Distributed Weakness Filing (DWF) CVE Request form for PUBLIC issues in OpenSource software v5.0 (Responses)
1
Timestamp
Requestor's email address:
I confirm that this CVE is for an Open Source software component/library/etc.
I confirm that I have read the CVE Terms of Use and agree to them
Vendor/Project of the product
Affected product name
Product URL
Affected version
Fixed version (optional information)
Vulnerability type
Vulnerability type if other or unknown
Affected component
Impact of exploitation
Attack vector
Reference URL 1
Reference URL 2
Reference URL 3
Reference URL 4
Reference URL 5
Notes
URL_PROD_URL
URL_1_200CODE
URL_2_200CODE
URL_3_200CODE
URL_4_200CODE
URL_5_200CODE
CVE ToU Email
Analyst
Description
Status
Errors
2
11/5/2018 10:11:17
misi@majd.eu
Yes
Yes
coTURN
coTURN
https://github.com/coturn/coturn
4.5.0.8 and earlier
any after 4.5.0.8
SQL Injection
coturn with backend db
SQL injection
SQL injection vulnerability in the realm username in ConnectionBind request messages. This could give write access to the TURN server configuration
https://github.com/coturn/coturn/blob/5d88f8275df4fa27236cc219d526c9e09d89815c/src/server/ns_turn_server.c#L3346
The issue has been reported by Nicolas Edet <nicedet@cisco.com>. Many Thanks for it!!
200
200
SENT
3
11/5/2018 11:41:30
misi@majd.eu
Yes
Yes
coTURN
coTURN
https://github.com/coturn/coturn/
4.5.0.8 and earlier
after 4.5.0.8
SQL Injection
web admin login form
Full admin access to the TURN server, open relay
Connecting to the admin interface with a crafted admin username can bypass authentication and give full access to the server
https://github.com/coturn/coturn/blob/5d88f8275df4fa27236cc219d526c9e09d89815c/src/apps/relay/turn_admin_server.c#L3138
This issue has been discovered by Nicolas Edet (cisco).
200
200
SENT
4
11/5/2018 12:35:14
misi@majd.eu
Yes
Yes
coTURN
coTURN
https://github.com/coturn/coturn
4.5.0.8 and earlier
after 4.5.0.8
Other/Unknown
Security flaw: Unsafe default settings
cli-interface & loopback-relay
Full turnserver admin access
Attacker allocates a loopback address and opens a connection to the CLI interface without auth
https://github.com/coturn/coturn/blob/5d88f8275df4fa27236cc219d526c9e09d89815c/src/apps/relay/mainrelay.c#L77
This issue has been discovered by Nicolas Edet (cisco)
200
200
SENT
5
11/12/2018 15:52:55
secure@veritas.com
Yes
Yes
OpenKMIP
PyKMIP
https://github.com/OpenKMIP/PyKMIP/
All versions before 0.8.0
0.8.0
Other/Unknown
CWE 399: Resource Management Errors (similar issue to CVE-2015-5262)
PyKMIP server
DOS: the server can be made unavailable by one or more clients opening all of the available sockets
A client or clients open sockets with the server and then never close them
https://github.com/OpenKMIP/PyKMIP/issues/430
200
200
SENT
6
11/23/2018 9:49:43
yzeng@hdu.edu.cn
Yes
Yes
tcpdump.org
tcpdump
https://github.com/the-tcpdump-group/tcpdump
4.9.2
Other/Unknown
CWE-126: Buffer Over-read
line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c"
May expose Saved Frame Pointer, Return Address etc. on stack
The victim must open a specially crafted pcap file
https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9.2/print-hncp.c
https://github.com/the-tcpdump-group/tcpdump/blob/master/print-hncp.c
When processing a special pcap file (http://bbs.nju.edu.cn/file/N/nexttime/id_57), tcpdump runs into the else-clause (i.e., the decode_prefix6 function) of the print_prefix function in print-hncp.c, but the decode_prefix6 function returns directly and does not feed any data into buf. Then, since buf is not initialized, "ND_PRINT("%s", buf)" may over-read buf. (Found by fuzzing)
200
200
200
SENT
7
11/28/2018 12:10:00
sarawudpaksa2510@hotmail.com
Yes
Yes
ios
iPad Mini2
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
10.32014-10001
Incorrect Access Control
09172691530917269153OpenSource109803
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/viewform
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
200
200
200
SENT
8
11/28/2018 12:30:15
sarawudpaksa2510@hotmail.com
Yes
Yes
ios
iPad Mini2
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
10.32014-10001
Incorrect Access Control
09172691530917269153OpenSource109803
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/viewform
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
https://docs.google.com/forms/d/e/1FAIpQLSddsMgF0JuiMlcURdmVuIdGtEgDNKXhjNy6ZoRwGrSb6Ty60g/formResponse
200
200
200
SENT
9
12/3/2018 8:52:04
nils.stuenkel@t-systems.com
Yes
Yes
WeBid
WeBid
http://www.webidsupport.com/
up to current version 1.2.2
after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f
Directory Traversal
getthumb.php
Arbitrary Image File Read
HTTP GET Request
https://telekomsecurity.github.io/assets/advisories/20181108_WeBid_Multiple_Vulnerabilities.txt
http://bugs.webidsupport.com/view.php?id=646
https://github.com/renlok/WeBid/commit/256a5f9d3eafbc477dcf77c7682446cc4b449c7f
200
200
200
200
ACCEPTED
10
12/3/2018 8:55:27
nils.stuenkel@t-systems.com
Yes
Yes
WeBid
WeBid
http://www.webidsupport.com/
up to current version 1.2.2
after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f
SQL Injection
All five yourauctions*.php scripts
Database Read via Blind SQL Injection
HTTP Request
https://telekomsecurity.github.io/assets/advisories/20181108_WeBid_Multiple_Vulnerabilities.txt
http://bugs.webidsupport.com/view.php?id=647
https://github.com/renlok/WeBid/commit/256a5f9d3eafbc477dcf77c7682446cc4b449c7f
200
200
200
200
ACCEPTED
11
12/3/2018 8:58:33
nils.stuenkel@t-systems.com
Yes
Yes
WeBid
WeBid
http://www.webidsupport.com/
up to current version 1.2.2
after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f
Cross Site Scripting (XSS)
user_login.php, register.php
Javascript execution in the user's browser, injection of malicious markup into the page
The victim user must click a malicious link
https://telekomsecurity.github.io/assets/advisories/20181108_WeBid_Multiple_Vulnerabilities.txt
http://bugs.webidsupport.com/view.php?id=648
https://github.com/renlok/WeBid/commit/256a5f9d3eafbc477dcf77c7682446cc4b449c7f
200
200
200
200
ACCEPTED
12
12/4/2018 14:07:18
nickb@appcheck-ng.com
Yes
Yes
Traccar
Traccar Server
https://www.traccar.org
4.0 and earlier
4.1 and later
Other/Unknown
CWE-94: Improper Control of Generation of Code ('Code Injection')
ComputedAttributesHandler.java
Remote Command Execution
Remote: web application request by a self-registered user
https://appcheck-ng.com/advisory-remote-code-execution-traccar-server/
The system allows self-registering users by default

The system appears to commonly be deployed running as the user root
200
200
ACCEPTED
13
12/5/2018 7:39:06
oscar@arnflo.se
Yes
Yes
phpIPAM
phpIPAM
https://phpipam.net/
1.3.2
1.4
SQL Injection
CWE-89
/app/admin/nat/item-add-submit.php
SQL Injection.
Rough user, exploiting the vulnerability to access information he/she does not have access to.
https://github.com/phpipam/phpipam/issues/2344
https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d
200
200
200
ACCEPTED
14
12/5/2018 15:20:20
stayysalty@protonmail.com
Yes
Yes
PHPMarkdown
https://github.com/cebe/markdown
1.2.0 and earlier
Cross Site Scripting (XSS)
cross site scripting
The parser allows a malicious crafted script to be executed
Steal user data with a crafted script
User must open a crafted MD formatted file
https://github.com/cebe/markdown/issues/166
To perform the attack a user has to provide a crafted XSS using a simple payload: ```<script>alert(1);</script>``` will be enough for the attack to execute
200
200
ACCEPTED
15
12/6/2018 6:56:23
oscar@sakerhetskontoret.com
Yes
Yes
PHPipam
PHPipam
https://phpipam.net/
1.3.2 and earlier
1.4
Cross Site Scripting (XSS)
CWE-79
/app/admin/users/print-user.php
Execute code in the victim's browser
Attacker changes the theme parameter in user settings. Admin (victim) views the user in the admin panel and gets exploited.
https://github.com/phpipam/phpipam/issues/2326
https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040
Vulnerability is now confirmed
SENT
16
12/10/2018 2:33:42
214127385@qq.com
Yes
Yes
TP-Link
TP-Link TL-WVR600G Wireless Router
https://www.tp-link.com.cn/product_317.html
TL-WVR600G
Cross Site Scripting (XSS)
The web page /Lan_Setting.htm
code execution(javascript,html)
The attacker needs to access the network
https://www.tp-link.com.cn/product_317.html
I could not contact the product owner of the company, so this is a 0day vulnerability
17
12/10/2018 18:55:46
kurtisgmiller@gmail.com
Yes
Yes
QEMU
QEMU
https://www.qemu.org/
4f818e7b7f8ecb5c166d093b8859fec2ddeca2ef
Buffer Overflow
HEAP OVERFLOW
DTB Handling
Code Execution
local (remote only in specific circumstances)
https://bugs.launchpad.net/qemu/+bug/1807753
18
12/11/2018 8:20:36
fotios.rogkotis@darkmatter.ae
Yes
Yes
PgPool
PgPoolAdmin
http://www.pgpool.net
pgPoolAdmin 3.6.0 up to latest 4.0.1
Other/Unknown
Authentication bypass from the unauthenticated perspective (login as admin without a password). The specific flaw exists within the handling of user-supplied input, which is not validated properly.
pgPoolAdmin - web login form (login.php)
Critical
Unauthenticated perspective, just network access to login.php is enough.
https://github.com/pgpool/pgpooladmin/blob/master/login.php
Timeline

Vulnerability was found on 20th of November 2018. Several attempts to reach the vendor failed and eventually an email to their mailing lists reached out.
The vendor replied on the 9th of December; the latest update is the following: "Hi Fotios,

Thank you for sending the security issue report. I have quickly looked
into the report and I think there's definitely a security issue in
PgpoolAdmin. I will discuss with other project members who are in
charge of maintaining PgpoolAdmin to confirm the issue and to study
possible solution. I will get back to you tomorrow.

Best regards,"

As of now, vulnerability is not fixed (can be also seen from their GitHub) so it would make sense not to disclose it publicly.


Technical notes

The issue lies in the regular expression code used for matching the supplied/submitted username and password against the entries read from the PGPOOL2_PASSWORD_FILE file. This is from the unauthenticated perspective (the only condition that must be met is access to login.php over the network).
An attacker can leverage this vulnerability to gain admin privileges (first account found on the file) resulting in the following:
• Availability disruption by deleting nodes
• Change the topology by adding nodes (this would potentially allow him to gain further access to the data stored on the database)
• Command execution through the master failover possibility
• Disclose the recovery password in plaintext
• Execute SQL queries

Steps to reproduce
Visit the login page under “/PgpoolAdmin/login.php” and complete the username field with the logical-or (pipe) character “|”. Press login.

Vulnerable code
File: pgpoolAdmin/login.php
Relevant lines: 63-71
61 // Check each rows in pcp.conf to search
62 $fp = fopen(_PGPOOL2_PASSWORD_FILE, 'r');
63 $regexp = "^{$username}:{$md5password}";
64
65 if ($fp != NULL) {
66 while (!feof($fp) ) {
67 $line = fgets($fp);
68 if (preg_match("/$regexp/", $line) ) {
69 $_SESSION[SESSION_LOGIN_USER] = $username;
70 $_SESSION[SESSION_LOGIN_USER_PASSWORD] = $password;
71 $success = TRUE;
72 }
73 }
74 }