| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0MRB2F-1ZgzFz06ox-00UdaO@mrelayeu.kundenserver.de>
Date: Mon, 07 Dec 2015 18:12:27 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] 4images 1.7.12: XSS
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: 4images 1.7.12
Fixed in: 1.7.13 (update)
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits Tim Coen of Curesec GmbH
2. Overview
There are two reflected XSS vulnerabilities in 4images, as well as a persistent
Open Redirect, which may also lead to XSS in older browsers.
This allows an attacker to execute arbitrary JavaScript in the context of the
browser of a victim if the victim clicks on an attacker supplied link or visits
an attacker controlled website. With this, it is possible to bypass CSRF
protection and thus do anything the victim can do, inject a JavaScript
keylogger, or perform phishing attacks.
It should be noted that the XSS vulnerability still existed in another form in
the first release of version 1.17.13 and has been fixed with an update to that
version.
3. Reflected XSS 1
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
When displaying the form to add new images, $_SERVER['PHP_SELF'] is echoed
unencoded inside a select tag. Because of this, additional attributes can be
added and new HTML tags can be created, leading to XSS.
Proof of Concept
Prior to Version 1.7.12:
http://localhost/4images/admin/images.php/" onfocus=alert(1) autofocus foo="?action=addimages
Version 1.7.13 (before update):
http://localhost/4images/admin/images.php/');alert(1);window.location=('?action=addimages
This required a click of the victim to trigger, and a redirect will be
performed after the execution of the injected code.
Code
/admin/images.php
show_num_select_row(" ", "num_newimages", $lang['num_addnewimages_desc']);
/admin/admin_functions.php
function show_num_select_row($title, $option, $desc = "") {
global $site_sess, $PHP_SELF, $action, $$option;
echo "<tr class=\"".get_row_bg()."\">\n<td><p>".$title."</p></td>\n";
echo "<td align=\"right\"><p>".$desc;
$url = $PHP_SELF;
$url .= preg_match("/\?/", $url) ? "&" : "?";
$url .= "action=".$action;
$url = $site_sess->url($url);
echo "<select name=\"num\" onchange=\"window.location=('".$url."&";
echo $option."='+this.options[this.selectedIndex].value)\">\n";
for ($i = 1; $i < 11; $i++) {
echo "<option value=\"$i\"";
if ($i == ${$option}) {
echo " selected";
}
echo ">".$i."</option>\n";
}
echo "</select></p></td>\n</tr>\n";
}
4. Reflected XSS 2
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
User input is echoed inside the src attribute of a frame, which makes it
possible to execute javascript.
Proof of Concept
http://localhost/4images/admin/index.php?goto=javascript:alert%281%29
Code
/admin/index.php
if ($action == "") {
$action = "frames";
}
if ($action == "frames") {
if ($goto != "" && strpos($goto, '://') === false) {
$framesrc = $site_sess->url($goto);
}
else {
$framesrc = $site_sess->url("home.php");
}
?>
<html dir="<?php echo $lang['direction']; ?>">
<head>
<title><?php echo $config['site_name']; ?> Control Panel</title>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $lang['charset']; ?>">
</head>
<frameset rows="70,*" framespacing="0" border="0" frameborder="0" frameborder="no" border="0">
<frame src="<?php echo $site_sess->url("index.php?action=head"); ?>" name="head" scrolling="NO" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no">
<frameset cols="216,*" framespacing="0" border="0" frameborder="0" frameborder="no" border="0">
<frame src="<?php echo $site_sess->url("index.php?action=nav"); ?>" name="nav" scrolling="auto" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no">
<frame src="<?php echo $framesrc ?>" name="main" scrolling="auto" NORESIZE frameborder="0" marginwidth="20" marginheight="20" border="no">
</frameset>
</frameset>
</html>
5. Persistent Open Redirect
CVSS
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description
When showing an uploaded image, the description and keyword are not properly
encoded. Tags are removed, but it is still possible to add further attributes
to the meta tag they are inserted into.
This makes it possible to inject a redirect. This redirect will be persistent,
meaning anyone visiting the site of the uploaded image will be redirected to an
attacker controlled website.
The attacker needs the rights to upload images to perform the attack, which
means that a category needs to exist where anyone can upload images, or a
category needs to exist where registered users can upload images and the
registration must be open - which it is by default.
Proof of Concept
Upload an image, as description or keyword use:
Version 1.7.11 and earlier:
5;URL=http://google.com/" http-equiv="refresh" foo="
Version 1.7.12:
5;URL=http://google.com/" http-equiv=refresh foo="
When visiting the page of the uploaded image, a redirect will be performed.
With older browsers, it will be possible to inject and execute javascript as
well.
Code
details.php
$meta_keywords = !empty($image_row['image_keywords']) ? strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : "";
$meta_description = !empty($image_row['image_description']) ? strip_tags($image_row['image_description']) . ". " : "";
$site_template->register_vars(array(
"detail_meta_description" => $meta_description,
"detail_meta_keywords" => $meta_keywords,
"prepend_head_title" => $image_name . " - ",
));
6. Solution
To mitigate this issue please upgrade at least to version 1.7.13:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.
7. Report Timeline
09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases new version (1.7.12), partially fixing issues
11/17/2015 CVE Requested (no reply)
11/18/2015 Vendor releases new version (1.7.13), partially fixing issues
11/23/2015 Vendor releases update to version 1.7.13, fixing the issues
12/02/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/4images-1712-XSS-110.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists