| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Apr 2012 01:02:57 +0200
From: Research <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: EmbryoCore CMS v1.03 - Multiple Web
Vulnerabilities
Title:
======
EmbryoCore CMS v1.03 - Multiple Web Vulnerabilities
Date:
=====
2012-04-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=503
VL-ID:
=====
503
Introduction:
=============
EmbryoCore is a blog / content management system written using PHP5 s newest features. Highly
customizable, XHTML:Strict compliant, with full integration of jQuery for dynamic ajax-powered content.
Completely XHTML Strict compliant
Pure CSS layouts
Drag and drop interface for moving content around
Static page and article entry for non-blog content
Ajax comments system
Ajax multi-page articles
Ajax file manager with upload and auto-thumbnailing for images
Ajax gallery system
Post priviledges - every post can be configured to be seen by only guests, administrators, members etc
Ratings and comments can be enabled or disabled on a per post basis
Spam protection - configurable time-outs for disallowing posts within a certain time from visiting site and
from last post made etc, also online post checking with TypePad AntiSpam
Advanced theme templating system means you can change the look of your site with a single click, and
building new themes is simplicity itself
WYSIWYG editor for simple content entry
Full categorization with sub-categories
Cross blog communication with built in pingback
Syndication with dynamic RSS creation for posts, comments etc
Search engine friendly URL s
Cache system reduces server load and speeds up page loads
Automatic updating from the admin area
Automatic installation of themes, plugins etc, no FTP access required
Fully object orientated code
Fully event driven
Takes full advantage of PHP5 s new features
Full integration with jQuery, including popular plugins like Shadowbox
Uses PHP5 s inbuilt PDO (PHP Data Objects) class, and the powerful abstraction layer means building queries is a breeze
Create as many sub-sites as you want from your admin area, all running off the same core code
(Copy of the Vendor Homepage: http://embryocore.sourceforge.net/ )
Abstract:
=========
The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in EmbryoCore v1.03.
Report-Timeline:
================
2012-04-14: Public or Non-Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
A remote SQL Injection vulnerability (POST) is detected in EmbryoCore v1.03 content management system.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the username post method.
Vulnerable Module(s):
[+] Add User or Register User Request (POST) [embryocore/index.php?event=admin:auser]
--- SQL Exception Logs ---
<div style=``display: none; opacity: 1;`` id=``kmessage`` class=``no-display``><img src=``
content/themes/admin/images/apply.png`` alt=``> <strong>EmbryoCore Fatal Database error:</strong> [42000]:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near ``=> ``></div>
Picture(s):
../1.png
1.2
A persistent input validation vulnerability is detected in the EmbryoCore v1.03 web application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user inter action because the admin needs to watch the user list.
The user includes his scriptcode as profile name and the code is getting executed on the administrator section
persistent.
Vulnerable Module(s):
[+] Profil & Username Input Field
[-] Admin Control Panel - User Listing
Picture(s):
../2.png
../3.png
Proof of Concept:
=================
The sql injection vulnerability can be exploited by remote attackers without inter action or local low
privileged user accounts. For demonstration or reproduce ...
1.1
To inject the sql command implement your statement on the user input fields and send it with the request (POST Method).
The return will be the error or successful query of the application dbms.
POST: /embryocore/index.php?ajax=admin:auser&mode=createNewUser HTTP/1.1
POC: user_displayname=[SQL-INJECTION]&user_login=test2&user_email=m@....empire&user_password=123456&user_cpassword=hack4best
1.2
The persistent input validation vulnerability can be exploited by remote attackers without inter action
or local low privileged
user accounts. Successful exploitation requires low user inter action because the admin only have to review the user listing.
For demonstration or reproduce ...
User Listing PoC:
<tr><td style="width: 1%; vertical-align: top;"><img src="http://www.gravatar.com/avatar.php?gravatar_id=
56f8d37b176ad6e9dc45e7923d1296ce&default=http%3A%2F%2Fxxx.com%2Fembryocore%2Flibs%2F
modules%2Ftemplate%2Fimages%2Fdefault_gravatar.png" alt="gravatar" style="width: 45px;">​​​​​</td><td style="
width: 15%; vertical-align: top;"><div class="list-title"><strong>-2</strong></div>"><iframe src="
http://www.vulnerability-lab.com" width"500"="" height="500"><br />91.37.89.26</td><td style='
width: 20%; vertical-align: top;'>Joined:<br />Monday 09th April 2012, 04:33am</td><td
style='width: 20%; vertical-align: top;'>Last Visit:<br />-</td><td style='width: 20%;
vertical-align: top;'>Last Post:<br />-</td><td style='width: 2%; vertical-align: top;
text-align: right;'><img src='http://xxx.com/embryocore/content/themes/admin/images/comment.png'
alt='comments' title='comments' /> 0</td></tr>
<tr>
Risk:
=====
1.1
The security risk of the sql injection vulnerability via post method is estimated as high(-).
1.2
The security risk of the persistent vulnerability is estimated as medium(+).
Credits:
========
Vulnerability Research Laboratory - Kevin J. (Silent_0x)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012 Vulnerability-Lab
--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@...nerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists