| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Oct 2019 17:52:27 -0600 From: Aaron Bishop <aaron@...uritymetrics.com> To: fulldisclosure@...lists.org Subject: [FD] WiKID 2FA Enterprise Server Multiple Issues WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF issues. *searchDevices.jsp* is vulnerable to SQL injection through the *uid* and *domain* parameters. The application uses Postgres which supports Stacked Queries, the issue can be seen by submitting a request like: SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp The request will cause the database to sleep for 10+ seconds. This issue has been assigned *CVE-2019-16917*. *processPref.jsp* is vulnerable to SQL injection through the *key* parameter if the action parameter is set to *update.* The following request will trigger the issue for an authenticated user: https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);-- The request will cause the database to sleep for 5+ seconds. This issue has been assigned *CVE-2019-17117.* *Logs.jsp* is vulnerable to SQL injection through the *substring *and *source* parameters. The following request will demonstrate the issue: time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "source='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp real 0m10.572s user 0m0.008s sys 0m0.016s The request will cause the database to sleep for 5+ seconds. This issue has been assigned *CVE-2019-17119* *usrPreregistration.jsp *is vulnerable to cross site scripting by uploading a malicious .csv file containing <script> elements. This issue has been assigned *CVE-2019-17114* *Logs.jsp *is vulnerable to cross site scripting by triggering errors in the unauthenticated portion of the application. The errors are severe enough to appear in the logs by default. This issue has been assigned *CVE-2019-17115.* *groups.jsp *is vulnerable to cross site scripting by creating a group with a name that contains <script> elements. This issue has been assigned *CVE-2019-17116* *adm_usrs.jsp *is vulnerable to cross site scripting when an admin is created with a username containing <script> elements. This issue has been assigned *CVE-2019-17120* The application does not implement CSRF protection. Tricking an authenticated user to click a link like: <a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin Manual</a> Will result in an admin user unintentionally being created. This issue has been assigned *CVE-2019-17118* https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999 [image: SecurityMetrics] _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists