[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Dec 2014 11:33:32 +0100
Document Title:
===============
Lazarus Guestbook v1.22 - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1386
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2239
CVE-ID:
=======
CVE-2014-2239
Release Date:
=============
2014-12-24
Vulnerability Laboratory ID (VL-ID):
====================================
1386
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
Lazarus is a free guestbook script written in PHP that uses your MySQL database
for storage and is based
upon the excellent Advanced Guestbook script from Proxy2. I took the Advanced
Guestbook and added more
features and several layers of anti spam protection to make one of the most
feature rich and spam resistant
guestbook scripts available for free. I am always active on the forums and you
can rest assured that if the
spammers find a way past the current anti spam methods that I have others
waiting in the wings. You can read my
own guestbook to see what other people have had to say about Lazarus and my
anti spam fixes for Advanced Guestbook.
(Copy of the Vendor Homepage: http://carbonize.co.uk/Lazarus/ )
Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple web
vulnerabilities in the official Lazarus Guestbook v1.22 Content Management
System.
Vulnerability Disclosure Timeline:
==================================
2014-12-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A sql injection web vulnerability has been discovered in the official Lazarus
Guestbook v1.22 content management system.
The vulnerability allows an attacker to inject sql commands by usage of a
vulnerable value to compromise the application dbms.
The sql injection vulnerability is located in the gbsession value of the
admin.php files. Local privileged user accounts are able to
inject own sql commands by usage of vulnerable gbsession value in the
settings&panel=general module. A successful attack requires to
manipulate a GET method request with vulnerable gbsession value. The injection
is a classic sql injection vulnerability that allows to
compromise the web-application and connected dbms.
The security risk of the sql injection vulnerability is estimated as high with
a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the application-side web vulnerability requires a low
privileged web-application user account and no user interaction.
Successful exploitation of the security vulnerability result in web-application
and database management system compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] settings&panel=general
Vulnerable Files(s):
[+] admin.php
Vulnerable Parameter(s):
[+] gbsession
1.2
Multiple application-side input validation web vulnerabilities has been
discovered in the official Lazarus Guestbook v1.22 content management system.
The vulnerability allows a local attacker to inject own script code as payload
to the application-side of the vulnerable service function or module.
The vulnerabilities are located in the s_emotion, virtual, font_face,
book_mail, text and comment_pass values of the platform inputs. Local attackers
without and with low privileged user accounts are able to manipulate the
s_emotion, virtual, font_face, book_mail, text and comment_pass values by usage
of the platform input field module. The attack vector is persistent on the
application-side and the request method to inject is POST.
The security risk of the application-side web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the application-side web vulnerability requires a low
privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing
mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module
context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+]
Vulnerable Parameter(s):
[+] s_emotion
[+] virtual
[+] font_face
[+] book_mail
[+] text
[+] comment_pass
Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerability can be exploited by remote attackers with
low privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow
the provided information and steps below to continue.
#P0c
http://service.127.0.0.1:8080/lazarus/admin.php?action=settings&panel=general&gbsession="RANDOM_TOKEN"&uid=[SQL
INJECTION VULNERABILITY!]
Note: SQL-Injection in control panel of admin and others users.
#Proof Concept
http://i.imgur.com/36JamRc.jpg
1.2
The cross site scripting web vulnerabilities can be exploited by remote
attackers without privileged application user account and user interaction.
For security demonstration or to reproduce the security vulnerability follow
the provided information and steps below to continue.
Note: Multiple Cross Site Scripting in multiple boxes of platform
#P0c [1]: Get into code xss in the ad block box
<textarea class="input" id="ad_code" name="ad_code" wrap="virtual" rows="14"
cols="41">CODE XSS</textarea>
#P0c [2]: Get into code xss in the smile name box
<input type="text" size="25" value="CODE XSS" name="s_emotion">
#P0c [3]: Get into code xss in the font style box
<input type="text" class="input" maxlength="70" size="38" value="CODE XSS"
name="font_face">
#P0c [4]: Get into code xss in the security box
<input type="text" class="input" value="CODE XSS" size="29" name="comment_pass">
#P0c [5]: Get into code xss in the email notification box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS"
name="book_mail">
#P0c [6]: Get into code xss in the tags box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS"
name="allowed_tags">
#Proof Concept
http://i.imgur.com/sczND0w.jpg
http://i.imgur.com/SNMFRCV.jpg
http://i.imgur.com/OR2RTc1.jpg
http://i.imgur.com/xNX6Ln0.jpg
http://i.imgur.com/dlqSpLM.jpg
http://i.imgur.com/JESZTCz.jpg
Security Risk:
==============
1.1
The security risk of the sql injection web vulnerability is estimated as high.
(CVSS 6.6 )
1.2
The security risk of the cross site scripting web vulnerabilities are estimated
as medium. (CVSS 3.7)
Credits & Authors:
==================
TaurusOmar - @TaurusOmar_ (taurusomar13@xxxxxxxxx) [overhat.blogspot.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2014 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/