197 lines
6.9 KiB
Text
Executable file
197 lines
6.9 KiB
Text
Executable file
Title:
|
|
======
|
|
Social Engine v4.2.5 - Multiple Web Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2012-07-31
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=672
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
672
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
3
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
A Laboratory Researcher [X-Cisadane] discovered multiple Web Vulnerabilities in the Social Engine v4.2.5 web application.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2012-07-31: Public or Non-Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Medium
|
|
|
|
|
|
Details:
|
|
========
|
|
1.1
|
|
Multiple persistent input validation vulnerabilities are detected in the Social Engine v4.2.5 web application.
|
|
The bug allows an attackers to implement/inject malicious script code on the application side (persistent).
|
|
The persistent vulnerabilities are located in the add- new videos and classiefieds module with the bound vulnerable
|
|
tag (keywords) parameter. Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin)
|
|
or stable (persistent) context manipulation. Exploitation requires low user inter action but a privileged user account.
|
|
|
|
|
|
Vulnerable Module(s):
|
|
[+] Add New Video
|
|
[+] Add New Classfields
|
|
|
|
|
|
Affected Module(s):
|
|
[+] Videos Listing Page
|
|
[+] Classfields Listing Page
|
|
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] Tags (keywords)
|
|
|
|
|
|
1.2
|
|
A non persistent cross site scripting vulnerability is detected in the Social Engine v4.2.5 web application.
|
|
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium
|
|
or high required user inter action or local low privileged user account. The bug is located in the signup (profile)
|
|
module with the bound vulnerable name and address parameters. Successful exploitation can result in account steal,
|
|
client side phishing & client-side content request manipulation. Exploitation requires medium or high user inter
|
|
action & without privileged web application user account.
|
|
|
|
Vulnerable Module(s):
|
|
[+] Profile - Signup
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] Name & Address
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
1.1
|
|
The persistent vulnerability can be exploited by remote attackers with low required user inter action & low privileged
|
|
application user account. For demonstration or reproduce ...
|
|
|
|
|
|
- In the Post New Video Page (http://127.0.0.1:8080/videos/create)
|
|
Information: Copy & Paste persistent malicious script coe (js/html) into the Tags (keywords) field and save the context
|
|
|
|
|
|
- In the Post New Classfields Listing Page (http://127.0.0.1:8080/classifieds/create)
|
|
Information: Copy & Paste persistent malicious script coe (js/html) into the Tags (keywords) field and save the context
|
|
|
|
|
|
Picture : http://i47.tinypic.com/2ptcv29.png
|
|
Picture : http://i50.tinypic.com/14soaci.png
|
|
|
|
|
|
PoC:
|
|
|
|
<DIV align=left>
|
|
<DIV id=Layer1 style="BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; 1; LEFT: 1px;
|
|
|
|
BORDER-LEFT: #000000 1px; WIDTH: 1500px; BORDER-BOTTOM: #000000 1px; POSITION: absolute;
|
|
|
|
TOP: 0px; HEIGHT: 5000px; BACKGROUND-COLOR: #000000; layer-background-color: #000000">
|
|
<br /><br />
|
|
<br>
|
|
<center>
|
|
<font face="Arial" color="red" size="4"><strong><br><br><br>Defaced By : X-Cisadane
|
|
<br>
|
|
</center>
|
|
<font face="Courier New" color="#FF0000" size="3"><center>Greetz To : X-Code, Borneo Crew,
|
|
|
|
Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Winda
|
|
|
|
Utari</center></font>
|
|
<center><img
|
|
|
|
src="http://obnoxiousgamer.files.wordpress.com/2010/01/jollyroger.gif"></img></center>
|
|
<center><font face="arial" size="3" color="#FF0000">
|
|
<marquee behavior="alternate" scrolldelay="100" style="width: 90%">Please fix your hole!
|
|
</li>
|
|
</ul>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</div>
|
|
|
|
|
|
|
|
1.2
|
|
The non persistent cross site scripting vulnerability can be exploited by remote attackers with medium or high required
|
|
user inter action and without privileged user account. For demonstration or reproduce ...
|
|
|
|
Information: Copy & Paste cross site scripting (script code) into the Profile Address Field of the signup form
|
|
URL: http://127.0.0.1:8080/signup
|
|
|
|
Picture : http://i45.tinypic.com/v46iyd.png
|
|
Picture : http://i49.tinypic.com/156e79h.png
|
|
|
|
|
|
|
|
Risk:
|
|
=====
|
|
1.1
|
|
The security risk of the persistent web vulnerabilities are estimated as medium(+).
|
|
|
|
1.2
|
|
The security risk of the client side cross site scripting vulnerability is estimated as low(+).
|
|
|
|
|
|
Credits:
|
|
========
|
|
X-Cisadane ( http://www.vulnerability-lab.com/show.php?user=X-Cisadane )
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|