176 lines
No EOL
6.8 KiB
Text
176 lines
No EOL
6.8 KiB
Text
Title:
|
||
======
|
||
BananaDance Wiki b2.2 - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-11-10
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=745
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
745
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
7.1
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Banana Dance is an open-source PHP/MySQL-based program. It is designed to combine the simplicity of wiki-publishing
|
||
software with the versatility of a CMS. The program also promotes community-building through organized and
|
||
user-rated commenting features. Highly flexible with theme-integration and extension availability Banana Dance
|
||
can be used for all types of purposes, whether it be to create an entire website, a product owner`s manual, or
|
||
an `article`-posting site.
|
||
|
||
(Copy of the Vendor Homepage: http://www.bananadance.org )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official BananaDance Wiki b2.2 CMS.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-11-10: Public or Non-Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
High
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
A SQL Injection vulnerability is detected in the BananaDance Wiki B2.2 Content Management System.
|
||
The vulnerability allows an attacker (remote) or local privileged moderator/admin user account to execute own
|
||
SQL commands on the affected application dbms. The sql injection vulnerability is located in user management module
|
||
with the bound vulnerable alpha listing parameter. Successful exploitation of the vulnerability results in dbms &
|
||
application compromise. Exploitation requires no user interaction & without privileged user account.
|
||
|
||
Vulnerable Module(s):
|
||
[+] User Management
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] alpha
|
||
|
||
|
||
1.2
|
||
Multiple persistent input validation vulnerabilities are detected in the BananaDance Wiki B2.2 Content Management System.
|
||
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the vulnerable module.
|
||
The persistent vulnerabilities are located in the user, banned user, badge module listing with the bound vulnerable username and email parameters.
|
||
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.
|
||
Exploitation requires low user inter action (view listing) & a registered low privileged web application user account.
|
||
|
||
Vulnerable Module(s):
|
||
[+] Add User - Listing
|
||
[+] Banned User - Listing
|
||
[+] Badges - Listing
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] Username & Email (Profil)
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The sql injection vulnerability can be exploited by local privileged user accounts and moderators.
|
||
For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
<html>
|
||
<head><body>
|
||
<title>BananaDance Wiki b2.2 - SQL Vulnerability</title>
|
||
<iframe src=http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=A'-1 [SQL-INJECTION!]-- width="1000" height="800">
|
||
<iframe src=http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=M'-1 [SQL-INJECTION!]-- width="1000" height="800">
|
||
<iframe src=http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users&alpha=K'-1 [SQL-INJECTION!]-- width="1000" height="800">
|
||
</body></head>
|
||
<html>
|
||
|
||
|
||
1.2
|
||
The persistent input validation vulnerabilities can be exploited by remote attacker with low privileged application user account and
|
||
low required user inter action. For demonstration or reproduce ...
|
||
|
||
Review: Add (Existing) User - Listing
|
||
|
||
<tr id="19">
|
||
<td valign="top"><center><img src="imgs/status-on.png" id="status19" alt="Active" title="Active" border="0" height="16" width="16"></center></td>
|
||
<td valign="top"><a href="index.php?l=users_edit&id=19">"><[PERSISTENT EXECUTION OF INJECTED SCRIPT CODE!];)" <<="" a=""></td>
|
||
<td valign="top">2012-06-20</td>
|
||
<td valign="top"><span style="">ESTANDAR</span></td>
|
||
<td valign="top">0</td>
|
||
<td valign="top">0</td>
|
||
<td valign="top">0</td>
|
||
<td valign="top"><a href="#" onClick="deleteID('bd_users','19');return false;">
|
||
<img src="imgs/icon-delete.png" border="0" alt="Delete" title="Delete" /></a></td>
|
||
</tr>
|
||
|
||
URL(s):
|
||
http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users > http://bananadance-wiki.127.0.0.1:1339/admin/index.php?l=users_add
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the local sql injection vulnerability is estimated as medium(+) because of the required moderator account.
|
||
|
||
1.2
|
||
The security risk of the persistent input validation vulnerabilities are estimated as high.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Kathrin SL (katha@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |