[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
From:       "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date:       2023-07-19 7:09:01
Message-ID: 258bd0ba-ba7a-2e11-971e-3f618f6ba790 () vulnerability-lab ! com
[Download RAW message or body]

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------0nV9GR811nte2EeyOYmjE0Jg
From: "info@vulnerability-lab.com" <info@vulnerability-lab.com>
Reply-To: info@vulnerability-lab.com
To: fulldisclosure@seclists.org
Message-ID: <258bd0ba-ba7a-2e11-971e-3f618f6ba790@vulnerability-lab.com>
Subject: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
Content-Type: multipart/mixed; boundary="------------8g0FEqhbVPOJ91Jh2VAr0d04"

[Attachment #2 (text/plain)]

Document Title:
===============
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2278


Release Date:
=============
2023-07-04


Vulnerability Laboratory ID (VL-ID):
====================================
2278


Common Vulnerability Scoring System:
====================================
5.4


Vulnerability Class:
====================
Script Code Injection


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection \
vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.


Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple html injection web vulnerabilities has been discovered in the official Active Super \
Shop Multi-vendor CMS v2.5 web-application. The web vulnerability allows remote attackers to \
inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address \
parameters of the manage profile and products branding module. Remote attackers with privileged \
accountant access are able to inject own malicious script code in the name parameter to provoke \
a persistent execution on profile view or products preview listing. There are 3 different \
privileges that are allowed to access the backend like the accountant (low privileges), the \
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the \
higher privileged access roles of admins and manager on preview of the elements in the backend \
to compromise the application. The request method to inject is post and the attack vector is \
persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent \
phishing attacks, persistent external redirects to malicious source and persistent manipulation \
of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Details

Vulnerable Parameter(s):
[+] name
[+] phone
[+] address

Affected Module(s):
[+] manage profile
[+] products branding


Proof of Concept (PoC):
=======================
The html injection web vulnerabilities can be exploited by remote attackers with privileged \
accountant access and with low user interaction. For security demonstration or to reproduce the \
persistent cross site web vulnerability follow the provided information and steps below to \
continue.


Exploitation: Payload
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">


Vulnerable Source: manage_admin & branding
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; \
border-radius:4px;"> <div class="panel-heading">
<h3 class="panel-title">Manage Details</h3>
</div>
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  \
class="form-horizontal" method="post" accept-charset="utf-8"> <div class="panel-body">
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
<div class="col-sm-6">
<input type="text" name="name" value="Mr. Accountant"><img \
src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control \
required"&gt; </div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
<div class="col-sm-6">
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" \
class="form-control required"> </div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-3">
Phone</label>
<div class="col-sm-6">
<input type="text" name="phone" value="017"><img \
src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" \
class="form-control"&gt; </div></div>


--- PoC Session Logs (POST) ---
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; \
                boundary=---------------------------280242453224137385302547344680
Content-Length: 902
Origin:https://assm_cms.localhost:8080
Connection: keep-alive
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive


Reference(s):
https://assm_cms.localhost:8080/shop/
https://assm_cms.localhost:8080/shop/admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/


Solution - Fix & Patch:
=======================
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the \
content to secure deliver.


Security Risk:
==============
The security risk of the html injection web vulnerabilities in the shopping web-application are \
estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] \
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit \
our material contact (admin@ or research@) to get a ask permission.

				    Copyright  © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE


["OpenPGP_0x1554D09B2933E2FE.asc" (application/pgp-keys)]
["OpenPGP_signature.asc" (OpenPGP_signature.asc)]
-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEE0BctHpBdnIQSMWpxFVTQmykz4v4FAmS3jA0FAwAAAAAACgkQFVTQmykz4v7K
2hAAhQTm/RSb+uR/8iN9jvqDNME5177Tsg7yS0xhtJHU2MOf+v8DUUuBrDQeGNn2Yi+IVKoM5bOu
BGUWxL4gQeMKg4nh8NQNwbe/fYUfM4J/4Buq2/cYq2VW0x+qioPpr5tOFco4R/IDg/rJ2xCP304b
LQAUbW3ep+4UPrVnX+MEupYtaWs0Uy0usG/OV8Fo9ZurRMEH1Es9w8RL0Xj6NIo+LVef0in1tveN
Cshk45/B6FyP+w7nCBUseEWxgQBtK5Mx9s4xZpXsI3/QwdgqzJ3RGPAkpAV/OMWo8cNH7TV5pIxa
1BxJcuO84I80YdZguPE8hBbCmuc/1lXHt6md+I2DGLhffXkys/PXAhvl6f1iksijCfAYyw8O8P2/
OzFix65s7KboiIMpzjs6dbbRsG80yIEXqfBvQVjGq4NfLHnMfEsVIqgig57rYE0OQ3pHg4jh6uyO
hss5IAKKD5D6iD35tgLDhYc3kaw1TpJS9hCNNPzPZSHo5D+0hzRJHXDJoTjBw/eb5YfQ582ZItCC
xRLrJcFEMDG+057uhvaG2czq7iyVSL0vxtLvVmlCFTr3ZorGVD8PUjNNHw3Kcd+oFbTrRcG5mn59
Wz5WC6+QrbnfzaEITZ//+1XZLO1aySHmfSOSmCMkVP540F1HvtntP2auw7Yj6uh/51PLAE2YFuMA
77A=
=bWrO
-----END PGP SIGNATURE-----

--------------0nV9GR811nte2EeyOYmjE0Jg--


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
--===============2388003535982640084==--

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic