It seems that Snuffleupagus is doing a decent job!
Time to see if it's still the case one year later.
ImpressCMS 1.3.11 — SQL injection
A possible way to harden the application without disrupting anything would be to
write a rule to check if
`$_SERVER['PHP_SELF'] doesn't contain quotes.
WordPress <= 5.2.3: Hardening Bypass
Simon Scannell from RIPS found a bypass of some hardneing-fu in Wordpress boiling down to an LFI, so it's mitigated by the file upload check, and depending of the configuration, it might also be prevented by W^X.
BigTree 4.4.6 — SQLI
SuiteCRM — CSRF to SQLI to RCE — CVE-2019-12598 and CVE-2019-12601
Robin Peraglie from RIPS disclosed
a couple of critical vulnerabilities in SuiteCRM.
The CSRF is prevented by samesite attribute,
while the SQLI isn't. The RCE is based on an
unserialize, mitigated by the HMAC-for-unserialize
TYPO3 — XSS to RCE
Pimcore 6.2.0 — RCE, SQLI and CSRF
Robin Peraglie from RIPS found a couple of issues in Pimcore:
- A command injection, complicated and maybe mitigated against casual attackers by the default ruleset
- A couple of SQL injections, not mitigated by the public version of Snuffleupagus
- Absence of anti-CSRF mecanism, mitigated by the
WooCommerce 3.6.4 - CSRF to XSS
Dennis Brinkrolf of RIPS found a CSRF in Woocommerce, leading to an XSS, meaning RCE since this is wordpress.
The CSRF is mitigated by
Samesite, killing the XSS as well since it's a
Prestashop 220.127.116.11 — CSRF to XSS to RCE
Unraid 6.8.0 — RCE — CVE-2020-5847 and CVE-2020-5849
The auth bypass is based on a logic flaw, and can't be mitigated in a generic
way. The RCE however, is due to the usage of
now mitigated by the default rules set,
albeit to be fair, this function should never be used, especially with such
stupid default values, but well, it's php,
so, yeah, … Amusingly, php's documentation is lying about the name of the
function's parameters, which should be
int extract(array var_array [, int extract_type [, string prefix]]) instead.
As a side note, why the fuck is Unraid running php scripts as root‽
Netsweeper's webadmin 6.4.3 — RCE
An "independent Security Researcher" found an unauthenticated remote code execution in Netsweeper's webadmin vulnerability, based on a shell injection. Which should be mitigated by the default ruleset.
Roundcube 1.4.3 — XSS
Roundcube fixed an XSS, present thanks to a logic bug. There is nothing Snuffleupagus can do against those, but it's trivial to write a rule to virtual-patch this particular issue.
Composr — RCE
Mautic — RCE
Squirrelmail - likely RCE
Drupal 8 — RCE
- A CSRF to create an arbitrary folder, mitigated by the samesite option
- A quirk of
- Some bruteforcing on Linux, none is required on Windows, unmitigated
- Deserialisation-based RCE, mitigated by the HMAC-for-unserialize option
BoltCMS — CSRF to XSS to RCE
- The CSRF is prevented by samesite attribute.
- The reflected and stored XSS aren't mitigated by Snuffleupagus.
- The LFI is mitigated by file-upload-checking as well as by W^X.
Trixbox CE — RCE
FusionPBX — XSS to RCE
Dustin Cobb from Gotham Digital Science
an XSS to RCE in FusionPBX.
The XSS isn't mitigated by snuffleupagus, and the command injection used for the RCE
is made harder to exploit, but isn't full mitigated, since the entire content of the parameter
controlled by the attacker is passed to a
system-like function, without any prepending or appending.
Like last year, the only vulnerabilities that weren't killed are either:
- Logic issues, that can't be generically mitigated.
- Client-side issues, like XSS, that are explicitly out of scope.
- Application-specific issues that can't be dealt with in a generic way.
- SQLI, since this part is still private for now.
It seems that Snuffleupagus is still doing a decent job!
Feel free to send me an email if I've missed your favourite web vulnerability.