
From:SEC Consult Vulnerability Lab <research_(at)_sec-consult.com>
Date:6 May 2013
Subject:SEC Consult 20130417-0 :: Multiple vulnerabilities in Sosci Survey



SEC Consult Vulnerability Lab Security Advisory < 20130417-0 >
=======================================================================
             title: Multiple vulnerabilities in Sosci Survey
           product: Sosci Survey
vulnerable version: <2.3.04a
     fixed version: 2.3.04a
            impact: Critical
          homepage: https://www.soscisurvey.de
             found: 2012-06-18
                by: T. Lazauninkas, V. Paulikas
                    SEC Consult Vulnerability Lab
                    https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
SoSci Survey provides a non-commercial survey service, letting anyone create and
share surveys for collecting data for the purpose of scientific research. It is a
flexible and efficient tool as it lets you create a highly customizable survey,
including active content (JavaScript) and PHP code.

https://www.soscisurvey.de/


Vulnerability overview/description:
-----------------------------------
1) Authorization Issues
  The web application fails to validate authorization for
  certain requests. This allows unauthorized users to access private messages
  that belong to other users.

2) Cross-Site Scripting
  The web application is prone to persistent and reflected Cross-Site Scripting
  attacks. The vulnerability can be used to inject HTML or JavaScript
  code into the affected web page. The code is executed in the browser of
  users who visit the manipulated site. The vulnerability can be used
  to change the contents of the displayed site, redirect to other sites
  or steal user credentials. Additionally, portal users are potential
  victims of browser exploits and JavaScript Trojans.

3) Remote command execution
  Due to insufficient input validation, the web application fails to properly
  filter dangerous PHP code passed from the user side. This leads to OS command
  execution with the privileges of the web server. By exploiting this
  vulnerability, an attacker can read/write files, open connections, etc. posing
  a critical security risk.


Proof of concept:
-----------------

1) In the user profile, users are able to send private messages to each other and
  receive them. This also includes the administrative users. By modifying one of the
  vulnerable script's parameters, an attacker can read the messages of other users.
  A proof of concept is provided below:

  https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]

  By iterating over the values of the integer id parameter, an attacker is able to
  exploit this vulnerability.
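The root cause of issue 1 is that the message is looked up by its id alone, with no check that the requesting user is a party to it. The following is an added example, not SoSci Survey code: a handler of the shape the advisory describes beside an ownership-checked one. The table, column names and the session user id are assumptions, and the data set is constructed in an in-memory SQLite database (pdo_sqlite assumed available).

```php
<?php
// Added example (not SoSci Survey code). Table/column names are assumptions.

// Constructed data set standing in for the application's message table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER,
           recipient_id INTEGER, subject TEXT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (1, 10, 20, 'hi', 'visible to users 10 and 20')");
$db->exec("INSERT INTO messages VALUES (2, 30, 40, 'secret', 'admin-only message')");

// Vulnerable shape: the row is selected by id only, so any authenticated user
// can walk id=1, 2, 3 ... and read everybody's mail (insecure direct object reference).
function load_message_vulnerable(PDO $db, $id) {
    $stmt = $db->prepare('SELECT * FROM messages WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: id must be a positive integer, and the row must belong to the
// session user as sender or recipient. The authorization predicate is part of
// the query, so there is no code path that loads a row before checking it.
function load_message_for_user(PDO $db, $id, int $current_user_id) {
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // not an integer: treat as "not found"
    }
    $stmt = $db->prepare(
        'SELECT * FROM messages WHERE id = ? AND (sender_id = ? OR recipient_id = ?)'
    );
    $stmt->execute([$id, $current_user_id, $current_user_id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;   // null -> respond 403/404
}

// Simulated attacker session: user 20 requests ids 1 and 2 in turn.
$attacker = 20;
foreach ([1, 2] as $id) {
    $v = load_message_vulnerable($db, $id);
    $h = load_message_for_user($db, $id, $attacker);
    printf("id=%d vulnerable=%s hardened=%s\n", $id,
        $v ? $v['subject'] : 'null', $h ? $h['subject'] : 'denied');
}
```

Returning the same "not found" response for a missing id and for a foreign id (rather than a distinct 403) also removes the enumeration oracle the advisory relies on.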

2) If an invalid id value is passed to the receiver.edit module, which is handled by
  the index.php script, its content is reflected to the user without proper filtering.
  This leads to JavaScript execution in the web browser. This issue can be easily exploited
  by navigating to the following URL:

  https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>

  An alert with the user's session cookie will be shown.

  Persistent Cross-Site Scripting was identified in the private messaging module. It was
  discovered that the [subject, title, firstName, surname, content] parameters are
  vulnerable to persistent Cross-Site Scripting, as they are saved and later shown
  without proper filtering. A sample request is provided below:

   POST /admin/index.php HTTP/1.1
   Host: www.example.com
   [...]
   rec-name=some_name&subject=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&message=asd%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&o=account&a=message.send&reference=

  Many further parameters are vulnerable to reflected Cross-Site Scripting:

  URL:
       https://www.example.com/admin/index.php

       Parameters:
           replace[0-24]
           search[0-24]
           id
           O
           Referer (header)

  URL:
       https://www.example.com/admin/ajax.feedback.php

       Parameters:
           dat_type

3) When creating a new survey it is possible to include PHP code. Although the web
  application filters most of the dangerous PHP functions that would allow OS command
  execution, it is still possible to execute arbitrary commands using the code below:

  print `id`;

  The above code, when executed, prints the system id of the current user. This could be further
  exploited by an attacker to access the local file system, create malicious files, open
  remote connections, etc.
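The bypass in issue 3 works because the backtick operator is `shell_exec()` without a function name for a name-based filter to match. The following is an added example, not SoSci Survey code: a denylist of the kind the advisory describes (its exact shape is an assumption) beside a token-level check that sees the operator itself, run over the advisory's payload.

```php
<?php
// Added example (not SoSci Survey code): why a function-name denylist misses
// `cmd`, and how a tokenizer-based check catches it. The denylist's shape is
// an assumption about what the application might have done.

$banned = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];

// Name-based filter: looks for "name(" and nothing else.
function denylist_filter(string $code, array $banned): bool {
    foreach ($banned as $fn) {
        if (preg_match('/\b' . $fn . '\s*\(/i', $code)) {
            return false;                    // rejected
        }
    }
    return true;                             // accepted
}

// Token-level check: the backtick operator appears as a bare '`' token, and
// direct calls to banned functions appear as T_STRING, whatever the spacing.
function token_filter(string $code, array $banned): bool {
    foreach (token_get_all('<?php ' . $code) as $t) {
        if ($t === '`') {
            return false;                    // shell_exec() in disguise
        }
        if (is_array($t) && $t[0] === T_STRING
            && in_array(strtolower($t[1]), $banned, true)) {
            return false;
        }
    }
    return true;
}

$samples = [
    'system("id");',
    'print `id`;',                           // the advisory's payload
    'echo "hello";',
];
foreach ($samples as $s) {
    printf("%-18s denylist=%-5s tokens=%s\n", $s,
        denylist_filter($s, $banned) ? 'pass' : 'block',
        token_filter($s, $banned) ? 'pass' : 'block');
}
// denylist passes 'print `id`;' while the token check blocks it.
```

The token check is a detection, not a sandbox: names assembled at runtime (`$f = 'sys' . 'tem'; $f('id')`), `eval`, or any of the file and network functions the advisory mentions are not covered. If user-supplied PHP must run at all, the server-side control is `disable_functions` in php.ini; per the PHP manual, disabling `shell_exec` also disables the backtick operator.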


Vulnerable / tested versions:
-----------------------------
The hosted instance of SoSci Survey on the www.soscisurvey.de domain was tested.
It was not possible to determine the exact version of the installed software.


Vendor contact timeline:
------------------------
2013-01-29: Contacted vendor through [email protected]
2013-01-29: Initial vendor response - issues will be verified
2013-03-29: Status request sent
2013-03-29: Vendor response: Security update 2.3.04a is available
2013-04-17: SEC Consult releases coordinated security advisory


Solution:
---------
Update to version 2.3.04a.


Workaround:
-----------


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF T. Lazauninkas, V. Paulikas / @2013
