Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities

[Vulnerability Lab <research () vulnerability-lab com>]

Document Title:
===============
Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1386

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2239

CVE-ID:
=======
CVE-2014-2239


Release Date:
=============
2014-12-24


Vulnerability Laboratory ID (VL-ID):
====================================
1386


Common Vulnerability Scoring System:
====================================
6.6


Product & Service Introduction:
===============================
Lazarus is a free guestbook script written in PHP that uses your MySQL database for storage and is based 
upon the excellent Advanced Guestbook script from Proxy2. I took the Advanced Guestbook and added more 
features and several layers of anti spam protection to make one of the most feature rich and spam resistant 
guestbook scripts available for free. I am always active on the forums and you can rest assured that if the 
spammers find a way past the current anti spam methods that I have others waiting in the wings. You can read my 
own guestbook to see what other people have had to say about Lazarus and my anti spam fixes for Advanced Guestbook.

(Copy of the Vendor Homepage: http://carbonize.co.uk/Lazarus/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple web vulnerabilities in the official Lazarus 
Guestbook v1.22 Content Management System.


Vulnerability Disclosure Timeline:
==================================
2014-12-23:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A sql injection web vulnerability has been discovered in the official Lazarus Guestbook v1.22 content management system.
The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the 
application dbms.

The sql injection vulnerability is located in the gbsession value of the admin.php files. Local privileged user 
accounts are able to 
inject own sql commands by usage of vulnerable gbsession value in the settings&panel=general module. A successful 
attack requires to 
manipulate a GET method request with vulnerable gbsession value. The injection is a classic sql injection vulnerability 
that allows to 
compromise the web-application and connected dbms.

The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring 
system) count of 6.6.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and no 
user interaction.
Successful exploitation of the security vulnerability result in web-application and database management system 
compromise.

Request Method(s):
                                [+] GET

Vulnerable Module(s):
                                [+] settings&panel=general

Vulnerable Files(s):
                                [+] admin.php

Vulnerable Parameter(s):
                                [+] gbsession


1.2
Multiple application-side input validation web vulnerabilities has been discovered in the official Lazarus Guestbook 
v1.22 content management system.
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the 
vulnerable service function or module.

The vulnerabilities are located in the s_emotion, virtual, font_face, book_mail, text and comment_pass values of the 
platform inputs. Local attackers 
without and with low privileged user accounts are able to manipulate the s_emotion, virtual, font_face, book_mail, text 
and comment_pass values by usage 
of the platform input field module. The attack vector is persistent on the application-side and the request method to 
inject is POST. 

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability 
scoring system) count of 3.7.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low 
or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent 
external redirect to malicious 
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                        [+] POST

Vulnerable Module(s):
                                        [+] 

Vulnerable Parameter(s):
                                        [+] s_emotion
                                        [+] virtual
                                        [+] font_face
                                        [+] book_mail
                                        [+] text
                                        [+] comment_pass


Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerability can be exploited by remote attackers with low privileged application user account 
and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below 
to continue.

#P0c
http://service.127.0.0.1:8080/lazarus/admin.php?action=settings&panel=general&gbsession="RANDOM_TOKEN"&uid=[SQL 
INJECTION VULNERABILITY!]

Note: SQL-Injection in control panel of admin and others users.

#Proof Concept
http://i.imgur.com/36JamRc.jpg



1.2
The cross site scripting web vulnerabilities can be exploited by remote attackers without privileged application user 
account and user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below 
to continue.

Note: Multiple Cross Site Scripting in multiple boxes of platform

#P0c [1]: Get into code xss in the ad block box
<textarea class="input" id="ad_code" name="ad_code" wrap="virtual" rows="14" cols="41">CODE XSS</textarea>

#P0c [2]: Get into code xss in the smile name box
<input type="text" size="25" value="CODE XSS" name="s_emotion">

#P0c [3]: Get into code xss in the font style box
<input type="text" class="input" maxlength="70" size="38" value="CODE XSS" name="font_face">

#P0c [4]: Get into code xss in the security box
<input type="text" class="input" value="CODE XSS" size="29" name="comment_pass">

#P0c [5]: Get into code xss in the email notification box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="book_mail">

#P0c [6]: Get into code xss in the tags box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="allowed_tags">

#Proof Concept
http://i.imgur.com/sczND0w.jpg
http://i.imgur.com/SNMFRCV.jpg
http://i.imgur.com/OR2RTc1.jpg
http://i.imgur.com/xNX6Ln0.jpg
http://i.imgur.com/dlqSpLM.jpg
http://i.imgur.com/JESZTCz.jpg



Security Risk:
==============
1.1
The security risk of the sql injection web vulnerability is estimated as high. (CVSS 6.6 )

1.2
The security risk of the cross site scripting web vulnerabilities are estimated as medium. (CVSS 3.7)



Credits & Authors:
==================
TaurusOmar  - @TaurusOmar_ (taurusomar13 () gmail com) [overhat.blogspot.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt