191 lines
7.5 KiB
Text
Executable file
191 lines
7.5 KiB
Text
Executable file
Title:
|
|
======
|
|
Eventy CMS v1.8 Plus - Multiple Web Vulnerablities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2012-11-13
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=756
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
756
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
8.3
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
Publish Your Events In Online Calendar. Eventy Is Beautiful And Easy To Use Web Based Event Calendar Software
|
|
Publish events like parties, courses, meetings, conferences, workshops, and more in easy and user-friendly way.
|
|
Eventy Plus adds features like mailing lists, multi-administrator interface, switchable weekly/monthly view,
|
|
event categories, and rich text editor. Use Eventy or Eventy Plus for your company website, freelancer`s blog,
|
|
club site, online school, or to show your consulting availability. Eventy uses Ajax and runs on web hosts
|
|
with PHP and MySQL.
|
|
|
|
(Copy of the Vendor Homepage: http://calendarscripts.info/event-calendar-software.html )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Eventy CMS v1.8 Plus.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2012-11-13: Public or Non-Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Critical
|
|
|
|
|
|
Details:
|
|
========
|
|
A SQL Injection vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software.
|
|
The vulnerability allows an attacker (remote) or local low privileged user account to execute a SQL commands on the
|
|
affected application dbms. The sql injection vulnerability is located in eventy.php file with the bound vulnerable
|
|
event_id parameter. Successful exploitation of the vulnerability results in dbms & application compromise.
|
|
Exploitation requires no user interaction & without privileged user account.
|
|
|
|
Vulnerable File(s):
|
|
[+] eventy.php
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] event_id
|
|
|
|
|
|
1.2
|
|
A persistent input validation vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software.
|
|
The bug allows remote attackers to implement/inject malicious script code on the application side (persistent).
|
|
The persistent vulnerabilities is located in the the add Event module bound vulnerable Event Title and Event Location
|
|
parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
|
|
context manipulation. Exploitation requires low user inter action & privileged web application user account.
|
|
|
|
Vulnerable Module(s):
|
|
[+] Add Event
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] Event Title - Event Location
|
|
|
|
1.3
|
|
A non-persistent cross site scripting vulnerability is detected in the Eventy CMS v1.8 Plus ,web based event calendar software.
|
|
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required
|
|
user inter action or local low privileged user account. The vulnerability is located in the eventy.php page the bound vulnerable selyear
|
|
and selmonth parameter. Successful exploitation of the vulnerability result in account steal, client site phishing or client-side
|
|
content request manipulation.
|
|
|
|
Vulnerable File(s):
|
|
[+] eventy.php
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] selyear - selmonth
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
1.1
|
|
The SQL injection vulnerability can be exploited by remote attackers without privileged application user accounr and without
|
|
required user inter action. For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
<html><head><body>
|
|
<title>SQL Injection Vulnerability - PoC</title>
|
|
<iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=&selmonth=&event_id=-1869+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12,13--%20->
|
|
</body></head></html>
|
|
|
|
|
|
1.2
|
|
The persistent input validation vulnerabilities can be exploited by remote attackers with low or medium required user inter action
|
|
& low privileged user account. For demonstration or reproduce ...
|
|
|
|
Manaually Reproduce ...
|
|
The attacker can create a new event with injecting a malicious code i.e.,
|
|
>"<iframe src=http://www.vulnerability-lab.com onload=alert("VL")</iframe>, in the field Event Title - Event Location Fields.
|
|
When the admin or any other user view the event the code gets executed.
|
|
|
|
Reference(s):
|
|
http://eventy.127.0.0.1:8080/eventy-plus/eve_edit.php?m=November&y=2012&d=20
|
|
|
|
|
|
1.3
|
|
PoC:
|
|
<html><head><body>
|
|
<title>Client side - Cross Site Scripting</title>
|
|
<iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=&selmonth=>"<iframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E>
|
|
<iframe src=http://eventy.127.0.0.1:8080/eventy/eventy.php?selyear=>"<iframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E&selmonth=April>
|
|
</body></head></html>
|
|
|
|
|
|
Risk:
|
|
=====
|
|
1.1
|
|
The security risk of the remote SQL Injection vulnerability is estimated as critical.
|
|
|
|
1.2
|
|
The security risk of the persistent input validation vulnerability is estimated as medium(+).
|
|
|
|
1.3
|
|
The security risk of the client side cross site scripting vulnerability is estimated as low(+).
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]
|
|
|
|
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|