Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29932: CVE-2022-29932/Proof-of-Concept.md at main · Off3nS3c/CVE-2022-29932

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

CVE
#vulnerability#web#ios#auth

****CVE-2022-29932 - Primeur Spazio MFT - Information Disclosure (Memory Leak)******Description**

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (Managed File Transfer) allows a remote unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

Vendor has acknowledged the vulnerability and promptly notified all impacted customers and provided a patch.

Affected Product Code Base

Primeur Spazio - 2.5.1.954.

Other versions may also be affected.

Attack Vectors

In order to exploit the vulnerability, an unauthenticated attacker should send crafted HTTP Request

Discovered by

Andrea Mattiazzo, Alessandro Cudini, Antonio Montesano, Emanuele Chiossi, Giovanni Battista Colonna

Reference

https://www.primeur.com/managed-file-transfer

****Proof-of-Concept (POC)****

Navigating the website without any kind of credentials and executing fuzzing on the root directory, it has been observed that some web resources were built at real-time.

After an in-depth analysis it was observed those resources (i.e. folders) are strictly related to already existent data directories (i.e. subfolders of root web folder) on the web server.

Creating a crafted HTTP request pointing to these data directories cutting the trailing “/” character, the web server answers with an unmanaged memory leak in HTTP response. As an example we created two folders on the webserver called “assets” and “pippo” in order to reproduce the unsecure behaviour obtaining the memory leak.

By downloading or navigating the resource containing the memory leak, it has been possible to gain access to the exfiltrated buffer of memory which contained the content of files exchanged by authorized users who are using the File Transfer solution, hence leading to an information disclosure.

Since folders name is usually easy-enumerable by any fuzzer, and some folders have standard naming (errors, templates, images), the bug can be easily exploited.

Related news

CVE-2022-29932: CVE-2022-29932/Proof-of-Concept.md at main · Off3nS3c/CVE-2022-29932

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907