Full Disclosure mailing list archives
Elefant CMS v1.3.9 - Persistent Name Update Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Tue, 16 Dec 2014 20:47:40 +0100
Document Title: =============== Elefant CMS v1.3.9 - Persistent Name Update Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1365 Release Date: ============= 2014-12-03 Vulnerability Laboratory ID (VL-ID): ==================================== 1365 Common Vulnerability Scoring System: ==================================== 3.9 Product & Service Introduction: =============================== Elefant provides a modern, minimalist user interface that eliminates clutter and confusion, with a site editor that gets out of your way and is a pleasure to use. You`ll notice right away the attention to detail throughout the software. Elefant takes the best WYSIWYG editor in the world, and makes it better through deep integration with your content. With Elefant`s dynamic objects plugin, you can embed dozens of types of dynamic content anywhere on your site, things like videos, event calendars, contact forms, social media integration, photo galleries and slideshows, member login, payment buttons, you name it. (Copy of the Vendor Homepage: https://elefantcms.com/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official ElefantCMS v1.3.9 web-application. Vulnerability Disclosure Timeline: ================================== 2014-12-03: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Github Product: ElefantCMS - Web Application 1.3.9 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official ElefantCMS v1.3.9 web-application. The vulnerability allows remote attackers to inject malicious script codes on the application-side of the vulnerable service. The vulnerability is located in the user `name` value of the profile module. Remote attackers are able to inject own persistent script code in the user profile module. The POST method inject runs through the /user/update module and the execution of the payload occurs in the ./user profile page. The attack vector of the vulnerability is located on the application-side and the request method to inject malicious codes is POST. The security risk of the persistent vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the persistent security vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation of the vulnerabilities result in persistent phishing attacks, persistent session hijacking attacks, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Request Method(s): [+] POST Vulnerable Module(s): [+] http://elefantcms.127.0.0.1:8080/user/update Vulnerable Parameter(s): [+] name Affected Module(s): [+] http://elefantcms.127.0.0.1:8080/user Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low user interaction (click). For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the elefeantcms application and open the frontend 2. Register an user account and save the random settings 3. Do to the ./user page to update the users profile 4. Inject own script code as payload to the vulnerable name input field. Save the settings 5. The execution occurs in the profile page of the user that is visible to the admin or other users 6. Successful reproduce of the vulnerability! PoC: ./user <html><head> <title>Your Site Name - "><TEST") <</title> <meta charset="UTF-8"> <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto:400,300";> <link rel="stylesheet" type="text/css" href="/css/960_compiled.css"> <link rel="stylesheet" type="text/css" href="/css/style.css"> <script src="/js/jquery-1.8.3.min.js"></script> <link rel="stylesheet" href="/apps/admin/css/jquery.jgrowl.css"> <link rel="stylesheet" href="/apps/admin/css/top-bar.css"> <script>$(function(){$.elefant_version='1.3.3';});</script><script src="/apps/admin/js/jquery.jgrowl.min.js"></script> <script src="/js/jquery.cookie.js"></script> <script src="/apps/admin/js/top-bar.js"></script> </head> <body> <div id="wrapper" class="container_12"> <div id="reset-notice" class="grid_12"> <p align="center"><strong>Demo Notice: This site resets itself every hour on the hour.</strong> <br> <a href="http://www.elefantcms.com/download";>Download Elefant</a> | <a href="https://affiliates.arvixe.com/track.php?id=3618&url=393";>Elefant web hosting</a> <!-- | <a href="https://phpfog.com/?a_aid=18859164";>Elefant cloud hosting</a> --> | <a href="http://www.dotblock.com/vps_hosting_stacks/elefantcms_vps_stack.php";>Elefant VPS hosting</a> </p> </div> <div id="head" class="grid_12"> <div class="grid_6 alpha"> <h1><a href="/">Your Site Name</a></h1> </div> <div class="grid_6 omega menu"> <ul><li><a href="/index">Home</a></li> </ul> </div> </div> <div class="clear"></div> <div id="body" class="grid_8"> <h2>"><[PERSISTENT SCRIPT CODE EXECUTION VULNERABILITY!];)" <<="" h2=""><p><a href="http://www.gravatar.com/site/login/"; target="_blank" title="Klicken Sie um das Foto zu aktualisieren (Gravatar)"> <img src="http://www.gravatar.com/avatar/43fa13578c4b764f6754d7dae507e963?s=42&d=mm"; style="float: left; margin-right: 15px" /></a> <a href="/user/update">Profil bearbeiten</a> </p> <br clear="both" /> </div> --- PoC Session Logs [POST] --- Status: 200[OK] POST http://elefantcms.127.0.0.1:8080/user/update Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1531] Mime Type[text/html] Request Header: Host[elefantcms.127.0.0.1:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://elefantcms.127.0.0.1:8080/user/update] Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.7.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1] Connection[keep-alive] POST-Daten: name[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]+%3C] email[rpknilst%40elefantcms.127.0.0.1:8080] password[] verify_pass[] _token_[761ecc8f6422453154062fae2a9a1396] Response Header: Date[Tue, 02 Dec 2014 11:56:53 GMT] Server[Apache] X-Powered-By[PHP/5.3.3] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Content-Encoding[gzip] Vary[Accept-Encoding] Content-Length[1531] Keep-Alive[timeout=20, max=79] Connection[Keep-Alive] Content-Type[text/html; charset=UTF-8] Status: 200[OK] GET http://elefantcms.127.0.0.1:8080/user Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1611] Mime Type[text/html] Request Header: Host[elefantcms.127.0.0.1:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://elefantcms.127.0.0.1:8080/user/update] Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.8.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1] Connection[keep-alive] Response Header: Date[Tue, 02 Dec 2014 11:56:55 GMT] Server[Apache] X-Powered-By[PHP/5.3.3] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Content-Encoding[gzip] Vary[Accept-Encoding] Content-Length[1611] Keep-Alive[timeout=20, max=77] Connection[Keep-Alive] Content-Type[text/html; charset=UTF-8] Status: 200[OK] GET http://elefantcms.127.0.0.1:8080/[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[1483] Mime Type[text/html] Request Header: Host[elefantcms.127.0.0.1:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://elefantcms.127.0.0.1:8080/user] Cookie[PHPSESSID=m1lkc0d1icld38qr9060loj5h6; elefant_update_checked=1; __utma=29033641.1115304499.1417521358.1417521358.1417521358.1; __utmb=29033641.8.10.1417521358; __utmc=29033641; __utmz=29033641.1417521358.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1] Connection[keep-alive] Response Header: Date[Tue, 02 Dec 2014 11:56:55 GMT] Server[Apache] X-Powered-By[PHP/5.3.3] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Content-Encoding[gzip] Vary[Accept-Encoding] Content-Length[1483] Keep-Alive[timeout=20, max=76] Connection[Keep-Alive] Content-Type[text/html; charset=UTF-8] Reference(s): http://elefantcms.127.0.0.1:8080/user http://elefantcms.127.0.0.1:8080/user/update Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable name value in the user/update POST method request. Restrict the input field with the vulnerable name value and encode the vulnerable profile context output page to prevent persistent script code execution. https://github.com/jbroadway/elefant/commit/5784b27e6dbd6ad4f68724f9ee1be376a40dd971 https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_10_beta https://www.elefantcms.com/download Security Risk: ============== The security risk of the application-side input validation vulnerability in the user profile module is estimated as medium. (3.9) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research () vulnerability-lab com PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Elefant CMS v1.3.9 - Persistent Name Update Vulnerability Vulnerability Lab (Dec 16)