SSD Advisory – SolarWinds Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
SolarWinds Server and Application Monitor version 6.1.1 has been found to contain multiple vulnerabilities:

  1. Node Custom Properties Persistent XSS
  2. Audit Events Module Persistent XSS
  3. Custom “Data Source” and ‘Where Clause’ Persistent XSS
  4. “Build Dynamic Query Name” Persistent XSS
  5. Multiple Persistent XSS Vulnerabilities Via ‘Title’ field
  6. Application Monitor Template Persistent XSS
  7. NOC View Name Persistent XSS

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We notified SolarWinds about the vulnerabilities back in August 2015, repeated attempts to re-establish contact and get some answers on the status of the patches for these vulnerabilities went unanswered. We have also contacted CERT in August 2015, but they were unable to get them to addresses these issues. At this time there is no solution or workaround for these vulnerabilities.

Continue reading SSD Advisory – SolarWinds Multiple Vulnerabilities

SSD Advisory – Over 100K IoT Cameras Vulnerable to Source Disclosure

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes an arbitrary file content disclosure vulnerability found in GoAhead web server.

The GoAhead web server is present on multiple embedded devices, from IP Cameras to Printers and other embedded devices.

The vulnerability allows a remote unauthenticated attacker to disclose the content of the file being accessed. As most embedded devices do not run a SQL (or SQL-like) daemon, the credentials for authentication are stored inside the file being accessed. Through this disclosure attack, an attacker can view the credentials required to access the device.

Credit
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Update #2: The vulnerability of the “/” less access causing file disclosure dates back to 2004, http://aluigi.altervista.org/adv/goahead-adv2.txt, I cannot find any indication when GoAhead fixed it – in any case it is still present in 2017 in devices that use the GoAhead server.

Update: The vendor (GoAhead) claims the vulnerability is not in his product, but rather in the camera vendor’s code.

We at Beyond Security, are unsure about this, but as none of the camera vendors responded, we are left in the dark at the root cause for the vulnerability.

Since this vulnerability affects practically multiple devices that have the GoAhead web server (these devices appear to implement old versions of GoAhead), there is no one company you can report these vulnerabilities to or get them addressed – further the majority of the products that are vulnerable are OEM products with no real “vendor” behind them.

We urge users who have an embedded device and have GoAhead running on them, you can know this by seeing the following banner returned when you connect to the device:

To remove the device from the network, or at the very least not allow access to the web interface to anyone beside a very strict IP address range.

Continue reading SSD Advisory – Over 100K IoT Cameras Vulnerable to Source Disclosure

SSD Advisory – MuraCMS Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in MuraCMS version 6.2. MuraCMS is an open source content management system for CFML, created by Blue River Interactive Group. Mura has been designed to be used by marketing departments, web designers and developers.

The vulnerabilities found in MuraCMS are:

  1. Unauthenticated remote arbitrary code execution
  2. Unrestricted file upload

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
BlurRiver has released patch to address the vulnerabilities: “we put builds with the vulnerabilities patched and then released a blog as well as communicated via our Google group, Slack channel, twitter and mailing list.”

The patch and blog post can be found here

Continue reading SSD Advisory – MuraCMS Multiple Vulnerabilities

SSD Advisory – HTC Sync Remote Code Execution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes a remote code execution (RCE) found in HTC Sync version v3.3.63.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vulnerability was not reported to the vendor because the product has reached end of life on 31 August 2016 and was replaced by HTC Sync Manager which is not vulnerable to this vulnerability.

Continue reading SSD Advisory – HTC Sync Remote Code Execution