Re: XenForo 1.5.x Unauthenticated Remote Code Injection

[Julien Ahrens <info () rcesecurity com>]

This issue does not seem to exist at all.

Among the available versions/updates for XenForo there is no version
1.5.11a as stated in this advisory. After contacting XenForo about this
advisory and the corresponding update, they told me that they are
neither aware of this vulnerability nor about the reporter.

Best Regards
Julien


On 15.12.2016 13:58, Vishal Mishra wrote:
> XenForo 1.5.x Remote Code Execution Vulnerability
>
> 1. ADVISORY INFORMATION
> =======================
> Product:        XenForo
> Vendor URL:     xenforo.com
> Type:           Code Injection [CWE-94]
> Date found:     2016-12-09
> Date published: 2016-12-15
> CVSSv3 Score:   9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
> CVE:            -
>
>
> 2. CREDITS
> ==========
>
> This vulnerability was discovered and researched by indepent security 
> expert Vishal Mishra.
>
>
> 3. VERSIONS AFFECTED
> ====================
>
> XenForo 1.5.x versions prior to 1.5.11a. 
> Older versions may be affected too but were not tested.
>
>
> 4. VULNERABILITY DETAILS
> ========================
>
> The vulnerability allows a remote attacker to overwrite arbitrary PHP 
> variables within the context of the vulnerable application. The 
> vulnerability exists due to insufficient validation of user-supplied 
> input in an HTTP cookie, thus allowing to read sensitive information
> from the XenForo database like usernames and passwords. Since the 
> affected script does not require an authentication, this 
> vulnerability can be exploited by an unauthenticated attacker.
>
>
> 5. PROOF OF CONCEPT
> ===================
>
> The following proof-of-concept exploit the vulnerable HTTP cookie
> and execute the phpinfo() function:
>
> Detailed proof of concept has been removed for this advisory.
>
>
> 6. SOLUTION
> ===========
>
> Update to the latest version v1.5.11a
>
>
> 7. REPORT TIMELINE
> ==================
>
> 2016-12-09: Discovery of the vulnerability
> 2016-12-11: Notified vendor via contact address
> 2016-12-13: Vendor provides update
> 2016-12-13: Provided update fixes the reported issues
> 2016-12-13: Vendor publishes update
> 2016-12-15: Coordinated release of security advisory without proof of concept
>
>
> 8. DISCLAIMER
> =============
>
> Disclaimer: The information provided in this Advisory is provided "as is" and 
> without any warranty of any kind. Details of this Advisory may be updated 
> in order to provide as accurate information as possible.
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

-- 
Mit freundlichen Grüßen / With best regards / Atentamente

Julien Ahrens
Freelancer | Penetration Tester

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/