Disposable mail security updates for 20 September – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

Jolokia is software used internally to set up an API for querying information about the system.

Until recently, the default configuration allowed anyone to use it, as it was not supposed to be publicly accessible. It was possible to set a username and password, but that required a more complex setup, so in many instances people went with the default. Combined with the API being exposed on the internet, this means that malicious actors can query information about the system, information that should not be publicly available.

The original research can be found here.

Two versions of the WordPress plugin Loginizer have a stored XSS vulnerability: an unauthenticated attacker can attempt to log in on a URL that contains an XSS payload. The attempt is then logged, and the payload executes when a logged-in administrator reviews the log.

More information can be found here.

Similar to the vulnerability above, iThemes Security logged all non-existent URLs that someone had tried to access. By visiting a non-existent URL containing an XSS payload, the payload would show up in the logs and execute when they were later reviewed by a logged-in administrator.

More information.

Atmosphere is a popular framework for asynchronous applications written in Java. It is made for building applications that use WebSocket, Server-Sent Events and traditional Ajax techniques, among others.

The issue was in the JSONP endpoint. It had a callback parameter whose value was reflected into the page. The response did not specify a content type, which made it possible for a browser to treat it as HTML and therefore cause XSS.

The full advisory can be found here.
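As an added example (not code from the Atmosphere project or from the original post), the Python functions below contrast a JSONP handler that reflects the callback with no content type against a hardened one that validates the callback name, pins the Content-Type and forbids MIME sniffing; the callback pattern and function names are this example's own assumptions.

```python
import json
import re

# A JSONP callback must look like a JavaScript identifier path such as "cb" or "app.handle".
# Assumption: this pattern is written for the example and is not Atmosphere's own rule.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def vulnerable_jsonp(callback, payload):
    """Mirror the flaw described above: the callback is reflected verbatim and no
    Content-Type is sent, so a browser may sniff the response and render it as HTML."""
    body = f"{callback}({json.dumps(payload)});"
    headers = {}  # no Content-Type at all
    return headers, body


def hardened_jsonp(callback, payload):
    """Validate the callback name, pin the content type and forbid MIME sniffing."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    # json.dumps escapes non-ASCII (including U+2028/2029) by default; additionally break
    # any "</" inside string values so the body can never close a <script> tag if it is
    # ever rendered as HTML. The leading comment is a harmless, common JSONP hardening.
    body = f"/**/{callback}({json.dumps(payload)});".replace("</", "<\\/")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def is_sniffable_reflection(headers, body, callback):
    """Detection helper: true when a response reflects the callback unchanged and
    carries no Content-Type, i.e. the condition the advisory above describes."""
    has_type = any(k.lower() == "content-type" for k in headers)
    return callback in body and not has_type
```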

A remote code execution vulnerability in the WordPress plugin Duplicator was recently published online. It allows an attacker to execute code on the server. Read the original research here.

After looking into this Crowdsource submission, we also realised that it is a big problem if directory listing is enabled when running this plugin, as that would expose database backups. A test for this, on this plugin as well as related ones, was added at the same time.

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random 10-minute email addresses. It is also known by names like temporary mail, disposable mail, throwaway email, one-time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail security updates for 19 October – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2018-18069: WordPress wpml Stored XSS

Sitepress Multilingual CMS Plugin prior to version 3.6.3 is vulnerable to stored cross-site scripting in the WordPress admin login interface. This could lead to an unauthenticated attacker completely taking over a WordPress site.

CVE-2018-2894: Oracle WebLogic RCE

CVE-2018-2894, which affects versions 12.1.3.0, 12.2.1.2 and 12.2.1.3 of Oracle WebLogic, is a remote code execution (RCE) vulnerability that allows unauthenticated attackers to upload arbitrary Java Server Pages (JSP) files to the server. This could lead to a complete server takeover.

CVE-2018-1673: IBM WebSphere XSS

CVE-2018-1673 affects several versions of IBM WebSphere Portal. The vulnerability is a reflected cross-site scripting attack in which an attacker can execute arbitrary JavaScript in the context of the victim's browser.


[Video] Proof of Concept: CVE-2018-2894 Oracle WebLogic RCE – 10 minute mail

A recent vulnerability affecting Oracle WebLogic Server was sent in to Crowdsource. The vulnerability is an unauthenticated remote code execution (RCE) that is easily exploited. In this article we go through the technical aspects of the Oracle WebLogic RCE vulnerability and its exploitation.

Proof of concept video:

How the exploit works:

The vulnerability affects the Web Services (WLS) subcomponent. The path /ws_utc/config.do (on port 7001) is reachable by default without any authentication; however, this page is only available in development mode. To make this vulnerability exploitable, the attacker needs to set a new Work Home Dir that is writable. The path servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css works for this. After the new writable Work Home Dir is set, it is possible to upload a JSP file in the Security tab.

Image: The interface where it is possible to save a Work Home Dir which will be the path where JKS keystores will be saved.

The page lets an attacker upload JKS keystores that are actually Java Server Pages (JSP) files. These uploaded files can then be accessed and executed. The upload is sent as multipart/form-data to the path ws_utc/resources/setting/keystore. The server then responds with XML containing the keyStoreItem ID, which is used to reach the uploaded file at a path of the form /ws_utc/css/config/keystore/1582617386107_filename.jsp.


Image: After a successful upload of a JKS Keystore the response will contain its ID.

Impact:

If an attacker acts on this vulnerability, they may be able to completely compromise the server. Because the test page only exists in development mode, it is very important to check that your WebLogic server is not running in development mode. In some cases port 7001 is filtered and therefore not reachable from the Internet.

For an attacker it is very easy to detect this vulnerability: WebLogic is easily fingerprinted (via its Server header), and a quick search on Shodan shows that there are many instances open on the Internet.
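An added defensive self-check, not code from the original post: the Python function below interprets the response to an unauthenticated GET of /ws_utc/config.do on a server you administer and tells a production-mode login redirect apart from an exposed development-mode test client. The Server-header fingerprint follows the text; the body markers, function names and the sample responses in the test are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Path of the unauthenticated test client named in the text above (port 7001 by default).
TEST_CLIENT_PATH = "/ws_utc/config.do"


def assess_ws_utc(status, headers, body):
    """Interpret one response to an unauthenticated GET of TEST_CLIENT_PATH.

    status is None when the port did not answer (closed or filtered). Returns a dict with
    'verdict' in {"filtered", "login-required", "not-found", "exposed", "unknown"} and
    'weblogic' telling whether the Server header fingerprinted WebLogic."""
    hdr = {k.lower(): v for k, v in (headers or {}).items()}
    result = {"verdict": "unknown",
              "weblogic": "weblogic" in hdr.get("server", "").lower()}
    if status is None:
        result["verdict"] = "filtered"
    elif status in (401, 403):
        result["verdict"] = "login-required"
    elif status in (301, 302, 303, 307, 308):
        target = urlparse(hdr.get("location", "")).path.lower()
        # A redirect into a login page is the expected production-mode behaviour.
        result["verdict"] = "login-required" if "login" in target else "unknown"
    elif status == 404:
        result["verdict"] = "not-found"  # the test client only deploys in development mode
    elif status == 200 and "text/html" in hdr.get("content-type", "").lower():
        # Assumption for this example: the test-client page references its own path or the
        # "Work Home Dir" setting; a bare HTML 200 without such evidence stays "unknown".
        if "ws_utc" in body or "Work Home Dir" in body:
            result["verdict"] = "exposed"
    return result


def needs_attention(result):
    """Only an exposed test client on a fingerprinted WebLogic server is an actionable finding."""
    return result["verdict"] == "exposed" and result["weblogic"]
```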

Additional information:



Written by Kristian Bremberg
Edited by Jocelyn Chan


[PoC Video] jQuery-File-Upload: A tale of three vulnerabilities – 10 minute mail

TL;DR Three vulnerabilities in the second most starred JavaScript repository on GitHub, two of which are remote code execution, while the third makes it possible to permanently delete any file uploaded through jQuery-File-Upload. The latter is intended behaviour; however, our research suggests that user privacy is not respected, as content can easily be viewed by external actors.

Disposable mail Crowdsource has been working with three vulnerabilities in jQuery-File-Upload submitted by our security researcher community, and we have now implemented these security tests in the Disposable mail tool. Our research found that jQuery-File-Upload is included in several different platforms and is often not properly configured. The following proof of concept covers CVE-2018-9206, an unauthenticated arbitrary file upload vulnerability, and the remote code execution due to ImageTragick. Explanations of all three vulnerabilities follow.

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability

This first vulnerability has been known since 2015, but in 2018 a CVE was finally assigned and the vulnerability was brought to public attention, as thousands of applications were vulnerable to RCE via jQuery File Upload. The open-source file upload widget jQuery-File-Upload is the second most starred JavaScript repository on GitHub, after the jQuery JavaScript library itself. The core of CVE-2018-9206 is a vulnerability in the server configuration and PHP components of the project, not in the JavaScript. While an RCE in JavaScript would be surprising, it is not as surprising in PHP.

The vulnerability is due to the code relying on Apache's .htaccess support, a way to restrict files from being executed on an Apache web server.

# The following directives prevent the execution of script files
# in the context of the website.
# They also force the content-type application/octet-stream and
# force browsers to display a download dialog for non-image files.
SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment

# The following unsets the forced type and Content-Disposition headers
# for known image files:
# (The <FilesMatch> wrapper was lost in extraction and is restored here so that
# the two directives below apply only to image extensions.)
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>

<...>

The above .htaccess is included in jQuery-File-Upload, and prior to version 9.22.0 it was the only protection against arbitrary file upload. The .htaccess file makes the browser download files (for example PHP files) with MIME type application/octet-stream instead of the web server executing them. This means that jQuery-File-Upload allowed any file to be uploaded but not executed on the server, since the code trusted the web server to make the check. After the patch, later versions check the type of file being uploaded.

However, Apache stopped enabling .htaccess support by default in version 2.3.9, making this only protection useless unless it is explicitly enabled. If another web server is in use (for example Nginx), there is no protection at all, as .htaccess only works with the Apache web server.

An attacker can simply upload any file and it will be handled by the web server. This leads to remote code execution, as an attacker can upload PHP files and execute them.

Remote code execution due to ImageTragick

The second jQuery-File-Upload vulnerability had also been known within the hacking community for some years, but did not become publicly known until the project started to get attention due to CVE-2018-9206 and more people began looking into jQuery-File-Upload's code base. As the code makes use of ImageMagick, it may be possible to obtain remote code execution through Ghostscript (CVE-2016-3714, also known as ImageTragick). This is demonstrated in the video.

An attacker can upload the following PostScript file saved with one of the whitelisted extensions: PNG, GIF or JPG.

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ping example.com) currentdevice putdeviceprops

The server will then execute the command ping example.com. Note that the Ghostscript payload looks slightly different depending on the operating system; the ping command works in most environments, which makes our automatic test for this vulnerability very accurate.

Note that this is a vulnerability in a library that jQuery-File-Upload uses, and not in the code itself.
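The following Python check, added here and not part of jQuery-File-Upload, shows the server-side validation that the .htaccess approach above lacks and that also catches the PostScript-disguised-as-image payload from the ImageTragick section: it whitelists image extensions, rejects script extensions hidden inside the name, compares the leading bytes with the claimed image type and refuses files that start with PostScript markers. The signature table, marker list, function name and sample inputs are constructed for this example.

```python
import os

# Extensions that the sample server whitelists for images (from the text above).
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Leading bytes a genuine file of each type starts with (table constructed for this example).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions Apache's mod_mime may map to a script handler even when not last in the name.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "cgi", "pl", "jsp"}

# Markers of the PostScript payload shown above; a real image never starts with them.
POSTSCRIPT_MARKERS = (b"%!PS", b"%pipe%", b"putdeviceprops")


def check_upload(filename, data):
    """Return (accepted, reason) for one uploaded file, trusting neither .htaccess nor the name."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in image whitelist"
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, "script extension hidden inside the filename"
    head = data[:1024]
    if any(marker in head for marker in POSTSCRIPT_MARKERS):
        return False, "PostScript content disguised as an image (ImageTragick pattern)"
    if not head.startswith(IMAGE_SIGNATURES[parts[-1]]):
        return False, "content does not match the claimed image type"
    return True, "ok"


# Constructed sample inputs: a header-only PNG, a benign PHP snippet, and the first and
# last lines of the Ghostscript payload quoted above, saved under an image name.
TINY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_TEXT = b"<?php echo 'hello'; ?>"
PS_AS_PNG = b"%!PS\nmark /OutputFile (%pipe%ping example.com) currentdevice putdeviceprops\n"
```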

An intentional but vulnerable feature

The third and last vulnerability found was an insecure direct object reference or IDOR vulnerability. One website owner responded that the issue was actually “intentional behaviour” but many users of jQuery-File-Upload may not know of the behaviour, making it risky to use.

Here's why: the endpoint that files are uploaded to can be requested with GET, and the server will respond with a JSON object listing all previously uploaded files. This exposes the file names, upload path, thumbnail and whether it is possible to delete the file permanently from the server. The response looks something like:

{"files":[{"name":"image.jpg","size":68549,"url":"http://example.com/image.jpg","thumbnailUrl":"http://example.com/thumbnail/image.jpg","deleteUrl":"http://example.com/server/php?file=image.jpg","deleteType":"DELETE"}]}

With this, a user can view all previously uploaded files by requesting the value in the url key. It is also possible to delete any file by sending the HTTP DELETE method to the value in the deleteUrl key. This can easily be done with cURL:

curl -X DELETE http://example.com/server/php?file=image.jpg

When looking for websites using jQuery-File-Upload, I came across a few cases where this "intentional behaviour" probably shouldn't be intentional. One case was a dating site where users naturally uploaded images of themselves; by sending this request, I was able to view the whole user base of uploaded photos. In another case I was able to access all uploaded photos on a website that requires users to verify their identity by uploading a photo of their government ID or passport. I have reached out to Sebastian Tschan (the maintainer of jQuery-File-Upload) and to all the websites on which I found the vulnerability.
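As an added example, not from the original post, this Python function classifies the response to an unauthenticated GET of your own upload endpoint as the listing described above, counting visible files and deletable entries so a site owner can confirm whether the endpoint is exposed; the sample response is the JSON from the text with its syntax completed, and the function name is an assumption.

```python
import json
from urllib.parse import urlparse


def assess_upload_listing(status, body):
    """Classify an unauthenticated GET to the upload endpoint.

    The sample PHP server answers text/plain unless the client asks for JSON, so the body
    is parsed regardless of its Content-Type. Returns a dict with:
      listable  - a JSON object with a "files" list came back (even an empty one)
      exposed   - at least one file entry was visible without authentication
      files     - number of entries
      deletable - entries carrying a deleteUrl with deleteType DELETE
      hosts     - hostnames the url/thumbnailUrl/deleteUrl values point at"""
    result = {"listable": False, "exposed": False, "files": 0, "deletable": 0, "hosts": []}
    if status != 200 or not isinstance(body, (str, bytes)):
        return result
    try:
        doc = json.loads(body)
    except ValueError:  # JSONDecodeError is a ValueError; an HTML login page lands here
        return result
    files = doc.get("files") if isinstance(doc, dict) else None
    if not isinstance(files, list):
        return result
    result["listable"] = True
    hosts = set()
    for entry in files:
        if not isinstance(entry, dict):
            continue
        result["files"] += 1
        if entry.get("deleteUrl") and str(entry.get("deleteType", "")).upper() == "DELETE":
            result["deletable"] += 1
        for key in ("url", "thumbnailUrl", "deleteUrl"):
            host = urlparse(str(entry.get(key, ""))).hostname
            if host:
                hosts.add(host)
    result["exposed"] = result["files"] > 0
    result["hosts"] = sorted(hosts)
    return result


# Constructed sample: the listing shown above with its JSON completed.
SAMPLE_LISTING = (
    '{"files":[{"name":"image.jpg","size":68549,"url":"http://example.com/image.jpg",'
    '"thumbnailUrl":"http://example.com/thumbnail/image.jpg",'
    '"deleteUrl":"http://example.com/server/php?file=image.jpg","deleteType":"DELETE"}]}'
)
```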

Remediation

The first two issues have been fixed in the latest version of jQuery-File-Upload, and we recommend updating to the latest version as soon as possible. To remediate the last vulnerability, restrict access to the endpoint that files are uploaded to (usually server/php/index.php) if it is important that the uploaded files are not publicly viewable.

Do you use jQuery-File-Upload in your web applications and are not sure whether you have secured the code? You can check the code with Disposable mail now. Just log in here. Not a customer yet? No problem! You can sign up for your account and free trial today.

Disposable mail security updates for 13 December – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2018-14912: cgit Path Traversal

A vulnerability in cgit was recently made public by Google Project Zero. After getting it as a submission through Disposable mail Crowdsource we implemented it as a module. More information about the issue can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627

CVE-2018-5006: Adobe AEM SSRF via SalesforceSecretServlet

Adobe AEM, also called Adobe Experience Manager, has previously had a few known vulnerabilities. Frans Rosén, one of our security advisors, has done a presentation on this here: https://www.youtube.com/watch?v=_j9ZEIodMDs

However, a new SSRF was released recently, which, in addition to all the other research, has been implemented in the scanner.

Apache Hadoop RCE

Read more about the story around this vulnerability here: https://securityaffairs.co/wordpress/77565/malware/hadoop-zero-day-exploit-leaked.html

jQuery-File-Upload related vulnerabilities

The last of the three! See the following blog post: https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/

A few of the other things implemented…

  • CVE-2018-9845: Etherpad Authentication Bypass https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9845
  • Exposed Docker configuration file
  • Header-Based SSRF
  • URL-based Authentication Bypass


Disposable mail security updates for 18 April – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

Apache Tomcat RCE when “enableCmdLineArguments” is enabled on Windows (CVE-2019-0232)

CGI servlets are disabled by default on a Tomcat installation. However, if this feature is enabled without also disabling enableCmdLineArguments, it leads to RCE. This became public a few days ago and was quickly submitted by several Crowdsource researchers.

Confluence Widget Connector path traversal (CVE-2019-3396)

To quote the advisory:

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

More information here.

Backdoor / RCE in bootstrap-sass 3.2.0.3

A backdoor was discovered by Snyk in the gem bootstrap-sass. It makes it possible to send crafted cookies that are then decoded and executed as code.

More information about it.

Embedded Metadata in Office files

After receiving a Crowdsource submission about it, we have improved the support for handling metadata in files found during crawling, in this case Office documents. This data can reveal information about the authors or the system a document was created on that is not intended to be public.



vBulletin RCE CVE-2019-16759 exploited in the wild, to Disposable mail – 10 minute mail

Disposable mail now has built-in detection for the vBulletin RCE CVE-2019-16759, thanks to a report from our Crowdsource community. Last week, a proof-of-concept exploit for a remote code execution (RCE) vulnerability in the vBulletin forum software, CVE-2019-16759, was disclosed publicly. The vulnerability has been exploited in the wild and is actively being exploited by malicious attackers.

What is the vBulletin RCE?

The vulnerability exists in PHP widget creation functionality that takes parameters from an HTTP POST request, which can be trivially modified by a user. The affected vBulletin forum versions are 5.0.0 through 5.5.4. The official patch for the vulnerability was released by vBulletin on the 25th of September.

The public release of the exploit code resulted in companies such as Comodo having their forum and underlying server compromised. The exploitation can be scripted and automated, so anyone running a vulnerable version of vBulletin could have their server compromised by an opportunistic attacker.

A known vulnerability for a few years

According to Chaouki Bekrar, the CEO of the zero-day exploit market Zerodium, the exploit has been sold for three years. It has most likely been used over the years, but only gained wider attention last week.

Image: vBulletin RCE was on Zerodium for a few years.

The Impact

The vulnerability allows attackers to run arbitrary code on the servers of the affected vBulletin forums. RCE vulnerabilities lead to full takeover of the server, meaning that any data stored on the server is compromised. In addition, an attacker can leverage the computing power of the server for other criminal activities, such as installing cryptominers or botnets.

The severity of the issue is increased by the fact that no form of authentication is needed to exploit the vulnerability.

Technical details

The vulnerability is in the dynamic creation of widgets, which can be done over an HTTP request.

The vulnerability can be exploited via the ajax/render/widget_php route. The RCE payload (for example shellcode) is processed by the widget rendering when a malicious payload is sent in the widgetConfig[code] parameter of an HTTP POST request. The proof-of-concept exploit can be found here.
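As an added example (not part of the original post), the Python snippet below runs over constructed access-log lines and flags requests to the ajax/render/widget_php route named above, so defenders can look for exploitation attempts in their own logs; the regex, function names and sample lines are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Common/Combined Log Format: client, identity, user, [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Route and parameter named in the text above (compared case-insensitively after decoding).
WIDGET_ROUTE = "ajax/render/widget_php"
WIDGET_PARAM = "widgetconfig[code]"


def classify_request(line):
    """Return a finding dict for a request that hits the widget_php route with POST, or
    with the widgetConfig[code] parameter visible in the query string; None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand; skip rather than crash
    path = unquote(m.group("path")).lower()
    if WIDGET_ROUTE not in path:
        return None
    if m.group("method") == "POST" or WIDGET_PARAM in path:
        return {"ip": m.group("ip"), "time": m.group("time"),
                "status": int(m.group("status")), "path": m.group("path")}
    return None


def scan_access_log(lines):
    """Collect all findings; a 200 on a POST is the strongest signal that the widget ran."""
    return [f for f in (classify_request(line) for line in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2019:10:14:02 +0000] "POST /ajax/render/widget_php HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Sep/2019:10:14:05 +0000] "GET /forum/index.php HTTP/1.1" 200 8711',
    '203.0.113.7 - - [26/Sep/2019:10:14:09 +0000] "GET /ajax/render/widget_php?widgetConfig%5Bcode%5D=x HTTP/1.1" 200 64',
    '192.0.2.4 - - [26/Sep/2019:10:15:00 +0000] "GET /ajax/render/widget_php HTTP/1.1" 405 0',
    "garbage line that does not parse",
]
```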

How can Disposable mail help?

Thanks to Disposable mail Crowdsource hackers, we are now detecting the CVE-2019-16759 RCE vulnerability in vBulletin software. If your Disposable mail Deep Scan report shows you are running a vulnerable version of vBulletin, patch your installation by following the guidance provided by vBulletin’s official patch release.


Written by:
Laura Kankaala
Security Researcher, Disposable mail

Do you use vBulletin on your web applications and you’re not sure if you have a vulnerable version? You can check it with Disposable mail now. Just log in here. Not a customer yet? No problem! You can sign up for your account and free trial today.