticated Remote Code Injection

This issue does not seem to exist at all.

Among the available versions/updates for XenForo there is no version
1.5.11a as stated in this advisory. After contacting XenForo about this
advisory and the corresponding update, they told me that they are
neither aware of this vulnerability nor about the reporter.

Best Regards
Julien


On 15.12.2016 13:58, Vishal Mishra wrote:
> XenForo 1.5.x Remote Code Execution Vulnerability
>
> 1. ADVISORY INFORMATION
> =======================
> Product:        XenForo
> Vendor URL:     xenforo.com
> Type:           Code Injection [CWE-94]
> Date found:     2016-12-09
> Date published: 2016-12-15
> CVSSv3 Score:   9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
> CVE:            -
>
>
> 2. CREDITS
> ==========
>
> This vulnerability was discovered and researched by indepent security 
> expert Vishal Mishra.
>
>
> 3. VERSIONS AFFECTED
> ====================
>
> XenForo 1.5.x versions prior to 1.5.11a. 
> Older versions may be affected too but were not tested.
>
>
> 4. VULNERABILITY DETAILS
> ========================
>
> The vulnerability allows a remote attacker to overwrite arbitrary PHP 
> variables within the context of the vulnerable application. The 
> vulnerability exists due to insufficient validation of user-supplied 
> input in an HTTP cookie, thus allowing to read sensitive information
> from the XenForo database like usernames and passwords. Since the 
> affected script does not require an authentication, this 
> vulnerability can be exploited by an unauthenticated attacker.
>
>
> 5. PROOF OF CONCEPT
> ===================
>
> The following proof-of-concept exploit the vulnerable HTTP cookie
> and execute the phpinfo() function:
>
> Detailed proof of concept has been removed for this advisory.
>
>
> 6. SOLUTION
> ===========
>
> Update to the latest version v1.5.11a
>
>
> 7. REPORT TIMELINE
> ==================
>
> 2016-12-09: Discovery of the vulnerability
> 2016-12-11: Notified vendor via contact address
> 2016-12-13: Vendor provides update
> 2016-12-13: Provided update fixes the reported issues
> 2016-12-13: Vendor publishes update
> 2016-12-15: Coordinated release of security advisory without proof of concept
>
>
> 8. DISCLAIMER
> =============
>
> Disclaimer: The information provided in this Advisory is provided "as is" and 
> without any warranty of any kind. Details of this Advisory may be updated 
> in order to provide as accurate information as possible.
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

-- 
Mit freundlichen Grüßen / With best regards / Atentamente

Julien Ahrens
Freelancer | Penetration Tester

RCE Security
Sandfoort 60 - 22415 Hamburg - Germany
Tax ID: 49/003/01648
Website: www.rcesecurity.com

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail.
Any unauthorized copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists