
List:       full-disclosure
Subject:    [Full-disclosure] NetCat CMS v5.0.1 - Multiple Web Vulnerabilities
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2012-10-31 0:53:07
Message-ID: 50907673.8040807 () vulnerability-lab ! com

Title:
======
NetCat CMS v5.0.1 - Multiple Web Vulnerabilities


Date:
=====
2012-10-31


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=738


VL-ID:
=====
738


Common Vulnerability Scoring System:
====================================
2.5


Introduction:
=============
Vendor Website: http://netcat.ru  (RU)


Abstract:
=========
The Security Effect Research Team discovered multiple web vulnerabilities in the Russian Bce NetCat v5.0.1 content management system.


Report-Timeline:
================
2012-10-31:	Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple client-side cross-site scripting and HTTP parameter pollution vulnerabilities were detected in the Russian Bce NetCat v5.0.1 content management system. The non-persistent cross-site scripting vulnerabilities allow remote attackers to craft malicious client-side web requests in order to steal CMS customer session information. The client-side CRLF vulnerability allows remote attackers to alter the GET and POST request with values of their own and so manipulate the HTTP protocol request.

The first client-side cross-site scripting vulnerability is located in the search module, in the vulnerable search_query application parameter. The second HTTP parameter pollution vulnerability is located in the post.php file when it processes a request carrying the vulnerable redirect_url parameter.

Successful exploitation of the vulnerabilities can result in client-side HTTP parameter manipulation via POST/GET, client-side phishing, client-side cookie theft via cross-site scripting, and client-side manipulation of the CMS web context.


Vulnerable Module(s):
				[+] search
				[+] post

Vulnerable Parameter(s):
				[+] search_query
				[+] redirect_url
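
The two parameters listed above call for two different fixes: search_query is reflected into HTML and needs output encoding for the context it lands in, while redirect_url ends up in a Location header and needs CR/LF rejection plus a same-site restriction. The following Python is an added illustration of that hardening, not NetCat CMS code; the function names, the template shape and the redirect policy are assumptions.

```python
"""
Defensive handling for the two parameter classes named in the advisory.

- search_query: reflected into HTML, so it is escaped for the context in
  which it lands (here: an HTML attribute value).
- redirect_url: placed in a Location header, so it must not contain CR/LF
  and is restricted to a same-site relative path.

Constructed example; not NetCat CMS code. Function names, the template
shape and the redirect policy are assumptions.
"""
import html
import re
from urllib.parse import urlsplit

# Any raw CR or LF in a header value lets the client split the response.
_CRLF = re.compile(r"[\r\n]")


def render_search_box(search_query: str) -> str:
    """Echo the search term back inside a value="" attribute.

    html.escape(quote=True) rewrites & < > " and ', so a value can no
    longer close the attribute and start an on*= event handler.
    """
    safe = html.escape(search_query, quote=True)
    return f'<input type="text" name="search_query" value="{safe}">'


def safe_redirect_target(redirect_url: str, default: str = "/") -> str:
    """Return a redirect target that is safe to put in a Location header.

    Policy (an assumption about a sensible rule set, not NetCat's own):
      * no CR or LF anywhere in the value (blocks header injection);
      * only a relative path on this site: no scheme, no host and no
        protocol-relative '//' prefix (blocks open redirects);
      * anything that fails falls back to `default`.
    The CR/LF check runs before urlsplit because urlsplit silently strips
    those characters and would otherwise hide them.
    """
    if _CRLF.search(redirect_url):
        return default
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        return default
    if not redirect_url.startswith("/") or redirect_url.startswith("//"):
        return default
    return redirect_url


def build_redirect_headers(redirect_url: str) -> list:
    """Headers for a 302 response; the Location value is validated first."""
    return [("Location", safe_redirect_target(redirect_url))]


if __name__ == "__main__":
    print(render_search_box("' onmouseover=prompt(document.cookie) bad='"))
    print(build_redirect_headers("\r\n NetCatStatus:hacked_by_seceffect"))
    print(build_redirect_headers("/cart/"))
```

The escaping function handles only the attribute context; a value echoed into a script block or a URL would need a different encoder, which is why the rendering helper is kept separate from the redirect validator.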


Proof of Concept:
=================
1. Client Side - Cross Site Scripting
The client-side cross-site scripting vulnerabilities can be exploited by remote attackers without a privileged application user account and with medium or high user interaction required. For demonstration or to reproduce ...

1.1 - In URL address.

PoC:
http://site.127.0.0.1:3666/?' onmouseover='prompt(document.cookie)'bad='>


1.2 - In "search_query" parameter.

PoC:
http://site.127.0.0.1:3666/search/?search_query=' onmouseover=prompt(document.cookie) bad='



2. Client Side via POST - CRLF injection/HTTP Parameter Pollution
The client-side CRLF vulnerability can be exploited by remote attackers without a privileged application user account and with medium or high user interaction required. For demonstration or to reproduce ...

In /netcat/modules/netshop/post.php the URL-encoded POST input redirect_url was set to NetCatStatus:hacked_by_seceffect

PoC: POST
http://site.127.0.0.1:3666/netcat/modules/netshop/post.php
cart%5b353%5d%5b10%5d=1&cart_mode=add&redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect
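
From the defender's side, the two request shapes shown in this section are straightforward to pick out of web-server logs. The following Python is an added example and not part of the advisory: it parses constructed combined-format access-log lines (the trailing quoted POST-body field is an assumed logging extension that real servers only record when configured to) and flags an attribute break-out in search_query or a CR/LF sequence in redirect_url.

```python
"""
Detection sketch for the request patterns described in this advisory,
run over web-server access-log lines.

Constructed example with constructed log lines; not a vendor-supplied
rule set. The log format (combined log format plus a final quoted field
holding the POST body) is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines. The final quoted field is the assumed POST-body
# capture; for GET requests it is "-".
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2012:00:53:07 +0000] "GET /search/?search_query=netcat HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.0.6 - - [31/Oct/2012:00:53:09 +0000] "GET /search/?search_query=%27%20onmouseover%3Dprompt(document.cookie)%20bad%3D%27 HTTP/1.1" 200 640 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [31/Oct/2012:00:53:11 +0000] "POST /netcat/modules/netshop/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "cart%5b353%5d%5b10%5d=1&cart_mode=add&redirect_url=%0d%0a%20NetCatStatus:hacked_by_seceffect"
10.0.0.8 - - [31/Oct/2012:00:53:12 +0000] "POST /netcat/modules/netshop/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "cart%5b1%5d%5b2%5d=1&cart_mode=add&redirect_url=%2Fcart%2F"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<body>[^"]*)"$'
)

# A quote closing an attribute, followed shortly by an on*= event handler.
ATTR_BREAKOUT = re.compile(r"""["'][^"']{0,40}\bon[a-z]+\s*=""", re.IGNORECASE)
# CR or LF surviving in a value that will be copied into a Location header.
CRLF = re.compile(r"[\r\n]")


def _params(method, target, body):
    """Decode the request parameters: query string for GET, body for POST."""
    raw = body if method == "POST" else target.partition("?")[2]
    params = parse_qs(raw, keep_blank_values=True)
    # Decode a second time so a double-encoded value (%250d) is also seen.
    return {k: [unquote(v) for v in vs] for k, vs in params.items()}


def scan_line(line):
    """Return a list of (ip, finding) tuples for one log line; empty if clean."""
    m = LINE_RE.match(line)
    if not m:
        return []
    params = _params(m["method"], m["target"], m["body"])
    findings = []
    for value in params.get("search_query", []):
        if ATTR_BREAKOUT.search(value):
            findings.append((m["ip"], "search_query: HTML attribute break-out"))
    for value in params.get("redirect_url", []):
        if CRLF.search(value):
            findings.append((m["ip"], "redirect_url: CR/LF in redirect target"))
    return findings


def scan_log(text):
    """Scan every line of a log and collect all findings."""
    out = []
    for line in text.splitlines():
        out.extend(scan_line(line))
    return out


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{finding}")
```

Decoding the parameters before matching matters: the raw line carries `%27` and `%0d%0a`, so a pattern written against literal quotes or newlines would miss both requests if applied to the undecoded text.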


Risk:
=====
1.1
The security risk of the client-side cross-site scripting vulnerabilities is estimated as low(+)|(-)medium.

1.2
The security risk of the HTTP parameter pollution vulnerability is estimated as medium(-).



Credits:
========
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


