[CVE-2017-5869] Nuxeo Platform remote code execution

We found a file upload vulnerability in the Nuxeo CMS. Through the web interface, we managed to abuse the file upload vulnerability to execute arbitrary code and take over the platform.

We developed a Metasploit module to ease the exploitation.



[CVE-2017-6088] EON 5.0 Multiple SQL Injection

EyesOfNetwork ("EON") is an open-source network monitoring solution.

We found an SQL injection vulnerability in the authenticated part of the application.

Successful exploitation would lead to a complete database dump by any logged-in user, even one with low privileges, thus exposing confidential data.



[CVE-2017-6087] EON 5.0 Remote Code Execution

EyesOfNetwork ("EON") is an open-source network monitoring solution.

We found a vulnerability caused by incorrect filtering of inbound parameters of the Web component.

It leads to remote code execution. In other words, an attacker exploiting this vulnerability could obtain a remote shell (e.g. /bin/bash) on the operating system of the target.



Riverbed RiOS insecure cryptographic storage (CVE-2017-5670)

We found vulnerabilities in the Riverbed appliance, specifically in the way the secure vault protects TLS private keys.

Such appliances are often found in sensitive environments, where they compress network traffic between end-points. When communications are protected with TLS, such appliances need to decrypt the traffic with the server's private key. Basically, they intercept the traffic from a man-in-the-middle position.

Thus, private key storage confidentiality and integrity is critical.




CVE-2016-3403 : Multiple CSRF in Zimbra Administration interface

We found multiple CSRF vulnerabilities in the administration interface of Zimbra, allowing actions such as adding, modifying and removing admin accounts.

Zimbra nicely credited our efforts.



SPIP 3.1.2 Server Side Request Forgery (CVE-2016-7999)

SPIP is a publishing system for the Internet, which emphasises collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
It is possible to send HTTP/FTP requests using the valider_xml file.
Attackers can make it look like the server is sending the request, possibly bypassing access controls such as a firewall that would prevent the attacker from accessing the URLs directly.



SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)

SPIP is a publishing system for the Internet, which emphasises collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.

The SPIP template composer/compiler does not correctly handle SPIP "INCLUDE/INCLURE" Tags, allowing PHP code execution by an authenticated user.
This vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.



SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)

SPIP is a publishing system for the Internet, which emphasises collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.

The valider_xml file can be used to enumerate files on the system.



SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980)

SPIP is a publishing system for the Internet, which emphasises collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
The request to valider_xml (see: SPIP 3.1.2 Template Compiler/Composer PHP Code Execution - CVE-2016-7998) is vulnerable to Cross-Site Request Forgery, allowing the execution of the CVE-2016-7998 attack by tricking an administrator into opening a malicious link.



SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)

SPIP is a publishing system for the Internet, which emphasises collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
The var_url parameter of the valider_xml file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.
