Menu

Search for hundreds of thousands of exploits

"Elcom CommunityManager.NET - Authentication Bypass"

Author

Exploit author

"Sense of Security"

Platform

Exploit platform

asp

Release date

Exploit published date

2010-12-20

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
Elcom CommunityManager.NET Auth Bypass Vulnerability - Security Advisory - SOS-10-004
Release Date.                  20-Dec-2010
Last Update.                   -
Vendor Notification Date.      22-Jan-2010
Product.                       Elcom Technology's
                               CommunityManager.NET
Platform.                      IIS with ASP.NET
Affected versions.             v6.7 verified and 
                               possibly others.
Severity Rating.               High
Impact.                        Application "System" user access
Attack Vector.                 Remote without authentication
Solution Status.               Vendor patch
CVE reference.                 Not yet assigned

Details.
The web application uses cookie parameters passed via HTTP 
requests to identify which user is logged in. Authentication 
routines can be bypassed by simply appending the below POC 
string to a cookie which already contains a valid ASP.NET 
session ID. The value given to the various cookie parameters 
indicates the specific user ID for the application user the 
attacker wishes to impersonate.

Proof of Concept.
To exploit this vulnerability, simply browse to the software 
to automatically create a valid ASP.NET session ID. Once 
obtained, add the following to the cookie parameter:

; CMLogUserwww2=21; OnlineLearnUserwww2=21

Note that the ID value of "21" in the above instance 
indicates that the user with the user ID of "21" will be 
impersonated. If this user ID is not linked to a user account,
access will not be obtained. Some enumeration or educated
guessing may be required. 

Solution.
Sense of Security has been advised that Elcom Technology has
patched all versions of CommunityManager.NET and notified all
clients.

Discovered by.
Sense of Security Labs.

About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the countries largest
organisations.

Sense of Security Pty Ltd 
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-10-004.pdf
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-07-10 "HelloWeb 2.0 - Arbitrary File Download" webapps asp bRpsd
2020-03-16 "Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)" webapps asp "Miguel Mendez Z"
2020-01-24 "OLK Web Store 2020 - Cross-Site Request Forgery" webapps asp "Joel Aviad Ossi"
2019-12-18 "Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting" webapps asp "Harshit Shukla"
2019-11-18 "Crystal Live HTTP Server 6.01 - Directory Traversal" webapps asp "numan türle"
2019-08-16 "Web Wiz Forums 12.01 - 'PF' SQL Injection" webapps asp n1x_
2019-05-06 "microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection" webapps asp "felipe andrian"
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2018-11-05 "Advantech WebAccess SCADA 8.3.2 - Remote Code Execution" webapps asp "Chris Lyne"
2018-05-29 "IssueTrak 7.0 - SQL Injection" webapps asp "Chris Anastasio"
Release Date Title Type Platform Author
2013-11-12 "Juniper Junos J-Web - Privilege Escalation" webapps php "Sense of Security"
2013-04-08 "Google AD Sync Tool - Exposure of Sensitive Information" local multiple "Sense of Security"
2012-11-30 "SilverStripe CMS 3.0.2 - Multiple Vulnerabilities" webapps php "Sense of Security"
2012-09-05 "Ektron CMS 8.5.0 - Multiple Vulnerabilities" webapps asp "Sense of Security"
2012-08-27 "Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload" webapps asp "Sense of Security"
2012-06-18 "QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2012-03-07 "Iciniti Store - SQL Injection" webapps asp "Sense of Security"
2012-03-05 "Symfony2 - Local File Disclosure" webapps php "Sense of Security"
2012-02-23 "Snom IP Phone - Privilege Escalation" webapps hardware "Sense of Security"
2011-10-17 "WordPress Plugin BackWPUp 2.1.4 - Code Execution" webapps php "Sense of Security"
2011-09-20 "NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery" webapps hardware "Sense of Security"
2011-09-19 "Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2011-07-20 "Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scripting" webapps jsp "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/logicalTopo.do' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - iptm/eventmon Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/ddv.do?deviceInstanceName' Cross-Site Scripting" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/advancedfind.do?extn' Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-20 "PHP Captcha / Securimage 2.0.2 - Authentication Bypass" webapps php "Sense of Security"
2011-05-18 "CiscoWorks Common Services 3.1.1 - Auditing Directory Traversal" webapps java "Sense of Security"
2011-05-18 "CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager - Multiple Vulnerabilities" remote windows "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager 8.5 - Common Services Device Center Cross-Site Scripting" remote hardware "Sense of Security"
2011-04-15 "cPassMan 1.82 - Arbitrary File Download" webapps php "Sense of Security"
2011-03-28 "WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution" webapps php "Sense of Security"
2010-12-20 "Elcom CommunityManager.NET - Authentication Bypass" webapps asp "Sense of Security"
2009-08-12 "Plume CMS 1.2.3 - Multiple SQL Injections" webapps php "Sense of Security"
2009-06-30 "XOOPS 2.3.3 - 'op' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Sense of Security" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected