------------------------------------------------------------------------
Akamai Download Manager arbitrary file download & execution
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
Thanks to Rafal Wojtczuk of McAfee for identifying and reporting
these issues.
ESX
---
VMware ESX 3.0.1 Download Patch Bundle ESX-8258730
http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
md5sum a06d0e36e403b0fe6bc6fbc76220a86d
VMware ESX 3.0.0 Download Patch Bundle ESX-4809553
http://www.vmware.com/support/vi3/doc/esx-4809553-patch.html
{"file":"pJhdgHSudwNdiwdjMLpwdsKSJWSocdwcwoSOJOdwdduwjSSIisdsdiSWswd==",
"success":"Your file was successfully uploaded!"}
There are some mitigating factors though:
1. Files are uploaded to the "download" directory, but the filenames are
random. As we can see above, the server response contains the filename in JSON
format, but it is encrypted. Random filename example:
waraxe.jpg.620d348d4551ea2870e4cb602881a1d8
Browse to http://www.hp.com and do the following:
Select "Support & Drivers"
In Step 1 select "Download drivers and software (and firmware)"
In Step 2 enter one of the following:
HP LaserJet 4345 Multifunction Printer series
HP Color LaserJet 4730 Multifunction Printer series
HP LaserJet 9040/9050 Multifunction Printer series
The vendor released a patched version of 'image_core_class.php' that
must replace the file 'lib/classes/image_core_class.php' in existing
Papoo installations [0].
NOTE: The archive containing the current version 3.7.3 of Papoo does
NOT contain a fix. Users downloading the latest version of Papoo MUST
apply the fix after installation.
Security Risk
=============
Hello Bugtraq!
I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
already wrote about DoS vulnerabilities in different browsers via different
protocol handlers. And now I'll tell you about research concerning attacks
via the http and ftp protocols which I did back in 2008 and published on
30.06.2010.
-----------------------------
mechanism.
2 Detailed Descriptions
____________________________________________________
MyBB relied on setting headers and forced the download of files
(i.e. content-disposition: attachment). This is a sufficient safeguard for IE7,
but IE6 has the added complexity that it ignores the content-disposition, when
the file is already cached. This can happen when the user cancels the download
dialog and then visits the download url again. The script used the incorrect
image/bmp content type, making the issue manifest with files (1) and (2).
.. then, in the case of an Apache web server, the PHP code inside the picture will
be executed. Therefore it is basically remote PHP code execution.
2. Insecure file upload in Downloads module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: critical
Preconditions:
1. The attacker must be a registered user.
Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability
by cocoruder(frankruder@hotmail.com)
http://ruder.cdut.net
Summary:
A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, the remote attacker can
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 30, 2008
I. BACKGROUND
Akamai Download Manager is an integral component of Akamai's global
distribution service. It is used to deliver large files quickly and
reliably to users around the world. It has been used by vendors such as
Symantec and Microsoft to provide downloads to the public.
Akamai provides both an ActiveX and a Java based Download Manager. If a
Found by : Xcross87
1. File Upload Vulnerability
Xploit :
victim.com/ghboard/component/upload.jsp
2. FlashUpload component File Upload and File Download Vulnerability
Upload Xploit :
victim.com/ghboard/component/flashupload/upload.html
Uploading php, jsp and html files is not allowed,
but an attacker can download the page source, remove the JavaScript code that checks the file type, and upload easily.
The uploaded file is located in:
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter Server 5.0 Update 1
---------------------------
The download for vCenter Server includes vSphere Update Manager,
II. DESCRIPTION
This CMS is affected by multiple remote security flaws,
such as SQL Injection, Arbitrary File upload, etc.
These security flaws DO NOT require authentication. Other
files may be vulnerable.
III. ANALYSIS
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting,
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
Akamai Technologies Security Advisory 2009-0001
* Akamai ID: 2009-0001
* Date: 2009/23/20
* Product Name: Download Manager
* Affected Versions: < 2.2.4.8
* Fixed Version: 2.2.4.8
* CVE IDs: {TBD}
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
Multiple Vulnerabilities found in Rapidleech
1. General Information
Rapidleech is a Web based application supporting file upload and download on
the Internet, especially files from popular sites such as rapidshare.com,
megaupload.com, depositfiles.com.
On March 03, 2009, Bkis has detected several vulnerabilities in the upload
function of Rapidleech. These are highly critical vulnerabilities, allowing
> > case the browser issues multiple requests for the
> > same file.
>
> No, the thing to do here is a one-time, limited
> duration key. When the browser first hits the
> download page using the key, the user is assigned
> an internal session by the file download site, and
> the one-time key is voided. No replay attacks. The
> internal session is used for all subsequent
> requests. And the key is limited in duration
> (maybe a minute), so if the user's browser dies or
# Version: <= 1.0
# File affected: processFiles.php
# Download: http://sourceforge.net/projects/fossgallery/
#
#
Akamai Technologies Security Advisory 2008-0001
* Akamai ID: 2008-0002
* Date: 2008/04/20
* Product Name: Download Manager
* Affected Versions: < 2.2.3.6
* Fixed Version: 2.2.3.7
* CVE IDs: CVE-2008-1770
* CVSS Base Score: (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0
Where 'test' is a page containing the {{files}} action.
+---------------------------------------------------------------------+
| Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450) |
+---------------------------------------------------------------------+
The vulnerable code is located in /handlers/files.xml/files.xml.php at line 53:
$file = $this->GetSafeVar('file', 'get');
Vulnerable Version(s): 2.3.6 and probably prior
Tested Version: 2.3.6
Vendor Notification: 29 February 2012
Vendor Patch: 16 March 2012
Public Disclosure: 21 March 2012
Vulnerability Type: Arbitrary File Manipulation, Arbitrary File Upload, XSS
CVE Reference(s): CVE-2012-1467, CVE-2012-1468, CVE-2012-1469
Solution Status: Fixed by Vendor
Risk Level: Critical
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Developers: www.nakid.org
Download : https://sourceforge.net/projects/nakidcms/files/Nakid%20CMS%20v_0_5_2.rar/download
Version: 0.5.2
exploited by ..: eidelweiss
details..: works with an Apache server with the mod_mime module installed (if specific)
======================================================================
Secunia Research 13/05/2010
- Free Download Manager metalink "name" Directory Traversal -
======================================================================
Table of Contents
Affected Software....................................................1
Yorick Koster, April 2009
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
APSB10-08 [2] Security update available for Adobe Download Manager
CVE-2010-0189 [3]
02.23.10 [4] Multiple Vendor NOS Microsystems getPlus Downloader Input
Validation Vulnerability
Aviv Raff On .NET: [5] Skeletons in Adobe's security closet
entitled Chromium, in 2008. Google Chrome is best known for its speed,
simplicity and reliability.
IV. DESCRIPTION
-------------------------
Google Chrome has an inbuilt file downloader[1], just like every other
browser. However, the behavior of this function is different from other
browsers and provides users much more usability and convenience. Chrome
automatically downloads a file from any site that is passed using the
Content-Disposition header value "attachment" (on the contrary, all other
browsers show a save as dialog). There are some mitigations done by Chrome
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ Program: eFront
$ File affected: studentpage.php / professorpage
$ Version: 3.5.1 / build 2710
$ Download: http://www.efrontlearning.net
Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org
NOTE: The SMA must have all pertinent SMA Service Packs applied
Windows 2000 Update Rollup 1
Customers are advised to download and install the Windows 2000 Update Rollup 1 for Service Pack 4 on SMA v2.1. For more information please refer to the Windows 2000 Update Rollup 1 for Service Pack 4 and Storage Management Appliance v2.1 advisory at the following website: http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=179111&taskId=101&prodTypeId=12169&prodSeriesId=315667
Windows 2000 Update Rollup 1 for SP4 does not include security updates released after April 30, 2005, starting from MS05-026. It also does not include patches MS04-003 and MS04-028. Please install these patches in addition to Windows 2000 Update Rollup 1 for SP4, if they have not been installed already.
RESOLUTION
HP strongly recommends the immediate installation of all security patches that apply to third party software which is integrated with SMA software products supplied by HP, and that patches are applied in accordance with an appropriate patch management policy.
PHP-Nuke v8.1 FINAL
http://phpnuke.org/
./html/mainfile.php starting on line 1574
PHP-Nuke v7.0
download:
http://sourceforge.net/project/showfiles.php?group_id=7511&package_id=7622&release_id=213152
in:
./html/admin.php line 111 in function gfx()
and:
./modules/Your_Account/index.php line 489 in function gfx()
Vendor: www.dutchmonkey.com
Download : http://www.dutchmonkey.com/?file=downloads.html&label=Downloads
exploited by ..: eidelweiss
Affected: version 3.9.11
details..: works with an Apache server with the mod_mime module installed (if specific)
[-] vulnerable code in /path/fckeditor/editor/filemanager/connectors/php/config.php