List: full-disclosure
Subject: [FD] Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-12-25 10:33:32
Message-ID: 549BE7FC.1070405 () vulnerability-lab ! com
Document Title:
===============
Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1386
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2239
CVE-ID:
=======
CVE-2014-2239
Release Date:
=============
2014-12-24
Vulnerability Laboratory ID (VL-ID):
====================================
1386
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
Lazarus is a free guestbook script written in PHP that uses your MySQL database for storage and is based upon the excellent Advanced Guestbook script from Proxy2. I took the Advanced Guestbook and added more features and several layers of anti spam protection to make one of the most feature rich and spam resistant guestbook scripts available for free. I am always active on the forums and you can rest assured that if the spammers find a way past the current anti spam methods that I have others waiting in the wings. You can read my own guestbook to see what other people have had to say about Lazarus and my anti spam fixes for Advanced Guestbook.
(Copy of the Vendor Homepage: http://carbonize.co.uk/Lazarus/ )
Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple web vulnerabilities in the official Lazarus Guestbook v1.22 content management system.
Vulnerability Disclosure Timeline:
==================================
2014-12-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A SQL injection web vulnerability has been discovered in the official Lazarus Guestbook v1.22 content management system. The vulnerability allows an attacker to inject SQL commands through a vulnerable value and compromise the application's DBMS.
The SQL injection vulnerability is located in the gbsession value of the admin.php file. Local privileged user accounts are able to inject their own SQL commands through the vulnerable gbsession value in the settings&panel=general module. A successful attack requires manipulating a GET request that carries the vulnerable gbsession value. The injection is a classic SQL injection vulnerability that allows compromise of the web application and the connected DBMS.
The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.6. Exploitation of the application-side web vulnerability requires a low privileged web application user account and no user interaction. Successful exploitation of the security vulnerability results in compromise of the web application and the database management system.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] settings&panel=general
Vulnerable Files(s):
[+] admin.php
Vulnerable Parameter(s):
[+] gbsession
1.2
Multiple application-side input validation web vulnerabilities have been discovered in the official Lazarus Guestbook v1.22 content management system. The vulnerabilities allow a local attacker to inject their own script code as payload into the application side of the vulnerable service function or module.
The vulnerabilities are located in the s_emotion, virtual, font_face, book_mail, text and comment_pass values of the platform inputs. Local attackers with and without low privileged user accounts are able to manipulate the s_emotion, virtual, font_face, book_mail, text and comment_pass values through the platform's input field module. The attack vector is persistent on the application side and the request method used to inject is POST.
The security risk of the application-side web vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.7. Exploitation of the application-side web vulnerabilities requires a low privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+]
Vulnerable Parameter(s):
[+] s_emotion
[+] virtual
[+] font_face
[+] book_mail
[+] text
[+] comment_pass
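As an added example that is not part of this advisory and not code from the Lazarus Guestbook project, the following PHP sketch shows the remediation pattern for both issues described above: a parameterised lookup of the gbsession/uid request values instead of string-built SQL (1.1), and server-side validation plus HTML output encoding of the settings fields so that stored payloads are rendered inert (1.2). The table name gb_sessions, the function names, the token format and the allowed-character rules are assumptions made for the example, not the project's own.

```php
<?php
// Added example (not Lazarus Guestbook code). Table/function names and the
// validation rules below are assumptions chosen to illustrate the fix.

// 1.1: look up the admin session by the gbsession/uid request values with a
// prepared statement. The values never reach the SQL string as text.
function loadSession(PDO $db, string $gbsession, string $uid): ?array
{
    // Reject anything that is not a plausible token/id before touching the DB
    // (assumed format: 16-64 alphanumeric characters, numeric uid).
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/', $gbsession) || !ctype_digit($uid)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT uid, username FROM gb_sessions WHERE gbsession = :gbsession AND uid = :uid'
    );
    $stmt->execute([':gbsession' => $gbsession, ':uid' => (int) $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1.2: validate the settings fields server-side; fields that have a known
// shape (e-mail address, font name, emoticon label) are rejected when they
// do not match it, free-text fields are accepted but must be encoded on output.
function validateSettings(array $post): array
{
    $errors = [];
    $clean  = [];

    $mail = trim($post['book_mail'] ?? '');
    if ($mail !== '' && filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        $errors['book_mail'] = 'not a valid e-mail address';
    } else {
        $clean['book_mail'] = $mail;
    }

    foreach (['font_face', 's_emotion'] as $field) {
        $value = trim($post[$field] ?? '');
        if (!preg_match('/^[A-Za-z0-9 ,._-]{0,70}$/', $value)) {
            $errors[$field] = 'contains characters that are not allowed';
        } else {
            $clean[$field] = $value;
        }
    }

    $clean['comment_pass'] = $post['comment_pass'] ?? '';
    return ['clean' => $clean, 'errors' => $errors];
}

// Every value reflected into a form field is HTML-encoded, quotes included,
// so a stored "><script>...</script> cannot break out of the attribute.
function renderInput(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<input type="text" class="input" name="%s" value="%s">', $safeName, $safeValue);
}

// --- constructed demo data, runs against an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gb_sessions (uid INTEGER, username TEXT, gbsession TEXT)');
$db->exec("INSERT INTO gb_sessions VALUES (1, 'admin', 'RANDOMTOKEN0123456789')");

var_dump(loadSession($db, 'RANDOMTOKEN0123456789', '1'));        // row for uid 1
var_dump(loadSession($db, 'RANDOMTOKEN0123456789', '1 OR 1=1')); // NULL: rejected before any query

$result = validateSettings([
    'book_mail'    => 'admin@example.invalid',
    'font_face'    => 'Verdana',
    's_emotion'    => 'smile',
    'comment_pass' => '"><script>alert(1)</script>',   // stands in for the advisory's "CODE XSS"
]);
foreach ($result['clean'] as $name => $value) {
    echo renderInput($name, $value), PHP_EOL;           // comment_pass is emitted as &quot;&gt;&lt;script&gt;...
}
```

The two halves address the two root causes separately: the SQL side is fixed by binding, not by escaping, and the XSS side is fixed by encoding at the point of output (every field, every time), with input validation only narrowing the fields whose legitimate values have a known shape.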
Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerability can be exploited by remote attackers with a low privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
#P0c
http://service.127.0.0.1:8080/lazarus/admin.php?action=settings&panel=general&gbsession="RANDOM_TOKEN"&uid=[SQL INJECTION VULNERABILITY!]
Note: SQL injection in the control panel of the admin and other users.
#Proof Concept
http://i.imgur.com/36JamRc.jpg
1.2
The cross site scripting web vulnerabilities can be exploited by remote attackers without a privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
Note: Multiple cross site scripting vulnerabilities in multiple input boxes of the platform
#P0c [1]: Inject the XSS code into the ad block box
<textarea class="input" id="ad_code" name="ad_code" wrap="virtual" rows="14" cols="41">CODE XSS</textarea>
#P0c [2]: Inject the XSS code into the smile name box
<input type="text" size="25" value="CODE XSS" name="s_emotion">
#P0c [3]: Inject the XSS code into the font style box
<input type="text" class="input" maxlength="70" size="38" value="CODE XSS" name="font_face">
#P0c [4]: Inject the XSS code into the security box
<input type="text" class="input" value="CODE XSS" size="29" name="comment_pass">
#P0c [5]: Inject the XSS code into the email notification box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="book_mail">
#P0c [6]: Inject the XSS code into the tags box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="allowed_tags">
#Proof Concept
http://i.imgur.com/sczND0w.jpg
http://i.imgur.com/SNMFRCV.jpg
http://i.imgur.com/OR2RTc1.jpg
http://i.imgur.com/xNX6Ln0.jpg
http://i.imgur.com/dlqSpLM.jpg
http://i.imgur.com/JESZTCz.jpg
Security Risk:
==============
1.1
The security risk of the SQL injection web vulnerability is estimated as high. (CVSS 6.6)
1.2
The security risk of the cross site scripting web vulnerabilities is estimated as medium. (CVSS 3.7)
Credits & Authors:
==================
TaurusOmar - @TaurusOmar_ (taurusomar13@gmail.com) [overhat.blogspot.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/