| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Dec 2016 19:40:41 +0100
From: Julien Ahrens <info@...security.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] XenForo 1.5.x Unauthenticated Remote Code Injection
This issue does not seem to exist at all.
Among the available versions/updates for XenForo there is no version
1.5.11a as stated in this advisory. After contacting XenForo about this
advisory and the corresponding update, they told me that they are
neither aware of this vulnerability nor about the reporter.
Best Regards
Julien
On 15.12.2016 13:58, Vishal Mishra wrote:
> XenForo 1.5.x Remote Code Execution Vulnerability
>
> 1. ADVISORY INFORMATION
> =======================
> Product: XenForo
> Vendor URL: xenforo.com
> Type: Code Injection [CWE-94]
> Date found: 2016-12-09
> Date published: 2016-12-15
> CVSSv3 Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
> CVE: -
>
>
> 2. CREDITS
> ==========
>
> This vulnerability was discovered and researched by indepent security
> expert Vishal Mishra.
>
>
> 3. VERSIONS AFFECTED
> ====================
>
> XenForo 1.5.x versions prior to 1.5.11a.
> Older versions may be affected too but were not tested.
>
>
> 4. VULNERABILITY DETAILS
> ========================
>
> The vulnerability allows a remote attacker to overwrite arbitrary PHP
> variables within the context of the vulnerable application. The
> vulnerability exists due to insufficient validation of user-supplied
> input in an HTTP cookie, thus allowing to read sensitive information
> from the XenForo database like usernames and passwords. Since the
> affected script does not require an authentication, this
> vulnerability can be exploited by an unauthenticated attacker.
>
>
> 5. PROOF OF CONCEPT
> ===================
>
> The following proof-of-concept exploit the vulnerable HTTP cookie
> and execute the phpinfo() function:
>
> Detailed proof of concept has been removed for this advisory.
>
>
> 6. SOLUTION
> ===========
>
> Update to the latest version v1.5.11a
>
>
> 7. REPORT TIMELINE
> ==================
>
> 2016-12-09: Discovery of the vulnerability
> 2016-12-11: Notified vendor via contact address
> 2016-12-13: Vendor provides update
> 2016-12-13: Provided update fixes the reported issues
> 2016-12-13: Vendor publishes update
> 2016-12-15: Coordinated release of security advisory without proof of concept
>
>
> 8. DISCLAIMER
> =============
>
> Disclaimer: The information provided in this Advisory is provided "as is" and
> without any warranty of any kind. Details of this Advisory may be updated
> in order to provide as accurate information as possible.
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
--
Mit freundlichen Grüßen / With best regards / Atentamente
Julien Ahrens
Freelancer | Penetration Tester
RCE Security
Sandfoort 60 - 22415 Hamburg - Germany
Tax ID: 49/003/01648
Website: www.rcesecurity.com
This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail.
Any unauthorized copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists