SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5.

vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.

Continue reading SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

SSD Advisory – DblTek Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities summary
The following advisory describes 2 (two) vulnerabilities found in DblTek webserver.

DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market demands. All our products are priced very attractively and probably the lowest in the market. Because of the price and performance, GoIPs have been widely adopted by system integrators, VoIP service providers, and many other business and individual users.”

The vulnerabilities found are:

  • Pre-authentication Information Disclosure
  • Command Execution

It is possible to combine the 2 vulnerabilities and gain unauthenticated remote command execution.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response

DblTek has released patches to address those vulnerabilities.

CVE-2017-16934

Continue reading SSD Advisory – DblTek Multiple Vulnerabilities

SSD Advisory – Sophos XG Firewall Path Traversal

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.

Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address this vulnerability:
“The patches were released as part of SFOS 16.05.5 MR5:
https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-5-mr5-released

Our internal bug number was NC-18958, mentioned in the changelog”

CVE: CVE-2017-12854

Continue reading SSD Advisory – Sophos XG Firewall Path Traversal

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS) vulnerabilities and a Remote File Inclusion vulnerability that when combined can lead to arbitrary Javascript code execution, were found in HP OpenCall Media Platform (OCMP), version 4.3.2.

HPE OpenCall Media Platform (OCMP) is a suite of software and hardware applications which allow implementation of common telecom operator services such as voicemail, sms (short message service), prepaid, billing, hlr, etc. It implements industry standard telecom protocols and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.
u
HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, carrier-grade media platform that adapts to future networks and applications. Through its strong support of open standards and protocols, new applications can be rapidly developed and deployed in a way that preserves investments and reduces capital expenditures (CAPEX) and operational expenditure (OPEX).

There are 3 different components that are vulnerable in HPE OpenCall Media Platform (OCMP), and for each component has the following vulnerabilities:

  • Application Content Manager
  1. Reflected Cross-Site Scripting (XSS) – /mcm/resources/


  • Platform Administration Tool
  1. Reflected Cross-Site Scripting (XSS) that leads to arbitrary Javascript code execution
  2. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
  3. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
  4. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
  5. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
  6. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
  7. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
  8. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
  9. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
  10. Reflected Cross-Site Scripting (XSS) – GetMapAction function
  11. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
  12. Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
  13. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
  14. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter


  • VoiceXML Administration Tool
  1. Reflected Cross-Site Scripting (XSS) – event.do function
  2. Reflected Cross-Site Scripting (XSS) – call.do function
  3. Remote File Inclusion – proxylink.do function


Credit
An independent security researcher Paolo Stagno from VoidSec has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
HPE has released patches to address this vulnerability, for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us

Continue reading SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities