245 lines
No EOL
8.8 KiB
Text
245 lines
No EOL
8.8 KiB
Text
Title:
|
||
======
|
||
Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-06-14
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=614
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
614
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
6.5
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Billing, ticketing, reporting and configuration for employees and resellers The majority of Freeside s
|
||
functionality is accessed from here. The back office interface includes searching and viewing of customers,
|
||
invoices, trouble tickets and services, as well as reporting, configuration, per-user access control,
|
||
resellser virtualization and more.
|
||
|
||
(Copy of the Vendor Homepage: http://freeside.biz/freeside )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Freesides SelfService CGI|API v2.3.3 git.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-06-14: Public or Non-Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
Freeside
|
||
Product: SelfService CGI|API v2.3.3
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
High
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
Multiple SQL Injection vulnerabilities are detected in Freesides SelfService CGI|API v2.3.3.
|
||
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own
|
||
sql commands on the affected application dbms without user inter action. The vulnerability is located in the
|
||
selfservice.cgi and the bound parameters action & svcnum. Successful exploitation of the vulnerability
|
||
results in dbms & application compromise.
|
||
|
||
|
||
Vulnerable Module(s):
|
||
[+] View my usage - Service usage details
|
||
|
||
Vulnerable File(s):
|
||
[+] selfservice.cgi
|
||
|
||
Vulnerable File(s):
|
||
[+] svcnum
|
||
[+] action
|
||
|
||
|
||
1.2
|
||
Multiple persistent input validation vulnerabilities are detected in Freesides SelfService CGI|API v2.3.3.
|
||
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
|
||
The persistent vulnerabilities are located in the cust_main.cgi, part_pkg.cgi, part_event.html or part_device.html
|
||
with the bound parameters company address, package comment, event- & device name. Exploitation requires low user
|
||
inter action & privileged application user account. Successful exploitation of the vulnerability can lead to
|
||
session hijacking (admin) or stable (persistent) context manipulation.
|
||
|
||
Vulnerable Files(s):
|
||
[+] ../edit/cust_main.cgi?426
|
||
[+] ../edit/part_pkg.cgi?4
|
||
[+] ../browse/part_event.html
|
||
[+] ../browse/part_device.html
|
||
|
||
Vulnerable Module(s):
|
||
[+] [Company] [Address]
|
||
[+] [Package] [Comment]
|
||
[+] [Event Name]
|
||
[+] [Device Name]
|
||
|
||
|
||
|
||
1.3
|
||
Multiple non persistent cross site scripting vulnerabilities are detected in Freesides SelfService CGI|API v2.3.3.
|
||
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high required
|
||
user inter action or local low privileged user account. The vulnerabilities are located in the selfservice.cgi file
|
||
with the vulnerable bound parameters pkg, pkgnum, beginning & end. Successful exploitation can result in account steal,
|
||
phishing & client-side content request manipulation.
|
||
|
||
Vulnerable Module(s):
|
||
[+] Change User Details
|
||
[+] Change Package
|
||
|
||
Vulnerable File(s):
|
||
[+] selfservice.cgi
|
||
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] pkg & pkgnum
|
||
[+] end & beginning
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The sql injection vulnerability can be exploited by remote attackers without privileged user account or user inter action.
|
||
For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
../selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details;svcnum=-1'[SQL-INJECTION];beginning=0;ending=0
|
||
../selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details[SQL-INJECTION];svcnum=X;beginning=0;ending=0
|
||
|
||
> "SELECT * FROM svc_acct WHERE svcnum = ?": LINE 1: SELECT * FROM svc_acct WHERE svcnum = $1
|
||
|
||
Note: First get a alive session, exchange it with the expired of the poc and then try to access the url to inject your sql commands.
|
||
|
||
|
||
1.2
|
||
The persistent input validation vulnerabilities can be exploited by remote attackers with low required user inter action.
|
||
For demonstration or reproduce ...
|
||
|
||
Example:
|
||
The attacker create/edit an account and inject a malicious script code i.e., <iframe src=www.vuln-lab.com onload=alert("VL")></iframe>
|
||
in the vulnerable fields which are Company and Address. This bug is very dangerous because once the admin enters the admin area
|
||
he will see the page of users. The code that we injected will be executed out of the main page context of the admin.
|
||
|
||
|
||
Review: Payname
|
||
|
||
<font color="#FF0000">Illegal (name) (error code illegal_name) payname:
|
||
"><iframe src="selfservice.cgi-Dateien/a.xht" onload='alert("VL")' <<="" font="">
|
||
</FONT><BR><BR>
|
||
|
||
|
||
Review: Faxname
|
||
|
||
<font color="#FF0000">Illegal (phone) (error code illegal_phone) fax: "
|
||
><iframe src="selfservice2.cgi-Dateien/a.htm" onload='alert("VL")' <<="" font=""><
|
||
/FONT><BR><BR>
|
||
|
||
|
||
Review: Username
|
||
|
||
username) (2-32): "><iframe src="selfservice3.cgi-Dateien/a.htm" onload='alert("VL</FONT'>
|
||
</FONT><BR><BR>
|
||
<FORM
|
||
NAME="OrderPkgForm"
|
||
|
||
|
||
1.3
|
||
The non persistent cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user
|
||
inter action & without local privileged user account. For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
|
||
Module: Change User Details
|
||
|
||
http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=view_usage_details;svcnum=598;
|
||
beginning=%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C;ending=%22
|
||
%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
|
||
|
||
|
||
Module: Change Package
|
||
|
||
http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=customer_change_pkg;
|
||
pkgnum=3646;pkg=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
|
||
|
||
|
||
http://127.0.0.1:8080/selfserv/selfservice.cgi?session=8cd42b35567e5bdce44bf17779b6431e;action=customer_change_pkg;
|
||
pkgnum=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C;pkg=Super%20Bundle%20200GB
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the sql injection vulnerability is estimated as high(-).
|
||
|
||
1.2
|
||
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).
|
||
|
||
1.3
|
||
The security risk of the non-persistent cross site scripting vulnerabilities are estimated as low(+).
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [the StOrM) (storm@vulnerability-lab.com)
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 Vulnerability-Lab
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY TEAM
|
||
Website: www.vulnerability-lab.com
|
||
Mail: research@vulnerability-lab.com |