Detectify security updates for 20 February

For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 20 February.

CVE-2017-3528: Oracle E-Business Suite Open Redirect
Oracle E-Business has a known open redirect-issue. There is a redirect-parameter that accepts any domain.

CVE-2016-3436: Oracle E-Business Suite XSS
More information about this module can be found here: https://nvd.nist.gov/vuln/detail/CVE-2016-3436

CruiseControl CI / Open Access
CruiseControl is an old CI tool. It has been found that it commonly configured to be exposed openly on the internet.

FinalBuilder Stack Trace Disclosure
The CI server FinalBuilder can be forced to generate an error message by sending a crafted request. This is a minor information leak.

Joomla! jmultiplehotelreservation SQL Injection
Version 6.0.7 and below of the extension has a known SQL-injection vulnerability. Read more: https://www.exploit-db.com/exploits/46232

MongoDB Exposure
It is possible to configure MongoDB to expose a HTTP interface. If this is done in an insecure way this would risk exposing the database to anyone on the internet.