horshark (33)

Last Login: June 18, 2021
Assessments
10
Score
33

horshark's Latest (10) Contributions

1
Ratings
Technical Analysis

Description

Arbitrary code can be executed on the router due to bad login request handling (when the password is empty).
That can allow the attacker to get inside the network and eventually retrieve information using the router itself.

Versions

Routers: DIR-867, DIR-878, and DIR-882
Firmware: 1.10B04

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Description

This is more of a bad configuration and practice from the user that allows an attacker to infect the command-line Safety package’s detection routines by disguising, or obfuscating, other malicious or non-secure packages.

Vulnerable configurations

  • You are running Safety in a Python environment that you don’t trust.
  • You are running Safety from the same Python environment where you have your dependencies installed.
  • Dependency packages are being installed arbitrarily or without proper verification.
    This can easily be fixed.

Exploitation

A malicious package can avoid detection by Safety on load by running code in `__init__.py` such as seen in https://github.com/akoumjian/python-safety-vuln/blob/master/malicious/__init__.py which contains a patch.
This results in the package not being flagged as malicious.

PoC

A great PoC and explanation is available at https://github.com/akoumjian/python-safety-vuln

1
Ratings
Technical Analysis

Description

This is a Replay Attack found in versions 2.0.0 to 2.4.0 of “Sustainsys.Saml2” Nuget package.
The attacker can wait for the user’s token to be sent and reuse it.

“The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider (SP). The library was previously named Kentor.AuthServices.”

Severity

It depends on the context that the library is being used in. It can grant authentication as another user.
Though getting the token requires high access to the user.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

Requirements

  • openshift/jenkins-slave-base-rhel7-container (as in Openshift 3.11, 4.2 and 4.3 are now fixed)
  • Access to the running container (requires auth)

Loot/result

Easy privilege escalation.

How to/Details

The said container modifies the permissions of /etc/passwd so that users other than root can modify it. An attacker can profit from this if they have access to the container.
The attacker can now make a new user with higher privileges, etc.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Recap

Allows an unauthenticated remote attacker to upload files to the server (no extension restriction).

Requires

The page admin_add.php

Allows

File upload (any extension)

Leads to

Command execution, eventually a reverse shell.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Recap

Allows an unauthenticated remote attacker to upload files to the server (no extension restriction).

Requires

The page admin/gallery.php

Allows

File upload (any extension)

Leads to

Command execution, eventually a reverse shell.

3
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

Recap

JavaScript execution.

Where

On the ip/www/status.php page, you can execute JavaScript in the name and comment fields.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Not a lot of information provided for this CVE.

However, this is a JavaScript code execution in the Your SoPlanning Url field, which you can find in Global Settings, leading to a stored XSS, meaning that execution does not require user interaction.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE in SourceForge project phpABook V0.9i (https://sourceforge.net/projects/phpabook/)

Bypass auth through creation or modification of a cookie.

Cookie named userinfo has its value set as user+perms+lang.
Possibility to authenticate as a regular or privileged user with perms.

3
Ratings
Technical Analysis

Recap

Nothing deep, passwords are sent using Base64.

Requires

Ability to monitor network traffic during user authentication.

Loot

Possibility to retrieve and decode users’ passwords and gain access to their accounts.