Document Title:
===============
Zikula CMS v1.3.5 - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1114


Release Date:
=============
2013-10-16


Vulnerability Laboratory ID (VL-ID):
====================================
1114


Common Vulnerability Scoring System:
====================================
6.7


Product & Service Introduction:
===============================
Zikula is an open source MVC web application framework, released under the LGPLv3, that allows you to rapidly
build websites for any application including all forms of content management. Zikula is fast and flexible and
easily extendable via a system of plugins, themes and extensions.

No matter what your needs, Zikula can provide the solution. Whether it is a corporate presence with ecommerce,
a simple blog or a community portal, Zikula can do it all. Best of all, it's completely free. Our community forum
provides you with the support and help you need free of charge.

(Copy of the Vendor Homepage: http://zikula.org/CMS/Zikula/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Zikula Content Management System v1.3.5 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PostNuke e.V.
Product: Zikula Content Management System - Web Application 1.3.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A persistent input validation web vulnerability is detected in the Zikula Content Management System v1.3.5 web-application.
The bug allows a remote attacker to inject their own malicious persistent script code (application side).

The persistent web vulnerability is located in the `User Information (Page)` & `Profile Info (Page)` module. Remote attackers
are able to change the regular real name in the profile info page to their own malicious script code. The script code executes
in the user profile info page of the public CMS application.

Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent
web attacks, persistent phishing or persistent module context manipulation.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] User Information (Page)

Vulnerable Parameter(s):
[+] real name (z-formnote)

Affected Module(s):
[+] Profile Info


1.2
A client-side POST injection web vulnerability is detected in the official Zikula Content Management System v1.3.5 web-application.
The non-persistent cross site web vulnerability allows an attacker to manipulate client-side web application requests sent by the browser.

The client-side cross site web vulnerability is located in the `login` module of the web-application. Remote attackers can inject
their own malicious script code via the POST request method as the authentication_info (users_login) value.

Exploitation of the vulnerability requires no privileged application user account but low or medium user interaction. Successful exploitation
of the vulnerability results in session hijacking, client-side phishing, client-side external redirects or malware loads and client-side
manipulation of the vulnerable module context.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Login

Vulnerable Parameter(s):
[+] users_login_login_id > authentication_info > username & password text


1.3
A client-side cross site scripting web vulnerability is detected in the Zikula Content Management System v1.3.5 web-application.
The non-persistent cross site scripting web vulnerability allows an attacker to manipulate client-side web application GET method requests.

The first client-side cross site vulnerability is located in the `func` value of the index.php file. Remote attackers are able to inject
their own malicious script code via the vulnerable `func` parameter in client-side GET method requests.

The second client-side cross site vulnerability is located in the display name to path value GET method request. Remote attackers are able
to inject their own malicious script code as the regular path. The script code executes in the news display path. Attackers can replace the
regular path with script code to execute the client-side malicious context.

Exploitation of the vulnerability requires no privileged application user account but low or medium user interaction. Successful exploitation
of the vulnerability results in session hijacking, client-side phishing, client-side external redirects or malware loads and client-side
manipulation of the vulnerable module context.

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] display path
[+] func


Proof of Concept (PoC):
=======================
1.1
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged application user account
and low user interaction. For demonstration or to reproduce ...

Inject via Real Name
http://zikula.localhost:8080/en/profile/modify

Exploitation in Profile
http://zikula.localhost:8080/en/profile/view/[PROFILE NAME]


PoC: Personal Info - Profile (Users)

<div class="z-formrow">
<strong class="z-label">Real name:</strong>
<span class="z-formnote">>"<<>"<[PERSISTENT INJECTED SCRIPT CODE!]"> >"<<>"<[PERSISTENT INJECTED SCRIPT CODE!/a></span>
</div>
<div class="z-formrow">
<strong class="z-label">Site:</strong>
<span class="z-formnote"><a href="http://zikula.localhost:8080" title="demoadmin's site" rel="nofollow">http://zikula.localhost:8080</a></span>
</div>


--- PoC Session Logs (Response/Request) ---

POST http://demo.zikula.de/en/profile/update
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[20] Mime Type[text/html]

Request Headers:
Host[demo.zikula.de]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://demo.zikula.de/en/profile/modify]
Cookie[ZKSID2=7d8348a4744c45ab23713f42d621915c4b8a58cd]
Connection[keep-alive]

Post Data:
csrftoken[NTI1ZGQzNWY3OGE1NjguMjUxNTI5ODM6MTY3NDgyMTU3MzlhNDI4NmEzYzhkNjRmMTczZTRkYWU6MTM4MTg4MDY3MQ%3D%3D]
dynadata%5Brealname%5D[%3E%22%3C%3C%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!%3E]
dynadata%5Bpublicemail%5D[]
dynadata%5Burl%5D[http%3A%2F%2Fdemo.zikula.de]
dynadata%5Btzoffset%5D[1]
dynadata%5Bavatar%5D[010.gif]
dynadata%5Bicq%5D[]
dynadata%5Baim%5D[]
dynadata%5Byim%5D[]
dynadata%5Bmsnm%5D[]
dynadata%5Bcity%5D[]
dynadata%5Boccupation%5D[]
dynadata%5Bsignature%5D[]
dynadata%5Bextrainfo%5D[]
dynadata%5Binterests%5D[]
submit[]

Response Headers:
Date[Tue, 15 Oct 2013 23:44:42 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Set-Cookie[bb2_screener_=1381880682+84.150.67.47; path=//]
X-Frames-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[http://demo.zikula.de/en/profile/view/demoadmin]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=1, max=100]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]


Status: 200[OK]
GET http://demo.zikula.de/en/profile/view/demoadmin
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ]
Content Size[8967] Mime Type[text/html]

Request Headers:
Host[demo.zikula.de]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://demo.zikula.de/en/profile/modify]
Cookie[ZKSID2=7d8348a4744c45ab23713f42d621915c4b8a58cd]
Connection[keep-alive]

Response Headers:
Date[Tue, 15 Oct 2013 23:44:43 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Set-Cookie[bb2_screener_=1381880683+84.150.67.47; path=//]
X-Frames-Options[SAMEORIGIN]
X-XSS-Protection[1]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[8967]
Keep-Alive[timeout=1, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]


Status: 200[OK]
GET http://vuln-lab.com/ Load Flags[LOAD_DOCUMENT_URI ]
Content Size[65038] Mime Type[text/html]

Request Headers:
Host[vuln-lab.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://demo.zikula.de/en/profile/view/demoadmin]
Cookie[PHPSESSID=68989d80ca49d28477fa69e191ef5653]
Connection[keep-alive]

Response Headers:
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Server[Microsoft-IIS/7.0]
Drupal[nginx]
X-Powered-By[ASP.NET]
X-Powered-By-Plesk[PleskWin]
Date[Tue, 15 Oct 2013 23:44:07 GMT]
Content-Length[65038]



1.2
The client-side POST inject web vulnerability can be exploited by remote attackers without a privileged application user account and
with low user interaction. For demonstration or to reproduce ...

Inject & Affected by Exploitation
http://zikula.localhost:8080/en/benutzer/login


PoC: Login - Username & Password

<fieldset>
<div id="users_login_fields">
<div class="z-formrow">
<label for="users_login_login_id">User name</label>
<input id="users_login_login_id" name="authentication_info[login_id]"
maxlength="64" value=">" <<="" type="text">"<[NON-PERSISTENT INJECTED SCRIPT CODE VIA POST METHOD!]"> >" />
</div>


--- PoC Session Logs (Response/Request) ---
Status: 200[OK]
POST http://zikula.localhost:8080/en/benutzer/login
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[10101] Mime Type[text/html]

Request Headers:
Host[zikula.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://zikula.localhost:8080/en/benutzer/login]
Cookie[ZKSID2=196ab1525de479adc56a04829204d4b389462996]
Connection[keep-alive]

Post Data:
authentication_method%5Bmodname%5D[Users]
authentication_method%5Bmethod%5D[uname]
returnpage[]
csrftoken[NTI1ZGQ0M2RkYTE2NDYuMTIwMTA5MjA6MDZmM2JhNmM1YzU0ZDgzYWQzN2JhMTNlYTkzYTUwMDM6MTM4MTg4MDg5Mw%3D%3D]
event_type[login_screen]
authentication_info%5Blogin_id%5D[%3E%22%3C%3C%3E%22%3C[NON-PERSISTENT INJECTED SCRIPT CODE!]%3E+%3E]
authentication_info%5Bpass%5D[%3E%22%3C%3C%3E%22%3C[NON-PERSISTENT INJECTED SCRIPT CODE!]%3A%2F%2F]
rememberme[1]
submit[]



1.3
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without a privileged application user account and
with low or medium user interaction. For demonstration or to reproduce ...

http://zikula.localhost:8080/en/news/display/camp-zikula-&[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]//
http://zikula.localhost:8080/index.php?module=benutzer&type=admin&func=-%27+[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]&lang=en&userid=3


Solution - Fix & Patch:
=======================
1.1
The first persistent input validation web vulnerability can be patched by a secure encode and parse of the real name profile input field.
Also parse the vulnerable user profile info output page to ensure the issue is fixed.

1.2
Parse the username input field in the login module. Also encode the vulnerable users_login_id and authentication_info[login] values.

1.3
Parse and encode the vulnerable func value parameter in index.php.
Encode and filter the path value in the display section to prevent client-side attacks.
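The following Python example is added here and is not part of the advisory or of Zikula's own code. It decodes the parameters the advisory names as vulnerable (dynadata[realname], authentication_info[login_id], authentication_info[pass], func and the news display path) from a request's query string or POST body, flags values that carry raw HTML metacharacters, and shows the HTML entity encoding the fixes above call for. The sample request bodies are constructed to mirror the PoC session logs, with the >"<<>"< marker in place of script code.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory reports as injectable, keyed by request method.
WATCHED_PARAMS = {
    "POST": ("dynadata[realname]", "authentication_info[login_id]", "authentication_info[pass]"),
    "GET": ("func",),
}
# Any of these reaching an HTML context unencoded can break out of an attribute or tag.
HTML_META = re.compile(r'[<>"\']')

# Constructed sample bodies mirroring the PoC session logs (script code replaced by the >"<<>"< marker).
SAMPLE_PROFILE_POST = "csrftoken=x&dynadata%5Brealname%5D=%3E%22%3C%3C%3E%22%3C&dynadata%5Burl%5D=http%3A%2F%2Fdemo.zikula.de&submit="
SAMPLE_LOGIN_POST = "authentication_info%5Blogin_id%5D=%3E%22%3C%3C%3E%22%3C&authentication_info%5Bpass%5D=secret&rememberme=1"

def find_injections(method, url, body=""):
    """Return (parameter, decoded value) pairs whose value contains raw HTML metacharacters.

    GET requests are judged on the query string of ``url`` plus the /news/display/ path segment;
    POST requests are judged on ``body`` (application/x-www-form-urlencoded).
    """
    findings = []
    parts = urlsplit(url)
    params = parse_qs(parts.query if method == "GET" else body, keep_blank_values=True)
    for name in WATCHED_PARAMS.get(method, ()):
        for value in params.get(name, []):
            if HTML_META.search(value):
                findings.append((name, value))
    if method == "GET" and "/news/display/" in parts.path:
        display_path = unquote(parts.path.split("/news/display/", 1)[1])
        if HTML_META.search(display_path):
            findings.append(("display path", display_path))
    return findings

def encode_for_html(value):
    """Output encoding the fix calls for: every metacharacter becomes an entity, so it renders as text."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    checks = [
        ("POST", "http://demo.zikula.de/en/profile/update", SAMPLE_PROFILE_POST),
        ("POST", "http://zikula.localhost:8080/en/benutzer/login", SAMPLE_LOGIN_POST),
        ("GET", "http://zikula.localhost:8080/index.php?module=benutzer&type=admin&func=-%27+x&lang=en&userid=3", ""),
        ("GET", "http://zikula.localhost:8080/en/news/display/camp-zikula-%22%3E", ""),
    ]
    for method, url, body in checks:
        for name, value in find_injections(method, url, body):
            print(f"{method} {url}: {name} = {value!r} -> encoded {encode_for_html(value)}")
```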


Security Risk:
==============
1.1
The security risk of the persistent input validation web vulnerability is estimated as high(+).

1.2
The security risk of the non-persistent post inject web vulnerability is estimated as medium(+).

1.3
The security risk of the client-side cross site scripting web vulnerabilities is estimated as low(+)|(-)medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com