6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)





Recommendation Details:


(1) Vendor & Product Description:


Vendor:
6kbbs



Product & Vulnerable Versions:
6kbbs
v7.1
v8.0



Vendor URL & download:
6kbbs can be gain from here,
http://www.6kbbs.com/download.html




Product Introduction Overview:
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common."


"(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers."





(2) Vulnerability Details:
6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.


Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the web securities have been published here.




Source Code:
<?php
if(empty($row)){
        $extrow=$db->row_select_one("users","username='{$username}'");
        if(!empty($extrow) && !empty($extrow['salt'])){
                if(md5(md5($userpass).$extrow['salt'])==$extrow['userpass']){
                        $row=$extrow;
                        $new_row["userpass"]=$userpass_encrypt;
                        $new_row["salt"]="";
                        $db->row_update("users",$new_row,"id={$extrow['id']}");
                }
        }
}
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that "userpass" stored in cookie was encrypted using "$userpass" user password directly. And there is no "HttpOnly" attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.


"The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a "by attribution" RSA license." (Wikipedia)









References:
http://seclists.org/fulldisclosure/2015/Jun/34
http://lists.openwall.net/full-disclosure/2015/06/11/6
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02160.html
https://packetstormsecurity.com/files/132270/6kbbs-7.1-8.0-Weak-Cryptography.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2092
http://tetraph.blog.163.com/blog/static/234603051201551415853846/#
http://essaybeans.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://mathfas.wordpress.com/2015/06/14/6kbbs-weak-encryption/
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/

CVE-2015-2563 - Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

CVE-2015-2563 - Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities


Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities
Product: phpVID
Vendor: Vastal I-tech
Vulnerable Versions: 1.2.3   0.9.9
Tested Version: 1.2.3   0.9.9
Advisory Publication: March 13, 2015
Latest Update: April 25, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: CVE-2015-2563 
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)






Direction Details:


(1) Vendor & Product Description:


Vendor:
Vastal I-tech



Product & Vulnerable Versions:
phpVID
1.2.3
0.9.9



Vendor URL & Download:
phpVID can be approached from here,
http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA



Product Introduction Overview: 
"phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy."

"The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a "single dedicated server". phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com."

"Server Requirements:
Preferred Server: Linux any Version
PHP 4.1.0 or above
MySQL 3.1.10 or above
GD Library 2.0.1 or above
Mod Rewrite and .htaccess enabled on server.
FFMPEG (If you wish to convert the videos to Adobe Flash)"





(2) Vulnerability Details:
phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. "Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services." Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.


(2.1) The first code programming flaw occurs at "&order_by" "&cat" parameters in "groups.php?" page.








Related Links:
http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html
https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2
http://seclists.org/fulldisclosure/2015/Mar/58
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699
http://lists.openwall.net/full-disclosure/2015/03/10/8
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2
http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2
https://cxsecurity.com/issue/WLB-2015020091
https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823
http://t.qq.com/p/t/482410003538035
http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5
http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid
http://essayjeans.lofter.com/post/1cc7459a_6ee4fcb
http://xingti.tumblr.com/post/118768481545/cve-2015-2563-vastal-i-tech-phpvid-1-2-3-sql
https://plus.google.com/113698571167401884560/posts/gftS84rfD3A
https://itswift.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/
https://www.facebook.com/essayjeans/posts/827458144012006
https://tetraph.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/
http://mathstopic.blogspot.com/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html
http://yurusi.blogspot.sg/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html
https://twitter.com/tetraphibious/status/598057025247907840
http://tetraph.blog.163.com/blog/static/23460305120154125453111/

CVE-2015-2349 - SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

CVE-2015-2349 - SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: CVE-2015-2349 - SuperWebMailer /defaultnewsletter.php" HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Information Details:

(1) Vendor & Product Description:

Vendor:

SuperWebMailer

Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875

Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/

Product Introduction Overview:

"Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing."

"To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm."

"It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant"

(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. 

Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.

(2.1) The programming code flaw occurs at "&HTMLForm" parameter in "defaultnewsletter.php?" page.

Related Results:
http://seclists.org/fulldisclosure/2015/Mar/55
http://www.securityfocus.com/bid/73063
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2
https://cxsecurity.com/issue/WLB-2015030043
http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer
http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss
http://essaybeans.lofter.com/post/1cc77d20_6edf28c
https://www.facebook.com/essaybeans/posts/561250300683107
https://twitter.com/essayjeans/status/598021595974602752
https://www.facebook.com/pcwebsecurities/posts/687478118064775
http://tetraph.blog.163.com/blog/static/234603051201541231655569/
https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp
http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html
https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/
http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html