farid hashmi farid007

## Rconfig Multiple Vulnerabilities
1. Cross-Site Scripting (XSS) (CVE-2020-12256)

The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript
("><script>alert(document.cookie)</script>) in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the
javascript.

Step To Reproduce-:

  1. Login with the credential.
  2. Go to https://ip-rconfig/devicemgmt.php?deviceId="><script>alert(document.cookie)</script>

## Rconfig CSRF Exploit
Cross-Site Request Forgery (CSRF) (CVE-2020-12257)

The rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF).
Due to no implementation of CSRF protection such as CSRF token.
An attacker can leverage this vulnerability by creating a form (add the user or delete the user or edit user)
and host this form on his server and share this form to victims through social engineering methods.
once the victims who are already authenticated to the rConfig clicks upon the form, unintended actions will be performed on the victim's behalf.


Steps To Reproduce-:

## Rconfig File Upload RCE Exploit
Remote Code Execution via File Upload (CVE-2020-12255)


The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php.
since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.


Steps To Reproduce-:

## NeDI 1.9C RCE
CVE-2020-14412

NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter.

(This can also be exploited via CSRF.)

Steps To Reproduce-:

> Login with the credential.
> Go to https://ip/System-Snapshot.php.

## NeDi 1.9C RCE
CVE-2020-14414

NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)


Steps To Reproduce-:
>
> Login with the credential.
> Go to https://ip/pwsec.php.
> Insert any data in the first field then intercept the request.

## NeDI 1.9C Bypass XSS
 CVE-2020-14413

NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.

Steps to reproduce :
> Note: every parameters is exploitable (Which are being displayed and stored).
> Login to the application.
> Go to "https://ip/Devices-Config.php?sta="><img src=x onerror=alert(1)>"
> Js Code will be executed.

## CSRF in PyroCMS
Product-: PyroCMS

CVE: CVE-2020-25263

Version: (,3.7) 3.7 Tested

Vulnerability-: Deletion of plugin via Cross-Site Request Forgery(CSRF).

Download-: https://github.com/pyrocms/pyrocms

## CSRF in PyroCMS
Product-: PyroCMS

CVE: CVE-2020-25262

Version: (,3.7) 3.7 Tested

Vulnerability-: Deletion of pages via Cross-Site Request Forgery(CSRF).

Download-: https://github.com/pyrocms/pyrocms
	1. Cross-Site Scripting (XSS) (CVE-2020-12256)

	The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript
	("><script>alert(document.cookie)</script>) in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the
	javascript.

	Step To Reproduce-:

	1. Login with the credential.
	2. Go to https://ip-rconfig/devicemgmt.php?deviceId="><script>alert(document.cookie)</script>
	Cross-Site Request Forgery (CSRF) (CVE-2020-12257)

	The rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF).
	Due to no implementation of CSRF protection such as CSRF token.
	An attacker can leverage this vulnerability by creating a form (add the user or delete the user or edit user)
	and host this form on his server and share this form to victims through social engineering methods.
	once the victims who are already authenticated to the rConfig clicks upon the form, unintended actions will be performed on the victim's behalf.


	Steps To Reproduce-:
	Remote Code Execution via File Upload (CVE-2020-12255)


	The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality.
	The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header.
	Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php.
	since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked.


	Steps To Reproduce-:
	CVE-2020-14412

	NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter.

	(This can also be exploited via CSRF.)

	Steps To Reproduce-:

	> Login with the credential.
	> Go to https://ip/System-Snapshot.php.
	CVE-2020-14414

	NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)


	Steps To Reproduce-:
	>
	> Login with the credential.
	> Go to https://ip/pwsec.php.
	> Insert any data in the first field then intercept the request.
	CVE-2020-14413

	NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.

	Steps to reproduce :
	> Note: every parameters is exploitable (Which are being displayed and stored).
	> Login to the application.
	> Go to "https://ip/Devices-Config.php?sta="><img src=x onerror=alert(1)>"
	> Js Code will be executed.
	Product-: PyroCMS

	CVE: CVE-2020-25263

	Version: (,3.7) 3.7 Tested

	Vulnerability-: Deletion of plugin via Cross-Site Request Forgery(CSRF).

	Download-: https://github.com/pyrocms/pyrocms
	Product-: PyroCMS

	CVE: CVE-2020-25262

	Version: (,3.7) 3.7 Tested

	Vulnerability-: Deletion of pages via Cross-Site Request Forgery(CSRF).

	Download-: https://github.com/pyrocms/pyrocms