TP-Link TL-WR841N v13: CSRF (CVE-2018-12574)

  • Vulnerability: Cross-Site Request Forgery
  • Affected Software: TP-Link TL-WR841N v13
  • Affected Version: 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n
  • Patched Version: None
  • Risk: High
  • Vendor Contacted: 05/20/2018
  • Vendor Fix: None
  • Public Disclosure: 06/27/2018
Overview

The web interface of the router is vulnerable to CSRF. An attacker can perform arbitrary actions on behalf of an authenticated user if that user visits an attacker-controlled website while logged in to the router, because the browser attaches the router session to the forged request and the interface performs no additional check.
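
The following is an added example, not code from the TL-WR841N firmware or from the advisory (the affected endpoints are not shown on this page). It demonstrates the two server-side checks whose absence leaves a cookie-authenticated web interface open to CSRF: a per-session anti-CSRF token compared in constant time, and an Origin/Referer check against the device's own origins. The origin list, the header handling and the `csrf_token` field name are assumptions made for the illustration.

```python
"""Server-side CSRF check for a cookie-authenticated admin interface.

Added illustration, not the router's own code. A cross-site form post
carries the victim's session cookie but cannot carry a secret token the
attacker never saw, and its Origin/Referer points at the attacker's site.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origins under which the router's UI is reachable.
ROUTER_ORIGINS = {"http://192.168.0.1", "http://tplinkwifi.net"}


def new_csrf_token() -> str:
    """Token to embed in every state-changing form and keep in the session."""
    return secrets.token_urlsafe(32)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin of the request; falls back to scheme+host of Referer.

    A browser sends 'Origin: null' for some cross-site navigations; that
    value is simply not in ROUTER_ORIGINS and is therefore rejected.
    """
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(headers: Dict[str, str], form: Dict[str, str],
               session_token: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a state-changing POST; both checks must pass."""
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin/Referer header"
    if origin not in ROUTER_ORIGINS:
        return False, f"cross-origin request from {origin}"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or wrong csrf_token"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: one from the router UI itself, one forged by a page
    # on attacker.example that the victim visited while logged in.
    legit = ({"Origin": "http://192.168.0.1"},
             {"csrf_token": token, "dns": "8.8.8.8"})
    forged = ({"Origin": "http://attacker.example",
               "Referer": "http://attacker.example/x.html"},
              {"dns": "10.0.0.1"})
    print(csrf_check(*legit, token))
    print(csrf_check(*forged, token))
```

The Origin check alone is not sufficient (older clients may omit both headers, and a check that accepts a missing header is bypassable), which is why the token comparison is kept as the primary defence and the missing-header case is rejected rather than allowed.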

TP-Link TL-WR841N v13: Authenticated Blind Command Injection (CVE-2018-12577)

  • Vulnerability: Authenticated Blind Command Injection
  • Affected Software: TP-Link TL-WR841N v13
  • Affected Version: 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n
  • Patched Version: None
  • Risk: High
  • Vendor Contacted: 05/20/2018
  • Vendor Fix: None
  • Public Disclosure: 06/27/2018
Overview

The ping and traceroute diagnostic functions are vulnerable to OS command injection. An authenticated attacker can execute arbitrary commands on the router by sending specially crafted HTTP requests to it. The injection is blind, i.e. the output of the injected command is not returned in the HTTP response.
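
The following is an added example, not the TL-WR841N firmware's code (which is not shown on this page). It contrasts the pattern that makes a ping/traceroute form injectable, a user-supplied host interpolated into a shell command line, with a hardened version that validates the target as an IP literal or hostname and passes it as a separate argv element so that no shell ever parses it. Both functions only build the command and return it; the real handler would execute it.

```python
"""Ping diagnostic handler: shell-injectable pattern beside the hardened form.

Added illustration, not the router's code. vulnerable_ping_cmd() is
deliberately vulnerable; safe_ping_argv() is the fix.
"""
import ipaddress
import re
from typing import List

# One hostname label per RFC 1123: letters, digits and hyphens, no leading or
# trailing hyphen. The leading-hyphen rule also keeps a target such as "-f"
# from being parsed by ping as an option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_ping_cmd(host: str) -> str:
    """Deliberately vulnerable: the host lands unquoted inside a shell string.

    Passed to system()/popen(), "8.8.8.8; reboot" runs two commands.
    """
    return f"ping -c 4 {host}"


def is_valid_target(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def safe_ping_argv(host: str) -> List[str]:
    """Hardened: validate, then build argv for subprocess.run(argv, shell=False).

    Shell metacharacters (; | ` $ ( ) etc.) never pass is_valid_target(), and
    even a value that did would be a single argument, not shell syntax.
    """
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "4", host]


if __name__ == "__main__":
    payload = "8.8.8.8; reboot"      # constructed injection payload
    print(vulnerable_ping_cmd(payload))   # injected command survives intact
    try:
        safe_ping_argv(payload)
    except ValueError as err:
        print(err)                        # rejected before any process is started
    print(safe_ping_argv("www.tp-link.com"))
```

Rejecting a bad target with an error rather than stripping characters is intentional: sanitising by deletion tends to leave a path for encodings the filter did not anticipate, while an allowlist of what a hostname may look like does not.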

GetSimpleCMS 3.3.5: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc

  • Vulnerability: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc
  • Affected Software: GetSimple CMS
  • Affected Version: 3.3.5 (probably also prior versions)
  • Partially Patched Version: 3.3.6
  • Risk: Medium-High
  • Vendor Contacted: 2015-06-14
  • Vendor Partial Fix: 2015-07-14
  • Public Disclosure: 2015-07-15

GetSimple CMS is a content management system written in PHP. It does not use a database; content, configuration and user data are stored in XML files instead.

There are various vulnerabilities in version 3.3.5, most of which are fixed in version 3.3.6.

For version 3.3.6 it is important that the web server actually applies the .htaccess file shipped with GetSimple CMS. If it is ignored (for example because overrides are disabled in the server configuration), passwords and other sensitive information stored in the XML files can be read directly over HTTP. The site itself works normally with an ignored .htaccess file, so the problem can easily go unnoticed.
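
As an added illustration (not part of the original advisory or of the GetSimple project), the Apache 2.4 setting that silently disables the shipped protection is shown next to two ways of correcting it. The install path `/var/www/getsimple` and the name of the data directory are assumptions; check the .htaccess files in your own installation for the rules that are meant to apply.

```apacheconf
# Weak: with overrides disabled, the .htaccess files GetSimple ships to shield
# its XML data are silently ignored and the files become downloadable.
<Directory /var/www/getsimple>
    AllowOverride None
    Require all granted
</Directory>

# Corrected (option 1): let GetSimple's own .htaccess files take effect.
<Directory /var/www/getsimple>
    AllowOverride All
    Require all granted
</Directory>

# Corrected (option 2): keep overrides off, but put the protection into the
# server configuration yourself. Denying only the XML files leaves any
# uploads or thumbnails kept under the same directory servable.
<Directory /var/www/getsimple/data>
    <FilesMatch "\.xml$">
        Require all denied
    </FilesMatch>
</Directory>
```

To check a live installation, request one of the XML files below the data directory directly with a browser or curl: a 403 means the rules are applied, a 200 with XML content means they are not and the files (including the ones holding credentials) are exposed.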

ZenPhoto 1.4.8: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution

  • Vulnerability: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution
  • Affected Software: ZenPhoto
  • Affected Version: 1.4.8 (probably also prior versions)
  • Patched Version: 1.4.9
  • Risk: Medium
  • Vendor Contacted: 2015-05-18
  • Vendor Fix: 2015-07-09
  • Public Disclosure: 2015-07-10

ZenPhoto is an open-source CMS written in PHP with a focus on hosting images. There are multiple vulnerabilities in version 1.4.8, including SQL injection and XSS vulnerabilities.
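
The second-order SQL injection named above is the least familiar of the listed bug classes, so the following added example (not ZenPhoto's code; this page shows no ZenPhoto source) demonstrates the pattern generically against an in-memory SQLite database: the value is stored through a correctly parameterised INSERT, so the payload is inert on the way in, and only a later query that trusts the stored value and concatenates it into SQL fires the injection. The `albums`/`images` schema and the payload are constructed for the example.

```python
"""Second-order SQL injection, demonstrated with SQLite.

Added illustration, not ZenPhoto's code. The first query is parameterised
(payload stored harmlessly); the second query trusts the stored value and
concatenates it, which is where a second-order injection fires.
"""
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed schema: albums referenced by title from an images table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
        CREATE TABLE images (id INTEGER PRIMARY KEY, album_title TEXT,
                             filename TEXT, private INTEGER);
        INSERT INTO images VALUES (1, 'holiday', 'beach.jpg', 0);
        INSERT INTO images VALUES (2, 'holiday', 'passport.jpg', 1);
        INSERT INTO images VALUES (3, 'work', 'badge.jpg', 1);
    """)
    return db


def create_album(db: sqlite3.Connection, title: str, owner: str) -> int:
    """First order: correctly parameterised, so any title is stored verbatim."""
    cur = db.execute("INSERT INTO albums (title, owner) VALUES (?, ?)", (title, owner))
    return cur.lastrowid


def public_images_vulnerable(db: sqlite3.Connection, album_id: int) -> List[str]:
    """Second order: the title read back from the database is concatenated into SQL."""
    (title,) = db.execute("SELECT title FROM albums WHERE id = ?", (album_id,)).fetchone()
    sql = ("SELECT filename FROM images WHERE private = 0 "
           "AND album_title = '" + title + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def public_images_fixed(db: sqlite3.Connection, album_id: int) -> List[str]:
    """Every value is bound, whether it came from the request or from the database."""
    (title,) = db.execute("SELECT title FROM albums WHERE id = ?", (album_id,)).fetchone()
    return [row[0] for row in db.execute(
        "SELECT filename FROM images WHERE private = 0 AND album_title = ? ORDER BY id",
        (title,))]


# Constructed payload: closes the string and widens the WHERE clause so that
# private images are returned too.
PAYLOAD = "holiday' OR private = 1 OR '"


if __name__ == "__main__":
    db = setup_db()
    album = create_album(db, PAYLOAD, "attacker")   # stored without incident
    print(public_images_vulnerable(db, album))     # leaks the private images
    print(public_images_fixed(db, album))          # no album with that title: []
```

The lesson for review is that "the value was already validated/escaped when it was stored" is not a property a query can rely on; the boundary that matters is the one between data and SQL syntax at every query, so data read back from the database is bound exactly like request input.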

TinyWebGallery 2.3.2: Reflected XSS

  • Vulnerability: Reflected XSS
  • Affected Software: TinyWebGallery
  • Affected Version: 2.3.2 (probably also prior versions)
  • Patched Version: 2.3.3
  • Risk: Low-Medium
  • Vendor Contacted: 2015-05-26
  • Vendor Fix: 2015-06-15
  • Public Disclosure: 2015-06-27

There is an XSS vulnerability in version 2.3.2 of TinyWebGallery. It is relatively hard to trigger, as it requires a double click by an admin (which can be achieved via clickjacking and social engineering), but once triggered it leads to code execution because of the file edit functionality the application provides.

The vulnerability is unlikely to be exploited in the wild because it requires quite a bit of social engineering; I’m publishing it because it is a nice example of how different small vulnerabilities can come together and lead to arbitrary PHP code execution.