Disposable mail security updates for 19 October – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

 

CVE-2018-18069: WordPress wpml Stored XSS

Sitepress Multilingual CMS Plugin prior to version 3.6.3 is vulnerable to a stored cross site scripting in the WordPress admin login interface. This could lead to an unauthenticated attacker being able to completely take over a WordPress site.

CVE-2018-2894: Oracle WebLogic RCE

The CVE-2018-2894 which is affecting versions 12.1.3.0, 12.2.1.2 and 12.2.1.3 of Oracle Weblogic is a remote code execution (RCE) which allows unauthenticated attackers to upload arbitrary Java Server Pages-files (JSP) to the server. This could lead to a complete server takeover.

CVE-2018-1673: IBM WebSphere XSS

The CVE-2018-1673 is affecting several versions of IBM WebSphere Portal. The vulnerability is a reflected cross site scripting attack where an attacker can execute arbitrary Javascript in the context of the victim’s browser.

 

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

[Video] Proof of Concept: CVE-2018-2894 Oracle WebLogic RCE – 10 minute mail

A recent vulnerability was sent in to Crowdsource affecting Oracle WebLogic Server. The vulnerability is an unauthenticated remote code execution (RCE) that is easily exploited. In this article we will go through the technical aspects of the Oracle WebLogic RCE vulnerability and its exploitation.

Proof of concept video:

How the exploit works:

The vulnerability is affecting the Web Services (WLS) subcomponent. The path: /ws_utc/config.do (on port 7001) is by default reachable without any authentication, however this pages is only available in development mode. In order to make this vulnerability exploitable, the attacker needs to set a new Work Home Dir which has to be writable. The path: servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css works for this. After the new writable Work Home Dir is sat, it is then possible to upload a JSP file in the Security tab.

Image: The interface where it is possible to save a Work Home Dir which will be the path where JKS keystores will be saved.

The page lets an attacker upload JKS Keystores which are Java Server Pages (JSP) files. These uploaded files are then possible to access and execute. Then it is possible to do a file upload as a multipart/form-data to the path: ws_utc/resources/setting/keystore The server will then respond with XML containing the keyStoreItem ID which is used to reach the uploaded file in the format of: /ws_utc/css/config/keystore/1582617386107_filename.jsp


Image: After a successful upload of a JKS Keystore the response will contain its ID.

Impact:

If a hacker acts upon this vulnerability, they may be able to completely compromise the server. However, due to the test page only existing in development mode, it is very important to check that your WebLogic server is not running in development mode. In some cases the port 7001 is filtered and therefore not reachable on the Internet.

For an attacker it is very easy to detect this vulnerability. WebLogic is easily fingerprinted (with its Server header) and a quick search on Shodan shows that there are many instances open on the Internet.

Additional information:

Questions or comments? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!


Written by Krisitian Bremberg
Edited by Jocelyn Chan

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.