Summary: An attacker with a basic user forum account can specify a malicious avatar URL that discloses the contents of arbitrary local files on the file system. Impact: An attacker can read the contents of any local file. An attacker can also conduct blind SSRF attacks. Affected Software: The following...
Introduction: Flarum is free, open-source, PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. A quick survey on Shodan suggests there are over 1200 installs exposed to the internet. Through our research we were able to leak the contents of arbitrary local files in...
Introduction: A lot has been written about the recent Citrix NetScaler buffer overflow. In the initial rush to get information and platform checks out to customers, some details may not have been fully explained. In this post we hope to rectify that by detailing the full process from the initial...
In our last post we uncovered a vulnerability inside Citrix ADC and NetScaler Gateway that was fixed by the patch for CVE-2023-3519. It seems that this vulnerability, while also critical, is not the one being exploited in the wild by threat actors. We continued our analysis and discovered...
Note: our analysis so far indicates that SAML has to be enabled for exploitation; this may change as we continue to reverse engineer this vulnerability, and we will update our blog post accordingly. We have been notified that the patches from Citrix cover more than one vulnerability, and that the issue...
Summary: An unauthenticated attacker can upload arbitrary files, leading to remote code execution. A cryptographic flaw, coupled with a path traversal vulnerability, enables the attacker to upload files to the webroot via the /documentum/upload.aspx page. Impact: An attacker can upload a web shell to the ShareFile system and execute arbitrary...
Introduction: As part of the security research here at Assetnote, one thing we have noticed is that some types of software are more fruitful than others. File upload and remote access software are prime examples of this. In this post we are looking at the former, a file sharing application...
Summary: URL query parameters are not adequately sanitised before they are placed into an HTTP Location header. An attacker can exploit this to create a link which, when clicked, redirects the victim to an arbitrary location. Alternatively the attacker can inject newline characters into the Location header, to prematurely end...
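The two failure modes in that summary, an open redirect and CRLF injection through a query parameter, as an added example that is not code from Citrix or Assetnote: a minimal redirect handler that copies the parameter into Location unchanged, a helper that shows what the resulting response looks like on the wire, and a hardened target check beside it. The `next` parameter name and the host `gw.example` are assumptions for illustration.

```python
"""Added example, not Citrix or Assetnote code. Shows a redirect handler
that reproduces open redirect and CRLF header injection, next to a
hardened version. The `next` parameter and `gw.example` are assumed."""
from urllib.parse import parse_qs, urlsplit

Headers = list[tuple[str, str]]


def vulnerable_redirect(query_string: str) -> Headers:
    """Copies the `next` query parameter into Location unchanged.

    parse_qs percent-decodes the value, so `%0d%0a` arrives as a real
    CR LF pair, and any absolute URL is accepted as-is.
    """
    target = parse_qs(query_string).get("next", ["/"])[0]
    return [("Location", target)]


def raw_response_lines(headers: Headers) -> list[str]:
    """Serialise headers the way an HTTP/1.1 server does and split the
    result back into lines, i.e. what a proxy or browser actually parses."""
    wire = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return [line for line in wire.split("\r\n") if line]


def safe_redirect_target(raw: str, allowed_host: str) -> str:
    """Return `raw` only if it is a same-site path or an https URL on
    `allowed_host`; otherwise fall back to the site root."""
    # Reject control characters before parsing: a legitimate redirect
    # target never contains CR, LF or other C0 bytes, and urlsplit
    # silently strips some of them, which would hide the injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return "/"
    # Browsers treat "//host" and "/\host" as scheme-relative, so a
    # leading-slash check alone is not enough.
    if raw.startswith(("//", "/\\", "\\")):
        return "/"
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        return raw if raw.startswith("/") else "/"
    # hostname (not netloc) ignores embedded credentials and ports, so
    # "https://gw.example@evil.example/" is seen as evil.example.
    if parts.scheme == "https" and parts.hostname == allowed_host:
        return raw
    return "/"


def hardened_redirect(query_string: str, allowed_host: str) -> Headers:
    """Same entry point as vulnerable_redirect, with the target vetted."""
    target = parse_qs(query_string).get("next", ["/"])[0]
    return [("Location", safe_redirect_target(target, allowed_host))]
```

Feeding `next=/%0d%0aSet-Cookie:%20session%3Dattacker` to `vulnerable_redirect` and serialising the result yields two header lines, the second one attacker-controlled; the hardened handler collapses the same input to `Location: /`. The control-character check runs before any URL parsing on purpose, since parsers that tolerate or strip CR and LF would otherwise mask the injection.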
One of the targets we looked at late last year was Citrix Gateway. Citrix Gateway is another of these “all-in-one” network devices, combining a load balancer, firewall, VPN, etc. Older versions of this product were sold under the name “NetScaler”. In this case we were only looking at the VPN...
Where We Left Off: In our last post we detailed our initial work reversing the recent Progress MOVEit Transfer remote code execution vulnerability as well as our proof-of-concept demonstrating the exploit. We implemented checks in our Attack Surface Management platform providing our customers with assurance on whether or not they...
In the last few days, threat actors have been exploiting a critical pre-authentication vulnerability within Progress MOVEit Transfer. There have been several great blog posts covering the incident response, forensic artifacts, and detection engineering efforts when it comes to preventing compromise [1] [2] [3]. Assetnote was successful at determining the...
Introduction: It’s time to look at Sitecore again! In 2021 our security research team took a look at Sitecore and found some nice vulnerabilities. Some time has passed, Sitecore is still very prevalent and we decided we would have another look. In this round we looked at version 9.3. This...
If you work in the hospitality industry, it’s quite likely that you have seen or worked with Oracle Opera. This software is used by almost all of the largest hotel and resort chains around the world. This critical piece of software holds all of the PII for every guest, including but not...
Summary: An attacker can obtain the JNDI connection name through servlets that leak this information. Due to the weak hardcoded cryptography used by Oracle Opera, it is possible for an attacker to craft encrypted payloads. After the JNDI connection name and encryption elements have been obtained by an attacker, it...
cPanel is web hosting control panel software that is deployed widely across the internet. At the time of writing this blog post, there are roughly 1.4 million installations of cPanel exposed on the external internet. We discovered a reflected cross-site scripting vulnerability that could be exploited...
Summary: A reflected cross-site scripting vulnerability can be exploited without any authentication in affected versions of cPanel. The XSS vulnerability is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. Websites on ports 80 and 443 are also vulnerable to the cross-site...
Introduction: Many enterprise organizations that need to share large amounts of data between employees or stakeholders use enterprise file transfer software. In our experience, we have seen many industries adopt this type of software to quickly deliver large files. File transfer software can store extremely...
For those who haven’t had the pleasure, Avaya Aura is a (rather complicated) platform for managing IP phones. Today we’re going to be looking at the Avaya Aura Device Services (AADS) component of the platform and detailing two vulnerabilities we found during our research. The first big hurdle with this type...
Introduction: At Assetnote, we often audit enterprise software source code to discover pre-authentication vulnerabilities. Yellowfin BI had significance to us because it is a popular analytics platform for product managers, and we were able to deliver value to customers of our Attack Surface Management platform by alerting our customers about...
Over the last ten years, we have seen the industrialization of the content management space. A decade ago, it felt like every individual and business had a dynamic WordPress blog, loaded up with a hundred plugins to do everything from adding widgets to improving performance. Over time, we realised this...
Contents: Introduction; Methodology; Exploitation; But why does this work?; Vendor Response; Remediation Advice; Conclusion. Introduction: Often when performing application security research, we come across other researchers who have found critical vulnerabilities in software that can inspire us to dig deeper as well. This was the case when we read the blog...
Summary: Jira Core and Jira Service Desk are vulnerable to server-side request forgery after authentication. In some cases, it is possible to leverage open sign-ups in Jira Core or Jira Service Desk to exploit this server-side request forgery flaw without having known credentials. Impact: The SSRF vulnerability allows attackers...
TL;DR: Jira is vulnerable to an SSRF that requires authentication to exploit. There are multiple ways to create user accounts on Jira in order to exploit this issue, depending on the configuration of the Jira instance. As an attack chain, it may be possible for an attacker to exploit this issue...
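Both the Flarum avatar-URL file disclosure near the top of this list and the Jira SSRF entries come down to the same root cause: a server fetching a user-supplied URL without vetting the scheme or the destination. The following is an added example, not code from Flarum, Atlassian or Assetnote, of the fetch-target validation a practitioner would want in front of such a fetch. It allows only http(s) (so file:// can never reach the file system), resolves the host and refuses anything landing in loopback, link-local, RFC 1918 or other non-global space, and returns the vetted IP so the caller connects to that address rather than re-resolving. The host names, the lookup table and the public address are constructed for the example; the resolver is injectable so it runs offline.

```python
"""Added example, not Flarum, Atlassian or Assetnote code. Validates a
user-supplied fetch URL against SSRF and local-file disclosure. Host
names, FAKE_DNS and the public IP are constructed for illustration."""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], list[str]]

# Constructed stand-in for DNS so the example runs offline; production
# code would call socket.getaddrinfo(host, None) here.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # mixed answer
    "metadata.example": ["169.254.169.254"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses. is_global already
    excludes private, loopback, link-local, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolve: Resolver = fake_resolve
                       ) -> Optional[tuple[str, str, str, int]]:
    """Return (scheme, host, pinned_ip, port) for a safe target, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # file://, gopher://, ftp://, data:
    host = parts.hostname
    if not host or parts.username or parts.password:
        return None                      # user:pass@host confusion
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None                      # malformed port
    # A literal IP is checked as written; anything else goes through the
    # resolver, and the post-resolution check also catches encodings such
    # as "0x7f000001" that inet_aton would turn into 127.0.0.1.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    # Every answer must be public: a mixed record is a rebinding attempt.
    if not addrs or not all(is_public_address(a) for a in addrs):
        return None
    # The caller must connect to addrs[0], send `host` in the Host header,
    # and run this check again on every redirect hop.
    return (parts.scheme, host, addrs[0], port)
```

The check returns the pinned address deliberately: validating the name and then letting an HTTP client resolve it a second time leaves the DNS rebinding window open, and an HTTP client that follows redirects on its own would bypass the check entirely, so redirects have to be disabled and re-validated per hop.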
Introduction: Once in a while, you come across the perfect storm of vulnerabilities that may be assessed as a medium risk on their own, but when combined they can lead to a critical impact. In this blog post, we detail our journey in auditing network monitoring software called WhatsUp...
Summary: The following vulnerabilities were discovered in Progress Ipswitch WhatsUp Gold:
- CVE-2022-29845: Local File Disclosure
- CVE-2022-29846: WhatsUp Gold Serial Number Disclosure
- CVE-2022-29847: Unauthenticated Server-Side Request Forgery (SSRF)
- CVE-2022-29848: Authenticated Server-Side Request Forgery (SSRF)
The advisory from Progress can be found here. Impact: When combined, these vulnerabilities lead to a critical...
Intro: As part of our ongoing work on our Attack Surface Management platform we are continually researching new and relevant vulnerabilities. In some cases, other talented researchers have found vulnerabilities in software we had already audited. This blog post attempts to trace the steps of someone else’s vulnerability research with the...
Contents: Introduction; Let’s try this again; Now, with added Kubernetes!; Scanning & The Network Boundaries; The Kubelet API: Git secrets redux; Conclusion. Introduction: Following on from our 2nd story, we’ll be continuing the epic tale of our research into Cloudflare pages in this third installment. If you haven’t read part...
Contents: Introduction; OrangeRa1n Jailbreak; Conclusion; Part 3. Introduction: Following on from our 1st story, we’ll be continuing the epic tale of our research into Cloudflare pages in this second installment. If you haven’t read part 1, you can read it here. We pick up where we left off, after harvesting...
Contents: Introduction; Overview of Cloudflare Pages 🤔; Diving Deeper into Cloudflare Pages; The Treasure Map; The CTF; Command Injection in CLONE_REPO; Command Injection in PUBLIC_ASSETS; chmod 777; Path Injection; Part 2. Introduction: Before we get into this lengthy post, we’d like to thank both Cloudflare and HackerOne for working with...
Contents: Introduction; What is dotCMS?; Code Analysis; Making a PoC; Hacking a Bank; Vendor Response; Remediation Advice; Conclusion. The advisory for this issue can be found here. The CVE for this issue is CVE-2022-26352. The advisory from dotCMS can be found here. This security research was performed by Hussein Daher...