Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27972
HistoryApr 23, 2012 - 12:00 a.m.

seditio_PmOS_plugin_XSS_vuln

2012-04-2300:00:00
vulners.com
20
JSON

============================================================================
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS].
http://seditio-eklenti.com/datas/users/1-pmoku.rar (MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)
http://seditio-eklenti.com/seditio-pm-okuma-eklentisi-d46.html

About Software:
PmOS - Pm Okuma Sistemi [plugin for Seditio CMS]
gives ability to administrators to read anothers PM's (Private messages)

Tested:
With: Seditio 165

php.ini MAGIC_QUOTES_GPC OFF
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
Β±----------+
| version() |
Β±----------+
| 5.5.21 |
Β±----------+
*/

Vuln Desc:
Due Insufficent sanitization this plugin is prone Cross Site Scripting Vulnerability(Persistent Cross Site Scripting vuln)

No sanitization when fetching data from database.
And thanks to Seditio cms again! It stores private message body in database without any sanitization:

===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row***************************
pm_id: 6
pm_state: 0
pm_date: 1334009749
pm_fromuserid: 1
pm_fromuser: admin
pm_touserid: 1
pm_title: <script>alert(1);</script>
pm_text: <script>alert(2);</script>
1 row in set (0.00 sec)

mysql>

Due trust to this issuse pmoku plugin is vulnerable to XSS.
Vulnerable code section(From bottom: $pm_text = $row['pm_text']; will become unsanitized)
//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");

$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";
$plugin_body .= "<table class=\"cells\"><tr>";
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";
$plugin_body .= "<td class=\"coltop\">Tarih</td>";
$plugin_body .= "<td class=\"coltop\">Gцnderen</td>";
$plugin_body .= "<td class=\"coltop\">Konu</td>";
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";
$plugin_body .= "<td class=\"coltop\">Alan</td>";
$plugin_body .= "</tr>";

while ($row = sed_sql_fetcharray($sql))
{
$pm_id = $row['pm_id'];
$pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
$pm_fromuser = $row['pm_fromuser'];
$pm_title = $row['pm_title'];
$pm_text = $row['pm_text'];
$pm_touserid = $row['pm_touserid'];
$plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&amp;a=update&amp;id=".$allowlist_id."\" method=\"post\">";
$plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&amp;a=delete&amp;id=".$pm_id."&amp;".sed_xg()."\">x</a>]</td>";

$plugin_body .= "<td>$pm_date</td>";
$plugin_body .= "<td>$pm_fromuser</td>";
$plugin_body .= "<td>$pm_title</td>";
$plugin_body .= "<td>$pm_text</td>";
$plugin_body .= "<td>$pm_touserid</td>";
$plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";
}
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------

Print screen:
http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png

Special Thanks 2 MeTaiZm & 2 All AA Team.
+++++ Greetz to all ++++++
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!

JSON