Ixia ATI Update 2018-22 (345359)

Defects Resolved

DE9130: Removed the extra "OK" message when using CRAM_MD5 authentication, and added an extra space to the message when using CRAM_MD5.
DE10031: Updated metadata to include CVE references for several strikes.
DE10032: Renamed Strike cve_2009_2015_unauthenticated_remote_dns_change_exploit.xml to unauthenticated_remote_dns_change_exploit.xml (E15-0sr01).
DE10078: Added a check that strikes sending an HTTP POST with an empty body include a Content-Length: 0 header. Per RFC 7230: "a Content-Length header field is normally sent in a POST request even when the value is 0 (indicating an empty payload body)."
DE10079:
- Strike for CVE-2015-2051 (E15-4kz01): fixed strike keywords; removed extra return characters from the HTTP client request.
- Strike for CVE-2012-1823 (E12-0ij01): fixed strike description and keywords; appended the missing forward slash in the URI.
- Strike for CVE-2013-6026 (E13-7ne01): fixed strike description and keywords; removed unneeded spaces from the User-Agent list.
DE10080: Minor fixes to the HTTP traffic of the following strikes: Badblue Directory Traversal (E02-09101), CVE-2013-2010 Wordpress Total Cache PHP Code Execution (E13-zho01), CVE-2013-1599 Dlink IP Camera Auth Arbitrary Command Exec (E13-zng01), CVE-2014-0098 Apache HTTP Server mod_log_config DOS (E14-32q01), CVE-2017-15715 Apache httpd Filesmatch Policy Bypass (E18-3gub1), CVE-2015-2824 WordPress Simple Ads Manager SQLi (E15-56g01), CVE-2014-3704 Drupal Preauth SQLi (E14-5uw01).
DE10083: Added an open for session 4 and placed a close session after each trans block, for better readability, in Strike E16-8bk01.
DE10096: Fixed metadata, CVE reference and BID for Strike D17-0fux1.
DE10100: Deleted extra CRLFs inserted in headers for Strike E18-0k0n1.
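An added check in the spirit of DE10078 and DE10100 (example code, not Ixia's own): a small linter for raw HTTP/1.1 requests that flags a POST with an empty body but no Content-Length: 0 header, a Content-Length that disagrees with the actual body, and a stray CRLF inside the header block, plus a helper that inserts the missing Content-Length: 0. The function names, the hostname and the sample requests are constructed for this example.

```python
import re
from typing import List, Tuple

# RFC 7230 token characters followed by ':' - used to recognise a header line that
# ended up in the body because an extra CRLF terminated the header block early.
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def split_request(raw: bytes) -> Tuple[str, List[str], bytes]:
    """Split a raw HTTP/1.1 request into (request line, header lines, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    return lines[0], lines[1:], body


def lint_request(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the request is well-formed."""
    findings: List[str] = []
    request_line, headers, body = split_request(raw)
    method = request_line.split(" ", 1)[0]
    names = {h.split(":", 1)[0].strip().lower(): h.split(":", 1)[1].strip()
             for h in headers if ":" in h}
    # DE10100-style defect: an extra CRLF in the header block ends the headers early,
    # so the remaining headers would be sent (and parsed by the target) as the body.
    if body and HEADER_RE.match(body.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")):
        findings.append("extra CRLF inside header block: remaining headers would be sent as body")
    # DE10078-style defect: POST with no body length at all (RFC 7230 3.3.2 expects
    # Content-Length: 0 for an empty payload body).
    if method == "POST" and "content-length" not in names and "transfer-encoding" not in names:
        findings.append("POST without Content-Length (send Content-Length: 0 for an empty body)")
    cl = names.get("content-length")
    if cl is not None and cl.isdigit() and int(cl) != len(body):
        findings.append(f"Content-Length {cl} does not match actual body length {len(body)}")
    return findings


def fix_empty_post(raw: bytes) -> bytes:
    """Insert Content-Length: 0 into a POST that has an empty body and no length header."""
    request_line, headers, body = split_request(raw)
    if (not request_line.startswith("POST ") or body
            or any(h.lower().startswith("content-length:") for h in headers)):
        return raw  # nothing to fix; return the request unchanged
    head = "\r\n".join([request_line, *headers, "Content-Length: 0"])
    return head.encode("iso-8859-1") + b"\r\n\r\n"


# Constructed sample requests (hostname is a placeholder).
GOOD_POST = b"POST /upload HTTP/1.1\r\nHost: target.example\r\nContent-Length: 0\r\n\r\n"
POST_NO_CL = b"POST /upload HTTP/1.1\r\nHost: target.example\r\n\r\n"
EXTRA_CRLF = b"GET /index.html HTTP/1.1\r\nHost: target.example\r\n\r\nUser-Agent: test\r\n\r\n"
BAD_LENGTH = b"POST /a HTTP/1.1\r\nHost: target.example\r\nContent-Length: 5\r\n\r\nab"
```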

Enhancements

US89235: Added missing files to the list of TLS certificates for the HTTPS applications.
US91536: Added TLS SNI support for web-based and non-web-based applications that were missing the extension.
US91637: The NAT tag was added to the following SuperFlows: BreakingPoint Raw 2.5m Data FTP Enterprise Google Hangouts Twitter View Favorites TLSv1.2 Google Play Sandvine Bandwidth TLSv1.2 Financial SMBv2 File Download BreakingPoint FIX Session BreakingPoint Pandora (iPhone) Raw UDP Enterprise

New Strikes (13)

E18-0q3a1 - CVSS 10.0 - Exploits
References: BID-105679, CVE-2018-9206, CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C), EXPLOITDB-45584
Info: This strike exploits an arbitrary file upload vulnerability in the BlueImp jQuery File Upload widget. The vulnerability is due to the complete lack of server-side authorization or sanitization when handling a file upload. An attacker is thus able to create arbitrary files on the server, which in most cases leads to remote arbitrary code execution.

D18-0jq11 - CVSS 7.6 - Denial
References: BID-103990, CVE-2018-0953, CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C), EXPLOITDB-44694, GOOGLE-1531
Info: This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to craft JavaScript in such a way that the JITed code does not check the input value, which can lead to type confusion. This may lead to a denial of service condition in the browser, or potentially remote code execution.

E18-0omo1 - CVSS 7.5 - Exploits
References: CVE-2018-7312, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), EXPLOITDB-44162
Info: This strike exploits a SQL injection vulnerability in the Alexandria Book Library component for Joomla!. The vulnerability is due to improper sanitization of requests sent to the application. An attacker could exploit this vulnerability by sending specially crafted packets, potentially resulting in the execution of SQL commands, which may lead to information disclosure.

E18-0z271 - CVSS 7.5 - Exploits
References: CVE-2018-16299, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), EXPLOITDB-45439
Info: This strike exploits a remote file inclusion vulnerability in the WordPress plugin Localize My Post 1.0. The vulnerability is due to improper sanitization of the "file" parameter. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server.

E18-5mfv1 - CVSS 7.5 - Exploits
References: CVE-2018-16283, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), EXPLOITDB-45438
Info: This strike exploits a remote file inclusion vulnerability in the WordPress plugin Wechat Broadcast 1.2.0. The vulnerability is due to improper sanitization of the "url" parameter. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server.

E18-0lhp1 - CVSS 7.5 - Exploits
References: BID-105613, CVE-2018-3245, CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Info: An insecure deserialization vulnerability was found in Oracle WebLogic Server. This vulnerability is due to insufficient validation of serialized data within T3 requests. The vulnerability can be exploited by sending a specially crafted serialized object, and does not require authentication. Successful exploitation can result in arbitrary code execution in the context of the user running the WebLogic server.

E18-0z6l1 - CVSS 6.8 - Exploits
References: CVSS-6.8 (AV:N/AC:L/AU:S/C:C/I:N/A:N), EXPLOITDB-45597
Info: This strike exploits a directory traversal vulnerability in the FLIR AX8 Thermal Camera. The vulnerability is due to a lack of input sanitization when downloading config files via the 'file' parameter of download.php. Successful exploitation results in the disclosure of arbitrary file contents from the target server.

E18-5o0j1 - CVSS 6.8 - Exploits
References: CVE-2018-18323, CVSS-6.8 (AV:N/AC:L/AU:S/C:C/I:N/A:N), EXPLOITDB-45610
Info: This strike exploits a directory traversal vulnerability in CentOS Web Panel. The vulnerability is due to a lack of parameter sanitization when executing service-related operations, with the service name passed as a GET parameter. Successful exploitation results in the disclosure of arbitrary file contents from the target server.

E18-5n7n1 - CVSS 5.5 - Exploits
References: CVE-2018-17283, CVSS-5.5 (AV:N/AC:L/AU:S/C:P/I:P/A:N)
Info: This strike exploits a blind SQL injection vulnerability in ManageEngine's OpManager application. The vulnerability is present in an API parameter for managing devices, as a result of insufficient user input sanitization. An attacker may therefore be able to read arbitrary database records or even access system files, depending on the database's configuration.

E18-5lv31 - CVSS 5.0 - Exploits
References: CVE-2018-15535, CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N), EXPLOITDB-45271
Info: This strike simulates a directory traversal attack on Responsive FileManager. The vulnerability can be exploited by issuing requests to the endpoint that handles AJAX calls. By exploiting it, an attacker may read arbitrary files from the filesystem.

E18-0g1q1 - CVSS 5.0 - Exploits
References: BID-97620, CVE-2017-6190, CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N), EXPLOITDB-41840
Info: This strike exploits a directory traversal vulnerability present in multiple firmware versions of D-Link routers. The vulnerability can be exploited by performing GET requests under the path '/uir' of the router's web interface. By exploiting it, an attacker may read arbitrary files from the filesystem, which could further lead to credential disclosure.

D18-0n5b2 - CVSS 5.0 - Denial
References: CVE-2018-5391, CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Info: This strike exploits a denial of service (DoS) vulnerability in the handling of IP fragments. The vulnerability is caused by the way the kernel handles out-of-order IP fragments. A remote attacker could exploit this vulnerability by continuously sending a large number of crafted IP fragments to the target server. Successful exploitation can exhaust the target server's resources and lead to denial of service. Note: although this Strike sends the appropriate packets to trigger the vulnerability, in practice we have found that actually crashing the endpoint requires a very high frame rate, higher than the Security Engine can provide. If you would like to try this at a higher rate, run this Strike against your DUT as you normally would, take the capture from the port, and then create a new test using the Recreate Component. Import the PCAP you extracted and set the options "Send without modification" and "Unlimited Bandwidth" and finally "Use User based settings

D18-5l6g1 - CVSS 5.0 - Denial
References: CVE-2018-14648, CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
Info: A denial of service vulnerability has been found in Red Hat 389 Directory Server. The vulnerability is due to improper parsing of LDAP search queries in the 'do_search' method within slapd/search.c. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted LDAP search queries to a vulnerable server. Successful exploitation of the vulnerability leads to denial of service conditions.